Secret Manager
Overview
Secret Manager Factory
The SecretManagerFactory is a utility class used to create instances of different types of secret managers. It leverages the Factory design pattern to abstract the creation logic based on the type of secret manager required. The factory supports creating instances of File, GCP, Kubernetes, and Vault Secret Managers.
The SECRET_MANAGER_TYPE environment variable plays a crucial role in the SecretManagerFactory for determining the default type of secret manager to be instantiated when no specific type is provided in the method call.
Functionality:
Default Secret Manager: If the SECRET_MANAGER_TYPE environment variable is set, its value dictates the default type of secret manager that the factory will create.
The value of this variable should correspond to one of the types defined in SecretManagerTypes enum (FILE, GCP, K8S, VAULT).
Example Configuration:
Setting SECRET_MANAGER_TYPE=GCP in the environment will make the factory create instances of GcpSecretManager by default.
If SECRET_MANAGER_TYPE is not set or is set to FILE, the factory defaults to creating instances of FileSecretManager.
This environment variable provides flexibility and ease of configuration, allowing different secret managers to be used in different environments or scenarios without code changes.
File Secert Manager
The FileSecretManager is a concrete implementation of the BaseSecretManager for managing secrets stored in the file system. It uses a specified directory (defaulting to ./) to read, write, and delete secret files.
Configuration:
Set the environment variable SECRET_MANAGER_DIRECTORY to specify the directory where secrets are stored. If not set, defaults to the current directory (./).
Usage:
- Secrets are stored as files in the specified directory.
- Reading a secret involves fetching content from a file.
- Writing a secret creates or updates a file with the given content.
- Deleting a secret removes the corresponding file.
Kubernetes Secret Manager
The KubernetesSecretManager interfaces with Kubernetes’ native secrets system. It manages secrets within a specified Kubernetes namespace and is designed to operate within a Kubernetes cluster.
Configuration:
Set K8S_NAMESPACE environment variable to specify the Kubernetes namespace. Defaults to default if not set. Assumes Kubernetes configurations (like service account tokens) are properly set up when running within a cluster.
Usage:
- Secrets are stored as Kubernetes Secret objects.
- Provides functionalities to create, retrieve, and delete Kubernetes secrets.
- Handles base64 encoding and decoding as required by Kubernetes.
GCP Secret Manager
The GcpSecretManager utilizes Google Cloud’s Secret Manager service for secret management. It requires setting up with Google Cloud credentials and a project ID.
Configuration:
Ensure the environment variable GOOGLE_CLOUD_PROJECT is set with your Google Cloud project ID.
Usage:
- Secrets are managed using Google Cloud’s Secret Manager.
- Supports operations to create, access, and delete secrets in the cloud.
- Integrates with OpenTelemetry for tracing secret management operations.
Hashicorp Vault Secret Manager
The VaultSecretManager is tailored for Hashicorp Vault, a tool for managing sensitive data. It supports token-based authentication as well as Kubernetes-based authentication for Vault.
Configuration:
- Set
HASHICORP_VAULT_ADDRto the Vault server address. Defaults to http://localhost:8200. - Use
HASHICORP_VAULT_TOKENfor token-based authentication. - Set
HASHICORP_VAULT_USE_K8Sto True and provideHASHICORP_VAULT_K8S_ROLEfor Kubernetes-based authentication.
Usage:
- Manages secrets in a Hashicorp Vault server.
- Provides methods to write, read, and delete secrets from Vault.
- Supports different Vault authentication methods including static tokens and Kubernetes service account tokens.