github.com/square/keysync
Module and package
Version: 0.0.0-20231004192809-b8ca463a888a
Repository: https://github.com/square/keysync.git
Documentation: pkg.go.dev

# README

Deprecated

As of 9/18/23 this project is now deprecated and no longer maintained; we recommend using HashiCorp Vault as a more robust and actively supported alternative.

Keysync


Keysync is a production-ready program for accessing secrets in Keywhiz.

It is a replacement for the now-deprecated FUSE-based keywhiz-fs.

Getting Started

Building

Keysync must be built with Go 1.11+. You can build keysync from source:

$ git clone https://github.com/square/keysync
$ cd keysync
$ go build github.com/square/keysync/cmd/keysync

This will generate a binary called ./keysync

Dependencies

Keysync uses Go modules to manage dependencies. If you've cloned the repo into your GOPATH, export GO111MODULE=on before running any go commands. All dependencies are fetched automatically by go build and go test. Run go mod tidy before committing.

Testing

Entire test suite:

go test ./...

Short, unit tests only:

go test -short ./...

Running locally

Keysync requires access to a Keywhiz server to do anything useful. Assuming you run Keywhiz locally on the default port (4444), you can start keysync with:

./keysync --config keysync-config.yaml

# Packages

package backup handles reading and writing encrypted .tar files from the secretsDirectory to a backupPath using the key backupKey.
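The backup package description above (an encrypted .tar of the secretsDirectory written to backupPath under backupKey) as a worked example. This is added code, not the project's backup package: the page does not name the cipher, so AES-256-GCM with a 32-byte key and the nonce prepended to the ciphertext is this example's assumption, and the function names WriteBackup and ReadBackup are this example's too. The point worth seeing is that the archive is authenticated before any tar parsing runs, so a wrong key or a modified file is rejected without the tar reader ever touching untrusted bytes.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
	"os"
	"path/filepath"
)

// newAEAD: AES-256-GCM under a 32-byte backupKey (this example's choice; the page does not name the cipher).
func newAEAD(backupKey []byte) (cipher.AEAD, error) {
	if len(backupKey) != 32 {
		return nil, errors.New("backupKey must be 32 bytes")
	}
	block, err := aes.NewCipher(backupKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WriteBackup tars every regular file below secretsDirectory (paths kept relative so
// a restore cannot escape it) and writes nonce||ciphertext||tag to backupPath, 0600.
func WriteBackup(secretsDirectory, backupPath string, backupKey []byte) error {
	aead, err := newAEAD(backupKey)
	if err != nil {
		return err
	}
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	err = filepath.Walk(secretsDirectory, func(path string, info os.FileInfo, err error) error {
		if err != nil || !info.Mode().IsRegular() {
			return err
		}
		rel, err := filepath.Rel(secretsDirectory, path)
		if err != nil {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		if err := tw.WriteHeader(&tar.Header{Name: filepath.ToSlash(rel), Mode: int64(info.Mode().Perm()), Size: int64(len(data))}); err != nil {
			return err
		}
		_, err = tw.Write(data)
		return err
	})
	if err == nil {
		err = tw.Close()
	}
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per backup
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	return os.WriteFile(backupPath, aead.Seal(nonce, nonce, buf.Bytes(), nil), 0o600)
}

// ReadBackup authenticates and decrypts backupPath and returns the files by relative
// name; a wrong key or a tampered file fails before any tar parsing happens.
func ReadBackup(backupPath string, backupKey []byte) (map[string][]byte, error) {
	aead, err := newAEAD(backupKey)
	if err != nil {
		return nil, err
	}
	sealed, err := os.ReadFile(backupPath)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("backup too short")
	}
	archive, err := aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
	if err != nil {
		return nil, errors.New("backup authentication failed: wrong key or tampered file")
	}
	files := map[string][]byte{}
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return files, nil
		}
		if err != nil {
			return nil, err
		}
		if files[hdr.Name], err = io.ReadAll(tr); err != nil {
			return nil, err
		}
	}
}
```

The backup file is written 0600 because it contains every secret on the host in one place; on restore, entry names come back exactly as archived, relative to the secrets directory, so the caller decides where they land.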

# Functions

LoadConfig loads the "global" keysync configuration file.
NewAPIServer is the constructor for an APIServer.
NewBackupBundleClient creates a new BackupBundleClient instance given a backup JSON file.
NewClient produces a ready-to-use client struct given client config and CA file with the list of trusted certificate authorities.
NewSyncer instantiates the main stateful object in Keysync.
NewSyncerFromFile instantiates a syncer that reads from a file/bundle instead of an HTTP server.
ParseSecret deserializes raw JSON into a Secret struct.
ParseSecretList deserializes raw JSON into a list of Secret structs.

# Structs

APIServer holds state needed for responding to HTTP api requests.
BackupBundleClient is a secrets client that reads from a Keywhiz backup bundle.
The ClientConfig describes a single Keywhiz client.
Config is the main yaml configuration file passed to the keysync binary.
KeywhizHTTPClient is a client that reads from a Keywhiz server over HTTP (v2 API).
The MonitorConfig has extra settings for monitoring/alerts.
OutputDir implements Output to files, which is the typical keysync usage to a tmpfs.
Secret represents data returned after processing a server request.
SecretDeleted is returned as an error when the server 404s.
StatusResponse from API endpoints.
A Syncer manages a collection of clients, handling downloads and writing out updated secrets.
Updated secrets during a sync.

# Interfaces

Client represents an interface to a secrets storage backend.
Output is an interface that encapsulates what it means to store secrets.
OutputCollection handles a collection of outputs.
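The Output interface, its OutputDir implementation writing to a tmpfs, and the SecretDeleted case from the struct list, as an added example that is not the project's code. It assumes a JSON bundle schema of name plus base64 content, a Write/Cleanup method pair on Output, and a single-pass Sync; ParseSecretList here is a stand-in with the page's name but an assumed schema. What it shows beyond the listing: secret names are validated before they become filenames, each file is written atomically with 0400 permissions, and files for secrets the backend no longer returns are removed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// Secret is what a client hands to the syncer. The page only says it "represents
// data returned after processing a server request"; these JSON keys are assumed.
type Secret struct {
	Name    string `json:"name"`
	Content []byte `json:"content"` // base64 in JSON; encoding/json decodes it
}

// ParseSecretList stands in for the page's function of that name with an assumed
// schema. Names are checked here because each becomes a filename: "../x", "a/b",
// "", "." and ".." would all land outside or beside the output directory.
func ParseSecretList(raw []byte) ([]Secret, error) {
	var list []Secret
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, err
	}
	for _, s := range list {
		if s.Name == "" || s.Name == "." || s.Name == ".." || filepath.Base(s.Name) != s.Name {
			return nil, fmt.Errorf("secret name %q is not a valid filename", s.Name)
		}
	}
	return list, nil
}

// Output is the page's "what it means to store secrets"; the two methods are assumed.
type Output interface {
	Write(s Secret) error
	Cleanup(keep map[string]bool) (removed []string, err error)
}

// OutputDir writes secrets as files in Dir (a tmpfs on a real host, so secrets never
// reach persistent disk). Write is atomic: a temp file created 0600 is filled, chmod
// 0400, then renamed over the target, so readers never see a partial or open file.
type OutputDir struct{ Dir string }

func (o OutputDir) Write(s Secret) error {
	tmp, err := os.CreateTemp(o.Dir, "."+s.Name+".tmp-")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // no-op once the rename below has succeeded
	if _, err := tmp.Write(s.Content); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Close(); err != nil {
		return err
	}
	if err := os.Chmod(tmp.Name(), 0o400); err != nil {
		return err
	}
	return os.Rename(tmp.Name(), filepath.Join(o.Dir, s.Name))
}

// Cleanup removes regular files in Dir that are not in keep, so a secret deleted
// upstream (the page's SecretDeleted case) is gone after the next sync.
func (o OutputDir) Cleanup(keep map[string]bool) ([]string, error) {
	entries, err := os.ReadDir(o.Dir)
	if err != nil {
		return nil, err
	}
	var removed []string
	for _, e := range entries {
		if !e.Type().IsRegular() || keep[e.Name()] {
			continue
		}
		if err := os.Remove(filepath.Join(o.Dir, e.Name())); err != nil {
			return removed, err
		}
		removed = append(removed, e.Name())
	}
	return removed, nil
}

// Sync is one pass of the page's Syncer: write every secret, then drop stale files.
func Sync(secrets []Secret, out Output) (written, removed []string, err error) {
	keep := make(map[string]bool, len(secrets))
	for _, s := range secrets {
		if err := out.Write(s); err != nil {
			return written, nil, err
		}
		written = append(written, s.Name)
		keep[s.Name] = true
	}
	removed, err = out.Cleanup(keep)
	return written, removed, err
}

// SampleBundle is constructed data, not a Keywhiz export: "hunter2" and "-----" in base64.
var SampleBundle = []byte(`[{"name":"db-password","content":"aHVudGVyMg=="},{"name":"tls.pem","content":"LS0tLS0="}]`)
```

Because Sync only talks to the Output interface, the same loop works for any other store, which is the separation the page's OutputCollection builds on; the name check belongs in the parser rather than in Write so that a bad bundle is rejected before anything is written.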