deckhand.engine.secrets_manager module

class deckhand.engine.secrets_manager.SecretsManager
    Bases: object

    Internal API resource for interacting with Barbican. Currently only supports Barbican.

    barbican_driver = <deckhand.barbican.driver.BarbicanDriver object>
    classmethod create(secret_doc)
        Securely store secrets contained in secret_doc.

        Documents with metadata.storagePolicy == “cleartext” have their secrets stored directly in Deckhand. Documents with metadata.storagePolicy == “encrypted” are stored in Barbican directly; Deckhand in turn stores the reference returned by Barbican in its own DB.

        Parameters: secret_doc – A Deckhand document with a schema that belongs to types.DOCUMENT_SECRET_TYPES.
        Returns: Unencrypted data section from secret_doc if the document’s storagePolicy is “cleartext”, or a Barbican secret reference if the storagePolicy is “encrypted”.
    classmethod delete(document)
        Delete a secret from Barbican.

        Parameters: document (dict) – Document with secret_ref in data section with format: “https://{barbican_host}/v1/secrets/{secret_uuid}”
        Returns: None

    classmethod get(secret_ref, src_doc)
        Retrieve a secret payload from Barbican.

        Extracts {secret_uuid} from a secret reference and queries Barbican’s Secrets API with it.

        Parameters: secret_ref (str) – A string formatted like: “https://{barbican_host}/v1/secrets/{secret_uuid}”
        Returns: Secret payload from Barbican.
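The storagePolicy rule from create and the reference parsing from get, as an added example that is not Deckhand’s own code: FakeBarbicanDriver stands in for deckhand.barbican.driver.BarbicanDriver, and its method names (create_secret, get_secret) are assumptions, as is rejecting any reference that does not have exactly the documented “https://{barbican_host}/v1/secrets/{secret_uuid}” shape before it is sent to Barbican.

```python
import re
import uuid
from urllib.parse import urlsplit


class FakeBarbicanDriver:
    """Assumed stand-in for BarbicanDriver: keeps payloads in memory."""

    def __init__(self, host="barbican.example.invalid"):
        self.host = host
        self._store = {}

    def create_secret(self, payload):
        secret_uuid = str(uuid.uuid4())
        self._store[secret_uuid] = payload
        return "https://%s/v1/secrets/%s" % (self.host, secret_uuid)

    def get_secret(self, secret_uuid):
        return self._store[secret_uuid]


def extract_secret_uuid(secret_ref):
    """Return {secret_uuid} from an https://{host}/v1/secrets/{uuid} reference.
    Other schemes, extra path segments, traversal or a non-UUID id raise
    ValueError instead of being sent on to the Secrets API."""
    parts = urlsplit(secret_ref)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("secret_ref must be an https URL: %r" % secret_ref)
    match = re.fullmatch(r"/v1/secrets/([0-9a-fA-F-]{36})", parts.path)
    if match is None:
        raise ValueError("secret_ref path is not /v1/secrets/{uuid}: %r" % secret_ref)
    return str(uuid.UUID(match.group(1)))  # ValueError if not a real UUID


def store_secret(secret_doc, driver):
    """storagePolicy rule from SecretsManager.create: cleartext data stays in
    Deckhand, encrypted data goes to Barbican and only the reference is kept."""
    policy = secret_doc["metadata"]["storagePolicy"]
    if policy == "cleartext":
        return secret_doc["data"]
    if policy == "encrypted":
        return driver.create_secret(secret_doc["data"])
    raise ValueError("unknown storagePolicy: %r" % policy)


def fetch_secret(secret_ref, driver):
    """Lookup rule from SecretsManager.get: parse the reference, then query."""
    return driver.get_secret(extract_secret_uuid(secret_ref))
```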

class deckhand.engine.secrets_manager.SecretsSubstitution(substitution_sources=None, fail_on_missing_sub_src=True, encryption_sources=None, cleartext_secrets=False)
    Bases: object

    Class for document substitution logic for YAML files.

    static sanitize_potential_secrets(error, document)
        Sanitize all secret data that may have been substituted into the document or contained in the document itself (if the document has metadata.storagePolicy == ‘encrypted’). Uses references in document.substitutions to determine which values to sanitize. Only meaningful to call this on post-rendered documents.

        Parameters:
            - error – Error message produced by jsonschema.
            - document (DocumentDict) – Document to sanitize.
    substitute_all(documents)
        Substitute all documents that have a metadata.substitutions field.

        Concrete (non-abstract) documents can be used as a source of substitution into other documents. This substitution is layer-independent: a document in the region layer could insert data from a document in the site layer.

        Parameters: documents (dict or List[dict]) – List of documents that are candidates for substitution.
        Returns: List of fully substituted documents.
        Return type: Generator[DocumentDict]
        Raises:
            - SubstitutionSourceNotFound – If a substitution source document is referenced by another document but wasn’t found.
            - UnknownSubstitutionError – If an unknown error occurred during substitution.

    update_substitution_sources(meta, data)
        Update substitution sources with rendered data so that future layering and substitution sources reference the latest rendered data rather than stale data.

        Parameters:
            - meta (tuple) – Tuple of (schema, layer, name).
            - data (dict) – Dictionary of just-rendered document data that belongs to the document uniquely identified by meta.
        Returns: None
-
static