Planck.Headless.Secrets (Planck.Headless v0.1.10)


Dispatch module for secret storage.

Resolves the active Planck.Agent.Secrets implementation from config and delegates calls to it. Declare the implementation in config.json:

{ "secrets_hook": "Sidecar.Secrets.AgentVault" }

When secrets_hook is not set, Planck.Headless.Secrets.EnvFile is used, which reads and writes .planck/.env (the default behaviour, unchanged from earlier releases).

Process environment sync

Whenever a secret is stored or deleted, the change is mirrored into the OS process environment via System.put_env/2 or System.delete_env/1 and ResourceStore.reload/0 is called so Skogsra picks up the new value without a restart.

preload_to_env/0 loads all stored secrets into the process env at once — call it at application boot and after .env file changes (EnvFile backend only).

Remote dispatch

When the configured module lives on the sidecar node (e.g. Sidecar.Secrets.AgentVault), calls are dispatched via :rpc.call/5 to the connected sidecar. If the sidecar is not connected, calls return {:error, :sidecar_not_connected} (or %{} for fetch_all/0).

Planck.Headless.Secrets.EnvFile is always called in-process.

See Planck.Agent.Secrets for the behaviour definition.
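
Because stored secrets are mirrored into the OS process environment, external programs started with System.cmd/3 inherit them by default. The following added example (not part of Planck.Headless; the module name MyApp.ScrubbedCmd and the :allow option are hypothetical) clears them from a child's environment, assuming each secret key is used verbatim as the environment variable name.

```elixir
defmodule MyApp.ScrubbedCmd do
  @moduledoc """
  Hypothetical helper, not part of Planck.Headless: runs an external command
  without the secrets that Planck.Headless.Secrets mirrors into the OS env.
  """

  alias Planck.Headless.Secrets

  @spec run(String.t(), [String.t()], keyword()) ::
          {:ok, {Collectable.t(), non_neg_integer()}} | {:error, term()}
  def run(cmd, args, opts \\ []) do
    # :allow (hypothetical option) names the secrets this child really needs.
    {allow, cmd_opts} = Keyword.pop(opts, :allow, [])

    case Secrets.list() do
      {:ok, keys} ->
        # Assumption: each secret key is the env var name set by System.put_env/2.
        # A nil value tells System.cmd/3 to unset that variable in the child.
        scrub =
          keys
          |> Enum.reject(&(&1 in allow))
          |> Map.new(&{&1, nil})

        # Values the caller sets explicitly win over the scrub entries.
        caller_env = cmd_opts |> Keyword.get(:env, []) |> Map.new()
        env = scrub |> Map.merge(caller_env) |> Map.to_list()

        {:ok, System.cmd(cmd, args, Keyword.put(cmd_opts, :env, env))}

      {:error, reason} ->
        # Fail closed. With a remote backend this can be
        # {:error, :sidecar_not_connected}; secrets preloaded earlier may still
        # be in the environment, so the child is not started unscrubbed.
        {:error, {:secrets_unavailable, reason}}
    end
  end
end
```

Only key names are read here, so no secret value passes through the helper or its error tuple.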

Functions

delete(key)

@spec delete(String.t()) :: :ok | {:error, term()}

Delete a secret and remove it from the process environment.

delete_service(host)

@spec delete_service(String.t()) :: :ok | {:error, term()}

Delete the service rule for the given host.

fetch(key)

@spec fetch(String.t()) :: {:ok, String.t()} | :not_found | {:error, term()}

Fetch a secret using the configured implementation.

fetch_all()

@spec fetch_all() :: Planck.Agent.Secrets.t()

Fetch all secrets as a map using the configured implementation.

list()

@spec list() :: {:ok, [String.t()]} | {:error, term()}

List all secret keys using the configured implementation.

list_services()

@spec list_services() :: {:ok, [Planck.Agent.Secrets.service()]} | {:error, term()}

List all configured service rules.

preload_to_env(node \\ nil)

@spec preload_to_env(atom() | nil) :: :ok

Load all stored secrets into the OS process environment via System.put_env/2.

When node is provided the secrets are fetched directly from that node via RPC, bypassing SidecarManager.node/0. This is required when called from within SidecarManager itself — calling SidecarManager.node/0 from inside a GenServer callback would deadlock on a self-call.

Does NOT call ResourceStore.reload/0 — callers are responsible for triggering a Skogsra refresh if needed.

resolve()

@spec resolve() :: module()

Return the configured secrets module, defaulting to EnvFile.

store(key, value)

@spec store(String.t(), String.t()) :: :ok | {:error, term()}

Store a secret and sync to the process environment.

store_service(host, auth_type, credential_key, opts \\ [])

@spec store_service(String.t(), String.t(), String.t(), keyword()) ::
  :ok | {:error, term()}

Upsert a service rule for the given host.