grafana/pkg/registry/apis/secret/contracts/encryption.go

package contracts

import "context"

// EncryptionManager is an envelope encryption service in charge of encrypting/decrypting secrets.
type EncryptionManager interface {
	// Encrypt MUST NOT be used within database transactions, it may cause database locks.
	// For those specific use cases where the encryption operation cannot be moved outside
	// the database transaction, look at database-specific methods present at the specific
	// implementation present at manager.EncryptionService.
	Encrypt(ctx context.Context, namespace string, payload []byte) ([]byte, error)
	Decrypt(ctx context.Context, namespace string, payload []byte) ([]byte, error)
}

type EncryptedValue struct {
	Namespace     string
	Name          string
	Version       int64
	EncryptedData []byte
	Created       int64
	Updated       int64
}

// ListOpts defines pagination options for listing encrypted values.
type ListOpts struct {
	Limit  int64
	Offset int64
}

type EncryptedValueStorage interface {
	Create(ctx context.Context, namespace, name string, version int64, encryptedData []byte) (*EncryptedValue, error)
	Update(ctx context.Context, namespace, name string, version int64, encryptedData []byte) error
	Get(ctx context.Context, namespace, name string, version int64) (*EncryptedValue, error)
	Delete(ctx context.Context, namespace, name string, version int64) error
}

type GlobalEncryptedValueStorage interface {
	ListAll(ctx context.Context, opts ListOpts, untilTime *int64) ([]*EncryptedValue, error)
	CountAll(ctx context.Context, untilTime *int64) (int64, error)
}

type ConsolidationService interface {
	Consolidate(ctx context.Context) error
}
SecretsManager: Add Keeper service and SQL Keeper (#102554) Co-authored-by: Dana Axinte <53751979+dana-axinte@users.noreply.github.com> Co-authored-by: Michael Mandrus <michael.mandrus@grafana.com> 2025-03-21 18:38:43 +08:00			`package contracts`

			`import "context"`

			`// EncryptionManager is an envelope encryption service in charge of encrypting/decrypting secrets.`
			`type EncryptionManager interface {`
			`// Encrypt MUST NOT be used within database transactions, it may cause database locks.`
			`// For those specific use cases where the encryption operation cannot be moved outside`
			`// the database transaction, look at database-specific methods present at the specific`
			`// implementation present at manager.EncryptionService.`
SecretsManager: Various utils for usage insights, outbox and secretkeeper (#106010) * SecretsManager: utils for usage insights on ST mode Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com> * SecretsManager: add assert Co-authored-by: PoorlyDefinedBehaviour <brunotj2015@hotmail.com> * SecretsManager: Remove encryption scope option Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com> * SecretsManager: add fake keeper Co-authored-by: Dana Axinte <53751979+dana-axinte@users.noreply.github.com> Co-authored-by: PoorlyDefinedBehaviour <brunotj2015@hotmail.com> Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com> --------- Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com> Co-authored-by: PoorlyDefinedBehaviour <brunotj2015@hotmail.com> 2025-05-28 19:46:54 +08:00			`Encrypt(ctx context.Context, namespace string, payload []byte) ([]byte, error)`
SecretsManager: Add Keeper service and SQL Keeper (#102554) Co-authored-by: Dana Axinte <53751979+dana-axinte@users.noreply.github.com> Co-authored-by: Michael Mandrus <michael.mandrus@grafana.com> 2025-03-21 18:38:43 +08:00			`Decrypt(ctx context.Context, namespace string, payload []byte) ([]byte, error)`
			`}`

			`type EncryptedValue struct {`
			`Namespace string`
Secrets: encryption encryption storage uses versioning (#108036) * Secrets: delete unused FakeKeeper * Secrets: encrypted value storage stores versions * add version to span * trigger build * remove ineffectual assignment * lint * drop secret_encrypted_value.uid / add name and version columns 2025-07-14 20:28:07 +08:00			`Name string`
			`Version int64`
SecretsManager: Add Keeper service and SQL Keeper (#102554) Co-authored-by: Dana Axinte <53751979+dana-axinte@users.noreply.github.com> Co-authored-by: Michael Mandrus <michael.mandrus@grafana.com> 2025-03-21 18:38:43 +08:00			`EncryptedData []byte`
			`Created int64`
			`Updated int64`
			`}`

SecretsManager: Add ability to list all encrypted values (#108512) * list all encrypted values and count * separate interfaces * add time filter to global queries * fix lint 2025-07-28 17:50:24 +08:00			`// ListOpts defines pagination options for listing encrypted values.`
			`type ListOpts struct {`
			`Limit int64`
			`Offset int64`
			`}`

SecretsManager: Add Keeper service and SQL Keeper (#102554) Co-authored-by: Dana Axinte <53751979+dana-axinte@users.noreply.github.com> Co-authored-by: Michael Mandrus <michael.mandrus@grafana.com> 2025-03-21 18:38:43 +08:00			`type EncryptedValueStorage interface {`
Secrets: encryption encryption storage uses versioning (#108036) * Secrets: delete unused FakeKeeper * Secrets: encrypted value storage stores versions * add version to span * trigger build * remove ineffectual assignment * lint * drop secret_encrypted_value.uid / add name and version columns 2025-07-14 20:28:07 +08:00			`Create(ctx context.Context, namespace, name string, version int64, encryptedData []byte) (*EncryptedValue, error)`
			`Update(ctx context.Context, namespace, name string, version int64, encryptedData []byte) error`
			`Get(ctx context.Context, namespace, name string, version int64) (*EncryptedValue, error)`
			`Delete(ctx context.Context, namespace, name string, version int64) error`
SecretsManager: Add Keeper service and SQL Keeper (#102554) Co-authored-by: Dana Axinte <53751979+dana-axinte@users.noreply.github.com> Co-authored-by: Michael Mandrus <michael.mandrus@grafana.com> 2025-03-21 18:38:43 +08:00			`}`
SecretsManager: Add ability to list all encrypted values (#108512) * list all encrypted values and count * separate interfaces * add time filter to global queries * fix lint 2025-07-28 17:50:24 +08:00
			`type GlobalEncryptedValueStorage interface {`
			`ListAll(ctx context.Context, opts ListOpts, untilTime int64) ([]EncryptedValue, error)`
			`CountAll(ctx context.Context, untilTime *int64) (int64, error)`
			`}`
SecretsManager: Consolidation service and ability to run via cli (#108774) * list all encrypted values and count * separate interfaces * add time filter to global queries * initial secrets consolidation * Revert defaults * More verbose description of the operation * Add consolidation tests and tracing * Fix lint * Revert debug log 2025-07-31 21:45:59 +08:00
			`type ConsolidationService interface {`
			`Consolidate(ctx context.Context) error`
			`}`