grafana/pkg/registry/apis/secret/contracts/encryption.go

package contracts

import (
	"context"

	"github.com/grafana/grafana/pkg/registry/apis/secret/xkube"
)

// EncryptionManager is an envelope encryption service in charge of encrypting/decrypting secrets.
type EncryptionManager interface {
	// Encrypt MUST NOT be used within database transactions, it may cause database locks.
	// For those specific use cases where the encryption operation cannot be moved outside
	// the database transaction, look at database-specific methods present at the specific
	// implementation present at manager.EncryptionService.
	Encrypt(ctx context.Context, namespace xkube.Namespace, payload []byte) (EncryptedPayload, error)
	Decrypt(ctx context.Context, namespace xkube.Namespace, payload EncryptedPayload) ([]byte, error)
}

type EncryptedPayload struct {
	DataKeyID     string
	EncryptedData []byte
}

type EncryptedValue struct {
	EncryptedPayload

	Namespace string
	Name      string
	Version   int64
	Created   int64
	Updated   int64
}

// ListOpts defines pagination options for listing encrypted values.
type ListOpts struct {
	Limit  int64
	Offset int64
}

type EncryptedValueStorage interface {
	Create(ctx context.Context, namespace xkube.Namespace, name string, version int64, encryptedData EncryptedPayload) (*EncryptedValue, error)
	Update(ctx context.Context, namespace xkube.Namespace, name string, version int64, encryptedData EncryptedPayload) error
	Get(ctx context.Context, namespace xkube.Namespace, name string, version int64) (*EncryptedValue, error)
	Delete(ctx context.Context, namespace xkube.Namespace, name string, version int64) error
}

type GlobalEncryptedValueStorage interface {
	ListAll(ctx context.Context, opts ListOpts, untilTime *int64) ([]*EncryptedValue, error)
	CountAll(ctx context.Context, untilTime *int64) (int64, error)
}

type EncryptedValueMigrationExecutor interface {
	Execute(ctx context.Context) (int, error)
}

type ConsolidationService interface {
	Consolidate(ctx context.Context) error
}
SecretsManager: Add Keeper service and SQL Keeper (#102554) Co-authored-by: Dana Axinte <53751979+dana-axinte@users.noreply.github.com> Co-authored-by: Michael Mandrus <michael.mandrus@grafana.com> 2025-03-21 18:38:43 +08:00			`package contracts`

Secrets: Refactor data_key_id out of the encoded secure value payload (#111852) * everything compiles * tests pass * remove file included by accident * add entry to gitignore * some scaffolding for the migration executor * remove file * implement and test the migration * use xkube.Namespace in our interfaces * add todo * update wire deps * add some logs * fix wire dependency ordering * create tests to validate error conditions during migrations 2025-10-04 03:25:46 +08:00			`import (`
			`"context"`

			`"github.com/grafana/grafana/pkg/registry/apis/secret/xkube"`
			`)`
SecretsManager: Add Keeper service and SQL Keeper (#102554) Co-authored-by: Dana Axinte <53751979+dana-axinte@users.noreply.github.com> Co-authored-by: Michael Mandrus <michael.mandrus@grafana.com> 2025-03-21 18:38:43 +08:00
			`// EncryptionManager is an envelope encryption service in charge of encrypting/decrypting secrets.`
			`type EncryptionManager interface {`
			`// Encrypt MUST NOT be used within database transactions, it may cause database locks.`
			`// For those specific use cases where the encryption operation cannot be moved outside`
			`// the database transaction, look at database-specific methods present at the specific`
			`// implementation present at manager.EncryptionService.`
Secrets: Refactor data_key_id out of the encoded secure value payload (#111852) * everything compiles * tests pass * remove file included by accident * add entry to gitignore * some scaffolding for the migration executor * remove file * implement and test the migration * use xkube.Namespace in our interfaces * add todo * update wire deps * add some logs * fix wire dependency ordering * create tests to validate error conditions during migrations 2025-10-04 03:25:46 +08:00			`Encrypt(ctx context.Context, namespace xkube.Namespace, payload []byte) (EncryptedPayload, error)`
			`Decrypt(ctx context.Context, namespace xkube.Namespace, payload EncryptedPayload) ([]byte, error)`
Secrets: Refactor data_key_id out of the encoded secure value payload (#111852) * everything compiles * tests pass * remove file included by accident * add entry to gitignore * some scaffolding for the migration executor * remove file * implement and test the migration * use xkube.Namespace in our interfaces * add todo * update wire deps * add some logs * fix wire dependency ordering * create tests to validate error conditions during migrations 2025-10-04 03:25:46 +08:00			`}`

Secrets: Refactor data_key_id out of the encoded secure value payload (#111852) * everything compiles * tests pass * remove file included by accident * add entry to gitignore * some scaffolding for the migration executor * remove file * implement and test the migration * use xkube.Namespace in our interfaces * add todo * update wire deps * add some logs * fix wire dependency ordering * create tests to validate error conditions during migrations 2025-10-04 03:25:46 +08:00			`type EncryptedPayload struct {`
			`DataKeyID string`
Revert "Secrets: Refactor data_key_id out of the encoded secure value payload" (#112034) Revert "Secrets: Refactor data_key_id out of the encoded secure value payload…" This reverts commit acad92864ecb83a9cd8a9b6a4680e72db5bdb437. 2025-10-05 14:53:43 +08:00			`EncryptedData []byte`
Secrets: Refactor data_key_id out of the encoded secure value payload (#111852) * everything compiles * tests pass * remove file included by accident * add entry to gitignore * some scaffolding for the migration executor * remove file * implement and test the migration * use xkube.Namespace in our interfaces * add todo * update wire deps * add some logs * fix wire dependency ordering * create tests to validate error conditions during migrations 2025-10-04 03:25:46 +08:00			`}`

			`type EncryptedValue struct {`
			`EncryptedPayload`

			`Namespace string`
			`Name string`
			`Version int64`
			`Created int64`
			`Updated int64`
SecretsManager: Add Keeper service and SQL Keeper (#102554) Co-authored-by: Dana Axinte <53751979+dana-axinte@users.noreply.github.com> Co-authored-by: Michael Mandrus <michael.mandrus@grafana.com> 2025-03-21 18:38:43 +08:00			`}`

SecretsManager: Add ability to list all encrypted values (#108512) * list all encrypted values and count * separate interfaces * add time filter to global queries * fix lint 2025-07-28 17:50:24 +08:00			`// ListOpts defines pagination options for listing encrypted values.`
			`type ListOpts struct {`
			`Limit int64`
			`Offset int64`
			`}`

SecretsManager: Add Keeper service and SQL Keeper (#102554) Co-authored-by: Dana Axinte <53751979+dana-axinte@users.noreply.github.com> Co-authored-by: Michael Mandrus <michael.mandrus@grafana.com> 2025-03-21 18:38:43 +08:00			`type EncryptedValueStorage interface {`
Secrets: Refactor data_key_id out of the encoded secure value payload (#111852) * everything compiles * tests pass * remove file included by accident * add entry to gitignore * some scaffolding for the migration executor * remove file * implement and test the migration * use xkube.Namespace in our interfaces * add todo * update wire deps * add some logs * fix wire dependency ordering * create tests to validate error conditions during migrations 2025-10-04 03:25:46 +08:00			`Create(ctx context.Context, namespace xkube.Namespace, name string, version int64, encryptedData EncryptedPayload) (*EncryptedValue, error)`
			`Update(ctx context.Context, namespace xkube.Namespace, name string, version int64, encryptedData EncryptedPayload) error`
			`Get(ctx context.Context, namespace xkube.Namespace, name string, version int64) (*EncryptedValue, error)`
			`Delete(ctx context.Context, namespace xkube.Namespace, name string, version int64) error`
SecretsManager: Add Keeper service and SQL Keeper (#102554) Co-authored-by: Dana Axinte <53751979+dana-axinte@users.noreply.github.com> Co-authored-by: Michael Mandrus <michael.mandrus@grafana.com> 2025-03-21 18:38:43 +08:00			`}`
SecretsManager: Add ability to list all encrypted values (#108512) * list all encrypted values and count * separate interfaces * add time filter to global queries * fix lint 2025-07-28 17:50:24 +08:00
			`type GlobalEncryptedValueStorage interface {`
			`ListAll(ctx context.Context, opts ListOpts, untilTime int64) ([]EncryptedValue, error)`
			`CountAll(ctx context.Context, untilTime *int64) (int64, error)`
			`}`
SecretsManager: Consolidation service and ability to run via cli (#108774) * list all encrypted values and count * separate interfaces * add time filter to global queries * initial secrets consolidation * Revert defaults * More verbose description of the operation * Add consolidation tests and tracing * Fix lint * Revert debug log 2025-07-31 21:45:59 +08:00
Secrets: Refactor data_key_id out of the encoded secure value payload (#111852) * everything compiles * tests pass * remove file included by accident * add entry to gitignore * some scaffolding for the migration executor * remove file * implement and test the migration * use xkube.Namespace in our interfaces * add todo * update wire deps * add some logs * fix wire dependency ordering * create tests to validate error conditions during migrations 2025-10-04 03:25:46 +08:00			`type EncryptedValueMigrationExecutor interface {`
			`Execute(ctx context.Context) (int, error)`
			`}`

SecretsManager: Consolidation service and ability to run via cli (#108774) * list all encrypted values and count * separate interfaces * add time filter to global queries * initial secrets consolidation * Revert defaults * More verbose description of the operation * Add consolidation tests and tracing * Fix lint * Revert debug log 2025-07-31 21:45:59 +08:00			`type ConsolidationService interface {`
			`Consolidate(ctx context.Context) error`
			`}`