feat: secrets manager interface (#75)

Author: leoparente

agent/agent.go

@@ -15,6 +15,7 @@ import (
 	"github.com/netboxlabs/orb-agent/agent/config"
 	"github.com/netboxlabs/orb-agent/agent/configmgr"
 	"github.com/netboxlabs/orb-agent/agent/policymgr"
+	"github.com/netboxlabs/orb-agent/agent/secretsmgr"
 	"github.com/netboxlabs/orb-agent/agent/version"
 )
 
@@ -49,8 +50,9 @@ type orbAgent struct {
 	// AgentGroup channels sent from core
 	groupsInfos map[string]groupInfo
 
-	policyManager policymgr.PolicyManager
-	configManager configmgr.Manager
+	policyManager  policymgr.PolicyManager
+	configManager  configmgr.Manager
+	secretsManager secretsmgr.Manager
 }
 
 type groupInfo struct {
@@ -71,9 +73,15 @@ func New(logger *zap.Logger, c config.Config) (Agent, error) {
 		logger.Error("policy manager failed to get repository", zap.Error(err))
 		return nil, err
 	}
-	cm := configmgr.New(logger, pm, c.OrbAgent.ConfigManager)
 
-	return &orbAgent{logger: logger, config: c, policyManager: pm, configManager: cm, groupsInfos: make(map[string]groupInfo)}, nil
+	sm := secretsmgr.New(logger, c.OrbAgent.SecretsManger)
+
+	cm := configmgr.New(logger, pm, sm, c.OrbAgent.ConfigManager)
+
+	return &orbAgent{
+		logger: logger, config: c, policyManager: pm, configManager: cm,
+		secretsManager: sm, groupsInfos: make(map[string]groupInfo),
+	}, nil
 }
 
 func (a *orbAgent) startBackends(agentCtx context.Context) error {
@@ -143,6 +151,11 @@ func (a *orbAgent) Start(ctx context.Context, cancelFunc context.CancelFunc) err
 	a.cancelFunction = cancelFunc
 	a.logger.Info("agent started", zap.String("version", version.GetBuildVersion()), zap.Any("routine", agentCtx.Value(routineKey)))
 
+	if err := a.secretsManager.Start(ctx); err != nil {
+		a.logger.Error("error during start secrets manager", zap.Error(err))
+		return err
+	}
+
 	if err := a.startBackends(ctx); err != nil {
 		return err
 	}

agent/config/types.go

@@ -32,16 +32,37 @@ type GitManager struct {
 	PrivateKey string  `mapstructure:"private_key"`
 }
 
-// ManagerSources represents the configuration for manager sources, including cloud, local and git.
-type ManagerSources struct {
+// Sources represents the configuration for manager sources, including cloud, local and git.
+type Sources struct {
 	Local LocalManager `mapstructure:"local"`
 	Git   GitManager   `mapstructure:"git"`
 }
 
 // ManagerConfig represents the configuration for the Config Manager
 type ManagerConfig struct {
+	Active  string  `mapstructure:"active"`
+	Sources Sources `mapstructure:"sources"`
+}
+
+// VaultManager represents the configuration for the Vault manager
+type VaultManager struct {
+	Auth      string         `yaml:"auth"`
+	AuthArgs  map[string]any `mapstructure:"auth_args"`
+	Address   string         `yaml:"address"`
+	Namespace string         `yaml:"namespace"`
+	Timeout   *int           `yaml:"timeout,omitempty"`
+	Schedule  *string        `yaml:"schedule,omitempty"`
+}
+
+// SecretsSources represents the configuration for manager sources, including vault.
+type SecretsSources struct {
+	Vault VaultManager `mapstructure:"vault"`
+}
+
+// ManagerSecrets represents the configuration for the Secrets Manager
+type ManagerSecrets struct {
 	Active  string         `mapstructure:"active"`
-	Sources ManagerSources `mapstructure:"sources"`
+	Sources SecretsSources `mapstructure:"sources"`
 }
 
 // BackendCommons represents common configuration for backends
@@ -64,6 +85,7 @@ type OrbAgent struct {
 	Policies      map[string]map[string]any `mapstructure:"policies"`
 	Labels        map[string]string         `mapstructure:"labels"`
 	ConfigManager ManagerConfig             `mapstructure:"config_manager"`
+	SecretsManger ManagerSecrets            `mapstructure:"secrets_manager"`
 	Debug         struct {
 		Enable bool `mapstructure:"enable"`
 	} `mapstructure:"debug"`

agent/configmgr/git.go

@@ -24,13 +24,15 @@ import (
 	"github.com/netboxlabs/orb-agent/agent/backend"
 	"github.com/netboxlabs/orb-agent/agent/config"
 	"github.com/netboxlabs/orb-agent/agent/policymgr"
+	"github.com/netboxlabs/orb-agent/agent/secretsmgr"
 )
 
 var _ Manager = (*gitConfigManager)(nil)
 
 type gitConfigManager struct {
 	logger           *zap.Logger
 	pMgr             policymgr.PolicyManager
+	sMgr             secretsmgr.Manager
 	config           config.GitManager
 	scheduler        gocron.Scheduler
 	repo             *gitv5.Repository
@@ -157,6 +159,11 @@ func (gc *gitConfigManager) applyPolicies(policies policyData, backends map[stri
 				Version:   gc.version,
 				Data:      data,
 			}
+			var err error
+			payload, err = gc.sMgr.SolveSecrets(payload)
+			if err != nil {
+				return err
+			}
 			gc.pMgr.ManagePolicy(payload)
 		}
 	}

agent/configmgr/local.go

@@ -10,13 +10,15 @@ import (
 	"github.com/netboxlabs/orb-agent/agent/backend"
 	"github.com/netboxlabs/orb-agent/agent/config"
 	"github.com/netboxlabs/orb-agent/agent/policymgr"
+	"github.com/netboxlabs/orb-agent/agent/secretsmgr"
 )
 
 var _ Manager = (*localConfigManager)(nil)
 
 type localConfigManager struct {
 	logger *zap.Logger
 	pMgr   policymgr.PolicyManager
+	sMgr   secretsmgr.Manager
 	config config.LocalManager
 }
 
@@ -37,6 +39,11 @@ func (lc *localConfigManager) Start(cfg config.Config, backends map[string]backe
 				ID: policyID, Action: "manage",
 				Name: pName, DatasetID: id, Backend: beName, Version: 1, Data: data,
 			}
+			var err error
+			payload, err = lc.sMgr.SolveSecrets(payload)
+			if err != nil {
+				return err
+			}
 			lc.pMgr.ManagePolicy(payload)
 		}
 

agent/configmgr/manager.go

@@ -8,6 +8,7 @@ import (
 	"github.com/netboxlabs/orb-agent/agent/backend"
 	"github.com/netboxlabs/orb-agent/agent/config"
 	"github.com/netboxlabs/orb-agent/agent/policymgr"
+	"github.com/netboxlabs/orb-agent/agent/secretsmgr"
 )
 
 // Manager is the interface for configuration manager
@@ -17,13 +18,13 @@ type Manager interface {
 }
 
 // New creates a new instance of ConfigManager based on the configuration
-func New(logger *zap.Logger, mgr policymgr.PolicyManager, c config.ManagerConfig) Manager {
+func New(logger *zap.Logger, pMgr policymgr.PolicyManager, sMgr secretsmgr.Manager, c config.ManagerConfig) Manager {
 	switch c.Active {
 	case "local":
-		return &localConfigManager{logger: logger, pMgr: mgr, config: c.Sources.Local}
+		return &localConfigManager{logger: logger, pMgr: pMgr, sMgr: sMgr, config: c.Sources.Local}
 	case "git":
-		return &gitConfigManager{logger: logger, pMgr: mgr, config: c.Sources.Git}
+		return &gitConfigManager{logger: logger, pMgr: pMgr, sMgr: sMgr, config: c.Sources.Git}
 	default:
-		return &localConfigManager{logger: logger, pMgr: mgr, config: c.Sources.Local}
+		return &localConfigManager{logger: logger, pMgr: pMgr, sMgr: sMgr, config: c.Sources.Local}
 	}
 }

agent/secretsmgr/manager.go

@@ -0,0 +1,41 @@
+package secretsmgr
+
+import (
+	"context"
+
+	"go.uber.org/zap"
+
+	"github.com/netboxlabs/orb-agent/agent/config"
+)
+
+// Manager is an interface for managing secrets
+type Manager interface {
+	Start(ctx context.Context) error
+	RegisterUpdateCallback(callback func([]string))
+	SolveSecrets(payload config.PolicyPayload) (config.PolicyPayload, error)
+}
+
+// New creates a new instance of ConfigManager based on the configuration
+func New(logger *zap.Logger, c config.ManagerSecrets) Manager {
+	switch c.Active {
+	case "vault":
+		return &vaultManager{logger: logger, config: c.Sources.Vault}
+	default:
+		return &dummyManager{}
+	}
+}
+
+var _ Manager = (*dummyManager)(nil)
+
+type dummyManager struct{}
+
+func (v *dummyManager) Start(_ context.Context) error {
+	return nil
+}
+
+func (v *dummyManager) RegisterUpdateCallback(_ func([]string)) {
+}
+
+func (v *dummyManager) SolveSecrets(payload config.PolicyPayload) (config.PolicyPayload, error) {
+	return payload, nil
+}