Skip to main content

Crate cellos_broker_file

Crate cellos_broker_file 

Source
Expand description

SecretBroker that reads secret values from filesystem paths.

§Motivation

Many production runtimes deliver secrets as files rather than environment variables:

  • Kubernetes mounted secrets (/run/secrets/<name> or a volume mount path)
  • Docker secrets (/run/secrets/<name>)
  • systemd credentials (/run/credentials/<unit>/name)
  • HashiCorp Vault Agent writing rendered templates to tmpfs
  • CI systems injecting secrets into a tmpfs path before the job starts

This broker maps each logical secret key to a file path via an environment variable, reads the file at resolve time, and returns its contents as a SecretView.

§Configuration

For each secret key, set:

CELLOS_SECRET_FILE_<UPPER_KEY>=<path>

The key is uppercased and hyphens are replaced with underscores to form the env var suffix.

Examples:

CELLOS_SECRET_FILE_DB_PASSWORD=/run/secrets/db-password
CELLOS_SECRET_FILE_API_TOKEN=/run/credentials/myapp.service/api-token

These would resolve for secretRefs: ["DB_PASSWORD", "API_TOKEN"] in the cell spec.

§Security properties

  • File path is operator-controlled via env var — the broker reads only the configured path.
  • No persistent in-process state. Credentials are not cached between resolve calls.
  • Contents are returned as SecretView which is ZeroizeOnDrop — bytes are overwritten when the supervisor is done with them, before export or destroy phases.
  • Trailing newlines are stripped (standard file-based secret convention).
  • O_NOFOLLOW on the final path component (Unix) — if an attacker with write access to the parent directory swaps the configured secret file for a symlink to /etc/shadow, the open errors out instead of exfiltrating the target. Mirrors cellos-core::trust_keys::load_trust_verify_keys_file (SEC-15b). Windows lacks an O_NOFOLLOW analogue in std, so it falls back to tokio::fs::read_to_string.

§Revocation

revoke_for_cell is a documented no-op: this broker holds no persistent state between calls. Isolation relies on the cell model’s teardown semantics (cleared subprocess env, short TTLs) and the file’s own lifecycle on the host.

§Correlation propagation (Tranche-1 seam-freeze G1)

Filesystem secrets are stamped before the supervisor starts (Kubernetes / systemd / Vault Agent / CI) so this broker has no upstream session of its own and returns None from SecretBroker::broker_correlation_id. The supervisor falls back to the operator-supplied spec.correlation.correlationId for cross-tool correlation in that case.

Structs§

FileSecretBroker
Resolves secrets from filesystem files using CELLOS_SECRET_FILE_<UPPER_KEY>=<path>.