greentic-secrets-core 0.3.0

Core runtime and backend orchestration for Greentic secrets.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91

# Greentic Secrets Core

`greentic-secrets-core` is the embedded runtime that powers the Greentic
secrets platform. It provides a pluggable `SecretsCore` builder, optional local
cache, and a common trait surface so credential providers can be swapped without
changing application logic.

The library compiles down to a single dependency-free crate by default while
allowing cloud backends to be pulled in behind feature flags. When published to
crates.io the crate name is `greentic-secrets-core`, but the compiled library
exports as `secrets_core` for continuity with earlier versions.

## Installation

```shell
cargo add greentic-secrets-core
```

By default the crate enables the lightweight `env` and `file` backends. You can
opt into additional integrations through feature flags:

| Feature | Purpose | Notes |
| --- | --- | --- |
| `env` (default) | Pull secrets from process environment variables | No async runtime required |
| `file` (default) | Read secrets from disk snapshots | Useful for local development |
| `aws` | AWS Secrets Manager integration | Pair with `greentic-secrets-provider-aws-sm` |
| `gcp` | Google Secret Manager integration | Pair with `greentic-secrets-provider-gcp-sm` |
| `azure` | Azure Key Vault integration | Pair with `greentic-secrets-provider-azure-kv` |
| `k8s` | Kubernetes Secrets integration | Pair with `greentic-secrets-provider-k8s` |
| `nats` | Emit invalidation events over NATS | Pulls in `tokio` and `async-nats` |
| `imds` | Access cloud metadata services | Activates `reqwest` (Rustls TLS only) |
| `schema` | Generate JSON schema for `SecretSpec` | Enables `schemars` |
| `xchacha` | Use XChaCha20-Poly1305 envelopes | Optional stronger envelope encryption |

## Quick Start

```rust
use secrets_core::SecretsCore;
use std::time::Duration;

# tokio::runtime::Runtime::new().unwrap().block_on(async {
let core = SecretsCore::builder()
    .tenant("example-tenant")
    .default_ttl(Duration::from_secs(600))
    .build()
    .await?;

let password = core
    .get_text("secrets://dev/example-tenant/_/configs/db_password")
    .await?;
println!("db_password: {password:?}");
# Ok::<(), secrets_core::Error>(())
# });
```

See the repository root [`docs/embedded.md`](../docs/embedded.md) for
configuration knobs (TTL, cache backends, invalidation semantics) and
[`docs/backends.md`](../docs/backends.md) for backend mapping rules.

## Working with Providers

Cloud-specific providers live in sibling crates (for example
`greentic-secrets-provider-aws-sm`). Each provider implements
`SecretsBackend` and `KeyProvider`, so you can compose the pieces that match
your deployment while still depending on `greentic-secrets-core` from your
application crate.

```toml
[dependencies]
greentic-secrets-core = { version = "0.1", features = ["aws"] }
greentic-secrets-provider-aws-sm = "0.1"
```

```rust
use secrets_core::{SecretsBroker, SecretsCore};
use secrets_provider_aws_sm::build_backend;

let SecretsBroker { backend, key_provider } = build_backend()?;
let core = SecretsCore::builder()
    .with_backend(backend)
    .with_key_provider(key_provider)
    .build()
    .await?;
```

For additional samples, browse the `examples/` directory or run
`cargo run --example put_get_json` inside the workspace.

## License

Licensed under the terms of the MIT license.