nyl 0.4.1

Kubernetes manifest generator with Helm integration
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317

/// Secrets management module
///
/// This module provides a pluggable secret provider system for managing
/// sensitive configuration values.
///
/// Phase 2: NullProvider only
/// Phase 3: SOPS and Kubernetes providers
use crate::{NylError, Result};
use serde::{Deserialize, Serialize};
use std::collections::HashMap;
use std::path::{Path, PathBuf};

mod null;
pub use null::NullProvider;

/// A secret value that can be a string or structured data
#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
#[serde(untagged)]
pub enum SecretValue {
    /// Simple string secret
    String(String),

    /// Structured secret (JSON object)
    Object(HashMap<String, serde_json::Value>),

    /// Array secret
    Array(Vec<serde_json::Value>),

    /// Other JSON value
    Value(serde_json::Value),
}

impl From<String> for SecretValue {
    fn from(s: String) -> Self {
        SecretValue::String(s)
    }
}

impl From<&str> for SecretValue {
    fn from(s: &str) -> Self {
        SecretValue::String(s.to_string())
    }
}

/// Trait for secret providers
///
/// Secret providers manage encrypted or external secret storage
pub trait SecretProvider: Send + Sync {
    /// Initialize the provider with a configuration file
    ///
    /// # Arguments
    /// * `config_file` - Path to the secrets configuration file
    fn init(&mut self, config_file: &Path) -> Result<()>;

    /// List all available secret keys
    fn keys(&self) -> Result<Vec<String>>;

    /// Get a secret value by key
    ///
    /// # Arguments
    /// * `key` - Secret key to retrieve
    fn get(&self, key: &str) -> Result<SecretValue>;

    /// Set a secret value
    ///
    /// # Arguments
    /// * `key` - Secret key to set
    /// * `value` - Secret value to store
    fn set(&mut self, key: &str, value: SecretValue) -> Result<()>;

    /// Remove a secret
    ///
    /// # Arguments
    /// * `key` - Secret key to remove
    fn unset(&mut self, key: &str) -> Result<()>;
}

/// Configuration for secret providers
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(tag = "type", rename_all = "lowercase")]
pub enum SecretProviderConfig {
    /// Null provider (no encryption, in-memory only)
    Null(NullProviderConfig),
    // Phase 3: Additional providers
    // Sops(SopsProviderConfig),
    // Kubernetes(KubernetesProviderConfig),
}

/// Configuration for the null provider
#[derive(Debug, Clone, Serialize, Deserialize, Default)]
pub struct NullProviderConfig {
    // No configuration needed for null provider
}

impl Default for SecretProviderConfig {
    fn default() -> Self {
        SecretProviderConfig::Null(NullProviderConfig::default())
    }
}

/// Secrets configuration manager
///
/// Manages loading and accessing secret providers
pub struct SecretsConfig {
    /// Path to the secrets configuration file
    pub file: Option<PathBuf>,

    /// The configured secret provider
    provider: Box<dyn SecretProvider>,
}

impl std::fmt::Debug for SecretsConfig {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("SecretsConfig")
            .field("file", &self.file)
            .field("provider", &"<SecretProvider>")
            .finish()
    }
}

impl SecretsConfig {
    /// Secrets configuration filenames in priority order
    pub const FILENAMES: &'static [&'static str] = &["nyl-secrets.yaml", "nyl-secrets.json"];

    /// Load secrets configuration
    ///
    /// # Arguments
    /// * `file` - Optional explicit file path
    ///
    /// # Returns
    /// SecretsConfig with initialized provider
    pub fn load(file: Option<PathBuf>) -> Result<Self> {
        Self::load_from_dir(file, None)
    }

    /// Load secrets configuration from a specific directory context
    ///
    /// # Arguments
    /// * `file` - Optional explicit file path
    /// * `dir` - Optional directory to search from (defaults to current directory)
    ///
    /// # Returns
    /// SecretsConfig with initialized provider
    pub fn load_from_dir(file: Option<PathBuf>, dir: Option<&Path>) -> Result<Self> {
        let file = match file {
            Some(f) => Some(f),
            None => Self::find_secrets_file_in_dir(dir)?,
        };

        if let Some(ref path) = file {
            Self::load_from_file(path)
        } else {
            // No secrets file found, use default (Null provider)
            Ok(Self {
                file: None,
                provider: Box::new(NullProvider::new()),
            })
        }
    }

    /// Find secrets configuration file in a specific directory
    fn find_secrets_file_in_dir(dir: Option<&Path>) -> Result<Option<PathBuf>> {
        crate::util::fs::find_config_file(Self::FILENAMES, dir, false)
    }

    /// Load secrets configuration from file
    fn load_from_file(path: &Path) -> Result<Self> {
        if !path.exists() {
            return Err(NylError::Config(format!(
                "Secrets file does not exist: {}",
                path.display()
            )));
        }

        tracing::debug!("Reading secrets file: {}", path.display());

        let contents = std::fs::read_to_string(path)?;

        let config: SecretProviderConfig = if path.extension().and_then(|s| s.to_str()) == Some("json") {
            serde_json::from_str(&contents)
                .map_err(|e| NylError::Config(format!("Failed to parse secrets JSON: {}", e)))?
        } else {
            serde_norway::from_str(&contents)
                .map_err(|e| NylError::Config(format!("Failed to parse secrets YAML: {}", e)))?
        };

        let mut provider = Self::create_provider(&config)?;
        provider.init(path)?;

        Ok(Self {
            file: Some(path.to_path_buf()),
            provider,
        })
    }

    /// Create a provider instance from configuration
    fn create_provider(config: &SecretProviderConfig) -> Result<Box<dyn SecretProvider>> {
        match config {
            SecretProviderConfig::Null(_) => Ok(Box::new(NullProvider::new())),
            // Phase 3: Add other providers
        }
    }

    /// Get a secret value
    pub fn get(&self, key: &str) -> Result<SecretValue> {
        self.provider.get(key)
    }

    /// Set a secret value
    pub fn set(&mut self, key: &str, value: SecretValue) -> Result<()> {
        self.provider.set(key, value)
    }

    /// Remove a secret
    pub fn unset(&mut self, key: &str) -> Result<()> {
        self.provider.unset(key)
    }

    /// List all secret keys
    pub fn keys(&self) -> Result<Vec<String>> {
        self.provider.keys()
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use std::fs;
    use tempfile::TempDir;

    #[test]
    fn test_secret_value_string() {
        let value = SecretValue::from("test-secret");
        match value {
            SecretValue::String(s) => assert_eq!(s, "test-secret"),
            _ => panic!("Expected String variant"),
        }
    }

    #[test]
    fn test_secret_value_deserialization() {
        let json = r#""simple-string""#;
        let value: SecretValue = serde_json::from_str(json).unwrap();
        assert_eq!(value, SecretValue::String("simple-string".to_string()));

        let json = r#"{"key": "value"}"#;
        let value: SecretValue = serde_json::from_str(json).unwrap();
        match value {
            SecretValue::Object(map) => {
                assert_eq!(map.get("key").unwrap(), "value");
            }
            _ => panic!("Expected Object variant"),
        }
    }

    #[test]
    fn test_secrets_config_default() {
        let temp = TempDir::new().unwrap();

        let config = SecretsConfig::load_from_dir(None, Some(temp.path())).unwrap();
        assert!(config.file.is_none());

        // Default provider should be NullProvider - it returns empty keys
        assert!(config.keys().unwrap().is_empty());
    }

    #[test]
    fn test_secrets_config_load_null_provider() {
        let temp = TempDir::new().unwrap();
        let secrets_path = temp.path().join("nyl-secrets.yaml");

        fs::write(&secrets_path, "type: null\n").unwrap();

        let config = SecretsConfig::load_from_file(&secrets_path).unwrap();
        assert_eq!(config.file, Some(secrets_path));
        assert!(config.keys().unwrap().is_empty());
    }

    #[test]
    fn test_secrets_config_operations() {
        let mut config = SecretsConfig {
            file: None,
            provider: Box::new(NullProvider::new()),
        };

        // Set a secret
        config.set("api_key", SecretValue::from("secret-123")).unwrap();

        // Get the secret
        let value = config.get("api_key").unwrap();
        assert_eq!(value, SecretValue::String("secret-123".to_string()));

        // List keys
        let keys = config.keys().unwrap();
        assert_eq!(keys, vec!["api_key"]);

        // Unset the secret
        config.unset("api_key").unwrap();
        assert!(config.keys().unwrap().is_empty());
    }

    #[test]
    fn test_secrets_config_missing_file() {
        let temp = TempDir::new().unwrap();
        let missing = temp.path().join("missing.yaml");

        let result = SecretsConfig::load_from_file(&missing);
        assert!(result.is_err());
    }

    #[test]
    fn test_secret_provider_config_deserialization() {
        let yaml = "type: null\n";
        let config: SecretProviderConfig = serde_norway::from_str(yaml).unwrap();
        assert!(matches!(config, SecretProviderConfig::Null(_)));
    }
}