ZLayer Secrets Management
Provides secure storage and retrieval of secrets for container workloads.
§Scoping
Secrets are organized hierarchically:
- Deployment-level: Shared by all services in a deployment
- Service-level: Specific to a single service
§Syntax
- $S:secret-name - Deployment-level secret
- $S:@service/secret-name - Service-specific secret
- $secret://<env>/<KEY> - Environment-scoped secret (requires an EnvScopeProvider wired via SecretsResolver::with_env_resolver)
- $secret://<env>/<KEY>/<field> - With JSON field extraction
Re-exports§
- pub use cluster_dek::ClusterDek;
- pub use raft_sm::SecretsState;
- pub use raft_store::RaftSecretsHandle;
- pub use raft_store::RaftSecretsStore;
- pub use sealed::RecipientPrivateKey;
- pub use client_keys::ClientKeyStore;
- pub use client_keys::PersistentClientKeyStore;
- pub use credentials::CredentialStore;
- pub use git_credentials::GitCredentialStore;
- pub use registry_credentials::RegistryCredentialStore;
Modules§
- client_keys - Persistent storage for SDK / browser client public keys, used as recipients for sealed-box secret reads. Shares the secrets SQLite database with PersistentSecretsStore.
- cluster_dek - Cluster Data Encryption Key (DEK) primitives for Phase 1 cluster-replicated secrets.
- credentials - Credential store for API authentication.
- git_credentials - Typed credential store for Git authentication (PAT or SSH key).
- raft_sm - In-memory state and apply logic for the cluster secrets state machine.
- raft_store - Cluster-replicated secrets store backed by openraft.
- registry_credentials - Typed credential store for Docker/OCI registry authentication.
- sealed - NaCl sealed-box wrapper for recipient-encrypted secret reads.
Structs§
- ClientPublicKey - A registered client public key bound to an actor.
- EncryptionKey - Encryption key with secure memory handling.
- GitCredential - Git authentication credential metadata.
- JwtSecretManager - Manages the API daemon’s JWT signing secret.
- KeyManager - Manages encryption keys for secret storage.
- PersistentSecretsStore - Persistent secrets store backed by SQLite with encryption.
- RecipientPublicKey - A 32-byte X25519 recipient public key.
- RegistryCredential - Docker/OCI registry credential metadata.
- RotationResult - Result of a secret rotation — records the version before and after the rotate call.
- SealedSecret - A sealed secret payload — recipient-encrypted ciphertext plus identifying metadata.
- Secret - A secure secret wrapper that provides memory safety guarantees.
- SecretMetadata - Metadata associated with a stored secret.
- SecretRef - A reference to a secret, parsed from the $S: prefix syntax.
- SecretsResolver - Resolver for secret references in configuration values.
Enums§
- ActorKind - The kind of actor a registered client key belongs to.
- GitCredentialKind - The kind of Git credential.
- RegistryAuthType - Authentication method for a registry credential.
- SealedError - Errors produced by sealed-box operations.
- SecretScope - The scope of a secret - determines visibility and access.
- SecretsError - Error type for secrets operations.
Constants§
- ENV_JWT_SECRET - Environment variable name for the operator-supplied JWT secret.
Traits§
- EnvScopeProvider - Resolves an environment name-or-id to the scope string used by the underlying SecretsStore.
- SecretsProvider - Read-only secrets provider trait.
- SecretsStore - Read-write secrets store trait.
Functions§
- load_or_generate_node_keypair - Load the existing node keypair from {base_dir}/node_secrets.key, or generate a new one and persist it (Unix mode 0600) if the file does not exist yet.
- node_secrets_key_path - Path of the on-disk node X25519 keypair (raw 32-byte private key bytes, Unix mode 0600).
Type Aliases§
- Result - Convenience Result alias parameterised over SecretsError.