Crate zlayer_secrets

Source

Expand description

ZLayer Secrets Management

Provides secure storage and retrieval of secrets for container workloads.

§Scoping

Secrets are organized hierarchically:

Deployment-level: Shared by all services in a deployment
Service-level: Specific to a single service

§Syntax

$S:secret-name - Deployment-level secret
$S:@service/secret-name - Service-specific secret
$secret://<env>/<KEY> - Environment-scoped secret (requires an EnvScopeProvider wired via SecretsResolver::with_env_resolver)
$secret://<env>/<KEY>/<field> - With JSON field extraction

Re-exports§

pub use cluster_dek::ClusterDek;
pub use node_effects::NodeSideEffects;
pub use raft_sm::SecretsState;
pub use raft_store::RaftSecretsHandle;
pub use raft_store::RaftSecretsStore;
pub use sealed::RecipientPrivateKey;
pub use client_keys::ClientKeyStore;
pub use client_keys::PersistentClientKeyStore;
pub use credentials::CredentialStore;
pub use git_credentials::GitCredentialStore;
pub use registry_credentials::RegistryCredentialStore;

Modules§

client_keys: Persistent storage for SDK / browser client public keys, used as recipients for sealed-box secret reads. Shares the secrets SQLite database with PersistentSecretsStore.
cluster_dek: Cluster Data Encryption Key (DEK) primitives for Phase 1 cluster-replicated secrets.
credentials: Credential store for API authentication.
git_credentials: Typed credential store for Git authentication (PAT or SSH key).
node_effects: Node-local side-effect channel fired by the Raft apply wrapper.
raft_sm: In-memory state and apply logic for the cluster secrets state machine.
raft_store: Cluster-replicated secrets store backed by openraft.
registry_credentials: Typed credential store for Docker/OCI registry authentication.
sealed: NaCl sealed-box wrapper for recipient-encrypted secret reads.

Structs§

ClientPublicKey: A registered client public key bound to an actor.
ClusterCa: Long-lived cluster CA keypair.
ClusterSigner: Ed25519 keypair used to sign cluster join tokens.
EncryptionKey: Encryption key with secure memory handling.
FileBackend: File-backed SigningBackend implementation.
GitCredential: Git authentication credential metadata.
JwtSecretManager: Manages the API daemon’s JWT signing secret.
KeyManager: Manages encryption keys for secret storage.
KeystoreRotationResult: The outcome of a rotate_keystore call.
PersistentSecretsStore: Persistent secrets store backed by SQLite with encryption.
PubkeyInfo: One entry in the result of list_valid_pubkeys.
RecipientPublicKey: A 32-byte X25519 recipient public key.
RegistryCredential: Docker/OCI registry credential metadata.
RotationResult: Result of a secret rotation — records the version before and after the rotate call.
SealedSecret: A sealed secret payload — recipient-encrypted ciphertext plus identifying metadata.
Secret: A secure secret wrapper that provides memory safety guarantees.
SecretMetadata: Metadata associated with a stored secret.
SecretRef: A reference to a secret, parsed from the $S: prefix syntax.
SecretsResolver: Resolver for secret references in configuration values.
WorkerBootstrapClaims: Token claims (the signed portion).
WorkerBootstrapToken: Full signed token (claims + signer kid + signature).
WorkerCa: Worker certificate authority.

Enums§

ActorKind: The kind of actor a registered client key belongs to.
GitCredentialKind: The kind of Git credential.
PubkeyStatus: Status of a key returned by list_valid_pubkeys.
RegistryAuthType: Authentication method for a registry credential.
SealedError: Errors produced by sealed-box operations.
SecretScope: The scope of a secret - determines visibility and access.
SecretsError: Error type for secrets operations.

Constants§

DEFAULT_CA_VALIDITY_YEARS: Default CA-cert validity (10 years). The CA is long-lived; rotation is a separate (manual, future) op.
DEFAULT_LEAF_VALIDITY_DAYS: Default leaf-cert validity (90 days). Workers must re-register before this expires; the control plane should rotate well in advance.
ENV_JWT_SECRET: Environment variable name for the operator-supplied JWT secret.
WORKER_CA_CERT_FILE: File name of the CA certificate (PEM, mode 0644).
WORKER_CA_KEY_FILE: File name of the CA private key (PEM PKCS#8, mode 0600).

Traits§

EnvScopeProvider: Resolves an environment name-or-id to the scope string used by the underlying SecretsStore.
SecretsProvider: Read-only secrets provider trait.
SecretsStore: Read-write secrets store trait.
SigningBackend: Abstract interface over a cluster-signing-key store.

Functions§

issue_worker_bootstrap_token: Issue a fresh bootstrap token signed by the supplied ClusterSigner.
list_valid_pubkeys: List every key in the keystore that is currently valid (active or in-grace and not yet expired).
load_or_generate_node_keypair: Load the existing node keypair from {base_dir}/node_secrets.key, or generate a new one and persist it (Unix mode 0600) if the file does not exist yet.
load_signer_for_kid: Load a ClusterSigner for a specific kid from the keystore at path if and only if that kid is currently trusted.
node_secrets_key_path: Path of the on-disk node X25519 keypair (raw 32-byte private key bytes, Unix mode 0600).
prune_expired_grace: Remove every keystore entry whose grace window has expired.
rotate_keystore: Rotate the cluster signing keystore at path: generate a fresh keypair, set it as active, and move the previous active key into the grace map with expiration now + grace.
verify_worker_bootstrap_token: Verify a token’s signature, domain tag, and expiry. The caller is responsible for max_uses tracking (typically via the Raft FSM).

Type Aliases§

Result: Convenience Result alias parameterised over SecretsError.

Crate zlayer_secrets

Crate zlayer_secrets Copy item path

§Scoping

§Syntax

Re-exports§

Modules§

Structs§

Enums§

Constants§

Traits§

Functions§

Type Aliases§

Crate zlayer_secrets