NationTech/harmony
5
0
Fork 2
Code Issues 37 Pull Requests 16 Actions Packages Projects Releases 1 Wiki Activity

feat/secrets #111

Merged
johnride merged 3 commits from feat/secrets into master 2025-08-19 16:23:52 +00:00
Conversation 0 Commits 3 Files Changed 14 +726 -31
johnride commented 2025-08-16 15:22:38 +00:00
Owner
Copy Link

This pull request introduces a comprehensive and ergonomic secret management system via a new harmony-secret crate.

What's Done

  • New harmony-secret Crate:

    • A new crate dedicated to secret management, providing a clean, static API: SecretManager::get::<MySecret>() and SecretManager::set(&my_secret).
    • A #[derive(Secret)] procedural macro that automatically uses the struct's name as the secret key, simplifying usage.
    • An async SecretStore trait to support various backend implementations.

  • Two Secret Store Implementations:

    • LocalFileSecretStore: A simple file-based store that saves secrets as JSON in the user's data directory. Ideal for local development and testing.
    • InfisicalSecretStore: A production-ready implementation that integrates with Infisical for centralized, secure secret management.

  • Configuration via Environment Variables:

    • The secret store is selected at runtime via the HARMONY_SECRET_STORE environment variable (file or infisical).
    • Infisical integration is configured through HARMONY_SECRET_INFISICAL_* variables.

What's Not Done (Future Work)

  • Automated Infisical Setup: The initial configuration for the Infisical backend is currently manual. Developers must create a project and a Universal Auth identity in Infisical and set the corresponding environment variables to run tests or use the backend. The new test_harmony_secret_infisical.sh script serves as a clear example of the required variables.

This new secrets module provides a solid and secure foundation for managing credentials for components like OPNsense, Kubernetes, and other infrastructure services going forward. Even with the manual first-time setup for Infisical, this architecture is robust enough to serve our needs for the foreseeable future.

This pull request introduces a comprehensive and ergonomic secret management system via a new `harmony-secret` crate. #### **What's Done** * **New `harmony-secret` Crate:** * A new crate dedicated to secret management, providing a clean, static API: `SecretManager::get::<MySecret>()` and `SecretManager::set(&my_secret)`. * A `#[derive(Secret)]` procedural macro that automatically uses the struct's name as the secret key, simplifying usage. * An `async SecretStore` trait to support various backend implementations. * **Two Secret Store Implementations:** * **`LocalFileSecretStore`**: A simple file-based store that saves secrets as JSON in the user's data directory. Ideal for local development and testing. * **`InfisicalSecretStore`**: A production-ready implementation that integrates with [Infisical](https://infisical.com/) for centralized, secure secret management. * **Configuration via Environment Variables:** * The secret store is selected at runtime via the `HARMONY_SECRET_STORE` environment variable (`file` or `infisical`). * Infisical integration is configured through `HARMONY_SECRET_INFISICAL_*` variables. #### **What's Not Done (Future Work)** * **Automated Infisical Setup:** The initial configuration for the Infisical backend is currently manual. Developers must create a project and a Universal Auth identity in Infisical and set the corresponding environment variables to run tests or use the backend. The new `test_harmony_secret_infisical.sh` script serves as a clear example of the required variables. This new secrets module provides a solid and secure foundation for managing credentials for components like OPNsense, Kubernetes, and other infrastructure services going forward. Even with the manual first-time setup for Infisical, this architecture is robust enough to serve our needs for the foreseeable future.
johnride added 1 commit 2025-08-16 15:22:42 +00:00
feat: WIP add secrets module and macro crate 2a6a233fb2
johnride force-pushed feat/secrets from a1e4154da3 to 9c5d1bd27f 2025-08-16 15:29:27 +00:00 Compare
johnride force-pushed feat/secrets from 9c5d1bd27f to 26e8e386b9 2025-08-19 15:59:40 +00:00 Compare
johnride added 1 commit 2025-08-19 16:00:43 +00:00
Merge remote-tracking branch 'origin/master' into feat/secrets
All checks were successful
Run Check Script / check (pull_request) Successful in 1m9s
Details
70a65ed5d0
johnride merged commit 1eaf63417b into master 2025-08-19 16:23:52 +00:00
johnride deleted branch feat/secrets 2025-08-19 16:24:06 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
Architecture Decision Record
Good first issue
RFC
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
johnride jvtrudel letian stremblay wjro
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: NationTech/harmony#111
No description provided.
Delete Branch "feat/secrets"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?