feat(managed-secrets): add centrally managed secrets with GITOPS_ prefix pushed to multiple targets

Introduce managed secrets owned by GitOps that can be defined once and pushed to any combination of projects/groups across connections. Values are stored in OS keychain, secrets appear on targets as GITOPS_{key}.
2026-02-28 23:43:32 +00:00
parent 78247c1d41
commit 75d35405dc
17 changed files with 1302 additions and 4 deletions
--- a/ts/classes/gitopsapp.ts
+++ b/ts/classes/gitopsapp.ts
@@ -3,6 +3,7 @@ import { logger } from '../logging.ts';
 import { ConnectionManager } from './connectionmanager.ts';
 import { ActionLog } from './actionlog.ts';
 import { SyncManager } from './syncmanager.ts';
+import { ManagedSecretsManager } from './managedsecrets.manager.ts';
 import { OpsServer } from '../opsserver/index.ts';
 import { StorageManager } from '../storage/index.ts';
 import { CacheDb, CacheCleaner, CachedProject, CachedSecret, SecretsScanService } from '../cache/index.ts';
@@ -20,6 +21,7 @@ export class GitopsApp {
  public cacheDb: CacheDb;
  public cacheCleaner: CacheCleaner;
  public syncManager!: SyncManager;
+  public managedSecretsManager!: ManagedSecretsManager;
  public secretsScanService!: SecretsScanService;
  private scanIntervalId: number | null = null;
  private paths: ReturnType<typeof resolvePaths>;
@@ -55,6 +57,14 @@ export class GitopsApp {
    // Initialize connection manager (loads saved connections)
    await this.connectionManager.init();

+    // Initialize managed secrets manager
+    this.managedSecretsManager = new ManagedSecretsManager(
+      this.storageManager,
+      this.smartSecret,
+      this.connectionManager,
+    );
+    await this.managedSecretsManager.init();
+
    // Initialize sync manager
    this.syncManager = new SyncManager(
      this.storageManager,
--- a/ts/classes/managedsecrets.manager.ts
+++ b/ts/classes/managedsecrets.manager.ts
@@ -0,0 +1,322 @@
+import * as plugins from '../plugins.ts';
+import { logger } from '../logging.ts';
+import type * as interfaces from '../../ts_interfaces/index.ts';
+import type { StorageManager } from '../storage/index.ts';
+import type { ConnectionManager } from './connectionmanager.ts';
+
+const MANAGED_SECRETS_PREFIX = '/managed-secrets/';
+const KEYCHAIN_PREFIX = 'keychain:';
+const KEYCHAIN_ID_PREFIX = 'gitops-msecret-';
+const SECRET_KEY_PREFIX = 'GITOPS_';
+
+export class ManagedSecretsManager {
+  private secrets: interfaces.data.IManagedSecretStored[] = [];
+
+  constructor(
+    private storageManager: StorageManager,
+    private smartSecret: plugins.smartsecret.SmartSecret,
+    private connectionManager: ConnectionManager,
+  ) {}
+
+  async init(): Promise<void> {
+    await this.loadSecrets();
+  }
+
+  // ---- Storage helpers ----
+
+  private keychainId(secretId: string): string {
+    return `${KEYCHAIN_ID_PREFIX}${secretId}`;
+  }
+
+  private prefixedKey(key: string): string {
+    return `${SECRET_KEY_PREFIX}${key}`;
+  }
+
+  private async loadSecrets(): Promise<void> {
+    const keys = await this.storageManager.list(MANAGED_SECRETS_PREFIX);
+    this.secrets = [];
+    for (const key of keys) {
+      const stored = await this.storageManager.getJSON<interfaces.data.IManagedSecretStored>(key);
+      if (stored) {
+        this.secrets.push(stored);
+      }
+    }
+    if (this.secrets.length > 0) {
+      logger.info(`Loaded ${this.secrets.length} managed secret(s)`);
+    }
+  }
+
+  private async persistSecret(stored: interfaces.data.IManagedSecretStored, realValue: string): Promise<void> {
+    // Store real value in keychain
+    await this.smartSecret.setSecret(this.keychainId(stored.id), realValue);
+    // Save JSON with sentinel
+    const jsonStored = { ...stored, value: `${KEYCHAIN_PREFIX}${this.keychainId(stored.id)}` };
+    await this.storageManager.setJSON(`${MANAGED_SECRETS_PREFIX}${stored.id}.json`, jsonStored);
+    // Update in-memory sentinel too
+    stored.value = jsonStored.value;
+  }
+
+  private async removeFromStorage(id: string): Promise<void> {
+    await this.smartSecret.deleteSecret(this.keychainId(id));
+    await this.storageManager.delete(`${MANAGED_SECRETS_PREFIX}${id}.json`);
+  }
+
+  private async getSecretValue(id: string): Promise<string | null> {
+    return await this.smartSecret.getSecret(this.keychainId(id));
+  }
+
+  private toApiModel(stored: interfaces.data.IManagedSecretStored): interfaces.data.IManagedSecret {
+    return {
+      id: stored.id,
+      key: stored.key,
+      description: stored.description,
+      targets: stored.targets,
+      targetStatuses: stored.targetStatuses,
+      createdAt: stored.createdAt,
+      updatedAt: stored.updatedAt,
+      lastPushedAt: stored.lastPushedAt,
+    };
+  }
+
+  // ---- Push logic ----
+
+  private async pushToTargets(
+    stored: interfaces.data.IManagedSecretStored,
+    mode: 'upsert' | 'delete',
+    targetsOverride?: interfaces.data.IManagedSecretTarget[],
+  ): Promise<interfaces.data.IManagedSecretTargetStatus[]> {
+    const targets = targetsOverride || stored.targets;
+    const value = mode === 'upsert' ? await this.getSecretValue(stored.id) : null;
+    const prefixedKey = this.prefixedKey(stored.key);
+    const results: interfaces.data.IManagedSecretTargetStatus[] = [];
+
+    for (const target of targets) {
+      const status: interfaces.data.IManagedSecretTargetStatus = {
+        connectionId: target.connectionId,
+        scope: target.scope,
+        scopeId: target.scopeId,
+        scopeName: target.scopeName,
+        status: 'pending',
+      };
+      try {
+        const provider = this.connectionManager.getProvider(target.connectionId);
+        if (mode === 'upsert') {
+          // Try update first; if it fails, create
+          try {
+            if (target.scope === 'project') {
+              await provider.updateProjectSecret(target.scopeId, prefixedKey, value!);
+            } else {
+              await provider.updateGroupSecret(target.scopeId, prefixedKey, value!);
+            }
+          } catch {
+            // Secret doesn't exist yet — create it
+            if (target.scope === 'project') {
+              await provider.createProjectSecret(target.scopeId, prefixedKey, value!);
+            } else {
+              await provider.createGroupSecret(target.scopeId, prefixedKey, value!);
+            }
+          }
+        } else {
+          // mode === 'delete'
+          try {
+            if (target.scope === 'project') {
+              await provider.deleteProjectSecret(target.scopeId, prefixedKey);
+            } else {
+              await provider.deleteGroupSecret(target.scopeId, prefixedKey);
+            }
+          } catch {
+            // Secret may not exist on target — that's fine
+          }
+        }
+        status.status = 'success';
+        status.lastPushedAt = Date.now();
+      } catch (err) {
+        status.status = 'error';
+        status.error = err instanceof Error ? err.message : String(err);
+      }
+      results.push(status);
+    }
+    return results;
+  }
+
+  // ---- Public API ----
+
+  async getAll(): Promise<interfaces.data.IManagedSecret[]> {
+    return this.secrets.map((s) => this.toApiModel(s));
+  }
+
+  async getById(id: string): Promise<interfaces.data.IManagedSecret | null> {
+    const stored = this.secrets.find((s) => s.id === id);
+    return stored ? this.toApiModel(stored) : null;
+  }
+
+  async create(
+    key: string,
+    value: string,
+    description: string | undefined,
+    targets: interfaces.data.IManagedSecretTarget[],
+  ): Promise<{
+    managedSecret: interfaces.data.IManagedSecret;
+    pushResults: interfaces.data.IManagedSecretTargetStatus[];
+  }> {
+    // Validate key
+    if (key.toUpperCase().startsWith(SECRET_KEY_PREFIX)) {
+      throw new Error(`Key must not start with ${SECRET_KEY_PREFIX} — the prefix is added automatically`);
+    }
+    if (this.secrets.some((s) => s.key === key)) {
+      throw new Error(`A managed secret with key "${key}" already exists`);
+    }
+
+    const now = Date.now();
+    const stored: interfaces.data.IManagedSecretStored = {
+      id: crypto.randomUUID(),
+      key,
+      description,
+      value: '', // will be set by persistSecret
+      targets,
+      targetStatuses: [],
+      createdAt: now,
+      updatedAt: now,
+    };
+
+    this.secrets.push(stored);
+    await this.persistSecret(stored, value);
+
+    // Push to all targets
+    const pushResults = await this.pushToTargets(stored, 'upsert');
+    stored.targetStatuses = pushResults;
+    stored.lastPushedAt = now;
+    stored.updatedAt = now;
+    await this.storageManager.setJSON(`${MANAGED_SECRETS_PREFIX}${stored.id}.json`, {
+      ...stored,
+      value: `${KEYCHAIN_PREFIX}${this.keychainId(stored.id)}`,
+    });
+
+    logger.info(`Created managed secret "${key}" with ${targets.length} target(s)`);
+    return { managedSecret: this.toApiModel(stored), pushResults };
+  }
+
+  async update(
+    id: string,
+    updates: {
+      value?: string;
+      description?: string;
+      targets?: interfaces.data.IManagedSecretTarget[];
+    },
+  ): Promise<{
+    managedSecret: interfaces.data.IManagedSecret;
+    pushResults: interfaces.data.IManagedSecretTargetStatus[];
+  }> {
+    const stored = this.secrets.find((s) => s.id === id);
+    if (!stored) throw new Error(`Managed secret not found: ${id}`);
+
+    const now = Date.now();
+
+    // Update value in keychain if provided
+    if (updates.value !== undefined) {
+      await this.smartSecret.setSecret(this.keychainId(id), updates.value);
+    }
+
+    if (updates.description !== undefined) {
+      stored.description = updates.description;
+    }
+
+    // Handle target changes — delete from removed targets
+    let removedTargets: interfaces.data.IManagedSecretTarget[] = [];
+    if (updates.targets !== undefined) {
+      const oldTargets = stored.targets;
+      const newTargetKeys = new Set(
+        updates.targets.map((t) => `${t.connectionId}:${t.scope}:${t.scopeId}`),
+      );
+      removedTargets = oldTargets.filter(
+        (t) => !newTargetKeys.has(`${t.connectionId}:${t.scope}:${t.scopeId}`),
+      );
+      stored.targets = updates.targets;
+    }
+
+    stored.updatedAt = now;
+
+    // Delete from removed targets
+    if (removedTargets.length > 0) {
+      await this.pushToTargets(stored, 'delete', removedTargets);
+    }
+
+    // Push to current targets
+    const pushResults = await this.pushToTargets(stored, 'upsert');
+    stored.targetStatuses = pushResults;
+    stored.lastPushedAt = now;
+
+    await this.storageManager.setJSON(`${MANAGED_SECRETS_PREFIX}${stored.id}.json`, {
+      ...stored,
+      value: `${KEYCHAIN_PREFIX}${this.keychainId(stored.id)}`,
+    });
+
+    logger.info(`Updated managed secret "${stored.key}"`);
+    return { managedSecret: this.toApiModel(stored), pushResults };
+  }
+
+  async delete(id: string): Promise<{
+    ok: boolean;
+    deleteResults: interfaces.data.IManagedSecretTargetStatus[];
+  }> {
+    const stored = this.secrets.find((s) => s.id === id);
+    if (!stored) throw new Error(`Managed secret not found: ${id}`);
+
+    // Best-effort: remove from all targets
+    const deleteResults = await this.pushToTargets(stored, 'delete');
+
+    // Remove from local storage regardless
+    const idx = this.secrets.indexOf(stored);
+    this.secrets.splice(idx, 1);
+    await this.removeFromStorage(id);
+
+    logger.info(`Deleted managed secret "${stored.key}"`);
+    return { ok: true, deleteResults };
+  }
+
+  async pushOne(id: string): Promise<{
+    managedSecret: interfaces.data.IManagedSecret;
+    pushResults: interfaces.data.IManagedSecretTargetStatus[];
+  }> {
+    const stored = this.secrets.find((s) => s.id === id);
+    if (!stored) throw new Error(`Managed secret not found: ${id}`);
+
+    const now = Date.now();
+    const pushResults = await this.pushToTargets(stored, 'upsert');
+    stored.targetStatuses = pushResults;
+    stored.lastPushedAt = now;
+    stored.updatedAt = now;
+
+    await this.storageManager.setJSON(`${MANAGED_SECRETS_PREFIX}${stored.id}.json`, {
+      ...stored,
+      value: `${KEYCHAIN_PREFIX}${this.keychainId(stored.id)}`,
+    });
+
+    return { managedSecret: this.toApiModel(stored), pushResults };
+  }
+
+  async pushAll(): Promise<
+    Array<{
+      managedSecretId: string;
+      key: string;
+      pushResults: interfaces.data.IManagedSecretTargetStatus[];
+    }>
+  > {
+    const results: Array<{
+      managedSecretId: string;
+      key: string;
+      pushResults: interfaces.data.IManagedSecretTargetStatus[];
+    }> = [];
+
+    for (const stored of this.secrets) {
+      const { pushResults } = await this.pushOne(stored.id);
+      results.push({
+        managedSecretId: stored.id,
+        key: stored.key,
+        pushResults,
+      });
+    }
+
+    return results;
+  }
+}
--- a/ts/opsserver/classes.opsserver.ts
+++ b/ts/opsserver/classes.opsserver.ts
@@ -21,6 +21,7 @@ export class OpsServer {
  public actionsHandler!: handlers.ActionsHandler;
  public actionLogHandler!: handlers.ActionLogHandler;
  public syncHandler!: handlers.SyncHandler;
+  public managedSecretsHandler!: handlers.ManagedSecretsHandler;

  constructor(gitopsAppRef: GitopsApp) {
    this.gitopsAppRef = gitopsAppRef;
@@ -65,6 +66,7 @@ export class OpsServer {
    this.actionsHandler = new handlers.ActionsHandler(this);
    this.actionLogHandler = new handlers.ActionLogHandler(this);
    this.syncHandler = new handlers.SyncHandler(this);
+    this.managedSecretsHandler = new handlers.ManagedSecretsHandler(this);

    logger.success('OpsServer TypedRequest handlers initialized');
  }
--- a/ts/opsserver/handlers/index.ts
+++ b/ts/opsserver/handlers/index.ts
@@ -9,3 +9,4 @@ export { WebhookHandler } from './webhook.handler.ts';
 export { ActionsHandler } from './actions.handler.ts';
 export { ActionLogHandler } from './actionlog.handler.ts';
 export { SyncHandler } from './sync.handler.ts';
+export { ManagedSecretsHandler } from './managedsecrets.handler.ts';
--- a/ts/opsserver/handlers/managedsecrets.handler.ts
+++ b/ts/opsserver/handlers/managedsecrets.handler.ts
@@ -0,0 +1,158 @@
+import * as plugins from '../../plugins.ts';
+import type { OpsServer } from '../classes.opsserver.ts';
+import * as interfaces from '../../../ts_interfaces/index.ts';
+import { requireValidIdentity } from '../helpers/guards.ts';
+
+export class ManagedSecretsHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private get actionLog() {
+    return this.opsServerRef.gitopsAppRef.actionLog;
+  }
+
+  private get manager() {
+    return this.opsServerRef.gitopsAppRef.managedSecretsManager;
+  }
+
+  private registerHandlers(): void {
+    // List all managed secrets
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetManagedSecrets>(
+        'getManagedSecrets',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const managedSecrets = await this.manager.getAll();
+          return { managedSecrets };
+        },
+      ),
+    );
+
+    // Get single managed secret
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetManagedSecret>(
+        'getManagedSecret',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const managedSecret = await this.manager.getById(dataArg.managedSecretId);
+          if (!managedSecret) throw new Error(`Managed secret not found: ${dataArg.managedSecretId}`);
+          return { managedSecret };
+        },
+      ),
+    );
+
+    // Create managed secret
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateManagedSecret>(
+        'createManagedSecret',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const result = await this.manager.create(
+            dataArg.key,
+            dataArg.value,
+            dataArg.description,
+            dataArg.targets,
+          );
+          this.actionLog.append({
+            actionType: 'create',
+            entityType: 'managed-secret',
+            entityId: result.managedSecret.id,
+            entityName: `GITOPS_${dataArg.key}`,
+            details: `Created managed secret "${dataArg.key}" with ${dataArg.targets.length} target(s)`,
+            username: dataArg.identity.username,
+          });
+          return result;
+        },
+      ),
+    );
+
+    // Update managed secret
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateManagedSecret>(
+        'updateManagedSecret',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const result = await this.manager.update(dataArg.managedSecretId, {
+            value: dataArg.value,
+            description: dataArg.description,
+            targets: dataArg.targets,
+          });
+          this.actionLog.append({
+            actionType: 'update',
+            entityType: 'managed-secret',
+            entityId: dataArg.managedSecretId,
+            entityName: `GITOPS_${result.managedSecret.key}`,
+            details: `Updated managed secret "${result.managedSecret.key}"`,
+            username: dataArg.identity.username,
+          });
+          return result;
+        },
+      ),
+    );
+
+    // Delete managed secret
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteManagedSecret>(
+        'deleteManagedSecret',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const secret = await this.manager.getById(dataArg.managedSecretId);
+          const result = await this.manager.delete(dataArg.managedSecretId);
+          this.actionLog.append({
+            actionType: 'delete',
+            entityType: 'managed-secret',
+            entityId: dataArg.managedSecretId,
+            entityName: secret ? `GITOPS_${secret.key}` : dataArg.managedSecretId,
+            details: `Deleted managed secret${secret ? ` "${secret.key}"` : ''}`,
+            username: dataArg.identity.username,
+          });
+          return result;
+        },
+      ),
+    );
+
+    // Push single managed secret
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_PushManagedSecret>(
+        'pushManagedSecret',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const result = await this.manager.pushOne(dataArg.managedSecretId);
+          this.actionLog.append({
+            actionType: 'push',
+            entityType: 'managed-secret',
+            entityId: dataArg.managedSecretId,
+            entityName: `GITOPS_${result.managedSecret.key}`,
+            details: `Pushed managed secret "${result.managedSecret.key}" to ${result.pushResults.length} target(s)`,
+            username: dataArg.identity.username,
+          });
+          return result;
+        },
+      ),
+    );
+
+    // Push all managed secrets
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_PushAllManagedSecrets>(
+        'pushAllManagedSecrets',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const results = await this.manager.pushAll();
+          this.actionLog.append({
+            actionType: 'push',
+            entityType: 'managed-secret',
+            entityId: 'all',
+            entityName: 'All managed secrets',
+            details: `Pushed ${results.length} managed secret(s) to their targets`,
+            username: dataArg.identity.username,
+          });
+          return { results };
+        },
+      ),
+    );
+  }
+}