Skip to content

Add proxymock secrets guide #684

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
kenahrens merged 1 commit into from
Jun 9, 2026
Merged

Add proxymock secrets guide #684

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
121 changes: 121 additions & 0 deletions docs/proxymock/guides/secrets.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,121 @@
---
description: "Use the ${{secret:name/key}} syntax to inject sensitive values like database credentials, JWT signing keys, and API tokens into proxymock transforms without storing them in your recording."
sidebar_position: 8
---

# Secrets

Recorded traffic often contains credentials that differ between environments β€” database passwords, JWT signing keys, AWS access keys. The `${{secret:name/key}}` syntax lets proxymock resolve these values from local files at runtime, so transforms can re-sign tokens or re-authenticate connections without hardcoding secrets into your recording or blueprint.

## Directory layout

proxymock discovers secrets automatically by walking up from your `--in` directory. Place a `secrets/` directory alongside (or inside) your `proxymock/` workspace:

```
my-project/
β”œβ”€β”€ proxymock/
β”‚ β”œβ”€β”€ secrets/ ← preferred location
β”‚ β”‚ β”œβ”€β”€ mongo-creds/
β”‚ β”‚ β”‚ β”œβ”€β”€ host
β”‚ β”‚ β”‚ β”œβ”€β”€ username
β”‚ β”‚ β”‚ └── password
β”‚ β”‚ └── jwt-signing/
β”‚ β”‚ └── key
β”‚ └── recorded-2026-06-01T120000Z/
β”‚ └── ...
```

Each secret is a plain file whose contents are the value. For example, `secrets/mongo-creds/password` might contain `s3cret123` with no trailing newline.

An alternative layout places `secrets/` one level up from `proxymock/`:

```
my-project/
β”œβ”€β”€ secrets/
β”‚ └── mongo-creds/
β”‚ └── ...
└── proxymock/
└── recorded-.../
```

Both layouts work. proxymock checks `<workspace>/proxymock/secrets/` first, then `<workspace>/secrets/`.

## Referencing secrets in transforms

Use the `${{secret:name/key}}` syntax in transform configuration fields that accept secret references. The `name` maps to the directory and `key` maps to the filename inside it.

### MongoDB SASL authentication

The `sasl_auth` transform re-authenticates MongoDB connections using SCRAM. Point each field at the appropriate secret file:

```json
{
"type": "sasl_auth",
"config": {
"host": "${{secret:mongo-creds/host}}",
"username": "${{secret:mongo-creds/username}}",
"password": "${{secret:mongo-creds/password}}"
}
}
```

This resolves to `secrets/mongo-creds/host`, `secrets/mongo-creds/username`, and `secrets/mongo-creds/password` on disk.

For multiple MongoDB hosts, add one `sasl_auth` transform per host, each referencing its own secret directory.

### JWT re-signing

The `jwt_resign` transform re-signs JWT tokens using a local key:

```json
{
"type": "jwt_resign",
"config": {
"secretPath": "${{secret:jwt-signing/key}}"
}
}
```

### AWS Signature V4

The `aws_auth` transform re-signs AWS requests:

```json
{
"type": "aws_auth",
"config": {
"secretPath": "${{secret:aws-creds/secret}}",
"idPath": "${{secret:aws-creds/id}}"
}
}
```

## CLI usage

No extra flags are needed. When you run `proxymock mock` or `proxymock replay`, the secrets directory is discovered automatically from the `--in` path:

```bash
proxymock replay --in ./proxymock/recorded-2026-06-01T120000Z
```

proxymock walks up from the `--in` directory looking for a `secrets/` folder. If it finds one, all `${{secret:name/key}}` references in your transforms resolve against it.

## Security notes

- **Never commit secrets to version control.** Add `secrets/` to your `.gitignore`.
- Path traversal is blocked β€” references like `${{secret:../etc/passwd}}` are rejected and treated as a missing file.
- In Kubernetes, the Speedscale operator mounts secrets from the cluster's secret store. The local `secrets/` directory is only used for out-of-cluster (CLI) runs.

## Troubleshooting

**Transform fails with "file not found" for a secret path**
The `secrets/` directory wasn't discovered. Verify the directory exists and is reachable by walking up from your `--in` path. The directory must be named exactly `secrets` (not `.secrets` or `_secrets`).

**Secret value has unexpected whitespace**
Secret files are read as-is. Make sure the file doesn't contain a trailing newline. On macOS/Linux:

```bash
printf 's3cret123' > secrets/mongo-creds/password
```

Using `echo` adds a trailing newline by default β€” use `printf` or `echo -n` instead.
Loading