feat: engine management API

Signed-off-by: Johannes Großmann <grossmann.johannes@t-online.de>

Author: joe0BAB

client/client.go

@@ -28,8 +28,6 @@ import (
 	healthv1 "github.com/docker/secrets-engine/x/api/health/v1"
 	"github.com/docker/secrets-engine/x/api/health/v1/healthv1connect"
 	"github.com/docker/secrets-engine/x/api/resolver"
-	v1 "github.com/docker/secrets-engine/x/api/resolver/v1"
-	"github.com/docker/secrets-engine/x/api/resolver/v1/resolverv1connect"
 	"github.com/docker/secrets-engine/x/secrets"
 )
 
@@ -122,7 +120,6 @@ type config struct {
 
 type client struct {
 	resolverClient secrets.Resolver
-	listClient     resolverv1connect.ListServiceClient
 	versionClient  healthv1connect.VersionServiceClient
 }
 
@@ -158,8 +155,6 @@ type Client interface {
 
 	// Version returns the name and version reported by the daemon.
 	Version(ctx context.Context) (DaemonVersion, error)
-
-	ListPlugins(ctx context.Context) ([]PluginInfo, error)
 }
 
 func isDialError(err error) bool {
@@ -173,7 +168,7 @@ func isDialError(err error) bool {
 	return false
 }
 
-func New(options ...Option) (Client, error) {
+func applyOptions(options []Option) (*config, error) {
 	cfg := &config{
 		requestTimeout:  api.DefaultClientRequestTimeout,
 		responseTimeout: api.DefaultClientResponseHeaderTimeout,
@@ -186,7 +181,11 @@ func New(options ...Option) (Client, error) {
 	if cfg.dialContext == nil {
 		cfg.dialContext = dialFromPath(api.DaemonSocketPath())
 	}
-	c := &http.Client{
+	return cfg, nil
+}
+
+func newHTTPClient(cfg *config) *http.Client {
+	return &http.Client{
 		Transport: &http.Transport{
 			// re-use the same connection to the runtime, this speeds up subsequent
 			// calls.
@@ -207,53 +206,18 @@ func New(options ...Option) (Client, error) {
 		// it can be overwritten with [WithTimeout]
 		Timeout: cfg.requestTimeout,
 	}
-	return &client{
-		resolverClient: resolver.NewResolverClient(c),
-		listClient:     resolverv1connect.NewListServiceClient(c, "http://unix"),
-		versionClient:  healthv1connect.NewVersionServiceClient(c, "http://unix"),
-	}, nil
 }
 
-func (c client) ListPlugins(ctx context.Context) ([]PluginInfo, error) {
-	req := connect.NewRequest(v1.ListPluginsRequest_builder{}.Build())
-	resp, err := c.listClient.ListPlugins(ctx, req)
-	if isDialError(err) {
-		return nil, fmt.Errorf("%w: %w", ErrSecretsEngineNotAvailable, err)
-	}
+func New(options ...Option) (Client, error) {
+	cfg, err := applyOptions(options)
 	if err != nil {
 		return nil, err
 	}
-	var result []PluginInfo
-	for _, item := range resp.Msg.GetPlugins() {
-		name, err := api.NewName(item.GetName())
-		if err != nil {
-			continue
-		}
-		version, err := api.NewVersion(item.GetVersion())
-		if err != nil {
-			continue
-		}
-		pattern, err := secrets.ParsePattern(item.GetPattern())
-		if err != nil {
-			continue
-		}
-		result = append(result, PluginInfo{
-			Name:         name,
-			Version:      version,
-			Pattern:      pattern,
-			External:     item.GetExternal(),
-			Configurable: item.GetConfigurable(),
-		})
-	}
-	return result, nil
-}
-
-type PluginInfo struct {
-	Name         api.Name
-	Version      api.Version
-	Pattern      secrets.Pattern
-	External     bool
-	Configurable bool
+	c := newHTTPClient(cfg)
+	return &client{
+		resolverClient: resolver.NewResolverClient(c),
+		versionClient:  healthv1connect.NewVersionServiceClient(c, "http://unix"),
+	}, nil
 }
 
 func dialFromPath(path string) dial {

client/client_test.go

@@ -29,10 +29,10 @@ import (
 	"google.golang.org/protobuf/proto"
 
 	"github.com/docker/secrets-engine/x/api"
+	enginev1 "github.com/docker/secrets-engine/x/api/engine/v1"
+	"github.com/docker/secrets-engine/x/api/engine/v1/enginev1connect"
 	healthv1 "github.com/docker/secrets-engine/x/api/health/v1"
 	"github.com/docker/secrets-engine/x/api/health/v1/healthv1connect"
-	resolverv1 "github.com/docker/secrets-engine/x/api/resolver/v1"
-	"github.com/docker/secrets-engine/x/api/resolver/v1/resolverv1connect"
 	"github.com/docker/secrets-engine/x/secrets"
 	"github.com/docker/secrets-engine/x/testhelper"
 )
@@ -60,14 +60,14 @@ func mockVersionEngine(t *testing.T, version, date, commitHash string) string {
 	return socketPath
 }
 
-var _ resolverv1connect.ListServiceHandler = &mockPluginsList{}
+var _ enginev1connect.PluginManagementServiceHandler = &mockPluginsList{}
 
 type mockPluginsList struct {
 	list []PluginInfo
 }
 
-func (m mockPluginsList) ListPlugins(context.Context, *connect.Request[resolverv1.ListPluginsRequest]) (*connect.Response[resolverv1.ListPluginsResponse], error) {
-	var plugins []*resolverv1.Plugin
+func (m mockPluginsList) ListPlugins(_ context.Context, _ *connect.Request[enginev1.ListPluginsRequest]) (*connect.Response[enginev1.ListPluginsResponse], error) {
+	var plugins []*enginev1.Plugin
 	for _, plugin := range m.list {
 		var name string
 		if plugin.Name != nil {
@@ -77,23 +77,32 @@ func (m mockPluginsList) ListPlugins(context.Context, *connect.Request[resolverv
 		if plugin.Version != nil {
 			version = plugin.Version.String()
 		}
-		var pattern string
-		if plugin.Pattern != nil {
-			pattern = plugin.Pattern.String()
-		}
-		plugins = append(plugins, resolverv1.Plugin_builder{
+		b := enginev1.Plugin_builder{
 			Name:         proto.String(name),
 			Version:      proto.String(version),
-			Pattern:      proto.String(pattern),
 			External:     proto.Bool(plugin.External),
 			Configurable: proto.Bool(plugin.Configurable),
-		}.Build())
+		}
+		if plugin.SecretsProvider != nil {
+			b.SecretsProvider = enginev1.SecretsProvider_builder{
+				Pattern: proto.String(plugin.SecretsProvider.Pattern.String()),
+			}.Build()
+		}
+		plugins = append(plugins, b.Build())
 	}
-	return connect.NewResponse(resolverv1.ListPluginsResponse_builder{
+	return connect.NewResponse(enginev1.ListPluginsResponse_builder{
 		Plugins: plugins,
 	}.Build()), nil
 }
 
+func (m mockPluginsList) EnablePlugin(_ context.Context, _ *connect.Request[enginev1.EnablePluginRequest]) (*connect.Response[enginev1.EnablePluginResponse], error) {
+	return connect.NewResponse(enginev1.EnablePluginResponse_builder{}.Build()), nil
+}
+
+func (m mockPluginsList) DisablePlugin(_ context.Context, _ *connect.Request[enginev1.DisablePluginRequest]) (*connect.Response[enginev1.DisablePluginResponse], error) {
+	return connect.NewResponse(enginev1.DisablePluginResponse_builder{}.Build()), nil
+}
+
 type handler struct {
 	pattern string
 	handler http.Handler
@@ -133,7 +142,7 @@ func wrapHandler(pattern string, h http.Handler) handler {
 func mockListPluginsEngine(t *testing.T, plugins []PluginInfo) string {
 	t.Helper()
 	socketPath := testhelper.RandomShortSocketName()
-	muxServer(t, socketPath, []handler{wrapHandler(resolverv1connect.NewListServiceHandler(&mockPluginsList{list: plugins}))})
+	muxServer(t, socketPath, []handler{wrapHandler(enginev1connect.NewPluginManagementServiceHandler(&mockPluginsList{list: plugins}))})
 	return socketPath
 }
 
@@ -142,20 +151,20 @@ func Test_ListPlugins(t *testing.T) {
 	t.Run("external and internal configurable plugins", func(t *testing.T) {
 		plugins := []PluginInfo{
 			{
-				Name:         api.MustNewName("foo"),
-				Version:      api.MustNewVersion("v1"),
-				Pattern:      secrets.MustParsePattern("**"),
-				Configurable: true,
+				Name:            api.MustNewName("foo"),
+				Version:         api.MustNewVersion("v1"),
+				SecretsProvider: &SecretsProviderMetadata{Pattern: secrets.MustParsePattern("**")},
+				Configurable:    true,
 			},
 			{
-				Name:     api.MustNewName("bar"),
-				Version:  api.MustNewVersion("v1"),
-				Pattern:  secrets.MustParsePattern("**"),
-				External: true,
+				Name:            api.MustNewName("bar"),
+				Version:         api.MustNewVersion("v1"),
+				SecretsProvider: &SecretsProviderMetadata{Pattern: secrets.MustParsePattern("**")},
+				External:        true,
 			},
 		}
 		socket := mockListPluginsEngine(t, plugins)
-		client, err := New(WithSocketPath(socket))
+		client, err := NewPluginManagement(WithSocketPath(socket))
 		require.NoError(t, err)
 		result, err := client.ListPlugins(t.Context())
 		require.NoError(t, err)
@@ -164,7 +173,7 @@ func Test_ListPlugins(t *testing.T) {
 	t.Run("no plugins", func(t *testing.T) {
 		var plugins []PluginInfo
 		socket := mockListPluginsEngine(t, plugins)
-		client, err := New(WithSocketPath(socket))
+		client, err := NewPluginManagement(WithSocketPath(socket))
 		require.NoError(t, err)
 		result, err := client.ListPlugins(t.Context())
 		require.NoError(t, err)
@@ -176,21 +185,21 @@ func Test_ListPlugins(t *testing.T) {
 				Name: api.MustNewName("foo"),
 			},
 			{
-				Name:    api.MustNewName("bar"),
-				Version: api.MustNewVersion("v1"),
-				Pattern: secrets.MustParsePattern("**"),
+				Name:            api.MustNewName("bar"),
+				Version:         api.MustNewVersion("v1"),
+				SecretsProvider: &SecretsProviderMetadata{Pattern: secrets.MustParsePattern("**")},
 			},
 		}
 		socket := mockListPluginsEngine(t, plugins)
-		client, err := New(WithSocketPath(socket))
+		client, err := NewPluginManagement(WithSocketPath(socket))
 		require.NoError(t, err)
 		result, err := client.ListPlugins(t.Context())
 		require.NoError(t, err)
 		assert.Equal(t, []PluginInfo{
 			{
-				Name:    api.MustNewName("bar"),
-				Version: api.MustNewVersion("v1"),
-				Pattern: secrets.MustParsePattern("**"),
+				Name:            api.MustNewName("bar"),
+				Version:         api.MustNewVersion("v1"),
+				SecretsProvider: &SecretsProviderMetadata{Pattern: secrets.MustParsePattern("**")},
 			},
 		}, result)
 	})
@@ -219,11 +228,14 @@ func Test_Version(t *testing.T) {
 
 func TestSecretsEngineUnavailable(t *testing.T) {
 	socketPath := testhelper.RandomShortSocketName()
-	client, err := New(WithSocketPath(socketPath))
+	c, err := New(WithSocketPath(socketPath))
 	require.NoError(t, err)
-	_, err = client.ListPlugins(t.Context())
+	_, err = c.GetSecrets(t.Context(), secrets.MustParsePattern("**"))
 	require.ErrorIs(t, err, ErrSecretsEngineNotAvailable)
-	_, err = client.GetSecrets(t.Context(), secrets.MustParsePattern("**"))
+
+	pm, err := NewPluginManagement(WithSocketPath(socketPath))
+	require.NoError(t, err)
+	_, err = pm.ListPlugins(t.Context())
 	require.ErrorIs(t, err, ErrSecretsEngineNotAvailable)
 }
 

client/plugin_management.go

@@ -0,0 +1,118 @@
+// Copyright 2025-2026 Docker, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package client
+
+import (
+	"context"
+	"fmt"
+
+	"connectrpc.com/connect"
+
+	"github.com/docker/secrets-engine/x/api"
+	enginev1 "github.com/docker/secrets-engine/x/api/engine/v1"
+	"github.com/docker/secrets-engine/x/api/engine/v1/enginev1connect"
+	"github.com/docker/secrets-engine/x/secrets"
+)
+
+// PluginManagement is the interface for managing plugins in the secrets engine daemon.
+type PluginManagement interface {
+	ListPlugins(ctx context.Context) ([]PluginInfo, error)
+	EnablePlugin(ctx context.Context, name string) error
+	DisablePlugin(ctx context.Context, name string) error
+}
+
+type pluginManagementClient struct {
+	engineClient enginev1connect.PluginManagementServiceClient
+}
+
+func NewPluginManagement(options ...Option) (PluginManagement, error) {
+	cfg, err := applyOptions(options)
+	if err != nil {
+		return nil, err
+	}
+	c := newHTTPClient(cfg)
+	return &pluginManagementClient{
+		engineClient: enginev1connect.NewPluginManagementServiceClient(c, "http://unix"),
+	}, nil
+}
+
+func (c pluginManagementClient) ListPlugins(ctx context.Context) ([]PluginInfo, error) {
+	req := connect.NewRequest(enginev1.ListPluginsRequest_builder{}.Build())
+	resp, err := c.engineClient.ListPlugins(ctx, req)
+	if isDialError(err) {
+		return nil, fmt.Errorf("%w: %w", ErrSecretsEngineNotAvailable, err)
+	}
+	if err != nil {
+		return nil, err
+	}
+	var result []PluginInfo
+	for _, item := range resp.Msg.GetPlugins() {
+		name, err := api.NewName(item.GetName())
+		if err != nil {
+			continue
+		}
+		version, err := api.NewVersion(item.GetVersion())
+		if err != nil {
+			continue
+		}
+		info := PluginInfo{
+			Name:         name,
+			Version:      version,
+			External:     item.GetExternal(),
+			Configurable: item.GetConfigurable(),
+		}
+		if sp := item.GetSecretsProvider(); sp != nil {
+			pattern, err := secrets.ParsePattern(sp.GetPattern())
+			if err != nil {
+				continue
+			}
+			info.SecretsProvider = &SecretsProviderMetadata{Pattern: pattern}
+		}
+		result = append(result, info)
+	}
+	return result, nil
+}
+
+func (c pluginManagementClient) EnablePlugin(ctx context.Context, name string) error {
+	r := enginev1.EnablePluginRequest_builder{}.Build()
+	r.SetName(name)
+	_, err := c.engineClient.EnablePlugin(ctx, connect.NewRequest(r))
+	if isDialError(err) {
+		return fmt.Errorf("%w: %w", ErrSecretsEngineNotAvailable, err)
+	}
+	return err
+}
+
+func (c pluginManagementClient) DisablePlugin(ctx context.Context, name string) error {
+	r := enginev1.DisablePluginRequest_builder{}.Build()
+	r.SetName(name)
+	_, err := c.engineClient.DisablePlugin(ctx, connect.NewRequest(r))
+	if isDialError(err) {
+		return fmt.Errorf("%w: %w", ErrSecretsEngineNotAvailable, err)
+	}
+	return err
+}
+
+type PluginInfo struct {
+	Name            api.Name
+	Version         api.Version
+	External        bool
+	Configurable    bool
+	SecretsProvider *SecretsProviderMetadata
+}
+
+type SecretsProviderMetadata struct {
+	Pattern secrets.Pattern
+}