Documentation
Index
- func GetAuthPath(authPath string) string
- func GetKubeSecretDetailsFromVaultPath(credentialsPath string) (string, string, error)
- func PathForReadingKubeSecret(secretNamespace, secretName string) string
- type Connection
- func NewConnection(addr, token string) (*Connection, error)
- func (c *Connection) AddSecret(path string, credentials map[string]interface{}) error
- func (c *Connection) AddSecretFromStruct(path string, creds interface{}) error
- func (c *Connection) DeletePolicy(policyName string) error
- func (c *Connection) DeleteSecret(vaultPath string) error
- func (c *Connection) GetSecret(vaultPath string) (string, error)
- func (c *Connection) LinkPolicyToIdentity(identity, policyName, boundedNamespace, serviceAccount, auth, ttl string) error
- func (c *Connection) Mount(path string) error
- func (c *Connection) RemovePolicyFromIdentity(identity, policyName, auth string) error
- func (c *Connection) WritePolicy(policyName, policy string) error
- type Dummy
- func NewDummyConnection() *Dummy
- func (c *Dummy) AddSecret(path string, credentials map[string]interface{}) error
- func (c *Dummy) AddSecretFromStruct(path string, creds interface{}) error
- func (c *Dummy) DeletePolicy(policyName string) error
- func (c *Dummy) DeleteSecret(vaultPath string) error
- func (c *Dummy) GetSecret(vaultPath string) (string, error)
- func (c *Dummy) LinkPolicyToIdentity(identity, policyName, boundedNamespace, serviceAccount, auth, ttl string) error
- func (c *Dummy) Mount(path string) error
- func (c *Dummy) RemovePolicyFromIdentity(identity, policyName, auth string) error
- func (c *Dummy) WritePolicy(policyName, policy string) error
- type Interface
Constants
This section is empty.
Variables
This section is empty.
Functions
func GetAuthPath added in v1.1.0
func GetAuthPath(authPath string) string
GetAuthPath returns the auth method path to use. It is of the form v1/auth/<auth path>/login.
TODO: different credentials for different data flows (read, write, delete).
func GetKubeSecretDetailsFromVaultPath added in v0.7.0
func GetKubeSecretDetailsFromVaultPath(credentialsPath string) (string, string, error)
GetKubeSecretDetailsFromVaultPath takes the path of the Vault secret that holds dataset credentials and returns the name of the Kubernetes secret and its namespace. For example, for the Vault secret path "/v1/kubernetes-secrets/my-secret?namespace=default" the returned values are my-secret and default.
func PathForReadingKubeSecret
func PathForReadingKubeSecret(secretNamespace, secretName string) string
PathForReadingKubeSecret returns the path of the Vault secret that holds dataset credentials stored in a Kubernetes secret. The Vault plugin vault-plugin-secrets-kubernetes-reader (https://github.com/fybrik/vault-plugin-secrets-kubernetes-reader) is used for reading the Kubernetes secret. The path is built from the following parts:
- pluginPath: the Vault path where the vault-plugin-secrets-kubernetes-reader plugin is enabled
- the secret name
- the secret namespace
For example, for secret name my-secret and namespace default the path is "/v1/kubernetes-secrets/my-secret?namespace=default".
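The two path helpers above are easy to get subtly wrong, because a Kubernetes secret name and namespace end up inside a URL path and query string. The Go program below is an added example, not the project's code: it reimplements the build and parse directions under an assumed plugin mount of kubernetes-secrets (the names kubeSecretReadPath, kubeSecretDetails and authLoginPath are this example's own), validates and URL-encodes the inputs, and rejects a path whose name hides an encoded slash, that lives under a different mount, or that lacks the namespace parameter.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Assumed values for this example (not the project's constants).
const (
	kubeReaderPluginPath = "kubernetes-secrets" // mount of vault-plugin-secrets-kubernetes-reader
	authMethodPrefix     = "v1/auth"
)

var errBadSecretPath = errors.New("not a kubernetes-reader secret path")

// authLoginPath builds "v1/auth/<auth path>/login", the form GetAuthPath documents,
// tolerating stray slashes around the auth-method mount.
func authLoginPath(authPath string) string {
	return authMethodPrefix + "/" + strings.Trim(authPath, "/") + "/login"
}

// kubeSecretReadPath builds "/v1/<plugin>/<name>?namespace=<ns>". Both parts are
// validated and URL-encoded so a crafted secret name cannot smuggle an extra path
// segment or query parameter (for example a second namespace=) into the request.
func kubeSecretReadPath(pluginPath, namespace, name string) (string, error) {
	if name == "" || namespace == "" {
		return "", errors.New("secret name and namespace are required")
	}
	if name == "." || name == ".." || strings.ContainsAny(name, "/?#%") || strings.ContainsAny(namespace, "/?#%&=") {
		return "", fmt.Errorf("invalid characters in secret reference %s/%s", namespace, name)
	}
	u := url.URL{
		Path:     path.Join("/v1", pluginPath, name),
		RawQuery: url.Values{"namespace": {namespace}}.Encode(),
	}
	return u.String(), nil
}

// kubeSecretDetails is the inverse: it recovers (name, namespace) from a path in that
// form and rejects anything else. url.Parse decodes %2F into "/", so an encoded slash
// in the name is caught by the single-segment check below.
func kubeSecretDetails(pluginPath, vaultPath string) (name, namespace string, err error) {
	u, err := url.Parse(vaultPath)
	if err != nil {
		return "", "", err
	}
	prefix := path.Join("/v1", pluginPath) + "/"
	if !strings.HasPrefix(u.Path, prefix) {
		return "", "", errBadSecretPath
	}
	name = strings.TrimPrefix(u.Path, prefix)
	if name == "" || strings.Contains(name, "/") {
		return "", "", errBadSecretPath
	}
	namespace = u.Query().Get("namespace")
	if namespace == "" {
		return "", "", errors.New("namespace query parameter is missing")
	}
	return name, namespace, nil
}

func main() {
	p, err := kubeSecretReadPath(kubeReaderPluginPath, "default", "my-secret")
	fmt.Println(p, err) // /v1/kubernetes-secrets/my-secret?namespace=default <nil>
	n, ns, err := kubeSecretDetails(kubeReaderPluginPath, p)
	fmt.Println(n, ns, err) // my-secret default <nil>
	fmt.Println(authLoginPath("/kubernetes/")) // v1/auth/kubernetes/login
}
```

The parser deliberately checks the mount prefix before anything else: a caller that is handed an arbitrary Vault path from a request should never treat it as a Kubernetes secret reference unless it is under the reader plugin's own mount.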
Types
type Connection
Connection contains the information required for connecting to Vault.
func NewConnection
func NewConnection(addr, token string) (*Connection, error)
NewConnection returns a new Connection object.
func (*Connection) AddSecret
func (c *Connection) AddSecret(path string, credentials map[string]interface{}) error
AddSecret adds a secret to Vault.
func (*Connection) AddSecretFromStruct
func (c *Connection) AddSecretFromStruct(path string, creds interface{}) error
AddSecretFromStruct constructs a Vault secret from the given structure.
func (*Connection) DeletePolicy
func (c *Connection) DeletePolicy(policyName string) error
DeletePolicy removes the policy with the given name from Vault.
func (*Connection) DeleteSecret
func (c *Connection) DeleteSecret(vaultPath string) error
DeleteSecret deletes a secret.
func (*Connection) GetSecret
func (c *Connection) GetSecret(vaultPath string) (string, error)
GetSecret returns the stored secret as JSON.
func (*Connection) LinkPolicyToIdentity
func (c *Connection) LinkPolicyToIdentity(identity, policyName, boundedNamespace, serviceAccount, auth, ttl string) error
LinkPolicyToIdentity registers a policy for a given identity or role: when a person or service with that identity logs into Vault and tries to read or write a secret, the policy determines whether the operation is allowed.
func (*Connection) Mount
func (c *Connection) Mount(path string) error
Mount mounts a key-value secrets engine (kv version 1) at the given path to store the secrets.
func (*Connection) RemovePolicyFromIdentity
func (c *Connection) RemovePolicyFromIdentity(identity, policyName, auth string) error
RemovePolicyFromIdentity detaches the policy from the authentication identity it is associated with, so the policy is no longer applied when a person or service authenticates with that identity.
func (*Connection) WritePolicy
func (c *Connection) WritePolicy(policyName, policy string) error
WritePolicy stores the given policy in Vault. The policy can then be associated with a Vault token or an authentication identity to restrict how secrets are used. Example policy:
"path \"identities/test-identity\" {\n capabilities = [\"read\"]\n }"
NOTE: keep the newlines and the indentation (tab) as in the example; without them the write fails.
type Dummy
type Dummy struct {
	// contains filtered or unexported fields
}
Dummy is an implementation of Interface used for testing.
func NewDummyConnection
func NewDummyConnection() *Dummy
NewDummyConnection returns a new Dummy object.
func (*Dummy) AddSecret
func (c *Dummy) AddSecret(path string, credentials map[string]interface{}) error
func (*Dummy) AddSecretFromStruct
func (c *Dummy) AddSecretFromStruct(path string, creds interface{}) error
func (*Dummy) DeletePolicy
func (c *Dummy) DeletePolicy(policyName string) error
func (*Dummy) DeleteSecret
func (c *Dummy) DeleteSecret(vaultPath string) error
func (*Dummy) GetSecret
func (c *Dummy) GetSecret(vaultPath string) (string, error)
func (*Dummy) LinkPolicyToIdentity
func (c *Dummy) LinkPolicyToIdentity(identity, policyName, boundedNamespace, serviceAccount, auth, ttl string) error
func (*Dummy) Mount
func (c *Dummy) Mount(path string) error
func (*Dummy) RemovePolicyFromIdentity
func (c *Dummy) RemovePolicyFromIdentity(identity, policyName, auth string) error
func (*Dummy) WritePolicy
func (c *Dummy) WritePolicy(policyName, policy string) error
type Interface
type Interface interface {
	LinkPolicyToIdentity(identity string, policyName string, boundedNamespace string, serviceAccount string, auth string, ttl string) error
	RemovePolicyFromIdentity(identity string, policyName string, auth string) error
	WritePolicy(policyName string, policy string) error
	DeletePolicy(policyName string) error
	Mount(path string) error
	DeleteSecret(vaultPath string) error
	GetSecret(vaultPath string) (string, error)
	AddSecret(path string, credentials map[string]interface{}) error
	AddSecretFromStruct(path string, creds interface{}) error
}
Interface provides the Vault functionality.
func InitConnection
InitConnection creates a new connection to Vault. Note that it assumes that the home path has been mounted during the Vault setup.
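As an added example of how the Connection methods and Interface above are meant to be used together (this is not the project's own code; secretGranter, memVault, accessRequest and grantReadAccess are this example's names), the Go program below provisions dataset credentials with least privilege: it stores the secret, writes a policy that grants only read on exactly that path, in the newline-and-tab HCL layout WritePolicy documents, and binds the policy to the identity through LinkPolicyToIdentity. secretGranter is the subset of Interface the workflow needs, so the project's Connection and Dummy satisfy it as-is; a constructed in-memory test double stands in for Connection so the rollback path can be exercised offline. The kv mount is assumed to exist already (see Mount and InitConnection).

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// secretGranter is the subset of the page's Interface this workflow needs; the
// project's Connection and Dummy satisfy it structurally.
type secretGranter interface {
	AddSecret(path string, credentials map[string]interface{}) error
	DeleteSecret(vaultPath string) error
	WritePolicy(policyName, policy string) error
	DeletePolicy(policyName string) error
	LinkPolicyToIdentity(identity, policyName, boundedNamespace, serviceAccount, auth, ttl string) error
}

// memVault is a constructed in-memory test double (not the project's Dummy). It
// records calls and fails the method named in failOn so rollback can be exercised.
type memVault struct {
	secrets  map[string]map[string]interface{}
	policies map[string]string
	links    map[string][]string // identity -> linked policy names
	failOn   string
}

var errInjected = errors.New("injected failure")

func newMemVault() *memVault {
	return &memVault{secrets: map[string]map[string]interface{}{}, policies: map[string]string{}, links: map[string][]string{}}
}
func (m *memVault) DeleteSecret(p string) error { delete(m.secrets, p); return nil }
func (m *memVault) DeletePolicy(n string) error { delete(m.policies, n); return nil }
func (m *memVault) AddSecret(p string, c map[string]interface{}) error {
	if m.failOn == "AddSecret" {
		return errInjected
	}
	m.secrets[p] = c
	return nil
}
func (m *memVault) WritePolicy(n, p string) error {
	if m.failOn == "WritePolicy" {
		return errInjected
	}
	m.policies[n] = p
	return nil
}
func (m *memVault) LinkPolicyToIdentity(id, n, _, _, _, _ string) error {
	if m.failOn == "LinkPolicyToIdentity" {
		return errInjected
	}
	m.links[id] = append(m.links[id], n)
	return nil
}

// renderReadPolicy builds the HCL WritePolicy expects, with the newline and tab the
// page insists on: one literal path, read capability only. Vault's glob characters
// are refused so a dataset path cannot silently widen the grant to sibling secrets.
func renderReadPolicy(secretPath string) (string, error) {
	if secretPath == "" || strings.ContainsAny(secretPath, "*+\"\n") {
		return "", fmt.Errorf("refusing to build a policy for path %q", secretPath)
	}
	return fmt.Sprintf("path \"%s\" {\n\tcapabilities = [\"read\"]\n}\n", secretPath), nil
}

type accessRequest struct {
	mountPath, secretPath                          string
	credentials                                    map[string]interface{}
	identity, namespace, serviceAccount, auth, ttl string
}

// grantReadAccess stores the credentials, writes a read-only policy for exactly that
// path and binds it to the identity. If a later step fails, the earlier ones are undone
// so no orphaned secret or unbound policy is left in Vault. It returns the policy name.
func grantReadAccess(v secretGranter, r accessRequest) (string, error) {
	full := strings.Trim(r.mountPath, "/") + "/" + strings.Trim(r.secretPath, "/")
	policy, err := renderReadPolicy(full) // validate before touching Vault
	if err != nil {
		return "", err
	}
	if err = v.AddSecret(full, r.credentials); err != nil {
		return "", err
	}
	name := "read-" + strings.ReplaceAll(strings.Trim(r.secretPath, "/"), "/", "-")
	if err = v.WritePolicy(name, policy); err != nil {
		_ = v.DeleteSecret(full)
		return "", err
	}
	if err = v.LinkPolicyToIdentity(r.identity, name, r.namespace, r.serviceAccount, r.auth, r.ttl); err != nil {
		_ = v.DeletePolicy(name)
		_ = v.DeleteSecret(full)
		return "", err
	}
	return name, nil
}

func main() {
	v := newMemVault() // constructed sample input below
	name, err := grantReadAccess(v, accessRequest{mountPath: "datasets", secretPath: "sales/db-creds",
		credentials: map[string]interface{}{"username": "reader", "password": "s3cr3t"},
		identity: "sales-reader", namespace: "sales", serviceAccount: "etl", auth: "kubernetes", ttl: "1h"})
	fmt.Printf("%s %v\n%s", name, err, v.policies[name])
}
```

The order matters: the policy is written before it is linked, so an identity never points at a policy that does not exist yet, and on failure the steps are undone in reverse so a half-provisioned identity cannot be left holding a secret without a policy or a policy without a secret.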