Documentation ¶
Overview ¶
Package secrets implements a high-throughput Vault client.
Index ¶
- Constants
- func ServiceConfigPath(config Config) string
- func URL(format string, args ...interface{}) *url.URL
- type Buffer
- type BufferPool
- type CertPool
- type Client
- type Config
- func (c Config) GetAddr(inherited ...string) string
- func (c Config) GetMount() string
- func (c Config) GetRootCAs() []string
- func (c Config) GetServicePath() string
- func (c Config) GetTimeout() time.Duration
- func (c Config) GetToken() string
- func (c Config) IsZero() bool
- func (c Config) MustAddr() *url.URL
- type Event
- func (e *Event) Key() string
- func (e *Event) Method() string
- func (e *Event) Remote() string
- func (e *Event) WithKey(key string) *Event
- func (e *Event) WithMethod(method string) *Event
- func (e *Event) WithRemote(remote string) *Event
- func (e *Event) WriteJSON() map[string]interface{}
- func (e *Event) WriteText(tf logger.TextFormatter, buf *bytes.Buffer)
- type HTTPClient
- type KV
- type MockClient
- type MockHTTPClient
- type Mount
- type MountConfig
- type MountConfigInput
- type MountInput
- type MountResponse
- type Option
- type SecretAuth
- type SecretData
- type SecretV1
- type SecretV2
- type SecretWrapInfo
- type Values
- type VaultClient
- func (c *VaultClient) CertPool() *CertPool
- func (c *VaultClient) Delete(key string, options ...Option) error
- func (c *VaultClient) Get(key string, options ...Option) (Values, error)
- func (c *VaultClient) HTTPClient() HTTPClient
- func (c *VaultClient) Logger() *logger.Logger
- func (c *VaultClient) Mount() string
- func (c *VaultClient) Put(key string, data Values, options ...Option) error
- func (c *VaultClient) ReadInto(key string, obj interface{}, options ...Option) error
- func (c *VaultClient) Remote() *url.URL
- func (c *VaultClient) Token() string
- func (c *VaultClient) WithHTTPClient(hc HTTPClient) *VaultClient
- func (c *VaultClient) WithLogger(log *logger.Logger) *VaultClient
- func (c *VaultClient) WithMount(mount string) *VaultClient
- func (c *VaultClient) WithRemote(remote *url.URL) *VaultClient
- func (c *VaultClient) WithToken(token string) *VaultClient
- func (c *VaultClient) WriteInto(key string, obj interface{}, options ...Option) error
Constants ¶
const (
	// DefaultAddr is the default addr used when Config.Addr is unset.
	// It is plaintext http on loopback; for anything beyond local development
	// set Config.Addr (VAULT_ADDR) to an https endpoint and supply Config.RootCAs.
	DefaultAddr = "http://127.0.0.1:8200"
	// DefaultTimeout is the default timeout (see Config.Timeout, the dial
	// timeout for requests to the secrets store).
	DefaultTimeout = time.Second
	// DefaultMount is the default kv mount; the mount path prefixes any keys
	// (see Config.Mount).
	DefaultMount = "/secret"
)
const (
	// MethodGet is the HTTP GET request method.
	MethodGet = "GET"
	// MethodPost is the HTTP POST request method.
	MethodPost = "POST"
	// MethodPut is the HTTP PUT request method.
	MethodPut = "PUT"
	// MethodDelete is the HTTP DELETE request method.
	MethodDelete = "DELETE"
	// HeaderVaultToken is the vault token header. The value sent in this
	// header is a credential; keep request headers out of logs and traces.
	HeaderVaultToken = "X-Vault-Token"
	// HeaderContentType is the content type header.
	HeaderContentType = "Content-Type"
	// ContentTypeApplicationJSON is the JSON content type.
	ContentTypeApplicationJSON = "application/json"
	// DefaultBufferPoolSize is the default buffer pool size, presumably the
	// bufferSize (pre-allocated bytes per buffer) handed to NewBufferPool — confirm.
	DefaultBufferPoolSize = 1024
	// ReflectTagName is the struct tag name; presumably the tag ReadInto and
	// WriteInto consult when mapping secret values onto struct fields — confirm.
	ReflectTagName = "secret"
	// Version1 is the version string "1" (see SecretV1 for the matching
	// response shape; which engine it denotes is not stated here).
	Version1 = "1"
	// Version2 is the version string "2" (see SecretV2 for the matching
	// response shape).
	Version2 = "2"
)
const (
	// Flag is the logger flag under which this package emits its events.
	Flag = "secrets"
)
Variables ¶
This section is empty.
Functions ¶
func ServiceConfigPath ¶
ServiceConfigPath returns the service config path.
Types ¶
type Buffer ¶
Buffer is a bytes.Buffer with a reference back to the buffer pool. It returns itself to the pool on close.
type BufferPool ¶
BufferPool is a sync.Pool of bytes.Buffer.
func NewBufferPool ¶
func NewBufferPool(bufferSize int) *BufferPool
NewBufferPool returns a new BufferPool. bufferSize is the pre-allocated size, in bytes, of the returned buffers. Typically this is between 256 bytes and 1 KiB.
func (*BufferPool) Get ¶
func (bp *BufferPool) Get() *Buffer
Get returns a pooled bytes.Buffer instance.
type CertPool ¶
// CertPool is a wrapper for x509.CertPool; NewCertPool seeds it with the
// system certs.
type CertPool struct {
	// contains filtered or unexported fields
}
CertPool is a wrapper for x509.CertPool.
func NewCertPool ¶
NewCertPool creates a new cert pool. This cert pool starts with the system certs.
type Client ¶
// Client is the general interface for a Secrets client. Its method set is
// identical to KV.
type Client interface {
	// Put writes data at key.
	Put(key string, data Values, options ...Option) error
	// Get returns the values stored at key.
	Get(key string, options ...Option) (Values, error)
	// Delete removes the secret at key.
	Delete(key string, options ...Option) error
}
Client is the general interface for a Secrets client.
type Config ¶
// Config is the secrets config object.
type Config struct {
	// Addr is the remote address of the secret store (env VAULT_ADDR).
	// DefaultAddr is plaintext http on loopback; use an https address with
	// RootCAs outside local development.
	Addr string `json:"addr" yaml:"addr" env:"VAULT_ADDR"`
	// Token is the authentication token used to talk to the secret store
	// (env VAULT_TOKEN). It is a credential, and the json/yaml tags mean a
	// marshaled Config contains it — keep Config out of logs and dumps.
	Token string `json:"token" yaml:"token" env:"VAULT_TOKEN"`
	// Mount is the default mount path, it prefixes any keys.
	Mount string `json:"mount" yaml:"mount"`
	// Timeout is the dial timeout for requests to the secrets store.
	Timeout time.Duration `json:"timeout" yaml:"timeout"`
	// RootCAs is a list of certificate authority paths (env VAULT_CACERT,
	// parsed as csv); presumably these feed the client's CertPool — confirm.
	RootCAs []string `json:"rootCAs" yaml:"rootCAs" env:"VAULT_CACERT,csv"`
	// ServicePath is the path that service secrets live under
	// (env SECRETS_SERVICE_PATH).
	ServicePath string `json:"servicePath" yaml:"servicePath" env:"SECRETS_SERVICE_PATH"`
}
Config is the secrets config object.
func MustNewConfigFromEnv ¶
func MustNewConfigFromEnv() (cfg *Config)
MustNewConfigFromEnv returns a config set from the env, and panics on error.
func NewConfigFromEnv ¶
NewConfigFromEnv returns a config populated by the env.
func (Config) GetServicePath ¶
GetServicePath returns the service path.
func (Config) GetTimeout ¶
GetTimeout returns the client timeout.
type Event ¶
Event is a logger event for a secrets request; it carries the key, method and remote.
func (*Event) WithMethod ¶
WithMethod sets the event method.
func (*Event) WithRemote ¶
WithRemote sets the event remote.
type HTTPClient ¶
HTTPClient is a client that can send http requests.
type KV ¶
// KV is a basic key value store. Its method set is identical to Client.
type KV interface {
	// Put writes data at key.
	Put(key string, data Values, options ...Option) error
	// Get returns the values stored at key.
	Get(key string, options ...Option) (Values, error)
	// Delete removes the secret at key.
	Delete(key string, options ...Option) error
}
KV is a basic key value store.
type MockClient ¶
MockClient is a mock events client.
func (*MockClient) Delete ¶
func (c *MockClient) Delete(key string, options ...Option) error
Delete deletes a key.
type MockHTTPClient ¶
// MockHTTPClient is a mock http client; endpoints are registered with With
// and WithString.
type MockHTTPClient struct {
	// contains filtered or unexported fields
}
MockHTTPClient is a mock http client.
func NewMockHTTPClient ¶
func NewMockHTTPClient() *MockHTTPClient
NewMockHTTPClient returns a new mock http client.
func (*MockHTTPClient) With ¶
func (mh *MockHTTPClient) With(verb string, url *url.URL, response *http.Response) *MockHTTPClient
With adds a mocked endpoint.
func (*MockHTTPClient) WithString ¶
func (mh *MockHTTPClient) WithString(verb string, url *url.URL, contents string) *MockHTTPClient
WithString adds a mocked endpoint.
type Mount ¶
// Mount is a vault mount as returned by the server.
type Mount struct {
	// Type is the mount type ("type").
	Type string `json:"type"`
	// Description is the mount description ("description").
	Description string `json:"description"`
	// Accessor is the mount accessor ("accessor").
	Accessor string `json:"accessor"`
	// Config is the mount's configuration ("config").
	Config MountConfig `json:"config"`
	// Options are the mount options ("options").
	Options map[string]string `json:"options"`
	// Local reports whether the mount is local ("local").
	Local bool `json:"local"`
	// SealWrap reports whether the mount is seal wrapped ("seal_wrap").
	SealWrap bool `json:"seal_wrap" mapstructure:"seal_wrap"`
}
Mount is a vault mount.
type MountConfig ¶
// MountConfig is a vault mount config as returned by the server. Lease TTLs
// are ints here, unlike MountConfigInput where they are strings.
type MountConfig struct {
	// DefaultLeaseTTL is the default lease TTL ("default_lease_ttl"); units are
	// not stated here — confirm against the server.
	DefaultLeaseTTL int `json:"default_lease_ttl" mapstructure:"default_lease_ttl"`
	// MaxLeaseTTL is the maximum lease TTL ("max_lease_ttl").
	MaxLeaseTTL int `json:"max_lease_ttl" mapstructure:"max_lease_ttl"`
	// ForceNoCache disables caching for the mount ("force_no_cache").
	ForceNoCache bool `json:"force_no_cache" mapstructure:"force_no_cache"`
	// PluginName is the backing plugin name ("plugin_name"); omitted when empty.
	PluginName string `json:"plugin_name,omitempty" mapstructure:"plugin_name"`
	// AuditNonHMACRequestKeys lists request keys the audit log records without HMAC.
	AuditNonHMACRequestKeys []string `json:"audit_non_hmac_request_keys,omitempty" mapstructure:"audit_non_hmac_request_keys"`
	// AuditNonHMACResponseKeys lists response keys the audit log records without HMAC.
	AuditNonHMACResponseKeys []string `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"`
	// ListingVisibility is the mount's listing visibility ("listing_visibility").
	ListingVisibility string `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"`
	// PassthroughRequestHeaders lists request headers passed through to the backend.
	PassthroughRequestHeaders []string `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"`
}
MountConfig is a vault mount config.
type MountConfigInput ¶
// MountConfigInput is a vault mount config input, the client-side shape sent
// when creating a mount. Lease TTLs are strings here, unlike MountConfig.
type MountConfigInput struct {
	// Options are the mount options ("options").
	Options map[string]string `json:"options" mapstructure:"options"`
	// DefaultLeaseTTL is the default lease TTL as a string ("default_lease_ttl").
	DefaultLeaseTTL string `json:"default_lease_ttl" mapstructure:"default_lease_ttl"`
	// MaxLeaseTTL is the maximum lease TTL as a string ("max_lease_ttl").
	MaxLeaseTTL string `json:"max_lease_ttl" mapstructure:"max_lease_ttl"`
	// ForceNoCache disables caching for the mount ("force_no_cache").
	ForceNoCache bool `json:"force_no_cache" mapstructure:"force_no_cache"`
	// PluginName is the backing plugin name ("plugin_name"); omitted when empty.
	PluginName string `json:"plugin_name,omitempty" mapstructure:"plugin_name"`
	// AuditNonHMACRequestKeys lists request keys the audit log records without HMAC.
	AuditNonHMACRequestKeys []string `json:"audit_non_hmac_request_keys,omitempty" mapstructure:"audit_non_hmac_request_keys"`
	// AuditNonHMACResponseKeys lists response keys the audit log records without HMAC.
	AuditNonHMACResponseKeys []string `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"`
	// ListingVisibility is the mount's listing visibility ("listing_visibility").
	ListingVisibility string `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"`
	// PassthroughRequestHeaders lists request headers passed through to the backend.
	PassthroughRequestHeaders []string `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"`
}
MountConfigInput is a vault mount config input.
type MountInput ¶
// MountInput is a vault mount input, the client-side shape sent when creating
// a mount (compare Mount, the server's representation).
type MountInput struct {
	// Type is the mount type ("type").
	Type string `json:"type"`
	// Description is the mount description ("description").
	Description string `json:"description"`
	// Config is the mount configuration input ("config").
	Config MountConfigInput `json:"config"`
	// Options are the mount options ("options").
	Options map[string]string `json:"options"`
	// Local marks the mount as local ("local").
	Local bool `json:"local"`
	// PluginName is the backing plugin name ("plugin_name"); omitted when empty.
	PluginName string `json:"plugin_name,omitempty"`
	// SealWrap requests seal wrapping for the mount ("seal_wrap").
	SealWrap bool `json:"seal_wrap" mapstructure:"seal_wrap"`
}
MountInput is a vault mount input.
type MountResponse ¶
MountResponse is the result of a call to a mount.
type SecretAuth ¶
// SecretAuth is the structure containing auth information if we have it.
type SecretAuth struct {
	// ClientToken is the issued token ("client_token"). It is a credential;
	// keep SecretAuth values out of logs.
	ClientToken string `json:"client_token"`
	// Accessor is the token accessor ("accessor").
	Accessor string `json:"accessor"`
	// Policies lists the policies attached to the token ("policies").
	Policies []string `json:"policies"`
	// Metadata is arbitrary token metadata ("metadata").
	Metadata map[string]string `json:"metadata"`
	// LeaseDuration is the token's lease duration ("lease_duration"); units
	// are not stated here — confirm against the server.
	LeaseDuration int `json:"lease_duration"`
	// Renewable reports whether the token can be renewed ("renewable").
	Renewable bool `json:"renewable"`
}
SecretAuth is the structure containing auth information if we have it.
type SecretV1 ¶
// SecretV1 is the structure returned for every secret within Vault. It
// differs from SecretV2 only in the type of Data (Values here, SecretData there).
type SecretV1 struct {
	// RequestID is the request ID that generated this response.
	RequestID string `json:"request_id"`
	// LeaseID identifies the lease associated with this secret, if any.
	LeaseID string `json:"lease_id"`
	// LeaseDuration is the lease duration ("lease_duration"); units are not
	// stated here — confirm against the server.
	LeaseDuration int `json:"lease_duration"`
	// Renewable reports whether the lease can be renewed.
	Renewable bool `json:"renewable"`
	// Data is the actual contents of the secret. The format of the data
	// is arbitrary and up to the secret backend.
	Data Values `json:"data"`
	// Warnings contains any warnings related to the operation. These
	// are not issues that caused the command to fail, but that the
	// client should be aware of.
	Warnings []string `json:"warnings"`
	// Auth, if non-nil, means that there was authentication information
	// attached to this response.
	Auth *SecretAuth `json:"auth,omitempty"`
	// WrapInfo, if non-nil, means that the initial response was wrapped in the
	// cubbyhole of the given token (which has a TTL of the given number of
	// seconds).
	WrapInfo *SecretWrapInfo `json:"wrap_info,omitempty"`
}
SecretV1 is the structure returned for every secret within Vault.
type SecretV2 ¶
// SecretV2 is the structure returned for every secret within Vault. It
// differs from SecretV1 only in the type of Data (SecretData here, Values there).
type SecretV2 struct {
	// RequestID is the request ID that generated this response.
	RequestID string `json:"request_id"`
	// LeaseID identifies the lease associated with this secret, if any.
	LeaseID string `json:"lease_id"`
	// LeaseDuration is the lease duration ("lease_duration"); units are not
	// stated here — confirm against the server.
	LeaseDuration int `json:"lease_duration"`
	// Renewable reports whether the lease can be renewed.
	Renewable bool `json:"renewable"`
	// Data is the actual contents of the secret. The format of the data
	// is arbitrary and up to the secret backend.
	Data SecretData `json:"data"`
	// Warnings contains any warnings related to the operation. These
	// are not issues that caused the command to fail, but that the
	// client should be aware of.
	Warnings []string `json:"warnings"`
	// Auth, if non-nil, means that there was authentication information
	// attached to this response.
	Auth *SecretAuth `json:"auth,omitempty"`
	// WrapInfo, if non-nil, means that the initial response was wrapped in the
	// cubbyhole of the given token (which has a TTL of the given number of
	// seconds).
	WrapInfo *SecretWrapInfo `json:"wrap_info,omitempty"`
}
SecretV2 is the structure returned for every secret within Vault.
type SecretWrapInfo ¶
// SecretWrapInfo contains wrapping information if we have it. If what is
// contained is an authentication token, the accessor for the token will be
// available in WrappedAccessor.
type SecretWrapInfo struct {
	// Token is the wrapping token ("token"). It is a credential; keep it out
	// of logs.
	Token string `json:"token"`
	// Accessor is the wrapping token's accessor ("accessor").
	Accessor string `json:"accessor"`
	// TTL is the wrapping token's TTL ("ttl"); units are not stated here —
	// confirm against the server.
	TTL int `json:"ttl"`
	// CreationTime is when the wrapping token was created ("creation_time").
	CreationTime time.Time `json:"creation_time"`
	// CreationPath is the path the wrapping token was created at ("creation_path").
	CreationPath string `json:"creation_path"`
	// WrappedAccessor is the accessor of the wrapped authentication token,
	// when the wrapped content is one ("wrapped_accessor").
	WrappedAccessor string `json:"wrapped_accessor"`
}
SecretWrapInfo contains wrapping information if we have it. If what is contained is an authentication token, the accessor for the token will be available in WrappedAccessor.
type VaultClient ¶
// VaultClient is a client to talk to the secrets store. Construct it with
// NewVaultClient, NewVaultClientFromConfig or NewVaultClientFromEnv; it holds
// the token, remote, mount, cert pool, http client and logger exposed by its
// accessors and With* methods.
type VaultClient struct {
	// contains filtered or unexported fields
}
VaultClient is a client to talk to the secrets store.
func Must ¶
func Must(c *VaultClient, err error) *VaultClient
Must panics if err is non-nil; otherwise it returns c.
func NewVaultClient ¶
func NewVaultClient() (*VaultClient, error)
NewVaultClient returns a new client.
func NewVaultClientFromConfig ¶
func NewVaultClientFromConfig(cfg *Config) (*VaultClient, error)
NewVaultClientFromConfig returns a new client from a config.
func NewVaultClientFromEnv ¶
func NewVaultClientFromEnv() (*VaultClient, error)
NewVaultClientFromEnv is a helper to create a client from a config read from the environment.
func (*VaultClient) CertPool ¶
func (c *VaultClient) CertPool() *CertPool
CertPool returns the cert pool.
func (*VaultClient) Delete ¶
func (c *VaultClient) Delete(key string, options ...Option) error
Delete deletes a key.
func (*VaultClient) Get ¶
func (c *VaultClient) Get(key string, options ...Option) (Values, error)
Get gets a value at a given key.
func (*VaultClient) HTTPClient ¶
func (c *VaultClient) HTTPClient() HTTPClient
HTTPClient returns the http client.
func (*VaultClient) Logger ¶
func (c *VaultClient) Logger() *logger.Logger
Logger returns the logger.
func (*VaultClient) Put ¶
func (c *VaultClient) Put(key string, data Values, options ...Option) error
Put puts a value at the given key.
func (*VaultClient) ReadInto ¶
func (c *VaultClient) ReadInto(key string, obj interface{}, options ...Option) error
ReadInto reads a secret into an object.
func (*VaultClient) Remote ¶
func (c *VaultClient) Remote() *url.URL
Remote returns the client remote addr.
func (*VaultClient) WithHTTPClient ¶
func (c *VaultClient) WithHTTPClient(hc HTTPClient) *VaultClient
WithHTTPClient sets the http client.
func (*VaultClient) WithLogger ¶
func (c *VaultClient) WithLogger(log *logger.Logger) *VaultClient
WithLogger sets the logger.
func (*VaultClient) WithMount ¶
func (c *VaultClient) WithMount(mount string) *VaultClient
WithMount sets the mount.
func (*VaultClient) WithRemote ¶
func (c *VaultClient) WithRemote(remote *url.URL) *VaultClient
WithRemote sets the client remote URL.
func (*VaultClient) WithToken ¶
func (c *VaultClient) WithToken(token string) *VaultClient
WithToken sets the token.