vault

package
v3.14.1+incompatible Latest Latest
Published: Jun 6, 2018 License: Apache-2.0 Imports: 14 Imported by: 19

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewVaultFactory

func NewVaultFactory(sr SecretReader, loggedIn <-chan struct{}, prefix string) *vaultFactory

func NewVaultManagerFactory

func NewVaultManagerFactory() creds.ManagerFactory

Types

type APIClient

// APIClient is a SecretReader that keeps an authorized Vault client alive by
// way of its Login and Renew methods; Read is only meaningful after a
// successful Login. Its fields are unexported and not shown in this view.
type APIClient struct {
	// contains filtered or unexported fields
}

APIClient is a SecretReader that maintains an authorized Vault client through its Login and Renew methods.

func NewAPIClient

func NewAPIClient(logger lager.Logger, apiURL string, tlsConfig *vaultapi.TLSConfig, authConfig AuthConfig) (*APIClient, error)

NewAPIClient with the associated authorization config and underlying vault client.

func (*APIClient) Login

func (ac *APIClient) Login() (time.Duration, error)

Login logs the APIClient in using the credentials passed at construction. It returns the duration after which Renew must be called.

func (*APIClient) Read

func (ac *APIClient) Read(path string) (*vaultapi.Secret, error)

Read must be called after a successful login has occurred; otherwise the request is made with an unauthorized client.

func (*APIClient) Renew

func (ac *APIClient) Renew() (time.Duration, error)

Renew renews the APIClient login using the credentials passed at construction. It must be called after a successful Login, and returns the duration after which Renew must be called again.

type AuthConfig

// AuthConfig holds the settings APIClient uses to authenticate to Vault,
// either with a static client token or by logging in through an auth backend.
type AuthConfig struct {
	// ClientToken is a static Vault token used directly to read secrets.
	// It is a credential in its own right; store and rotate it accordingly.
	ClientToken string `long:"client-token" description:"Client token for accessing secrets within the Vault server."`

	// Backend names the Vault auth backend used for logging in.
	Backend       string        `long:"auth-backend"               description:"Auth backend to use for logging in to Vault."`
	// BackendMaxTTL: its flag description is not shown in this view. It is
	// presumably the maximum lifetime of a backend login before a fresh login
	// is forced (compare ReAuther's maxTTL) — confirm against NewReAuther's caller.
	BackendMaxTTL time.Duration `` /* 142-byte string literal not displayed */
	// RetryMax bounds the backoff between retries when logging in or re-authing.
	RetryMax      time.Duration `long:"retry-max"     default:"5m" description:"The maximum time between retries when logging in or re-authing a secret."`
	// RetryInitial is the first backoff interval used before retrying.
	RetryInitial  time.Duration `long:"retry-initial" default:"1s" description:"The initial time between retries when logging in or re-authing a secret."`

	// Params: its flag description is not shown in this view. Presumably
	// key/value pairs handed to the auth backend on login — confirm against Login.
	Params []template.VarKV `` /* 139-byte string literal not displayed */
}

type Auther

// An Auther is anything that needs to be logged in and then have that login
// renewed periodically; ReAuther drives this loop.
type Auther interface {
	// Login authenticates and returns the duration after which Renew must be called.
	Login() (time.Duration, error)
	// Renew extends the current login and returns the duration until the next renewal.
	Renew() (time.Duration, error)
}

An Auther is anything which needs to be logged in and then have that login renewed on a regular basis.

type Cache

// A Cache caches secrets read from a SecretReader until the secret's lease
// expires, then proactively drops them. Construct it with NewCache.
type Cache struct {
	// The embedded RWMutex is exported, so callers can Lock/RLock it directly.
	// Because it contains a mutex, a Cache must be used by pointer and never copied.
	sync.RWMutex
	// contains filtered or unexported fields
}

A Cache caches secrets read from a SecretReader until the lease on the secret expires. Once expired, the secret is proactively deleted from the cache to keep the cache footprint small.

func NewCache

func NewCache(sr SecretReader, maxLease time.Duration) *Cache

NewCache creates a Cache backed by the given SecretReader.

func (*Cache) Read

func (c *Cache) Read(path string) (*vaultapi.Secret, error)

Read a secret from the cache or the underlying client if not present.

type ReAuther

// ReAuther runs the authorization loop (login, renew) for an Auther, retrying
// with bounded exponential backoff, and signals each login via LoggedIn.
// Its fields are unexported and not shown in this view.
type ReAuther struct {
	// contains filtered or unexported fields
}

The ReAuther runs the authorization loop (login, renew), retrying with a bounded exponential backoff strategy. If maxTTL is set, a new login is performed regardless of the available leaseDuration.

func NewReAuther

func NewReAuther(auther Auther, maxTTL, retry, max time.Duration) *ReAuther

NewReAuther constructs a ReAuther for the given Auther with a maxTTL, a retry time and a max retry time.

func (*ReAuther) LoggedIn

func (ra *ReAuther) LoggedIn() <-chan struct{}

LoggedIn returns a channel that receives a signal after every login. Multiple logins may be coalesced into a single signal, because sends on this channel never block.

type SecretReader

// A SecretReader reads a Vault secret from the given path. Implementations
// should be safe for concurrent use.
type SecretReader interface {
	// Read returns the secret stored at path, or an error.
	Read(path string) (*vaultapi.Secret, error)
}

A SecretReader reads a Vault secret from the given path. Implementations should be safe for concurrent use.

type Vault

// Vault converts a Vault secret into untyped secret data, exposing it through
// Get and List.
type Vault struct {
	// SecretReader supplies the raw secrets (e.g. an APIClient or a Cache).
	SecretReader SecretReader

	// PathPrefix is the path under which credential lookups are namespaced
	// (see VaultManager.PathPrefix).
	PathPrefix   string
	// TeamName and PipelineName presumably scope lookups beneath PathPrefix —
	// confirm against Get.
	TeamName     string
	PipelineName string
}

Vault converts a vault secret to our completely untyped secret data.

func (Vault) Get

func (v Vault) Get(varDef template.VariableDefinition) (interface{}, bool, error)

func (Vault) List

func (v Vault) List() ([]template.VariableDefinition, error)

type VaultManager

// VaultManager is the flag-driven configuration for the Vault credential
// manager; IsConfigured, Validate and NewVariablesFactory operate on it.
type VaultManager struct {
	// URL is the Vault server address used to access secrets.
	URL string `long:"url" description:"Vault server address used to access secrets."`

	// PathPrefix namespaces credential lookups; defaults to "/concourse".
	PathPrefix string `long:"path-prefix" default:"/concourse" description:"Path under which to namespace credential lookup."`

	// Cache enables in-memory caching of returned secrets for their lease duration.
	Cache    bool          `bool:"cache" default:"false" description:"Cache returned secrets for their lease duration in memory"`
	// MaxLease caps the cached lease duration when the cache is enabled.
	MaxLease time.Duration `long:"max-lease" description:"If the cache is enabled, and this is set, override secrets lease duration with a maximum value"`

	// TLS configures how the Vault server certificate is verified and which
	// client certificate, if any, is presented.
	TLS struct {
		// CACert is a PEM-encoded CA certificate file used to verify the server.
		CACert     string `long:"ca-cert"              description:"Path to a PEM-encoded CA cert file to use to verify the vault server SSL cert."`
		// CAPath: its flag description is not shown in this view.
		CAPath     string `` /* 127-byte string literal not displayed */
		// ClientCert and ClientKey are the client certificate and private key
		// presented to Vault for authorization.
		ClientCert string `long:"client-cert"          description:"Path to the client certificate for Vault authorization."`
		ClientKey  string `long:"client-key"           description:"Path to the client private key for Vault authorization."`
		// ServerName overrides the SNI host used when connecting via TLS.
		ServerName string `long:"server-name"          description:"If set, is used to set the SNI host when connecting via TLS."`
		// Insecure skips verification of the Vault server certificate
		// (--insecure-skip-verify). With it set, tokens and secrets in transit
		// can be read or altered by anyone able to intercept the connection;
		// it should stay false anywhere outside a local test setup.
		Insecure   bool   `long:"insecure-skip-verify" description:"Enable insecure SSL verification."`
	}

	// Auth holds the authentication settings (static token or auth backend).
	Auth AuthConfig
}

func (VaultManager) IsConfigured

func (manager VaultManager) IsConfigured() bool

func (VaultManager) NewVariablesFactory

func (manager VaultManager) NewVariablesFactory(logger lager.Logger) (creds.VariablesFactory, error)

func (VaultManager) Validate

func (manager VaultManager) Validate() error
