Documentation ¶
Index ¶
- func NewVaultFactory(sr SecretReader, loggedIn <-chan struct{}, prefix string) *vaultFactory
- func NewVaultManagerFactory() creds.ManagerFactory
- type APIClient
- type AuthConfig
- type Auther
- type Cache
- type ReAuther
- type SecretReader
- type TLS
- type Vault
- type VaultManager
- func (manager VaultManager) Health() (*creds.HealthResponse, error)
- func (manager *VaultManager) Init(log lager.Logger) error
- func (manager VaultManager) IsConfigured() bool
- func (manager *VaultManager) MarshalJSON() ([]byte, error)
- func (manager VaultManager) NewVariablesFactory(logger lager.Logger) (creds.VariablesFactory, error)
- func (manager VaultManager) Validate() error
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func NewVaultFactory ¶
func NewVaultFactory(sr SecretReader, loggedIn <-chan struct{}, prefix string) *vaultFactory
func NewVaultManagerFactory ¶
func NewVaultManagerFactory() creds.ManagerFactory
Types ¶
type APIClient ¶
type APIClient struct {
// contains filtered or unexported fields
}
The APIClient is a SecretReader which maintains an authorized client using the Login and Renew functions.
func NewAPIClient ¶
func NewAPIClient(logger lager.Logger, apiURL string, tlsConfig *vaultapi.TLSConfig, authConfig AuthConfig) (*APIClient, error)
NewAPIClient with the associated authorization config and underlying vault client.
func (*APIClient) Login ¶
Login the APIClient using the credentials passed at construction. Returns a duration after which renew must be called.
type AuthConfig ¶
type AuthConfig struct { ClientToken string `long:"client-token" description:"Client token for accessing secrets within the Vault server."` Backend string `long:"auth-backend" description:"Auth backend to use for logging in to Vault."` BackendMaxTTL time.Duration `` /* 142-byte string literal not displayed */ RetryMax time.Duration `long:"retry-max" default:"5m" description:"The maximum time between retries when logging in or re-authing a secret."` RetryInitial time.Duration `long:"retry-initial" default:"1s" description:"The initial time between retries when logging in or re-authing a secret."` Params []template.VarKV `` /* 139-byte string literal not displayed */ }
type Auther ¶
An Auther is anything which needs to be logged in and then have that login renewed on a regulary basis.
type Cache ¶
A Cache caches secrets read from a SecretReader until the lease on the secret expires. Once expired the credential is proactively deleted from cache to maintain a smaller cache footprint.
type ReAuther ¶
type ReAuther struct {
// contains filtered or unexported fields
}
The ReAuther runs the authorization loop (login, renew) and retries using a bounded exponential backoff strategy. If maxTTL is set, a new login will be done _regardless_ of the available leaseDuration.
func NewReAuther ¶
NewReAuther with a retry time and a max retry time.
type SecretReader ¶
A SecretReader reads a vault secret from the given path. It should be thread safe!
type TLS ¶
type TLS struct { CACert string `long:"ca-cert" description:"Path to a PEM-encoded CA cert file to use to verify the vault server SSL cert."` CAPath string `` /* 127-byte string literal not displayed */ ClientCert string `long:"client-cert" description:"Path to the client certificate for Vault authorization."` ClientKey string `long:"client-key" description:"Path to the client private key for Vault authorization."` ServerName string `long:"server-name" description:"If set, is used to set the SNI host when connecting via TLS."` Insecure bool `long:"insecure-skip-verify" description:"Enable insecure SSL verification."` }
type Vault ¶
type Vault struct { SecretReader SecretReader PathPrefix string TeamName string PipelineName string }
Vault converts a vault secret to our completely untyped secret data.
type VaultManager ¶
type VaultManager struct { URL string `long:"url" description:"Vault server address used to access secrets."` PathPrefix string `long:"path-prefix" default:"/concourse" description:"Path under which to namespace credential lookup."` Cache bool `long:"cache" description:"Cache returned secrets for their lease duration in memory"` MaxLease time.Duration `long:"max-lease" description:"If the cache is enabled, and this is set, override secrets lease duration with a maximum value"` TLS TLS Auth AuthConfig Client *APIClient }
func (VaultManager) Health ¶
func (manager VaultManager) Health() (*creds.HealthResponse, error)
func (VaultManager) IsConfigured ¶
func (manager VaultManager) IsConfigured() bool
func (*VaultManager) MarshalJSON ¶
func (manager *VaultManager) MarshalJSON() ([]byte, error)
func (VaultManager) NewVariablesFactory ¶
func (manager VaultManager) NewVariablesFactory(logger lager.Logger) (creds.VariablesFactory, error)
func (VaultManager) Validate ¶
func (manager VaultManager) Validate() error