Documentation
Overview
Package certretrieveal implements retrieval of a certificate from a Vault server. It authenticates with either a Vault token or a Kubernetes service account token and then attempts to issue a new certificate.
Index
Constants
const (
	// The canonical path of a service account token in a running k8s pod
	ServiceAccountPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
)
Variables
var (
	ErrConfig    = fmt.Errorf("configuration error")
	ErrRetrieval = fmt.Errorf("retrieval error")
)
Functions
This section is empty.
Types
type CertRetrieval
type CertRetrieval struct {
	Config
}
CertRetrieval manages the retrieval and replacement of certificates
func (*CertRetrieval) Retrieve
func (cr *CertRetrieval) Retrieve() error
Retrieve performs the certificate retrieval
type CertificateData
type CertificateData struct {
	Certificate    string   `json:"certificate,omitempty"`
	Expiration     UnixTime `json:"expiration,omitempty"`
	IssuingCa      string   `json:"issuing_ca,omitempty"`
	PrivateKey     string   `json:"private_key,omitempty"`
	PrivateKeyType string   `json:"private_key_type,omitempty"`
	SerialNumber   string   `json:"serial_number,omitempty"`
}
CertificateData is the subtype used for the data field of CertificateResponse
type CertificateRequest
type CertificateRequest struct {
	Name              string     `json:"name,omitempty"`
	CommonName        string     `json:"common_name,omitempty"`
	AltNames          StringList `json:"alt_names,omitempty"`
	IpSans            StringList `json:"ip_sans,omitempty"`
	UriSans           StringList `json:"uri_sans,omitempty"`
	OtherSans         StringList `json:"other_sans,omitempty"`
	TTL               string     `json:"ttl,omitempty"`
	Format            string     `json:"format,omitempty"`
	PrivateKeyFormat  string     `json:"private_key_format,omitempty"`
	ExcludeCnFromSans bool       `json:"exclude_cn_from_sans,omitempty"`
}
CertificateRequest represents a Vault certificate request
type CertificateResponse
type CertificateResponse struct {
	RequestId     string          `json:"request_id,omitempty"`
	LeaseId       string          `json:"lease_id,omitempty"`
	LeaseDuration UnixTime        `json:"lease_duration,omitempty"`
	Renewable     bool            `json:"renewable,omitempty"`
	Data          CertificateData `json:"data,omitempty"`
}
CertificateResponse represents the Vault response to a certificate request
type Config
type Config struct {
	// Tokenfile is the path to the file containing the Vault token
	Tokenfile string
	// Token is the Vault token
	Token string
	// Vault is the URL of the Vault server
	Vault string
	// ServerCA is the CA certificate of the Vault server
	ServerCA string
	// PKI is the path to the PKI engine in Vault
	PKI string
	// Role is the Vault role to use
	Role string
	// AuthRole is the Vault role to use for authentication
	AuthRole string
	// Name is the name of the certificate to retrieve
	Name string
	// ValidityCheckTolerance is the tolerance in percent for the validity check
	ValidityCheckTolerance int64
	// Force ignores the validity check and forces retrieval
	Force bool
	// TTL is the requested TTL for the certificate
	TTL time.Duration
	// OutCAfile is the path to the file to store the CA certificate
	OutCAfile string
	// OutCertfile is the path to the file to store the certificate
	OutCertfile string
	// OutKeyfile is the path to the file to store the private key
	OutKeyfile string
}
Config is the configuration struct for the certificate retrieval
type StringList
type StringList []string
StringList is a wrapper for a string slice with suitable JSON marshalling for the case where the value is not expressed as a JSON array
func (StringList) MarshalJSON
func (sl StringList) MarshalJSON() ([]byte, error)
func (*StringList) UnmarshalJSON
func (sl *StringList) UnmarshalJSON(data []byte) error
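The behaviour the StringList doc describes, as an added example that is not the package's own code: the list marshals to one comma-separated JSON string (the form Vault's PKI issue endpoint accepts for alt_names, ip_sans and the other SAN fields) and unmarshals from either that string or a JSON array. The exact wire format and the splitCSV helper are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// StringList mirrors the page's type: a []string whose JSON form is the
// comma-separated string Vault's PKI issue endpoint accepts for alt_names,
// ip_sans and the other SAN fields (a format assumed by this example).
type StringList []string

// MarshalJSON writes the list as one comma-separated JSON string.
func (sl StringList) MarshalJSON() ([]byte, error) {
	return json.Marshal(strings.Join(sl, ","))
}

// UnmarshalJSON accepts either a JSON array of strings or a single JSON string
// of comma-separated entries; blanks are trimmed and empty entries dropped.
func (sl *StringList) UnmarshalJSON(data []byte) error {
	var s string
	if err := json.Unmarshal(data, &s); err == nil {
		*sl = splitCSV(s)
		return nil
	}
	var arr []string
	if err := json.Unmarshal(data, &arr); err != nil {
		return fmt.Errorf("StringList: want string or array: %w", err)
	}
	*sl = splitCSV(strings.Join(arr, ","))
	return nil
}

// splitCSV normalises a comma-separated string, so ",a, b," yields [a b].
func splitCSV(s string) StringList {
	out := StringList{}
	for _, part := range strings.Split(s, ",") {
		if part = strings.TrimSpace(part); part != "" {
			out = append(out, part)
		}
	}
	return out
}

func main() {
	// Constructed sample: two SANs as they would appear in alt_names.
	b, _ := json.Marshal(StringList{"a.example.internal", "b.example.internal"})
	fmt.Println(string(b)) // "a.example.internal,b.example.internal"
}
```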
type UnixTime
UnixTime is a wrapper type for time.Time that allows marshalling and unmarshalling of its JSON representation