Documentation ¶
Overview ¶
Package certretrieveal implements certificate retrieval from a Vault server. It authenticates with a Vault token or with a Kubernetes service account token and attempts to issue a new certificate.
Index ¶
Constants ¶
const (
// The canonical path of a service account token in a running k8s pod
ServiceAccountPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
)
Variables ¶
var (
	ErrConfig    = fmt.Errorf("configuration error")
	ErrRetrieval = fmt.Errorf("retrieval error")
)
Functions ¶
This section is empty.
Types ¶
type CertRetrieval ¶
type CertRetrieval struct {
Config
}
CertRetrieval manages the retrieval and replacement of certificates
func (*CertRetrieval) Retrieve ¶
func (cr *CertRetrieval) Retrieve() error
Retrieve performs the certificate retrieval
type CertificateData ¶
type CertificateData struct {
	Certificate    string   `json:"certificate,omitempty"`
	Expiration     UnixTime `json:"expiration,omitempty"`
	IssuingCa      string   `json:"issuing_ca,omitempty"`
	PrivateKey     string   `json:"private_key,omitempty"`
	PrivateKeyType string   `json:"private_key_type,omitempty"`
	SerialNumber   string   `json:"serial_number,omitempty"`
}
CertificateData is a subtype used in CertificateResponse
type CertificateRequest ¶
type CertificateRequest struct {
	Name              string     `json:"name,omitempty"`
	CommonName        string     `json:"common_name,omitempty"`
	AltNames          string     `json:"alt_names,omitempty"`
	IpSans            StringList `json:"ip_sans,omitempty"`
	UriSans           StringList `json:"uri_sans,omitempty"`
	OtherSans         StringList `json:"other_sans,omitempty"`
	TTL               string     `json:"ttl,omitempty"`
	Format            string     `json:"format,omitempty"`
	PrivateKeyFormat  string     `json:"private_key_format,omitempty"`
	ExcludeCnFromSans bool       `json:"exclude_cn_from_sans,omitempty"`
}
CertificateRequest is the request body sent to Vault to issue a certificate
type CertificateResponse ¶
type CertificateResponse struct {
	RequestId     string          `json:"request_id,omitempty"`
	LeaseId       string          `json:"lease_id,omitempty"`
	LeaseDuration UnixTime        `json:"lease_duration,omitempty"`
	Renewable     bool            `json:"renewable,omitempty"`
	Data          CertificateData `json:"data,omitempty"`
}
CertificateResponse implements the Vault response for a certificate request
type Config ¶
type Config struct {
	// Token is the Vault token that can be passed directly. It is evaluated first.
	// If set, Tokenfile is ignored.
	Token string `json:"token,omitempty"`
	// Tokenfile is the path to the file containing the Vault token. It is evaluated second, only if
	// Token is not set. If neither Token nor Tokenfile is set, the service account token is used.
	Tokenfile string `json:"tokenfile,omitempty"`
	// Address is the URL of the Vault server, e.g. "https://vault.example.com:8200"
	Address string `json:"vault"`
	// ServerCA is the CA certificate of the Vault server
	ServerCA string `json:"serverca,omitempty"`
	// PKI is the path to the PKI engine in Vault
	PKI string `json:"pki"`
	// Role is the Vault role to use
	Role string `json:"role"`
	// AuthRole is the Vault role to use for authentication
	AuthRole string `json:"authrole"`
	// Name is the name of the certificate to retrieve, e.g. "myservice.example.com"
	Name string `json:"name"`
	// AltNames specifies requested Subject Alternative Names, in a comma-delimited list.
	// These can be host names or email addresses; they will be parsed into their respective fields.
	// If any requested names do not match role policy, the entire request will be denied.
	AltNames string `json:"alt_names,omitempty"`
	// ValidityCheckTolerance is the tolerance in percent for the validity check
	ValidityCheckTolerance int64 `json:"validity_check_tolerance"`
	// Force ignores the validity check and forces retrieval
	Force bool `json:"force"`
	// TTL specifies the requested Time To Live for the certificate. It cannot be greater than the role's max_ttl value.
	// If not provided, the role's ttl value will be used.
	TTL time.Duration `json:"ttl,omitempty"`
	// OutCAfile is the path to the file in which to store the CA certificate
	OutCAfile string `json:"outcafile"`
	// OutCertfile is the path to the file in which to store the certificate
	OutCertfile string `json:"outcertfile"`
	// OutKeyfile is the path to the file in which to store the private key
	OutKeyfile string `json:"outkeyfile"`
}
Config is the configuration struct for the certificate retrieval
type StringList ¶
type StringList []string
StringList is a wrapper for a string slice with JSON marshalling that also handles the case where the value is not expressed as a JSON array
func CommaSeperatedToStringList ¶
func CommaSeperatedToStringList(s string) StringList
func (StringList) MarshalJSON ¶
func (sl StringList) MarshalJSON() ([]byte, error)
func (*StringList) UnmarshalJSON ¶
func (sl *StringList) UnmarshalJSON(data []byte) error
type UnixTime ¶
UnixTime is a wrapper type for time.Time that allows it to be marshalled to and unmarshalled from its JSON representation
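StringList (above) and UnixTime both exist because the Vault PKI API's JSON does not map directly onto plain Go types: the SAN lists may arrive as an array or as one comma-separated string, and expiration is an integer of seconds since the Unix epoch. The following is an added example that implements both wrappers and exercises them against a constructed response and request; it is not the package's own code. The types are trimmed mirrors of the ones on this page (only the fields the example uses), DecodeResponse and EncodeRequest are names chosen for the example, and the sample JSON is made up rather than captured from a Vault server.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// StringList mirrors the page's type: a string slice that may appear in JSON either
// as an array or as a single comma-separated string.
type StringList []string

// CommaSeperatedToStringList (spelled as on the page) splits on commas, trims
// whitespace around each item and drops empty items.
func CommaSeperatedToStringList(s string) StringList {
	var out StringList
	for _, p := range strings.Split(s, ",") {
		if p = strings.TrimSpace(p); p != "" {
			out = append(out, p)
		}
	}
	return out
}

// MarshalJSON emits the comma-separated form, which Vault's PKI issue endpoint
// accepts for ip_sans, uri_sans and other_sans.
func (sl StringList) MarshalJSON() ([]byte, error) {
	return json.Marshal(strings.Join(sl, ","))
}

// UnmarshalJSON accepts a JSON array of strings or a comma-separated string; any
// other shape (a number, an object) is rejected rather than silently ignored.
func (sl *StringList) UnmarshalJSON(data []byte) error {
	var arr []string
	if err := json.Unmarshal(data, &arr); err == nil {
		*sl = StringList(arr)
		return nil
	}
	var s string
	if err := json.Unmarshal(data, &s); err != nil {
		return fmt.Errorf("StringList: want array or string, got %s", strings.TrimSpace(string(data)))
	}
	*sl = CommaSeperatedToStringList(s)
	return nil
}

// UnixTime mirrors the page's wrapper: a time.Time encoded as the integer number
// of seconds since the Unix epoch, which is how Vault reports "expiration".
type UnixTime struct{ time.Time }

func (u UnixTime) MarshalJSON() ([]byte, error) {
	return []byte(strconv.FormatInt(u.Unix(), 10)), nil
}

func (u *UnixTime) UnmarshalJSON(data []byte) error {
	s := strings.Trim(strings.TrimSpace(string(data)), `"`) // tolerate a quoted number
	if s == "null" {
		return nil
	}
	n, err := strconv.ParseInt(s, 10, 64)
	if err != nil {
		return fmt.Errorf("UnixTime: %w", err)
	}
	u.Time = time.Unix(n, 0).UTC()
	return nil
}

// Trimmed mirrors of the page's types, keeping only the fields this example uses.
type CertificateData struct {
	Certificate  string   `json:"certificate,omitempty"`
	Expiration   UnixTime `json:"expiration,omitempty"`
	SerialNumber string   `json:"serial_number,omitempty"`
}

type CertificateResponse struct {
	RequestId string          `json:"request_id,omitempty"`
	Data      CertificateData `json:"data,omitempty"`
}

type CertificateRequest struct {
	CommonName string     `json:"common_name,omitempty"`
	IpSans     StringList `json:"ip_sans,omitempty"`
	UriSans    StringList `json:"uri_sans,omitempty"`
	TTL        string     `json:"ttl,omitempty"`
}

// DecodeResponse parses a pki/issue response body (hypothetical helper).
func DecodeResponse(body []byte) (CertificateResponse, error) {
	var r CertificateResponse
	err := json.Unmarshal(body, &r)
	return r, err
}

// EncodeRequest builds the JSON body for pki/issue/<role> (hypothetical helper).
func EncodeRequest(r CertificateRequest) ([]byte, error) { return json.Marshal(r) }

// sampleResponse is a constructed stand-in for a pki/issue response, not a real capture.
const sampleResponse = `{
  "request_id": "11111111-2222-3333-4444-555555555555",
  "data": {
    "certificate": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----",
    "expiration": 1700000000,
    "serial_number": "0a:1b:2c"
  }
}`

func main() {
	resp, err := DecodeResponse([]byte(sampleResponse))
	if err != nil {
		panic(err)
	}
	fmt.Println("expires:", resp.Data.Expiration.Format(time.RFC3339))
	body, _ := EncodeRequest(CertificateRequest{
		CommonName: "myservice.example.com",
		IpSans:     CommaSeperatedToStringList("10.0.0.1, 10.0.0.2"),
		TTL:        "24h",
	})
	fmt.Println(string(body))
}
```

Because omitempty treats a zero-length slice as empty, an unset StringList is dropped from the request body before MarshalJSON is ever called, so Vault never sees an empty "ip_sans": "" that it might interpret as a request for no IP SANs. One caveat when reusing UnixTime for other fields: in Vault responses lease_duration is a duration in seconds, not a point in time, so decoding it as an epoch timestamp yields a 1970 date and it should be converted to a time.Duration instead if a caller needs it.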