vault

package
v1.0.0 Latest
Warning

This package is not in the latest version of its module.

Published: Jun 14, 2024 License: Apache-2.0 Imports: 11 Imported by: 0

README

Vault Keykeeper Plugin

The Vault keykeeper plugin reads configuration keys from HashiCorp Vault.

Key request format is %path to secret without mount path%#%secret key%.

For example, with the neptunus/kv engine, the secret path staging/inputs and the key kafka_password:

  • the request is staging/inputs#kafka_password;
  • the plugin's mount_path parameter is neptunus/kv;
  • optionally, set the path_prefix parameter to staging (without leading or trailing slashes) and write the request as inputs#kafka_password.
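The following is an added example, not the plugin's own code: it shows how a request, mount_path, path_prefix and the kv_version parameter from the configuration could resolve to a Vault KV HTTP API path. The helper name resolveRequest, the split on the first # and the rejection of dot segments are assumptions that go beyond what this page states; the /v1/<mount>/data/<path> layout is the standard KV v2 read path.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// resolveRequest is a hypothetical helper (not part of the plugin). It splits
// a "path#key" request and builds the Vault HTTP API path for the secret.
func resolveRequest(mountPath, pathPrefix, kvVersion, request string) (apiPath, key string, err error) {
	// Assumption: the first '#' separates the secret path from the secret key.
	secretPath, key, found := strings.Cut(request, "#")
	secretPath = strings.Trim(secretPath, "/")
	if !found || secretPath == "" || key == "" {
		return "", "", errors.New("request must look like path#key")
	}
	// Reject dot segments so a request cannot climb out of path_prefix.
	for _, seg := range strings.Split(secretPath, "/") {
		if seg == "." || seg == ".." {
			return "", "", errors.New("dot segments are not allowed in the secret path")
		}
	}
	// path_prefix is documented without slashes; trim defensively anyway.
	full := path.Join(strings.Trim(pathPrefix, "/"), secretPath)
	mount := strings.Trim(mountPath, "/")
	switch kvVersion {
	case "v1":
		return "/v1/" + mount + "/" + full, key, nil
	case "v2":
		// KV v2 serves secret data under an extra "data" segment.
		return "/v1/" + mount + "/data/" + full, key, nil
	default:
		return "", "", fmt.Errorf("unsupported kv_version %q", kvVersion)
	}
}

func main() {
	// Constructed sample requests: one valid, one escaping the prefix, one without a key.
	for _, req := range []string{"inputs#kafka_password", "../prod/inputs#kafka_password", "inputs"} {
		p, k, err := resolveRequest("neptunus/kv", "staging", "v2", req)
		fmt.Printf("%-32s -> path=%q key=%q err=%v\n", req, p, k, err)
	}
}
```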

Configuration

[[keykeepers]]
  [keykeepers.vault]
    alias = "vault"

    # Vault address
    address = "http://localhost:8200"

    # Engine mount path
    mount_path = "neptunus/kv"

    # Secrets path prefix
    # May be useful for switching environments with a single parameter
    # instead of changing it in each key request
    path_prefix = "test"

    # Kv engine version, "v1" or "v2"
    kv_version = "v2"

    # Vault namespace
    # https://developer.hashicorp.com/vault/tutorials/enterprise/namespace-structure
    namespace = "my-neptunus-namespace"

    ## TLS configuration
    # if true, TLS client will be used
    tls_enable = false
    # trusted root certificates for server
    tls_ca_file = "/etc/neptunus/ca.pem"
    # used for TLS client certificate authentication
    tls_key_file = "/etc/neptunus/key.pem"
    tls_cert_file = "/etc/neptunus/cert.pem"
    # minimum TLS version, not limited by default
    tls_min_version = "TLS12"
    # send the specified TLS server name via SNI
    tls_server_name = "example.svc.local"
    # use TLS but skip chain & host verification
    tls_insecure_skip_verify = false

    ## Authentication settings
    ## if approle.role_id and approle.secret_id are set, the approle method is used
    ## if k8s.role_name and k8s.token_path are set, the kubernetes method is used
    #
    # Approle authentication settings
    # https://developer.hashicorp.com/vault/docs/auth/approle
    [keykeepers.vault.approle]
      mount_path = "approle"
      role_id = "0a72eb67-..."
      secret_id = "e58e2b0d-..."

    # Kubernetes authentication settings
    # https://developer.hashicorp.com/vault/docs/auth/kubernetes
    [keykeepers.vault.k8s]
      mount_path = "kubernetes"
      role_name = "neptunus-role"
      token_path = "/var/run/secrets/kubernetes.io/serviceaccount/token"

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Approle

type Approle struct {
	MountPath string `mapstructure:"mount_path"`
	RoleId    string `mapstructure:"role_id"`
	SecretId  string `mapstructure:"secret_id"`
}

type K8s

type K8s struct {
	MountPath string `mapstructure:"mount_path"`
	RoleName  string `mapstructure:"role_name"`
	TokenPath string `mapstructure:"token_path"`
}

type Vault

type Vault struct {
	*core.BaseKeykeeper `mapstructure:"-"`
	Address             string  `mapstructure:"address"`
	MountPath           string  `mapstructure:"mount_path"`
	PathPrefix          string  `mapstructure:"path_prefix"` // e.g. dev/, test/, prod/
	KvVersion           string  `mapstructure:"kv_version"`  // v1, v2
	Namespace           string  `mapstructure:"namespace"`
	Approle             Approle `mapstructure:"approle"`
	K8s                 K8s     `mapstructure:"k8s"`

	*pkgtls.TLSClientConfig `mapstructure:",squash"`
	// contains filtered or unexported fields
}

func (*Vault) Close

func (k *Vault) Close() error

func (*Vault) Get

func (k *Vault) Get(key string) (any, error)

func (*Vault) Init

func (k *Vault) Init() error
