secret

Documentation

Overview

Package secret provides the ability for Vela to integrate with different supported Secret backends.

Usage:

import "github.com/go-vela/server/secret"

Index

• Variables
• func ToContext(c Setter, key string, s Service)
• type Service
  • func FromContext(c context.Context, key string) Service
  • func New(s *Setup) (Service, error)
• type Setter
• type Setup
  • func (s *Setup) Native() (Service, error)
  • func (s *Setup) Validate() error
  • func (s *Setup) Vault() (Service, error)

Variables

var Flags = []cli.Flag{

	&cli.BoolFlag{
		EnvVars:  []string{"VELA_SECRET_VAULT", "SECRET_VAULT"},
		FilePath: "/vela/secret/vault/driver",
		Name:     "secret.vault.driver",
		Usage:    "enables the vault secret driver",
	},
	&cli.StringFlag{
		EnvVars:  []string{"VELA_SECRET_VAULT_ADDR", "SECRET_VAULT_ADDR"},
		FilePath: "/vela/secret/vault/addr",
		Name:     "secret.vault.addr",
		Usage:    "fully qualified url (<scheme>://<host>) for the vault system",
	},
	&cli.StringFlag{
		EnvVars:  []string{"VELA_SECRET_VAULT_AUTH_METHOD", "SECRET_VAULT_AUTH_METHOD"},
		FilePath: "/vela/secret/vault/auth_method",
		Name:     "secret.vault.auth-method",
		Usage:    "authentication method used to obtain token from vault system",
	},
	&cli.StringFlag{
		EnvVars:  []string{"VELA_SECRET_VAULT_AWS_ROLE", "SECRET_VAULT_AWS_ROLE"},
		FilePath: "/vela/secret/vault/aws_role",
		Name:     "secret.vault.aws-role",
		Usage:    "vault role used to connect to the auth/aws/login endpoint",
	},
	&cli.StringFlag{
		EnvVars:  []string{"VELA_SECRET_VAULT_PREFIX", "SECRET_VAULT_PREFIX"},
		FilePath: "/vela/secret/vault/prefix",
		Name:     "secret.vault.prefix",
		Usage:    "prefix for k/v secrets in vault system e.g. secret/data/<prefix>/<path>",
	},
	&cli.DurationFlag{
		EnvVars:  []string{"VELA_SECRET_VAULT_RENEWAL", "SECRET_VAULT_RENEWAL"},
		FilePath: "/vela/secret/vault/renewal",
		Name:     "secret.vault.renewal",
		Usage:    "frequency which the vault token should be renewed",
		Value:    30 * time.Minute,
	},
	&cli.StringFlag{
		EnvVars:  []string{"VELA_SECRET_VAULT_TOKEN", "SECRET_VAULT_TOKEN"},
		FilePath: "/vela/secret/vault/token",
		Name:     "secret.vault.token",
		Usage:    "token used to access vault system",
	},
	&cli.StringFlag{
		EnvVars:  []string{"VELA_SECRET_VAULT_VERSION", "SECRET_VAULT_VERSION"},
		FilePath: "/vela/secret/vault/version",
		Name:     "secret.vault.version",
		Usage:    "version for the kv backend for the vault system",
		Value:    "2",
	},
}

Flags represents all supported command line interface (CLI) flags for the secret.

https://pkg.go.dev/github.com/urfave/cli?tab=doc#Flag

Functions

func ToContext

func ToContext(c Setter, key string, s Service)

ToContext adds the secret Service to this context if it supports the Setter interface.

Types

type Service

type Service interface {

	// Driver defines a function that outputs
	// the configured source driver.
	Driver() string

	// Get defines a function that captures a secret.
	Get(string, string, string, string) (*library.Secret, error)
	// List defines a function that captures a list of secrets.
	List(string, string, string, int, int, []string) ([]*library.Secret, error)
	// Count defines a function that counts a list of secrets.
	Count(string, string, string, []string) (int64, error)
	// Create defines a function that creates a new secret.
	Create(string, string, string, *library.Secret) error
	// Update defines a function that updates an existing secret.
	Update(string, string, string, *library.Secret) error
	// Delete defines a function that deletes a secret.
	Delete(string, string, string, string) error
}

Service represents the interface for Vela integrating with the different supported secret providers.

func FromContext

func FromContext(c context.Context, key string) Service

FromContext returns the secret Service associated with this context.

func New

func New(s *Setup) (Service, error)

nolint: godot // top level comment ends in a list

New creates and returns a Vela service capable of integrating with the configured secret provider.

Currently the following secret providers are supported:

* Native * Vault

type Setter

type Setter interface {
	Set(string, interface{})
}

Setter defines a context that enables setting values.

type Setup

type Setup struct {

	// specifies the driver to use for the secret client
	Driver string

	// specifies the database service to use for the secret client
	Database database.Service

	// specifies the address to use for the secret client
	Address string
	// specifies the authentication method to use for the secret client
	AuthMethod string
	// specifies the AWS role to use for the secret client
	AwsRole string
	// specifies the prefix to use for the secret client
	Prefix string
	// specifies the token to use for the secret client
	Token string
	// specifies the token duration to use for the secret client
	TokenDuration time.Duration
	// specifies the version to use for the secret client
	Version string
}

Setup represents the configuration necessary for creating a Vela service capable of integrating with a configured secret system.

func (*Setup) Native

func (s *Setup) Native() (Service, error)

Native creates and returns a Vela service capable of integrating with a Native (Database) secret system.

func (*Setup) Validate

func (s *Setup) Validate() error

Validate verifies the necessary fields for the provided configuration are populated correctly.

func (*Setup) Vault

func (s *Setup) Vault() (Service, error)

Vault creates and returns a Vela service capable of integrating with a Hashicorp Vault secret system.