vault

package
v0.34.1 Latest Latest
Published: Jun 12, 2023 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Constants

This section is empty.

Variables

// DefaultArguments holds default settings for Arguments: the Vault client
// retries twice, waiting between one and one-and-a-half seconds, and gives
// up on a single request after a minute.
var DefaultArguments = Arguments{
	ClientOptions: ClientOptions{
		MinRetryWait: time.Second,
		MaxRetryWait: 3 * time.Second / 2,
		MaxRetries:   2,
		Timeout:      time.Minute,
	},
}

DefaultArguments holds default settings for Arguments.

// DefaultAuthAWS provides default settings for AuthAWS: IAM-style login
// against the "aws" mount in us-east-1, with pkcs7 signatures for the ec2
// type.
var DefaultAuthAWS = AuthAWS{
	MountPath:        "aws",
	Type:             authAWSTypeIAM, // unexported constant for the iam mechanism
	Region:           "us-east-1",
	EC2SignatureType: "pkcs7", // only consulted when Type is ec2
}

DefaultAuthAWS provides default settings for AuthAWS.

// DefaultAuthAppRole provides default settings for AuthAppRole; only the
// mount path is defaulted, RoleID and Secret must be supplied.
var DefaultAuthAppRole = AuthAppRole{
	MountPath: "approle",
}

DefaultAuthAppRole provides default settings for AuthAppRole.

// DefaultAuthAzure provides default settings for AuthAzure: the "azure"
// mount and the Azure Resource Manager resource URL.
var DefaultAuthAzure = AuthAzure{
	MountPath:   "azure",
	ResourceURL: "https://management.azure.com/",
}

DefaultAuthAzure provides default settings for AuthAzure.

// DefaultAuthGCP provides default settings for AuthGCP: the "gcp" mount and
// the gce login type.
var DefaultAuthGCP = AuthGCP{
	MountPath: "gcp",
	Type:      authGCPTypeGCE, // unexported constant for the gce mechanism
}

DefaultAuthGCP provides default settings for AuthGCP.

// DefaultAuthKubernetes provides default settings for AuthKubernetes: the
// "kubernetes" mount and the standard in-pod service account token path.
var DefaultAuthKubernetes = AuthKubernetes{
	MountPath:               "kubernetes",
	ServiceAccountTokenFile: "/var/run/secrets/kubernetes.io/serviceaccount/token",
}

DefaultAuthKubernetes provides default settings for AuthKubernetes.

// DefaultAuthLDAP provides default settings for AuthLDAP; only the mount
// path is defaulted.
var DefaultAuthLDAP = AuthLDAP{
	MountPath: "ldap",
}

DefaultAuthLDAP provides default settings for AuthLDAP.

// DefaultAuthUserPass provides default settings for AuthUserPass; only the
// mount path is defaulted.
var DefaultAuthUserPass = AuthUserPass{
	MountPath: "userpass",
}

DefaultAuthUserPass provides default settings for AuthUserPass.

Functions

This section is empty.

Types

type Arguments

// Arguments configures remote.vault.
type Arguments struct {
	// Server is the Vault server to connect to. Required.
	Server string `river:"server,attr"`
	// Namespace is the Vault namespace requests are made in, if any.
	Namespace string `river:"namespace,attr,optional"`

	// Path is the secret path to read. Required.
	Path string `river:"path,attr"`

	// RereadFrequency is how often the secret is re-read from Vault.
	// NOTE(review): behaviour when left at zero is not visible here — confirm.
	RereadFrequency time.Duration `river:"reread_frequency,attr,optional"`

	// ClientOptions tunes retry and timeout behaviour of the Vault client;
	// DefaultArguments supplies the defaults.
	ClientOptions ClientOptions `river:"client_options,block,optional"`

	// Auth lists authentication methods. Because AuthArguments is an enum
	// block, each element carries exactly one method.
	Auth []AuthArguments `river:"auth,enum,optional"`
}

Arguments configures remote.vault.

func (*Arguments) UnmarshalRiver

func (a *Arguments) UnmarshalRiver(f func(interface{}) error) error

UnmarshalRiver implements river.Unmarshaler.

type AuthAWS

// AuthAWS authenticates against Vault with AWS.
type AuthAWS struct {
	// Type specifies the mechanism used to authenticate with AWS. Should be
	// either ec2 or iam.
	Type string `river:"type,attr"`
	// Region is the AWS region used for the login; DefaultAuthAWS sets
	// us-east-1.
	Region string `river:"region,attr,optional"`
	// Role names the Vault role to authenticate as.
	Role string `river:"role,attr,optional"`
	// IAMServerIDHeader is the value sent as the IAM server ID header.
	// NOTE(review): presumably only meaningful when Type is iam — confirm in
	// the login code.
	IAMServerIDHeader string `river:"iam_server_id_header,attr,optional"`
	// EC2SignatureType specifies the signature to use against EC2. Only used
	// when Type is ec2. Valid options are identity and pkcs7 (default).
	EC2SignatureType string `river:"ec2_signature_type,attr,optional"`
	// MountPath is where the AWS auth method is mounted; defaults to "aws".
	MountPath string `river:"mount_path,attr,optional"`
}

AuthAWS authenticates against Vault with AWS.

func (*AuthAWS) UnmarshalRiver

func (a *AuthAWS) UnmarshalRiver(f func(interface{}) error) error

UnmarshalRiver implements river.Unmarshaler and applies default settings.

func (*AuthAWS) Validate

func (a *AuthAWS) Validate() error

Validate validates settings for AuthAWS.

type AuthAppRole

// AuthAppRole authenticates against Vault with AppRole.
type AuthAppRole struct {
	// RoleID identifies the AppRole to log in with. Required.
	RoleID string `river:"role_id,attr"`
	// Secret is the AppRole secret ID, held as a rivertypes.Secret rather
	// than a plain string. Required.
	Secret rivertypes.Secret `river:"secret,attr"`
	// WrappingToken changes how Secret is interpreted.
	// NOTE(review): presumably marks Secret as a response-wrapping token to
	// be unwrapped first — confirm against the login code.
	WrappingToken bool `river:"wrapping_token,attr,optional"`
	// MountPath is where the AppRole auth method is mounted; defaults to
	// "approle".
	MountPath string `river:"mount_path,attr,optional"`
}

AuthAppRole authenticates against Vault with AppRole.

func (*AuthAppRole) UnmarshalRiver

func (a *AuthAppRole) UnmarshalRiver(f func(interface{}) error) error

UnmarshalRiver implements river.Unmarshaler and applies default settings.

type AuthArguments

// AuthArguments defines a single authentication type in a remote.vault
// component instance. These are embedded as an enum field so only one may
// be set per AuthArguments. Each field is a pointer so that an unset block
// is nil.
type AuthArguments struct {
	AuthToken      *AuthToken      `river:"token,block,optional"`
	AuthAppRole    *AuthAppRole    `river:"approle,block,optional"`
	AuthAWS        *AuthAWS        `river:"aws,block,optional"`
	AuthAzure      *AuthAzure      `river:"azure,block,optional"`
	AuthGCP        *AuthGCP        `river:"gcp,block,optional"`
	AuthKubernetes *AuthKubernetes `river:"kubernetes,block,optional"`
	AuthLDAP       *AuthLDAP       `river:"ldap,block,optional"`
	AuthUserPass   *AuthUserPass   `river:"userpass,block,optional"`
	AuthCustom     *AuthCustom     `river:"custom,block,optional"`
}

AuthArguments defines a single authentication type in a remote.vault component instance. These are embedded as an enum field so only one may be set per AuthArguments.

type AuthAzure

// AuthAzure authenticates against Vault with Azure.
type AuthAzure struct {
	// Role names the Vault role to authenticate as. Required.
	Role string `river:"role,attr"`
	// ResourceURL is the Azure resource URL used for the login; defaults to
	// https://management.azure.com/ (see DefaultAuthAzure).
	ResourceURL string `river:"resource_url,attr,optional"`
	// MountPath is where the Azure auth method is mounted; defaults to
	// "azure".
	MountPath string `river:"mount_path,attr,optional"`
}

AuthAzure authenticates against Vault with Azure.

func (*AuthAzure) UnmarshalRiver

func (a *AuthAzure) UnmarshalRiver(f func(interface{}) error) error

UnmarshalRiver implements river.Unmarshaler and applies default settings.

type AuthCustom

// AuthCustom provides a custom authentication method: an arbitrary login
// path plus the data to send to it.
type AuthCustom struct {
	// Path to use for logging in (e.g., auth/kubernetes/login, etc.)
	Path string `river:"path,attr"`
	// Data holds the login request data. Every value is a rivertypes.Secret,
	// so the whole payload is treated as sensitive.
	Data map[string]rivertypes.Secret `river:"data,attr"`
}

AuthCustom provides a custom authentication method.

func (*AuthCustom) Login

func (a *AuthCustom) Login(ctx context.Context, client *vault.Client) (*vault.Secret, error)

Login implements vault.AuthMethod.

type AuthGCP

// AuthGCP authenticates against Vault with GCP.
type AuthGCP struct {
	// Role names the Vault role to authenticate as. Required.
	Role string `river:"role,attr"`
	// Type specifies the mechanism used to authenticate with GCP. Should be
	// either gce or iam.
	Type string `river:"type,attr"`
	// IAMServiceAccount is the service account used for the login.
	// NOTE(review): presumably only used when Type is iam — confirm.
	IAMServiceAccount string `river:"iam_service_account,attr,optional"`
	// MountPath is where the GCP auth method is mounted; defaults to "gcp".
	MountPath string `river:"mount_path,attr,optional"`
}

AuthGCP authenticates against Vault with GCP.

func (*AuthGCP) UnmarshalRiver

func (a *AuthGCP) UnmarshalRiver(f func(interface{}) error) error

UnmarshalRiver implements river.Unmarshaler and applies default settings.

func (*AuthGCP) Validate

func (a *AuthGCP) Validate() error

Validate returns a non-nil error if AuthGCP is invalid.

type AuthKubernetes

// AuthKubernetes authenticates against Vault with Kubernetes.
type AuthKubernetes struct {
	// Role names the Vault role to authenticate as. Required.
	Role string `river:"role,attr"`
	// ServiceAccountTokenFile is the file holding the service account token
	// presented to Vault; defaults to the in-pod path
	// /var/run/secrets/kubernetes.io/serviceaccount/token.
	ServiceAccountTokenFile string `river:"service_account_file,attr,optional"`
	// MountPath is where the Kubernetes auth method is mounted; defaults to
	// "kubernetes".
	MountPath string `river:"mount_path,attr,optional"`
}

AuthKubernetes authenticates against Vault with Kubernetes.

func (*AuthKubernetes) UnmarshalRiver

func (a *AuthKubernetes) UnmarshalRiver(f func(interface{}) error) error

UnmarshalRiver implements river.Unmarshaler and applies default settings.

type AuthLDAP

// AuthLDAP authenticates against Vault with LDAP.
type AuthLDAP struct {
	// Username is the LDAP user to bind as. Required.
	Username string `river:"username,attr"`
	// Password is held as a rivertypes.Secret rather than a plain string.
	// Required.
	Password rivertypes.Secret `river:"password,attr"`
	// MountPath is where the LDAP auth method is mounted; defaults to "ldap".
	MountPath string `river:"mount_path,attr,optional"`
}

AuthLDAP authenticates against Vault with LDAP.

func (*AuthLDAP) UnmarshalRiver

func (a *AuthLDAP) UnmarshalRiver(f func(interface{}) error) error

UnmarshalRiver implements river.Unmarshaler and applies default settings.

type AuthToken

// AuthToken authenticates against Vault with a token.
type AuthToken struct {
	// Token is the Vault token to use, held as a rivertypes.Secret rather
	// than a plain string. Required.
	Token rivertypes.Secret `river:"token,attr"`
}

AuthToken authenticates against Vault with a token.

type AuthUserPass

// AuthUserPass authenticates against Vault with a username and password.
type AuthUserPass struct {
	// Username is the user to log in as. Required.
	Username string `river:"username,attr"`
	// Password is held as a rivertypes.Secret rather than a plain string.
	// Required.
	Password rivertypes.Secret `river:"password,attr"`
	// MountPath is where the userpass auth method is mounted; defaults to
	// "userpass".
	MountPath string `river:"mount_path,attr,optional"`
}

AuthUserPass authenticates against Vault with a username and password.

func (*AuthUserPass) UnmarshalRiver

func (a *AuthUserPass) UnmarshalRiver(f func(interface{}) error) error

UnmarshalRiver implements river.Unmarshaler and applies default settings.

type ClientOptions

// ClientOptions sets extra options on the Client. DefaultArguments supplies
// the defaults quoted below.
type ClientOptions struct {
	// MinRetryWait is the minimum wait between retries; default 1s.
	MinRetryWait time.Duration `river:"min_retry_wait,attr,optional"`
	// MaxRetryWait is the maximum wait between retries; default 1.5s.
	MaxRetryWait time.Duration `river:"max_retry_wait,attr,optional"`
	// MaxRetries is how many times a request is retried; default 2.
	MaxRetries int `river:"max_retries,attr,optional"`
	// Timeout bounds a single request; default 60s.
	Timeout time.Duration `river:"timeout,attr,optional"`
}

ClientOptions sets extra options on the Client.

type Component

// Component implements the remote.vault component.
type Component struct {
	// contains filtered or unexported fields
}

Component implements the remote.vault component.

func New

func New(opts component.Options, args Arguments) (*Component, error)

New creates a new remote.vault component. It will try to immediately read the secret from Vault and return an error if the secret can't be read or if authentication against the Vault server fails.

func (*Component) CurrentHealth

func (c *Component) CurrentHealth() component.Health

CurrentHealth returns the current health of the remote.vault component. It will be healthy as long as the latest read or renewal was successful.

func (*Component) DebugInfo

func (c *Component) DebugInfo() interface{}

DebugInfo returns debug information about the remote.vault component. It includes non-sensitive metadata about the current secret.

func (*Component) Run

func (c *Component) Run(ctx context.Context) error

Run runs the remote.vault component, managing the lifetime of the retrieved secret and renewing/rereading it as necessary.

func (*Component) Update

func (c *Component) Update(args component.Arguments) error

Update updates the remote.vault component. It will try to immediately read the secret from Vault and return an error if the secret can't be read.

type Exports

// Exports is the values exported by remote.vault.
type Exports struct {
	// Data holds key-value pairs returned from Vault after retrieving the key.
	// Any keys-value pairs returned from Vault which are not []byte or strings
	// cannot be represented as secrets and are therefore ignored.
	//
	// However, it seems that most secrets engines don't actually return
	// arbitrary data, so this limitation shouldn't cause any issues in practice.
	//
	// Every value is a rivertypes.Secret rather than a plain string.
	Data map[string]rivertypes.Secret `river:"data,attr"`
}

Exports is the values exported by remote.vault.
