vault

package
v0.39.0-rc.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 5, 2024 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var DefaultArguments = Arguments{
	ClientOptions: ClientOptions{
		MinRetryWait: 1000 * time.Millisecond,
		MaxRetryWait: 1500 * time.Millisecond,
		MaxRetries:   2,
		Timeout:      60 * time.Second,
	},
}

DefaultArguments holds default settings for Arguments.

View Source 
var DefaultAuthAWS = AuthAWS{
	MountPath:        "aws",
	Type:             authAWSTypeIAM,
	Region:           "us-east-1",
	EC2SignatureType: "pkcs7",
}

DefaultAuthAWS provides default settings for AuthAWS.

View Source 
var DefaultAuthAppRole = AuthAppRole{
	MountPath: "approle",
}

DefaultAuthAppRole provides default settings for AuthAppRole.

View Source 
var DefaultAuthAzure = AuthAzure{
	MountPath:   "azure",
	ResourceURL: "https://management.azure.com/",
}

DefaultAuthAzure provides default settings for AuthAzure.

View Source 
var DefaultAuthGCP = AuthGCP{
	MountPath: "gcp",
	Type:      authGCPTypeGCE,
}

DefaultAuthGCP provides default settings for AuthGCP.

View Source 
var DefaultAuthKubernetes = AuthKubernetes{
	MountPath:               "kubernetes",
	ServiceAccountTokenFile: "/var/run/secrets/kubernetes.io/serviceaccount/token",
}

DefaultAuthKubernetes provides default settings for AuthKubernetes.

View Source 
var DefaultAuthLDAP = AuthLDAP{
	MountPath: "ldap",
}

DefaultAuthLDAP provides default settings for AuthLDAP.

View Source 
var DefaultAuthUserPass = AuthUserPass{
	MountPath: "userpass",
}

DefaultAuthUserPass provides default settings for AuthUserPass.

Functions

This section is empty.

Types

type Arguments 

type Arguments struct {
	Server    string `river:"server,attr"`
	Namespace string `river:"namespace,attr,optional"`

	Path string `river:"path,attr"`

	RereadFrequency time.Duration `river:"reread_frequency,attr,optional"`

	ClientOptions ClientOptions `river:"client_options,block,optional"`

	Auth []AuthArguments `river:"auth,enum,optional"`
}

Arguments configures remote.vault.

func (*Arguments) SetToDefault added in v0.35.0 

func (a *Arguments) SetToDefault()

SetToDefault implements river.Defaulter.

func (*Arguments) Validate added in v0.35.0 

func (a *Arguments) Validate() error

Validate implements river.Validator.

type AuthAWS 

type AuthAWS struct {
	// Type specifies the mechanism used to authenticate with AWS. Should be
	// either ec2 or iam.
	Type              string `river:"type,attr"`
	Region            string `river:"region,attr,optional"`
	Role              string `river:"role,attr,optional"`
	IAMServerIDHeader string `river:"iam_server_id_header,attr,optional"`
	// EC2SignatureType specifies the signature to use against EC2. Only used
	// when Type is ec2. Valid options are identity and pkcs7 (default).
	EC2SignatureType string `river:"ec2_signature_type,attr,optional"`
	MountPath        string `river:"mount_path,attr,optional"`
}

AuthAWS authenticates against Vault with AWS.

func (*AuthAWS) SetToDefault added in v0.35.0 

func (a *AuthAWS) SetToDefault()

SetToDefault implements river.Defaulter.

func (*AuthAWS) Validate 

func (a *AuthAWS) Validate() error

Validate implements river.Validator.

type AuthAppRole 

type AuthAppRole struct {
	RoleID        string            `river:"role_id,attr"`
	Secret        rivertypes.Secret `river:"secret,attr"`
	WrappingToken bool              `river:"wrapping_token,attr,optional"`
	MountPath     string            `river:"mount_path,attr,optional"`
}

AuthAppRole authenticates against Vault with AppRole.

func (*AuthAppRole) SetToDefault added in v0.35.0 

func (a *AuthAppRole) SetToDefault()

SetToDefault implements river.Defaulter.

type AuthArguments 

type AuthArguments struct {
	AuthToken      *AuthToken      `river:"token,block,optional"`
	AuthAppRole    *AuthAppRole    `river:"approle,block,optional"`
	AuthAWS        *AuthAWS        `river:"aws,block,optional"`
	AuthAzure      *AuthAzure      `river:"azure,block,optional"`
	AuthGCP        *AuthGCP        `river:"gcp,block,optional"`
	AuthKubernetes *AuthKubernetes `river:"kubernetes,block,optional"`
	AuthLDAP       *AuthLDAP       `river:"ldap,block,optional"`
	AuthUserPass   *AuthUserPass   `river:"userpass,block,optional"`
	AuthCustom     *AuthCustom     `river:"custom,block,optional"`
}

AuthArguments defines a single authenticationstring type in a remote.vault component instance. These are embedded as an enum field so only one may be set per AuthArguments.

type AuthAzure 

type AuthAzure struct {
	Role        string `river:"role,attr"`
	ResourceURL string `river:"resource_url,attr,optional"`
	MountPath   string `river:"mount_path,attr,optional"`
}

AuthAzure authenticates against Vault with Azure.

func (*AuthAzure) SetToDefault added in v0.35.0 

func (a *AuthAzure) SetToDefault()

SetToDefault implements river.Defaulter.

type AuthCustom 

type AuthCustom struct {
	// Path to use for logging in (e.g., auth/kubernetes/login, etc.)
	Path string                       `river:"path,attr"`
	Data map[string]rivertypes.Secret `river:"data,attr"`
}

AuthCustom provides a custom authentication method.

func (*AuthCustom) Login 

func (a *AuthCustom) Login(ctx context.Context, client *vault.Client) (*vault.Secret, error)

Login implements vault.AuthMethod.

type AuthGCP 

type AuthGCP struct {
	Role string `river:"role,attr"`
	// Type specifies the mechanism used to authenticate with GCS. Should be
	// either gce or iam.
	Type              string `river:"type,attr"`
	IAMServiceAccount string `river:"iam_service_account,attr,optional"`
	MountPath         string `river:"mount_path,attr,optional"`
}

AuthGCP authenticates against Vault with GCP.

func (*AuthGCP) SetToDefault added in v0.35.0 

func (a *AuthGCP) SetToDefault()

SetToDefault implements river.Defaulter.

func (*AuthGCP) Validate 

func (a *AuthGCP) Validate() error

Validate implements river.Validator.

type AuthKubernetes 

type AuthKubernetes struct {
	Role                    string `river:"role,attr"`
	ServiceAccountTokenFile string `river:"service_account_file,attr,optional"`
	MountPath               string `river:"mount_path,attr,optional"`
}

AuthKubernetes authenticates against Vault with Kubernetes.

func (*AuthKubernetes) SetToDefault added in v0.35.0 

func (a *AuthKubernetes) SetToDefault()

SetToDefault implements river.Defaulter.

type AuthLDAP 

type AuthLDAP struct {
	Username  string            `river:"username,attr"`
	Password  rivertypes.Secret `river:"password,attr"`
	MountPath string            `river:"mount_path,attr,optional"`
}

AuthLDAP authenticates against Vault with LDAP.

func (*AuthLDAP) SetToDefault added in v0.35.0 

func (a *AuthLDAP) SetToDefault()

SetToDefault implements river.Defaulter.

type AuthToken 

type AuthToken struct {
	Token rivertypes.Secret `river:"token,attr"`
}

AuthToken authenticates against Vault with a token.

type AuthUserPass 

type AuthUserPass struct {
	Username  string            `river:"username,attr"`
	Password  rivertypes.Secret `river:"password,attr"`
	MountPath string            `river:"mount_path,attr,optional"`
}

AuthUserPass authenticates against Vault with a username and password.

func (*AuthUserPass) SetToDefault added in v0.35.0 

func (a *AuthUserPass) SetToDefault()

SetToDefault implements river.Defaulter.

type ClientOptions 

type ClientOptions struct {
	MinRetryWait time.Duration `river:"min_retry_wait,attr,optional"`
	MaxRetryWait time.Duration `river:"max_retry_wait,attr,optional"`
	MaxRetries   int           `river:"max_retries,attr,optional"`
	Timeout      time.Duration `river:"timeout,attr,optional"`
}

ClientOptions sets extra options on the Client.

type Component 

type Component struct {
	// contains filtered or unexported fields
}

Component implements the remote.vault component.

func New 

func New(opts component.Options, args Arguments) (*Component, error)

New creates a new remote.vault component. It will try to immediately read the secret from Vault and return an error if the secret can't be read or if authentication against the Vault server fails.

func (*Component) CurrentHealth 

func (c *Component) CurrentHealth() component.Health

CurrentHealth returns the current health of the remote.vault component. It will be healthy as long as the latest read or renewal was successful.

func (*Component) DebugInfo 

func (c *Component) DebugInfo() interface{}

DebugInfo returns debug information about the remote.vault component. It includes non-sensitive metadata about the current secret.

func (*Component) Run 

func (c *Component) Run(ctx context.Context) error

Run runs the remote.vault component, managing the lifetime of the retrieved secret and renewing/rereading it as necessary.

func (*Component) Update 

func (c *Component) Update(args component.Arguments) error

Update updates the remote.vault component. It will try to immediately read the secret from Vault and return an error if the secret can't be read.

type Exports 

type Exports struct {
	// Data holds key-value pairs returned from Vault after retrieving the key.
	// Any keys-value pairs returned from Vault which are not []byte or strings
	// cannot be represented as secrets and are therefore ignored.
	//
	// However, it seems that most secrets engines don't actually return
	// arbitrary data, so this limitation shouldn't cause any issues in practice.
	Data map[string]rivertypes.Secret `river:"data,attr"`
}

Exports is the values exported by remote.vault.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.