package vault

v0.4.0
Published: Aug 16, 2022 License: MPL-2.0 Imports: 15 Imported by: 0


Constants

const (
	SecretScheme = "vault"
)

Variables

var (
	ErrInvalidSecret = errors.New("invalid vault secret")
)

Functions

This section is empty.

Types

type LogicalClient

type LogicalClient interface {
	WriteWithContext(context.Context, string, map[string]interface{}) (*api.Secret, error)
}

type Secret

type Secret struct {
	AltNames   string
	CommonName string
	IPSANs     string
	OtherSANs  string
	TTL        string
}

Secret is a wrapper around a certificate secret stored in Vault.

This Vault-specific implementation corresponds with the K8s-specific implementation, utils.K8sSecret.

func NewSecret

func NewSecret(commonName, altNames, ipSANs, otherSANs, ttl string) Secret

NewSecret creates a descriptor for a certificate to be generated via Vault's PKI API. The arguments correspond with the inputs to the certificate and key generation endpoint: https://www.vaultproject.io/api-docs/secret/pki#generate-certificate-and-key

func ParseSecret

func ParseSecret(ref string) (Secret, error)

ParseSecret accepts an opaque string reference and returns a Secret. The expected format is vault://<common_name>?ttl=<ttl>&ipSans=<sans>... where "common_name", "ttl", etc. correspond with values accepted by Vault's PKI API. Plural parameters are generally comma-delimited lists, as described in the docs.

https://www.vaultproject.io/api-docs/secret/pki

Some components such as the issuer and issue are configured globally today. In the future, we could include those as additional query parameters.

func (Secret) String

func (s Secret) String() string

String serializes a Secret into an opaque string that can later be parsed and restored to an equivalent Secret.

type SecretClient

type SecretClient struct {
	// contains filtered or unexported fields
}

SecretClient acts as a secret fetcher for Vault.

This Vault-specific implementation corresponds with the K8s-specific implementation, k8s.K8sSecretClient.

func NewSecretClient

func NewSecretClient(logger hclog.Logger, pkiPath, issue string) (*SecretClient, error)

NewSecretClient relies on the standard VAULT_* environment variables being set, such as VAULT_TOKEN, VAULT_ADDR, etc. In the future, we may need to construct the config externally to allow for custom flags, etc.

func (*SecretClient) FetchSecret

func (c *SecretClient) FetchSecret(ctx context.Context, name string) (*tls.Secret, time.Time, error)

FetchSecret accepts an opaque string containing necessary values for retrieving a certificate and private key from Vault. It retrieves the certificate and private key, stores them in memory, and returns a tls.Secret acceptable for Envoy SDS.

Directories

Package mocks is a generated GoMock package.
