vault

package
v0.5.4

This package is not in the latest version of its module.
Published: May 16, 2023 License: MPL-2.0 Imports: 18 Imported by: 0

Documentation

Index

Constants

const (
	KVSecretScheme  = "vault+kv"
	PKISecretScheme = "vault+pki"
)

Variables

var (
	ErrInvalidSecret = errors.New("invalid vault secret")
)

Functions

This section is empty.

Types

type KVClient added in v0.5.0

type KVClient interface {
	Get(context.Context, string) (*api.KVSecret, error)
}

type KVSecret added in v0.5.0

type KVSecret struct {
	Path            string
	CertField       string
	PrivateKeyField string
}

func NewKVSecret added in v0.5.0

func NewKVSecret(path, certField, privateKeyField string) KVSecret

func ParseKVSecret added in v0.5.0

func ParseKVSecret(ref string) (KVSecret, error)

func (KVSecret) String added in v0.5.0

func (s KVSecret) String() string

type KVSecretClient added in v0.5.0

type KVSecretClient struct {
	// contains filtered or unexported fields
}

KVSecretClient acts as a certificate retriever using Vault's KV store.

This Vault-specific implementation corresponds to the K8s-specific implementation, k8s.K8sSecretClient.

func NewKVSecretClient added in v0.5.0

func NewKVSecretClient(logger hclog.Logger, kvPath string) (*KVSecretClient, error)

NewKVSecretClient relies on the standard VAULT_x environment variables being set, such as VAULT_TOKEN and VAULT_ADDR. In the future, we may need to construct the config externally to allow for custom flags, etc.

func (*KVSecretClient) FetchSecret added in v0.5.0

func (c *KVSecretClient) FetchSecret(ctx context.Context, name string) (*tls.Secret, time.Time, error)

FetchSecret accepts an opaque string containing necessary values for retrieving a certificate and private key from Vault KV. It retrieves the certificate and private key, stores them in memory, and returns a tls.Secret acceptable for Envoy SDS.

type LogicalClient

type LogicalClient interface {
	WriteWithContext(context.Context, string, map[string]interface{}) (*api.Secret, error)
}

type PKISecret added in v0.5.0

type PKISecret struct {
	AltNames   string
	CommonName string
	IPSANs     string
	OtherSANs  string
	TTL        string
}

PKISecret is a wrapper to a certificate secret to be generated by Vault.

This Vault-specific implementation corresponds to the K8s-specific implementation, utils.K8sSecret.

func NewPKISecret added in v0.5.0

func NewPKISecret(commonName, altNames, ipSANs, otherSANs, ttl string) PKISecret

NewPKISecret creates a descriptor for a certificate to be generated via Vault's PKI API. The arguments correspond to the inputs of the cert + key generation endpoint: https://www.vaultproject.io/api-docs/secret/pki#generate-certificate-and-key

func ParsePKISecret added in v0.5.0

func ParsePKISecret(ref string) (PKISecret, error)

ParsePKISecret accepts an opaque string reference and returns a PKISecret. The expected format is vault://<common_name>?ttl=<ttl>&ipSans=<sans>... where "common_name", "ttl", etc. correspond to values accepted by Vault's PKI API. Plural parameters are generally comma-delimited lists, as described in the docs.

https://www.vaultproject.io/api-docs/secret/pki

Some components such as the issuer and issue are configured globally today. In the future, we could include those as additional query parameters.

func (PKISecret) String added in v0.5.0

func (s PKISecret) String() string

String serializes a PKISecret into an opaque string that can later be parsed and restored to an equivalent PKISecret.
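As an added illustration (not this package's code) of the reference format ParsePKISecret and String describe: a parser for vault://<common_name>?ttl=<ttl>&ipSans=<sans> that rejects references of the wrong scheme or without a common name, and a serializer that round-trips. Taking the host component as the common name and the query keys altNames and otherSans are assumptions; the page names only ttl and ipSans, and the real implementation may differ.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// ErrInvalidSecret and PKISecret mirror the page's exported identifiers.
var ErrInvalidSecret = errors.New("invalid vault secret")
type PKISecret struct {
	AltNames, CommonName, IPSANs, OtherSANs, TTL string
}
// ParsePKISecret parses "vault://<common_name>?ttl=<ttl>&ipSans=<sans>...".
// Keys altNames and otherSans are assumed; the page names only ttl and ipSans.
func ParsePKISecret(ref string) (PKISecret, error) {
	u, err := url.Parse(ref)
	if err != nil {
		return PKISecret{}, fmt.Errorf("%w: %v", ErrInvalidSecret, err)
	}
	// Only a vault:// reference with a common name may become a PKI request.
	if u.Scheme != "vault" || u.Host == "" {
		return PKISecret{}, fmt.Errorf("%w: %q", ErrInvalidSecret, ref)
	}
	q := u.Query()
	return PKISecret{
		CommonName: u.Host,
		TTL:        q.Get("ttl"),
		IPSANs:     q.Get("ipSans"),
		AltNames:   q.Get("altNames"),
		OtherSANs:  q.Get("otherSans"),
	}, nil
}
// String serializes s so that ParsePKISecret(s.String()) == s; empty fields
// are omitted and url.Values.Encode sorts keys, so the output is stable.
func (s PKISecret) String() string {
	q := url.Values{}
	for k, v := range map[string]string{"ttl": s.TTL, "ipSans": s.IPSANs,
		"altNames": s.AltNames, "otherSans": s.OtherSANs} {
		if v != "" {
			q.Set(k, v)
		}
	}
	return (&url.URL{Scheme: "vault", Host: s.CommonName, RawQuery: q.Encode()}).String()
}

func main() {
	s, err := ParsePKISecret("vault://web.default.svc?ttl=24h&ipSans=10.0.0.1,10.0.0.2")
	fmt.Println(s, err, s.String())
}
```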

type PKISecretClient added in v0.5.0

type PKISecretClient struct {
	// contains filtered or unexported fields
}

PKISecretClient acts as a certificate generator using Vault's PKI engine.

This Vault-specific implementation corresponds to the K8s-specific implementation, k8s.K8sSecretClient.

func NewPKISecretClient added in v0.5.0

func NewPKISecretClient(logger hclog.Logger, pkiPath, issue string) (*PKISecretClient, error)

NewPKISecretClient relies on the standard VAULT_x environment variables being set, such as VAULT_TOKEN and VAULT_ADDR. In the future, we may need to construct the config externally to allow for custom flags, etc.

func (*PKISecretClient) FetchSecret added in v0.5.0

func (c *PKISecretClient) FetchSecret(ctx context.Context, name string) (*tls.Secret, time.Time, error)

FetchSecret accepts an opaque string containing necessary values for generating a certificate and private key with Vault's PKI engine. It generates the certificate and private key, stores them in memory, and returns a tls.Secret acceptable for Envoy SDS.

Directories

Path Synopsis
Package mocks is a generated GoMock package.
