Documentation
¶
Index ¶
- Constants
- func EscapeJSONPointer(s string) string
- func Init(pod *corev1.Pod, image, address, namespace string) error
- func ShouldInject(pod *corev1.Pod) (bool, error)
- type Agent
- func (a *Agent) ContainerConfigMapVolume() corev1.Volume
- func (a *Agent) ContainerEnvVars(init bool) ([]corev1.EnvVar, error)
- func (a *Agent) ContainerInitSidecar() (corev1.Container, error)
- func (a *Agent) ContainerSidecar() (corev1.Container, error)
- func (a *Agent) ContainerTLSSecretVolume() corev1.Volume
- func (a *Agent) ContainerVolume() corev1.Volume
- func (a *Agent) ContainerVolumeMount() corev1.VolumeMount
- func (a *Agent) Patch() ([]byte, error)
- func (a *Agent) Validate() error
- type AutoAuth
- type Config
- type Method
- type Secret
- type Sink
- type Template
- type Vault
- type VaultConfig
Constants ¶
View Source
const ( // AnnotationAgentStatus is the key of the annotation that is added to // a pod after an injection is done. // There's only one valid status we care about: "injected". AnnotationAgentStatus = "vault.hashicorp.com/agent-inject-status" // AnnotationAgentInject is the key of the annotation that controls whether // injection is explicitly enabled or disabled for a pod. This should // be set to a true or false value, as parseable by strconv.ParseBool AnnotationAgentInject = "vault.hashicorp.com/agent-inject" // AnnotationAgentInjectSecret is the key annotation that configures Vault // Agent to retrieve the secrets from Vault required by the app. The name // of the secret is any unique string after "vault.hashicorp.com/agent-inject-secret-", // such as "vault.hashicorp.com/agent-inject-secret-foobar". The value is the // path in Vault where the secret is located. AnnotationAgentInjectSecret = "vault.hashicorp.com/agent-inject-secret" // AnnotationAgentInjectTemplate is the key annotation that configures Vault // Agent what template to use for rendering the secrets. The name // of the template is any unique string after "vault.hashicorp.com/agent-inject-template-", // such as "vault.hashicorp.com/agent-inject-template-foobar". This should map // to the same unique value provided in ""vault.hashicorp.com/agent-inject-secret-". // If not provided, a default generic template is used. AnnotationAgentInjectTemplate = "vault.hashicorp.com/agent-inject-template" // AnnotationAgentImage is the name of the Vault docker image to use. AnnotationAgentImage = "vault.hashicorp.com/agent-image" // AnnotationAgentRequestNamespace is the Kubernetes namespace where the request // originated from. AnnotationAgentRequestNamespace = "vault.hashicorp.com/agent-request-namespace" // AnnotationAgentPrePopulate controls whether an init container is included // to pre-populate the shared memory volume with secrets prior to the application // starting. AnnotationAgentPrePopulate = "vault.hashicorp.com/agent-pre-populate" // AnnotationAgentPrePopulateOnly controls whether an init container is the only // injected container. If true, no sidecar container will be injected at runtime // of the application. AnnotationAgentPrePopulateOnly = "vault.hashicorp.com/agent-pre-populate-only" // AnnotationAgentConfigMap is the name of the configuration map where Vault Agent // configuration file and templates can be found. AnnotationAgentConfigMap = "vault.hashicorp.com/agent-configmap" // AnnotationAgentLimitsCPU sets the CPU limit on the Vault Agent containers. AnnotationAgentLimitsCPU = "vault.hashicorp.com/agent-limits-cpu" // AnnotationAgentLimitsMem sets the memory limit on the Vault Agent containers. AnnotationAgentLimitsMem = "vault.hashicorp.com/agent-limits-mem" // AnnotationAgentRequestsCPU sets the requested CPU amount on the Vault Agent containers. AnnotationAgentRequestsCPU = "vault.hashicorp.com/agent-requests-cpu" // AnnotationAgentRequestsMem sets the requested memory amount on the Vault Agent containers. AnnotationAgentRequestsMem = "vault.hashicorp.com/agent-requests-mem" // AnnotationVaultService is the name of the Vault server. This can be overridden by the // user but will be set by a flag on the deployment. AnnotationVaultService = "vault.hashicorp.com/service" // AnnotationVaultTLSSkipVerify allows users to configure verifying TLS // when communicating with Vault. AnnotationVaultTLSSkipVerify = "vault.hashicorp.com/tls-skip-verify" // AnnotationVaultTLSSecret is the name of the Kubernetes secret containing // client TLS certificates and keys. AnnotationVaultTLSSecret = "vault.hashicorp.com/tls-secret" // AnnotationVaultTLSServerName is the name of the Vault server to verify the // authenticity of the server when communicating with Vault over TLS. AnnotationVaultTLSServerName = "vault.hashicorp.com/tls-server-name" // AnnotationVaultCACert is the path of the CA certificate used to verify Vault's // CA certificate. AnnotationVaultCACert = "vault.hashicorp.com/ca-cert" // AnnotationVaultCAKey is the path of the CA key used to verify Vault's CA. AnnotationVaultCAKey = "vault.hashicorp.com/ca-key" // AnnotationVaultClientCert is the path of the client certificate used to communicate // with Vault over TLS. AnnotationVaultClientCert = "vault.hashicorp.com/client-cert" // AnnotationVaultClientKey is the path of the client key used to communicate // with Vault over TLS. AnnotationVaultClientKey = "vault.hashicorp.com/client-key" // AnnotationVaultClientMaxRetries is the number of retry attempts when 5xx errors are encountered. AnnotationVaultClientMaxRetries = "vault.hashicorp.com/client-max-retries" // AnnotationVaultClientTimeout sets the request timeout when communicating with Vault. AnnotationVaultClientTimeout = "vault.hashicorp.com/client-timeout" // AnnotationVaultRole specifies the role to be used for the Kubernetes auto-auth // method. AnnotationVaultRole = "vault.hashicorp.com/role" )
View Source
const ( DefaultTemplate = "{{ with secret \"%s\" }}{{ range $k, $v := .Data }}{{ $k }}: {{ $v }}\n{{ end }}{{ end }}" PidFile = "/home/vault/.pid" TokenFile = "/home/vault/.token" )
View Source
const ( // https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-cpu DefaultResourceLimitCPU = "500m" DefaultResourceLimitMem = "128Mi" DefaultResourceRequestCPU = "250m" DefaultResourceRequestMem = "64Mi" DefaultContainerArg = "echo ${VAULT_CONFIG?} | base64 -d > /tmp/config.json && vault agent -config=/tmp/config.json" )
View Source
const (
DefaultVaultImage = "vault:1.3.1"
)
Variables ¶
This section is empty.
Functions ¶
func EscapeJSONPointer ¶
EscapeJSONPointer escapes a JSON string to be compliant with the JavaScript Object Notation (JSON) Pointer syntax RFC: https://tools.ietf.org/html/rfc6901.
Types ¶
type Agent ¶
type Agent struct {
// Annotations are the current pod annotations used to
// configure the Vault Agent container.
Annotations map[string]string
// ImageName is the name of the Vault image to use for the
// sidecar container.
ImageName string
// Inject is the flag used to determine if a container should be requested
// in a pod request.
Inject bool
// LimitsCPU is the upper CPU limit the sidecar container is allowed to consume.
LimitsCPU string
// LimitsMem is the upper memory limit the sidecar container is allowed to consume.
LimitsMem string
// Namespace is the Kubernetes namespace the request originated from.
Namespace string
// Patches are all the mutations we will make to the pod request.
Patches []*jsonpatch.JsonPatchOperation
// Pod is the original Kubernetes pod spec.
Pod *corev1.Pod
// PrePopulate controls whether an init container is added to the request.
PrePopulate bool
// PrePopulateOnly controls whether an init container is the _only_ container
//added to the request.
PrePopulateOnly bool
// RequestsCPU is the requested minimum CPU amount required when being scheduled to deploy.
RequestsCPU string
// RequestsMem is the requested minimum memory amount required when being scheduled to deploy.
RequestsMem string
// Secrets are all the templates, the path in Vault where the secret can be
//found, and the unique name of the secret which will be used for the filename.
Secrets []*Secret
// ServiceAccountName is the Kubernetes service account name for the pod.
// This is used when we mount the service account to the Vault Agent container(s).
ServiceAccountName string
// ServiceAccountPath is the path on disk where the service account JWT
// can be located. This is used when we mount the service account to the
// Vault Agent container(s).
ServiceAccountPath string
// Status is the current injection status. The only status considered is "injected",
// which prevents further mutations. A user can patch this annotation to force a new
// mutation.
Status string
// ConfigMapName is the name of the configmap a user wants to mount to Vault Agent
// container(s).
ConfigMapName string
// Vault is the structure holding all the Vault specific configurations.
Vault Vault
}
Agent is the top level structure holding all the configurations for the Vault Agent container.
func (*Agent) ContainerConfigMapVolume ¶
ContainerConfigMapVolume returns a volume to mount a config map if the user supplied any.
func (*Agent) ContainerEnvVars ¶
ContainerEnvVars adds the applicable environment vars for the Vault Agent sidecar.
func (*Agent) ContainerInitSidecar ¶
ContainerInitSidecar creates a new init container to be added to the pod being mutated. After Vault 1.4 is released, this can be removed because an exit_after_auth environment variable is available for the agent. This means we won't need to generate two config files.
func (*Agent) ContainerSidecar ¶
ContainerSidecar creates a new container to be added to the pod being mutated.
func (*Agent) ContainerTLSSecretVolume ¶
ContainerTLSSecretVolume returns a volume to mount TLS secrets if the user supplied any.
func (*Agent) ContainerVolume ¶
ContainerVolume returns the volume data to add to the pod. This volume is used for shared data between containers.
func (*Agent) ContainerVolumeMount ¶
func (a *Agent) ContainerVolumeMount() corev1.VolumeMount
ContainerVolumeMount mounts the shared memory volume where secrets will be rendered.
type AutoAuth ¶
type AutoAuth struct {
Method *Method `json:"method,omitempty"`
Sinks []*Sink `json:"sink,omitempty"`
}
AutoAuth is the configured authentication method and sinks
type Config ¶
type Config struct {
AutoAuth *AutoAuth `json:"auto_auth"`
ExitAfterAuth bool `json:"exit_after_auth"`
PidFile string `json:"pid_file"`
Vault *VaultConfig `json:"vault"`
Templates []*Template `json:"template"`
}
Config is the top level struct that composes a Vault Agent configuration file.
type Method ¶
type Method struct {
Type string `json:"type"`
MountPath string `json:"mount_path,omitempty"`
WrapTTLRaw interface{} `json:"wrap_ttl,omitempty"`
WrapTTL time.Duration `json:"-"`
Namespace string `json:"namespace,omitempty"`
Config map[string]interface{} `json:"config,omitempty"`
}
Method represents the configuration for the authentication backend
type Sink ¶
type Sink struct {
Type string `json:"type"`
WrapTTLRaw interface{} `json:"wrap_ttl,omitempty"`
WrapTTL time.Duration `json:"-"`
DHType string `json:"dh_type,omitempty"`
DHPath string `json:"dh_path,omitempty"`
AAD string `json:"aad,omitempty"`
AADEnvVar string `json:"aad_env_var,omitempty"`
Config map[string]interface{} `json:"config,omitempty"`
}
Sink defines a location to write the authenticated token
type Template ¶
type Template struct {
CreateDestDirs bool `json:"create_dest_dirs,omitempty"`
Destination string `json:"destination"`
Contents string `json:"contents"`
LeftDelim string `json:"left_delimiter,omitempty"`
RightDelim string `json:"right_delimiter,omitempty"`
}
Template defines the Consul Template parameters
type Vault ¶
type Vault struct {
// Address is the Vault service address.
Address string
// CACert is the name of the Certificate Authority certificate
// to use when validating Vault's server certificates.
CACert string
// CAKey is the name of the Certificate Authority key
// to use when validating Vault's server certificates.
CAKey string
// ClientCert is the name of the client certificate to use when communicating
// with Vault over TLS.
ClientCert string
// ClientKey is the name of the client key to use when communicating
// with Vault over TLS.
ClientKey string
// ClientMaxRetries configures the number of retries the client should make
// when 5-- errors are received from the Vault server. Default is 2.
ClientMaxRetries string
// ClientTimeout is the max number in seconds the client should attempt to
// make a request to the Vault server.
ClientTimeout string
// Role is the name of the Vault role to use for authentication.
Role string
// TLSSecret is the name of the secret to be mounted to the Vault Agent container
// containing the TLS certificates required to communicate with Vault.
TLSSecret string
// TLSSkipVerify toggles verification of Vault's certificates.
TLSSkipVerify bool
// TLSServerName is the name of the Vault server to use when validating Vault's
// TLS certificates.
TLSServerName string
}
type VaultConfig ¶
type VaultConfig struct {
Address string `json:"address"`
CACert string `json:"ca_cert,omitempty"`
CAPath string `json:"ca_path,omitempty"`
TLSSkipVerify bool `json:"tls_skip_verify,omitempty"`
ClientCert string `json:"client_cert,omitempty"`
ClientKey string `json:"client_key,omitempty"`
TLSServerName string `json:"tls_server_name,omitempty"`
}
Vault contains configuration for connecting to Vault servers
Source Files
Click to show internal directories.
Click to hide internal directories.