Documentation ¶
Index ¶
- Constants
- func EscapeJSONPointer(s string) string
- func Init(pod *corev1.Pod, cfg AgentConfig) error
- func ShouldInject(pod *corev1.Pod) (bool, error)
- type Agent
- func (a *Agent) ContainerConfigMapVolume() corev1.Volume
- func (a *Agent) ContainerEnvVars(init bool) ([]corev1.EnvVar, error)
- func (a *Agent) ContainerInitSidecar() (corev1.Container, error)
- func (a *Agent) ContainerSidecar() (corev1.Container, error)
- func (a *Agent) ContainerTLSSecretVolume() corev1.Volume
- func (a *Agent) ContainerTokenVolume() corev1.Volume
- func (a *Agent) ContainerVolumeMounts() []corev1.VolumeMount
- func (a *Agent) ContainerVolumes() []corev1.Volume
- func (a *Agent) Patch() ([]byte, error)
- func (a *Agent) Validate() error
- type AgentConfig
- type AutoAuth
- type Config
- type Method
- type Secret
- type Sink
- type Template
- type Vault
- type VaultConfig
Constants ¶
const ( DefaultVaultImage = "vault:1.4.2" DefaultVaultAuthPath = "auth/kubernetes" DefaultAgentRunAsUser = 100 DefaultAgentRunAsGroup = 1000 DefaultAgentRunAsSameUser = false DefaultAgentSetSecurityContext = true )
const ( // AnnotationAgentStatus is the key of the annotation that is added to // a pod after an injection is done. // There's only one valid status we care about: "injected". AnnotationAgentStatus = "vault.hashicorp.com/agent-inject-status" // AnnotationAgentInject is the key of the annotation that controls whether // injection is explicitly enabled or disabled for a pod. This should // be set to a true or false value, as parseable by strconv.ParseBool AnnotationAgentInject = "vault.hashicorp.com/agent-inject" // AnnotationAgentInjectSecret is the key annotation that configures Vault // Agent to retrieve the secrets from Vault required by the app. The name // of the secret is any unique string after "vault.hashicorp.com/agent-inject-secret-", // such as "vault.hashicorp.com/agent-inject-secret-foobar". The value is the // path in Vault where the secret is located. AnnotationAgentInjectSecret = "vault.hashicorp.com/agent-inject-secret" // AnnotationAgentInjectTemplate is the key annotation that configures Vault // Agent what template to use for rendering the secrets. The name // of the template is any unique string after "vault.hashicorp.com/agent-inject-template-", // such as "vault.hashicorp.com/agent-inject-template-foobar". This should map // to the same unique value provided in ""vault.hashicorp.com/agent-inject-secret-". // If not provided, a default generic template is used. AnnotationAgentInjectTemplate = "vault.hashicorp.com/agent-inject-template" // AnnotationAgentInjectToken is the annotation key for injecting the token // from auth/token/lookup-self AnnotationAgentInjectToken = "vault.hashicorp.com/agent-inject-token" // AnnotationAgentInjectCommand is the key annotation that configures Vault Agent // to run a command after the secret is rendered. The name of the template is any // unique string after "vault.hashicorp.com/agent-inject-command-". This should map // to the same unique value provided in ""vault.hashicorp.com/agent-inject-secret-". // If not provided (the default), no command is executed. AnnotationAgentInjectCommand = "vault.hashicorp.com/agent-inject-command" // AnnotationAgentImage is the name of the Vault docker image to use. AnnotationAgentImage = "vault.hashicorp.com/agent-image" // AnnotationAgentRequestNamespace is the Kubernetes namespace where the request // originated from. AnnotationAgentRequestNamespace = "vault.hashicorp.com/agent-request-namespace" // AnnotationAgentInitFirst makes the initialization container the first container // to run when a pod starts. Default is last. AnnotationAgentInitFirst = "vault.hashicorp.com/agent-init-first" // AnnotationAgentPrePopulate controls whether an init container is included // to pre-populate the shared memory volume with secrets prior to the application // starting. AnnotationAgentPrePopulate = "vault.hashicorp.com/agent-pre-populate" // AnnotationAgentPrePopulateOnly controls whether an init container is the only // injected container. If true, no sidecar container will be injected at runtime // of the application. AnnotationAgentPrePopulateOnly = "vault.hashicorp.com/agent-pre-populate-only" // AnnotationAgentConfigMap is the name of the configuration map where Vault Agent // configuration file and templates can be found. AnnotationAgentConfigMap = "vault.hashicorp.com/agent-configmap" // AnnotationAgentLimitsCPU sets the CPU limit on the Vault Agent containers. AnnotationAgentLimitsCPU = "vault.hashicorp.com/agent-limits-cpu" // AnnotationAgentLimitsMem sets the memory limit on the Vault Agent containers. AnnotationAgentLimitsMem = "vault.hashicorp.com/agent-limits-mem" // AnnotationAgentRequestsCPU sets the requested CPU amount on the Vault Agent containers. AnnotationAgentRequestsCPU = "vault.hashicorp.com/agent-requests-cpu" // AnnotationAgentRequestsMem sets the requested memory amount on the Vault Agent containers. AnnotationAgentRequestsMem = "vault.hashicorp.com/agent-requests-mem" // AnnotationAgentRevokeOnShutdown controls whether a sidecar container will revoke its // own Vault token before shutting down. If you are using a custom agent template, you must // make sure it's written to `/home/vault/.vault-token`. Only supported for sidecar containers. AnnotationAgentRevokeOnShutdown = "vault.hashicorp.com/agent-revoke-on-shutdown" // AnnotationAgentRevokeGrace sets the number of seconds after receiving the signal for pod // termination that the container will attempt to revoke its own Vault token. Defaults to 5s. AnnotationAgentRevokeGrace = "vault.hashicorp.com/agent-revoke-grace" // AnnotationVaultNamespace is the Vault namespace where secrets can be found. AnnotationVaultNamespace = "vault.hashicorp.com/namespace" // AnnotationAgentRunAsUser sets the User ID to run the Vault Agent containers as. AnnotationAgentRunAsUser = "vault.hashicorp.com/agent-run-as-user" // AnnotationAgentRunAsGroup sets the Group ID to run the Vault Agent containers as. AnnotationAgentRunAsGroup = "vault.hashicorp.com/agent-run-as-group" // AnnotationAgentRunAsSameUser sets the User ID of the injected Vault Agent // containers to the User ID of the first application container in the Pod. // Requires Spec.Containers[0].SecurityContext.RunAsUser to be set in the // Pod Spec. AnnotationAgentRunAsSameUser = "vault.hashicorp.com/agent-run-as-same-user" // AnnotationAgentSetSecurityContext controls whether a SecurityContext (uid // and gid) is set on the injected Vault Agent containers AnnotationAgentSetSecurityContext = "vault.hashicorp.com/agent-set-security-context" // AnnotationVaultService is the name of the Vault server. This can be overridden by the // user but will be set by a flag on the deployment. AnnotationVaultService = "vault.hashicorp.com/service" // AnnotationVaultTLSSkipVerify allows users to configure verifying TLS // when communicating with Vault. AnnotationVaultTLSSkipVerify = "vault.hashicorp.com/tls-skip-verify" // AnnotationVaultTLSSecret is the name of the Kubernetes secret containing // client TLS certificates and keys. AnnotationVaultTLSSecret = "vault.hashicorp.com/tls-secret" // AnnotationVaultTLSServerName is the name of the Vault server to verify the // authenticity of the server when communicating with Vault over TLS. AnnotationVaultTLSServerName = "vault.hashicorp.com/tls-server-name" // AnnotationVaultCACert is the path of the CA certificate used to verify Vault's // CA certificate. AnnotationVaultCACert = "vault.hashicorp.com/ca-cert" // AnnotationVaultCAKey is the path of the CA key used to verify Vault's CA. AnnotationVaultCAKey = "vault.hashicorp.com/ca-key" // AnnotationVaultClientCert is the path of the client certificate used to communicate // with Vault over TLS. AnnotationVaultClientCert = "vault.hashicorp.com/client-cert" // AnnotationVaultClientKey is the path of the client key used to communicate // with Vault over TLS. AnnotationVaultClientKey = "vault.hashicorp.com/client-key" // AnnotationVaultClientMaxRetries is the number of retry attempts when 5xx errors are encountered. AnnotationVaultClientMaxRetries = "vault.hashicorp.com/client-max-retries" // AnnotationVaultClientTimeout sets the request timeout when communicating with Vault. AnnotationVaultClientTimeout = "vault.hashicorp.com/client-timeout" // AnnotationVaultLogLevel sets the Vault Agent log level. AnnotationVaultLogLevel = "vault.hashicorp.com/log-level" // AnnotationVaultRole specifies the role to be used for the Kubernetes auto-auth // method. AnnotationVaultRole = "vault.hashicorp.com/role" // AnnotationVaultAuthPath specifies the mount path to be used for the Kubernetes auto-auth // method. AnnotationVaultAuthPath = "vault.hashicorp.com/auth-path" // AnnotationVaultSecretVolumePath specifies where the secrets are to be // Mounted after fetching. AnnotationVaultSecretVolumePath = "vault.hashicorp.com/secret-volume-path" // AnnotationPreserveSecretCase if enabled will preserve the case of secret name // by default the name is converted to lower case. AnnotationPreserveSecretCase = "vault.hashicorp.com/preserve-secret-case" )
const ( DefaultTemplate = "{{ with secret \"%s\" }}{{ range $k, $v := .Data }}{{ $k }}: {{ $v }}\n{{ end }}{{ end }}" TokenTemplate = "{{ with secret \"auth/token/lookup-self\" }}{{ .Data.id }}\n{{ end }}" TokenSecret = "auth/token/lookup-self" PidFile = "/home/vault/.pid" TokenFile = "/home/vault/.vault-token" )
const ( // https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-cpu DefaultResourceLimitCPU = "500m" DefaultResourceLimitMem = "128Mi" DefaultResourceRequestCPU = "250m" DefaultResourceRequestMem = "64Mi" DefaultContainerArg = "echo ${VAULT_CONFIG?} | base64 -d > /tmp/config.json && vault agent -config=/tmp/config.json" DefaultRevokeGrace = 5 DefaultAgentLogLevel = "info" )
Variables ¶
This section is empty.
Functions ¶
func EscapeJSONPointer ¶
EscapeJSONPointer escapes a JSON string to be compliant with the JavaScript Object Notation (JSON) Pointer syntax RFC: https://tools.ietf.org/html/rfc6901.
Types ¶
type Agent ¶
type Agent struct { // Annotations are the current pod annotations used to // configure the Vault Agent container. Annotations map[string]string // ImageName is the name of the Vault image to use for the // sidecar container. ImageName string // Inject is the flag used to determine if a container should be requested // in a pod request. Inject bool // InitFirst controls whether an init container is first to run. InitFirst bool // LimitsCPU is the upper CPU limit the sidecar container is allowed to consume. LimitsCPU string // LimitsMem is the upper memory limit the sidecar container is allowed to consume. LimitsMem string // Namespace is the Kubernetes namespace the request originated from. Namespace string // Patches are all the mutations we will make to the pod request. Patches []*jsonpatch.JsonPatchOperation // Pod is the original Kubernetes pod spec. Pod *corev1.Pod // PrePopulate controls whether an init container is added to the request. PrePopulate bool // PrePopulateOnly controls whether an init container is the _only_ container // added to the request. PrePopulateOnly bool // RevokeOnShutdown controls whether a sidecar container will attempt to revoke its Vault // token on shutting down. RevokeOnShutdown bool // RevokeGrace controls after receiving the signal for pod // termination that the container will attempt to revoke its own Vault token. RevokeGrace uint64 // RequestsCPU is the requested minimum CPU amount required when being scheduled to deploy. RequestsCPU string // RequestsMem is the requested minimum memory amount required when being scheduled to deploy. RequestsMem string // Secrets are all the templates, the path in Vault where the secret can be //found, and the unique name of the secret which will be used for the filename. Secrets []*Secret // ServiceAccountName is the Kubernetes service account name for the pod. // This is used when we mount the service account to the Vault Agent container(s). ServiceAccountName string // ServiceAccountPath is the path on disk where the service account JWT // can be located. This is used when we mount the service account to the // Vault Agent container(s). ServiceAccountPath string // Status is the current injection status. The only status considered is "injected", // which prevents further mutations. A user can patch this annotation to force a new // mutation. Status string // ConfigMapName is the name of the configmap a user wants to mount to Vault Agent // container(s). ConfigMapName string // Vault is the structure holding all the Vault specific configurations. Vault Vault // RunAsUser is the user ID to run the Vault agent container(s) as. RunAsUser int64 // RunAsGroup is the group ID to run the Vault agent container(s) as. RunAsGroup int64 // RunAsSameID sets the user ID of the Vault agent container(s) to be the // same as the first application container RunAsSameID bool // SetSecurityContext controls whether the injected containers have a // SecurityContext set. SetSecurityContext bool }
Agent is the top level structure holding all the configurations for the Vault Agent container.
func (*Agent) ContainerConfigMapVolume ¶
ContainerConfigMapVolume returns a volume to mount a config map if the user supplied any.
func (*Agent) ContainerEnvVars ¶
ContainerEnvVars adds the applicable environment vars for the Vault Agent sidecar.
func (*Agent) ContainerInitSidecar ¶
ContainerInitSidecar creates a new init container to be added to the pod being mutated. After Vault 1.4 is released, this can be removed because an exit_after_auth environment variable is available for the agent. This means we won't need to generate two config files.
func (*Agent) ContainerSidecar ¶
ContainerSidecar creates a new container to be added to the pod being mutated.
func (*Agent) ContainerTLSSecretVolume ¶
ContainerTLSSecretVolume returns a volume to mount TLS secrets if the user supplied any.
func (*Agent) ContainerTokenVolume ¶ added in v0.4.0
ContainerTokenVolume returns a volume to mount the home directory where the token sink will write to.
func (*Agent) ContainerVolumeMounts ¶ added in v0.3.0
func (a *Agent) ContainerVolumeMounts() []corev1.VolumeMount
ContainerVolumeMounts mounts the shared memory volume where secrets will be rendered.
func (*Agent) ContainerVolumes ¶ added in v0.3.0
ContainerVolume returns the volume data to add to the pod. This volumes are used for shared data between containers.
type AgentConfig ¶ added in v0.4.0
type AutoAuth ¶
type AutoAuth struct { Method *Method `json:"method,omitempty"` Sinks []*Sink `json:"sink,omitempty"` }
AutoAuth is the configured authentication method and sinks
type Config ¶
type Config struct { AutoAuth *AutoAuth `json:"auto_auth"` ExitAfterAuth bool `json:"exit_after_auth"` PidFile string `json:"pid_file"` Vault *VaultConfig `json:"vault"` Templates []*Template `json:"template"` }
Config is the top level struct that composes a Vault Agent configuration file.
type Method ¶
type Method struct { Type string `json:"type"` MountPath string `json:"mount_path,omitempty"` WrapTTLRaw interface{} `json:"wrap_ttl,omitempty"` WrapTTL time.Duration `json:"-"` Namespace string `json:"namespace,omitempty"` Config map[string]interface{} `json:"config,omitempty"` }
Method represents the configuration for the authentication backend
type Secret ¶
type Secret struct { // Name of the secret used as the filename for the rendered secret file. Name string // Path in Vault where the secret desired can be found. Path string // Template is the optional custom template to use when rendering the secret. Template string // Mount Path MountPath string // Command is the optional command to run after rendering the secret. Command string }
type Sink ¶
type Sink struct { Type string `json:"type"` WrapTTLRaw interface{} `json:"wrap_ttl,omitempty"` WrapTTL time.Duration `json:"-"` DHType string `json:"dh_type,omitempty"` DHPath string `json:"dh_path,omitempty"` AAD string `json:"aad,omitempty"` AADEnvVar string `json:"aad_env_var,omitempty"` Config map[string]interface{} `json:"config,omitempty"` }
Sink defines a location to write the authenticated token
type Template ¶
type Template struct { CreateDestDirs bool `json:"create_dest_dirs,omitempty"` Destination string `json:"destination"` Contents string `json:"contents"` LeftDelim string `json:"left_delimiter,omitempty"` RightDelim string `json:"right_delimiter,omitempty"` Command string `json:"command,omitempty"` }
Template defines the Consul Template parameters
type Vault ¶
type Vault struct { // Address is the Vault service address. Address string // AuthPath is the Mount Path of Vault Kubernetes Auth Method. AuthPath string // CACert is the name of the Certificate Authority certificate // to use when validating Vault's server certificates. CACert string // CAKey is the name of the Certificate Authority key // to use when validating Vault's server certificates. CAKey string // ClientCert is the name of the client certificate to use when communicating // with Vault over TLS. ClientCert string // ClientKey is the name of the client key to use when communicating // with Vault over TLS. ClientKey string // ClientMaxRetries configures the number of retries the client should make // when 5-- errors are received from the Vault server. Default is 2. ClientMaxRetries string // ClientTimeout is the max number in seconds the client should attempt to // make a request to the Vault server. ClientTimeout string // LogLevel sets the Vault Agent log level. Defaults to info. LogLevel string // Namespace is the Vault namespace to prepend to secret paths. Namespace string // Role is the name of the Vault role to use for authentication. Role string // TLSSecret is the name of the secret to be mounted to the Vault Agent container // containing the TLS certificates required to communicate with Vault. TLSSecret string // TLSSkipVerify toggles verification of Vault's certificates. TLSSkipVerify bool // TLSServerName is the name of the Vault server to use when validating Vault's // TLS certificates. TLSServerName string }
type VaultConfig ¶
type VaultConfig struct { Address string `json:"address"` CACert string `json:"ca_cert,omitempty"` CAPath string `json:"ca_path,omitempty"` TLSSkipVerify bool `json:"tls_skip_verify,omitempty"` ClientCert string `json:"client_cert,omitempty"` ClientKey string `json:"client_key,omitempty"` TLSServerName string `json:"tls_server_name,omitempty"` }
Vault contains configuration for connecting to Vault servers