Documentation ¶
Index ¶
- type Briefcase
- func (b *Briefcase) AWSCredentialExpiresBefore(awsConfig config.AWSType, expiresBefore time.Time) bool
- func (b *Briefcase) AWSCredentialShouldRefreshBefore(awsConfig config.AWSType, refreshBefore time.Time) bool
- func (b *Briefcase) EnrollAWSCredential(ctx context.Context, awsCreds *api.Secret, awsConfig config.AWSType, ...)
- func (b *Briefcase) EnrollComposite(composite config.CompositeSecretFile)
- func (b *Briefcase) EnrollSSHCertificate(ctx context.Context, sshCertConfig config.SSHCertificateType, ...) error
- func (b *Briefcase) EnrollSecret(secret config.SecretType)
- func (b *Briefcase) EnrollTemplate(tmpl config.TemplateType)
- func (b *Briefcase) EnrollVaultToken(ctx context.Context, token *util.WrappedToken) error
- func (b *Briefcase) GetSecrets(lifetime util.SecretLifetime) []SimpleSecret
- func (b *Briefcase) HasCachedSecrets(lifetime util.SecretLifetime) bool
- func (b *Briefcase) ResetBriefcase() *Briefcase
- func (b *Briefcase) SaveAs(filename string) error
- func (b *Briefcase) ShouldRefreshComposite(composite config.CompositeSecretFile) bool
- func (b *Briefcase) ShouldRefreshSSHCertificate(sshCertConfig config.SSHCertificateType, expiresBefore time.Time) bool
- func (b *Briefcase) ShouldRefreshSecret(secret config.SecretType) bool
- func (b *Briefcase) ShouldRefreshTemplate(tmpl config.TemplateType) bool
- func (b *Briefcase) ShouldRefreshVaultToken(ctx context.Context) bool
- func (b *Briefcase) StoreSecrets(lifetime util.SecretLifetime, secrets []SimpleSecret)
- type LeasedAuthToken
- type SecretsCache
- type SimpleSecret
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Briefcase ¶
type Briefcase struct {
	AuthTokenLease         LeasedAuthToken                `json:"auth"`
	SSHCertificates        map[string]sshCert             `json:"ssh,omitempty"`
	AWSCredentialLeases    map[string]leasedAWSCredential `json:"aws,omitempty"`
	TokenScopedTemplates   map[string]bool                `json:"tokenscoped_templates,omitempty"`
	StaticTemplates        map[string]bool                `json:"static_templates,omitempty"`
	TokenScopedSecrets     map[string]bool                `json:"tokenscoped_secrets,omitempty"`
	StaticScopedSecrets    map[string]bool                `json:"static_secrets,omitempty"`
	VersionScopedSecrets   map[string]int64               `json:"versioned_secrets,omitempty"`
	TokenScopedComposites  map[string]bool                `json:"tokenscoped_composites,omitempty"`
	StaticScopedComposites map[string]bool                `json:"static_composites,omitempty"`
	// contains filtered or unexported fields
}
Briefcase is a serialized file that contains all the information needed for the tool, running in sidecar mode, to keep all the associated leases, secrets, etc. refreshed. It also keeps a non-serialized copy of the secrets that are used to populate templates.
func LoadBriefcase ¶
func NewBriefcase ¶
NewBriefcase creates an empty briefcase.
func (*Briefcase) AWSCredentialExpiresBefore ¶
func (b *Briefcase) AWSCredentialExpiresBefore(awsConfig config.AWSType, expiresBefore time.Time) bool
STS credentials have a maximum lifetime enforced by AWS. The current expiry is kept in the briefcase and checked to determine if it needs to be refreshed. Services using STS credentials are expected to handle credentials expiring underneath them at any time.
func (*Briefcase) AWSCredentialShouldRefreshBefore ¶
func (b *Briefcase) AWSCredentialShouldRefreshBefore(awsConfig config.AWSType, refreshBefore time.Time) bool
AWSCredentialShouldRefreshBefore checks whether a set of AWS credentials should be force refreshed according to its refresh_expiry.
func (*Briefcase) EnrollAWSCredential ¶
func (b *Briefcase) EnrollAWSCredential(ctx context.Context, awsCreds *api.Secret, awsConfig config.AWSType, forceRefreshTTL time.Duration)
EnrollAWSCredential adds or replaces a managed AWS credential in the briefcase. If forceRefreshTTL is not zero, it also associates a refresh expiry time with the credential.
func (*Briefcase) EnrollComposite ¶
func (b *Briefcase) EnrollComposite(composite config.CompositeSecretFile)
func (*Briefcase) EnrollSSHCertificate ¶
func (b *Briefcase) EnrollSSHCertificate(ctx context.Context, sshCertConfig config.SSHCertificateType, forceRefreshTTL time.Duration) error
EnrollSSHCertificate adds a managed SSH certificate to briefcase. If forceRefreshTTL is not zero, then it will associate a refresh expiry time with the certificate.
func (*Briefcase) EnrollSecret ¶
func (b *Briefcase) EnrollSecret(secret config.SecretType)
func (*Briefcase) EnrollTemplate ¶
func (b *Briefcase) EnrollTemplate(tmpl config.TemplateType)
func (*Briefcase) EnrollVaultToken ¶
func (b *Briefcase) EnrollVaultToken(ctx context.Context, token *util.WrappedToken) error
EnrollVaultToken adds the specified Vault token to the briefcase. It captures some expiry information so it knows when the token needs to be refreshed.
func (*Briefcase) GetSecrets ¶
func (b *Briefcase) GetSecrets(lifetime util.SecretLifetime) []SimpleSecret
func (*Briefcase) HasCachedSecrets ¶
func (b *Briefcase) HasCachedSecrets(lifetime util.SecretLifetime) bool
func (*Briefcase) ResetBriefcase ¶
func (b *Briefcase) ResetBriefcase() *Briefcase
ResetBriefcase is used when the Vault token held in a briefcase is no longer usable. This means any secrets that weren't "static" will likely soon expire and disappear. Resetting the briefcase causes all the non-static secrets to be recreated.
func (*Briefcase) ShouldRefreshComposite ¶
func (b *Briefcase) ShouldRefreshComposite(composite config.CompositeSecretFile) bool
func (*Briefcase) ShouldRefreshSSHCertificate ¶
func (b *Briefcase) ShouldRefreshSSHCertificate(sshCertConfig config.SSHCertificateType, expiresBefore time.Time) bool
func (*Briefcase) ShouldRefreshSecret ¶
func (b *Briefcase) ShouldRefreshSecret(secret config.SecretType) bool
func (*Briefcase) ShouldRefreshTemplate ¶
func (b *Briefcase) ShouldRefreshTemplate(tmpl config.TemplateType) bool
func (*Briefcase) ShouldRefreshVaultToken ¶
func (b *Briefcase) ShouldRefreshVaultToken(ctx context.Context) bool
ShouldRefreshVaultToken returns true if it is time to do a periodic refresh of the Vault token the tool is using. This time is established when the token is enrolled into the briefcase. It returns false if the token is not renewable; if the token needs a refresh but is non-renewable, it logs (but does not return) an error.
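The two-clock refresh logic described for AWS credentials (AWSCredentialExpiresBefore, AWSCredentialShouldRefreshBefore with forceRefreshTTL) and the renewable/non-renewable rule of ShouldRefreshVaultToken, as an added illustration that is not this package's code: leaseRecord, enrollLease, expiresBefore, shouldRefreshBefore and tokenRefreshAction are hypothetical stand-ins for the unexported lease types and methods above, and the 1h lease with a 20m forced refresh is constructed sample data.

```go
package main

import (
	"fmt"
	"time"
)

// leaseRecord is an illustrative stand-in (not the package's own type) for a
// managed credential with an issuer-enforced expiry and an optional earlier
// refresh expiry derived from forceRefreshTTL.
type leaseRecord struct {
	Expiry        time.Time
	RefreshExpiry time.Time // zero when no forceRefreshTTL was given
}

// enrollLease records a lease issued at `issued` that lives for `ttl`; a
// non-zero forceRefreshTTL schedules a forced refresh ahead of expiry.
func enrollLease(issued time.Time, ttl, forceRefreshTTL time.Duration) leaseRecord {
	rec := leaseRecord{Expiry: issued.Add(ttl)}
	if forceRefreshTTL != 0 {
		rec.RefreshExpiry = issued.Add(forceRefreshTTL)
	}
	return rec
}

// expiresBefore: has the hard expiry passed by t? A zero expiry counts as expired.
func (r leaseRecord) expiresBefore(t time.Time) bool {
	return r.Expiry.IsZero() || !r.Expiry.After(t)
}

// shouldRefreshBefore: is a forced refresh due by t? False when none was set.
func (r leaseRecord) shouldRefreshBefore(t time.Time) bool {
	return !r.RefreshExpiry.IsZero() && !r.RefreshExpiry.After(t)
}

// tokenRefreshAction models ShouldRefreshVaultToken's rule: refresh a renewable
// token once refreshAt is reached; never refresh a non-renewable one, but report
// it as overdue so the caller can log the condition instead of failing.
func tokenRefreshAction(renewable bool, refreshAt, now time.Time) (refresh, overdue bool) {
	due := !refreshAt.After(now)
	if !renewable {
		return false, due
	}
	return due, false
}

func main() {
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed sample time
	rec := enrollLease(issued, time.Hour, 20*time.Minute)
	fmt.Println(rec.shouldRefreshBefore(issued.Add(30*time.Minute)), rec.expiresBefore(issued.Add(30*time.Minute)))
}
```

At 30 minutes the forced refresh is due while the hard expiry is not, which is the window in which a sidecar rotates credentials before consumers ever see them expire.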
func (*Briefcase) StoreSecrets ¶
func (b *Briefcase) StoreSecrets(lifetime util.SecretLifetime, secrets []SimpleSecret)
type LeasedAuthToken ¶
type SecretsCache ¶
type SecretsCache interface {
	HasCachedSecrets(lifetime util.SecretLifetime) bool
	StoreSecrets(lifetime util.SecretLifetime, secrets []SimpleSecret)
	GetSecrets(lifetime util.SecretLifetime) []SimpleSecret
}
SecretsCache is the interface to the non-persisted secrets that are kept in the briefcase. This could probably be kept outside the briefcase, but we use the briefcase as blackboard-style runtime state right now.