Documentation
Index
- Constants
- func AbsolutePath(prefix string, filename string) string
- func MustMkdirAllForFile(filename string)
- func StringToFileMode(fileMode string) (*os.FileMode, error)
- func TouchFile(absFilename string) error
- type AuthMechanismType
- type CliFlags
- type LockHandle
- type RunMode
- type SecretLifetime
- type WrappedToken
Constants
const EnableKubernetesVaultTokenAuthentication = true
EnableKubernetesVaultTokenAuthentication enables Kubernetes-based Vault token authentication (see references for description). Disable this at compile time if you don't use this feature.
const EncodingBase64 = "base64"
EncodingBase64 marks a field as base64-encoded: such fields are decoded before being written to output files. They are not decoded when they are referenced from a template or used in any other way.
const EncodingNone = "none"
const SSHCertificate = "id_rsa-cert.pub"
SSHCertificate is the filename of the public key signed by Vault (the SSH certificate).
const VaultEC2AuthPath = "/v1/auth/aws-ec2/login"
Variables
This section is empty.
Functions
func AbsolutePath
func AbsolutePath(prefix string, filename string) string
func MustMkdirAllForFile
func MustMkdirAllForFile(filename string)
Types
type AuthMechanismType
type AuthMechanismType int

const (
	EC2AMIAuth AuthMechanismType = iota
	EC2IAMAuth
	KubernetesAuth
	UnknownAuth
)
type CliFlags
type CliFlags struct {
	ShowVersion             bool          // Display version and exit
	PerformInit             bool          // run in "init" mode
	PerformSidecar          bool          // run in "sidecar" mode
	PerformOneShot          bool          // even though running in sidecar mode, only run things once and then exit.
	PerformCleanup          bool          // cleanup everything in the leases file
	RevokeOnCleanup         bool          // also revoke everything when cleaning up
	RenewInterval           time.Duration // when in sidecar mode, this is the expected period between checks
	BriefcaseFilename       string        // absolute location of briefcase
	ShutdownTriggerFile     string        // if this file exists, the sidecar will shutdown
	VaultTokenArg           string        // v-c-t will accept a vault token as a command line arg
	EC2AuthEnabled          bool          // use "registered AMI" to authenticate an EC2 instance
	EC2Nonce                string        // Nonce used for re-authenticating EC2 instances
	IAMAuthRole             string        // Role to use when performing IAM authentication of EC2 instances
	IAMVaultAuthBackend     string        // Override IAM auth path in Vault
	ConfigFile              string        // location of vault-config, either relative to input prefix, or absolute
	ConfigDir               string        // location of vault-config directory, either relative to input prefix, or absolute
	OutputPrefix            string        // prefix to use when writing output files
	InputPrefix             string        // prefix to use when looking for input files
	ServiceSecretPrefix     string        // override prefix for relative KV secrets
	KubernetesLoginPath     string        // path to use in Vault for Kubernetes authentication
	ServiceAccountToken     string        // path to the ServiceAccount token file for Kubernetes authentication
	KubernetesAuthRole      string        // enables Kubernetes auth, and sets role to use with Kubernetes authentication
	DebugLogLevel           bool          // enable debug logging
	CliVaultTokenRenewable  bool          // is the vault token supplied on the command line renewable?
	ForceRefreshTTL         time.Duration // secrets will be refreshed after this duration, regardless of their expiry.
	STSTTL                  time.Duration // configures what TTL to use for AWS STS tokens.
	EnablePrometheusMetrics bool          // configures whether to enable prometheus metrics server for sidecar mode.
	PrometheusPort          int           // configures port on which to serve prometheus metrics endpoint
	VaultClientTimeout      time.Duration // configures HTTP timeouts for Vault client connections.
	VaultClientRetries      int           // configures HTTP retries for Vault client connections.
	TerminateOnSyncFailure  bool          // If enabled in sidecar mode, will cause tool to terminate if there is a failure to perform sync.
}
CliFlags contains all flags for the vault-ctrl-tool application. v1 of vault-ctrl-tool had some bad ideas about parsing command line arguments. This is kept for compatibility.
func ProcessFlags
func (*CliFlags) AuthMechanism
func (f *CliFlags) AuthMechanism() AuthMechanismType
type LockHandle
type LockHandle struct {
// contains filtered or unexported fields
}
func LockFile
func LockFile(filename string) (*LockHandle, error)
LockFile sets an exclusive provisional file lock on a file (creating it if needed). It is essentially a wrapper around flock(fd, LOCK_EX), but hides the file descriptor from the caller since file descriptors are not very Go-like. On success it returns a non-nil lock handle which can be passed to lh.Unlock(). Note that Unlock will attempt to delete the file.
func (*LockHandle) Unlock
func (lh *LockHandle) Unlock(panicOnUnlockFailure bool) error
Unlock calls flock(fd, LOCK_UN) on the file being used for locking. If panicOnUnlockFailure is true and the unlock syscall fails, it panics rather than returning an error. The panic applies only to the flock syscall; other errors (already unlocked, bad arguments, failure to delete the file, etc.) are always returned as an error.
type SecretLifetime
type SecretLifetime string
SecretLifetime describes the lifetime of a secret.
const LifetimeStatic SecretLifetime = "static"
Secrets and templates can have a lifetime associated with them; those without an explicit lifetime default to the "static" lifetime for backwards compatibility.
const LifetimeToken SecretLifetime = "token"
const LifetimeVersion SecretLifetime = "version"
LifetimeVersion is a hack. It will refresh fields of secrets when the version of the secret increases. It does not support composite secrets, or anything else. If this winds up being valuable, the interactions between briefcase<->config will need to be rewritten since both other lifetimes operate with the exact opposite philosophy.
type WrappedToken
func NewWrappedToken
func NewWrappedToken(secret *api.Secret, renewable bool) *WrappedToken