vault

package

v2.7.6 Latest Latest Go to latest Published: Apr 12, 2024 License: MIT Imports: 8 Imported by: 1

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/influxdata/influxdb

Links

Open Source Insights

README ¶

Vault Secret Service

This package implements platform.SecretService using vault.

Key layout

All secrets are stored in vault as key value pairs that can be found under the key /secret/data/:orgID.

For example

/secret/data/031c8cbefe101000 ->
  github_api_key: foo
  some_other_key: bar
  a_secret: key

Configuration

When a new secret service is instatiated with vault.NewSecretService() we read the environment for the standard vault environment variables.

It is expected that the vault provided is unsealed and that the VAULT_TOKEN has sufficient privileges to access the key space described above.

Test/Dev

The vault secret service may be used by starting a vault server

vault server -dev

VAULT_ADDR='<vault address>' VAULT_TOKEN='<vault token>' influxd --secret-store vault

Once the vault and influxdb servers have been started and initialized, you may test the service by executing the following:

curl --request GET \
  --url http://localhost:8086/api/v2/orgs/<org id>/secrets \
  --header 'authorization: Token <authorization token>

# should return
#
#  {
#    "links": {
#      "org": "/api/v2/orgs/031c8cbefe101000",
#      "secrets": "/api/v2/orgs/031c8cbefe101000/secrets"
#    },
#    "secrets": []
#  }

curl --request PATCH \
  --url http://localhost:8086/api/v2/orgs/<org id>/secrets \
  --header 'authorization: Token <authorization token> \
  --header 'content-type: application/json' \
  --data '{
	"foo": "bar",
	"hello": "world"
}'

# should return 204 no content

curl --request GET \
  --url http://localhost:8086/api/v2/orgs/<org id>/secrets \
  --header 'authorization: Token <authorization token>

# should return
#
#  {
#    "links": {
#      "org": "/api/v2/orgs/031c8cbefe101000",
#      "secrets": "/api/v2/orgs/031c8cbefe101000/secrets"
#    },
#    "secrets": [
#      "foo",
#      "hello"
#    ]
#  }

Documentation ¶

Index ¶

type Config
type ConfigOptFn
- func WithConfig(config Config) ConfigOptFn
- func WithTLSConfig(tlsCFG TLSConfig) ConfigOptFn
type SecretService
- func NewSecretService(cfgOpts ...ConfigOptFn) (*SecretService, error)
type TLSConfig

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type Config ¶

type Config struct {
	Address       string
	AgentAddress  string
	ClientTimeout time.Duration
	MaxRetries    int
	Token         string
	TLSConfig
}

Config may setup the vault client configuration. If any field is a zero value, it will be ignored and the default used.

type ConfigOptFn ¶

type ConfigOptFn func(Config) Config

ConfigOptFn is a functional input option to configure a vault service.

func WithConfig ¶

func WithConfig(config Config) ConfigOptFn

WithConfig provides a configuration to the service constructor.

func WithTLSConfig ¶

func WithTLSConfig(tlsCFG TLSConfig) ConfigOptFn

WithTLSConfig allows one to set the TLS config only.

type SecretService ¶

type SecretService struct {
	Client *api.Client
}

SecretService is service for storing user secrets

func NewSecretService ¶

func NewSecretService(cfgOpts ...ConfigOptFn) (*SecretService, error)

NewSecretService creates an instance of a SecretService. The service is configured using the standard vault environment variables. https://www.vaultproject.io/docs/commands/index.html#environment-variables

func (*SecretService) DeleteSecret ¶

func (s *SecretService) DeleteSecret(ctx context.Context, orgID platform2.ID, ks ...string) error

DeleteSecret removes a single secret from the secret store.

func (*SecretService) GetSecretKeys ¶

func (s *SecretService) GetSecretKeys(ctx context.Context, orgID platform2.ID) ([]string, error)

GetSecretKeys retrieves all secret keys that are stored for the organization orgID.

func (*SecretService) LoadSecret ¶

func (s *SecretService) LoadSecret(ctx context.Context, orgID platform2.ID, k string) (string, error)

LoadSecret retrieves the secret value v found at key k for organization orgID.

func (*SecretService) PatchSecrets ¶

func (s *SecretService) PatchSecrets(ctx context.Context, orgID platform2.ID, m map[string]string) error

PatchSecrets patches all provided secrets and updates any previous values.

func (*SecretService) PutSecret ¶

func (s *SecretService) PutSecret(ctx context.Context, orgID platform2.ID, k string, v string) error

PutSecret stores the secret pair (k,v) for the organization orgID.

func (*SecretService) PutSecrets ¶

func (s *SecretService) PutSecrets(ctx context.Context, orgID platform2.ID, m map[string]string) error

PutSecrets puts all provided secrets and overwrites any previous values.

type TLSConfig ¶

type TLSConfig struct {
	CACert             string
	CAPath             string
	ClientCert         string
	ClientKey          string
	InsecureSkipVerify bool
	TLSServerName      string
}

TLSConfig is the configuration for TLS.

Source Files ¶

View all Source files

secret.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL