klvault

package
v0.8.4
Published: Nov 4, 2019 License: MIT Imports: 13 Imported by: 0

README

Vault Loader

Loads config values from a vault secrets engine

Usage

Basic usage with Kubernetes auth provider and renewal

vaultLoader := klvault.New(&klvault.Config{
	Secrets: []klvault.Secret{
		{
			Key: "/database/creds/db", // trailing comma is required in a multi-line Go literal
		},
	},
	Client: vaultClient, // from github.com/hashicorp/vault/api
	AuthProvider: k8s.New(&k8s.Config{
		Client: vaultClient,
		K8sTokenPath: "/var/run/secrets/kubernetes.io/serviceaccount/token",
	}),
	Renew: true,
})

It is possible to pass additional params to the vault secrets engine in the following manner:

Key: "/aws/creds/example-role?ttl=20m"

KV Secrets Engine - Version 2 (Versioned KV Store) is also supported by the loader. A key from the versioned KV store can be accessed as follows:

Key: "/secret/data/my-versioned-key"

This returns the latest version of the key. A particular version of the secret can be accessed as follows:

Key: "/secret/data/my-versioned-key?version=1"
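The key syntax above (a secrets-engine path with optional params, which covers both the extra-params case and KV v2 version selection) together with the TTLRatio refresh rule documented in Config, as an added example that is not the klvault project's code; the Secret type and fakeClient are stand-ins (assumptions) for vault.Secret and the Vault logical client:

```go
package main

import (
	"net/url"
	"strings"
	"time"
)

// Secret stands in (assumption) for the vault.Secret fields the loader uses.
type Secret struct{ LeaseDuration int } // seconds, as in vault.Secret
// LogicalClient mirrors the page's interface with the stand-in Secret type.
type LogicalClient interface {
	Read(key string) (*Secret, error)
	ReadWithData(key string, data map[string][]string) (*Secret, error)
}

// splitKey turns "/aws/creds/example-role?ttl=20m" into the engine path plus
// the params the README says are forwarded to the secrets engine.
func splitKey(key string) (string, map[string][]string, error) {
	path, query, _ := strings.Cut(key, "?")
	params, err := url.ParseQuery(query) // empty query -> empty params
	return path, params, err
}

// fetch reads a secret, calling ReadWithData only when params are present.
func fetch(c LogicalClient, key string) (*Secret, error) {
	path, params, err := splitKey(key)
	if err != nil {
		return nil, err
	}
	if len(params) == 0 {
		return c.Read(path)
	}
	return c.ReadWithData(path, params)
}

// refreshAfter applies the Config.TTLRatio rule: ttl * ratio / 100.
func refreshAfter(leaseSeconds, ttlRatio int) time.Duration {
	return time.Duration(leaseSeconds) * time.Second * time.Duration(ttlRatio) / 100
}

// fakeClient is a constructed stand-in for Vault's logical client; it records
// the call it received and answers with a constructed lease (1h or 20m).
type fakeClient struct{ path string; params map[string][]string }
func (f *fakeClient) Read(key string) (*Secret, error) {
	f.path = key
	return &Secret{LeaseDuration: 3600}, nil
}
func (f *fakeClient) ReadWithData(key string, data map[string][]string) (*Secret, error) {
	f.path, f.params = key, data
	return &Secret{LeaseDuration: 1200}, nil
}
```

With the default TTLRatio of 75, a 1h lease is refreshed after 45m and a 20m lease after 15m.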

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (

	// ErrNoClient is the error thrown when trying to create a Loader without vault.Client
	ErrNoClient = errors.New("No vault client provided")
	// ErrNoAuthProvider is the error thrown when trying to create a Loader without an AuthProvider
	ErrNoAuthProvider = errors.New("No auth provider given")
	// ErrNoSecretKey is the error thrown when trying to create a Loader without a SecretKey
	ErrNoSecretKey = errors.New("No secret key given")
)

Functions

This section is empty.

Types

type AuthProvider

type AuthProvider interface {
	Token() (string, time.Duration, error)
}

AuthProvider is the interface for a Vault authentication provider

type Config

type Config struct {
	// Name is the name of the loader
	Name string
	// StopOnFailure tells whether a failure to load configs should close the config and all registered closers
	StopOnFailure bool
	// Secrets is the list of secrets to load
	Secrets []Secret
	// AuthProvider is the vault auth provider
	AuthProvider AuthProvider
	// Client is the vault client for the vault loader
	Client *vault.Client
	// MaxRetry is the maximum number of times the load method can be retried
	MaxRetry int
	// RetryDelay is the time between each retry
	RetryDelay time.Duration
	// Debug enables debug mode
	Debug bool
	// Logger is the logger used for debug logs
	Logger nlogger.Provider
	// TTLRatio is the factor to multiply the key's TTL by to deduce the moment
	// the Loader should ask vault for new credentials. Default value is 75.
	// Example: ttl = 1h, ttl * 75 / 100 = 45m, the loader will refresh key after 45m
	TTLRatio int
	// Renew sets whether the vault loader should renew itself
	Renew bool
}

Config is the config for the Loader

type Loader

type Loader struct {
	*kwpoll.PollWatcher
	// contains filtered or unexported fields
}

Loader is the structure representing a Loader

func New

func New(cfg *Config) *Loader

New creates a new Loader with the given config

func (*Loader) Load

func (vl *Loader) Load(cs konfig.Values) error

Load implements the konfig.Loader interface. It fetches a token from the auth provider and sets the token in the vault client. Then it loads the secret and assigns its values to the konfig.Store.

func (*Loader) MaxRetry

func (vl *Loader) MaxRetry() int

MaxRetry is the maximum number of times the load method can be retried

func (*Loader) Name

func (vl *Loader) Name() string

Name returns the name of the loader

func (*Loader) RetryDelay

func (vl *Loader) RetryDelay() time.Duration

RetryDelay is the delay between each retry

func (*Loader) StopOnFailure

func (vl *Loader) StopOnFailure() bool

StopOnFailure returns whether a load failure should stop the config and the registered closers

func (*Loader) Time

func (vl *Loader) Time() time.Duration

Time returns the TTL of the vault loader. It is used as the interval source by the ticker watcher.

type LogicalClient

type LogicalClient interface {
	Read(key string) (*vault.Secret, error)
	Write(key string, data map[string]interface{}) (*vault.Secret, error)
	ReadWithData(key string, data map[string][]string) (*vault.Secret, error)
}

LogicalClient is an interface for the vault logical client

type Secret

type Secret struct {
	// Key is the URL to fetch the secret from (e.g. /v1/database/creds/mydb)
	Key string
	// KeysPrefix sets a prefix to be prepended to all keys in the config store
	KeysPrefix string
	// Replacer transforms vault secret's keys
	Replacer nstrings.Replacer
}

Secret is a secret to load

Directories

Path Synopsis
auth
k8s
