const (
	// Name is the Provider name.
	Name = "vault"
	// VaultKeysSeparator is the separator between the individual vault keys
	// listed in the EnvVaultKeys (VAULT_KV_KEYS) environment variable.
	VaultKeysSeparator = ":"
	// VaultKeySeparator is the separator between a key path and its optional
	// version inside one VAULT_KV_KEYS entry (e.g. /path/to/key@version).
	VaultKeySeparator = "@"
)
// Names of the environment variables this provider reads or writes.
//
// Several of these carry credential material (AWS keys and session token,
// the GCP token, the Vault AppRole secret and JWT); their values should be
// treated as secrets and kept out of logs and error messages.
const (
	// AWS credentials injected into the process environment.
	EnvAwsAccessKeyId     = "AWS_ACCESS_KEY_ID"
	EnvAwsProfile         = "AWS_PROFILE"
	EnvAwsSecretAccessKey = "AWS_SECRET_ACCESS_KEY"
	EnvAwsSessionToken    = "AWS_SESSION_TOKEN"

	// GCP credential outputs.
	EnvGoogleCredFile = "GOOGLE_CREDENTIALS_FILE"
	EnvGoogleToken    = "GCP_TOKEN"

	// Set by Kubernetes inside a Pod; used to detect in-cluster execution.
	EnvKubernetesServiceHost = "KUBERNETES_SERVICE_HOST"
	EnvKubernetesServicePort = "KUBERNETES_SERVICE_PORT"

	// Vault authentication inputs. EnvVaultAppJWT and EnvVaultAppSecret hold
	// credentials; EnvVaultAuthData is a JSON payload sent with the login.
	EnvVaultAppJWT     = "VAULT_APP_JWT"
	EnvVaultAppRole    = "VAULT_APP_ROLE"
	EnvVaultAppSecret  = "VAULT_APP_SECRET"
	EnvVaultAuthData   = "VAULT_AUTH_DATA"
	EnvVaultAuthMethod = "VAULT_AUTH_METHOD"
	EnvVaultAuthPath   = "VAULT_AUTH_PATH"

	// Vault AWS secret engine configuration.
	EnvVaultAwsPath = "VAULT_AWS_PATH"
	EnvVaultAwsRole = "VAULT_AWS_ROLE"

	// Vault GCP secret engine configuration.
	EnvVaultGcpCredType = "VAULT_GCP_CRED_TYPE"
	EnvVaultGcpPath     = "VAULT_GCP_PATH"
	EnvVaultGcpRole     = "VAULT_GCP_ROLE"

	// Colon-separated list of KV keys to fetch; see EnvVars for the format.
	EnvVaultKeys = "VAULT_KV_KEYS"
)
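var (
	// ErrVaultEmptyResponse is returned when vault responds with no data.
	ErrVaultEmptyResponse = errors.New("no data returned from vault")
	// ErrVaultUnexpectedResponse is returned when vault does not respond with the expected data.
	ErrVaultUnexpectedResponse = errors.New("unexpected response from vault")
	// ErrNotInKubernetes is returned when vestibule is not running in a kubernetes cluster.
	ErrNotInKubernetes = errors.New("not running in kubernetes cluster")
	// ErrInvalidKVKey is returned when the given key is invalid.
	ErrInvalidKVKey = errors.New("invalid vault KV key")
	// ErrUnexpectedVaultResponse is returned when vault returns something we cannot handle.
	//
	// NOTE(review): this is a distinct sentinel from ErrVaultUnexpectedResponse
	// even though both carry the same message; errors.Is against one does not
	// match the other, so callers must check whichever value the call site
	// actually returns. Both are kept to preserve the exported API.
	ErrUnexpectedVaultResponse = errors.New("unexpected response from vault")

	// EnvVars is a map of known configuration environment variables and their usage descriptions.
	EnvVars = map[string]string{
		EnvVaultKeys: `If VAULT_KV_KEYS is set, will iterate over each key (colon separated), attempting to get the secret from Vault. Secrets are pulled at the optional version or latest, then injected into Environ. If running in Kubernetes, the Pod's ServiceAccount token will automatically be looked up and used for Vault authentication. e.g. VAULT_KV_KEYS=/path/to/key1[@version]:/path/to/key2[@version]:...`,
		EnvVaultAwsRole: `Name of the role to generate credentials against. If credentials are returned, the access key and secret key will be injected into the process environment using the standard environment variables and a credentials file will be written to the path from AWS_SHARED_CREDENTIALS_FILE (by default "/var/run/aws/credentials")`,
		"VAULT_*":       "All vault client configuration environment variables are respected. More information at https://www.vaultproject.io/docs/commands/#environment-variables",
		EnvAwsProfile:   `AWS profile to use in the shared credentials file. Defaults to "default"`,
		EnvAwsSharedCredFile: `Path to the AWS shared credentials file to write credentials to. 
Defaults to "/var/run/aws/credentials"`,
		EnvGoogleCredFile: `Path to the GCP service account credentials file to create. Defaults to "/var/run/gcp/creds.json"`,
		EnvVaultAppJWT:    "The jwt for use with OIDC/JWT authentication",
		// Typo fix: "fo Kubernetes" -> "for Kubernetes" in the user-facing usage text.
		EnvVaultAppRole:     "Either the role id for AppRole authentication, or the role name for Kubernetes authentication.",
		EnvVaultAppSecret:   "The secret id for use with AppRole authentication",
		EnvVaultAuthData:    "Data payload to send with authentication request. JSON object.",
		EnvVaultAuthMethod:  `Authentication method for vault. Default is "kubernetes".`,
		EnvVaultAuthPath:    "Authentication path for vault authentication - e.g. okta/login/:user. Overrides VAULT_AUTH_METHOD if set.",
		EnvVaultAwsPath:     `Mountpoint for the vault AWS secret engine. Defaults to "aws".`,
		EnvVaultGcpCredType: "GCP credential type to generate. Defaults to key. Accepted values are [token key]",
		EnvVaultGcpPath:     `Mountpoint for the vault GCP secret engine. Defaults to "gcp".`,
		EnvVaultGcpRole:     "Name of the GCP role in vault to generate credentials against.",
	}
)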
type Client ¶
// Client is an environ.Provider that embeds a vault api.Client and is
// configured from the environment via the `env` struct tags below.
//
// AppSecret, AppJWT and AuthData hold authentication material; do not log
// or echo a populated Client.
type Client struct {
	*api.Client

	// AuthMethod selects the vault auth method; see SetAuthMethod for the default.
	AuthMethod string `env:"VAULT_AUTH_METHOD"`
	// AuthPath, when set, is the login path used instead of the one derived from AuthMethod.
	AuthPath string `env:"VAULT_AUTH_PATH"`
	// AuthData is the JSON payload sent with the authentication request.
	AuthData string `env:"VAULT_AUTH_DATA"`
	// AppRole is the AppRole role id, or the role name for Kubernetes auth.
	AppRole string `env:"VAULT_APP_ROLE"`
	// AppSecret is the AppRole secret id (credential).
	AppSecret string `env:"VAULT_APP_SECRET"`
	// AppJWT is the token used for OIDC/JWT authentication (credential).
	AppJWT string `env:"VAULT_APP_JWT"`

	// AwsRole is the vault AWS secret engine role to generate credentials against.
	AwsRole string `env:"VAULT_AWS_ROLE"`
	// AwsPath is the mount point of the vault AWS secret engine.
	AwsPath string `env:"VAULT_AWS_PATH" envDefault:"aws"`
	// AwsCredFile is where generated AWS credentials are written.
	// NOTE(review): the file permissions used when writing it are not visible here — confirm it is not world-readable.
	AwsCredFile string `env:"AWS_SHARED_CREDENTIALS_FILE" envDefault:"/var/run/aws/credentials"`
	// AwsProfile is the profile name used inside the shared credentials file.
	AwsProfile string `env:"AWS_PROFILE" envDefault:"default"`

	// GcpPath is the mount point of the vault GCP secret engine.
	GcpPath string `env:"VAULT_GCP_PATH" envDefault:"gcp"`
	// GcpRole is the vault GCP role to generate credentials against.
	GcpRole string `env:"VAULT_GCP_ROLE"`
	// GcpCredType is the GCP credential type to generate ("token" or "key").
	GcpCredType string `env:"VAULT_GCP_CRED_TYPE" envDefault:"key"`
	// GcpCredFile is where a generated GCP service account key is written.
	GcpCredFile string `env:"GOOGLE_CREDENTIALS_FILE" envDefault:"/var/run/gcp/creds.json"`

	// Keys are the KV keys to fetch, parsed from VAULT_KV_KEYS.
	// KVKeys is declared elsewhere in the package; presumably it parses the colon/@ separated list — verify against its definition.
	Keys KVKeys `env:"VAULT_KV_KEYS"`
}
Client is an environ.Provider and a github.com/hashicorp/vault/api.Client that retrieves the requested keys.
func (*Client) AddToEnviron ¶
AddToEnviron iterates through the given []VaultKeys, decoding the data returned for each key into a map[string]string and merging it into the environ.Environ.
func (*Client) SetAuthMethod ¶ added in v1.2.0
func (client *Client) SetAuthMethod()
SetAuthMethod sets the AuthMethod if not already set
func (*Client) SetLoginPath ¶ added in v1.2.0
func (client *Client) SetLoginPath()
SetLoginPath sets the api path to login with vault for the auth method
func (*Client) SetVaultToken ¶ added in v1.2.0
SetVaultToken sets the AuthMethod and AuthPath if they are not already set, then uses them to request a session token from vault.