Documentation
Overview
Package vault implements a secret key store that stores secret keys as key-value entries on the Hashicorp Vault K/V secret backend.
Vault is a KMS implementation with many features. This package only leverages the key-value store. For an introduction to Vault see: https://www.vaultproject.io/ For a K/V API overview see: https://www.vaultproject.io/api/secret/kv/kv-v1.html
Index
- Constants
- type AppRole
- type Config
- type Conn
- func (s *Conn) Create(ctx context.Context, name string, value []byte) error
- func (s *Conn) Delete(ctx context.Context, name string) error
- func (s *Conn) Get(_ context.Context, name string) ([]byte, error)
- func (s *Conn) List(ctx context.Context) (kms.Iter, error)
- func (s *Conn) Status(ctx context.Context) (kms.State, error)
- type Kubernetes
Constants
const (
	// APIv1 is the Vault K/V secret engine API version 1.
	// The v1 K/V secret engine does not support versioned
	// secrets.
	APIv1 = "v1"

	// APIv2 is the Vault K/V secret engine API version 2.
	// The v2 K/V secret engine supports versioned secrets.
	APIv2 = "v2"
)
const (
	// EngineKV is the Hashicorp Vault default KV secret engine path.
	EngineKV = "kv"

	// EngineAppRole is the Hashicorp Vault default AppRole authentication
	// engine path.
	EngineAppRole = "approle"

	// EngineKubernetes is the Hashicorp Vault default Kubernetes
	// authentication engine path.
	EngineKubernetes = "kubernetes"
)
Variables
This section is empty.
Functions
This section is empty.
Types
type AppRole
type AppRole struct {
	// Engine is the authentication engine path.
	//
	// Hashicorp Vault allows multiple engines of the
	// same type mounted at the same time and/or engines
	// mounted at arbitrary paths.
	Engine string

	// ID is the AppRole authentication ID.
	ID string

	// Secret is the AppRole authentication secret.
	Secret string

	// Retry is the duration after which another
	// authentication attempt is performed once
	// an authentication attempt failed.
	Retry time.Duration
}
AppRole contains authentication information for the Hashicorp Vault AppRole authentication API.
type Config (added in v0.17.3)
type Config struct {
	// Endpoint is the HTTP Vault server endpoint.
	Endpoint string

	// Engine is the path of the K/V engine to use.
	//
	// Vault allows multiple engines of the same type
	// mounted at the same time and/or engines mounted
	// at arbitrary paths.
	Engine string

	// APIVersion is the API version of the K/V engine.
	//
	// If empty, it defaults to APIv1.
	//
	// Ref: https://www.vaultproject.io/docs/secrets/kv
	APIVersion string

	// Namespace is the Vault namespace used to separate and isolate
	// different organizations / tenants at the same Vault instance.
	// If non-empty, the Vault client will send the
	//   X-Vault-Namespace: Namespace
	// HTTP header on each request.
	//
	// Ref: https://www.vaultproject.io/docs/enterprise/namespaces/index.html
	Namespace string

	// Prefix is the key prefix on Vault's K/V store,
	// similar to a directory. Keys will be fetched
	// from and stored within this prefix.
	Prefix string

	// AppRole contains the Vault AppRole authentication
	// credentials.
	AppRole AppRole

	// K8S contains the Vault Kubernetes authentication
	// credentials.
	K8S Kubernetes

	// StatusPingAfter is the duration after which
	// the KeyStore will check the status of the Vault
	// server. In particular, this status information
	// is used to determine whether the Vault server
	// has been sealed or unsealed again.
	StatusPingAfter time.Duration

	// PrivateKey is the path to the mTLS client private key
	// used to authenticate to the Vault server.
	PrivateKey string

	// Certificate is the path to the mTLS client certificate
	// used to authenticate to the Vault server.
	Certificate string

	// CAPath is the path to the root CA certificate(s) used to
	// verify the TLS certificate of the Vault server. If empty,
	// the host's root CA set is used.
	CAPath string

	// contains filtered or unexported fields
}
Config is a structure containing configuration options for connecting to a Hashicorp Vault server.
type Conn (added in v0.22.0)
type Conn struct {
// contains filtered or unexported fields
}
Conn is a connection to a Hashicorp Vault server.
func Connect (added in v0.17.3)
Connect connects to a Hashicorp Vault server with the given configuration.
func (*Conn) Create (added in v0.22.0)
Create creates the given key-value pair at Vault if and only if the given key does not exist. If such an entry already exists it returns kes.ErrKeyExists.
func (*Conn) Delete (added in v0.22.0)
Delete removes the value associated with the given key from Vault, if it exists.
func (*Conn) Get (added in v0.22.0)
Get returns the value associated with the given key. If no entry for the key exists it returns kes.ErrKeyNotFound.
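The create-if-absent contract of Create, together with the Prefix, Engine, APIVersion and Namespace settings of Config, is easiest to see in a concrete request. The following is an added example, not code from the vault package or from KES: kvConfig is a reduced, assumed stand-in for Config (its Token field stands for the client token an auth backend would issue), ErrKeyExists is a local copy of the kes value the page names, and newFakeVault is a constructed in-memory double that mimics only the KV v2 write endpoint. It relies on two documented Vault behaviours: a KV v2 secret lives under <engine>/data/<path> while v1 uses <engine>/<path>, and a KV v2 write with the check-and-set option cas=0 is rejected (HTTP 400) when any version of the secret already exists.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"sync"
)

// Local stand-in for the kes.ErrKeyExists value the page names (assumed copy, not imported from KES).
var ErrKeyExists = errors.New("key already exists")

// kvConfig is a reduced, assumed stand-in for the page's Config; Token is the client token an auth backend issued.
type kvConfig struct{ Endpoint, Engine, APIVersion, Namespace, Prefix, Token string }

type kvClient struct{ cfg kvConfig }

// secretPath builds the REST path for a key: KV v2 inserts a "data" segment after the engine mount, KV v1 does not.
func (c *kvClient) secretPath(name string) string {
	if c.cfg.APIVersion == "v2" {
		return path.Join("/v1", c.cfg.Engine, "data", c.cfg.Prefix, name)
	}
	return path.Join("/v1", c.cfg.Engine, c.cfg.Prefix, name)
}

// do sends one authenticated request; X-Vault-Namespace is set only when Namespace is non-empty, as the page describes.
func (c *kvClient) do(ctx context.Context, method, name string, body []byte) (*http.Response, error) {
	req, err := http.NewRequestWithContext(ctx, method, c.cfg.Endpoint+c.secretPath(name), bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", c.cfg.Token)
	if c.cfg.Namespace != "" {
		req.Header.Set("X-Vault-Namespace", c.cfg.Namespace)
	}
	return http.DefaultClient.Do(req)
}

// Create stores value under name only if no entry exists. The KV v2 check-and-set option cas=0 makes Vault
// reject the write when any version is already present, so the existence check happens atomically on the server.
func (c *kvClient) Create(ctx context.Context, name string, value []byte) error {
	body, _ := json.Marshal(map[string]any{
		"options": map[string]int{"cas": 0},
		"data":    map[string][]byte{"value": value}, // []byte is base64-encoded by encoding/json
	})
	resp, err := c.do(ctx, http.MethodPost, name, body)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusBadRequest { // CAS mismatch: the key already exists
		return ErrKeyExists
	}
	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusNoContent {
		return fmt.Errorf("vault: unexpected response %s", resp.Status)
	}
	return nil
}

// newFakeVault is a constructed in-memory test double for the KV v2 write endpoint, not Vault itself:
// it keys secrets by namespace and path and enforces the cas=0 rule.
func newFakeVault() *httptest.Server {
	var mu sync.Mutex
	secrets := map[string]json.RawMessage{}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		defer mu.Unlock()
		key := r.Header.Get("X-Vault-Namespace") + ":" + r.URL.Path
		_, exists := secrets[key]
		var in struct{ Options struct{ CAS *int }; Data json.RawMessage } // JSON names match case-insensitively
		if r.Method != http.MethodPost || json.NewDecoder(r.Body).Decode(&in) != nil {
			w.WriteHeader(http.StatusNotFound)
			return
		}
		if in.Options.CAS != nil && *in.Options.CAS == 0 && exists {
			http.Error(w, `{"errors":["check-and-set parameter did not match the current version"]}`, http.StatusBadRequest)
			return
		}
		secrets[key] = in.Data
		w.WriteHeader(http.StatusNoContent)
	}))
}

func main() {
	srv := newFakeVault()
	defer srv.Close()
	c := &kvClient{cfg: kvConfig{Endpoint: srv.URL, Engine: "kv", APIVersion: "v2", Namespace: "team-a", Prefix: "kes", Token: "hvs.constructed"}}
	fmt.Println(c.Create(context.Background(), "my-key", []byte("secret")), c.Create(context.Background(), "my-key", []byte("secret")))
}
```

Two things are worth noting. The same key name written from a second namespace succeeds, because the fake (like Vault) scopes the secret by the X-Vault-Namespace header; that is the tenant isolation Config.Namespace buys. And the cas=0 option exists only in the versioned (v2) engine: with APIv1, the page's default, a key store can only emulate "create if absent" with a read followed by a write, which leaves a window in which two concurrent creators can both succeed.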
type Kubernetes (added in v0.13.0)
type Kubernetes struct {
	// Engine is the authentication engine path.
	//
	// Hashicorp Vault allows multiple engines of the
	// same type mounted at the same time and/or engines
	// mounted at arbitrary paths.
	Engine string

	// Role is the JWT role.
	Role string

	// JWT is the issued authentication token.
	JWT string

	// Retry is the duration after which another
	// authentication attempt is performed once
	// an authentication attempt failed.
	Retry time.Duration
}
Kubernetes contains authentication information for the Hashicorp Vault Kubernetes authentication API.
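Both AppRole and Kubernetes carry an Engine path and a Retry duration; the example below, added here and not taken from the vault package or from KES, shows what those fields drive: the login endpoint is built from Engine (so an auth engine mounted somewhere other than the default "approle" or "kubernetes" path still works), and a failed attempt is repeated after Retry until the caller's context expires. The struct field sets are those shown on the page; loginRequest, tryLogin, login and newFakeAuth are hypothetical names, and newFakeAuth is a constructed test double that answers the first attempts with 503 "Vault is sealed" before checking credentials. The request shapes follow Vault's documented login API (POST to /v1/auth/<engine>/login with role_id and secret_id for AppRole, or role and jwt for Kubernetes; the token arrives in auth.client_token).

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"sync/atomic"
	"time"
)

// AppRole and Kubernetes carry the field set shown on the page; everything below is an added illustration.
type AppRole struct{ Engine, ID, Secret string; Retry time.Duration }
type Kubernetes struct{ Engine, Role, JWT string; Retry time.Duration }

// loginRequest maps the configured method to its login endpoint, JSON body and Retry; the path comes from Engine.
func loginRequest(a AppRole, k Kubernetes) (string, map[string]string, time.Duration, error) {
	switch {
	case a.ID != "" && k.JWT != "":
		return "", nil, 0, errors.New("vault: both AppRole and Kubernetes credentials configured")
	case a.ID != "":
		return path.Join("/v1/auth", a.Engine, "login"), map[string]string{"role_id": a.ID, "secret_id": a.Secret}, a.Retry, nil
	case k.JWT != "":
		return path.Join("/v1/auth", k.Engine, "login"), map[string]string{"role": k.Role, "jwt": k.JWT}, k.Retry, nil
	default:
		return "", nil, 0, errors.New("vault: no authentication credentials configured")
	}
}

// tryLogin performs one login attempt and extracts auth.client_token from the response.
func tryLogin(ctx context.Context, url string, body []byte) (string, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("vault: login failed: %s", resp.Status)
	}
	var out struct{ Auth struct{ ClientToken string `json:"client_token"` } }
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil || out.Auth.ClientToken == "" {
		return "", errors.New("vault: login response carried no client_token")
	}
	return out.Auth.ClientToken, nil
}

// login retries a failed attempt after Retry until ctx expires (the page's Retry semantics); it returns the token and the attempt count.
func login(ctx context.Context, endpoint string, a AppRole, k Kubernetes) (string, int, error) {
	p, body, retry, err := loginRequest(a, k)
	if err != nil {
		return "", 0, err
	}
	raw, _ := json.Marshal(body)
	for attempt := 1; ; attempt++ {
		tok, err := tryLogin(ctx, endpoint+p, raw)
		if err == nil {
			return tok, attempt, nil
		}
		select {
		case <-ctx.Done():
			return "", attempt, fmt.Errorf("vault: giving up after %d attempts: %w", attempt, err)
		case <-time.After(retry):
		}
	}
}

// newFakeAuth is a constructed test double, not Vault: AppRole is mounted at `mount`, the first failFirst attempts
// get 503 "Vault is sealed", and afterwards the credentials are checked before a token is issued.
func newFakeAuth(mount, roleID, secretID string, failFirst int32) *httptest.Server {
	var calls int32
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var in map[string]string
		json.NewDecoder(r.Body).Decode(&in)
		switch {
		case atomic.AddInt32(&calls, 1) <= failFirst:
			http.Error(w, `{"errors":["Vault is sealed"]}`, http.StatusServiceUnavailable)
		case r.URL.Path != path.Join("/v1/auth", mount, "login") || in["role_id"] != roleID || in["secret_id"] != secretID:
			http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
		default:
			json.NewEncoder(w).Encode(map[string]any{"auth": map[string]string{"client_token": "hvs.constructed-token"}})
		}
	}))
}

func main() {
	srv := newFakeAuth("approle-prod", "role-id-constructed", "secret-id-constructed", 1)
	defer srv.Close()
	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
	defer cancel()
	a := AppRole{Engine: "approle-prod", ID: "role-id-constructed", Secret: "secret-id-constructed", Retry: 10 * time.Millisecond}
	fmt.Println(login(ctx, srv.URL, a, Kubernetes{}))
}
```

The retry loop is bounded only by the caller's context; a store that re-authenticates in the background should pair Retry with a deadline or cancellation so a misconfigured secret does not produce an unbounded stream of failed logins, which is also what shows up in Vault's audit log when the credentials are wrong.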