package vault v0.17.1
Published: Oct 11, 2021 License: AGPL-3.0 Imports: 14 Imported by: 0

Documentation

Overview

Package vault implements a secret key store that stores secret keys as key-value entries on the Hashicorp Vault K/V secret backend.

Vault is a KMS implementation with many features. This package only leverages the key-value store. For an introduction to Vault see: https://www.vaultproject.io/ For a K/V API overview see: https://www.vaultproject.io/api/secret/kv/kv-v1.html

Index

Constants

View Source
const (
	// EngineV1 is the Hashicorp Vault K/V secret engine version 1.
	// This K/V secret store is not versioned.
	EngineV1 = "v1"

	// EngineV2 is the Hashicorp Vault K/V secret engine version 2.
	// This K/V secret store is versioned.
	EngineV2 = "v2"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type AppRole

type AppRole struct {
	Engine string // The AppRole engine path
	ID     string // The AppRole ID
	Secret string // The AppRole secret ID
	Retry  time.Duration
}

AppRole holds the Vault AppRole authentication credentials and a duration after which the authentication should be retried whenever it fails.

type Kubernetes added in v0.13.0

type Kubernetes struct {
	Engine string // The Kubernetes auth engine path
	Role   string // The Kubernetes JWT role
	JWT    string // The Kubernetes JWT
	Retry  time.Duration
}

type Store added in v0.7.0

type Store struct {
	// Addr is the HTTP address of the Vault server.
	Addr string

	// Engine is the path of the K/V engine to use.
	//
	// Vault allows multiple engines of the same type
	// mounted at the same time and/or engines mounted
	// at arbitrary paths.
	Engine string

	// EngineVersion is the API version of the K/V engine.
	//
	// It has to be set to "v1" for the K/V v1 engine (unversioned)
	// or to "v2" for the K/V v2 engine (versioned).
	//
	// For more information about the K/V engine differences, see:
	// https://www.vaultproject.io/docs/secrets/kv
	EngineVersion string

	// Location is the location on Vault's K/V store
	// where this KeyStore will save secret keys.
	//
	// It can be used to assign a unique or shared
	// prefix. For instance, one or more KeyStores can
	// store secret keys under /keys/my-app/. In this
	// case you may set KeyStore.Location = "key/my-app".
	Location string

	// AppRole contains the Vault AppRole authentication
	// credentials.
	AppRole AppRole

	// K8S contains the Vault Kubernetes authentication
	// credentials.
	K8S Kubernetes

	// StatusPingAfter is the duration after which
	// the KeyStore will check the status of the Vault
	// server. In particular, this status information
	// is used to determine whether the Vault server
	// has been sealed or unsealed again.
	StatusPingAfter time.Duration

	// ErrorLog specifies an optional logger for errors
	// when K/V pairs cannot be stored, fetched, deleted
	// or contain invalid content.
	// If nil, logging is done via the log package's
	// standard logger.
	ErrorLog *log.Logger

	// Path to the mTLS client private key to authenticate to
	// the Vault server.
	ClientKeyPath string

	// Path to the mTLS client certificate to authenticate to
	// the Vault server.
	ClientCertPath string

	// Path to the root CA certificate(s) used to verify the
	// TLS certificate of the Vault server. If empty, the
	// host's root CA set is used.
	CAPath string

	// The Vault namespace used to separate and isolate different
	// organizations / tenants at the same Vault instance. If
	// non-empty, the Vault client will send the
	//   X-Vault-Namespace: Namespace
	// HTTP header on each request. For more information see:
	// https://www.vaultproject.io/docs/enterprise/namespaces/index.html
	Namespace string
	// contains filtered or unexported fields
}

Store is a key-value store that saves key-value pairs as entries on Vault's K/V secret backend.

func (*Store) Authenticate added in v0.7.0

func (s *Store) Authenticate(context context.Context) error

Authenticate tries to establish a connection to a Vault server using the AppRole credentials. It returns an error if no connection could be established, for instance because of invalid authentication credentials.

func (*Store) Create added in v0.7.0

func (s *Store) Create(ctx context.Context, name string, key key.Key) error

Create creates the given key-value pair at Vault if and only if the given key does not exist. If such an entry already exists it returns kes.ErrKeyExists.

func (*Store) Delete added in v0.7.0

func (s *Store) Delete(ctx context.Context, name string) error

Delete removes the value associated with the given key from Vault, if it exists.

func (*Store) Get added in v0.7.0

func (s *Store) Get(_ context.Context, name string) (key.Key, error)

Get returns the value associated with the given key. If no entry for the key exists it returns kes.ErrKeyNotFound.

func (*Store) List added in v0.13.0

func (s *Store) List(ctx context.Context) (key.Iterator, error)

List returns a new Iterator over the names of all stored keys.
