Documentation
¶
Index ¶
- type APIConfig
- type APIPathConfig
- type AWSSecretsManagerKeyStore
- type AzureKeyVaultKeyStore
- type CacheConfig
- type EntrustKeyControlKeyStore
- type FSKeyStore
- type File
- type FortanixKeyStore
- type GCPSecretManagerKeyStore
- type Key
- type KeySecureKeyStore
- type KeyStore
- type LogConfig
- type Policy
- type TLSConfig
- type VaultAppRoleAuth
- type VaultKeyStore
- type VaultKubernetesAuth
- type VaultTransit
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type APIConfig ¶
type APIConfig struct {
// Paths contains a set of API paths and there
// API configuration.
Paths map[string]APIPathConfig
}
APIConfig is a structure that holds the API configuration for a KES server.
type APIPathConfig ¶
type APIPathConfig struct {
// Timeout is the duration after which the API response
// with a HTTP timeout error response. If Timeout is
// zero the API default is used.
Timeout time.Duration
// InsecureSkipAuth controls whether the API verifies
// client identities. If InsecureSkipAuth is true,
// the API accepts requests from arbitrary identities.
// In this mode, the API can be used by anyone who can
// communicate to the KES server over HTTPS.
// This should only be set for testing or in certain
// cases for APIs that don't expose sensitive information,
// like metrics.
InsecureSkipAuth bool
}
APIPathConfig is a structure that holds the API configuration for one particular KES API.
type AWSSecretsManagerKeyStore ¶
type AWSSecretsManagerKeyStore struct {
// Endpoint is the AWS SecretsManager endpoint.
// AWS SecretsManager endpoints have the following
// schema:
// secrestmanager[-fips].<region>.amanzonaws.com
Endpoint string
// Region is the AWS region the SecretsManager is
// located.
Region string
// KMSKey is the AWS-KMS key ID (CMK-ID) used to
// to en/decrypt secrets managed by the SecretsManager.
// If empty, the default AWS KMS key is used.
KMSKey string
// AccessKey is the access key for authenticating to AWS.
AccessKey string
// SecretKey is the secret key for authenticating to AWS.
SecretKey string
// SessionToken is an optional session token for authenticating
// to AWS.
SessionToken string
}
AWSSecretsManagerKeyStore is a structure containing the configuration for AWS SecretsManager.
type AzureKeyVaultKeyStore ¶
type AzureKeyVaultKeyStore struct {
// Endpoint is the Azure KeyVault endpoint.
Endpoint string
// TenantID is the ID of the Azure KeyVault tenant.
TenantID string
// ClientID is the ID of the client accessing
// Azure KeyVault.
ClientID string
// ClientSecret is the client secret accessing the
// Azure KeyVault.
ClientSecret string
// ManagedIdentityClientID is the client ID of the
// Azure managed identity that access the KeyVault.
ManagedIdentityClientID string
}
AzureKeyVaultKeyStore is a structure containing the configuration for Azure KeyVault.
type CacheConfig ¶
type CacheConfig struct {
// Expiry is the time period after which any cache entries in
// the key cache are discarded. It determines how often the KES
// server has to fetch a secret key from the KMS backend.
Expiry time.Duration
// ExpiryUnused is the time period after which all unused
// cache entries in the key cache are discarded. It determines
// how often "not frequently" used secret keys must be fetched from
// the KMS backend.
ExpiryUnused time.Duration
// ExpiryOffline is the time period after which any cache
// entries in the offline cache are discarded.
//
// It determines how long the KES server can serve stateless
// requests when the keystore has become unavailable -
// e.g. due to a network outage.
//
// ExpiryOffline is only used while the keystore backend is not
// available. As long as the keystore is available, the regular
// cache expiry periods apply.
ExpiryOffline time.Duration
}
CacheConfig is a structure that holds the Cache configuration for a KES server.
type EntrustKeyControlKeyStore ¶
type EntrustKeyControlKeyStore struct {
// Endpoint is the Entrust KeyControl endpoint.
Endpoint string
// VaultID is the KeyControl Vault UUID.
VaultID string
// BoxID is the KeyControl box ID or name within the Vault.
BoxID string
// Username is the username used for authentication.
Username string
// Password is the password associated with the provided username.
Password string
// CAPath is an optional path to the root
// CA certificate(s) for verifying the TLS
// certificate of the KeyControl server.
//
// If empty, the OS default root CA set is
// used.
CAPath string
}
EntrustKeyControlKeyStore is a structure containing the configuration for Entrust KeyControl.
type FSKeyStore ¶
type FSKeyStore struct {
// Path is the path to the directory that
// contains the keys.
//
// If the directory does not exist, it
// will be created.
Path string
}
FSKeyStore is a structure containing the configuration for a simple filesystem keystore.
A FSKeyStore should only be used when testing a KES server.
type File ¶
type File struct {
// Addr is the network interface address
// and optional port the KES server will
// listen on and accept HTTP requests.
//
// If only a port number is specified,
// e.g. ":7373", the KES server listens
// on all available network interfaces.
//
// When a specific IP address is specified,
// e.g. "127.0.0.1:7373", then KES server
// listens on only this specific network
// interface.
Addr string
// Admin is the KES server admin identity.
Admin kes.Identity
// TLS contains the KES server TLS configuration.
TLS *TLSConfig
// Cache contains the KES server cache configuration.
Cache *CacheConfig
// Log contains the KES server logging configuration.
Log *LogConfig
// API contains the KES server API configuration.
API *APIConfig
// Policies contains the KES server policy definitions
// and statical identity assignments.
Policies map[string]Policy
// Keys contains pre-defined keys that the KES server will
// either create, or expect to exist, before accepting requests.
Keys []Key
// KeyStore contains the KES server keystore configuration.
// The KeyStore manages the keys used by the KES server for
// encryption and decryption.
KeyStore KeyStore
}
File is a structure that holds the content of a KES server configuration file.
func ReadFile ¶
ReadFile opens the given file and reads the KES configuration from it by calling ReadFrom.
type FortanixKeyStore ¶
type FortanixKeyStore struct {
// Endpoint is the endpoint of the Fortanix KMS.
Endpoint string
// GroupID is the ID of the access control group.
GroupID string
// APIKey is the API key for authenticating to
// the Fortanix KMS.
APIKey string
// CAPath is an optional path to the root
// CA certificate(s) for verifying the TLS
// certificate of the Hashicorp Vault server.
//
// If empty, the OS default root CA set is
// used.
CAPath string
}
FortanixKeyStore is a structure containing the configuration for Fortanix SDKMS.
type GCPSecretManagerKeyStore ¶
type GCPSecretManagerKeyStore struct {
// ProjectID is the GCP project ID.
ProjectID string
// Endpoint is the GCP project ID. If empty,
// defaults to:
// secretmanager.googleapis.com:443
Endpoint string
// Scopes are GCP OAuth2 scopes for accessing
// GCP APIs. If empty, defaults to the GCP
// default scopes.
Scopes []string
// ClientEmail is the Client email of the
// GCP service account used to access the
// SecretManager.
ClientEmail string
// ClientID is the Client ID of the GCP
// service account used to access the
// SecretManager.
ClientID string
// KeyID is the private key ID of the GCP
// service account used to access the
// SecretManager.
KeyID string
// Key is the private key of the GCP
// service account used to access the
// SecretManager.
Key string
}
GCPSecretManagerKeyStore is a structure containing the configuration for GCP SecretManager.
type Key ¶
type Key struct {
// Name is the name of the cryptographic key.
Name string
}
Key is a structure defining a cryptographic key that the KES server will create or ensure exists before startup.
type KeySecureKeyStore ¶
type KeySecureKeyStore struct {
// Endpoint is the endpoint to the KeySecure server.
Endpoint string
// Token is the refresh authentication token to
// access the KeySecure server.
Token string
// Domain is the isolated namespace within the
// KeySecure server. If empty, defaults to the
// top-level / root domain.
Domain string
// CAPath is an optional path to the root
// CA certificate(s) for verifying the TLS
// certificate of the KeySecure server.
//
// If empty, the OS default root CA set is
// used.
CAPath string
}
KeySecureKeyStore is a structure containing the configuration for Gemalto KeySecure / Thales CipherTrust Manager.
type KeyStore ¶
type KeyStore interface {
// Connect establishes and returns a new connection
// to the keystore.
Connect(ctx context.Context) (kes.KeyStore, error)
}
KeyStore is a KES keystore configuration.
Concrete instances implement Connect to return a connection to a concrete keystore.
type LogConfig ¶
type LogConfig struct {
// Error determines whether the KES server logs error events to STDERR.
// It does not en/disable error logging in general.
ErrLevel slog.Level
// Audit determines whether the KES server logs audit events to STDOUT.
// It does not en/disable audit logging in general.
AuditLevel slog.Level
}
LogConfig is a structure that holds the logging configuration for a KES server.
type Policy ¶
type Policy struct {
// Allow is the list of API path patterns
// that are explicitly allowed.
Allow []string
// Deny is the list of API path patterns
// that are explicitly denied.
Deny []string
// Identities is a list of KES identities
// that are assigned to this policy.
//
// It must not contain the admin or any
// TLS proxy identity.
Identities []kes.Identity
}
Policy is a structure defining a KES policy.
Any request issued by a KES identity is validated by the associated allow and deny patterns. A request is accepted if and only if no deny pattern and at least one allow pattern matches the request.
type TLSConfig ¶
type TLSConfig struct {
// PrivateKey is the path to the KES server's TLS private key.
PrivateKey string
// Certificate is the path to the KES server's TLS certificate.
Certificate string
// Password is an optional password to decrypt the KES server's
// private key.
Password string
// ClientAuth is the client authentication type the KES server
// uses to verify client certificates.
//
// Most applications should use tls.RequestClientCert.
ClientAuth tls.ClientAuthType
// CAPath is an optional path to a X.509 certificate or directory
// containing X.509 certificates that the KES server uses, in
// addition to the system root certificates, as authorities when
// verify client certificates.
//
// If empty, the KES server will only use the system root
// certificates.
CAPath string
// Proxies contains a list of TLS proxy identities.
// The KES identity of any TLS/HTTPS proxy sitting directly
// in-front of KES has to be included in this list. A KES
// server will only accept forwarded client requests from
// proxies listed here.
Proxies []kes.Identity
// ForwardCertHeader is the HTTP header key used by any
// TLS / HTTPS proxy to forward the actual client certificate
// to KES.
ForwardCertHeader string
}
TLSConfig is a structure that holds the TLS configuration for a KES server.
type VaultAppRoleAuth ¶
type VaultAppRoleAuth struct {
// Engine is the AppRole authentication engine path.
// If empty, defaults to "approle".
Engine string
// AppRoleID is the AppRole access ID for authenticating
// to Hashicorp Vault via the AppRole method.
ID string
// AppRoleSecret is the AppRole access secret for authenticating
// to Hashicorp Vault via the AppRole method.
Secret string
}
VaultAppRoleAuth is a structure containing the configuration for the Hashicorp Vault AppRole authentication method.
type VaultKeyStore ¶
type VaultKeyStore struct {
// Endpoint is the Hashicorp Vault endpoint.
Endpoint string
// Namespace is an optional Hashicorp Vault namespace.
// An empty namespace means no particular namespace
// is used.
Namespace string
// APIVersion is the API version of the Hashicorp Vault
// K/V engine. Valid values are: "v1" and "v2".
// If empty, defaults to "v1".
APIVersion string
// Engine is the Hashicorp Vault K/V engine path.
// If empty, defaults to "kv".
Engine string
// Prefix is an optional prefix / directory within the
// K/V engine.
// If empty, keys will be stored at the K/V engine top
// level.
Prefix string
// AppRole contains the Vault AppRole authentication
// method credentials.
AppRole *VaultAppRoleAuth
// Kubernetes contains the Vault Kubernetes authentication
// method credentials.
Kubernetes *VaultKubernetesAuth
// Transit contains the Vault transit encryption engine
// configuration for en/decrypting K/V entries with a
// key managed by Vault.
//
// This is an optional and additional layer of encryption.
// Since Vault manages and encrypts K/V values in any case,
// using the transit engine is usually not necessary.
Transit *VaultTransit
// PrivateKey is an optional path to a
// TLS private key file containing a
// TLS private key for mTLS authentication.
//
// If empty, mTLS authentication is disabled.
PrivateKey string
// Certificate is an optional path to a
// TLS certificate file containing a
// TLS certificate for mTLS authentication.
//
// If empty, mTLS authentication is disabled.
Certificate string
// CAPath is an optional path to the root
// CA certificate(s) for verifying the TLS
// certificate of the Hashicorp Vault server.
//
// If empty, the OS default root CA set is
// used.
CAPath string
// StatusPing controls how often to Vault health status
// is checked.
// If not set, defaults to 10s.
StatusPing time.Duration
}
VaultKeyStore is a structure containing the configuration for Hashicorp Vault.
type VaultKubernetesAuth ¶
type VaultKubernetesAuth struct {
// Engine is the Kubernetes authentication engine path.
// If empty, defaults to "kubernetes".
Engine string
// KubernetesRole is the login role for authenticating via the
// kubernetes authentication method.
Role string
// KubernetesJWT is either the JWT or a path to a file containing
// the JWT for for authenticating via the kubernetes authentication
// method.
JWT string
}
VaultKubernetesAuth is a structure containing the configuration for the Hashicorp Vault Kubernetes authentication method.
type VaultTransit ¶
type VaultTransit struct {
// Engine is the Transit encryption engine path.
// If empty, defaults to "transit".
Engine string
// KeyName is the name of the key used for en/decryption.
KeyName string
}
VaultTransit is a structure containing the configuration for the Hashicorp Vault transit encryption engine.
Source Files
Click to show internal directories.
Click to hide internal directories.