vault

package
v0.7.0
Published: Mar 31, 2020 License: AGPL-3.0 Imports: 12 Imported by: 0

Documentation

Overview

Package vault implements a secret key store that stores secret keys as key-value entries on the Hashicorp Vault K/V secret backend.

Vault is a KMS implementation with many features. This package only leverages the key-value store. For an introduction to Vault see: https://www.vaultproject.io/ For a K/V API overview see: https://www.vaultproject.io/api/secret/kv/kv-v1.html

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AppRole

type AppRole struct {
	ID     string // The AppRole ID
	Secret string // The AppRole secret ID
	Retry  time.Duration
}

AppRole holds the Vault AppRole authentication credentials and a duration after which the authentication should be retried whenever it fails.

type KMS added in v0.7.0

type KMS struct {
	// Addr is the HTTP address of the Vault server.
	Addr string

	// AppRole contains the Vault AppRole authentication
	// credentials.
	AppRole AppRole

	// StatusPingAfter is the duration after which
	// the KMS will check the status of the Vault
	// server. Particularly, this status information
	// is used to determine whether the Vault server
	// has been sealed resp. unsealed again.
	StatusPingAfter time.Duration

	// ErrorLog specifies an optional logger for errors
	// when an encryption or decryption request fails.
	// If nil, logging is done via the log package's
	// standard logger.
	ErrorLog *log.Logger

	// Path to the mTLS client private key to authenticate to
	// the Vault server.
	ClientKeyPath string

	// Path to the mTLS client certificate to authenticate to
	// the Vault server.
	ClientCertPath string

	// Path to the root CA certificate(s) used to verify the
	// TLS certificate of the Vault server. If empty, the
	// host's root CA set is used.
	CAPath string

	// The Vault namespace used to separate and isolate different
	// organizations / tenants at the same Vault instance. If
	// non-empty, the Vault client will send the
	//   X-Vault-Namespace: Namespace
	// HTTP header on each request. For more information see:
	// https://www.vaultproject.io/docs/enterprise/namespaces/index.html
	Namespace string
	// contains filtered or unexported fields
}

KMS is a Vault KMS client that implements the secret.KMS interface.

It can be used to encrypt secrets before storing them in a key store, and to decrypt them after fetching them from such a store.

func (*KMS) Authenticate added in v0.7.0

func (kms *KMS) Authenticate(context context.Context) error

Authenticate tries to establish a connection to a Vault server using the approle credentials. It returns an error if no connection could be established - for instance because of invalid authentication credentials.

func (*KMS) Decrypt added in v0.7.0

func (kms *KMS) Decrypt(key string, ciphertext []byte) ([]byte, error)

Decrypt tries to decrypt the given ciphertext with the given key using the Vault KMS. It returns the decrypted ciphertext as plaintext on success.

func (*KMS) Encrypt added in v0.7.0

func (kms *KMS) Encrypt(key string, plaintext []byte) ([]byte, error)

Encrypt tries to encrypt the given plaintext with the specified key at the Vault KMS instance. It returns the encrypted plaintext as ciphertext.

type Store added in v0.7.0

type Store struct {
	// Addr is the HTTP address of the Vault server.
	Addr string

	// Location is the location on Vault's K/V store
	// where this KeyStore will save secret keys.
	//
	// It can be used to assign an unique or shared
	// prefix. For instance one or more KeyStore can
	// store secret keys under /keys/my-app/. In this
	// case you may set KeyStore.Location = "key/my-app".
	Location string

	// AppRole contains the Vault AppRole authentication
	// credentials.
	AppRole AppRole

	// StatusPingAfter is the duration after which
	// the KeyStore will check the status of the Vault
	// server. Particularly, this status information
	// is used to determine whether the Vault server
	// has been sealed resp. unsealed again.
	StatusPingAfter time.Duration

	// ErrorLog specifies an optional logger for errors
	// when K/V pairs cannot be stored, fetched, deleted
	// or contain invalid content.
	// If nil, logging is done via the log package's
	// standard logger.
	ErrorLog *log.Logger

	// Path to the mTLS client private key to authenticate to
	// the Vault server.
	ClientKeyPath string

	// Path to the mTLS client certificate to authenticate to
	// the Vault server.
	ClientCertPath string

	// Path to the root CA certificate(s) used to verify the
	// TLS certificate of the Vault server. If empty, the
	// host's root CA set is used.
	CAPath string

	// The Vault namespace used to separate and isolate different
	// organizations / tenants at the same Vault instance. If
	// non-empty, the Vault client will send the
	//   X-Vault-Namespace: Namespace
	// HTTP header on each request. For more information see:
	// https://www.vaultproject.io/docs/enterprise/namespaces/index.html
	Namespace string
	// contains filtered or unexported fields
}

Store is a key-value store that saves key-value pairs as entries on Vault's K/V secret backend.

func (*Store) Authenticate added in v0.7.0

func (s *Store) Authenticate(context context.Context) error

Authenticate tries to establish a connection to a Vault server using the approle credentials. It returns an error if no connection could be established - for instance because of invalid authentication credentials.

func (*Store) Create added in v0.7.0

func (s *Store) Create(key, value string) error

Create creates the given key-value pair at Vault if and only if the given key does not exist. If such an entry already exists it returns kes.ErrKeyExists.

func (*Store) Delete added in v0.7.0

func (s *Store) Delete(key string) error

Delete removes the value associated with the given key from Vault, if it exists.

func (*Store) Get added in v0.7.0

func (s *Store) Get(key string) (string, error)

Get returns the value associated with the given key. If no entry for the key exists it returns kes.ErrKeyNotFound.
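As an added example (not the kes project's own code) of how a Create call with the documented if-and-only-if semantics and the X-Vault-Namespace header can be realised against the K/V v1 HTTP API. The K/V v1 request paths, the {key: value} entry layout, the token field and the error name are assumptions; AppRole login is not shown.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"path"
)

var ErrKeyExists = fmt.Errorf("key already exists") // stands in for kes.ErrKeyExists
// KVStore is a minimal stand-in for vault.Store on a K/V v1 mount; Token is assumed to come from an AppRole login.
type KVStore struct{ Addr, Location, Namespace, Token string }

// do issues one K/V v1 request for key and returns the HTTP status code.
func (s *KVStore) do(method, key string, body []byte) (int, error) {
	req, err := http.NewRequest(method, s.Addr+path.Join("/v1", s.Location, key), bytes.NewReader(body))
	if err != nil {
		return 0, err
	}
	req.Header.Set("X-Vault-Token", s.Token)
	if s.Namespace != "" { // tenant isolation header described in the docs above
		req.Header.Set("X-Vault-Namespace", s.Namespace)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// Create writes key=value only if the key is absent. Vault answers 404 for a missing K/V v1 path;
// any other non-2xx status is an error, never "absent". K/V v1 has no compare-and-set, so it is two requests.
func (s *KVStore) Create(key, value string) error {
	status, err := s.do(http.MethodGet, key, nil)
	switch {
	case err != nil:
		return err
	case status == http.StatusOK:
		return ErrKeyExists
	case status != http.StatusNotFound:
		return fmt.Errorf("vault: existence check returned %d", status)
	}
	body, _ := json.Marshal(map[string]string{key: value}) // entry layout {key: value} is assumed
	if status, err = s.do(http.MethodPut, key, body); err != nil || status/100 != 2 {
		return fmt.Errorf("vault: write failed (status %d): %v", status, err)
	}
	return nil
}
```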
