Documentation ¶
Index ¶
- Constants
- func NewIBMKpSecretStorage(secretConfig map[string]interface{}) (secrets.Secrets, error)
- func NewKMIPSecretStorage(secretConfig map[string]interface{}) (secrets.Secrets, error)
- func RegisterDriver(name string, ctor DriverCtor) error
- func StatusValid(st corev1.ConditionStatus) bool
- type Driver
- func NewDriver(dType string, name string, namespace string, uid string) Driver
- func NewIBM(name string, namespace string, uid string) Driver
- func NewK8S(name string, namespace string, uid string) Driver
- func NewKMIP(name string, namespace string, uid string) Driver
- func NewVault(name string, namespace string, uid string) Driver
- type DriverCtor
- type IBM
- func (i *IBM) Config(config map[string]string, tokenSecretName, namespace string) (map[string]interface{}, error)
- func (*IBM) DeleteContext() map[string]string
- func (*IBM) GetContext() map[string]string
- func (i *IBM) Name() string
- func (i *IBM) Path() string
- func (*IBM) SetContext() map[string]string
- func (*IBM) Version(kms *KMS) Version
- type K8S
- func (k *K8S) Config(map[string]string, string, string) (map[string]interface{}, error)
- func (k *K8S) DeleteContext() map[string]string
- func (k *K8S) GetContext() map[string]string
- func (*K8S) Name() string
- func (k *K8S) Path() string
- func (k *K8S) SetContext() map[string]string
- func (k *K8S) Version(kms *KMS) Version
- type KMIP
- func (*KMIP) Config(config map[string]string, tokenSecretName, namespace string) (map[string]interface{}, error)
- func (k *KMIP) DeleteContext() map[string]string
- func (k *KMIP) GetContext() map[string]string
- func (k *KMIP) Name() string
- func (k *KMIP) Path() string
- func (k *KMIP) SetContext() map[string]string
- func (k *KMIP) Version(kms *KMS) Version
- type KMIPSecretStorage
- func (*KMIPSecretStorage) Decrypt(secretID string, encryptedData string, keyContext map[string]string) (string, error)
- func (k *KMIPSecretStorage) DeleteSecret(secretID string, keyContext map[string]string) error
- func (*KMIPSecretStorage) Encrypt(secretID string, plaintTextData string, keyContext map[string]string) (string, error)
- func (k *KMIPSecretStorage) GetSecret(secretID string, keyContext map[string]string) (map[string]interface{}, error)
- func (*KMIPSecretStorage) ListSecrets() ([]string, error)
- func (k *KMIPSecretStorage) PutSecret(secretID string, plainText map[string]interface{}, ...) error
- func (*KMIPSecretStorage) Rencrypt(originalSecretID string, newSecretID string, ...) (string, error)
- func (*KMIPSecretStorage) String() string
- type KMS
- type SecretReconciler
- type SecretStorage
- type Vault
- func (*Vault) Config(config map[string]string, tokenSecretName, namespace string) (map[string]interface{}, error)
- func (v *Vault) DeleteContext() map[string]string
- func (v *Vault) GetContext() map[string]string
- func (v *Vault) Name() string
- func (v *Vault) Path() string
- func (v *Vault) SetContext() map[string]string
- func (*Vault) Version(kms *KMS) Version
- type Version
- type VersionBase
- type VersionRotatingSecret
- type VersionSingleSecret
Constants ¶
const (
	// IbmKpSecretStorageName is the KMS backend name registered for IBM Key Protect.
	IbmKpSecretStorageName = "ibmkeyprotect"
	// IbmServiceAPIKey is the config key carrying the IBM service ID API key.
	// NOTE(review): this value is a long-lived credential. It should be sourced from a
	// Kubernetes Secret and never land in a ConfigMap or a log line — confirm at the caller.
	IbmServiceAPIKey = "IBM_KP_SERVICE_API_KEY"
	// IbmInstanceIDKey is the config key carrying the Key Protect service instance ID.
	IbmInstanceIDKey = "IBM_KP_SERVICE_INSTANCE_ID"
	// IbmBaseURLKey is the config key carrying the Key Protect service base URL.
	// NOTE(review): presumably expected to be an https URL; no validation is visible on this page.
	IbmBaseURLKey = "IBM_KP_BASE_URL"
	// IbmTokenURLKey is the config key carrying the Key Protect service token URL
	// (presumably the IAM endpoint that exchanges the API key for a bearer token — confirm).
	IbmTokenURLKey = "IBM_KP_TOKEN_URL"
)
// KMIP client config options: keys looked up in the KMS connection details and,
// for the certificate material, presumably in the Kubernetes Secret named by
// KMIP_CERTS_SECRET — confirm against the KMIP driver's Config.
const (
	// KMIPEndpoint is the config key for the KMIP server address.
	KMIPEndpoint = "KMIP_ENDPOINT"
	// KMIPSecret is the config key naming the Secret that holds the TLS material
	// (CA_CERT, CLIENT_CERT, CLIENT_KEY) — presumably; see the KMIP* keys below.
	KMIPSecret = "KMIP_CERTS_SECRET"
	// KMIPUniqueID matches the KMIP "UniqueIdentifier" attribute name; presumably the
	// key under which the server-side key identifier is kept in the key context.
	KMIPUniqueID = "UniqueIdentifier"
	// KMIPTLSServerName is the config key for the server name the TLS client verifies
	// the KMIP server certificate against (SNI / hostname check).
	// NOTE(review): confirm that an empty value falls back to the endpoint host rather
	// than disabling hostname verification.
	KMIPTLSServerName = "TLS_SERVER_NAME"
	// KMIPReadTimeOut and KMIPWriteTimeOut override the network timeouts
	// (defaults: KMIPDefaulReadTimeout / KMIPDefaulWriteTimeout).
	KMIPReadTimeOut  = "READ_TIMEOUT"
	KMIPWriteTimeOut = "WRITE_TIMEOUT"
	// KMPSecret is the key under which the secret value itself is carried.
	// (The identifier is spelled KMP rather than KMIP; kept as-is for compatibility.)
	KMPSecret = "secret"
	// KMIPCACERT, KMIPCLIENTCERT and KMIPCLIENTKEY are the keys of the CA bundle, the
	// client certificate and the client private key used for mutual TLS to the KMIP
	// server. The client key is sensitive material and must be treated as a secret.
	KMIPCACERT     = "CA_CERT"
	KMIPCLIENTCERT = "CLIENT_CERT"
	KMIPCLIENTKEY  = "CLIENT_KEY"
)
const (
	// KMIPSecretStorageName is the KMS backend name registered for KMIP.
	KMIPSecretStorageName = "kmip"
	// KMIPDefaulReadTimeout is the default read network timeout, used when
	// READ_TIMEOUT is not configured. (Identifier misspelling kept for compatibility.)
	// NOTE(review): units are not stated here — presumably seconds; confirm in the KMIP client.
	KMIPDefaulReadTimeout = 10
	// KMIPDefaulWriteTimeout is the default write network timeout, used when
	// WRITE_TIMEOUT is not configured. Same unit caveat as above.
	KMIPDefaulWriteTimeout = 10
)
// Vault authentication config options: keys looked up in the KMS connection
// details. They are named after the environment variables the Vault client uses.
const (
	// VaultAddr is the Vault server address.
	VaultAddr = "VAULT_ADDR"
	// VaultCaCert is the CA certificate used to verify the Vault server certificate.
	VaultCaCert = "VAULT_CACERT"
	// VaultClientCert and VaultClientKey are the client certificate and private key
	// for mutual TLS; the key is sensitive material.
	VaultClientCert = "VAULT_CLIENT_CERT"
	VaultClientKey  = "VAULT_CLIENT_KEY"
	// VaultSkipVerify disables verification of the Vault server certificate.
	// NOTE(review): with verification off, the Vault token and the root master key
	// travel to whatever answers at VAULT_ADDR — an on-path attacker can read both.
	// This must never be set outside throwaway test environments.
	VaultSkipVerify = "VAULT_SKIP_VERIFY"
	// VaultToken is the Vault authentication token, a bearer credential that grants
	// everything its policies allow. NOTE(review): it should be read from a Kubernetes
	// Secret (presumably the tokenSecretName passed to Driver.Config), never from a
	// ConfigMap — confirm at the caller.
	VaultToken = "VAULT_TOKEN"
	// RootSecretPath is the Vault path under which the NooBaa root master key is kept.
	RootSecretPath = "NOOBAA_ROOT_SECRET_PATH"
)
const (
	// ActiveRootKey is the key whose value names the currently active root key
	// (presumably the entry in the rotating-secret map that points at the live key —
	// confirm against VersionRotatingSecret).
	ActiveRootKey = "active_root_key"
)
const (
	// Provider is the connection-details key selecting the backend type
	// (the value is a driver type name such as those registered via RegisterDriver).
	Provider = "KMS_PROVIDER"
)
////////////////////////////////////////////////////////////////////////// ///////// KMS provides uniform access to several backend types /////////// //////////////////////////////////////////////////////////////////////////
Functions ¶
func NewIBMKpSecretStorage ¶
NewIBMKpSecretStorage constructs the IBM Key Protect backend (ibmKpSecretStorage) from secretConfig, which is presumably keyed by the Ibm* constants. Note that the IBM_KP_SERVICE_API_KEY entry is a credential and must be handled as one by the caller.
func NewKMIPSecretStorage ¶ added in v5.12.4
NewKMIPSecretStorage constructs the KMIP backend (KMIPSecretStorage) from secretConfig, which is presumably keyed by the KMIP* constants. The backend talks to the KMIP server over mutual TLS, so the CA bundle, client certificate and client key are expected to be present in the config.
func RegisterDriver ¶
func RegisterDriver(name string, ctor DriverCtor) error
RegisterDriver registers the Driver constructor ctor under the backend name, making it selectable through NewDriver.
func StatusValid ¶ added in v5.13.0
func StatusValid(st corev1.ConditionStatus) bool
StatusValid returns true if the status is valid, false otherwise.
Types ¶
type Driver ¶
// Driver is a backend-type-specific driver interface for the libopenstorage/secrets
// framework. Each backend (k8s, vault, ibm, kmip) supplies one implementation.
type Driver interface {
	// Path returns the backend-specific path under which the secret lives.
	Path() string
	// Name returns the backend name (e.g. "kmip", "ibmkeyprotect") used to select
	// the secrets.Secrets implementation.
	Name() string
	// Config builds the secrets.Secrets config map from the KMS connection details
	// and the Kubernetes Secret named tokenSecretName in namespace. NOTE(review):
	// the token Secret is presumably where credentials such as VAULT_TOKEN or the IBM
	// API key are read from; confirm per driver so credentials never come from
	// connectionDetails.
	Config(connectionDetails map[string]string, tokenSecretName, namespace string) (map[string]interface{}, error)
	// GetContext, SetContext and DeleteContext return the keyContext handed to the
	// corresponding secrets.Secrets operation (GetSecret, PutSecret, DeleteSecret).
	GetContext() map[string]string
	SetContext() map[string]string
	DeleteContext() map[string]string
	// Version returns the storage model (single secret or rotating map) for k.
	Version(k *KMS) Version
}
func NewDriver ¶
NewDriver returns a new KMS Driver for the backend identified by dType; name, namespace and uid identify the NooBaa system the driver serves.
type DriverCtor ¶
DriverCtor is a Driver constructor function type
type IBM ¶
// IBM is the NooBaa root master key driver backed by ibmKpSecretStorage
// (IBM Key Protect).
type IBM struct {
	UID string // NooBaa system UID
}
func (*IBM) Config ¶
func (i *IBM) Config(config map[string]string, tokenSecretName, namespace string) (map[string]interface{}, error)
Config builds the IBM Key Protect secret config from the connection details in config and, presumably, the Kubernetes Secret named tokenSecretName in namespace (where the service API key is expected to live — confirm).
func (*IBM) DeleteContext ¶
DeleteContext returns context used for secret delete operation
func (*IBM) GetContext ¶
GetContext returns context used for secret get operation
func (*IBM) SetContext ¶
SetContext returns context used for secret set operation
type K8S ¶
// K8S is the Kubernetes driver (presumably keeping the root master key in a
// Kubernetes Secret — confirm; no backend details are visible on this page).
type K8S struct {
	// contains filtered or unexported fields
}
func (*K8S) DeleteContext ¶
DeleteContext returns context used for secret delete operation
func (*K8S) GetContext ¶
GetContext returns context used for secret get operation
func (*K8S) SetContext ¶
SetContext returns context used for secret set operation
type KMIP ¶ added in v5.12.4
// KMIP is the KMIP driver. It carries no state; all connection parameters come
// from the config map passed to Config.
type KMIP struct{}
func (*KMIP) Config ¶ added in v5.12.4
func (*KMIP) Config(config map[string]string, tokenSecretName, namespace string) (map[string]interface{}, error)
Config returns this driver secret config
func (*KMIP) DeleteContext ¶ added in v5.12.4
DeleteContext returns context used for secret delete operation
func (*KMIP) GetContext ¶ added in v5.12.4
GetContext returns context used for secret get operation
func (*KMIP) SetContext ¶ added in v5.12.4
SetContext returns context used for secret set operation
type KMIPSecretStorage ¶ added in v5.12.4
// KMIPSecretStorage is a KMIP backend Key Management System (KMS) that implements
// the libopenstorage Secrets interface. Only GetSecret, PutSecret and DeleteSecret
// are functional; Encrypt, Decrypt, Rencrypt and ListSecrets are not supported.
type KMIPSecretStorage struct {
	// contains filtered or unexported fields
}
func (*KMIPSecretStorage) Decrypt ¶ added in v5.12.4
func (*KMIPSecretStorage) Decrypt( secretID string, encryptedData string, keyContext map[string]string, ) (string, error)
Decrypt is not supported by the KMIP backend; callers must not rely on it.
func (*KMIPSecretStorage) DeleteSecret ¶ added in v5.12.4
func (k *KMIPSecretStorage) DeleteSecret( secretID string, keyContext map[string]string, ) error
DeleteSecret deletes the secret data associated with the supplied secretId.
func (*KMIPSecretStorage) Encrypt ¶ added in v5.12.4
func (*KMIPSecretStorage) Encrypt( secretID string, plaintTextData string, keyContext map[string]string, ) (string, error)
Encrypt is not supported by the KMIP backend; callers must not rely on it.
func (*KMIPSecretStorage) GetSecret ¶ added in v5.12.4
func (k *KMIPSecretStorage) GetSecret( secretID string, keyContext map[string]string, ) (map[string]interface{}, error)
GetSecret returns the secret data associated with the supplied secretId.
func (*KMIPSecretStorage) ListSecrets ¶ added in v5.12.4
func (*KMIPSecretStorage) ListSecrets() ([]string, error)
ListSecrets is not supported by the KMIP backend; callers must not rely on it.
func (*KMIPSecretStorage) PutSecret ¶ added in v5.12.4
func (k *KMIPSecretStorage) PutSecret( secretID string, plainText map[string]interface{}, keyContext map[string]string, ) error
PutSecret associates secretID with the secret data given in plainText and stores it in the secret backend.
func (*KMIPSecretStorage) Rencrypt ¶ added in v5.12.4
func (*KMIPSecretStorage) Rencrypt( originalSecretID string, newSecretID string, originalKeyContext map[string]string, newKeyContext map[string]string, encryptedData string, ) (string, error)
Rencrypt is not supported by the KMIP backend; callers must not rely on it.
func (*KMIPSecretStorage) String ¶ added in v5.12.4
func (*KMIPSecretStorage) String() string
String representation of this implementation
type KMS ¶
// KMS implements the SecretStorage interface on top of a backend implementation of
// secrets.Secrets, using a backend-type-specific Driver. (The original doc refers to
// a "SingleSecret" interface; no such type appears on this page — presumably it
// predates the Version split.)
type KMS struct {
	secrets.Secrets // backend secrets interface (e.g. KMIPSecretStorage)
	Version         // KMS backend version: single secret or rotating/map
	Type string     // backend system type: k8s, vault, ibm and kmip are supported
	// contains filtered or unexported fields
}
type SecretReconciler ¶ added in v5.13.0
// SecretReconciler is the interface exposed and implemented by the System reconciler.
// The Version implementation is responsible for calling the appropriate method:
// ReconcileSecretString for the single-secret model, ReconcileSecretMap for the
// rotating (map) model.
type SecretReconciler interface {
	ReconcileSecretString(val string) error
	ReconcileSecretMap(val map[string]string) error
}
type SecretStorage ¶ added in v5.13.0
// SecretStorage represents a key secret storage. Several backend types are
// implemented; more could be added.
type SecretStorage interface {
	// Get fetches the secret string/map from the KMS.
	Get() error
	// Set stores value as the active master root key secret in the KMS.
	// NOTE(review): value is plaintext key material — keep it out of logs and errors.
	Set(value string) error
	// Delete removes the secret string/map from the KMS.
	Delete() error
	// Reconcile hands the secret data to the system reconciler, which exposes it to
	// the NooBaa pods.
	Reconcile(r SecretReconciler) error
}
type Vault ¶
// Vault is the HashiCorp Vault driver.
type Vault struct {
	UID string // NooBaa system UID
}
func (*Vault) Config ¶
func (*Vault) Config(config map[string]string, tokenSecretName, namespace string) (map[string]interface{}, error)
Config returns this driver secret config
func (*Vault) DeleteContext ¶
DeleteContext returns context used for secret delete operation
func (*Vault) GetContext ¶
GetContext returns context used for secret get operation
func (*Vault) SetContext ¶
SetContext returns context used for secret set operation
type Version ¶ added in v5.13.0
// Version extracts the version-specific code for the two existing KMS models:
// single secret and rotating secret (a.k.a. map). Both flavors implement the
// SecretStorage interface.
type Version interface {
	SecretStorage
	// Upgrade presumably migrates stored data from an older layout — confirm
	// against the two implementations.
	Upgrade() error
}
type VersionBase ¶ added in v5.13.0
// VersionBase holds the fields shared by the string and map models of the KMS.
type VersionBase struct {
	// contains filtered or unexported fields
}
type VersionRotatingSecret ¶ added in v5.13.0
// VersionRotatingSecret implements the SecretStorage interface for the rotating
// root master key, modeled as a map (with ActiveRootKey presumably naming the live
// entry — confirm).
type VersionRotatingSecret struct {
	VersionBase
	// contains filtered or unexported fields
}
func (*VersionRotatingSecret) Delete ¶ added in v5.13.0
func (v *VersionRotatingSecret) Delete() error
Delete implements SecretStorage interface for the secret map, i.e. rotating master root key
func (*VersionRotatingSecret) Get ¶ added in v5.13.0
func (v *VersionRotatingSecret) Get() error
Get implements SecretStorage interface for the secret map, i.e. rotating master root key
func (*VersionRotatingSecret) Reconcile ¶ added in v5.13.0
func (v *VersionRotatingSecret) Reconcile(r SecretReconciler) error
Reconcile hands the secret map, i.e. the rotating master root key, to the system reconciler (which exposes it to the NooBaa pods).
func (*VersionRotatingSecret) Set ¶ added in v5.13.0
func (v *VersionRotatingSecret) Set(val string) error
Set implements SecretStorage interface for the secret map, i.e. rotating master root key
func (*VersionRotatingSecret) Upgrade ¶ added in v5.13.0
func (v *VersionRotatingSecret) Upgrade() error
Upgrade implements SecretStorage interface for the secret map, i.e. rotating master root key
type VersionSingleSecret ¶ added in v5.13.0
// VersionSingleSecret implements the Version interface for the single-string KMS
// secret. It is a defined type (not an alias) over VersionBase, so it carries its
// own method set (Get, Set, Delete, Reconcile, Upgrade).
type VersionSingleSecret VersionBase
func (*VersionSingleSecret) Delete ¶ added in v5.13.0
func (v *VersionSingleSecret) Delete() error
Delete implements SecretStorage interface for single string secret
func (*VersionSingleSecret) Get ¶ added in v5.13.0
func (v *VersionSingleSecret) Get() error
Get implements SecretStorage interface for single string secret
func (*VersionSingleSecret) Reconcile ¶ added in v5.13.0
func (v *VersionSingleSecret) Reconcile(r SecretReconciler) error
Reconcile hands the single-string master root key to the system reconciler (which exposes it to the NooBaa pods).
func (*VersionSingleSecret) Set ¶ added in v5.13.0
func (v *VersionSingleSecret) Set(val string) error
Set implements SecretStorage interface for single string secret
func (*VersionSingleSecret) Upgrade ¶ added in v5.13.0
func (v *VersionSingleSecret) Upgrade() error
Upgrade implements SecretStorage interface for single string secret