Documentation ¶
Index ¶
- Constants
- func CreateOrUpdateVault(vault *v1alpha1.Vault, vaultOperatorClient versioned.Interface, ns string) error
- func DeleteVault(vaultOperatorClient versioned.Interface, name string, ns string) error
- func FindVault(vaultOperatorClient versioned.Interface, name string, ns string) bool
- func GetAuthSaName(vault v1alpha1.Vault) string
- func GetVault(vaultOperatorClient versioned.Interface, name string, ns string) (*v1alpha1.Vault, error)
- func GetVaults(client kubernetes.Interface, vaultOperatorClient versioned.Interface, ...) ([]*vault.Vault, error)
- func NewVaultCRD(kubeClient kubernetes.Interface, name string, ns string, ...) (*v1alpha1.Vault, error)
- func SystemVaultName(kuber kube.Kuber) (string, error)
- func SystemVaultNameForCluster(clusterName string) string
- type AWSConfig
- type AWSSealConfig
- type AzureConfig
- type AzureSealConfig
- type AzureStorageConfig
- type CloudProviderConfig
- func PrepareAWSVaultCRD(awsServiceAccountSecretName string, awsConfig *AWSConfig) (CloudProviderConfig, error)
- func PrepareAzureVaultCRD(azureConfig *AzureConfig) (CloudProviderConfig, error)
- func PrepareGKEVaultCRD(gcpServiceAccountSecretName string, gcpConfig *GCPConfig) (CloudProviderConfig, error)
- type DynamoDBConfig
- type GCPConfig
- type GCPSealConfig
- type GCSConfig
- type Listener
- type OptionsInterface
- type Seal
- type SecretEngine
- type Selector
- type Storage
- type Tcp
- type Telemetry
- type VaultAuth
- type VaultAuths
- type VaultClientFactory
- func NewInteractiveVaultClientFactory(options OptionsInterface) (*VaultClientFactory, error)
- func NewVaultClientFactory(kubeClient kubernetes.Interface, vaultOperatorClient versioned.Interface, ...) (*VaultClientFactory, error)
- func NewVaultClientFactoryWithSelector(kubeClient kubernetes.Interface, selector Selector, defaultNamespace string) (*VaultClientFactory, error)
- func NewVaultClientFactoryWithoutSelector(kubeClient kubernetes.Interface, defaultNamespace string) (*VaultClientFactory, error)
- func (v *VaultClientFactory) GetConfigData(name string, namespace string, useIngressURL, insecureSSLWebhook bool) (config *api.Config, jwt string, saName string, err error)
- func (v *VaultClientFactory) NewVaultClient(name string, namespace string, useIngressURL, insecureSSLWebhook bool) (*api.Client, error)
- func (v *VaultClientFactory) NewVaultClientForURL(vaultConfig vault.Vault, insecureSSLWebhook bool) (*api.Client, error)
- type VaultPolicies
- type VaultPolicy
- type VaultRole
Constants ¶
const ( BankVaultsImage = "banzaicloud/bank-vaults" VaultOperatorImage = "banzaicloud/vault-operator" VaultImage = "vault" )
Variables ¶
This section is empty.
Functions ¶
func CreateOrUpdateVault ¶
func CreateOrUpdateVault(vault *v1alpha1.Vault, vaultOperatorClient versioned.Interface, ns string) error
CreateOrUpdateVault creates the specified Vault CRD if it does not exist or updates it otherwise.
func DeleteVault ¶
DeleteVault delete a Vault resource
func GetAuthSaName ¶
GetAuthSaName gets the Auth Service Account name for the vault
func GetVault ¶
func GetVault(vaultOperatorClient versioned.Interface, name string, ns string) (*v1alpha1.Vault, error)
GetVault gets a specific vault
func GetVaults ¶
func GetVaults(client kubernetes.Interface, vaultOperatorClient versioned.Interface, ns string, useIngressURL bool) ([]*vault.Vault, error)
GetVaults returns all vaults available in a given namespaces
func NewVaultCRD ¶
func NewVaultCRD(kubeClient kubernetes.Interface, name string, ns string, images map[string]string, authServiceAccount string, authServiceAccountNamespace string, secretsPathPrefix string) (*v1alpha1.Vault, error)
NewVaultCRD creates and initializes a new Vault instance.
func SystemVaultName ¶
SystemVaultName returns the name of the system vault based on the cluster name
func SystemVaultNameForCluster ¶
SystemVaultNameForCluster returns the system vault name from a given cluster name
Types ¶
type AWSConfig ¶
type AWSConfig struct { v1alpha1.AWSUnsealConfig AutoCreate bool DynamoDBTable string DynamoDBRegion string AccessKeyID string SecretAccessKey string ProvidedIAMUsername string }
AWSConfig keeps the vault configuration for AWS
type AWSSealConfig ¶
type AWSSealConfig struct { Region string `json:"region,omitempty"` AccessKey string `json:"access_key,omitempty"` SecretKey string `json:"secret_key,omitempty"` KmsKeyID string `json:"kms_key_id,omitempty"` Endpoint string `json:"endpoint,omitempty"` }
AWSSealConfig AWS KMS config for vault auto-unseal
type AzureConfig ¶
type AzureConfig struct { v1alpha1.AzureUnsealConfig StorageAccountName string StorageAccountKey string ContainerName string TenantID string VaultName string KeyName string }
AzureConfig keeps the vault configuration for Azure
type AzureSealConfig ¶
type AzureSealConfig struct { TenantID string `json:"tenant_id,omitempty"` VaultName string `json:"vault_name,omitempty"` KeyName string `json:"key_name,omitempty"` }
AzureSealConfig Azure Key Vault config for vault auto-unseal
type AzureStorageConfig ¶
type AzureStorageConfig struct { AccountName string `json:"accountName"` AccountKey string `json:"accountKey"` ContainerName string `json:"container"` }
AzureStorageConfig Azure Storage config for Vault backend
type CloudProviderConfig ¶
type CloudProviderConfig struct { Storage map[string]interface{} Seal map[string]interface{} UnsealConfig v1alpha1.UnsealConfig CredentialsConfig v1alpha1.CredentialsConfig }
CloudProviderConfig is a wrapper around the cloud provider specific elements of the Vault CRD configuration
func PrepareAWSVaultCRD ¶
func PrepareAWSVaultCRD(awsServiceAccountSecretName string, awsConfig *AWSConfig) (CloudProviderConfig, error)
PrepareAWSVaultCRD creates a new vault backed by AWS KMS and DynamoDB storage
func PrepareAzureVaultCRD ¶
func PrepareAzureVaultCRD(azureConfig *AzureConfig) (CloudProviderConfig, error)
PrepareAzureVaultCRD creates a new vault backed by Azure Key Vault and Azure Storage
func PrepareGKEVaultCRD ¶
func PrepareGKEVaultCRD(gcpServiceAccountSecretName string, gcpConfig *GCPConfig) (CloudProviderConfig, error)
PrepareGKEVaultCRD creates a new vault backed by GCP KMS and storage
type DynamoDBConfig ¶
type DynamoDBConfig struct { HaEnabled string `json:"ha_enabled"` Region string `json:"region"` Table string `json:"table"` AccessKeyID string `json:"access_key"` SecretAccessKey string `json:"secret_key"` }
DynamoDBConfig AWS DynamoDB config for Vault backend
type GCPConfig ¶
type GCPConfig struct { ProjectId string KmsKeyring string KmsKey string KmsLocation string GcsBucket string }
GCPConfig keeps the configuration for Google Cloud
type GCPSealConfig ¶
type GCPSealConfig struct { Credentials string `json:"credentials,omitempty"` Project string `json:"project,omitempty"` Region string `json:"region,omitempty"` KeyRing string `json:"key_ring,omitempty"` CryptoKey string `json:"crypto_key,omitempty"` }
GCPSealConfig Google Cloud KMS config for vault auto-unseal
type OptionsInterface ¶
type OptionsInterface interface { KubeClientAndNamespace() (kubernetes.Interface, string, error) VaultOperatorClient() (versioned.Interface, error) GetIn() terminal.FileReader GetOut() terminal.FileWriter GetErr() io.Writer GetIOFileHandles() util.IOFileHandles }
OptionsInterface is an interface to allow passing around of a CommonOptions object without dependencies on the whole of the cmd package
type Seal ¶
type Seal struct { GcpCkms *GCPSealConfig `json:"gcpckms,omitempty"` AWSKms *AWSSealConfig `json:"awskms,omitempty"` AzureKeyVault *AzureSealConfig `json:"azurekeyvault,omitempty"` }
Seal configuration for Vault auto-unseal
type SecretEngine ¶
type SecretEngine struct { vaultapi.MountInput Path string `json:"path"` }
SecretEngine configuration for secret engine
type Selector ¶
type Selector interface {
GetVault(name string, namespace string, useIngressURL bool) (*vault.Vault, error)
}
Selector is an interface for selecting a vault from the installed ones on the platform It should pick the most logical one, or give the user a way of picking a vault if there are multiple installed
func NewVaultSelector ¶
func NewVaultSelector(o OptionsInterface) (Selector, error)
NewVaultSelector creates a new vault selector
type Storage ¶
type Storage struct { GCS *GCSConfig `json:"gcs,omitempty"` DynamoDB *DynamoDBConfig `json:"dynamodb,omitempty"` AzureStorage *AzureStorageConfig `json:"azure,omitempty"` }
Storage configuration for Vault storage
type Telemetry ¶
type Telemetry struct {
StatsdAddress string `json:"statsd_address"`
}
Telemetry address for telemetry server
type VaultClientFactory ¶
type VaultClientFactory struct { Options OptionsInterface Selector Selector DisableURLDiscovery bool // contains filtered or unexported fields }
VaultClientFactory keeps the configuration required to build a new vault client factory
func NewInteractiveVaultClientFactory ¶
func NewInteractiveVaultClientFactory(options OptionsInterface) (*VaultClientFactory, error)
NewInteractiveVaultClientFactory creates a VaultClientFactory that allows the user to pick vaults if necessary
func NewVaultClientFactory ¶
func NewVaultClientFactory(kubeClient kubernetes.Interface, vaultOperatorClient versioned.Interface, defaultNamespace string) (*VaultClientFactory, error)
NewVaultClientFactory creates a new VaultClientFactory with different options to the above. It doesnt' have CLI support so will fail if it needs interactive input (unlikely)
func NewVaultClientFactoryWithSelector ¶
func NewVaultClientFactoryWithSelector(kubeClient kubernetes.Interface, selector Selector, defaultNamespace string) (*VaultClientFactory, error)
NewVaultClientFactoryWithSelector creates a new VaultClientFactory with a provided Selector. This allows to use an external Vault instance using the custom selector.
func NewVaultClientFactoryWithoutSelector ¶
func NewVaultClientFactoryWithoutSelector(kubeClient kubernetes.Interface, defaultNamespace string) (*VaultClientFactory, error)
NewVaultClientFactoryWithoutSelector creates a new VaultClientFactory.
func (*VaultClientFactory) GetConfigData ¶
func (v *VaultClientFactory) GetConfigData(name string, namespace string, useIngressURL, insecureSSLWebhook bool) (config *api.Config, jwt string, saName string, err error)
GetConfigData generates the information necessary to configure an api.Client object Returns the api.Config object, the JWT needed to create the auth user in vault, and an error if present
func (*VaultClientFactory) NewVaultClient ¶
func (v *VaultClientFactory) NewVaultClient(name string, namespace string, useIngressURL, insecureSSLWebhook bool) (*api.Client, error)
NewVaultClient creates a new api.Client if namespace is nil, then the default namespace of the factory will be used if the name is nil, and only one vault is found, then that vault will be used. Otherwise the user will be prompted to select a vault for the client.
func (*VaultClientFactory) NewVaultClientForURL ¶
func (v *VaultClientFactory) NewVaultClientForURL(vaultConfig vault.Vault, insecureSSLWebhook bool) (*api.Client, error)
NewVaultClientForURL creates a new Vault api.Client. If namespace is nil, then the default namespace of the factory will be used
type VaultPolicy ¶
VaultPolicy vault policy
type VaultRole ¶
type VaultRole struct { BoundServiceAccountNames string `json:"bound_service_account_names"` BoundServiceAccountNamespaces string `json:"bound_service_account_namespaces"` Name string `json:"name"` Policies string `json:"policies"` TTL string `json:"ttl"` }
VaultRole role configuration for VaultAuth