Constants ¶
const (
	// SystemVaultNamePrefix is the name prefix of the system Vault instance used by the jenkins-x platform.
	SystemVaultNamePrefix = "jx-vault"
	// GitOpsSecretsPath is the path under which secrets generated for GitOps are stored (note the trailing slash).
	GitOpsSecretsPath = "gitops/"
	// GitOpsTemplatesPath is the path of the GitOps template secrets (note the trailing slash).
	GitOpsTemplatesPath = "templates/"
	// AdminSecretsPath is the path of admin secrets (note the trailing slash).
	AdminSecretsPath = "admin/"
	// AuthSecretsPath is the path of auth secrets (note the trailing slash).
	AuthSecretsPath = "auth/"
	// LocalVaultEnvVar names the environment variable that supplies the Vault address when
	// kubectl port-forward is used to reach Vault without an ingress.
	LocalVaultEnvVar = "LOCAL_VAULT_ADDR"
	// DefaultVaultPort is the default port used to access Vault.
	DefaultVaultPort = "8200"
)
const (
	// JenkinsAdminSecret is the secret name for the Jenkins admin password.
	JenkinsAdminSecret = "jenkins"
	// NexusAdminSecret is the secret name for the Nexus credentials.
	NexusAdminSecret = "nexus"
	// ChartmuseumAdminSecret is the secret name for the ChartMuseum credentials.
	ChartmuseumAdminSecret = "chartmuseum"
	// GrafanaAdminSecret is the secret name for the Grafana credentials.
	GrafanaAdminSecret = "grafana"
	// IngressAdminSecret is the secret name for the Ingress basic authentication credentials.
	IngressAdminSecret = "ingress"
)
const (
	// DenyCapability is the Vault policy capability that denies access to a path.
	DenyCapability = "deny"
	// CreateCapability is the Vault policy capability allowing secrets to be created.
	CreateCapability = "create"
	// ReadCapability is the Vault policy capability allowing secrets to be read.
	ReadCapability = "read"
	// UpdateCapability is the Vault policy capability allowing secrets to be updated.
	UpdateCapability = "update"
	// DeleteCapability is the Vault policy capability allowing secrets to be deleted.
	DeleteCapability = "delete"
	// ListCapability is the Vault policy capability allowing paths to be listed.
	ListCapability = "list"
	// SudoCapability is the Vault policy capability granting access to root-protected paths.
	SudoCapability = "sudo"
	// RootCapability is the Vault policy capability for root access.
	RootCapability = "root"
	// PathRulesName is the name used for the set of path rules; presumably the name of the
	// generated policy — confirm against the callers that write policies.
	PathRulesName = "allow_secrets"
	// DefaultSecretsPathPrefix is the default policy path glob. The trailing "*" makes a policy
	// using it cover every secret under the mount; prefer a narrower prefix where a consumer
	// only needs a subtree.
	DefaultSecretsPathPrefix = "secret/*"
	// PoliciesName is the name used for the policies collection.
	PoliciesName = "policies"
	// DefaultSecretsPath is the default KV mount path without a glob suffix.
	DefaultSecretsPath = "secret"
)
const (
	// SystemVaultName is the key under which the name of the Vault instance created and managed by
	// Jenkins X is stored, unless an external Vault instance is used, in which case this name will be empty.
	SystemVaultName = "systemVaultName"
	// URL is the key under which the URL of the external Vault instance is stored, if no system
	// internal Vault instance is used.
	URL = "vaultURL"
	// ServiceAccount is the key under which the name of the service account used to connect to Vault is stored.
	ServiceAccount = "vaultServiceAccount"
	// Namespace is the key under which the service account namespace allowed to connect to Vault is stored.
	Namespace = "vaultNamespace"
	// SecretEngineMountPoint is the key defining the Vault mount point for the KV secret engine.
	SecretEngineMountPoint = "vaultSecretEngineMountPoint"
	// KubernetesAuthPath is the key defining the path under which the Kubernetes auth method is configured.
	KubernetesAuthPath = "vaultKubernetesAuthPath"
	// DefaultKVEngineMountPoint is the default mount point for the KV V2 engine.
	DefaultKVEngineMountPoint = "secret"
	// DefaultKubernetesAuthPath is the default Kubernetes auth path.
	DefaultKubernetesAuthPath = "kubernetes"
)
Variables ¶
var (
	// DefaultSecretsCapabiltities is the default set of capabilities granted on the secrets path:
	// full create/read/update/delete/list access (no sudo or root). Combined with a broad path
	// prefix this is a wide grant; scope it down for consumers that only read.
	// The misspelling is part of the exported API and cannot be corrected without breaking callers.
	DefaultSecretsCapabiltities = []string{CreateCapability, ReadCapability, UpdateCapability, DeleteCapability, ListCapability}
)
Functions ¶
func AdminSecretPath ¶
func AdminSecretPath(secret AdminSecret) string
AdminSecretPath returns the admin secret path for a given admin secret
func AuthSecretPath ¶
AuthSecretPath returns the path of an auth secret
func GitOpsSecretPath ¶
GitOpsSecretPath returns the path of an install secret.
func WriteBasicAuth ¶
WriteBasicAuth stores the basic authentication credentials in vault at the given path.
Types ¶
type Client ¶
type Client interface {
	// Write writes a named secret to the vault and returns the response data.
	Write(secretName string, data map[string]interface{}) (map[string]interface{}, error)
	// WriteObject writes a generic named object to the vault.
	// The secret _must_ be serializable to JSON.
	WriteObject(secretName string, secret interface{}) (map[string]interface{}, error)
	// WriteYaml writes a YAML document (given as a string) to a named secret.
	WriteYaml(secretName string, yamlstring string) (map[string]interface{}, error)
	// List lists the secrets under the specified path.
	List(path string) ([]string, error)
	// Read reads a named secret from the vault.
	Read(secretName string) (map[string]interface{}, error)
	// ReadObject reads a generic named object from vault into secret.
	// The secret _must_ be serializable to JSON.
	ReadObject(secretName string, secret interface{}) error
	// ReadYaml reads a YAML document from a named secret.
	ReadYaml(secretName string) (string, error)
	// Config gets the config required for configuring the official Vault CLI.
	// vaultToken is a live credential; callers should not log it or persist it outside the CLI config.
	Config() (vaultURL url.URL, vaultToken string, err error)
	// ReplaceURIs will replace any vault: URIs in a string (or whatever URL scheme the secret URL client supports)
	// with the referenced secret values.
	ReplaceURIs(text string) (string, error)
}
Client is an interface for interacting with Vault
func NewVaultClient ¶
NewVaultClient creates a new Vault Client wrapping the provided api.Client. The provided secretEngineMountPoint determines the prefix (mount point) for the KV engine used by this client. If the empty string is specified, the string 'secret' is assumed as the default prefix.
type PathPolicy ¶
type PathPolicy struct {
	// Prefix is the path (the HCL block key) the policy applies to, e.g. a glob such as DefaultSecretsPathPrefix.
	Prefix string `hcl:",key"`
	// Capabilities lists the capability names granted on Prefix (see the *Capability constants); omitted when empty.
	Capabilities []string `hcl:"capabilities" hcle:"omitempty"`
}
PathPolicy defines a Vault path policy.
type PathRule ¶
type PathRule struct {
	// Path holds the per-path policies that make up this rule, rendered as HCL "path" blocks; omitted when empty.
	Path []PathPolicy `hcl:"path" hcle:"omitempty"`
}
PathRule defines a path rule
type Vault ¶
type Vault struct {
	// Name defines the name of the Vault instance, provided we are dealing with a Jenkins X managed Vault instance.
	Name string
	// ServiceAccountName is the name of the service account allowed to authenticate against Vault.
	ServiceAccountName string
	// Namespace is the namespace of the service account authorized to authenticate against Vault.
	Namespace string
	// URL specifies the Vault URL to connect to.
	URL string
	// SecretEngineMountPoint is the mount point to be used for writing data into the KV engine.
	SecretEngineMountPoint string
	// KubernetesAuthPath is the path under which the Vault Kubernetes auth method is configured.
	KubernetesAuthPath string
}
Vault stores the required information to connect and authenticate against a Vault instance.
func FromMap ¶
FromMap reads the configuration of a Vault instance from a map. defaultNamespace is used when there is no namespace value provided in the map (for backwards compatibility reasons).
func NewExternalVault ¶
func NewExternalVault(url string, serviceAccountName string, namespace string, secretEngineMountPoint string, kubernetesAuthPath string) (Vault, error)
NewExternalVault creates an external Vault instance configuration from the provided parameters.
func NewInternalVault ¶
NewInternalVault creates an internal Vault instance configuration from the provided parameters.
func (*Vault) IsExternal ¶
IsExternal reports whether the Vault instance is an externally managed Vault instance rather than one managed by Jenkins X.