vault

package

v6.7.3-0...-1f455d7 Latest Latest Go to latest Published: Dec 7, 2020 License: Apache-2.0 Imports: 19 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/pf-qiu/concourse

Links

Open Source Insights

Documentation ¶

Index ¶

func NewVaultFactory(sr SecretReader, loggedIn <-chan struct{}, prefix string, ...) *vaultFactory
func NewVaultManagerFactory() creds.ManagerFactory
type APIClient
- func NewAPIClient(logger lager.Logger, apiURL string, tlsConfig TLSConfig, authConfig AuthConfig, ...) (*APIClient, error)
type AuthConfig
type Auther
type ReAuther
- func NewReAuther(logger lager.Logger, auther Auther, maxTTL, retry, max time.Duration) *ReAuther
- func (ra *ReAuther) Close()
- func (ra *ReAuther) LoggedIn() <-chan struct{}
type SecretReader
type TLSConfig
type Vault
- func (v Vault) Get(secretPath string) (interface{}, *time.Time, bool, error)
- func (v Vault) NewSecretLookupPaths(teamName string, pipelineName string, allowRootPath bool) []creds.SecretLookupPath
type VaultManager

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func NewVaultFactory ¶

func NewVaultFactory(sr SecretReader, loggedIn <-chan struct{}, prefix string, lookupTemplates []*creds.SecretTemplate, sharedPath string) *vaultFactory

func NewVaultManagerFactory ¶

func NewVaultManagerFactory() creds.ManagerFactory

Types ¶

type APIClient ¶

type APIClient struct {
	// contains filtered or unexported fields
}

The APIClient is a SecretReader which maintains an authorized client using the Login and Renew functions.

func NewAPIClient ¶

func NewAPIClient(logger lager.Logger, apiURL string, tlsConfig TLSConfig, authConfig AuthConfig, namespace string) (*APIClient, error)

NewAPIClient with the associated authorization config and underlying vault client.

func (ac *APIClient) Login() (time.Duration, error)

Login the APIClient using the credentials passed at construction. Returns a duration after which renew must be called.

func (*APIClient) Read ¶

func (ac *APIClient) Read(path string) (*vaultapi.Secret, error)

Read must be called after a successful login has occurred or an un-authorized client will be used.

func (*APIClient) Renew ¶

func (ac *APIClient) Renew() (time.Duration, error)

Renew the APIClient login using the credentials passed at construction. Must be called after a successful login. Returns a duration after which renew must be called again.

type AuthConfig ¶

type AuthConfig struct {
	ClientToken string `mapstructure:"client_token" long:"client-token" description:"Client token for accessing secrets within the Vault server."`

	Backend       string        `mapstructure:"auth_backend" long:"auth-backend"               description:"Auth backend to use for logging in to Vault."`
	BackendMaxTTL time.Duration `` /* 178-byte string literal not displayed */
	RetryMax      time.Duration `` /* 150-byte string literal not displayed */
	RetryInitial  time.Duration `` /* 154-byte string literal not displayed */

	Params map[string]string `` /* 166-byte string literal not displayed */
}

type Auther ¶

type Auther interface {
	Login() (time.Duration, error)
	Renew() (time.Duration, error)
}

An Auther is anything which needs to be logged in and then have that login renewed on a regulary basis.

type ReAuther ¶

type ReAuther struct {
	// contains filtered or unexported fields
}

The ReAuther runs the authorization loop (login, renew) and retries using a bounded exponential backoff strategy. If maxTTL is set, a new login will be done _regardless_ of the available leaseDuration.

func NewReAuther ¶

func NewReAuther(logger lager.Logger, auther Auther, maxTTL, retry, max time.Duration) *ReAuther

NewReAuther with a retry time and a max retry time.

func (*ReAuther) Close ¶

func (ra *ReAuther) Close()

func (*ReAuther) LoggedIn ¶

func (ra *ReAuther) LoggedIn() <-chan struct{}

LoggedIn will receive a signal after every login. Multiple logins may result in a single signal as this channel is not blocked.

type SecretReader ¶

type SecretReader interface {
	Read(path string) (*vaultapi.Secret, error)
}

A SecretReader reads a vault secret from the given path. It should be thread safe!

type TLSConfig ¶

type TLSConfig struct {
	CACert     string `mapstructure:"ca_cert"`
	CACertFile string `long:"ca-cert"              description:"Path to a PEM-encoded CA cert file to use to verify the vault server SSL cert."`
	CAPath     string `` /* 127-byte string literal not displayed */

	ClientCert     string `mapstructure:"client_cert"`
	ClientCertFile string `long:"client-cert"          description:"Path to the client certificate for Vault authorization."`

	ClientKey     string `mapstructure:"client_key"`
	ClientKeyFile string `long:"client-key"           description:"Path to the client private key for Vault authorization."`

	ServerName string `` /* 129-byte string literal not displayed */
	Insecure   bool   `mapstructure:"insecure_skip_verify" long:"insecure-skip-verify" description:"Enable insecure SSL verification."`
}

type Vault ¶

type Vault struct {
	SecretReader    SecretReader
	Prefix          string
	LookupTemplates []*creds.SecretTemplate
	SharedPath      string
}

Vault converts a vault secret to our completely untyped secret data.

func (Vault) Get ¶

func (v Vault) Get(secretPath string) (interface{}, *time.Time, bool, error)

Get retrieves the value and expiration of an individual secret

func (Vault) NewSecretLookupPaths ¶

func (v Vault) NewSecretLookupPaths(teamName string, pipelineName string, allowRootPath bool) []creds.SecretLookupPath

NewSecretLookupPaths defines how variables will be searched in the underlying secret manager

type VaultManager ¶

type VaultManager struct {
	URL string `mapstructure:"url" long:"url" description:"Vault server address used to access secrets."`

	PathPrefix      string   `` /* 129-byte string literal not displayed */
	LookupTemplates []string `` /* 186-byte string literal not displayed */
	SharedPath      string   `mapstructure:"shared_path" long:"shared-path" description:"Path under which to lookup shared credentials."`
	Namespace       string   `mapstructure:"namespace" long:"namespace"   description:"Vault namespace to use for authentication and secret lookup."`

	TLS  TLSConfig  `mapstructure:",squash"`
	Auth AuthConfig `mapstructure:",squash"`

	Client        *APIClient
	ReAuther      *ReAuther
	SecretFactory *vaultFactory
}

func (VaultManager) Close ¶

func (manager VaultManager) Close(logger lager.Logger)

func (*VaultManager) Config ¶

func (manager *VaultManager) Config(config map[string]interface{}) error

func (VaultManager) Health ¶

func (manager VaultManager) Health() (*creds.HealthResponse, error)

func (*VaultManager) Init ¶

func (manager *VaultManager) Init(log lager.Logger) error

func (VaultManager) IsConfigured ¶

func (manager VaultManager) IsConfigured() bool

func (*VaultManager) MarshalJSON ¶

func (manager *VaultManager) MarshalJSON() ([]byte, error)

func (*VaultManager) NewSecretsFactory ¶

func (manager *VaultManager) NewSecretsFactory(logger lager.Logger) (creds.SecretsFactory, error)

func (VaultManager) Validate ¶

func (manager VaultManager) Validate() error

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL