Constants ¶
const DefaultPathPrefix = "secret"
The DefaultPathPrefix may be overridden to allow for non-standard vault mount paths
Variables ¶
// Errors produced while authenticating a vault client. The ErrXxx functions
// wrap an underlying cause; the plain ErrXxx values are sentinels.
var (
	// ErrEmptyToken is returned when authentication is attempted with an empty token.
	ErrEmptyToken = errors.New("unable to authenticate to vault with empty token")
	// ErrNoAuthInfo is returned when a login succeeds but the response carries no auth info.
	ErrNoAuthInfo = errors.New("no auth info was returned after login")
	// ErrVaultAuthentication wraps a failed login with vault authentication context.
	ErrVaultAuthentication = func(err error) error { return errors.Wrap(err, "unable to authenticate to vault") }
	// ErrPartialCredentials wraps the cause (presumably ErrAccessKeyId or ErrSecretAccessKey — confirm
	// at the call site) when only part of the AWS IAM credentials were supplied.
	// NOTE(review): the message ends in ": "; if this Wrap adds its own ": " separator (pkg/errors
	// style) the rendered error carries a doubled separator. Removing the trailing ": " changes a
	// runtime string, so it is left for a code change rather than a doc edit.
	ErrPartialCredentials = func(err error) error { return errors.Wrap(err, "only partial credentials were provided for vault authorization with AWS IAM auth: ") }
	// ErrAccessKeyId is returned when AWS IAM auth is configured without an access key id.
	ErrAccessKeyId = errors.New("access key id must be defined for vault authorization with AWS IAM auth")
	// ErrSecretAccessKey is returned when AWS IAM auth is configured without a secret access key.
	ErrSecretAccessKey = errors.New("secret access key must be defined for vault authorization with AWS IAM auth")
	// ErrInitializeWatcher wraps a failure to create the lifetime watcher used to renew the auth token.
	// NOTE(review): the wrap message ends with a "." — Go error strings conventionally carry no
	// trailing punctuation; left unchanged here because it is a runtime string.
	ErrInitializeWatcher = func(err error) error { return errors.Wrap(err, "unable to initialize new lifetime watcher for renewing auth token.") }
)
// Vault authentication metrics. Each measure is paired with a view: timestamps use
// view.LastValue() so the view reports the most recent event, counts use view.Sum().
var (
	// Login metrics
	MLastLoginSuccess     = statsutils.Int64Measure("gloo.solo.io/vault/last_login_success", "Timestamp of last successful authentication of vault")
	MLastLoginSuccessView = statsutils.ViewForCounter(MLastLoginSuccess, view.LastValue())
	MLastLoginFailure     = statsutils.Int64Measure("gloo.solo.io/vault/last_login_failure", "Timestamp of last failed authentication of vault")
	MLastLoginFailureView = statsutils.ViewForCounter(MLastLoginFailure, view.LastValue())
	MLoginSuccesses       = statsutils.Int64Measure("gloo.solo.io/vault/login_successes", "Number of successful authentications of vault")
	MLoginSuccessesView   = statsutils.ViewForCounter(MLoginSuccesses, view.Sum())
	MLoginFailures        = statsutils.Int64Measure("gloo.solo.io/vault/login_failures", "Number of failed authentications of vault")
	MLoginFailuresView    = statsutils.ViewForCounter(MLoginFailures, view.Sum())

	// Renew metrics (token lease renewal; a rising failure count is the signal that a
	// client is about to lose its vault token)
	MLastRenewSuccess     = statsutils.Int64Measure("gloo.solo.io/vault/last_renew_success", "Timestamp of last successful renewal of vault secret lease")
	MLastRenewSuccessView = statsutils.ViewForCounter(MLastRenewSuccess, view.LastValue())
	MLastRenewFailure     = statsutils.Int64Measure("gloo.solo.io/vault/last_renew_failure", "Timestamp of last failed renewal of vault secret lease")
	MLastRenewFailureView = statsutils.ViewForCounter(MLastRenewFailure, view.LastValue())
	MRenewSuccesses       = statsutils.Int64Measure("gloo.solo.io/vault/renew_successes", "Number of successful renewals of vault secret lease")
	MRenewSuccessesView   = statsutils.ViewForCounter(MRenewSuccesses, view.Sum())
	MRenewFailures        = statsutils.Int64Measure("gloo.solo.io/vault/renew_failures", "Number of failed renewals of vault secret lease")
	MRenewFailuresView    = statsutils.ViewForCounter(MRenewFailures, view.Sum())
)
var (
	// ErrAuthNotDefined is returned when no vault auth method is defined in the settings.
	ErrAuthNotDefined = errors.New("auth method not defined")
)
Functions ¶
func AuthenticateClient ¶
func AuthenticateClient(ctx context.Context, client *vault.Client, clientAuth ClientAuth) (*vault.Secret, error)
AuthenticateClient authenticates the provided vault client with the provided clientAuth.
func NewAuthenticatedClient ¶
func NewAuthenticatedClient(ctx context.Context, vaultSettings *v1.Settings_VaultSecrets, clientAuth ClientAuth) (*vault.Client, error)
NewAuthenticatedClient returns a vault client that has been authenticated with the provided settings, or an error if construction or authentication fails.
func NewUnauthenticatedClient ¶
func NewUnauthenticatedClient(vaultSettings *v1.Settings_VaultSecrets) (*vault.Client, error)
NewUnauthenticatedClient returns a vault client that has not yet been authenticated
func NewVaultSecretClientFactory ¶ added in v1.17.9
func NewVaultSecretClientFactory(ctx context.Context, clientInit VaultClientInitFunc, pathPrefix, rootKey string) factory.ResourceClientFactory
NewVaultSecretClientFactory builds a secret client factory from a vault client initializer (clientInit) together with the basic configuration (pathPrefix, rootKey) used for retrieving secrets with that client.
func VaultClientForSettings ¶ added in v1.17.9
func VaultClientForSettings(ctx context.Context, vaultSettings *v1.Settings_VaultSecrets) (*api.Client, error)
VaultClientForSettings returns a vault client based on the provided settings.
Types ¶
type ClientAuth ¶
// ClientAuth is the authentication strategy for a vault client: the embedded
// vault.AuthMethod performs the initial login, and ManageTokenRenewal keeps the
// resulting token alive afterwards.
type ClientAuth interface {
	// vault.AuthMethod provides Login(ctx context.Context, client *Client) (*Secret, error)
	vault.AuthMethod
	// ManageTokenRenewal should be called after a successful login to start the renewal process.
	// This method may have many different types of implementation, from just a noop to
	// spinning up a separate goroutine; secret is the *vault.Secret returned by Login.
	ManageTokenRenewal(ctx context.Context, client *vault.Client, secret *vault.Secret)
}
func ClientAuthFactory ¶
func ClientAuthFactory(vaultSettings *v1.Settings_VaultSecrets) (ClientAuth, error)
ClientAuthFactory returns a vault ClientAuth based on the provided settings.
func NewRemoteTokenAuth ¶
func NewRemoteTokenAuth(authMethod vault.AuthMethod, t TokenRenewer, retryOptions ...retry.Option) ClientAuth
NewRemoteTokenAuth is a constructor for RemoteTokenAuth
func NewStaticTokenAuth ¶
func NewStaticTokenAuth(token string) ClientAuth
NewStaticTokenAuth is a constructor for StaticTokenAuth
type NewVaultTokenRenewerParams ¶
// NewVaultTokenRenewerParams holds the configuration consumed by NewVaultTokenRenewer.
type NewVaultTokenRenewerParams struct {
	// LeaseIncrement is the amount of time in seconds for which the lease should be renewed
	LeaseIncrement int
	// GetWatcher provides the token watcher; it exists as an injection point so tests can
	// substitute their own watcher implementation.
	GetWatcher getWatcherFunc
	// RetryOnNonRenewableSleep is the amount of time in seconds to sleep before retrying if the token is not renewable
	RetryOnNonRenewableSleep int
}
type RemoteTokenAuth ¶
type RemoteTokenAuth struct {
// contains filtered or unexported fields
}
func (*RemoteTokenAuth) ManageTokenRenewal ¶
type StaticTokenAuth ¶
type StaticTokenAuth struct {
// contains filtered or unexported fields
}
func (*StaticTokenAuth) GetToken ¶
func (s *StaticTokenAuth) GetToken() string
GetToken returns the value of the token field, i.e. the raw static Vault token; callers should treat the returned string as a credential.
func (*StaticTokenAuth) ManageTokenRenewal ¶
func (*StaticTokenAuth) ManageTokenRenewal(ctx context.Context, client *vault.Client, secret *vault.Secret)
ManageTokenRenewal for StaticTokenAuth is a no-op
type TokenRenewer ¶
type TokenRenewer interface {
ManageTokenRenewal(ctx context.Context, client *vault.Client, clientAuth ClientAuth, secret *vault.Secret)
}
TokenRenewer is an interface that wraps the ManageTokenRenewal method. It lets a noop implementation be injected when token renewal (and its goroutine) should be disabled for testing.
type TokenWatcher ¶
// TokenWatcher abstracts the subset of the vault LifetimeWatcher used for token
// renewal, so a test double can stand in for the real watcher.
type TokenWatcher interface {
	// DoneCh mirrors LifetimeWatcher.DoneCh: it yields the error (if any) once renewal stops.
	DoneCh() <-chan error
	// RenewCh mirrors LifetimeWatcher.RenewCh: it yields the output of each renewal.
	RenewCh() <-chan *vault.RenewOutput
	// Stop mirrors LifetimeWatcher.Stop.
	Stop()
	// Start mirrors LifetimeWatcher.Start.
	Start()
}
TokenWatcher is an interface that wraps the DoneCh, RenewCh, Start, and Stop functions of the vault LifetimeWatcher
type VaultClientInitFunc ¶ added in v1.17.9
func NoopVaultClientInitFunc ¶ added in v1.17.9
func NoopVaultClientInitFunc(c *api.Client) VaultClientInitFunc
type VaultTokenRenewer ¶
type VaultTokenRenewer struct {
// contains filtered or unexported fields
}
VaultTokenRenewer is a struct that implements the TokenRenewer interface in a manner based on the vault examples: https://github.com/hashicorp/vault-examples/blob/main/examples/token-renewal/go/example.go
func NewVaultTokenRenewer ¶
func NewVaultTokenRenewer(params *NewVaultTokenRenewerParams) *VaultTokenRenewer
NewVaultTokenRenewer returns a new VaultTokenRenewer and sets the default GetWatcher function.
func (*VaultTokenRenewer) ManageTokenRenewal ¶
func (t *VaultTokenRenewer) ManageTokenRenewal(ctx context.Context, client *vault.Client, clientAuth ClientAuth, secret *vault.Secret)
ManageTokenRenewal wraps the renewal process in a goroutine.
func (*VaultTokenRenewer) RenewToken ¶
func (r *VaultTokenRenewer) RenewToken(ctx context.Context, client *vault.Client, clientAuth ClientAuth, secret *vault.Secret) error
RenewToken periodically renews the lease of the token that has been set on the Vault client. The logic is taken from https://github.com/hashicorp/vault-examples/blob/main/examples/token-renewal/go/example.go. The returned error is dropped by the goroutine that calls this function, but it is useful for testing.