vault

Constants

// DefaultPathPrefix is the vault mount path prefix used when none is configured ("secret").
const DefaultPathPrefix = "secret"

The DefaultPathPrefix may be overridden to allow for non-standard vault mount paths.

Variables

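var (
	// ErrEmptyToken is returned when authentication is attempted with an empty token.
	ErrEmptyToken = errors.New("unable to authenticate to vault with empty token")
	// ErrNoAuthInfo is returned when a login call completes but the response carries no auth info.
	ErrNoAuthInfo = errors.New("no auth info was returned after login")
	// ErrVaultAuthentication wraps a login failure with vault-specific context.
	ErrVaultAuthentication = func(err error) error {
		return errors.Wrap(err, "unable to authenticate to vault")
	}
	// ErrPartialCredentials wraps the error that names the missing AWS IAM credential
	// (presumably ErrAccessKeyId or ErrSecretAccessKey — confirm against the caller).
	// The message must not end in ": " because errors.Wrap inserts its own ": " before the
	// cause; the previous text produced "... AWS IAM auth: : <cause>".
	ErrPartialCredentials = func(err error) error {
		return errors.Wrap(err, "only partial credentials were provided for vault authorization with AWS IAM auth")
	}
	// ErrAccessKeyId is returned when the AWS access key id is not configured for IAM auth.
	ErrAccessKeyId = errors.New("access key id must be defined for vault authorization with AWS IAM auth")
	// ErrSecretAccessKey is returned when the AWS secret access key is not configured for IAM auth.
	ErrSecretAccessKey = errors.New("secret access key must be defined for vault authorization with AWS IAM auth")
	// ErrInitializeWatcher wraps a failure to construct the lifetime watcher used for token renewal.
	ErrInitializeWatcher = func(err error) error {
		return errors.Wrap(err, "unable to initialize new lifetime watcher for renewing auth token.")
	}
)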
var (
	// Vault authentication and renewal metrics. Timestamp measures are exposed through a
	// LastValue view (a gauge); count measures are exposed through a Sum view (a counter).
	// Metric names are registered under the "gloo.solo.io/vault/" prefix; they carry no token
	// or credential material, only timestamps and counts.

	// Login metrics
	MLastLoginSuccess     = statsutils.Int64Measure("gloo.solo.io/vault/last_login_success", "Timestamp of last successful authentication of vault")
	MLastLoginSuccessView = statsutils.ViewForCounter(MLastLoginSuccess, view.LastValue())

	MLastLoginFailure     = statsutils.Int64Measure("gloo.solo.io/vault/last_login_failure", "Timestamp of last failed authentication of vault")
	MLastLoginFailureView = statsutils.ViewForCounter(MLastLoginFailure, view.LastValue())

	MLoginSuccesses     = statsutils.Int64Measure("gloo.solo.io/vault/login_successes", "Number of successful authentications of vault")
	MLoginSuccessesView = statsutils.ViewForCounter(MLoginSuccesses, view.Sum())

	MLoginFailures     = statsutils.Int64Measure("gloo.solo.io/vault/login_failures", "Number of failed authentications of vault")
	MLoginFailuresView = statsutils.ViewForCounter(MLoginFailures, view.Sum())

	// Renew metrics
	MLastRenewSuccess     = statsutils.Int64Measure("gloo.solo.io/vault/last_renew_success", "Timestamp of last successful renewal of vault secret lease")
	MLastRenewSuccessView = statsutils.ViewForCounter(MLastRenewSuccess, view.LastValue())

	MLastRenewFailure     = statsutils.Int64Measure("gloo.solo.io/vault/last_renew_failure", "Timestamp of last failed renewal of vault secret lease")
	MLastRenewFailureView = statsutils.ViewForCounter(MLastRenewFailure, view.LastValue())

	MRenewSuccesses     = statsutils.Int64Measure("gloo.solo.io/vault/renew_successes", "Number of successful renewals of vault secret lease")
	MRenewSuccessesView = statsutils.ViewForCounter(MRenewSuccesses, view.Sum())

	// NOTE(review): a rising MRenewFailures with a stale MLastRenewSuccess is the signal that the
	// token lease is about to expire — worth an alert; the units of the timestamps are not visible here.
	MRenewFailures     = statsutils.Int64Measure("gloo.solo.io/vault/renew_failures", "Number of failed renewals of vault secret lease")
	MRenewFailuresView = statsutils.ViewForCounter(MRenewFailures, view.Sum())
)
var (
	// ErrAuthNotDefined is returned when the vault settings do not select any auth method
	// (presumably surfaced by ClientAuthFactory — confirm against its implementation).
	ErrAuthNotDefined = errors.New("auth method not defined")
)

Functions

func AuthenticateClient

func AuthenticateClient(ctx context.Context, client *vault.Client, clientAuth ClientAuth) (*vault.Secret, error)

AuthenticateClient authenticates the provided vault client with the provided clientAuth.

func NewAuthenticatedClient

func NewAuthenticatedClient(ctx context.Context, vaultSettings *v1.Settings_VaultSecrets, clientAuth ClientAuth) (*vault.Client, error)

NewAuthenticatedClient returns a vault client that has been authenticated with the provided settings, or an error if construction or authentication fails.

func NewUnauthenticatedClient

func NewUnauthenticatedClient(vaultSettings *v1.Settings_VaultSecrets) (*vault.Client, error)

NewUnauthenticatedClient returns a vault client that has not yet been authenticated.

func NewVaultSecretClientFactory added in v1.17.9

func NewVaultSecretClientFactory(ctx context.Context, clientInit VaultClientInitFunc, pathPrefix, rootKey string) factory.ResourceClientFactory

NewVaultSecretClientFactory takes a vault client initializer along with the basic configuration (path prefix and root key) needed to retrieve secrets with that client.

func VaultClientForSettings added in v1.17.9

func VaultClientForSettings(ctx context.Context, vaultSettings *v1.Settings_VaultSecrets) (*api.Client, error)

VaultClientForSettings returns a vault client based on the provided settings.

Types

type ClientAuth

// ClientAuth bundles a vault login method with the management of the resulting token's renewal.
type ClientAuth interface {
	// vault.AuthMethod provides Login(ctx context.Context, client *Client) (*Secret, error).
	vault.AuthMethod
	// ManageTokenRenewal should be called after a successful login to start the renewal process.
	// This method may have many different types of implementation, from just a noop to spinning up a separate goroutine.
	// NOTE(review): an implementation that starts a goroutine should stop it when ctx is done — confirm per implementation.
	ManageTokenRenewal(ctx context.Context, client *vault.Client, secret *vault.Secret)
}

func ClientAuthFactory

func ClientAuthFactory(vaultSettings *v1.Settings_VaultSecrets) (ClientAuth, error)

ClientAuthFactory returns a vault ClientAuth based on the provided settings.

func NewRemoteTokenAuth

func NewRemoteTokenAuth(authMethod vault.AuthMethod, t TokenRenewer, retryOptions ...retry.Option) ClientAuth

NewRemoteTokenAuth is a constructor for RemoteTokenAuth

func NewStaticTokenAuth

func NewStaticTokenAuth(token string) ClientAuth

NewStaticTokenAuth is a constructor for StaticTokenAuth

type NewVaultTokenRenewerParams

// NewVaultTokenRenewerParams configures a VaultTokenRenewer built by NewVaultTokenRenewer.
type NewVaultTokenRenewerParams struct {
	// LeaseIncrement is the amount of time in seconds for which the lease should be renewed.
	LeaseIncrement int
	// GetWatcher provides the watcher and is the injection point for a test watcher.
	// Left nil, NewVaultTokenRenewer sets a default.
	GetWatcher getWatcherFunc
	// RetryOnNonRenewableSleep is the amount of time in seconds to sleep before retrying if the token is not renewable.
	RetryOnNonRenewableSleep int
}

type RemoteTokenAuth

// RemoteTokenAuth is a ClientAuth that obtains its token through a vault.AuthMethod
// and delegates renewal to a TokenRenewer; construct it with NewRemoteTokenAuth.
type RemoteTokenAuth struct {
	// contains filtered or unexported fields
}

func (*RemoteTokenAuth) Login

func (r *RemoteTokenAuth) Login(ctx context.Context, client *vault.Client) (*vault.Secret, error)

Login wraps the low-level login with retry logic.

func (*RemoteTokenAuth) ManageTokenRenewal

func (r *RemoteTokenAuth) ManageTokenRenewal(ctx context.Context, client *vault.Client, secret *vault.Secret)

type StaticTokenAuth

// StaticTokenAuth is a ClientAuth that authenticates with a fixed token supplied at
// construction (NewStaticTokenAuth); its ManageTokenRenewal is a no-op.
// GetToken returns the raw token value, so callers should keep its result out of
// logs and error messages.
type StaticTokenAuth struct {
	// contains filtered or unexported fields
}

func (*StaticTokenAuth) GetToken

func (s *StaticTokenAuth) GetToken() string

GetToken returns the value of the token field.

func (*StaticTokenAuth) Login

func (s *StaticTokenAuth) Login(ctx context.Context, _ *vault.Client) (*vault.Secret, error)

Login logs in to vault using a static token

func (*StaticTokenAuth) ManageTokenRenewal

func (*StaticTokenAuth) ManageTokenRenewal(ctx context.Context, client *vault.Client, secret *vault.Secret)

ManageTokenRenewal for StaticTokenAuth is a no-op

type TokenRenewer

// TokenRenewer wraps the ManageTokenRenewal method so that a no-op implementation
// can be injected when token renewal (and its goroutine) should be disabled in tests.
type TokenRenewer interface {
	// ManageTokenRenewal starts renewing secret's token for client, re-authenticating via clientAuth when needed.
	ManageTokenRenewal(ctx context.Context, client *vault.Client, clientAuth ClientAuth, secret *vault.Secret)
}

TokenRenewer is an interface that wraps the ManageTokenRenewal method. This lets us inject a no-op implementation when we want to disable token renewal (and its goroutine) for testing.

type TokenWatcher

// TokenWatcher is the subset of the vault LifetimeWatcher API used for token renewal:
// DoneCh, RenewCh, Start and Stop.
type TokenWatcher interface {
	// DoneCh yields the error that terminated the watcher, if any.
	DoneCh() <-chan error
	// RenewCh yields the output of each successful renewal.
	RenewCh() <-chan *vault.RenewOutput
	// Stop terminates the watcher.
	Stop()
	// Start begins the watch/renew loop.
	Start()
}

TokenWatcher is an interface that wraps the DoneCh, RenewCh, Start, and Stop functions of the vault LifetimeWatcher.

type VaultClientInitFunc added in v1.17.9

// VaultClientInitFunc produces the vault API client for the given context.
// NoopVaultClientInitFunc builds one from an existing client (presumably returning it unchanged — confirm).
type VaultClientInitFunc func(ctx context.Context) *api.Client

func NoopVaultClientInitFunc added in v1.17.9

func NoopVaultClientInitFunc(c *api.Client) VaultClientInitFunc

type VaultTokenRenewer

// VaultTokenRenewer implements TokenRenewer following the vault token-renewal example;
// construct it with NewVaultTokenRenewer.
type VaultTokenRenewer struct {
	// contains filtered or unexported fields
}

VaultTokenRenewer is a struct that implements the TokenRenewer interface in a manner based on the vault examples: https://github.com/hashicorp/vault-examples/blob/main/examples/token-renewal/go/example.go

func NewVaultTokenRenewer

func NewVaultTokenRenewer(params *NewVaultTokenRenewerParams) *VaultTokenRenewer

NewVaultTokenRenewer returns a new VaultTokenRenewer and sets the default GetWatcher function.

func (*VaultTokenRenewer) ManageTokenRenewal

func (t *VaultTokenRenewer) ManageTokenRenewal(ctx context.Context, client *vault.Client, clientAuth ClientAuth, secret *vault.Secret)

ManageTokenRenewal wraps the renewal process in a goroutine.

func (*VaultTokenRenewer) RenewToken

func (r *VaultTokenRenewer) RenewToken(ctx context.Context, client *vault.Client, clientAuth ClientAuth, secret *vault.Secret) error

Once you've set the token for your Vault client, you will need to periodically renew its lease. This is taken from https://github.com/hashicorp/vault-examples/blob/main/examples/token-renewal/go/example.go. The error that gets returned is dropped by the goroutine that calls this function, but it is useful for testing.

Directories

Path Synopsis
Package mocks is a generated GoMock package.
Package mocks is a generated GoMock package.
