vault

package
v1.11.0 Latest Latest
Published: Oct 23, 2024 License: Apache-2.0 Imports: 22 Imported by: 1

Documentation

Index

Constants

// PluginConfigMalformed is the error message reported for a plugin
// configuration that cannot be parsed (the reporting site is outside this
// excerpt).
const (
	PluginConfigMalformed = "plugin configuration is malformed"
)

Variables

This section is empty.

Functions

func BuiltIn

func BuiltIn() catalog.BuiltIn

BuiltIn constructs a catalog.BuiltIn using a new instance of this plugin.

Types

type AppRoleAuthConfig

// AppRoleAuthConfig represents parameters for the AppRole auth method.
// It is decoded from the plugin configuration via the hcl/json tags.
type AppRoleAuthConfig struct {
	// Name of the mount point where AppRole auth method is mounted. (e.g., /auth/<mount_point>/login)
	// If the value is empty, use default mount point (/auth/approle)
	AppRoleMountPoint string `hcl:"approle_auth_mount_point" json:"approle_auth_mount_point"`
	// An identifier that selects the AppRole.
	RoleID string `hcl:"approle_id" json:"approle_id"`
	// A credential that is required for login. This is a secret that lives
	// in the plugin configuration file: restrict that file's permissions and
	// keep it out of logs and version control.
	SecretID string `hcl:"approle_secret_id" json:"approle_secret_id"`
}

AppRoleAuthConfig represents parameters for AppRole auth method.

type AuthMethod

// AuthMethod selects how the client authenticates to Vault; it is passed to
// ClientConfig.NewAuthenticatedClient.
type AuthMethod int

// Supported authentication methods. Each corresponds to one of the *Auth
// blocks in Configuration.
// NOTE(review): this rendering shows no initializer on CERT; the source
// presumably declares it `= iota` — confirm before relying on the values.
const (
	// CERT authenticates with a TLS client certificate (CertAuthConfig).
	CERT AuthMethod
	// TOKEN authenticates with a pre-issued Vault token (TokenAuthConfig).
	TOKEN
	// APPROLE authenticates with an AppRole role/secret ID (AppRoleAuthConfig).
	APPROLE
	// K8S authenticates with a Kubernetes service account token (K8sAuthConfig).
	K8S
)

type CertAuthConfig

// CertAuthConfig represents parameters for the TLS client certificate auth
// method. It is decoded from the plugin configuration via the hcl/json tags.
type CertAuthConfig struct {
	// Name of the mount point where Client Certificate Auth method is mounted. (e.g., /auth/<mount_point>/login)
	// If the value is empty, use default mount point (/auth/cert)
	CertAuthMountPoint string `hcl:"cert_auth_mount_point" json:"cert_auth_mount_point"`
	// Name of the Vault role.
	// If given, the plugin authenticates against only the named role;
	// pinning a role avoids matching a broader role than intended.
	CertAuthRoleName string `hcl:"cert_auth_role_name" json:"cert_auth_role_name"`
	// Path to a client certificate file.
	// Only PEM format is supported.
	ClientCertPath string `hcl:"client_cert_path" json:"client_cert_path"`
	// Path to a client private key file.
	// Only PEM format is supported. The key is a credential; keep the
	// file readable only by the plugin's user.
	ClientKeyPath string `hcl:"client_key_path" json:"client_key_path"`
}

CertAuthConfig represents parameters for the cert auth method.

type Client

// Client wraps a Vault API client (see SetToken, which delegates to
// vapi.Client.SetToken). Its fields are unexported and elided in this
// rendering; obtain an instance via ClientConfig.NewAuthenticatedClient.
type Client struct {
	// contains filtered or unexported fields
}

func (*Client) Auth

func (c *Client) Auth(path string, body map[string]any) (*vapi.Secret, error)

Auth authenticates to vault server with TLS certificate method

func (*Client) LookupSelf added in v0.12.0

func (c *Client) LookupSelf(token string) (*vapi.Secret, error)

func (*Client) SetToken

func (c *Client) SetToken(v string)

SetToken wraps vapi.Client.SetToken()

func (*Client) SignIntermediate

func (c *Client) SignIntermediate(ttl string, csr *x509.CertificateRequest) (*SignCSRResponse, error)

SignIntermediate calls the sign-intermediate endpoint to generate a certificate. ttl is the TTL for the intermediate CA certificate; csr is the certificate signing request. See: https://www.vaultproject.io/api/secret/pki/index.html#sign-intermediate

type ClientConfig

// ClientConfig represents the configuration parameters for a Vault client.
// Build it with NewClientConfig and create clients with
// NewAuthenticatedClient; the remaining fields are unexported and elided
// in this rendering.
type ClientConfig struct {
	// Logger receives the client's log output.
	Logger hclog.Logger
	// contains filtered or unexported fields
}

ClientConfig represents the configuration parameters for the Vault client.

func NewClientConfig

func NewClientConfig(cp *ClientParams, logger hclog.Logger) (*ClientConfig, error)

NewClientConfig returns a new *ClientConfig with default parameters.

func (*ClientConfig) NewAuthenticatedClient

func (c *ClientConfig) NewAuthenticatedClient(method AuthMethod, renewCh chan struct{}) (client *Client, err error)

NewAuthenticatedClient returns a new authenticated Vault client for the given authentication method.

type ClientParams

// ClientParams holds the parameters used to build a Vault client (see
// NewClientConfig). It largely mirrors Configuration, with the per-method
// auth settings flattened into one struct. Several fields hold credentials
// (Token, AppRoleSecretID, ClientKeyPath, K8sAuthTokenPath); do not log
// this struct verbatim.
type ClientParams struct {
	// A URL of Vault server. (e.g., https://vault.example.com:8443/)
	VaultAddr string
	// Name of mount point where PKI secret engine is mounted. (e.g., /<mount_point>/ca/pem )
	PKIMountPoint string
	// Token string to use when auth method is 'token'.
	Token string
	// Name of mount point where TLS Cert auth method is mounted. (e.g., /auth/<mount_point>/login )
	CertAuthMountPoint string
	// Name of the Vault role.
	// If given, the plugin authenticates against only the named role.
	CertAuthRoleName string
	// Path to a client certificate file to be used when auth method is 'cert'.
	ClientCertPath string
	// Path to a client private key file to be used when auth method is 'cert'.
	ClientKeyPath string
	// Path to a CA certificate file to be used when client verifies a server certificate.
	CACertPath string
	// Name of mount point where AppRole auth method is mounted. (e.g., /auth/<mount_point>/login )
	AppRoleAuthMountPoint string
	// An identifier of AppRole.
	AppRoleID string
	// A credential (secret ID) of AppRole.
	AppRoleSecretID string
	// Name of the mount point where Kubernetes auth method is mounted. (e.g., /auth/<mount_point>/login)
	K8sAuthMountPoint string
	// Name of the Vault role.
	// The plugin authenticates against the named role.
	K8sAuthRoleName string
	// Path to a K8s Service Account Token to be used when auth method is 'k8s'.
	K8sAuthTokenPath string
	// If true, client accepts any server certificate, i.e. server
	// certificate verification is disabled and the connection can be
	// intercepted. It should be used only in test environments.
	// NOTE: the exported name misspells "Skip"; it is kept for compatibility.
	TLSSKipVerify bool
	// MaxRetries controls the number of times to retry to connect.
	// Set to 0 to disable retrying.
	// If nil, the default from hashicorp/vault/api is used.
	MaxRetries *int
	// Name of the Vault namespace.
	Namespace string
}

type Configuration added in v1.0.0

// Configuration is the plugin's configuration as decoded from HCL or JSON
// (the tags give the key names). The *Auth fields select the authentication
// method; which combinations are accepted is decided in Configure/Validate,
// outside this excerpt.
type Configuration struct {
	// A URL of Vault server. (e.g., https://vault.example.com:8443/)
	VaultAddr string `hcl:"vault_addr" json:"vault_addr"`
	// Name of the mount point where PKI secret engine is mounted. (e.g., /<mount_point>/ca/pem)
	PKIMountPoint string `hcl:"pki_mount_point" json:"pki_mount_point"`
	// Configuration for the Token authentication method.
	TokenAuth *TokenAuthConfig `hcl:"token_auth" json:"token_auth,omitempty"`
	// Configuration for the Client Certificate authentication method.
	CertAuth *CertAuthConfig `hcl:"cert_auth" json:"cert_auth,omitempty"`
	// Configuration for the AppRole authentication method.
	AppRoleAuth *AppRoleAuthConfig `hcl:"approle_auth" json:"approle_auth,omitempty"`
	// Configuration for the Kubernetes authentication method.
	K8sAuth *K8sAuthConfig `hcl:"k8s_auth" json:"k8s_auth,omitempty"`
	// Path to a CA certificate file the client uses to verify the server certificate.
	// Only PEM format is supported.
	CACertPath string `hcl:"ca_cert_path" json:"ca_cert_path"`
	// If true, the Vault client accepts any server certificate: server
	// certificate verification is disabled and the connection can be
	// intercepted. It should be used only in test environments; prefer
	// CACertPath for non-public CAs.
	InsecureSkipVerify bool `hcl:"insecure_skip_verify" json:"insecure_skip_verify"`
	// Name of the Vault namespace.
	Namespace string `hcl:"namespace" json:"namespace"`
}

type K8sAuthConfig added in v1.0.0

// K8sAuthConfig represents parameters for the Kubernetes auth method.
// It is decoded from the plugin configuration via the hcl/json tags.
type K8sAuthConfig struct {
	// Name of the mount point where Kubernetes auth method is mounted. (e.g., /auth/<mount_point>/login)
	// If the value is empty, use default mount point (/auth/kubernetes)
	K8sAuthMountPoint string `hcl:"k8s_auth_mount_point" json:"k8s_auth_mount_point"`
	// Name of the Vault role.
	// The plugin authenticates against the named role.
	K8sAuthRoleName string `hcl:"k8s_auth_role_name" json:"k8s_auth_role_name"`
	// Path to the Kubernetes Service Account Token used to authenticate to
	// Vault. The token is a credential; the file should be readable only by
	// the plugin's user.
	TokenPath string `hcl:"token_path" json:"token_path"`
}

K8sAuthConfig represents parameters for Kubernetes auth method.

type Plugin

// Plugin is the Vault UpstreamAuthority plugin. The embedded Unsafe*Server
// types provide the gRPC service embedding; the methods listed on this page
// (Configure, Validate, SetLogger, PublishJWTKeyAndSubscribe) are implemented
// on *Plugin, and PublishJWTKeyAndSubscribe returns codes.Unimplemented.
// The remaining fields are unexported and elided in this rendering.
type Plugin struct {
	upstreamauthorityv1.UnsafeUpstreamAuthorityServer
	configv1.UnsafeConfigServer
	// contains filtered or unexported fields
}

func New

func New() *Plugin

func (*Plugin) Configure

func (*Plugin) PublishJWTKeyAndSubscribe added in v1.0.0

PublishJWTKeyAndSubscribe is not implemented by the wrapper and returns a codes.Unimplemented status

func (*Plugin) SetLogger

func (p *Plugin) SetLogger(log hclog.Logger)

func (*Plugin) Validate added in v1.11.0

type Renew

// Renew is created by NewRenew from a Vault client and the secret obtained
// at login, and started with Run. NOTE(review): it presumably keeps that
// secret's token/lease renewed in the background — confirm in the source.
// Fields are unexported and elided in this rendering.
type Renew struct {
	// contains filtered or unexported fields
}

func NewRenew

func NewRenew(client *vapi.Client, secret *vapi.Secret, logger hclog.Logger) (*Renew, error)

func (*Renew) Run

func (r *Renew) Run()

type SignCSRResponse

// SignCSRResponse holds the certificates returned by Vault for a
// SignIntermediate request. All values are PEM-encoded.
type SignCSRResponse struct {
	// The certificate Vault issued for the submitted CSR.
	CACertPEM string
	// The certificate of the signing CA (Vault).
	UpstreamCACertPEM string
	// The chain of upstream CA certificates.
	UpstreamCACertChainPEM []string
}

SignCSRResponse includes the certificates generated by Vault.

type TokenAuthConfig

// TokenAuthConfig represents parameters for the token auth method.
// It is decoded from the plugin configuration via the hcl/json tags.
type TokenAuthConfig struct {
	// Token string to set into "X-Vault-Token" header. This is a secret
	// stored in the plugin configuration file: restrict that file's
	// permissions and keep it out of logs and version control.
	Token string `hcl:"token" json:"token"`
}

TokenAuthConfig represents parameters for the token auth method.
