Documentation ¶
Index ¶
- Constants
- func BuiltIn() catalog.BuiltIn
- type AppRoleAuthConfig
- type AuthMethod
- type CertAuthConfig
- type Client
- type ClientConfig
- type ClientParams
- type Configuration
- type K8sAuthConfig
- type Plugin
- func (p *Plugin) Configure(_ context.Context, req *configv1.ConfigureRequest) (*configv1.ConfigureResponse, error)
- func (p *Plugin) MintX509CAAndSubscribe(req *upstreamauthorityv1.MintX509CARequest, ...) error
- func (*Plugin) PublishJWTKeyAndSubscribe(*upstreamauthorityv1.PublishJWTKeyRequest, ...) error
- func (p *Plugin) SetLogger(log hclog.Logger)
- func (p *Plugin) Validate(_ context.Context, req *configv1.ValidateRequest) (*configv1.ValidateResponse, error)
- type Renew
- type SignCSRResponse
- type TokenAuthConfig
Constants ¶
const (
PluginConfigMalformed = "plugin configuration is malformed"
)
Variables ¶
This section is empty.
Functions ¶
Types ¶
type AppRoleAuthConfig ¶
type AppRoleAuthConfig struct { // Name of the mount point where AppRole auth method is mounted. (e.g., /auth/<mount_point>/login) // If the value is empty, use default mount point (/auth/approle) AppRoleMountPoint string `hcl:"approle_auth_mount_point" json:"approle_auth_mount_point"` // An identifier that selects the AppRole RoleID string `hcl:"approle_id" json:"approle_id"` // A credential that is required for login. SecretID string `hcl:"approle_secret_id" json:"approle_secret_id"` }
AppRoleAuthConfig represents parameters for AppRole auth method.
type CertAuthConfig ¶
type CertAuthConfig struct { // Name of the mount point where Client Certificate Auth method is mounted. (e.g., /auth/<mount_point>/login) // If the value is empty, use default mount point (/auth/cert) CertAuthMountPoint string `hcl:"cert_auth_mount_point" json:"cert_auth_mount_point"` // Name of the Vault role. // If given, the plugin authenticates against only the named role. CertAuthRoleName string `hcl:"cert_auth_role_name" json:"cert_auth_role_name"` // Path to a client certificate file. // Only PEM format is supported. ClientCertPath string `hcl:"client_cert_path" json:"client_cert_path"` // Path to a client private key file. // Only PEM format is supported. ClientKeyPath string `hcl:"client_key_path" json:"client_key_path"` }
CertAuthConfig represents parameters for cert auth method
type Client ¶
type Client struct {
// contains filtered or unexported fields
}
func (*Client) LookupSelf ¶ added in v0.12.0
func (*Client) SignIntermediate ¶
func (c *Client) SignIntermediate(ttl string, csr *x509.CertificateRequest) (*SignCSRResponse, error)
SignIntermediate requests sign-intermediate endpoint to generate certificate. ttl = TTL for Intermediate CA Certificate csr = Certificate Signing Request see: https://www.vaultproject.io/api/secret/pki/index.html#sign-intermediate
type ClientConfig ¶
type ClientConfig struct { Logger hclog.Logger // contains filtered or unexported fields }
ClientConfig represents configuration parameters for vault client
func NewClientConfig ¶
func NewClientConfig(cp *ClientParams, logger hclog.Logger) (*ClientConfig, error)
NewClientConfig returns a new *ClientConfig with default parameters.
func (*ClientConfig) NewAuthenticatedClient ¶
func (c *ClientConfig) NewAuthenticatedClient(method AuthMethod, renewCh chan struct{}) (client *Client, err error)
NewAuthenticatedClient returns a new authenticated vault client with given authentication method
type ClientParams ¶
type ClientParams struct { // A URL of Vault server. (e.g., https://vault.example.com:8443/) VaultAddr string // Name of mount point where PKI secret engine is mounted. (e.e., /<mount_point>/ca/pem ) PKIMountPoint string // token string to use when auth method is 'token' Token string // Name of mount point where TLS Cert auth method is mounted. (e.g., /auth/<mount_point>/login ) CertAuthMountPoint string // Name of the Vault role. // If given, the plugin authenticates against only the named role CertAuthRoleName string // Path to a client certificate file to be used when auth method is 'cert' ClientCertPath string // Path to a client private key file to be used when auth method is 'cert' ClientKeyPath string // Path to a CA certificate file to be used when client verifies a server certificate CACertPath string // Name of mount point where AppRole auth method is mounted. (e.g., /auth/<mount_point>/login ) AppRoleAuthMountPoint string // An identifier of AppRole AppRoleID string // A credential set of AppRole AppRoleSecretID string // Name of the mount point where Kubernetes auth method is mounted. (e.g., /auth/<mount_point>/login) K8sAuthMountPoint string // Name of the Vault role. // The plugin authenticates against the named role. K8sAuthRoleName string // Path to a K8s Service Account Token to be used when auth method is 'k8s' K8sAuthTokenPath string // If true, client accepts any certificates. // It should be used only test environment so on. TLSSKipVerify bool // MaxRetries controls the number of times to retry to connect // Set to 0 to disable retrying. // If the value is nil, to use the default in hashicorp/vault/api. MaxRetries *int // Name of the Vault namespace Namespace string }
type Configuration ¶ added in v1.0.0
type Configuration struct { // A URL of Vault server. (e.g., https://vault.example.com:8443/) VaultAddr string `hcl:"vault_addr" json:"vault_addr"` // Name of the mount point where PKI secret engine is mounted. (e.g., /<mount_point>/ca/pem) PKIMountPoint string `hcl:"pki_mount_point" json:"pki_mount_point"` // Configuration for the Token authentication method TokenAuth *TokenAuthConfig `hcl:"token_auth" json:"token_auth,omitempty"` // Configuration for the Client Certificate authentication method CertAuth *CertAuthConfig `hcl:"cert_auth" json:"cert_auth,omitempty"` // Configuration for the AppRole authentication method AppRoleAuth *AppRoleAuthConfig `hcl:"approle_auth" json:"approle_auth,omitempty"` // Configuration for the Kubernetes authentication method K8sAuth *K8sAuthConfig `hcl:"k8s_auth" json:"k8s_auth,omitempty"` // Path to a CA certificate file that the client verifies the server certificate. // Only PEM format is supported. CACertPath string `hcl:"ca_cert_path" json:"ca_cert_path"` // If true, vault client accepts any server certificates. // It should be used only test environment so on. InsecureSkipVerify bool `hcl:"insecure_skip_verify" json:"insecure_skip_verify"` // Name of the Vault namespace Namespace string `hcl:"namespace" json:"namespace"` }
type K8sAuthConfig ¶ added in v1.0.0
type K8sAuthConfig struct { // Name of the mount point where Kubernetes auth method is mounted. (e.g., /auth/<mount_point>/login) // If the value is empty, use default mount point (/auth/kubernetes) K8sAuthMountPoint string `hcl:"k8s_auth_mount_point" json:"k8s_auth_mount_point"` // Name of the Vault role. // The plugin authenticates against the named role. K8sAuthRoleName string `hcl:"k8s_auth_role_name" json:"k8s_auth_role_name"` // Path to the Kubernetes Service Account Token to use authentication with the Vault. TokenPath string `hcl:"token_path" json:"token_path"` }
K8sAuthConfig represents parameters for Kubernetes auth method.
type Plugin ¶
type Plugin struct { upstreamauthorityv1.UnsafeUpstreamAuthorityServer configv1.UnsafeConfigServer // contains filtered or unexported fields }
func (*Plugin) Configure ¶
func (p *Plugin) Configure(_ context.Context, req *configv1.ConfigureRequest) (*configv1.ConfigureResponse, error)
func (*Plugin) MintX509CAAndSubscribe ¶ added in v1.0.0
func (p *Plugin) MintX509CAAndSubscribe(req *upstreamauthorityv1.MintX509CARequest, stream upstreamauthorityv1.UpstreamAuthority_MintX509CAAndSubscribeServer) error
func (*Plugin) PublishJWTKeyAndSubscribe ¶ added in v1.0.0
func (*Plugin) PublishJWTKeyAndSubscribe(*upstreamauthorityv1.PublishJWTKeyRequest, upstreamauthorityv1.UpstreamAuthority_PublishJWTKeyAndSubscribeServer) error
PublishJWTKeyAndSubscribe is not implemented by the wrapper and returns a codes.Unimplemented status
func (*Plugin) Validate ¶ added in v1.11.0
func (p *Plugin) Validate(_ context.Context, req *configv1.ValidateRequest) (*configv1.ValidateResponse, error)
type SignCSRResponse ¶
type SignCSRResponse struct { // A certificate requested to sign CACertPEM string // A certificate of CA(Vault) UpstreamCACertPEM string // Set of Upstream CA certificates UpstreamCACertChainPEM []string }
SignCSRResponse includes certificates which are generates by Vault
type TokenAuthConfig ¶
type TokenAuthConfig struct { // Token string to set into "X-Vault-Token" header Token string `hcl:"token" json:"token"` }
TokenAuthConfig represents parameters for token auth method