vault

package
Published: Apr 14, 2021 License: Apache-2.0 Imports: 21 Imported by: 1

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func BuiltIn

func BuiltIn() catalog.Plugin

BuiltIn constructs a catalog Plugin using a new instance of this plugin.

Types

type AppRoleAuthConfig

// AppRoleAuthConfig holds the HCL parameters for the AppRole auth method.
type AppRoleAuthConfig struct {
	// Name of the mount point where the AppRole auth method is mounted (e.g., /auth/<mount_point>/login).
	// If the value is empty, the default mount point (/auth/approle) is used.
	AppRoleMountPoint string `hcl:"approle_auth_mount_point"`
	// An identifier that selects the AppRole.
	RoleID string `hcl:"approle_id"`
	// A credential that is required for login.
	// SECURITY: this is a secret. Together with RoleID it is sufficient to log in to
	// Vault as this AppRole, so read access to the configuration file that carries it
	// must be restricted to the plugin's own user.
	SecretID string `hcl:"approle_secret_id"`
}

AppRoleAuthConfig holds the parameters for the AppRole auth method. SecretID is a login credential: anyone who can read the configuration containing it (and the RoleID) can authenticate to Vault as this AppRole, so protect that file accordingly.

type AuthMethod

// AuthMethod selects how the plugin authenticates to Vault.
type AuthMethod int
// NOTE(review): this rendered listing omits the constants' initializers; in the
// source they are presumably iota-based (CERT = 0, TOKEN = 1, APPROLE = 2) — confirm.
const (
	// CERT authenticates with a TLS client certificate (see CertAuthConfig).
	CERT AuthMethod
	// TOKEN authenticates with a pre-issued Vault token (see TokenAuthConfig).
	TOKEN
	// APPROLE authenticates with an AppRole RoleID/SecretID pair (see AppRoleAuthConfig).
	APPROLE
)

type CertAuthConfig

// CertAuthConfig holds the HCL parameters for the TLS client certificate auth method.
type CertAuthConfig struct {
	// Name of the mount point where the Client Certificate auth method is mounted (e.g., /auth/<mount_point>/login).
	// If the value is empty, the default mount point (/auth/cert) is used.
	CertAuthMountPoint string `hcl:"cert_auth_mount_point"`
	// Name of the Vault role.
	// If given, the plugin authenticates against only the named role.
	// NOTE(review): when empty, Vault presumably matches the certificate against any
	// role on the mount; pinning the role is the tighter choice — confirm.
	CertAuthRoleName string `hcl:"cert_auth_role_name"`
	// Path to a client certificate file.
	// Only PEM format is supported.
	ClientCertPath string `hcl:"client_cert_path"`
	// Path to a client private key file.
	// Only PEM format is supported.
	// SECURITY: this key is the login credential; restrict its file permissions to the plugin's user.
	ClientKeyPath string `hcl:"client_key_path"`
}

CertAuthConfig holds the parameters for the TLS client certificate auth method. The private key at ClientKeyPath is the login credential and must be protected like one.

type Client

// Client is this plugin's wrapper around a hashicorp/vault/api client (vapi.Client);
// its fields are unexported and not shown in this listing. Use the methods below
// (Auth, LookupSelf, SetToken, SignIntermediate) rather than reaching into it.
type Client struct {
	// contains filtered or unexported fields
}

func (*Client) Auth

func (c *Client) Auth(path string, body map[string]interface{}) (*vapi.Secret, error)

Auth authenticates to the Vault server by submitting body to the auth endpoint at path (e.g., /auth/<mount_point>/login) and returns the secret Vault issues. The name "TLSAuth" in the original comment appears stale: the signature takes an arbitrary auth path and request body, so the method is not tied to the certificate auth method.

func (*Client) LookupSelf added in v0.12.0

func (c *Client) LookupSelf(token string) (*vapi.Secret, error)

func (*Client) SetToken

func (c *Client) SetToken(v string)

SetToken wraps vapi.Client.SetToken()

func (*Client) SignIntermediate

func (c *Client) SignIntermediate(ttl string, csr *x509.CertificateRequest) (*SignCSRResponse, error)

SignIntermediate calls the PKI sign-intermediate endpoint so that Vault signs csr as an intermediate CA certificate and returns the issued certificate and chain. ttl is the requested TTL for the intermediate CA certificate (Vault may presumably cap it at the role or mount maximum — confirm against the Vault version in use); csr is the Certificate Signing Request. See: https://www.vaultproject.io/api/secret/pki/index.html#sign-intermediate

type ClientConfig

// ClientConfig holds the configuration used to construct Vault clients
// (see NewClientConfig and NewAuthenticatedClient). Logger is its only
// exported field; the connection and credential parameters are unexported.
type ClientConfig struct {
	Logger hclog.Logger
	// contains filtered or unexported fields
}

ClientConfig represents configuration parameters for vault client

func NewClientConfig

func NewClientConfig(cp *ClientParams, logger hclog.Logger) (*ClientConfig, error)

NewClientConfig returns a new *ClientConfig built from cp and logger, applying default values for parameters cp leaves unset. (The original comment's "NewClient" is a stale name.)

func (*ClientConfig) NewAuthenticatedClient

func (c *ClientConfig) NewAuthenticatedClient(method AuthMethod) (client *Client, reusable bool, err error)

NewAuthenticatedClient returns a new Vault client authenticated with the given method. If reusable is false, the token behind the client is not renewable and will expire, so the caller must call this again to obtain a fresh token rather than reuse the client indefinitely.

type ClientParams

// ClientParams are the raw parameters from which NewClientConfig builds a ClientConfig.
// Token, ClientKeyPath and AppRoleSecretID are credentials; whatever supplies them
// must be protected accordingly.
type ClientParams struct {
	// A URL of Vault server. (e.g., https://vault.example.com:8443/)
	VaultAddr string
	// Name of mount point where PKI secret engine is mounted. (e.g., /<mount_point>/ca/pem )
	PKIMountPoint string
	// Vault token to use when the auth method is 'token'.
	// SECURITY: a bearer credential; anyone holding it has the token's Vault policies.
	Token string
	// Name of mount point where TLS Cert auth method is mounted. (e.g., /auth/<mount_point>/login )
	CertAuthMountPoint string
	// Name of the Vault role.
	// If given, the plugin authenticates against only the named role
	CertAuthRoleName string
	// Path to a client certificate file to be used when auth method is 'cert'
	ClientCertPath string
	// Path to a client private key file to be used when auth method is 'cert'
	// SECURITY: the private key is the login credential; restrict its file permissions.
	ClientKeyPath string
	// Path to a CA certificate file to be used when client verifies a server certificate
	CACertPath string
	// Name of mount point where AppRole auth method is mounted. (e.g., /auth/<mount_point>/login )
	AppRoleAuthMountPoint string
	// An identifier of AppRole
	AppRoleID string
	// A credential set of AppRole
	// SECURITY: together with AppRoleID this is sufficient to log in as the AppRole.
	AppRoleSecretID string
	// If true, the client accepts any server certificate, i.e. verification of the
	// Vault server's TLS certificate is disabled and CACertPath provides no protection.
	// SECURITY: an on-path attacker can then impersonate Vault, capture the token /
	// AppRole SecretID / client-cert login, and return attacker-controlled CA
	// certificates. Use only in test environments; never in production.
	TLSSKipVerify bool
	// MaxRetries controls the number of times to retry to connect
	// Set to 0 to disable retrying.
	// If the value is nil, the default from hashicorp/vault/api is used.
	MaxRetries *int
	// Name of the Vault namespace
	Namespace string
}

type Plugin

// Plugin is the Vault-backed UpstreamAuthority plugin. It embeds
// upstreamauthority.UnsafeUpstreamAuthorityServer, so any server method it does
// not implement itself (e.g. PublishJWTKey) reports codes.Unimplemented rather than
// failing at compile time; its remaining fields are unexported and not shown here.
type Plugin struct {
	upstreamauthority.UnsafeUpstreamAuthorityServer
	// contains filtered or unexported fields
}

func New

func New() *Plugin

func (*Plugin) Configure

func (p *Plugin) Configure(ctx context.Context, req *spi.ConfigureRequest) (*spi.ConfigureResponse, error)

func (*Plugin) PublishJWTKey

PublishJWTKey is not implemented by the wrapper and returns a codes.Unimplemented status

func (*Plugin) SetLogger

func (p *Plugin) SetLogger(log hclog.Logger)

type PluginConfig

// PluginConfig is the HCL configuration of the plugin. Exactly which of TokenAuth,
// CertAuth and AppRoleAuth must be set is not visible in this listing — see Configure.
// Credentials (token, AppRole secret ID, client private key) live in or are referenced
// from this configuration, so the file must be readable only by the plugin's user.
type PluginConfig struct {
	// A URL of Vault server. (e.g., https://vault.example.com:8443/)
	VaultAddr string `hcl:"vault_addr"`
	// Name of the mount point where PKI secret engine is mounted. (e.g., /<mount_point>/ca/pem)
	PKIMountPoint string `hcl:"pki_mount_point"`
	// Configuration for the Token authentication method
	TokenAuth *TokenAuthConfig `hcl:"token_auth"`
	// Configuration for the Client Certificate authentication method
	CertAuth *CertAuthConfig `hcl:"cert_auth"`
	// Configuration for the AppRole authentication method
	AppRoleAuth *AppRoleAuthConfig `hcl:"approle_auth"`
	// Path to a CA certificate file against which the client verifies the server certificate.
	// Only PEM format is supported.
	CACertPath string `hcl:"ca_cert_path"`
	// If true, the vault client accepts any server certificate, i.e. TLS server
	// verification is disabled and CACertPath provides no protection.
	// SECURITY: an on-path attacker can impersonate Vault, capture the login credential
	// and hand back attacker-controlled CA certificates for this upstream authority.
	// Use only in test environments; never in production.
	InsecureSkipVerify bool `hcl:"insecure_skip_verify"`
	// Name of the Vault namespace
	Namespace string `hcl:"namespace"`
}

type Renew

// Renew handles renewal of the secret handed to NewRenew using the client handed
// to NewRenew; Run performs the renewal. Whether Run blocks or returns immediately
// is not visible in this listing — NOTE(review): confirm before calling it inline.
type Renew struct {
	Logger hclog.Logger
	// contains filtered or unexported fields
}

func NewRenew

func NewRenew(client *vapi.Client, secret *vapi.Secret, logger hclog.Logger) (*Renew, error)

func (*Renew) Run

func (r *Renew) Run()

type SignCSRResponse

// SignCSRResponse holds the PEM-encoded certificates Vault returns for a
// SignIntermediate request.
type SignCSRResponse struct {
	// The certificate Vault issued for the submitted CSR.
	CertPEM string
	// The certificate of the signing CA (Vault).
	CACertPEM string
	// Upstream CA certificates above the signing CA, one PEM block per element.
	// NOTE(review): ordering (leaf-most first vs. root first) is not established here — confirm.
	CACertChainPEM []string
}

SignCSRResponse holds the PEM-encoded certificates generated by Vault in response to a sign-intermediate request: the issued certificate, the signing CA's certificate, and the upstream CA chain.

type TokenAuthConfig

// TokenAuthConfig holds the HCL parameters for the token auth method.
type TokenAuthConfig struct {
	// Token string to set into the "X-Vault-Token" header.
	// SECURITY: this is a bearer credential; anyone who can read the configuration
	// file gains the token's Vault policies. Restrict read access to the plugin's user.
	Token string `hcl:"token"`
}

TokenAuthConfig holds the parameters for the token auth method. Token is a bearer credential sent in the X-Vault-Token header; protect the configuration that contains it.

type TokenStatus added in v0.12.0

// TokenStatus classifies the token behind an authenticated client and presumably
// drives the reusable result of NewAuthenticatedClient and whether Renew is needed.
// NOTE(review): the rendered listing omits the initializers; presumably iota-based — confirm.
type TokenStatus int
const (
	// Renewable: the token has a TTL and can be renewed.
	Renewable TokenStatus
	// NotRenewable: the token has a TTL and cannot be renewed; a new login is needed when it expires.
	NotRenewable
	// NeverExpire: the token has no expiry.
	NeverExpire
)
