vault

package
v3.14.1+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 6, 2018 License: Apache-2.0 Imports: 14 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewVaultFactory 

func NewVaultFactory(sr SecretReader, loggedIn <-chan struct{}, prefix string) *vaultFactory

func NewVaultManagerFactory 

func NewVaultManagerFactory() creds.ManagerFactory

Types

type APIClient 

type APIClient struct {
	// contains filtered or unexported fields
}

The APIClient is a SecretReader which maintains an authorized client using the Login and Renew functions.

func NewAPIClient 

func NewAPIClient(logger lager.Logger, apiURL string, tlsConfig *vaultapi.TLSConfig, authConfig AuthConfig) (*APIClient, error)

NewAPIClient with the associated authorization config and underlying vault client.

func (*APIClient) Login 

func (ac *APIClient) Login() (time.Duration, error)

Login the APIClient using the credentials passed at construction. Returns a duration after which renew must be called.

func (*APIClient) Read 

func (ac *APIClient) Read(path string) (*vaultapi.Secret, error)

Read must be called after a successful login has occurred or an un-authorized client will be used.

func (*APIClient) Renew 

func (ac *APIClient) Renew() (time.Duration, error)

Renew the APIClient login using the credentials passed at construction. Must be called after a successful login. Returns a duration after which renew must be called again.

type AuthConfig 

type AuthConfig struct {
	ClientToken string `long:"client-token" description:"Client token for accessing secrets within the Vault server."`

	Backend       string        `long:"auth-backend"               description:"Auth backend to use for logging in to Vault."`
	BackendMaxTTL time.Duration `` /* 142-byte string literal not displayed */
	RetryMax      time.Duration `long:"retry-max"     default:"5m" description:"The maximum time between retries when logging in or re-authing a secret."`
	RetryInitial  time.Duration `long:"retry-initial" default:"1s" description:"The initial time between retries when logging in or re-authing a secret."`

	Params []template.VarKV `` /* 139-byte string literal not displayed */
}

type Auther 

type Auther interface {
	Login() (time.Duration, error)
	Renew() (time.Duration, error)
}

An Auther is anything which needs to be logged in and then have that login renewed on a regulary basis.

type Cache 

type Cache struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

A Cache caches secrets read from a SecretReader until the lease on the secret expires. Once expired the credential is proactively deleted from cache to maintain a smaller cache footprint.

func NewCache 

func NewCache(sr SecretReader, maxLease time.Duration) *Cache

NewCache using the underlying vault client.

func (*Cache) Read 

func (c *Cache) Read(path string) (*vaultapi.Secret, error)

Read a secret from the cache or the underlying client if not present.

type ReAuther 

type ReAuther struct {
	// contains filtered or unexported fields
}

The ReAuther runs the authorization loop (login, renew) and retries using a bounded exponential backoff strategy. If maxTTL is set, a new login will be done _regardless_ of the available leaseDuration.

func NewReAuther 

func NewReAuther(auther Auther, maxTTL, retry, max time.Duration) *ReAuther

NewReAuther with a retry time and a max retry time.

func (*ReAuther) LoggedIn 

func (ra *ReAuther) LoggedIn() <-chan struct{}

LoggedIn will receive a signal after every login. Multiple logins may result in a single signal as this channel is not blocked.

type SecretReader 

type SecretReader interface {
	Read(path string) (*vaultapi.Secret, error)
}

A SecretReader reads a vault secret from the given path. It should be thread safe!

type Vault 

type Vault struct {
	SecretReader SecretReader

	PathPrefix   string
	TeamName     string
	PipelineName string
}

Vault converts a vault secret to our completely untyped secret data.

func (Vault) Get 

func (v Vault) Get(varDef template.VariableDefinition) (interface{}, bool, error)

func (Vault) List 

func (v Vault) List() ([]template.VariableDefinition, error)

type VaultManager 

type VaultManager struct {
	URL string `long:"url" description:"Vault server address used to access secrets."`

	PathPrefix string `long:"path-prefix" default:"/concourse" description:"Path under which to namespace credential lookup."`

	Cache    bool          `bool:"cache" default:"false" description:"Cache returned secrets for their lease duration in memory"`
	MaxLease time.Duration `long:"max-lease" description:"If the cache is enabled, and this is set, override secrets lease duration with a maximum value"`

	TLS struct {
		CACert     string `long:"ca-cert"              description:"Path to a PEM-encoded CA cert file to use to verify the vault server SSL cert."`
		CAPath     string `` /* 127-byte string literal not displayed */
		ClientCert string `long:"client-cert"          description:"Path to the client certificate for Vault authorization."`
		ClientKey  string `long:"client-key"           description:"Path to the client private key for Vault authorization."`
		ServerName string `long:"server-name"          description:"If set, is used to set the SNI host when connecting via TLS."`
		Insecure   bool   `long:"insecure-skip-verify" description:"Enable insecure SSL verification."`
	}

	Auth AuthConfig
}

func (VaultManager) IsConfigured 

func (manager VaultManager) IsConfigured() bool

func (VaultManager) NewVariablesFactory 

func (manager VaultManager) NewVariablesFactory(logger lager.Logger) (creds.VariablesFactory, error)

func (VaultManager) Validate 

func (manager VaultManager) Validate() error

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.