env

package
v0.24.2
Published: Apr 1, 2024 License: BSD-2-Clause Imports: 5 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func BackingStoreForSafe added in v0.22.5

func BackingStoreForSafe() data.BackingStore

BackingStoreForSafe returns the backing store for VSecM Safe's data, as specified by the VSECM_SAFE_BACKING_STORE environment variable. If the variable is not set, it defaults to "file". Any value other than "file" makes VSecM Safe keep its state in memory only, so that state does not survive a restart of the Safe pod.

func BootstrapTimeoutForSafe added in v0.22.5

func BootstrapTimeoutForSafe() time.Duration

BootstrapTimeoutForSafe returns how long VSecM Safe waits to acquire an SVID before it gives up and terminates the pod, as a time.Duration. The interval is read, in milliseconds, from the VSECM_SAFE_BOOTSTRAP_TIMEOUT environment variable, with a default of 300000 milliseconds (5 minutes) if the variable is not set or cannot be parsed.

func DataPathForSafe added in v0.22.5

func DataPathForSafe() string

DataPathForSafe returns the path to the safe data directory. The path is determined by the VSECM_SAFE_DATA_PATH environment variable. If the environment variable is not set, the default path "/data" is returned.

func EndpointUrlForSafe added in v0.22.5

func EndpointUrlForSafe() string

EndpointUrlForSafe returns the URL for the VSecM Safe endpoint used in the VMware Secrets Manager system. The URL is obtained from the environment variable VSECM_SAFE_ENDPOINT_URL. If the variable is not set, the default URL is used.

func ErrorThresholdForSidecar added in v0.23.0

func ErrorThresholdForSidecar() int64

ErrorThresholdForSidecar returns the number of consecutive failed polls before increasing the interval. The value is read from the environment variable `VSECM_SIDECAR_ERROR_THRESHOLD` or returns 2 as default.

func ExponentialBackoffMultiplierForSidecar added in v0.23.0

func ExponentialBackoffMultiplierForSidecar() int64

ExponentialBackoffMultiplierForSidecar returns the multiplier for exponential backoff by the sidecar process. The value is read from the environment variable `VSECM_SIDECAR_EXPONENTIAL_BACKOFF_MULTIPLIER` or returns 2 as default.

func ExportedSecretPathForKeyGen added in v0.23.0

func ExportedSecretPathForKeyGen() string

ExportedSecretPathForKeyGen returns the path where the exported secrets are stored. It reads the environment variable VSECM_KEYGEN_EXPORTED_SECRET_PATH to determine the path. If the environment variable is not set, it defaults to "/opt/vsecm/secrets.json".

Returns:

string: The path to the exported secrets.

func FipsCompliantModeForSafe added in v0.22.5

func FipsCompliantModeForSafe() bool

FipsCompliantModeForSafe returns a boolean indicating whether VSecM Safe should run in FIPS-compliant mode. Note that this is not a guarantee that VSecM Safe will run in FIPS-compliant mode, as that depends on the underlying base image. If you are using one of the official FIPS-compliant VMware Secrets Manager Docker images, then it will be FIPS-compliant. Check https://vsecm.com/configuration/ for more details.

func InitCommandPathForSentinel added in v0.23.0

func InitCommandPathForSentinel() string

InitCommandPathForSentinel returns the path to the initialization commands file for VSecM Sentinel.

It checks for an environment variable "VSECM_SENTINEL_INIT_COMMAND_PATH" and uses its value as the path. If the environment variable is not set, it defaults to "/opt/vsecm-sentinel/init/data".

Returns:

string: The path to the Sentinel initialization commands file.

func InitCommandRunnerWaitTimeoutForSentinel added in v0.23.0

func InitCommandRunnerWaitTimeoutForSentinel() time.Duration

InitCommandRunnerWaitTimeoutForSentinel returns the maximum time the Sentinel init command runner waits for Sentinel to acquire an SVID.

If the environment variable "VSECM_SENTINEL_INIT_COMMAND_RUNNER_WAIT_TIMEOUT" is set and valid, its value (in milliseconds) is used as the timeout. If the environment variable is not set or is invalid, a default timeout of 300,000 milliseconds (5 minutes) is used.

Returns:

time.Duration: The max time duration that the Sentinel will wait for an SVID.

func InitCommandTombstonePathForSentinel added in v0.23.0

func InitCommandTombstonePathForSentinel() string

InitCommandTombstonePathForSentinel returns the path for the VSecM Sentinel initialization command tombstone file.

It looks for the environment variable "VSECM_SENTINEL_INIT_COMMAND_TOMBSTONE_PATH" and uses its value as the path. If the environment variable is not set, it defaults to "/opt/vsecm-sentinel/tombstone/init".

This path is usually used to store a "tombstone" file or data indicating that the initialization command has been executed or is no longer valid.

Returns:

string: The path to the Sentinel initialization command tombstone.

func IvInitializationIntervalForSafe added in v0.22.5

func IvInitializationIntervalForSafe() int

IvInitializationIntervalForSafe fetches the Initialization Vector (IV) interval from an environment variable. IV is used in AES encryption.

The environment variable used is VSECM_SAFE_IV_INITIALIZATION_INTERVAL. If the environment variable is not set or contains an invalid integer, the function returns a default value of 50. The returned value is intended to be used for rate-limiting or throttling the initialization of IVs.

Returns: int: The IV initialization interval in milliseconds.

func K8sSecretBufferSizeForSafe added in v0.22.5

func K8sSecretBufferSizeForSafe() int

K8sSecretBufferSizeForSafe returns the buffer size for the VSecM Safe Kubernetes secret queue.

The buffer size is determined by the environment variable VSECM_SAFE_K8S_SECRET_BUFFER_SIZE.

If the environment variable is not set, the default buffer size is 10. If the environment variable is set and can be parsed as an integer, it will be used as the buffer size. If the environment variable is set but cannot be parsed as an integer, the default buffer size is used.

func K8sSecretDeleteBufferSizeForSafe added in v0.22.5

func K8sSecretDeleteBufferSizeForSafe() int

K8sSecretDeleteBufferSizeForSafe returns the buffer size for the VSecM Safe Kubernetes secret deletion queue.

The buffer size is determined by the environment variable VSECM_SAFE_K8S_SECRET_DELETE_BUFFER_SIZE.

If the environment variable is not set, the default buffer size is 10. If the environment variable is set and can be parsed as an integer, it will be used as the buffer size. If the environment variable is set but cannot be parsed as an integer, the default buffer size is used.

func KeyGenDecrypt added in v0.22.0

func KeyGenDecrypt() bool

KeyGenDecrypt determines if VSecM Keygen should decrypt the secrets json file instead of generating a new root key (which is its default behavior).

It reads the environment variable VSECM_KEYGEN_DECRYPT and checks if it is set to "true".

If this value is `false`, VSecM Keygen will generate a new root key.

If this value is `true`, VSecM Keygen will attempt to decrypt the secrets provided to it.

Returns:

bool: True if decryption should proceed, false otherwise.

func LogLevel

func LogLevel() int

LogLevel returns the value set by VSECM_LOG_LEVEL environment variable, or a default level.

VSECM_LOG_LEVEL determines the verbosity of the logs. 0: logs are off, 7: highest verbosity (TRACE).

func ManualRootKeyUpdatesK8sSecret added in v0.24.0

func ManualRootKeyUpdatesK8sSecret() bool

ManualRootKeyUpdatesK8sSecret returns a boolean indicating whether to update the Kubernetes secret when the root key is provided manually to VSecM Safe. If the environment variable is not set or its value is not "true", the function returns false. Otherwise, the function returns true.

func MaxPollIntervalForSidecar added in v0.23.0

func MaxPollIntervalForSidecar() time.Duration

MaxPollIntervalForSidecar returns the maximum interval for polling by the sidecar process. The value is read from the environment variable `VSECM_SIDECAR_MAX_POLL_INTERVAL` or returns 300000 milliseconds as default.

func PollIntervalForInitContainer added in v0.23.0

func PollIntervalForInitContainer() time.Duration

PollIntervalForInitContainer returns the time interval between each poll in the Watch function. The interval is specified in milliseconds as the VSECM_INIT_CONTAINER_POLL_INTERVAL environment variable. If the environment variable is not set or is not a valid integer value, the function returns the default interval of 5000 milliseconds.

func PollIntervalForSidecar added in v0.23.0

func PollIntervalForSidecar() time.Duration

PollIntervalForSidecar returns the sidecar's polling interval as a time.Duration. The interval is read, in milliseconds, from the VSECM_SIDECAR_POLL_INTERVAL environment variable, with a default of 20000 milliseconds if the variable is not set or cannot be parsed.

func ProbeLivenessPort

func ProbeLivenessPort() string

ProbeLivenessPort returns the port for liveness probe. It first checks the environment variable VSECM_PROBE_LIVENESS_PORT. If the variable is not set, it returns the default value ":8081".

func ProbeReadinessPort

func ProbeReadinessPort() string

ProbeReadinessPort returns the port for readiness probe. It first checks the environment variable VSECM_PROBE_READINESS_PORT. If the variable is not set, it returns the default value ":8082".

func RemoveLinkedK8sSecretsModeForSafe added in v0.22.5

func RemoveLinkedK8sSecretsModeForSafe() bool

RemoveLinkedK8sSecretsModeForSafe returns a boolean indicating whether VSecM Safe should delete linked Kubernetes secrets when a Safe-managed secret is deleted.

The removal of linked Kubernetes secrets is determined by the environment variable VSECM_SAFE_REMOVE_LINKED_K8S_SECRETS.

If the environment variable is not set or its value is not "true", the function returns false. Otherwise, the function returns true.

func RootKeyInputModeManual added in v0.22.5

func RootKeyInputModeManual() bool

RootKeyInputModeManual returns a boolean indicating whether to use manual cryptographic key input for VSecM Safe, instead of letting it bootstrap automatically. If the environment variable is not set or its value is not "true", the function returns false. Otherwise, the function returns true.

func RootKeyPathForKeyGen added in v0.23.0

func RootKeyPathForKeyGen() string

RootKeyPathForKeyGen returns the root key path. Root key is used to decrypt VSecM-encrypted secrets. It reads the environment variable VSECM_KEYGEN_ROOT_KEY_PATH to determine the path. If the environment variable is not set, it defaults to "/opt/vsecm/keys.txt".

Returns:

string: The path to the root key.

func RootKeyPathForSafe added in v0.22.5

func RootKeyPathForSafe() string

RootKeyPathForSafe returns the path to the VSecM Safe root key file. The path is determined by the VSECM_ROOT_KEY_PATH environment variable. If the environment variable is not set, the default path "/key/key.txt" is returned.

func RootKeySecretNameForSafe added in v0.22.5

func RootKeySecretNameForSafe() string

RootKeySecretNameForSafe returns the name of the Kubernetes Secret that holds the VSecM Safe root key. The value is read from the "VSECM_ROOT_KEY_NAME" environment variable. If this variable is not set or is empty, the default value "vsecm-root-key" is returned.

func SecretBackupCountForSafe added in v0.22.5

func SecretBackupCountForSafe() int

SecretBackupCountForSafe retrieves the number of backups to keep for VSecM Safe secrets. If the environment variable VSECM_SAFE_SECRET_BACKUP_COUNT is not set or is not a valid integer, the default value of 3 will be returned.

func SecretBufferSizeForSafe added in v0.22.5

func SecretBufferSizeForSafe() int

SecretBufferSizeForSafe returns the buffer size for the VSecM Safe secret queue.

The buffer size is determined by the environment variable VSECM_SAFE_SECRET_BUFFER_SIZE.

If the environment variable is not set, the default buffer size is 10. If the environment variable is set and can be parsed as an integer, it will be used as the buffer size. If the environment variable is set but cannot be parsed as an integer, the default buffer size is used.

func SecretDeleteBufferSizeForSafe added in v0.22.5

func SecretDeleteBufferSizeForSafe() int

SecretDeleteBufferSizeForSafe returns the buffer size for the VSecM Safe secret deletion queue.

The buffer size is determined by the environment variable VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE.

If the environment variable is not set, the default buffer size is 10. If the environment variable is set and can be parsed as an integer, it will be used as the buffer size. If the environment variable is set but cannot be parsed as an integer, the default buffer size is used.

func SecretGenerationPrefix added in v0.22.0

func SecretGenerationPrefix() string

SecretGenerationPrefix returns a prefix that's used by VSecM Sentinel to generate random pattern-based secrets. If a secret is prefixed with this value, then VSecM Sentinel will consider it as a "template" rather than a literal value.

It retrieves this prefix from the environment variable "VSECM_SENTINEL_SECRET_GENERATION_PREFIX". If the environment variable is not set or is empty, it defaults to "gen:".

func SecretsPathForSidecar added in v0.23.0

func SecretsPathForSidecar() string

SecretsPathForSidecar returns the path to the secrets file used by the sidecar. The path is determined by the VSECM_SIDECAR_SECRETS_PATH environment variable, with a default value of "/opt/vsecm/secrets.json" if the variable is not set.

func SentinelEnableOIDCResourceServer added in v0.23.2

func SentinelEnableOIDCResourceServer() bool

SentinelEnableOIDCResourceServer returns a boolean indicating whether VSecM Sentinel should run as an OIDC resource server, so that requests to it are authorized against an OIDC provider.

The setting is read from the "VSECM_SENTINEL_ENABLE_OIDC_RESOURCE_SERVER" environment variable. If this variable is not set or is empty, the default is false.

func SentinelOIDCProviderBaseUrl added in v0.23.2

func SentinelOIDCProviderBaseUrl() string

SentinelOIDCProviderBaseUrl returns the base URL of the OIDC provider that VSecM Sentinel uses when it is configured to run as an OIDC resource server.

The URL is read from the "VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL" environment variable. If this variable is not set or is empty, the empty string "" is returned.

func SourceAcquisitionTimeoutForSafe added in v0.22.5

func SourceAcquisitionTimeoutForSafe() time.Duration

SourceAcquisitionTimeoutForSafe returns the timeout for acquiring a SPIFFE source bundle. It reads the environment variable `VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT`, interpreted as a number of milliseconds, to determine the timeout. If the environment variable is not set or cannot be parsed, it defaults to 10000 milliseconds.

Returns:

time.Duration: The time to wait for acquiring the source.

func SpiffeIdPrefixForSafe added in v0.22.5

func SpiffeIdPrefixForSafe() string

SpiffeIdPrefixForSafe returns the prefix for the Safe SPIFFE ID. The prefix is obtained from the environment variable VSECM_SAFE_SPIFFEID_PREFIX. If the variable is not set, the default prefix is used.

func SpiffeIdPrefixForSentinel added in v0.23.0

func SpiffeIdPrefixForSentinel() string

SpiffeIdPrefixForSentinel returns the prefix for the Sentinel SPIFFE ID. The prefix is obtained from the environment variable VSECM_SENTINEL_SPIFFEID_PREFIX. If the variable is not set, the default prefix is used.

func SpiffeIdPrefixForWorkload added in v0.23.0

func SpiffeIdPrefixForWorkload() string

SpiffeIdPrefixForWorkload returns the prefix for the Workload's SPIFFE ID. The prefix is obtained from the environment variable VSECM_WORKLOAD_SPIFFEID_PREFIX. If the variable is not set, the default prefix is used.

func SpiffeSocketUrl

func SpiffeSocketUrl() string

SpiffeSocketUrl returns the URL for the SPIFFE endpoint socket used in the VMware Secrets Manager system. The URL is obtained from the environment variable SPIFFE_ENDPOINT_SOCKET. If the variable is not set, the default URL is used.

func StoreWorkloadAsK8sSecretPrefix added in v0.22.2

func StoreWorkloadAsK8sSecretPrefix() string

StoreWorkloadAsK8sSecretPrefix retrieves the prefix for storing workload data as a Kubernetes secret.

It fetches the value of the environment variable VSECM_SAFE_STORE_WORKLOAD_AS_K8S_SECRET_PREFIX. If this environment variable is not set or is empty, it defaults to "k8s:".

This way, you can use VSecM to generate Kubernetes Secrets instead of associating secrets with workloads. This approach is especially useful in legacy use cases where you cannot use the VSecM SDK or VSecM Sidecar to associate secrets with workloads, or where doing so is not feasible because it would introduce a deviation from the upstream dependencies.

Returns:

  • A string representing the prefix for Kubernetes secrets. The default value is "k8s:" if the environment variable is not set or empty.

func SuccessThresholdForSidecar added in v0.23.0

func SuccessThresholdForSidecar() int64

SuccessThresholdForSidecar returns the number of consecutive successful polls before reducing the interval. The value is read from the environment variable `VSECM_SIDECAR_SUCCESS_THRESHOLD` or returns 3 as default.
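The five sidecar settings documented above (PollIntervalForSidecar, MaxPollIntervalForSidecar, ExponentialBackoffMultiplierForSidecar, ErrorThresholdForSidecar and SuccessThresholdForSidecar) together describe an adaptive polling loop. The following Go program is an added example, not code from the VSecM project: it reads those variables with the same default-on-invalid rule this page describes for every getter, and drives a small backoff state machine with them. The exact rule (multiply the interval after ErrorThreshold consecutive failures, divide it after SuccessThreshold consecutive successes, clamp to the base and maximum) and the clamping of a multiplier below 2 are assumptions made for the example, not a statement of how the sidecar itself is implemented.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"time"
)

// Constructed example. Variable names and defaults are the ones this page
// documents; the backoff rule itself is an assumption for illustration.

// millisFromEnv reads a millisecond count from the named environment variable
// and returns it as a time.Duration. Unset, empty, non-numeric or non-positive
// values fall back to def, matching the "default on parse error" behaviour of
// the getters on this page.
func millisFromEnv(name string, def time.Duration) time.Duration {
	raw := os.Getenv(name)
	if raw == "" {
		return def
	}
	ms, err := strconv.ParseInt(raw, 10, 64)
	if err != nil || ms <= 0 {
		return def
	}
	return time.Duration(ms) * time.Millisecond
}

// int64FromEnv applies the same fallback rule to plain integer settings.
func int64FromEnv(name string, def int64) int64 {
	raw := os.Getenv(name)
	if raw == "" {
		return def
	}
	v, err := strconv.ParseInt(raw, 10, 64)
	if err != nil || v <= 0 {
		return def
	}
	return v
}

// Backoff holds the sidecar's adaptive polling state.
type Backoff struct {
	Base, Max, Current  time.Duration
	Multiplier          int64
	ErrorThreshold      int64
	SuccessThreshold    int64
	failures, successes int64
}

// NewBackoffFromEnv builds a Backoff from the VSECM_SIDECAR_* variables,
// using the defaults documented on this page when they are unset or invalid.
func NewBackoffFromEnv() *Backoff {
	base := millisFromEnv("VSECM_SIDECAR_POLL_INTERVAL", 20000*time.Millisecond)
	b := &Backoff{
		Base:             base,
		Current:          base,
		Max:              millisFromEnv("VSECM_SIDECAR_MAX_POLL_INTERVAL", 300000*time.Millisecond),
		Multiplier:       int64FromEnv("VSECM_SIDECAR_EXPONENTIAL_BACKOFF_MULTIPLIER", 2),
		ErrorThreshold:   int64FromEnv("VSECM_SIDECAR_ERROR_THRESHOLD", 2),
		SuccessThreshold: int64FromEnv("VSECM_SIDECAR_SUCCESS_THRESHOLD", 3),
	}
	// Assumption: a multiplier below 2 would never back off (or divide by
	// zero), so clamp it rather than trust the environment blindly.
	if b.Multiplier < 2 {
		b.Multiplier = 2
	}
	if b.Max < b.Base {
		b.Max = b.Base
	}
	return b
}

// Record feeds one poll outcome into the state machine and returns the
// interval to wait before the next poll. A success resets the failure streak
// and vice versa, so only consecutive outcomes move the interval.
func (b *Backoff) Record(ok bool) time.Duration {
	m := time.Duration(b.Multiplier)
	if ok {
		b.failures = 0
		b.successes++
		if b.successes >= b.SuccessThreshold {
			b.successes = 0
			b.Current /= m
			if b.Current < b.Base {
				b.Current = b.Base
			}
		}
		return b.Current
	}
	b.successes = 0
	b.failures++
	if b.failures >= b.ErrorThreshold {
		b.failures = 0
		b.Current *= m
		if b.Current > b.Max {
			b.Current = b.Max
		}
	}
	return b.Current
}

func main() {
	// Constructed poll outcomes: Safe is unreachable for a while, then recovers.
	outcomes := []bool{false, false, false, false, true, true, true}
	b := NewBackoffFromEnv()
	for i, ok := range outcomes {
		fmt.Printf("poll %d ok=%-5v next interval %v\n", i+1, ok, b.Record(ok))
	}
}
```

With the defaults, four consecutive failures take the interval from 20s to 40s and then 80s, and three consecutive successes bring it back down to 40s; a non-numeric or zero value in any of the variables is treated exactly like an unset one, so a misconfigured sidecar cannot end up with a zero or negative interval.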

func SystemNamespace added in v0.21.1

func SystemNamespace() string

SystemNamespace returns the namespace VSecM runs in. The pod's metadata.namespace should be passed to the container as the VSECM_SYSTEM_NAMESPACE environment variable (for example via the Kubernetes downward API), and this function returns that value.

func TlsPort

func TlsPort() string

TlsPort returns the secure port for VSecM Safe to listen on. It checks the VSECM_SAFE_TLS_PORT environment variable. If the variable is not set, it defaults to ":8443".

Types

This section is empty.
