Package env

v0.26.1

Published: Jul 8, 2024 License: BSD-2-Clause Imports: 8 Imported by: 0

Documentation
Constants

This section is empty.

Variables

This section is empty.

Functions

func BackingStoreForSafe added in v0.22.5

func BackingStoreForSafe() data.BackingStore

BackingStoreForSafe determines the backing store type for VSecM Safe. This configuration is retrieved from an environment variable. If the variable is not set or is explicitly set to "file", "file" is used; it is the default and currently the only supported backing store.

Returns:

  • The configured backing store as a data.BackingStore.
  • Panics if the environment variable is set to anything other than "file", as it is currently the only supported backing store type.

Usage:

backingStore := config.BackingStoreForSafe()

func BackoffDelay added in v0.24.5

func BackoffDelay() time.Duration

BackoffDelay reads the "VSECM_BACKOFF_DELAY" environment variable, parses its value as an int64, and returns the parsed number as a time.Duration in milliseconds. If the environment variable is not set or cannot be parsed, a default delay of 1000 milliseconds is returned. This function facilitates configuring the initial delay for backoff algorithms, which is essential for handling operations that might need a waiting period before retrying after a failure.

Returns: time.Duration - the initial backoff delay duration.

func BackoffMaxRetries added in v0.24.5

func BackoffMaxRetries() int64

BackoffMaxRetries reads the "VSECM_BACKOFF_MAX_RETRIES" environment variable, parses its value as an int64, and returns the parsed number. If the environment variable is not set or cannot be parsed, a default value of 10 is returned. This function is useful for configuring the maximum number of retries in backoff algorithms, particularly in scenarios where operations might fail transiently and require repeated attempts to succeed.

Returns: int64 - the maximum number of retries.

func BackoffMaxWait added in v0.26.0

func BackoffMaxWait() time.Duration

BackoffMaxWait reads the "VSECM_BACKOFF_MAX_WAIT" environment variable, parses its value as an int64, and returns the parsed number as a time.Duration in milliseconds. If the environment variable is not set or cannot be parsed, a default maximum duration of 30000 milliseconds is returned. This function is crucial for defining the upper limit on the duration to which backoff delay can grow, ensuring that retry mechanisms do not result in excessively long wait times.

Returns: time.Duration - the maximum backoff duration.

func BackoffMode added in v0.24.5

func BackoffMode() string

BackoffMode reads the "VSECM_BACKOFF_MODE" environment variable and determines the backoff strategy to be used. If the environment variable is not set, or if its value is "exponential", "exponential" is returned. For any other non-empty value, "linear" is returned. This allows for dynamic adjustment of the backoff strategy based on external configuration, supporting both linear and exponential backoff modes depending on the requirements of the operation or the system.

Returns: string - the backoff mode, either "exponential" or "linear".
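The four VSECM_BACKOFF_* settings above only make sense together, so here is an added example (not code from the env package) that applies the documented defaults and fall-back rules and computes the resulting retry schedule. The growth rule for each mode is an assumption, since the docs do not define it: linear adds the initial delay on every attempt, exponential doubles it, and both are capped at the maximum wait.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"time"
)

// Documented defaults for the VSECM_BACKOFF_* variables.
const (
	defaultDelayMs   int64 = 1000
	defaultRetries   int64 = 10
	defaultMaxWaitMs int64 = 30000
)

// int64Env applies the documented fall-back rule: an unset or unparsable
// value yields the default.
func int64Env(name string, def int64) int64 {
	v, err := strconv.ParseInt(os.Getenv(name), 10, 64)
	if err != nil {
		return def
	}
	return v
}

// modeFromEnv mirrors BackoffMode: unset or "exponential" selects
// exponential, any other non-empty value selects linear.
func modeFromEnv() string {
	if v := os.Getenv("VSECM_BACKOFF_MODE"); v != "" && v != "exponential" {
		return "linear"
	}
	return "exponential"
}

// BackoffSchedule returns the wait before each retry, attempts 1..retries.
// Growth rule (assumed, not documented): linear adds delay each attempt,
// exponential doubles; both are capped at maxWait so a misconfigured
// delay cannot produce an unbounded wait.
func BackoffSchedule(mode string, delay, maxWait time.Duration, retries int64) []time.Duration {
	if retries < 0 {
		retries = 0
	}
	out := make([]time.Duration, 0, retries)
	wait := delay
	for i := int64(1); i <= retries; i++ {
		if wait > maxWait {
			wait = maxWait
		}
		out = append(out, wait)
		if mode == "linear" {
			wait += delay
		} else if wait < maxWait { // stop doubling once capped (no overflow)
			wait *= 2
		}
	}
	return out
}

// ScheduleFromEnv wires the four env-derived settings together.
func ScheduleFromEnv() []time.Duration {
	delay := time.Duration(int64Env("VSECM_BACKOFF_DELAY", defaultDelayMs)) * time.Millisecond
	maxWait := time.Duration(int64Env("VSECM_BACKOFF_MAX_WAIT", defaultMaxWaitMs)) * time.Millisecond
	return BackoffSchedule(modeFromEnv(), delay, maxWait, int64Env("VSECM_BACKOFF_MAX_RETRIES", defaultRetries))
}

// TotalWait is the worst-case time spent waiting across all retries.
func TotalWait(s []time.Duration) time.Duration {
	var total time.Duration
	for _, d := range s {
		total += d
	}
	return total
}

func main() {
	s := ScheduleFromEnv()
	fmt.Printf("mode=%s schedule=%v total=%v\n", modeFromEnv(), s, TotalWait(s))
}
```

With the documented defaults the exponential schedule is 1s, 2s, 4s, 8s, 16s and then 30s for the remaining five attempts, a worst case of 181s before the operation is given up.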

func BootstrapTimeoutForSafe added in v0.22.5

func BootstrapTimeoutForSafe() time.Duration

BootstrapTimeoutForSafe returns, as a time.Duration, how long VSecM Safe is allowed to wait to retrieve an SVID before the pod is killed. The interval is determined by the VSECM_SAFE_BOOTSTRAP_TIMEOUT environment variable, with a default value of 300000 milliseconds if the variable is not set or if there is an error in parsing the value.

func DataPathForSafe added in v0.22.5

func DataPathForSafe() string

DataPathForSafe returns the path to the safe data directory. The path is determined by the VSECM_SAFE_DATA_PATH environment variable. If the environment variable is not set, the default path "/var/local/vsecm/data" is returned.

func EndpointUrlForSafe added in v0.22.5

func EndpointUrlForSafe() string

EndpointUrlForSafe returns the URL for the VSecM Safe endpoint used in the VMware Secrets Manager system. The URL is obtained from the environment variable VSECM_SAFE_ENDPOINT_URL. If the variable is not set, the default URL is used.

func ErrorThresholdForSidecar added in v0.23.0

func ErrorThresholdForSidecar() int64

ErrorThresholdForSidecar returns the number of consecutive failed polls before increasing the interval. The value is read from the environment variable `VSECM_SIDECAR_ERROR_THRESHOLD` or returns 2 as default.

func ExponentialBackoffMultiplierForSidecar added in v0.23.0

func ExponentialBackoffMultiplierForSidecar() int64

ExponentialBackoffMultiplierForSidecar returns the multiplier for exponential backoff by the sidecar process. The value is read from the environment variable `VSECM_SIDECAR_EXPONENTIAL_BACKOFF_MULTIPLIER` or returns 2 as default.

func ExportedSecretPathForKeyGen added in v0.23.0

func ExportedSecretPathForKeyGen() string

ExportedSecretPathForKeyGen returns the path where the exported secrets are stored. It reads the environment variable VSECM_KEYGEN_EXPORTED_SECRET_PATH to determine the path.

If the environment variable is not set, it defaults to "/opt/vsecm/secrets.json".

Returns:

string: The path to the exported secrets.

func FipsCompliantModeForSafe added in v0.22.5

func FipsCompliantModeForSafe() bool

FipsCompliantModeForSafe returns a boolean indicating whether VSecM Safe should run in FIPS-compliant mode. Note that this is not a guarantee that VSecM Safe will run in FIPS-compliant mode, as it depends on the underlying base image. If you are using one of the official FIPS-compliant VMware Secrets Manager Docker images, then it will be FIPS-compliant. Check https://vsecm.com/configuration/ for more details.

func InitCommandPathForSentinel added in v0.23.0

func InitCommandPathForSentinel() string

InitCommandPathForSentinel returns the path to the initialization commands file for VSecM Sentinel.

It checks for an environment variable "VSECM_SENTINEL_INIT_COMMAND_PATH" and uses its value as the path. If the environment variable is not set, it defaults to "/opt/vsecm-sentinel/init/data".

Returns:

string: The path to the Sentinel initialization commands file.

func InitCommandRunnerWaitBeforeExecIntervalForSentinel added in v0.25.1

func InitCommandRunnerWaitBeforeExecIntervalForSentinel() time.Duration

InitCommandRunnerWaitBeforeExecIntervalForSentinel retrieves the interval to wait before executing an init command stanza of Sentinel. The interval is determined by the environment variable "VSECM_SENTINEL_INIT_COMMAND_WAIT_BEFORE_EXEC", which is expected to contain an integer value representing the wait time in milliseconds. If the environment variable is not set or cannot be parsed, it defaults to zero milliseconds.

Returns:

time.Duration: The wait interval in milliseconds before executing an init command.

func InitCommandRunnerWaitIntervalBeforeInitComplete added in v0.24.5

func InitCommandRunnerWaitIntervalBeforeInitComplete() time.Duration

InitCommandRunnerWaitIntervalBeforeInitComplete retrieves the interval to wait after the init command stanza of Sentinel has been completed. The interval is determined by the environment variable "VSECM_SENTINEL_INIT_COMMAND_WAIT_AFTER_INIT_COMPLETE", which is expected to contain an integer value representing the wait time in milliseconds. If the environment variable is not set or cannot be parsed, it defaults to zero milliseconds.

Returns:

time.Duration: The wait interval in milliseconds after initialization is complete.

func IvInitializationIntervalForSafe added in v0.22.5

func IvInitializationIntervalForSafe() int

IvInitializationIntervalForSafe fetches the Initialization Vector (IV) interval from an environment variable. IV is used in AES encryption.

The environment variable used is VSECM_SAFE_IV_INITIALIZATION_INTERVAL. If the environment variable is not set or contains an invalid integer, the function returns a default value of 50. The returned value is intended to be used for rate-limiting or throttling the initialization of IVs.

Returns: int: The IV initialization interval in milliseconds.

func K8sSecretBufferSizeForSafe added in v0.22.5

func K8sSecretBufferSizeForSafe() int

K8sSecretBufferSizeForSafe returns the buffer size for the VSecM Safe Kubernetes secret queue.

The buffer size is determined by the environment variable VSECM_SAFE_K8S_SECRET_BUFFER_SIZE.

If the environment variable is not set, the default buffer size is 10. If the environment variable is set and can be parsed as an integer, it will be used as the buffer size. If the environment variable is set but cannot be parsed as an integer, the default buffer size is used.

func KeyGenDecrypt added in v0.22.0

func KeyGenDecrypt() bool

KeyGenDecrypt determines if VSecM Keygen should decrypt the secrets json file instead of generating a new root key (which is its default behavior).

It reads the environment variable VSECM_KEYGEN_DECRYPT and checks if it is set to "true".

If this value is `false`, VSecM Keygen will generate a new root key.

If this value is `true`, VSecM Keygen will attempt to decrypt the secrets provided to it.

Returns:

bool: True if decryption should proceed, false otherwise.

func LogLevel

func LogLevel() int

LogLevel returns the value set by VSECM_LOG_LEVEL environment variable, or a default level.

VSECM_LOG_LEVEL determines the verbosity of the logs. 0: logs are off, 7: highest verbosity (TRACE).

func LogSecretFingerprints added in v0.24.5

func LogSecretFingerprints() bool

LogSecretFingerprints checks the "VSECM_LOG_SECRET_FINGERPRINTS" environment variable, normalizes its value by trimming whitespace and converting it to lowercase, and evaluates whether logging of secret fingerprints is enabled or not. The function returns true if the environment variable is explicitly set to "true", otherwise, it defaults to false.

When `true`, VSecM logs will include partial hashes for the secrets. This is useful for verifying that a secret has changed without revealing it in the logs. The partial hash is a cryptographically secure string, and there is no way to retrieve the original secret from it.

If not provided in the environment variables, this flag will be set to `false` by default.

Returns: bool - true if logging of secret fingerprints is enabled, false otherwise.

func MaxPollIntervalForSidecar added in v0.23.0

func MaxPollIntervalForSidecar() time.Duration

MaxPollIntervalForSidecar returns the maximum interval for polling by the sidecar process. The value is read from the environment variable `VSECM_SIDECAR_MAX_POLL_INTERVAL` or returns 300000 milliseconds as default.

func NameRegExpForWorkload added in v0.26.0

func NameRegExpForWorkload() string

NameRegExpForWorkload returns the regular expression pattern for extracting the workload name from the SPIFFE ID. The prefix is obtained from the environment variable VSECM_NAME_REGEXP_FOR_WORKLOAD. If the variable is not set, the default pattern is used.

func NamespaceForVSecMSystem added in v0.25.2

func NamespaceForVSecMSystem() string

NamespaceForVSecMSystem returns the namespace for the VSecM apps. The namespace is determined by the environment variable "VSECM_NAMESPACE_SYSTEM". If the variable is not set or is empty, it defaults to "vsecm-system".

Returns:

string: The namespace to be used for the VSecM system.

func OIDCProviderBaseUrlForSentinel added in v0.24.5

func OIDCProviderBaseUrlForSentinel() string

OIDCProviderBaseUrlForSentinel returns the OIDC provider base URL for VSecM Sentinel. This URL is used when VSECM_SENTINEL_OIDC_ENABLE_RESOURCE_SERVER is set to "true".

func PollIntervalForInitContainer added in v0.23.0

func PollIntervalForInitContainer() time.Duration

PollIntervalForInitContainer returns the time interval between each poll in the Watch function. The interval is specified in milliseconds as the VSECM_INIT_CONTAINER_POLL_INTERVAL environment variable. If the environment variable is not set or is not a valid integer value, the function returns the default interval of 5000 milliseconds.

func PollIntervalForSidecar added in v0.23.0

func PollIntervalForSidecar() time.Duration

PollIntervalForSidecar returns the polling interval for sentry as a time.Duration. The interval is determined by the VSECM_SIDECAR_POLL_INTERVAL environment variable, with a default value of 20000 milliseconds if the variable is not set or if there is an error in parsing the value.

func ProbeLivenessPort

func ProbeLivenessPort() string

ProbeLivenessPort returns the port for liveness probe. It first checks the environment variable VSECM_PROBE_LIVENESS_PORT. If the variable is not set, it returns the default value ":8081".

func ProbeReadinessPort

func ProbeReadinessPort() string

ProbeReadinessPort returns the port for readiness probe. It first checks the environment variable VSECM_PROBE_READINESS_PORT. If the variable is not set, it returns the default value ":8082".

func RootKeyInputModeManual added in v0.22.5

func RootKeyInputModeManual() bool

RootKeyInputModeManual returns a boolean indicating whether to use manual cryptographic key input for VSecM Safe, instead of letting it bootstrap automatically. If the environment variable is not set or its value is not "true", the function returns false. Otherwise, the function returns true.

func RootKeyPathForKeyGen added in v0.23.0

func RootKeyPathForKeyGen() string

RootKeyPathForKeyGen returns the root key path. Root key is used to decrypt VSecM-encrypted secrets. It reads the environment variable VSECM_KEYGEN_ROOT_KEY_PATH to determine the path. If the environment variable is not set, it defaults to "/opt/vsecm/keys.txt".

Returns:

string: The path to the root key.

func RootKeyPathForSafe added in v0.22.5

func RootKeyPathForSafe() string

RootKeyPathForSafe returns the path to the safe age key directory. The path is determined by the VSECM_ROOT_KEY_PATH environment variable. If the environment variable is not set, the default path "/key/key.txt" is returned.

func RootKeySecretNameForSafe added in v0.22.5

func RootKeySecretNameForSafe() string

RootKeySecretNameForSafe returns the name of the environment variable that holds the VSecM Safe age key. The value is retrieved using the "VSECM_ROOT_KEY_NAME" environment variable. If this variable is not set or is empty, the default value "vsecm-root-key" is returned.

func RootKeyStoreTypeForSafe added in v0.25.2

func RootKeyStoreTypeForSafe() data.BackingStore

RootKeyStoreTypeForSafe determines the root key store type for VSecM Safe.

The function retrieves this configuration from an environment variable. If the variable is not set or is explicitly set to "k8s", "k8s" is used; it is the default.

Returns:

  • The configured root key store as a data.BackingStore.
  • Panics if the environment variable is set to anything other than "k8s", as it is currently the only supported root key store type.

Usage:

storeType := config.RootKeyStoreTypeForSafe()

func RootKeySyncIntervalForSafe added in v0.25.2

func RootKeySyncIntervalForSafe() time.Duration

RootKeySyncIntervalForSafe retrieves the synchronization interval for root keys from an environment variable. If the variable is unset or set to "never", it returns an infinite duration, effectively disabling the synchronization.

Returns:

  • A time.Duration representing the interval at which root keys should be synchronized.
  • Returns an infinite duration if the interval is set to "never" or if there is an error in parsing the interval.

func SecretBackupCountForSafe added in v0.22.5

func SecretBackupCountForSafe() int

SecretBackupCountForSafe retrieves the number of backups to keep for VSecM Safe secrets. If the environment variable VSECM_SAFE_SECRET_BACKUP_COUNT is not set or is not a valid integer, the default value of 3 will be returned.

Note: there are plans to deprecate this feature in the future in favor of a more robust database-driven changelog solution for secrets.

func SecretBufferSizeForSafe added in v0.22.5

func SecretBufferSizeForSafe() int

SecretBufferSizeForSafe returns the buffer size for the VSecM Safe secret queue.

The buffer size is determined by the environment variable VSECM_SAFE_SECRET_BUFFER_SIZE.

If the environment variable is not set, the default buffer size is 10. If the environment variable is set and can be parsed as an integer, it will be used as the buffer size. If the environment variable is set but cannot be parsed as an integer, the default buffer size is used.

func SecretDeleteBufferSizeForSafe added in v0.22.5

func SecretDeleteBufferSizeForSafe() int

SecretDeleteBufferSizeForSafe returns the buffer size for the VSecM Safe secret deletion queue.

The buffer size is determined by the environment variable VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE.

If the environment variable is not set, the default buffer size is 10. If the environment variable is set and can be parsed as an integer, it will be used as the buffer size. If the environment variable is set but cannot be parsed as an integer, the default buffer size is used.

func SecretGenerationPrefix added in v0.22.0

func SecretGenerationPrefix() string

SecretGenerationPrefix returns a prefix that's used by VSecM Sentinel to generate random pattern-based secrets. If a secret is prefixed with this value, then VSecM Sentinel will consider it as a "template" rather than a literal value.

It retrieves this prefix from the environment variable "VSECM_SENTINEL_SECRET_GENERATION_PREFIX". If the environment variable is not set or is empty, it defaults to "gen:".

func SecretsPathForSidecar added in v0.23.0

func SecretsPathForSidecar() string

SecretsPathForSidecar returns the path to the secrets file used by the sidecar. The path is determined by the VSECM_SIDECAR_SECRETS_PATH environment variable, with a default value of "/opt/vsecm/secrets.json" if the variable is not set.

func SecretsSyncIntervalForSafe added in v0.26.0

func SecretsSyncIntervalForSafe() time.Duration

SecretsSyncIntervalForSafe retrieves the synchronization interval for secrets from an environment variable. Similar to RootKeySyncIntervalForSafe, it returns an infinite duration if the interval is set to "never" or on error.

Returns:

  • A time.Duration representing the interval at which secrets should be synchronized.

func SentinelEnableOIDCResourceServer added in v0.23.2

func SentinelEnableOIDCResourceServer() bool

SentinelEnableOIDCResourceServer is a flag that enables the OIDC resource server functionality in VSecM Sentinel.

func SourceAcquisitionTimeoutForSafe added in v0.22.5

func SourceAcquisitionTimeoutForSafe() time.Duration

SourceAcquisitionTimeoutForSafe returns the timeout duration for acquiring a SPIFFE source bundle. It reads an environment variable `VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT` to determine the timeout. If the environment variable is not set, or cannot be parsed, it defaults to 10000 milliseconds.

The returned duration is in milliseconds.

Returns:

time.Duration: The time duration in milliseconds for acquiring the source.

func SpiffeIdPrefixForSafe added in v0.22.5

func SpiffeIdPrefixForSafe() string

SpiffeIdPrefixForSafe returns the prefix for the Safe SPIFFE ID. The prefix is obtained from the environment variable VSECM_SPIFFEID_PREFIX_SAFE. If the variable is not set, the default prefix is used.

func SpiffeIdPrefixForSentinel added in v0.23.0

func SpiffeIdPrefixForSentinel() string

SpiffeIdPrefixForSentinel returns the prefix for the Sentinel SPIFFE ID. The prefix is obtained from the environment variable VSECM_SPIFFEID_PREFIX_SENTINEL. If the variable is not set, the default prefix is used.

func SpiffeIdPrefixForWorkload added in v0.23.0

func SpiffeIdPrefixForWorkload() string

SpiffeIdPrefixForWorkload returns the prefix for the Workload's SPIFFE ID. The prefix is obtained from the environment variable VSECM_SPIFFEID_PREFIX_WORKLOAD. If the variable is not set, the default prefix is used.

func SpiffeSocketUrl

func SpiffeSocketUrl() string

SpiffeSocketUrl returns the URL for the SPIFFE endpoint socket used in the VMware Secrets Manager system. The URL is obtained from the environment variable SPIFFE_ENDPOINT_SOCKET. If the variable is not set, the default URL is used.

func SpiffeTrustDomain added in v0.26.0

func SpiffeTrustDomain() string

SpiffeTrustDomain retrieves the SPIFFE trust domain from environment variables.

This function looks for the trust domain using the environment variable defined by `constants.SpiffeTrustDomain`. If the environment variable is not set or is an empty string, it defaults to the value specified by `constants.SpiffeTrustDomainDefault`.

Returns:

  • A string representing the SPIFFE trust domain.

func StoreWorkloadAsK8sSecretPrefix added in v0.22.2

func StoreWorkloadAsK8sSecretPrefix() string

StoreWorkloadAsK8sSecretPrefix retrieves the prefix for storing workload data as a Kubernetes secret.

It fetches the value of the environment variable VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX. If this environment variable is not set or is empty, it defaults to "k8s:".

This way, you can use VSecM to generate Kubernetes Secrets instead of associating secrets with workloads. This approach is especially useful in legacy use cases where you cannot use the VSecM SDK or VSecM Sidecar to associate secrets with workloads, or where doing so is not feasible because it would diverge from the upstream dependencies.

Returns:

  • A string representing the prefix for Kubernetes secrets. The default value is "k8s:" if the environment variable is not set or empty.

func SuccessThresholdForSidecar added in v0.23.0

func SuccessThresholdForSidecar() int64

SuccessThresholdForSidecar returns the number of consecutive successful polls before reducing the interval. The value is read from the environment variable `VSECM_SIDECAR_SUCCESS_THRESHOLD` or returns 3 as default.
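The sidecar's five polling settings (PollIntervalForSidecar, MaxPollIntervalForSidecar, ErrorThresholdForSidecar, ExponentialBackoffMultiplierForSidecar and SuccessThresholdForSidecar) describe one adaptive poll loop, so here is an added example (not the sidecar's own code) that implements that loop with the documented defaults. Widening follows the docs: multiply the interval after the error threshold of consecutive failures, never above the maximum. The narrowing rule is an assumption: divide by the same multiplier after the success threshold of consecutive successes, never below the base interval.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"time"
)

// Documented defaults for the VSECM_SIDECAR_* polling variables.
const (
	defaultPollMs     int64 = 20000
	defaultMaxPollMs  int64 = 300000
	defaultMultiplier int64 = 2
	defaultErrThresh  int64 = 2
	defaultOkThresh   int64 = 3
)

// int64Env applies the documented fall-back rule: unset or unparsable
// values yield the default.
func int64Env(name string, def int64) int64 {
	v, err := strconv.ParseInt(os.Getenv(name), 10, 64)
	if err != nil {
		return def
	}
	return v
}

// Poller tracks consecutive poll outcomes and adapts the interval between them.
type Poller struct {
	base, max, current        time.Duration
	multiplier                time.Duration
	errThreshold, okThreshold int64
	failures, successes       int64
}

func NewPoller(base, max time.Duration, multiplier, errThreshold, okThreshold int64) *Poller {
	if multiplier < 1 {
		multiplier = 1 // a zero multiplier would collapse the interval to 0
	}
	return &Poller{base: base, max: max, current: base, multiplier: time.Duration(multiplier),
		errThreshold: errThreshold, okThreshold: okThreshold}
}

// NewPollerFromEnv reads the five VSECM_SIDECAR_* settings with their defaults.
func NewPollerFromEnv() *Poller {
	return NewPoller(
		time.Duration(int64Env("VSECM_SIDECAR_POLL_INTERVAL", defaultPollMs))*time.Millisecond,
		time.Duration(int64Env("VSECM_SIDECAR_MAX_POLL_INTERVAL", defaultMaxPollMs))*time.Millisecond,
		int64Env("VSECM_SIDECAR_EXPONENTIAL_BACKOFF_MULTIPLIER", defaultMultiplier),
		int64Env("VSECM_SIDECAR_ERROR_THRESHOLD", defaultErrThresh),
		int64Env("VSECM_SIDECAR_SUCCESS_THRESHOLD", defaultOkThresh))
}

// Interval is the current wait between polls.
func (p *Poller) Interval() time.Duration { return p.current }

// Record feeds one poll outcome in and returns the wait before the next poll.
func (p *Poller) Record(ok bool) time.Duration {
	if ok {
		p.failures = 0
		if p.successes++; p.successes >= p.okThreshold {
			p.successes = 0
			if p.current /= p.multiplier; p.current < p.base {
				p.current = p.base // assumed floor: never below the base interval
			}
		}
		return p.current
	}
	p.successes = 0
	if p.failures++; p.failures >= p.errThreshold {
		p.failures = 0
		// second check catches Duration overflow wrapping negative
		if p.current *= p.multiplier; p.current > p.max || p.current < p.base {
			p.current = p.max
		}
	}
	return p.current
}

func main() {
	p := NewPollerFromEnv()
	for _, ok := range []bool{false, false, false, false, true, true, true} {
		fmt.Printf("ok=%v next poll in %v\n", ok, p.Record(ok))
	}
}
```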

func SyncDeletedSecretsForSafe added in v0.25.2

func SyncDeletedSecretsForSafe() bool

SyncDeletedSecretsForSafe checks if deleted secrets should be synchronized. It reads from an environment variable and returns true if synchronization is enabled.

Returns:

  • A bool indicating whether deleted secrets should be synchronized.

func SyncExpiredSecretsSecretsForSafe added in v0.25.2

func SyncExpiredSecretsSecretsForSafe() bool

SyncExpiredSecretsSecretsForSafe checks if expired secrets should be synchronized. It returns true if the respective environment variable is set to "true".

Returns:

  • A bool indicating whether expired secrets should be synchronized.

func SyncInterpolatedKubernetesSecretsForSafe added in v0.25.2

func SyncInterpolatedKubernetesSecretsForSafe() bool

SyncInterpolatedKubernetesSecretsForSafe checks if interpolated Kubernetes secrets should be synchronized. It returns true if the respective environment variable is set to "true".

Returns:

  • A bool indicating whether interpolated Kubernetes secrets should be synchronized.

func TlsPort

func TlsPort() string

TlsPort returns the secure port for VSecM Safe to listen on. It checks the VSECM_SAFE_TLS_PORT environment variable. If the variable is not set, it defaults to ":8443".

func WaitBeforeExitForInitContainer added in v0.24.5

func WaitBeforeExitForInitContainer() time.Duration

WaitBeforeExitForInitContainer retrieves the wait time before exit for an init container. The duration is determined by the environment variable "VSECM_INIT_CONTAINER_WAIT_BEFORE_EXIT" and defaults to zero if the variable is not set or cannot be parsed.

The environment variable is expected to be an integer value representing the wait time in milliseconds. If parsing fails, the function will return 0 milliseconds.

Returns:

time.Duration: The wait time before exit, in milliseconds.

Types

type Level added in v0.26.0

type Level int
const (
	Off Level = iota
	Fatal
	Error
	Warn
	Info
	Audit
	Debug
	Trace
)

Level redefines the log levels here to avoid an import cycle.

type Mode added in v0.26.0

type Mode string

Mode is the type for backoff mode.

var Exponential Mode = "exponential"
var Linear Mode = "linear"
