service

package
Published: Mar 21, 2018 License: Apache-2.0 Imports: 31 Imported by: 1

Constants

This section is empty.

Variables

// Sentinel errors returned by this package. Compare with the Is* helpers
// (IsVault, IsSecretNotFound) rather than with ==, since values are created
// via errgo and may be wrapped before they reach the caller.
// NOTE(review): the names do not follow Go's ErrXxx convention; they are kept
// as-is because they are part of the exported API.
var (
	// InvalidArgumentError reports a caller-supplied argument that failed validation.
	InvalidArgumentError = errgo.New("invalid argument")
	// VaultError reports a failure while talking to the Vault server.
	VaultError           = errgo.New("vault error")
	// SecretNotFoundError reports that a requested secret (path or field) does not exist.
	SecretNotFoundError  = errgo.New("secret not found")
)

Functions

func Describe

func Describe(err error) string

func IsSecretNotFound

func IsSecretNotFound(err error) bool

func IsVault

func IsVault(err error) bool

func Migrate

func Migrate(from, to migration.Backend, log *logging.Logger) error

Types

type AggregateError

type AggregateError struct {
	// contains filtered or unexported fields
}

func (*AggregateError) Error

func (ae *AggregateError) Error() string

type AuthMethod

// AuthMethod is a bit mask of enabled authentication methods; combine the
// AuthMethod* constants with | and query with IsEnabled.
type AuthMethod uint

AuthMethod specifies a mask of authentication methods.

// Individual authentication method bits. VaultServiceConfig.DisableAppID and
// DisableAppRole presumably clear the corresponding bit — confirm in NewVaultService.
const (
	// AuthMethodAppID indicates the app-id authentication method.
	// NOTE(review): Vault's App ID backend is deprecated upstream in favor of
	// AppRole; prefer AuthMethodAppRole for new deployments.
	AuthMethodAppID AuthMethod = 0x01
	// AuthMethodAppRole indicates the approle authentication method.
	AuthMethodAppRole AuthMethod = 0x02
)

func (AuthMethod) IsEnabled

func (mask AuthMethod) IsEnabled(specific AuthMethod) bool

IsEnabled returns true if the given specific authentication method is contained in the given mask.

type AuthenticatedVaultClient

type AuthenticatedVaultClient struct {
	// contains filtered or unexported fields
}

AuthenticatedVaultClient holds a vault client that is already authenticated.

func (*AuthenticatedVaultClient) CA

func (c *AuthenticatedVaultClient) CA() CA

CA returns a helper to configure certificate authority authentication secrets.

func (*AuthenticatedVaultClient) Cluster

func (c *AuthenticatedVaultClient) Cluster() Cluster

Cluster returns a helper to configure cluster authentication secrets.

func (*AuthenticatedVaultClient) CreateEnvironmentFile

func (c *AuthenticatedVaultClient) CreateEnvironmentFile(path string, secrets []EnvSecret) error

CreateEnvironmentFile extracts one or more secrets and creates a key=secretValue environment file for them. The file holds the secret values in plain text, so the target path must not be readable by other users.

func (*AuthenticatedVaultClient) CreateOrUpdateKubernetesSecret

func (c *AuthenticatedVaultClient) CreateOrUpdateKubernetesSecret(client *K8sClient, secretName string, secrets ...EnvSecret) error

CreateOrUpdateKubernetesSecret extracts one or more secrets and updates fields in a Kubernetes secret.

func (*AuthenticatedVaultClient) CreateSecretFile

func (c *AuthenticatedVaultClient) CreateSecretFile(path string, secret FileSecret) error

CreateSecretFile extracts one secret and creates a file containing the raw secret value. The file is as sensitive as the secret itself and should be protected accordingly.

func (*AuthenticatedVaultClient) CreateTokenFile

func (c *AuthenticatedVaultClient) CreateTokenFile(path string, tokenConfig TokenConfig) error

CreateTokenFile creates a new token with the given config and stores it in a file. The file holds a Vault token, i.e. a bearer credential, and should be protected accordingly.

func (*AuthenticatedVaultClient) Job

func (c *AuthenticatedVaultClient) Job() Job

Job returns a helper to configure job authentication secrets.

func (*AuthenticatedVaultClient) Token

func (c *AuthenticatedVaultClient) Token() string

Token returns the current token of the vault client. The token is a bearer credential; do not log it or include it in error messages.

type CA

// CA contains all functions to configure CA secrets. Every method is scoped by
// clusterID (and, where relevant, a service/component) so that ETCD and each K8S
// component get their own CA.
//
// NOTE(review): the force parameter on the Create* methods presumably re-creates
// an existing CA; certificates issued by the replaced CA would then no longer
// verify — confirm before using it against a live cluster.
type CA interface {
	// CreateETCDMembers creates a CA that issues ETCD member certificates.
	CreateETCDMembers(clusterID, domainName string, force bool) error
	// CreateK8sAll creates CA's that issues K8S member certificates for all K8S components.
	// Each component gets its own CA.
	CreateK8sAll(clusterID, domainName string, force bool) error
	// CreateK8s creates a CA that issues K8S member certificates for the various K8S components.
	CreateK8s(clusterID, component, domainName string, force bool) error
	// IssueETCDCertificate issues a new certificate for a specific service.
	IssueETCDCertificate(clusterID string, config IssueConfig) error
	// IssueK8sCertificate issues a new certificate for a specific service.
	IssueK8sCertificate(clusterID string, config IssueConfig) error
	// IssueCertificate issues a new certificate for a specific service.
	IssueCertificate(clusterID, service string, config IssueConfig) error
	// ListETCDCertificates lists the certificates issued by the cluster's ETCD CA.
	// It returns only an error, so the listing is presumably written to the log/stdout.
	ListETCDCertificates(clusterID string) error
	// ListK8sCertificates lists the certificates issued by the cluster's K8S CA's.
	// It returns only an error, so the listing is presumably written to the log/stdout.
	ListK8sCertificates(clusterID string) error
	// ListCertificates lists the certificates issued by the CA of a specific service.
	// It returns only an error, so the listing is presumably written to the log/stdout.
	ListCertificates(clusterID, service string) error
	// TidyETCDCertificates performs cleanup of the expired ETCD certificates.
	TidyETCDCertificates(clusterID string, options TidyOptions) error
	// TidyK8sCertificates performs cleanup of the expired kubernetes certificates.
	TidyK8sCertificates(clusterID string, options TidyOptions) error
	// TidyCertificates performs cleanup of expired certificates for a specific service.
	TidyCertificates(clusterID, service string, options TidyOptions) error
}

CA contains all functions to configure CA secrets. Note that the doc comments on the List* methods in the interface above are copy-pasted from Issue*; the List* methods list existing certificates rather than issuing new ones.

func NewCA

func NewCA(log *logging.Logger, vaultClient *api.Client, methods AuthMethod) CA

NewCA creates a new CA manipulator for the given vault client.

type Cluster

// Cluster contains all vault methods to configure secrets for a cluster.
// The method names speak in app-id backend terms (app-id / user-id mappings);
// see AuthMethod for how AppID and AppRole are selected.
type Cluster interface {
	// Create creates the app-id mapping for a cluster with given id.
	// It also creates and uses a policy for accessing only the jobs within the cluster.
	Create(clusterID string) error
	// Delete removes the app-id mapping for a cluster with given id.
	// It also removes the policy for accessing only the jobs within the cluster.
	Delete(clusterID string) error
	// AddMachine creates the user-id mapping for adding a machine to a cluster.
	// cidrBlock presumably restricts the source addresses from which the
	// machine's user-id may log in; a wide block weakens the binding of the
	// credential to that machine — confirm against the implementation.
	AddMachine(clusterID, machineID, cidrBlock string) error
	// RemoveMachine removes the user-id mapping for removing a machine from a cluster.
	RemoveMachine(clusterID, machineID string) error
}

Cluster contains all vault methods to configure secrets for a cluster.

func NewCluster

func NewCluster(vaultClient *api.Client, methods AuthMethod) Cluster

NewCluster creates a new Cluster manipulator for the given vault client.

type EnvSecret

// EnvSecret names one secret field and the environment variable it is written to
// by AuthenticatedVaultClient.CreateEnvironmentFile / CreateOrUpdateKubernetesSecret.
type EnvSecret struct {
	// SecretPath is the Vault path of the secret to read.
	SecretPath     string
	// SecretField is the field (key) within that secret whose value is used.
	SecretField    string
	// EnvironmentKey is the variable name the value is stored under (the key in key=value).
	EnvironmentKey string
}

type FileSecret

// FileSecret names the single secret field written by
// AuthenticatedVaultClient.CreateSecretFile.
type FileSecret struct {
	// SecretPath is the Vault path of the secret to read.
	SecretPath  string
	// SecretField is the field (key) within that secret whose value is written to the file.
	SecretField string
}

type GithubLoginData

// GithubLoginData holds the input for VaultService.GithubLogin.
type GithubLoginData struct {
	// GithubToken is the Github personal access token presented to Vault.
	// It is a credential: do not log it or persist it alongside configuration.
	GithubToken string
	// Mount is the mount path of the github auth backend.
	Mount       string // defaults to "github"
}

type IssueConfig

// IssueConfig describes one certificate issue request (see CA.Issue*) and where
// the resulting files are written. SetupDefaults fills fields that are left empty.
type IssueConfig struct {
	// Role is the role the certificate is issued against (presumably a Vault PKI role — confirm).
	Role                string
	// CommonName is the certificate's common name (CN).
	CommonName          string
	// AltNames are additional DNS subject alternative names.
	AltNames            []string
	// IPSans are IP address subject alternative names.
	IPSans              []string
	// OutputDir is the directory the certificate, key and CA files are written to.
	OutputDir           string
	// CertificateFileName, KeyFileName and CAFileName are the file names within
	// OutputDir for the issued certificate, its private key and the CA certificate.
	CertificateFileName string
	KeyFileName         string
	CAFileName          string
	// FileMode is the permission mode applied to the written files.
	// NOTE(review): a single mode appears to cover the private key file too; it
	// should be no more permissive than 0600 — confirm what SetupDefaults chooses.
	FileMode            uint32
}

func (*IssueConfig) IssueIsNeeded

func (config *IssueConfig) IssueIsNeeded(log *logging.Logger) bool

IssueIsNeeded checks the certificate files that will be created by an issue command. If they exist and are valid, an issue is not needed and false will be returned.

func (*IssueConfig) SetupDefaults

func (config *IssueConfig) SetupDefaults(clusterID string)

SetupDefaults ensures all fields are set to their defaults if they are not yet set

type Job

// Job contains all vault methods to configure secrets for a job.
type Job interface {
	// Create creates the authentication mapping for a job with given id.
	// policyName is the Vault policy attached to that mapping; it bounds what a
	// logged-in job can read, so keep it scoped to the job's own secrets.
	Create(jobID, policyName string) error
	// Delete removes the authentication mapping for a job with given id.
	Delete(jobID string) error
	// AllowCluster creates the user-id mapping for allowing a cluster access to the secrets of a job.
	AllowCluster(jobID, clusterID string) error
	// DenyCluster removes the user-id mapping so the cluster is denied access to the secrets of a job.
	DenyCluster(jobID, clusterID string) error
}

Job contains all vault methods to configure secrets for a job.

func NewJob

func NewJob(vaultClient *api.Client, methods AuthMethod) Job

NewJob creates a new Job manipulator for the given vault client.

type K8sClient

type K8sClient struct {
	// contains filtered or unexported fields
}

func NewKubernetesClient

func NewKubernetesClient(podName, podIP, clusterInfoSecretName, clusterIDSecretKey string) (*K8sClient, error)

NewKubernetesClient creates a kubernetes client.

func (*K8sClient) ClusterID

func (c *K8sClient) ClusterID() (string, error)

func (*K8sClient) JobID

func (c *K8sClient) JobID() (string, error)

func (*K8sClient) MachineID

func (c *K8sClient) MachineID() (string, error)

func (*K8sClient) ServerLoginData

func (c *K8sClient) ServerLoginData(next ServerLoginData) ServerLoginData

type ServerLoginData

// ServerLoginData supplies the identifiers used by VaultService.ServerLogin.
// Implementations are chained: every constructor (NewEnvServerLoginData,
// NewFileSystemServerLoginData, NewStaticServerLoginData, K8sClient.ServerLoginData)
// takes a next ServerLoginData, presumably consulted for values the
// implementation cannot provide itself — confirm.
type ServerLoginData interface {
	// JobID returns the id of the job that is logging in.
	JobID() (string, error)
	// ClusterID returns the id of the cluster the job belongs to.
	ClusterID() (string, error)
	// MachineID returns the id of the machine the job runs on.
	MachineID() (string, error)
}

func NewEnvServerLoginData

func NewEnvServerLoginData(next ServerLoginData) ServerLoginData

NewEnvServerLoginData creates a ServerLoginData that attempts to fetch the data from env variables.

func NewFileSystemServerLoginData

func NewFileSystemServerLoginData(jobIDPath, clusterIDPath, machineIDPath string, next ServerLoginData) ServerLoginData

NewFileSystemServerLoginData creates a ServerLoginData that attempts to read the job, cluster and machine ids from the files whose paths are given as arguments to this call.

func NewStaticServerLoginData

func NewStaticServerLoginData(jobID, clusterID, machineID string, next ServerLoginData) ServerLoginData

NewStaticServerLoginData creates a ServerLoginData that returns the fixed jobID, clusterID and machineID values given as arguments to this call.

type TidyOptions

// TidyOptions contains custom options for tidy actions (see CA.Tidy*).
type TidyOptions struct {
	// TidyCertificateStore requests removal of expired certificates from the certificate store.
	TidyCertificateStore bool
	// TidyRevocationList requests removal of expired entries from the revocation list.
	TidyRevocationList   bool
	// SafetyBuffer is how long past expiry an entry is retained before being tidied
	// (presumably passed through as the PKI backend's safety_buffer — confirm).
	SafetyBuffer         time.Duration
}

TidyOptions contains custom options for tidy actions.

type TokenConfig

// TokenConfig describes the token created by AuthenticatedVaultClient.CreateTokenFile.
type TokenConfig struct {
	// Policies are the policy names attached to the new token.
	Policies []string
	// Role is the token role the token is created against.
	Role     string
	// Template's purpose is not visible from this declaration; presumably it
	// formats the content written to the token file — confirm.
	Template string
	// WrapTTL, when set, presumably requests a response-wrapped token with this
	// TTL, so the file holds a short-lived wrapping token instead of the token
	// itself — confirm.
	WrapTTL  string
}

type VaultClient

// VaultClient pairs a Vault server address with the API client connected to it.
type VaultClient struct {
	// Address is the URL of the Vault server.
	Address string
	// Client is the underlying Vault API client.
	Client  *api.Client
}

type VaultService

type VaultService struct {
	// contains filtered or unexported fields
}

func NewVaultService

func NewVaultService(log *logging.Logger, srvCfg VaultServiceConfig) (*VaultService, error)

NewVaultService creates a new VaultService and loads its configuration from the given settings.

func (*VaultService) GithubLogin

GithubLogin performs a standard Github authentication and initializes the vaultClient with the resulting token.

func (*VaultService) Seal

Seal seals the vault. Sealing discards the in-memory master key, so all subsequent requests fail until Unseal is performed again.

func (*VaultService) SealStatus

func (s *VaultService) SealStatus() error

SealStatus shows the seal status of the vault.

func (*VaultService) ServerLogin

ServerLogin performs a two-step login and initializes the vaultClient with the resulting token.

func (*VaultService) Unseal

func (s *VaultService) Unseal(keyCmd []string) error

Unseal unseals the vault. It invokes the given keyCmd process several times to obtain the unseal keys; the process's output is therefore key material and must not be logged.

type VaultServiceConfig

// VaultServiceConfig holds the settings NewVaultService loads its configuration from.
type VaultServiceConfig struct {
	VaultAddr      string // URL of the vault; use https:// so tokens are not sent in the clear
	VaultCACert    string // Path to a PEM-encoded CA cert file to use to verify the Vault server SSL certificate
	VaultCAPath    string // Path to a directory of PEM-encoded CA cert files to verify the Vault server SSL certificate
	TokenPath      string // Path of a file containing the login token; this is a bearer credential, keep the file readable only by this process's user
	IPv4Only       bool   // If set, only use IPv4 addresses
	IPv6Only       bool   // If set, only use IPv6 addresses (presumably mutually exclusive with IPv4Only — confirm)
	DisableAppID   bool   // If set, AppID authentication is disabled (App ID is deprecated upstream in favor of AppRole)
	DisableAppRole bool   // If set, AppRole authentication is disabled
}
