- Variables
- func Describe(err error) string
- func IsSecretNotFound(err error) bool
- func IsVault(err error) bool
- func Migrate(from, to migration.Backend, log *logging.Logger) error
- type AggregateError
- type AuthMethod
- type AuthenticatedVaultClient
- func (c *AuthenticatedVaultClient) CA() CA
- func (c *AuthenticatedVaultClient) Cluster() Cluster
- func (c *AuthenticatedVaultClient) CreateEnvironmentFile(path string, secrets []EnvSecret) error
- func (c *AuthenticatedVaultClient) CreateOrUpdateKubernetesSecret(client *K8sClient, secretName string, secrets ...EnvSecret) error
- func (c *AuthenticatedVaultClient) CreateSecretFile(path string, secret FileSecret) error
- func (c *AuthenticatedVaultClient) CreateTokenFile(path string, tokenConfig TokenConfig) error
- func (c *AuthenticatedVaultClient) Job() Job
- func (c *AuthenticatedVaultClient) Token() string
- type CA
- type Cluster
- type EnvSecret
- type FileSecret
- type GithubLoginData
- type IssueConfig
- type Job
- type K8sClient
- type ServerLoginData
- type TidyOptions
- type TokenConfig
- type VaultClient
- type VaultService
- func (s *VaultService) GithubLogin(data GithubLoginData) (*AuthenticatedVaultClient, error)
- func (s *VaultService) Seal(c *AuthenticatedVaultClient) error
- func (s *VaultService) SealStatus() error
- func (s *VaultService) ServerLogin(data ServerLoginData) (*AuthenticatedVaultClient, error)
- func (s *VaultService) Unseal(keyCmd []string) error
- type VaultServiceConfig
func IsSecretNotFound ¶
Types ¶
type AggregateError ¶
type AggregateError struct {
// contains filtered or unexported fields
}
func (*AggregateError) Error ¶
func (ae *AggregateError) Error() string
type AuthMethod ¶
// AuthMethod specifies a mask of authentication methods.
// Each method is a single-bit flag; flags can be OR-ed together into a mask
// and queried individually with IsEnabled.
type AuthMethod uint
AuthMethod specifies a mask of authentication methods.
const (
	// AuthMethodAppID indicates the app-id authentication method.
	// NOTE(review): Vault has deprecated the app-id auth backend in favour of
	// AppRole; prefer AuthMethodAppRole for new deployments.
	AuthMethodAppID AuthMethod = 1 << iota // 0x01
	// AuthMethodAppRole indicates the approle authentication method.
	AuthMethodAppRole // 0x02
)
func (AuthMethod) IsEnabled ¶
func (mask AuthMethod) IsEnabled(specific AuthMethod) bool
IsEnabled returns true if the given specific authentication method is contained in the given mask.
type AuthenticatedVaultClient ¶
type AuthenticatedVaultClient struct {
// contains filtered or unexported fields
}
AuthenticatedVaultClient holds a vault client that is already authenticated.
func (*AuthenticatedVaultClient) CA ¶
func (c *AuthenticatedVaultClient) CA() CA
CA returns a helper to configure certificate authority authentication secrets.
func (*AuthenticatedVaultClient) Cluster ¶
func (c *AuthenticatedVaultClient) Cluster() Cluster
Cluster returns a helper to configure cluster authentication secrets.
func (*AuthenticatedVaultClient) CreateEnvironmentFile ¶
func (c *AuthenticatedVaultClient) CreateEnvironmentFile(path string, secrets []EnvSecret) error
CreateEnvironmentFile extracts one or more secrets and creates a key=secretValue environment file for them at path. The resulting file holds the secret values in plaintext; the file mode it is written with is not documented here, so callers are responsible for placing it on a suitably protected path.
func (*AuthenticatedVaultClient) CreateOrUpdateKubernetesSecret ¶
func (c *AuthenticatedVaultClient) CreateOrUpdateKubernetesSecret(client *K8sClient, secretName string, secrets ...EnvSecret) error
CreateOrUpdateKubernetesSecret extracts one or more secrets and updates fields in the Kubernetes secret named secretName (creating it first if, as the name suggests, it does not yet exist). Note that a Kubernetes Secret is only base64-encoded in the API server unless encryption at rest has been configured for the cluster.
func (*AuthenticatedVaultClient) CreateSecretFile ¶
func (c *AuthenticatedVaultClient) CreateSecretFile(path string, secret FileSecret) error
CreateSecretFile extracts one secret and creates a file containing the secret value.
func (*AuthenticatedVaultClient) CreateTokenFile ¶
func (c *AuthenticatedVaultClient) CreateTokenFile(path string, tokenConfig TokenConfig) error
CreateTokenFile creates a new token with given config and stores it in a file at path. The file contains a live Vault token; treat it as a credential and keep its permissions restrictive.
func (*AuthenticatedVaultClient) Job ¶
func (c *AuthenticatedVaultClient) Job() Job
Job returns a helper to configure job authentication secrets.
func (*AuthenticatedVaultClient) Token ¶
func (c *AuthenticatedVaultClient) Token() string
Token returns the current token of the vault client. The value is a credential; avoid writing it to logs or error messages.
type CA ¶
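// CA contains all functions to configure CA secrets: creating per-cluster
// certificate authorities, issuing certificates from them, listing issued
// certificates and tidying expired ones.
//
// NOTE(review): the force flag on the Create* methods is not documented
// here; presumably it re-creates a CA that already exists. Re-creating a CA
// invalidates every certificate it previously issued, so confirm its exact
// semantics against the implementation before using it in automation.
type CA interface {
	// CreateETCDMembers creates a CA that issues ETCD member certificates.
	CreateETCDMembers(clusterID, domainName string, force bool) error
	// CreateK8sAll creates CAs that issue K8S member certificates for all K8S components.
	// Each component gets its own CA.
	CreateK8sAll(clusterID, domainName string, force bool) error
	// CreateK8s creates a CA that issues K8S member certificates for the given K8S component.
	CreateK8s(clusterID, component, domainName string, force bool) error
	// IssueETCDCertificate issues a new certificate for a specific service.
	IssueETCDCertificate(clusterID string, config IssueConfig) error
	// IssueK8sCertificate issues a new certificate for a specific service.
	IssueK8sCertificate(clusterID string, config IssueConfig) error
	// IssueCertificate issues a new certificate for a specific service.
	IssueCertificate(clusterID, service string, config IssueConfig) error
	// ListETCDCertificates lists the certificates issued by the ETCD CA of the cluster.
	// Only an error is returned, so the listing itself is presumably reported
	// out of band (e.g. via the logger) — confirm against the implementation.
	ListETCDCertificates(clusterID string) error
	// ListK8sCertificates lists the certificates issued by the K8S CAs of the cluster.
	ListK8sCertificates(clusterID string) error
	// ListCertificates lists the certificates issued for a specific service.
	ListCertificates(clusterID, service string) error
	// TidyETCDCertificates performs cleanup of the expired ETCD certificates.
	TidyETCDCertificates(clusterID string, options TidyOptions) error
	// TidyK8sCertificates performs cleanup of the expired kubernetes certificates.
	TidyK8sCertificates(clusterID string, options TidyOptions) error
	// TidyCertificates performs cleanup of expired certificates for a specific service.
	TidyCertificates(clusterID, service string, options TidyOptions) error
}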
CA contains all functions to configure CA secrets
type Cluster ¶
// Cluster contains all vault methods to configure secrets for a cluster.
//
// A cluster is identified by clusterID; the machines that belong to it are
// identified by machineID and each machine is registered together with a
// cidrBlock (presumably the network it is allowed to log in from — confirm
// against the implementation).
type Cluster interface {
	// Create creates the app-id mapping for a cluster with given id.
	// It also creates and uses a policy for accessing only the jobs within the cluster.
	Create(clusterID string) error
	// Delete removes the app-id mapping for a cluster with given id.
	// It also removes the policy for accessing only the jobs within the cluster.
	Delete(clusterID string) error
	// AddMachine creates the user-id mapping for adding a machine to a cluster.
	AddMachine(clusterID, machineID, cidrBlock string) error
	// RemoveMachine removes the user-id mapping for removing a machine from a cluster.
	RemoveMachine(clusterID, machineID string) error
}
Cluster contains all vault methods to configure secrets for a cluster.
func NewCluster ¶
func NewCluster(vaultClient *api.Client, methods AuthMethod) Cluster
NewCluster creates a new Cluster manipulator for the given vault client.
type FileSecret ¶
type GithubLoginData ¶
type IssueConfig ¶
// IssueConfig describes one certificate to be issued and where the resulting
// files are written.
//
// NOTE(review): Role, CommonName, AltNames and IPSans presumably map onto the
// parameters of Vault's PKI issue endpoint (role, common_name, alt_names,
// ip_sans); confirm against the implementation.
type IssueConfig struct {
	Role       string   // name of the issuing role
	CommonName string   // subject common name of the certificate
	AltNames   []string // additional DNS names for the certificate
	IPSans     []string // additional IP addresses for the certificate

	OutputDir           string // directory the certificate, key and CA files are written to
	CertificateFileName string // file name for the issued certificate
	KeyFileName         string // file name for the private key
	CAFileName          string // file name for the issuing CA certificate
	// FileMode is the mode applied to the written files. The private key is
	// written with the same mode, so it should not grant read access to others.
	FileMode uint32
}
func (*IssueConfig) IssueIsNeeded ¶
func (config *IssueConfig) IssueIsNeeded(log *logging.Logger) bool
IssueIsNeeded checks the certificate files that will be created by an issue command. If they already exist and are valid, an issue is not needed and false is returned. What counts as "valid" (for example parseable, not yet expired) is decided by the implementation and is not documented here.
func (*IssueConfig) SetupDefaults ¶
func (config *IssueConfig) SetupDefaults(clusterID string)
SetupDefaults ensures all fields are set to their defaults if they are not yet set
type Job ¶
// Job contains all vault methods to configure secrets for a job.
//
// A job is identified by jobID. Access to a job's secrets is granted and
// revoked per cluster with AllowCluster and DenyCluster.
type Job interface {
	// Create creates the authentication mapping for a job with given id.
	// policyName is presumably the Vault policy attached to that mapping,
	// which bounds what the job's credentials may read — confirm against the
	// implementation.
	Create(jobID, policyName string) error
	// Delete removes the authentication mapping for a job with given id.
	Delete(jobID string) error
	// AllowCluster creates the user-id mapping for allowing a cluster access to the secrets of a job.
	AllowCluster(jobID, clusterID string) error
	// DenyCluster removes the user-id mapping so the cluster is denied access to the secrets of a job.
	DenyCluster(jobID, clusterID string) error
}
Job contains all vault methods to configure secrets for a job.
type K8sClient ¶
type K8sClient struct {
// contains filtered or unexported fields
}
func NewKubernetesClient ¶
func NewKubernetesClient(podName, podIP, clusterInfoSecretName, clusterIDSecretKey string) (*K8sClient, error)
NewKubernetesClient creates a kubernetes client.
func (*K8sClient) ServerLoginData ¶
func (c *K8sClient) ServerLoginData(next ServerLoginData) ServerLoginData
type ServerLoginData ¶
// ServerLoginData supplies the identifiers a server presents when logging in
// to Vault (see VaultService.ServerLogin).
//
// The constructors in this package (NewEnvServerLoginData,
// NewFileSystemServerLoginData, NewStaticServerLoginData) all take a next
// ServerLoginData, which suggests implementations are chained and defer to
// next for values they cannot provide — confirm against the implementation.
type ServerLoginData interface {
	// JobID returns the id of the job the server belongs to.
	JobID() (string, error)
	// ClusterID returns the id of the cluster the server belongs to.
	ClusterID() (string, error)
	// MachineID returns the id of the machine the server runs on.
	MachineID() (string, error)
}
func NewEnvServerLoginData ¶
func NewEnvServerLoginData(next ServerLoginData) ServerLoginData
NewEnvServerLoginData creates a ServerLoginData that attempts to fetch the data from env variables.
func NewFileSystemServerLoginData ¶
func NewFileSystemServerLoginData(jobIDPath, clusterIDPath, machineIDPath string, next ServerLoginData) ServerLoginData
NewFileSystemServerLoginData creates a ServerLoginData that attempts to fetch the data from the files whose paths are given as arguments to this call (jobIDPath, clusterIDPath, machineIDPath); next is presumably consulted for values that cannot be read this way.
func NewStaticServerLoginData ¶
func NewStaticServerLoginData(jobID, clusterID, machineID string, next ServerLoginData) ServerLoginData
NewStaticServerLoginData creates a ServerLoginData that returns the jobID, clusterID and machineID arguments given to this call; next is presumably consulted for any value that is left empty.
type TidyOptions ¶
// TidyOptions contains custom options for tidy actions.
//
// NOTE(review): the field names mirror the parameters of Vault's PKI tidy
// endpoint (tidy_cert_store, tidy_revocation_list, safety_buffer); confirm
// the mapping against the implementation before relying on it.
type TidyOptions struct {
	// TidyCertificateStore requests cleanup of the certificate store.
	TidyCertificateStore bool
	// TidyRevocationList requests cleanup of the revocation list.
	TidyRevocationList bool
	// SafetyBuffer is the grace period that must have elapsed past expiry
	// before a certificate is considered for cleanup.
	SafetyBuffer time.Duration
}
TidyOptions contains custom options for tidy actions.
type TokenConfig ¶
type VaultClient ¶
type VaultService ¶
type VaultService struct {
// contains filtered or unexported fields
}
func NewVaultService ¶
func NewVaultService(log *logging.Logger, srvCfg VaultServiceConfig) (*VaultService, error)
NewVaultService creates a new VaultService and loads its configuration from the given settings.
func (*VaultService) GithubLogin ¶
func (s *VaultService) GithubLogin(data GithubLoginData) (*AuthenticatedVaultClient, error)
GithubLogin performs a standard Github authentication and initializes the vaultClient with the resulting token.
func (*VaultService) Seal ¶
func (s *VaultService) Seal(c *AuthenticatedVaultClient) error
Seal seals the vault using the given authenticated client. Sealing is a privileged operation, so the client's token must carry a policy that permits it.
func (*VaultService) SealStatus ¶
func (s *VaultService) SealStatus() error
SealStatus reports the seal status of the vault. Because only an error is returned, the status itself is presumably emitted via the service's logger rather than handed back to the caller.
func (*VaultService) ServerLogin ¶
func (s *VaultService) ServerLogin(data ServerLoginData) (*AuthenticatedVaultClient, error)
ServerLogin performs a 2-step login (presumably app-id/user-id or AppRole role-id/secret-id, depending on which authentication methods are enabled in VaultServiceConfig) using the identifiers obtained from data, and initializes the vaultClient with the resulting token.
func (*VaultService) Unseal ¶
func (s *VaultService) Unseal(keyCmd []string) error
Unseal unseals the vault. It calls a given process several times to obtain unseal keys. keyCmd is executed as a command line, so it must come from a trusted configuration source; each invocation presumably yields one unseal key share.
type VaultServiceConfig ¶
// VaultServiceConfig holds the settings NewVaultService needs to reach and
// authenticate against a Vault server.
type VaultServiceConfig struct {
	// VaultAddr is the URL of the vault.
	VaultAddr string
	// VaultCACert is the path to a PEM-encoded CA cert file to use to verify
	// the Vault server TLS certificate.
	VaultCACert string
	// VaultCAPath is the path to a directory of PEM-encoded CA cert files to
	// verify the Vault server TLS certificate.
	VaultCAPath string
	// TokenPath is the path of a file containing the login token.
	// The file holds a live Vault token and must be protected like any other secret.
	TokenPath string

	// IPv4Only, if set, restricts the client to IPv4 addresses.
	IPv4Only bool
	// IPv6Only, if set, restricts the client to IPv6 addresses.
	// NOTE(review): the behaviour when both IPv4Only and IPv6Only are set is
	// not defined here.
	IPv6Only bool

	// DisableAppID, if set, disables AppID authentication.
	DisableAppID bool
	// DisableAppRole, if set, disables AppRole authentication.
	DisableAppRole bool
}