vault

package

v0.0.0-...-7dd96b6 Latest Latest Go to latest Published: Aug 30, 2023 License: Apache-2.0 Imports: 14 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/app-sre/vault-manager

Links

Open Source Insights

Documentation ¶

Overview ¶

Package vault implements a wrapper around a Vault API client that retrieves credentials from the operating system environment.

Index ¶

Constants
func DataInSecret(instanceAddr string, data map[string]interface{}, path string, version string) (bool, error)
func DeleteSecret(instanceAddr string, secretPath string) error
func DeleteVaultPolicy(instanceAddr string, name string) error
func DisableAuditDevice(instanceAddr string, path string) error
func DisableAuth(instanceAddr string, path string) error
func DisableSecretsEngine(instanceAddr string, path string) error
func EnableAuditDevice(instanceAddr, path string, options *api.EnableAuditOptions) error
func EnableAuthWithOptions(instanceAddr string, path string, options *api.EnableAuthOptions) error
func EnableSecretsEngine(instanceAddr string, path string, mount *api.MountInput) error
func EqualPathNames(x, y string) bool
func FormatSecretPath(secret string, secretEngine string) string
func GenerateApproleSecretID(instanceAddr, secretPath string) (*api.Secret, error)
func GetEntityAliasInfo(instanceAddr string, id string) (map[string]interface{}, error)
func GetEntityInfo(instanceAddr string, name string) (map[string]interface{}, error)
func GetGroupInfo(instanceAddr string, name string) (map[string]interface{}, error)
func GetInstances(entriesBytes []byte, kubeAuth bool, threadPoolSize int) []string
func GetVaultPolicy(instanceAddr string, name string) (string, error)
func GetVaultSecretField(instanceAddr, path, field, engineVersion string) (string, error)
func GetVaultVersion(instanceAddr string) (string, error)
func ListAuditDevices(instanceAddr string) (map[string]*api.Audit, error)
func ListAuthBackends(instanceAddr string) (map[string]*api.AuthMount, error)
func ListEntities(instanceAddr string) (map[string]interface{}, error)
func ListGroups(instanceAddr string) (map[string]interface{}, error)
func ListSecrets(instanceAddr string, path string) (*api.Secret, error)
func ListSecretsEngines(instanceAddr string) (map[string]*api.MountOutput, error)
func ListVaultPolicies(instanceAddr string) ([]string, error)
func OptionsEqual(xopts, yopts map[string]interface{}) bool
func ParseDuration(duration string) (time.Duration, error)
func PutVaultPolicy(instanceAddr string, name string, rules string) error
func ReadSecret(instanceAddr, secretPath, engineVersion string) (map[string]interface{}, error)
func UpdateSecretsEngine(instanceAddr string, path string, config api.MountConfigInput) error
func WriteEntityAlias(instanceAddr string, secretPath string, secretData map[string]interface{}) error
func WriteSecret(instanceAddr, secretPath, engineVersion string, ...) error
type AuthBundle
type Instance
type Item
- func DiffItems(desired, existing []Item) (toBeWritten, toBeDeleted, toBeUpdated []Item)
type VaultSecret

Constants ¶

View Source

const (
	ROLE_ID      = "roleID"
	SECRET_ID    = "secretID"
	TOKEN        = "token"
	APPROLE_AUTH = "approle"
	TOKEN_AUTH   = "token"
	KV_V1        = "kv_v1"
	KV_V2        = "kv_v2"
)

names to assign to access attributes

View Source

const (
	OIDC_CLIENT_SECRET        = "oidc_client_secret"
	OIDC_CLIENT_SECRET_KV_VER = "oidc_client_secret_kv_version"
	KUBERNETES_CA_CERT        = "kubernetes_ca_cert"
	KUBERNETES_CA_CERT_KV_VER = "kubernetes_ca_cert_kv_version"
)

Variables ¶

This section is empty.

Functions ¶

func DataInSecret ¶

func DataInSecret(instanceAddr string, data map[string]interface{}, path string, version string) (bool, error)

DataInSecret compare given data with data stored in the vault secret

func DeleteSecret ¶

func DeleteSecret(instanceAddr string, secretPath string) error

delete secret from vault

func DeleteVaultPolicy ¶

func DeleteVaultPolicy(instanceAddr string, name string) error

delete vault policy

func DisableAuditDevice ¶

func DisableAuditDevice(instanceAddr string, path string) error

disable audit device

func DisableAuth ¶

func DisableAuth(instanceAddr string, path string) error

disable auth backend

func DisableSecretsEngine ¶

func DisableSecretsEngine(instanceAddr string, path string) error

disable secrets engine

func EnableAuditDevice ¶

func EnableAuditDevice(instanceAddr, path string, options *api.EnableAuditOptions) error

enable audit device with options

func EnableAuthWithOptions ¶

func EnableAuthWithOptions(instanceAddr string, path string, options *api.EnableAuthOptions) error

enable auth backend

func EnableSecretsEngine ¶

func EnableSecretsEngine(instanceAddr string, path string, mount *api.MountInput) error

enable secrets engine

func EqualPathNames ¶

func EqualPathNames(x, y string) bool

EqualPathNames determines if two paths are the same.

func FormatSecretPath ¶

func FormatSecretPath(secret string, secretEngine string) string

return proper secret path format based upon kv version kv v2 api inserts /data/ between the root engine name and remaining path

func GenerateApproleSecretID ¶

func GenerateApproleSecretID(instanceAddr, secretPath string) (*api.Secret, error)

"write" empty secret to approle secret-id endpoint in order to generate new secret_id https://www.vaultproject.io/docs/auth/approle#via-the-api-1

func GetEntityAliasInfo ¶

func GetEntityAliasInfo(instanceAddr string, id string) (map[string]interface{}, error)

func GetEntityInfo ¶

func GetEntityInfo(instanceAddr string, name string) (map[string]interface{}, error)

func GetGroupInfo ¶

func GetGroupInfo(instanceAddr string, name string) (map[string]interface{}, error)

func GetInstances ¶

func GetInstances(entriesBytes []byte, kubeAuth bool, threadPoolSize int) []string

Utilized to initialize vault instance clients for use by other toplevel integrations returns list of instance addresses being included in reconcile

func GetVaultPolicy ¶

func GetVaultPolicy(instanceAddr string, name string) (string, error)

get vault policy name

func GetVaultSecretField ¶

func GetVaultSecretField(instanceAddr, path, field, engineVersion string) (string, error)

attempts to read/proccess a single access credential for a particular vault instance

func GetVaultVersion ¶

func GetVaultVersion(instanceAddr string) (string, error)

GetVaultVersion returns the vault server version

func ListAuditDevices ¶

func ListAuditDevices(instanceAddr string) (map[string]*api.Audit, error)

list existing enabled Audits Devices.

func ListAuthBackends ¶

func ListAuthBackends(instanceAddr string) (map[string]*api.AuthMount, error)

list existing auth backends

func ListEntities ¶

func ListEntities(instanceAddr string) (map[string]interface{}, error)

func ListGroups ¶

func ListGroups(instanceAddr string) (map[string]interface{}, error)

func ListSecrets ¶

func ListSecrets(instanceAddr string, path string) (*api.Secret, error)

list secrets

func ListSecretsEngines ¶

func ListSecretsEngines(instanceAddr string) (map[string]*api.MountOutput, error)

return secret engines

func ListVaultPolicies ¶

func ListVaultPolicies(instanceAddr string) ([]string, error)

returns a list of existing policy names for a specific instance

func OptionsEqual ¶

func OptionsEqual(xopts, yopts map[string]interface{}) bool

OptionsEqual compares two sets of options mappings.

func ParseDuration ¶

func ParseDuration(duration string) (time.Duration, error)

ParseDuration parses a string duration from Vault. Defaults to seconds if no unit is found at the end of the string.

func PutVaultPolicy ¶

func PutVaultPolicy(instanceAddr string, name string, rules string) error

put vault policy

func ReadSecret ¶

func ReadSecret(instanceAddr, secretPath, engineVersion string) (map[string]interface{}, error)

read secret from vault and return the secret map

func UpdateSecretsEngine ¶

func UpdateSecretsEngine(instanceAddr string, path string, config api.MountConfigInput) error

update secrets engine

func WriteEntityAlias ¶

func WriteEntityAlias(instanceAddr string, secretPath string, secretData map[string]interface{}) error

func WriteSecret ¶

func WriteSecret(instanceAddr, secretPath, engineVersion string, secretData map[string]interface{}) error

write secret to vault

Types ¶

type AuthBundle ¶

type AuthBundle struct {
	KubeRoleName string
	SecretEngine string
	VaultSecrets []*VaultSecret
}

type Instance ¶

type Instance struct {
	Address string `yaml:"address"`
	Auth    auth   `yaml:"auth"`
}

type Item ¶

type Item interface {
	Key() string
	Equals(interface{}) bool
	KeyForDescription() string
	KeyForType() string
}

Item represents a remote value stored in a Vault instance.

func DiffItems ¶

func DiffItems(desired, existing []Item) (toBeWritten, toBeDeleted, toBeUpdated []Item)

DiffItems is a pure function that determines what changes need to be made to a Vault instance in order to reach the desired state.

type VaultSecret ¶

type VaultSecret struct {
	Name    string
	Type    string
	Path    string
	Field   string
	Version string
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL