certretrieval

package
v0.1.0
This package is not in the latest version of its module.
Published: Sep 21, 2022 License: Apache-2.0 Imports: 20 Imported by: 0

Documentation

Overview

Package certretrieval implements certificate retrieval from a Vault server. It authenticates with either a Vault token or a Kubernetes service account token and then asks Vault to issue a new certificate.
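How the two authentication paths described above might fit together, as an added example that is not the package's own code: `authConfig`, `resolveToken`, `kubernetesLogin`, `newFakeVault` and the `saTokenPath` override are names made up for this illustration, and the Vault it talks to is a constructed in-process fake. The login endpoint `/v1/auth/kubernetes/login` with a `role`/`jwt` body is Vault's documented Kubernetes auth method at its default mount; the page does not say which mount path or which precedence between Token, Tokenfile and service account the package actually uses, so both are assumptions here.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"strings"
)

// ServiceAccountPath and ErrConfig mirror the package's exported names.
const ServiceAccountPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"

var ErrConfig = errors.New("configuration error")

// authConfig is the subset of Config that drives authentication.
type authConfig struct {
	Token       string // literal Vault token
	Tokenfile   string // file holding a Vault token
	Vault       string // Vault base URL, e.g. https://vault.example.internal:8200
	AuthRole    string // Kubernetes auth role to log in as
	saTokenPath string // example-only override of ServiceAccountPath for use outside a pod
}

// kubernetesLogin exchanges a service account JWT for a Vault client token via
// Vault's Kubernetes auth method (POST /v1/auth/kubernetes/login with role and jwt).
func kubernetesLogin(client *http.Client, vault, role, jwt string) (string, error) {
	body, _ := json.Marshal(map[string]string{"role": role, "jwt": jwt})
	resp, err := client.Post(strings.TrimRight(vault, "/")+"/v1/auth/kubernetes/login", "application/json", bytes.NewReader(body))
	if err != nil {
		return "", fmt.Errorf("kubernetes login: %w", err)
	}
	defer resp.Body.Close()
	raw, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // bound the untrusted body
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("kubernetes login: HTTP %d: %s", resp.StatusCode, bytes.TrimSpace(raw))
	}
	var out struct {
		Auth struct {
			ClientToken string `json:"client_token"`
		} `json:"auth"`
	}
	if err := json.Unmarshal(raw, &out); err != nil || out.Auth.ClientToken == "" {
		return "", errors.New("kubernetes login: response carried no auth.client_token")
	}
	return out.Auth.ClientToken, nil
}

// resolveToken picks the Vault token in precedence order: explicit Token, then
// Tokenfile, then the pod's service account JWT exchanged through kubernetesLogin.
func resolveToken(client *http.Client, cfg authConfig) (string, error) {
	if cfg.Token != "" {
		return cfg.Token, nil
	}
	if cfg.Tokenfile != "" {
		b, err := os.ReadFile(cfg.Tokenfile)
		if err != nil {
			return "", fmt.Errorf("%w: read Tokenfile: %v", ErrConfig, err)
		}
		return strings.TrimSpace(string(b)), nil
	}
	path := cfg.saTokenPath
	if path == "" {
		path = ServiceAccountPath
	}
	jwt, err := os.ReadFile(path)
	if err != nil {
		return "", fmt.Errorf("%w: no Token or Tokenfile and no service account token: %v", ErrConfig, err)
	}
	if cfg.AuthRole == "" {
		return "", fmt.Errorf("%w: AuthRole is required for Kubernetes auth", ErrConfig)
	}
	return kubernetesLogin(client, cfg.Vault, cfg.AuthRole, strings.TrimSpace(string(jwt)))
}

// newFakeVault is a constructed stand-in for Vault: it grants the Kubernetes
// login only for the expected role/JWT pair and answers with a fixed token.
func newFakeVault(role, jwt, token string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/auth/kubernetes/login", func(w http.ResponseWriter, r *http.Request) {
		var req struct {
			Role string `json:"role"`
			JWT  string `json:"jwt"`
		}
		if r.Method != http.MethodPost || json.NewDecoder(r.Body).Decode(&req) != nil || req.Role != role || req.JWT != jwt {
			http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, `{"auth":{"client_token":%q}}`, token)
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := newFakeVault("cert-role", "eyJ.constructed.jwt", "hvs.fake-client-token")
	defer srv.Close()
	sa := filepath.Join(os.TempDir(), "example-sa-token") // constructed service account token
	_ = os.WriteFile(sa, []byte("eyJ.constructed.jwt\n"), 0o600)
	fmt.Println(resolveToken(srv.Client(), authConfig{Vault: srv.URL, AuthRole: "cert-role", saTokenPath: sa}))
}
```

Whichever path wins, the resulting token only needs to live in memory for the issue request that follows; it should not be written next to the issued key material. Wrapping configuration failures in the package's ErrConfig sentinel lets callers distinguish them from a Vault-side rejection with errors.Is.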

Constants

const (
	// The canonical path of a service account token in a running k8s pod
	ServiceAccountPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
)

Variables

var (
	ErrConfig    = fmt.Errorf("configuration error")
	ErrRetrieval = fmt.Errorf("retrieval error")
)

Functions

This section is empty.

Types

type CertRetrieval

type CertRetrieval struct {
	Config
}

CertRetrieval manages the retrieval and replacement of certificates

func New

func New(config Config) (*CertRetrieval, error)

New creates a CertRetrieval from the given Config.

func (*CertRetrieval) Retrieve

func (cr *CertRetrieval) Retrieve() error

Retrieve performs the certificate retrieval

type CertificateData

type CertificateData struct {
	Certificate    string   `json:"certificate,omitempty"`
	Expiration     UnixTime `json:"expiration,omitempty"`
	IssuingCa      string   `json:"issuing_ca,omitempty"`
	PrivateKey     string   `json:"private_key,omitempty"`
	PrivateKeyType string   `json:"private_key_type,omitempty"`
	SerialNumber   string   `json:"serial_number,omitempty"`
}

CertificateData is the data section of a CertificateResponse.

type CertificateRequest

type CertificateRequest struct {
	Name              string     `json:"name,omitempty"`
	CommonName        string     `json:"common_name,omitempty"`
	AltNames          StringList `json:"alt_names,omitempty"`
	IpSans            StringList `json:"ip_sans,omitempty"`
	UriSans           StringList `json:"uri_sans,omitempty"`
	OtherSans         StringList `json:"other_sans,omitempty"`
	TTL               string     `json:"ttl,omitempty"`
	Format            string     `json:"format,omitempty"`
	PrivateKeyFormat  string     `json:"private_key_format,omitempty"`
	ExcludeCnFromSans bool       `json:"exclude_cn_from_sans,omitempty"`
}

CertificateRequest is the request body sent to the Vault PKI engine to issue a certificate.

type CertificateResponse

type CertificateResponse struct {
	RequestId     string          `json:"request_id,omitempty"`
	LeaseId       string          `json:"lease_id,omitempty"`
	LeaseDuration UnixTime        `json:"lease_duration,omitempty"`
	Renewable     bool            `json:"renewable,omitempty"`
	Data          CertificateData `json:"data,omitempty"`
}

CertificateResponse is the Vault response to a certificate request.

type Config

type Config struct {
	// Tokenfile is the path to the file containing the Vault token
	Tokenfile string
	// Token is the Vault token
	Token string
	// Vault is the URL of the Vault server
	Vault string
	// ServerCA is the CA certificate of the Vault server
	ServerCA string
	// PKI is the path to the PKI engine in Vault
	PKI string
	// Role is the Vault role to use
	Role string
	// AuthRole is the Vault role to use for authentication
	AuthRole string
	// Name is the name of the certificate to retrieve
	Name string
	// ValidityCheckTolerance is the tolerance in percent for the validity check
	ValidityCheckTolerance int64
	// Force ignores the validity check and forces retrieval
	Force bool
	// TTL is the requested TTL for the certificate
	TTL time.Duration
	// OutCAfile is the path to the file to store the CA certificate
	OutCAfile string
	// OutCertfile is the path to the file to store the certificate
	OutCertfile string
	// OutKeyfile is the path to the file to store the private key
	OutKeyfile string
}

Config is the configuration struct for the certificate retrieval.

func (Config) Validate

func (c Config) Validate() error

Validate the configuration to catch problems early.

type StringList

type StringList []string

StringList is a wrapper for a string slice with JSON marshalling that also handles values not expressed as a JSON array.

func (StringList) MarshalJSON

func (sl StringList) MarshalJSON() ([]byte, error)

func (*StringList) UnmarshalJSON

func (sl *StringList) UnmarshalJSON(data []byte) error

type UnixTime

type UnixTime time.Time

UnixTime is a wrapper type for time.Time that marshals to and unmarshals from its JSON representation as a Unix timestamp.

func (UnixTime) MarshalJSON

func (ut UnixTime) MarshalJSON() (data []byte, err error)

func (*UnixTime) UnmarshalJSON

func (ut *UnixTime) UnmarshalJSON(data []byte) error
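Both wrapper types above exist because Vault's PKI API does not use the obvious JSON shapes: `alt_names`, `ip_sans` and the other SAN parameters are comma-separated strings rather than arrays, and `expiration` in an issue response is an integer Unix timestamp rather than an RFC 3339 string. The implementation below is an added example, not the package's own code; it reduces the page's request and response types to the fields it needs, encodes a request and decodes a constructed response, and the sample JSON is made up for the example rather than captured from a server.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// StringList decodes from either a JSON array or one comma-separated JSON
// string and always encodes as the latter, the form Vault's PKI issue API
// uses for alt_names, ip_sans and the other SAN lists.
type StringList []string

// MarshalJSON encodes the list as one comma-separated JSON string.
func (sl StringList) MarshalJSON() ([]byte, error) {
	return json.Marshal(strings.Join(sl, ","))
}

// UnmarshalJSON accepts an array of strings or a comma-separated string;
// entries are trimmed and empty ones dropped. Anything else is an error.
func (sl *StringList) UnmarshalJSON(data []byte) error {
	var arr []string
	if err := json.Unmarshal(data, &arr); err == nil {
		*sl = arr
		return nil
	}
	var s string
	if err := json.Unmarshal(data, &s); err != nil {
		return fmt.Errorf("StringList: expected JSON array or string, got %s", data)
	}
	out := StringList{}
	for _, part := range strings.Split(s, ",") {
		if part = strings.TrimSpace(part); part != "" {
			out = append(out, part)
		}
	}
	*sl = out
	return nil
}

// UnixTime wraps time.Time and is encoded as integer seconds since the Unix
// epoch, which is how Vault reports an issued certificate's "expiration".
type UnixTime time.Time

// MarshalJSON emits the timestamp as a bare JSON number.
func (ut UnixTime) MarshalJSON() ([]byte, error) {
	return []byte(strconv.FormatInt(time.Time(ut).Unix(), 10)), nil
}

// UnmarshalJSON parses a JSON number (a quoted number is tolerated) as UTC time.
func (ut *UnixTime) UnmarshalJSON(data []byte) error {
	secs, err := strconv.ParseInt(strings.Trim(string(data), `"`), 10, 64)
	if err != nil {
		return fmt.Errorf("UnixTime: %w", err)
	}
	*ut = UnixTime(time.Unix(secs, 0).UTC())
	return nil
}

// Reduced copies of the page's request/response types, keeping only the
// fields this example exercises.
type (
	CertificateRequest struct {
		CommonName string     `json:"common_name,omitempty"`
		AltNames   StringList `json:"alt_names,omitempty"`
		IpSans     StringList `json:"ip_sans,omitempty"`
		TTL        string     `json:"ttl,omitempty"`
	}
	CertificateData struct {
		Expiration   UnixTime `json:"expiration,omitempty"`
		SerialNumber string   `json:"serial_number,omitempty"`
	}
	CertificateResponse struct {
		Data CertificateData `json:"data,omitempty"`
	}
)

// sampleResponse is a constructed Vault-style issue response, not captured
// from a real server; the PEM fields are omitted.
const sampleResponse = `{"data": {"expiration": 1695308400, "serial_number": "1a:2b:3c"}}`

// decodeResponse parses an issue response; Expiration becomes a real time.Time.
func decodeResponse(raw string) (CertificateResponse, error) {
	var resp CertificateResponse
	err := json.Unmarshal([]byte(raw), &resp)
	return resp, err
}

func main() {
	body, _ := json.Marshal(CertificateRequest{CommonName: "svc.example.internal",
		AltNames: StringList{"svc", "svc.default.svc"}, IpSans: StringList{"10.0.0.5"}, TTL: "24h"})
	resp, err := decodeResponse(sampleResponse)
	fmt.Println(string(body), time.Time(resp.Data.Expiration), resp.Data.SerialNumber, err)
}
```

Rejecting anything that is neither an array nor a string (a bare number, for instance) rather than silently producing an empty list matters here: an empty SAN list sent to Vault would still be a valid request, just for the wrong certificate.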
