Documentation
Index
Constants
const (
	KVSecretScheme  = "vault+kv"
	PKISecretScheme = "vault+pki"
)
Variables
var (
ErrInvalidSecret = errors.New("invalid vault secret")
)
Functions
This section is empty.
Types
type KVSecret (added in v0.5.0)
func NewKVSecret (added in v0.5.0)
func ParseKVSecret (added in v0.5.0)
type KVSecretClient (added in v0.5.0)
type KVSecretClient struct {
// contains filtered or unexported fields
}
KVSecretClient acts as a certificate retriever using Vault's KV store.
This Vault-specific implementation corresponds with the K8s-specific implementation, k8s.K8sSecretClient.
func NewKVSecretClient (added in v0.5.0)
func NewKVSecretClient(logger hclog.Logger, kvPath string) (*KVSecretClient, error)
NewKVSecretClient relies on the standard VAULT_* environment variables being set, such as VAULT_TOKEN and VAULT_ADDR. In the future, we may need to construct the config externally to allow for custom flags, etc.
func (*KVSecretClient) FetchSecret (added in v0.5.0)
func (c *KVSecretClient) FetchSecret(ctx context.Context, name string) (*tls.Secret, time.Time, error)
FetchSecret accepts an opaque string containing necessary values for retrieving a certificate and private key from Vault KV. It retrieves the certificate and private key, stores them in memory, and returns a tls.Secret acceptable for Envoy SDS.
type LogicalClient
type PKISecret (added in v0.5.0)
type PKISecret struct {
	AltNames   string
	CommonName string
	IPSANs     string
	OtherSANs  string
	TTL        string
}
PKISecret is a wrapper to a certificate secret to be generated by Vault.
This Vault-specific implementation corresponds with the K8s-specific implementation, utils.K8sSecret.
func NewPKISecret (added in v0.5.0)
NewPKISecret creates a descriptor for a certificate to be generated via Vault's PKI API. The arguments correspond with inputs to the cert + key generation endpoint. https://www.vaultproject.io/api-docs/secret/pki#generate-certificate-and-key
func ParsePKISecret (added in v0.5.0)
ParsePKISecret accepts an opaque string reference and returns a PKISecret. The expected format is vault://<common_name>?ttl=<ttl>&ipSans=<sans>..., where common_name, ttl, etc. correspond to values accepted by Vault's PKI API. Plural parameters are generally comma-delimited lists, as described in the docs:
https://www.vaultproject.io/api-docs/secret/pki
Some components, such as the issuer and issue, are configured globally today. In the future, we could include those as additional query parameters.
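The reference format described above is easy to get subtly wrong: a misspelled query key (ipsans instead of ipSans) or a stray empty list entry should fail the request rather than silently produce a certificate with different SANs than intended. The following is an added example of such a parser, not the project's own ParsePKISecret. It assumes the query keys altNames and otherSans (only ttl and ipSans appear on the page), rejects unknown or repeated keys and empty list entries, and wraps all failures in a local copy of ErrInvalidSecret so callers can test for it with errors.Is.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrInvalidSecret is a local copy of the package's sentinel error so that this
// example runs stand-alone.
var ErrInvalidSecret = errors.New("invalid vault secret")

// PKISecret mirrors the exported field set documented for the package type.
type PKISecret struct {
	AltNames   string
	CommonName string
	IPSANs     string
	OtherSANs  string
	TTL        string
}

// knownKeys lists the query parameters this parser accepts. "ttl" and "ipSans"
// come from the documented format; "altNames" and "otherSans" are assumed names.
var knownKeys = map[string]bool{"ttl": true, "ipSans": true, "altNames": true, "otherSans": true}

// normalizeList trims each element of a comma-delimited list and rejects empty
// entries, so "a,,b" or "a, ,b" cannot be passed on as a SAN list with a blank entry.
func normalizeList(raw string) (string, error) {
	if raw == "" {
		return "", nil
	}
	parts := strings.Split(raw, ",")
	for i, p := range parts {
		p = strings.TrimSpace(p)
		if p == "" {
			return "", fmt.Errorf("%w: empty entry in list %q", ErrInvalidSecret, raw)
		}
		parts[i] = p
	}
	return strings.Join(parts, ","), nil
}

// ParsePKIRef parses vault://<common_name>?ttl=<ttl>&ipSans=<sans>... into a
// PKISecret. It fails closed: unknown keys, repeated keys, a missing common
// name, userinfo or a path component are all rejected (the path/userinfo
// strictness is this example's choice, not documented behaviour).
func ParsePKIRef(ref string) (*PKISecret, error) {
	u, err := url.Parse(ref)
	if err != nil {
		return nil, fmt.Errorf("%w: %v", ErrInvalidSecret, err)
	}
	if u.Scheme != "vault" {
		return nil, fmt.Errorf("%w: scheme must be vault, got %q", ErrInvalidSecret, u.Scheme)
	}
	if u.Host == "" || u.Path != "" || u.User != nil {
		return nil, fmt.Errorf("%w: expected vault://<common_name>?..., got %q", ErrInvalidSecret, ref)
	}
	s := &PKISecret{CommonName: u.Host}
	for key, vals := range u.Query() {
		if !knownKeys[key] {
			return nil, fmt.Errorf("%w: unknown parameter %q", ErrInvalidSecret, key)
		}
		if len(vals) != 1 {
			return nil, fmt.Errorf("%w: parameter %q given %d times", ErrInvalidSecret, key, len(vals))
		}
		switch key {
		case "ttl":
			s.TTL = vals[0]
		case "ipSans":
			if s.IPSANs, err = normalizeList(vals[0]); err != nil {
				return nil, err
			}
		case "altNames":
			if s.AltNames, err = normalizeList(vals[0]); err != nil {
				return nil, err
			}
		case "otherSans":
			if s.OtherSANs, err = normalizeList(vals[0]); err != nil {
				return nil, err
			}
		}
	}
	return s, nil
}

func main() {
	// Constructed sample reference; the host name is illustrative only.
	for _, ref := range []string{
		"vault://gateway.example.com?ttl=24h&ipSans=10.0.0.1,%2010.0.0.2",
		"vault://gateway.example.com?ipsans=10.0.0.1", // misspelled key is rejected
	} {
		s, err := ParsePKIRef(ref)
		fmt.Printf("%s -> %+v, err=%v\n", ref, s, err)
	}
}
```

Treating unknown keys as errors is the important design choice: a permissive parser that ignores them would accept ipsans=... and issue a certificate with no IP SANs at all, which the caller would only discover when TLS handshakes fail in production.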
type PKISecretClient (added in v0.5.0)
type PKISecretClient struct {
// contains filtered or unexported fields
}
PKISecretClient acts as a certificate generator using Vault's PKI engine.
This Vault-specific implementation corresponds with the K8s-specific implementation, k8s.K8sSecretClient.
func NewPKISecretClient (added in v0.5.0)
func NewPKISecretClient(logger hclog.Logger, pkiPath, issue string) (*PKISecretClient, error)
NewPKISecretClient relies on the standard VAULT_* environment variables being set, such as VAULT_TOKEN and VAULT_ADDR. In the future, we may need to construct the config externally to allow for custom flags, etc.
func (*PKISecretClient) FetchSecret (added in v0.5.0)
func (c *PKISecretClient) FetchSecret(ctx context.Context, name string) (*tls.Secret, time.Time, error)
FetchSecret accepts an opaque string containing necessary values for generating a certificate and private key with Vault's PKI engine. It generates the certificate and private key, stores them in memory, and returns a tls.Secret acceptable for Envoy SDS.