jx: github.com/jenkins-x/jx/pkg/kube/vault Index | Files

package vault

import "github.com/jenkins-x/jx/pkg/kube/vault"

Index

Package Files

vault.go vault_factory.go vault_selector.go

Constants

const (
    BankVaultsImage    = "banzaicloud/bank-vaults"
    VaultOperatorImage = "banzaicloud/vault-operator"
    VaultImage         = "vault"
)

func CreateOrUpdateVault Uses

func CreateOrUpdateVault(vault *v1alpha1.Vault, vaultOperatorClient versioned.Interface, ns string) error

CreateOrUpdateVault creates the specified Vault CRD if it does not exist or updates it otherwise.

func DeleteVault Uses

func DeleteVault(vaultOperatorClient versioned.Interface, name string, ns string) error

DeleteVault delete a Vault resource

func FindVault Uses

func FindVault(vaultOperatorClient versioned.Interface, name string, ns string) bool

FindVault checks if a vault is available

func GetAuthSaName Uses

func GetAuthSaName(vault v1alpha1.Vault) string

GetAuthSaName gets the Auth Service Account name for the vault

func GetVault Uses

func GetVault(vaultOperatorClient versioned.Interface, name string, ns string) (*v1alpha1.Vault, error)

GetVault gets a specific vault

func GetVaults Uses

func GetVaults(client kubernetes.Interface, vaultOperatorClient versioned.Interface, ns string, useIngressURL bool) ([]*vault.Vault, error)

GetVaults returns all vaults available in a given namespaces

func NewVaultCRD Uses

func NewVaultCRD(kubeClient kubernetes.Interface, name string, ns string, images map[string]string,
    authServiceAccount string, authServiceAccountNamespace string, secretsPathPrefix string) (*v1alpha1.Vault, error)

NewVaultCRD creates and initializes a new Vault instance.

func SystemVaultName Uses

func SystemVaultName(kuber kube.Kuber) (string, error)

SystemVaultName returns the name of the system vault based on the cluster name

func SystemVaultNameForCluster Uses

func SystemVaultNameForCluster(clusterName string) string

SystemVaultNameForCluster returns the system vault name from a given cluster name

type AWSConfig Uses

type AWSConfig struct {
    v1alpha1.AWSUnsealConfig
    AutoCreate          bool
    DynamoDBTable       string
    DynamoDBRegion      string
    AccessKeyID         string
    SecretAccessKey     string
    ProvidedIAMUsername string
}

AWSConfig keeps the vault configuration for AWS

type AWSSealConfig Uses

type AWSSealConfig struct {
    Region    string `json:"region,omitempty"`
    AccessKey string `json:"access_key,omitempty"`
    SecretKey string `json:"secret_key,omitempty"`
    KmsKeyID  string `json:"kms_key_id,omitempty"`
    Endpoint  string `json:"endpoint,omitempty"`
}

AWSSealConfig AWS KMS config for vault auto-unseal

type CloudProviderConfig Uses

type CloudProviderConfig struct {
    Storage           map[string]interface{}
    Seal              map[string]interface{}
    UnsealConfig      v1alpha1.UnsealConfig
    CredentialsConfig v1alpha1.CredentialsConfig
}

CloudProviderConfig is a wrapper around the cloud provider specific elements of the Vault CRD configuration

func PrepareAWSVaultCRD Uses

func PrepareAWSVaultCRD(awsServiceAccountSecretName string, awsConfig *AWSConfig) (CloudProviderConfig, error)

PrepareAWSVaultCRD creates a new vault backed by AWS KMS and DynamoDB storage

func PrepareGKEVaultCRD Uses

func PrepareGKEVaultCRD(gcpServiceAccountSecretName string, gcpConfig *GCPConfig) (CloudProviderConfig, error)

PrepareGKEVaultCRD creates a new vault backed by GCP KMS and storage

type DynamoDBConfig Uses

type DynamoDBConfig struct {
    HaEnabled       string `json:"ha_enabled"`
    Region          string `json:"region"`
    Table           string `json:"table"`
    AccessKeyID     string `json:"access_key"`
    SecretAccessKey string `json:"secret_key"`
}

DynamoDBConfig AWS DynamoDB config for Vault backend

type GCPConfig Uses

type GCPConfig struct {
    ProjectId   string
    KmsKeyring  string
    KmsKey      string
    KmsLocation string
    GcsBucket   string
}

GCPConfig keeps the configuration for Google Cloud

type GCPSealConfig Uses

type GCPSealConfig struct {
    Credentials string `json:"credentials,omitempty"`
    Project     string `json:"project,omitempty"`
    Region      string `json:"region,omitempty"`
    KeyRing     string `json:"key_ring,omitempty"`
    CryptoKey   string `json:"crypto_key,omitempty"`
}

GCPSealConfig Google Cloud KMS config for vault auto-unseal

type GCSConfig Uses

type GCSConfig struct {
    Bucket    string `json:"bucket"`
    HaEnabled string `json:"ha_enabled"`
}

GCSConfig Google Cloud Storage config for Vault backend

type Listener Uses

type Listener struct {
    Tcp Tcp `json:"tcp"`
}

Listener vault server listener

type OptionsInterface Uses

type OptionsInterface interface {
    KubeClientAndNamespace() (kubernetes.Interface, string, error)
    VaultOperatorClient() (versioned.Interface, error)
    GetIn() terminal.FileReader
    GetOut() terminal.FileWriter
    GetErr() io.Writer
    GetIOFileHandles() util.IOFileHandles
}

OptionsInterface is an interface to allow passing around of a CommonOptions object without dependencies on the whole of the cmd package

type Seal Uses

type Seal struct {
    GcpCkms *GCPSealConfig `json:"gcpckms,omitempty"`
    AWSKms  *AWSSealConfig `json:"awskms,omitempty"`
}

Seal configuration for Vault auto-unseal

type SecretEngine Uses

type SecretEngine struct {
    vaultapi.MountInput
    Path string `json:"path"`
}

SecretEngine configuration for secret engine

type Selector Uses

type Selector interface {
    GetVault(name string, namespace string, useIngressURL bool) (*vault.Vault, error)
}

Selector is an interface for selecting a vault from the installed ones on the platform It should pick the most logical one, or give the user a way of picking a vault if there are multiple installed

func NewVaultSelector Uses

func NewVaultSelector(o OptionsInterface) (Selector, error)

NewVaultSelector creates a new vault selector

type Storage Uses

type Storage struct {
    GCS      *GCSConfig      `json:"gcs,omitempty"`
    DynamoDB *DynamoDBConfig `json:"dynamodb,omitempty"`
}

Storage configuration for Vault storage

type Tcp Uses

type Tcp struct {
    Address    string `json:"address"`
    TlsDisable bool   `json:"tls_disable"`
}

Tcp address for vault server

type Telemetry Uses

type Telemetry struct {
    StatsdAddress string `json:"statsd_address"`
}

Telemetry address for telemetry server

type VaultAuth Uses

type VaultAuth struct {
    Roles []VaultRole `json:"roles"`
    Type  string      `json:"type"`
}

VaultAuth vault auth configuration

type VaultAuths Uses

type VaultAuths []VaultAuth

VaultAuths list of vault authentications

type VaultClientFactory Uses

type VaultClientFactory struct {
    Options  OptionsInterface
    Selector Selector

    DisableURLDiscovery bool
    // contains filtered or unexported fields
}

VaultClientFactory keeps the configuration required to build a new vault client factory

func NewInteractiveVaultClientFactory Uses

func NewInteractiveVaultClientFactory(options OptionsInterface) (*VaultClientFactory, error)

NewInteractiveVaultClientFactory creates a VaultClientFactory that allows the user to pick vaults if necessary

func NewVaultClientFactory Uses

func NewVaultClientFactory(kubeClient kubernetes.Interface, vaultOperatorClient versioned.Interface, defaultNamespace string) (*VaultClientFactory, error)

NewVaultClientFactory creates a new VaultClientFactory with different options to the above. It doesnt' have CLI support so will fail if it needs interactive input (unlikely)

func NewVaultClientFactoryWithSelector Uses

func NewVaultClientFactoryWithSelector(kubeClient kubernetes.Interface, selector Selector, defaultNamespace string) (*VaultClientFactory, error)

NewVaultClientFactoryWithSelector creates a new VaultClientFactory with a provided Selector. This allows to use an external Vault instance using the custom selector.

func NewVaultClientFactoryWithoutSelector Uses

func NewVaultClientFactoryWithoutSelector(kubeClient kubernetes.Interface, defaultNamespace string) (*VaultClientFactory, error)

NewVaultClientFactoryWithoutSelector creates a new VaultClientFactory.

func (*VaultClientFactory) GetConfigData Uses

func (v *VaultClientFactory) GetConfigData(name string, namespace string, useIngressURL, insecureSSLWebhook bool) (config *api.Config, jwt string, saName string, err error)

GetConfigData generates the information necessary to configure an api.Client object Returns the api.Config object, the JWT needed to create the auth user in vault, and an error if present

func (*VaultClientFactory) NewVaultClient Uses

func (v *VaultClientFactory) NewVaultClient(name string, namespace string, useIngressURL, insecureSSLWebhook bool) (*api.Client, error)

NewVaultClient creates a new api.Client if namespace is nil, then the default namespace of the factory will be used if the name is nil, and only one vault is found, then that vault will be used. Otherwise the user will be prompted to select a vault for the client.

func (*VaultClientFactory) NewVaultClientForURL Uses

func (v *VaultClientFactory) NewVaultClientForURL(vaultConfig vault.Vault, insecureSSLWebhook bool) (*api.Client, error)

NewVaultClientForURL creates a new Vault api.Client. If namespace is nil, then the default namespace of the factory will be used

type VaultPolicies Uses

type VaultPolicies []VaultPolicy

VaultPolicies list of vault policies

type VaultPolicy Uses

type VaultPolicy struct {
    Name  string `json:"name"`
    Rules string `json:"rules"`
}

VaultPolicy vault policy

type VaultRole Uses

type VaultRole struct {
    BoundServiceAccountNames      string `json:"bound_service_account_names"`
    BoundServiceAccountNamespaces string `json:"bound_service_account_namespaces"`
    Name                          string `json:"name"`
    Policies                      string `json:"policies"`
    TTL                           string `json:"ttl"`
}

VaultRole role configuration for VaultAuth

Package vault imports 25 packages (graph) and is imported by 1 packages. Updated 2020-07-03. Refresh now. Tools for package owners.