vault

package
v0.23.0
Published: Nov 10, 2023 License: AGPL-3.0 Imports: 16 Imported by: 0

Documentation

Overview

Package vault implements a secret key store that stores secret keys as key-value entries on the Hashicorp Vault K/V secret backend.

Vault is a KMS implementation with many features. This package only uses its key-value store. For an introduction to Vault see: https://www.vaultproject.io/ For a K/V API overview see: https://www.vaultproject.io/api/secret/kv/kv-v1.html

Index

Constants

const (
	// APIv1 is the Vault K/V secret engine API version 1.
	// The v1 K/V secret engine does not support versioned
	// secrets.
	APIv1 = "v1"

	// APIv2 is the Vault K/V secret engine API version 2.
	// The v2 K/V secret engine supports versioned secrets.
	APIv2 = "v2"
)

const (
	// EngineKV is the Hashicorp Vault default KV secret engine path.
	EngineKV = "kv"

	// EngineTransit is the Hashicorp Vault default transit secret engine path.
	EngineTransit = "transit"

	// EngineAppRole is the Hashicorp Vault default AppRole authentication
	// engine path.
	EngineAppRole = "approle"

	// EngineKubernetes is the Hashicorp Vault default Kubernetes
	// authentication engine path.
	EngineKubernetes = "kubernetes"
)
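The difference between APIv1 and APIv2 matters for how a key is created: KV v2 exposes a check-and-set option (cas = 0) that makes Vault itself reject a write when any version of the secret already exists, whereas KV v1 has no such option and a create-if-absent must be emulated with a read followed by a write. The following added example (not code from the vault package or KES) builds the write request for both API versions and rejects key names that could escape the configured Prefix; the JSON field name "key" and the base64 encoding of the value are assumptions of this example, not the package's storage format.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"path"
	"strings"
)

// Stand-ins for the page's APIv1 / APIv2 constants.
const (
	APIv1 = "v1"
	APIv2 = "v2"
)

// KVRequest describes the HTTP request that writes a secret into a K/V engine.
type KVRequest struct {
	Method string
	Path   string // relative to the Vault API root (/v1/)
	Body   []byte
}

// safeName rejects names that are empty, absolute, non-canonical or contain
// "..", so a caller-supplied name can never address a path outside Prefix.
func safeName(name string) error {
	if name == "" || name != path.Clean(name) ||
		strings.HasPrefix(name, "/") || strings.Contains(name, "..") {
		return fmt.Errorf("invalid key name %q", name)
	}
	return nil
}

// createRequest builds a create-if-absent write for the given engine mount,
// API version, prefix and key name. Assumption of this example: the value is
// stored base64-encoded under the JSON field "key".
func createRequest(engine, apiVersion, prefix, name string, value []byte) (KVRequest, error) {
	if err := safeName(name); err != nil {
		return KVRequest{}, err
	}
	data := map[string]string{"key": base64.StdEncoding.EncodeToString(value)}
	switch apiVersion {
	case "", APIv1: // empty defaults to v1, as Config.APIVersion documents
		// v1: PUT <engine>/<prefix>/<name>. There is no check-and-set, so the
		// caller has to GET first and accept the race between GET and PUT.
		body, _ := json.Marshal(data)
		return KVRequest{Method: "PUT", Path: path.Join(engine, prefix, name), Body: body}, nil
	case APIv2:
		// v2: PUT <engine>/data/<prefix>/<name> with options.cas = 0, which
		// makes Vault fail the write if any version of the secret exists.
		body, _ := json.Marshal(map[string]any{
			"data":    data,
			"options": map[string]int{"cas": 0},
		})
		return KVRequest{Method: "PUT", Path: path.Join(engine, "data", prefix, name), Body: body}, nil
	default:
		return KVRequest{}, errors.New("unsupported K/V API version: " + apiVersion)
	}
}

func main() {
	// Constructed sample input; the value is not a real key.
	r, err := createRequest("kv", APIv2, "keys", "my-key", []byte("constructed-sample"))
	if err != nil {
		panic(err)
	}
	fmt.Println(r.Method, r.Path, string(r.Body))
}
```

With APIv1 the atomicity of Create depends entirely on the client; with APIv2 and cas = 0 a concurrent second creator receives an error from Vault, which is the behaviour Create's kes.ErrKeyExists contract needs.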

Variables

This section is empty.

Functions

This section is empty.

Types

type AppRole

type AppRole struct {
	// Engine is the authentication engine path
	//
	// Hashicorp Vault allows multiple engines of the
	// same type mounted at the same time and/or engines
	// mounted at arbitrary paths.
	Engine string

	// ID is the AppRole authentication ID
	ID string

	// Secret is the AppRole authentication secret.
	Secret string

	// Retry is the duration after which another
	// authentication attempt is performed once
	// an authentication attempt failed.
	Retry time.Duration
}

AppRole contains authentication information for the Hashicorp Vault AppRole authentication API.

Ref: https://www.vaultproject.io/api/auth/approle

func (*AppRole) Clone added in v0.23.0

func (a *AppRole) Clone() *AppRole

Clone returns a copy of the AppRole auth.

type Config

type Config struct {
	// Endpoint is the HTTP Vault server endpoint
	Endpoint string

	// Engine is the path of the K/V engine to use.
	//
	// Vault allows multiple engines of the same type
	// mounted at the same time and/or engines mounted
	// at arbitrary paths.
	Engine string

	// APIVersion is the API version of the K/V engine.
	//
	// If empty, it defaults to APIv1.
	//
	// Ref: https://www.vaultproject.io/docs/secrets/kv
	APIVersion string

	// The Vault namespace used to separate and isolate different
	// organizations / tenants at the same Vault instance. If
	// non-empty, the Vault client will send the
	//   X-Vault-Namespace: Namespace
	// HTTP header on each request.
	//
	// Ref: https://www.vaultproject.io/docs/enterprise/namespaces/index.html
	Namespace string

	// Prefix is the key prefix on Vault's K/V store
	// similar to a directory. Keys will be fetched
	// from and stored within this prefix.
	Prefix string

	// AppRole contains the Vault AppRole authentication
	// credentials.
	AppRole *AppRole

	// K8S contains the Vault Kubernetes authentication
	// credentials.
	K8S *Kubernetes

	// Transit contains an optional Vault transit engine
	// configuration for en/decrypting keys at the K/V
	// engine. It adds an additional layer of encryption.
	Transit *Transit

	// StatusPingAfter is the duration after which
	// the KeyStore will check the status of the Vault
	// server. In particular, this status information
	// is used to determine whether the Vault server
	// has been sealed or unsealed again.
	StatusPingAfter time.Duration

	// Path to the mTLS client private key to authenticate to
	// the Vault server.
	PrivateKey string

	// Path to the mTLS client certificate to authenticate to
	// the Vault server.
	Certificate string

	// Path to the root CA certificate(s) used to verify the
	// TLS certificate of the Vault server. If empty, the
	// host's root CA set is used.
	CAPath string
	// contains filtered or unexported fields
}

Config is a structure containing configuration options for connecting to a Hashicorp Vault server.

func (*Config) Clone

func (c *Config) Clone() *Config

Clone returns a shallow clone of c or nil if c is nil. It is safe to clone a Config that is being used concurrently.
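Three Config fields shape the HTTP connection itself: Namespace (sent as the X-Vault-Namespace header on every request), the mTLS pair PrivateKey/Certificate, and CAPath for a private root. The added example below (not the vault package's own code) shows how those fields translate into a Go http.Client: a RoundTripper that injects the namespace header without mutating the caller's request, and a TLS configuration that refuses a half-specified client certificate and replaces the host root set only when CAPath is given. The Config struct here is a reduced stand-in with just those fields, and the example treats CAPath as a single PEM bundle file (an assumption; the package may accept a directory).

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"os"
)

// Config is a stand-in carrying only the page's connection-related fields.
type Config struct {
	Endpoint    string
	Namespace   string
	PrivateKey  string
	Certificate string
	CAPath      string
}

// namespaceTransport sets X-Vault-Namespace on each outgoing request when a
// namespace is configured, which is what the page says the client does.
type namespaceTransport struct {
	namespace string
	next      http.RoundTripper
}

func (t namespaceTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if t.namespace != "" {
		req = req.Clone(req.Context()) // RoundTrippers must not modify the caller's request
		req.Header.Set("X-Vault-Namespace", t.namespace)
	}
	return t.next.RoundTrip(req)
}

// newClient builds an HTTP client for c: optional mTLS client certificate,
// optional private CA bundle (assumed here to be one PEM file), TLS 1.2+.
func newClient(c Config) (*http.Client, error) {
	if (c.Certificate == "") != (c.PrivateKey == "") {
		return nil, errors.New("mTLS requires both Certificate and PrivateKey")
	}
	tlsConf := &tls.Config{MinVersion: tls.VersionTLS12}
	if c.Certificate != "" {
		cert, err := tls.LoadX509KeyPair(c.Certificate, c.PrivateKey)
		if err != nil {
			return nil, fmt.Errorf("load client certificate: %w", err)
		}
		tlsConf.Certificates = []tls.Certificate{cert}
	}
	if c.CAPath != "" {
		pem, err := os.ReadFile(c.CAPath)
		if err != nil {
			return nil, fmt.Errorf("read CA bundle: %w", err)
		}
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(pem) {
			return nil, errors.New("CA bundle contains no PEM certificates")
		}
		tlsConf.RootCAs = pool // leaving RootCAs nil keeps the host's root set
	}
	base := http.DefaultTransport.(*http.Transport).Clone()
	base.TLSClientConfig = tlsConf
	return &http.Client{Transport: namespaceTransport{namespace: c.Namespace, next: base}}, nil
}

func main() {
	// Placeholder endpoint and namespace; no certificate files are read here.
	client, err := newClient(Config{Endpoint: "https://vault.example.invalid:8200", Namespace: "tenant-a"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("client ready: %T\n", client.Transport)
}
```

Note that the example never disables certificate verification: a missing CAPath falls back to the host's root set rather than to InsecureSkipVerify, matching the page's "If empty, the host's root CA set is used."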

type Kubernetes

type Kubernetes struct {
	// Engine is the authentication engine path
	//
	// Hashicorp Vault allows multiple engines of the
	// same type mounted at the same time and/or engines
	// mounted at arbitrary paths.
	Engine string

	// Role is the JWT role.
	Role string

	// JWT is the issued authentication token.
	JWT string

	// Retry is the duration after which another
	// authentication attempt is performed once
	// an authentication attempt failed.
	Retry time.Duration
}

Kubernetes contains authentication information for the Hashicorp Vault Kubernetes authentication API.

Ref: https://www.vaultproject.io/api/auth/kubernetes

func (*Kubernetes) Clone added in v0.23.0

func (k *Kubernetes) Clone() *Kubernetes

Clone returns a copy of the Kubernetes auth.

type Store added in v0.23.0

type Store struct {
	// contains filtered or unexported fields
}

Store is a Hashicorp Vault secret store.

func Connect

func Connect(ctx context.Context, c *Config) (*Store, error)

Connect connects to a Hashicorp Vault server with the given configuration.

func (*Store) Close added in v0.23.0

func (s *Store) Close() error

Close closes the Store. It stops any authentication renewal in the background.

func (*Store) Create added in v0.23.0

func (s *Store) Create(ctx context.Context, name string, value []byte) error

Create creates the given key-value pair at Vault if and only if the given key does not exist. If such an entry already exists it returns kes.ErrKeyExists.

func (*Store) Delete added in v0.23.0

func (s *Store) Delete(ctx context.Context, name string) error

Delete removes the value associated with the given key from Vault, if it exists.

func (*Store) Get added in v0.23.0

func (s *Store) Get(ctx context.Context, name string) ([]byte, error)

Get returns the value associated with the given key. If no entry for the key exists it returns kes.ErrKeyNotFound.

func (*Store) List added in v0.23.0

func (s *Store) List(ctx context.Context, prefix string, n int) ([]string, string, error)

List returns the first n key names that start with the given prefix, and the next prefix from which the listing should continue.

It returns all keys with the prefix if n < 0, and fewer than n names if n is greater than the number of keys with the prefix.

An empty prefix matches any key name. At the end of the listing or when there are no (more) keys starting with the prefix, the returned prefix is empty.

func (*Store) Set added in v0.23.0

func (s *Store) Set(ctx context.Context, name string, value []byte) error

Set creates the given key-value pair at Vault if and only if the given key does not exist. If such an entry already exists it returns kes.ErrKeyExists.

func (*Store) Status added in v0.23.0

func (s *Store) Status(ctx context.Context) (kes.KeyStoreState, error)

Status returns the current state of the Hashicorp Vault instance. In particular, whether it is reachable and the network latency.
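Status and the StatusPingAfter setting both rest on the same observation: Vault's unauthenticated /v1/sys/health endpoint reports the server state in its HTTP status code (200 unsealed and active, 429 unsealed standby, 501 not initialized, 503 sealed), so reachability, seal state and latency can be measured with one request. The added example below (not code from the vault package) implements such a check and a background poller that reports transitions between sealed and unsealed; the State type is a stand-in for kes.KeyStoreState, and the poll interval plays the role of Config.StatusPingAfter.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"time"
)

// State is a stand-in for the information Status reports: whether the
// server answered, whether it can serve secrets, and the round-trip time.
// Detail carries the reason when Serving is false.
type State struct {
	Reachable bool
	Serving   bool
	Latency   time.Duration
	Detail    string
}

// checkHealth queries Vault's /v1/sys/health endpoint and maps the status
// code: 200 unsealed+active, 429 unsealed standby, 501 not initialized,
// 503 sealed. Any transport error means unreachable, not sealed.
func checkHealth(ctx context.Context, client *http.Client, endpoint string) State {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint+"/v1/sys/health", nil)
	if err != nil {
		return State{Detail: err.Error()}
	}
	start := time.Now()
	resp, err := client.Do(req)
	latency := time.Since(start)
	if err != nil {
		return State{Latency: latency, Detail: err.Error()}
	}
	resp.Body.Close()
	st := State{Reachable: true, Latency: latency}
	switch resp.StatusCode {
	case http.StatusOK, http.StatusTooManyRequests:
		st.Serving, st.Detail = true, "unsealed"
	case http.StatusServiceUnavailable:
		st.Detail = "sealed"
	case http.StatusNotImplemented:
		st.Detail = "not initialized"
	default:
		st.Detail = fmt.Sprintf("unexpected status %d", resp.StatusCode)
	}
	return st
}

// watchSeal polls every pingAfter (the role Config.StatusPingAfter plays) and
// sends a State on each change of reachability or serving status, so a caller
// can stop issuing key requests while Vault is sealed and resume when unsealed.
func watchSeal(ctx context.Context, client *http.Client, endpoint string, pingAfter time.Duration) <-chan State {
	if pingAfter <= 0 {
		pingAfter = time.Second // NewTicker panics on a non-positive interval
	}
	out := make(chan State)
	go func() {
		defer close(out)
		ticker := time.NewTicker(pingAfter)
		defer ticker.Stop()
		var last *State
		for {
			st := checkHealth(ctx, client, endpoint)
			if last == nil || last.Reachable != st.Reachable || last.Serving != st.Serving {
				select {
				case out <- st:
				case <-ctx.Done():
					return
				}
			}
			last = &st
			select {
			case <-ticker.C:
			case <-ctx.Done():
				return
			}
		}
	}()
	return out
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
	defer cancel()
	// Placeholder endpoint; point it at a real Vault server to observe transitions.
	for st := range watchSeal(ctx, http.DefaultClient, "http://127.0.0.1:8200", time.Second) {
		fmt.Printf("%+v\n", st)
	}
}
```

Keeping "unreachable" distinct from "sealed" is deliberate: a sealed Vault answers and will serve again after an unseal, while a connection failure points at the network, TLS settings or the Endpoint itself.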

func (*Store) String added in v0.23.0

func (s *Store) String() string

type Transit added in v0.23.0

type Transit struct {
	// Engine is the transit engine path.
	// If empty, defaults to EngineTransit.
	Engine string

	// KeyName is the name of the transit key
	// used for en/decrypting K/V entries.
	KeyName string
}

Transit contains information for using the Hashicorp Vault transit encryption engine.

Ref: https://developer.hashicorp.com/vault/api-docs/secret/transit

func (*Transit) Clone added in v0.23.0

func (t *Transit) Clone() *Transit

Clone returns a copy of the Transit.
