Documentation ¶
Overview ¶
These functions manage auth configs for instantiating Roles in K8S.
Each Auth Role will enable a number of policies.
It is expected that the consumer of the secret will know, and ask for the role they need.
These functions manage auth configs for instantiating Roles in Vault via TLS Certs.
Each Auth Role will enable a number of policies.
It is expected that the consumer of the secret will know, and ask for the Role they need.
Index ¶
- Constants
- Variables
- func AnonymizeStringArray(input []string) (output []interface{})
- func LoadSecretYamls(files []string, verbose bool) (data [][]byte, err error)
- func MapDiff(expected map[string]interface{}, actual map[string]interface{}) (err error)
- func PartialMatch(matchKeys []string, expected map[string]interface{}, ...) (err error)
- type AlphaGenerator
- type CHBSGenerator
- type Cluster
- type Generator
- func NewCHBSGenerator(options GeneratorData) (generator Generator, err error)
- func NewRSAGenerator(options GeneratorData) (generator Generator, err error)
- func NewStaticGenerator() (generator Generator, err error)
- func NewTlsGenerator(vaultClient *api.Client, options GeneratorData) (generator Generator, err error)
- func NewUUIDGenerator(options GeneratorData) (generator Generator, err error)
- type GeneratorData
- type GeneratorType
- type HexGenerator
- type KeyMaster
- func (km *KeyMaster) AddPolicyToIamRole(role *Role, realm *Realm, policy VaultPolicy) (err error)
- func (km *KeyMaster) AddPolicyToK8sRole(cluster *Cluster, role *Role, realm *Realm, policy VaultPolicy) (err error)
- func (km *KeyMaster) AddPolicyToTlsRole(role *Role, env string, policy VaultPolicy) (err error)
- func (km *KeyMaster) CertPath(team string, name string, env string) (path string, err error)
- func (km *KeyMaster) ConfigureTeam(team *Team, verbose bool) (err error)
- func (km *KeyMaster) DeleteIamAuth(role *Role) (err error)
- func (km *KeyMaster) DeleteK8sAuth(cluster *Cluster, role *Role) (err error)
- func (km *KeyMaster) DeletePolicyFromVault(path string) (err error)
- func (km *KeyMaster) DeleteTlsAuth(role *Role, env string) (err error)
- func (km *KeyMaster) GrantedPoliciesForIamRole(role *Role) (policies []string, err error)
- func (km *KeyMaster) GrantedPoliciesForK8sRole(cluster *Cluster, role *Role) (policies []string, err error)
- func (km *KeyMaster) GrantedPoliciesForTlsRole(role *Role, env string) (policies []string, err error)
- func (km *KeyMaster) IamAuthPath(role *Role) (path string, err error)
- func (km *KeyMaster) K8sAuthPath(cluster *Cluster, role *Role) (path string, err error)
- func (km *KeyMaster) MakePolicyPayload(role *Role, env string) (policy map[string]interface{}, err error)
- func (km *KeyMaster) NewGenerator(options GeneratorData) (generator Generator, err error)
- func (km *KeyMaster) NewPolicy(role *Role, env string) (policy VaultPolicy, err error)
- func (km *KeyMaster) NewTeam(data []byte, verbose bool) (team *Team, err error)
- func (km *KeyMaster) PolicyName(team string, role string, env string) (name string, err error)
- func (km *KeyMaster) PolicyPath(team string, role string, env string) (path string, err error)
- func (km *KeyMaster) ReadIamAuth(role *Role) (data map[string]interface{}, err error)
- func (km *KeyMaster) ReadK8sAuth(cluster *Cluster, role *Role) (data map[string]interface{}, err error)
- func (km *KeyMaster) ReadPolicyFromVault(path string) (policy VaultPolicy, err error)
- func (km *KeyMaster) ReadTlsAuth(role *Role, env string) (data map[string]interface{}, err error)
- func (km *KeyMaster) RemovePolicyFromIamRole(role *Role, realm *Realm, policy VaultPolicy) (err error)
- func (km *KeyMaster) RemovePolicyFromK8sRole(cluster *Cluster, role *Role, realm *Realm, policy VaultPolicy) (err error)
- func (km *KeyMaster) RemovePolicyFromTlsRole(role *Role, env string, policy VaultPolicy) (err error)
- func (km *KeyMaster) SecretPath(team string, name string, env string) (path string, err error)
- func (km *KeyMaster) SetIpRestrictK8sAuth(enabled bool)
- func (km *KeyMaster) SetIpRestrictTlsAuth(enabled bool)
- func (km *KeyMaster) SetK8sClusters(clusters []*Cluster)
- func (km *KeyMaster) SetTlsAuthCaCert(certificate string)
- func (km *KeyMaster) TlsAuthPath(role *Role, env string) (path string, err error)
- func (km *KeyMaster) WriteIamAuth(role *Role, realm *Realm, policies []string) (err error)
- func (km *KeyMaster) WriteK8sAuth(cluster *Cluster, role *Role, realm *Realm, policies []string) (err error)
- func (km *KeyMaster) WritePolicyToVault(policy VaultPolicy, verbose bool) (err error)
- func (km *KeyMaster) WriteSecretForEnv(secret *Secret, secretPath string, env string) (err error)
- func (km *KeyMaster) WriteSecretIfBlank(secret *Secret, verbose bool) (err error)
- func (km *KeyMaster) WriteTlsAuth(role *Role, env string, policies []string) (err error)
- type RSAGenerator
- type Realm
- type Role
- type Secret
- type StaticGenerator
- type TLSGenerator
- type Team
- type UUIDGenerator
- type VaultCert
- type VaultPolicy
Constants ¶
const ERR_BAD_GENERATOR = "unable to create generator"
const ERR_CLUSTER_DATA_LOAD = "failed to load data in supplied config"
const ERR_MISSING_ENVIRONMENTS = "no environments list found in config"
const ERR_MISSING_GENERATOR = "missing generator in secret"
const ERR_MISSING_SECRET = "missing secret in role"
const ERR_NAMELESS_ROLE = "nameless roles are not supported"
const ERR_NAMELESS_SECRET = "nameless secrets are not supported"
const ERR_NAMELESS_TEAM = "nameless teams are not supported"
const ERR_REALMLESS_ROLE = "realmless roles are not supported"
const ERR_SLASH_IN_ROLE_NAME = "role names cannot contain slashes"
const ERR_SLASH_IN_TEAM_NAME = "team names cannot contain slashes"
const ERR_TEAM_DATA_LOAD = "failed to load team data in supplied config"
const ERR_UNKNOWN_GENERATOR = "unknown generator"
const ERR_UNSUPPORTED_REALM = "unsupported realm"
const EXTERNAL = "external"
const IAM = "iam"
const K8S = "k8s"
const TLS = "tls"
const VERSION = "0.3.0"
Variables ¶
Functions ¶
func AnonymizeStringArray ¶
func AnonymizeStringArray(input []string) (output []interface{})
AnonymizeStringArray turns an []string into []interface{} so that we can use reflect.DeepEqual() to compare.
func LoadSecretYamls ¶
Types ¶
type AlphaGenerator ¶
Alphanumerics AlphaGenerator generates alphanumeric strings of any length given
func NewAlphaGenerator ¶
func NewAlphaGenerator(options GeneratorData) (generator AlphaGenerator, err error)
NewAlphaGenerator produces a new AlphaGenerator from the provided options
func (AlphaGenerator) Generate ¶
func (g AlphaGenerator) Generate() (string, error)
Generate produces the required string of the length indicated
type CHBSGenerator ¶
Correct Horse Battery Staple Secrets CHBSGenerator a Correct Horse Battery Staple passphrase generator
func (CHBSGenerator) Generate ¶
func (g CHBSGenerator) Generate() (string, error)
Generate produces a random word list separated by hyphens
type Generator ¶
Generator an interface for a function that creates a string according to a pattern. E. g.
func NewCHBSGenerator ¶
func NewCHBSGenerator(options GeneratorData) (generator Generator, err error)
NewCHBSGenerator creates a CHBSGenerator from the provided options
func NewRSAGenerator ¶
func NewRSAGenerator(options GeneratorData) (generator Generator, err error)
NewRSAGenerrator makes an RSAGenerator from the options provided
func NewStaticGenerator ¶
NewStaticGenerrator makes an StaticGenerator
func NewTlsGenerator ¶
func NewTlsGenerator(vaultClient *api.Client, options GeneratorData) (generator Generator, err error)
NewTlsGenerator produces a new TlSGenerator from the options indicated
func NewUUIDGenerator ¶
func NewUUIDGenerator(options GeneratorData) (generator Generator, err error)
NewUUIDGenerator produces a UUIDGenerator from the provided options
type GeneratorData ¶
type GeneratorData map[string]interface{}
GeneratorData Generic data map for configuring a Generator
type GeneratorType ¶
type GeneratorType int
type HexGenerator ¶
Hex strings HexGenerator generates hecadecimal strings
func NewHexGenerator ¶
func NewHexGenerator(options GeneratorData) (generator HexGenerator, err error)
NewHexGenerator creates a new HexGenerator from the options given
func (HexGenerator) Generate ¶
func (g HexGenerator) Generate() (string, error)
Generate creates a random hex string of the length indicated
type KeyMaster ¶
type KeyMaster struct { VaultClient *api.Client IpRestrictTlsAuth bool IpRestrictK8sAuth bool TlsAuthCaCert string K8sClusters []*Cluster K8sClustersByName map[string]*Cluster }
KeyMaster The KeyMaster Interface
func NewKeyMaster ¶
NewKeyMaster Creates a new KeyMaster with the vault client supplied.
func (*KeyMaster) AddPolicyToIamRole ¶
func (km *KeyMaster) AddPolicyToIamRole(role *Role, realm *Realm, policy VaultPolicy) (err error)
AddPolicyToIamRole Add a policy to an IAM auth role
func (*KeyMaster) AddPolicyToK8sRole ¶
func (*KeyMaster) AddPolicyToTlsRole ¶
func (km *KeyMaster) AddPolicyToTlsRole(role *Role, env string, policy VaultPolicy) (err error)
func (*KeyMaster) CertPath ¶
CertPath Given a Name, Team, and Environment, returns the proper path in Vault where that Cert Secret is stored.
func (*KeyMaster) ConfigureTeam ¶
ConfigureTeam The grand unified config loader that, after the yaml file is read into memory, applies it to Vault.
func (*KeyMaster) DeleteIamAuth ¶
DeleteIamAuth deletes an IAM Auth role
func (*KeyMaster) DeleteK8sAuth ¶
DeleteK8sAuth Delete a Vault K8s Auth config.
func (*KeyMaster) DeletePolicyFromVault ¶
DeletePolicyFromVault deletes a policy from vault. It only deletes the policy, it doesn't do anything about the auth method or the secrets.
func (*KeyMaster) DeleteTlsAuth ¶
DeleteTlsAuth Delete a Tls auth config for a Role.
func (*KeyMaster) GrantedPoliciesForIamRole ¶
GrantedPoliciesForIamRole
func (*KeyMaster) GrantedPoliciesForK8sRole ¶
func (*KeyMaster) GrantedPoliciesForTlsRole ¶
func (*KeyMaster) IamAuthPath ¶
IamAuthPath constructs an auth path in a predictable fashion
func (*KeyMaster) K8sAuthPath ¶
func (km *KeyMaster) NewCluster(data []byte, verbose bool) (cluster Cluster, err error) { err = yaml.Unmarshal(data, &cluster) if err != nil { err = errors.Wrap(err, ERR_CLUSTER_DATA_LOAD) return cluster, err } return cluster, err }
K8sAuthPath constructs the auth path in a regular fashion.
func (*KeyMaster) MakePolicyPayload ¶
func (km *KeyMaster) MakePolicyPayload(role *Role, env string) (policy map[string]interface{}, err error)
MakePolicyPayload is the access policy to a specific secret path. Policy Payloads give access to a single path, wildcards are not supported.
example policy: We will only ever set 'read'.
{ "path": { # alphabetical by key "service/sign/cert-issuer": { "capabilities": [ "read" ] } } }
func (*KeyMaster) NewGenerator ¶
func (km *KeyMaster) NewGenerator(options GeneratorData) (generator Generator, err error)
NewGenerator creates a new generator from the options given
func (*KeyMaster) NewPolicy ¶
func (km *KeyMaster) NewPolicy(role *Role, env string) (policy VaultPolicy, err error)
NewPolicy creates a new Policy object for a given Role and Environment
func (*KeyMaster) PolicyName ¶
PolicyName constructs the policy name form the inputs in a regular fashion. Note: team names like 'core-platform' will make policy names with embedded hyphens. This could be a problem if we ever need to split the policy name to reconstruct the inputs.
func (*KeyMaster) PolicyPath ¶
PolicyPath constructs the path to the policy for the role
func (*KeyMaster) ReadIamAuth ¶
ReadIamAuth read an IAM role out of vault
func (*KeyMaster) ReadK8sAuth ¶
func (km *KeyMaster) ReadK8sAuth(cluster *Cluster, role *Role) (data map[string]interface{}, err error)
ReadK8sAuth Reach into Vault and get the Auth config for the Role given.
func (*KeyMaster) ReadPolicyFromVault ¶
func (km *KeyMaster) ReadPolicyFromVault(path string) (policy VaultPolicy, err error)
ReadPolicyFromVault fetches a policy from vault and converts it back to a VaultPolicy object
func (*KeyMaster) ReadTlsAuth ¶
Read TlsAuth path and return it's data
func (*KeyMaster) RemovePolicyFromIamRole ¶
func (km *KeyMaster) RemovePolicyFromIamRole(role *Role, realm *Realm, policy VaultPolicy) (err error)
RemovePolicyFromIamRole removes a policy from an IAM Role
func (*KeyMaster) RemovePolicyFromK8sRole ¶
func (*KeyMaster) RemovePolicyFromTlsRole ¶
func (km *KeyMaster) RemovePolicyFromTlsRole(role *Role, env string, policy VaultPolicy) (err error)
func (*KeyMaster) SecretPath ¶
SecretPath Given a Name, Team, and Environment, returns the proper path in Vault where that secret is stored.
func (*KeyMaster) SetIpRestrictK8sAuth ¶
func (*KeyMaster) SetIpRestrictTlsAuth ¶
func (*KeyMaster) SetK8sClusters ¶
func (*KeyMaster) SetTlsAuthCaCert ¶
func (*KeyMaster) TlsAuthPath ¶
TlsAuthPath constructs the auth path in a regular fashion.
func (*KeyMaster) WriteIamAuth ¶
WriteIamAuth writes an AWS IAM auth role to vault
func (*KeyMaster) WriteK8sAuth ¶
func (km *KeyMaster) WriteK8sAuth(cluster *Cluster, role *Role, realm *Realm, policies []string) (err error)
WriteK8sAuth Writes the Vault Auth definition for the Role.
func (*KeyMaster) WritePolicyToVault ¶
func (km *KeyMaster) WritePolicyToVault(policy VaultPolicy, verbose bool) (err error)
WritePolicyToVault does just that. It takes a vault client and the policy and takes care of the asshattery that is the vault api for policies.
func (*KeyMaster) WriteSecretForEnv ¶
func (*KeyMaster) WriteSecretIfBlank ¶
WriteSecretIfBlank writes a secret to each environment, but only if there's not already a value there.
type RSAGenerator ¶
RSA Keys RSAGenerator generates RSA Keys
func (RSAGenerator) Generate ¶
func (g RSAGenerator) Generate() (string, error)
Generate produces new RSA keys
type Realm ¶
type Realm struct { Type string `yaml:"type"` // k8s iam sl Identifiers []string `yaml:"identifiers"` // cluster names for k8s, hostnames for TLS, meaningless for IAM unless account number? Principals []string `yaml:"principals"` // namespaces for k8s, ARN's for IAM Environment string `yaml:"environment"` // Environment the realm occupies }
type Role ¶
type Role struct { Name string `yaml:"name"` Secrets []*Secret `yaml:"secrets"` SecretsMap map[string]*Secret Realms []*Realm `yaml:"realms"` Team string `yaml:"team"` }
Role A named set of Secrets that is instantiated as an Auth endpoint in Vault for each computing realm.
type Secret ¶
type Secret struct { Name string `yaml:"name"` Team string `yaml:"team"` GeneratorData GeneratorData `yaml:"generator"` Generator Generator `yaml:"-"` Environments []string `yaml:"-"` }
Secret a set of information describing a string value in Vault that is protected from unauthorized access, and varies by business environment.
func (*Secret) SetEnvironments ¶
func (*Secret) SetGenerator ¶
SetGenerator What else? Set's the generator on the Secret.
type StaticGenerator ¶
type StaticGenerator struct {
Type string
}
Static Secrets Static Secrets don't change, hence this just creates an empty bucket
func (StaticGenerator) Generate ¶
func (g StaticGenerator) Generate() (string, error)
Generate produces.... nothing.
type TLSGenerator ¶
type TLSGenerator struct { Type string CommonName string Sans []string IPSans []string CA string TTL string VaultClient *api.Client }
TLS Certs TLSGenerator generates TLS certs
func (TLSGenerator) Generate ¶
func (g TLSGenerator) Generate() (string, error)
Generate Hits Vault to generate TLS certs
type Team ¶
type Team struct { Name string `yaml:"name"` Roles []*Role `yaml:"roles"` Secrets []*Secret `yaml:"secrets"` Environments []string `yaml:"environments"` SecretsMap map[string]*Secret RolesMap map[string]*Role }
Team Group of humans who control their own destiny in regard to secrets
type UUIDGenerator ¶
type UUIDGenerator struct {
Type string
}
UUID's UUIDGenerator produces random UUIDs
func (UUIDGenerator) Generate ¶
func (g UUIDGenerator) Generate() (string, error)
Generate produces a random UUID string
type VaultCert ¶
type VaultCert struct { Chain []string `json:"ca_chain"` Cert string `json:"certificate"` Expiration int `json:"expiration"` CA string `json:"issuing_ca"` Key string `json:"private_key"` Type string `json:"private_key_type"` Serial string `json:"serial_number"` }
VaultCert a struct representing what Vault returns when you create a cert in one shot.
type VaultPolicy ¶
VaultPolicy Vault Policy that allows a Role access to a Secret