vault

package v1.1.2

This package is not in the latest version of its module.

Published: Oct 21, 2019 License: MIT Imports: 10 Imported by: 0

Documentation

Overview

vault handles the Hashicorp Vault secret store. It uses the default Vault environment variables for configuration and adds a couple more. If you supply a token by some means, it will use that. If not, it will either fetch a token from a specified file, or fall back to userpass auth.

You should provide at least the following:

  • VAULT_ADDR - URL of the Vault server
  • VAULT_MAX_RETRIES - API retries before Vault fails
  • VAULT_TOKEN - Optional if specified in a file or using userpass
  • VAULT_TOKEN_FILE - Where to cache Vault tokens between calls to the executor on the same host.
  • VAULT_TTL - The TTL in seconds of the Vault token that will be issued. Note that the grace period is one hour, so a TTL shorter than one hour is not possible.

Index

Constants

const (
	VaultURLScheme  = "vault"
	VaultDefaultKey = "value"
)
const (
	DefaultTokenTTL  = 86400 // 1 day
	TokenGracePeriod = 3600  // 1 hour
)

Variables

This section is empty.

Functions

func GetTTL added in v1.1.0

func GetTTL() int

func GetToken added in v1.1.0

func GetToken(client TokenAuthHandler) (err error)

GetToken uses username and password auth to get a Vault token.

func GetTokenFromFile added in v1.1.0

func GetTokenFromFile(tokenFile string) (string, error)

GetTokenFromFile attempts to read a token from the Vault token file as specified in the environment.

func GetTokenWithLogin added in v1.1.0

func GetTokenWithLogin(client TokenAuthHandler) (string, error)

GetTokenWithLogin calls out to the Vault API and authenticates with userpass credentials.

Types

type EnvVault

type EnvVault struct {
	// contains filtered or unexported fields
}

EnvVault is a client that replaces vault paths with the secret value stored in Hashicorp Vault.

func NewDefaultVault

func NewDefaultVault() EnvVault

NewDefaultVault returns a client using the default configuration.

The default Address is https://127.0.0.1:8200, but this can be overridden by setting the `VAULT_ADDR` environment variable.

func (EnvVault) DecryptAllEnv

func (v EnvVault) DecryptAllEnv(envs []string) ([]string, error)

DecryptAllEnv decrypts all env vars that contain a Vault path. All values starting with `vault://` are overridden by the secret value stored in the path. For instance:

 Input: ["db_url=url","db_pass=vault://secret/db_pass"]
Output: ["db_url=url","db_pass=ACTUAL_SECRET_PASS"]

By default, the key used to retrieve the contents of the Secret that Vault returns is the string `VaultDefaultKey`. If you have more than one entry stored in a Secret and need to refer to them by name, you may append a query string specifying the key, such as:

vault://secret/prod-database?key=username
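The `vault://` resolution described above, as an added example rather than the package's own code: it splits the URL into the secret path and the optional `?key=` query, falls back to `VaultDefaultKey`, and rewrites the env list, refusing to emit an empty value when the key is absent. The `read` callback and the in-memory store in `main` are assumptions standing in for the Vault client.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

const VaultURLScheme, VaultDefaultKey = "vault", "value" // constants from the page

// DecryptAllEnv rewrites each NAME=vault://path?key=k entry with the secret at
// path (key k, default VaultDefaultKey) and passes other entries through.
// read is a hypothetical stand-in for the Vault client's secret read.
func DecryptAllEnv(read func(string) (map[string]string, error), envs []string) ([]string, error) {
	out := make([]string, 0, len(envs))
	for _, e := range envs {
		kv := strings.SplitN(e, "=", 2)
		if len(kv) != 2 || !strings.HasPrefix(kv[1], VaultURLScheme+"://") {
			out = append(out, e) // plain value: untouched
			continue
		}
		u, err := url.Parse(kv[1])
		if err != nil {
			return nil, fmt.Errorf("%s: %w", kv[0], err)
		}
		path := u.Host + u.Path // "vault://secret/db_pass" -> "secret/db_pass"
		key := u.Query().Get("key")
		if key == "" {
			key = VaultDefaultKey
		}
		data, err := read(path)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", path, err)
		}
		val, ok := data[key] // missing key is an error, never an empty credential
		if !ok {
			return nil, fmt.Errorf("%s: key %q not found", path, key)
		}
		out = append(out, kv[0]+"="+val)
	}
	return out, nil
}

// main runs the page's worked example against a constructed in-memory store.
func main() {
	store := map[string]map[string]string{"secret/db_pass": {"value": "ACTUAL_SECRET_PASS"}}
	read := func(p string) (map[string]string, error) { return store[p], nil } // unknown path -> nil map -> key error
	out, err := DecryptAllEnv(read, []string{"db_url=url", "db_pass=vault://secret/db_pass"})
	fmt.Println(out, err) // [db_url=url db_pass=ACTUAL_SECRET_PASS] <nil>
}
```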

func (EnvVault) ReadSecretValue

func (v EnvVault) ReadSecretValue(vaultURL string) (string, error)

ReadSecretValue returns the secret value of a Vault path.

type TokenAuthHandler added in v1.1.0

type TokenAuthHandler interface {
	Validate(token string) (*api.Secret, error)
	Login(username string, password string, options map[string]interface{}) (string, error)
	SetToken(token string)
}

TokenAuthHandler wraps the parts of the Hashicorp Vault API that need extra work before they are called, and covers parts of the API that are hard to mock.

type VaultAPI

type VaultAPI interface {
	Address() string
	NewRequest(method, path string) *api.Request
	RawRequest(r *api.Request) (*api.Response, error)
}

VaultAPI is our own narrowly scoped interface for the Hashicorp Vault Client.
