vaultk8s

package module, v0.1.1 (not the latest version of its module)
Published: Jan 5, 2023 License: MIT Imports: 9 Imported by: 3

README


Package vaultk8s

Package vaultk8s provides authentication with Vault on Kubernetes.

Replaces package github.com/postfinance/vault/k8s

Authentication is done either with Vault's Kubernetes Auth Method or AppRole Auth Method.

Check out the Vault documentation for details on both methods.

If the environment variables VAULT_ROLE_ID and VAULT_SECRET_ID are set, the AppRole Auth Method is used; otherwise the Kubernetes Auth Method is used.

For Kubernetes authentication to succeed, the environment variable VAULT_ROLE must be set.

Tests

The tests use HashiCorp's Vault and a Kubernetes cluster.

HashiCorp Vault
  • Install Vault
  • Start Vault:
    export VAULT_DEV_ROOT_TOKEN_ID="90b03685-e17b-7e5e-13a0-e14e45baeb2f"
    export VAULT_DEV_LISTEN_ADDRESS="127.0.0.1:8200"
    vault server -dev

IMPORTANT: Start Vault with the same root token and listen address as defined in k8s_test.go.

Kubernetes
  • Install and start kind.
  • kubectl apply -f ci/rbac.yaml

Documentation

Overview

Package vaultk8s provides authentication with Vault on Kubernetes.

Constants

const (
	AuthMountPath           = "kubernetes"
	ServiceAccountTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token" //nolint: gosec // not the token
	DefaultTimeout          = 30 * time.Second
)

Variables

This section is empty.

Functions

func FixAuthMountPath

func FixAuthMountPath(p string) string

FixAuthMountPath normalizes the auth mount path before the auth prefix is added; it presumes a valid path:
  • kubernetes -> kubernetes
  • /kubernetes -> kubernetes
  • auth/kubernetes -> kubernetes
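The two configuration rules this page documents, the AppRole-versus-Kubernetes selection driven by VAULT_ROLE_ID, VAULT_SECRET_ID and VAULT_ROLE, and the mount-path normalization of FixAuthMountPath, as an added example that reimplements the documented behaviour (not the package's own code). It assumes an empty variable counts as unset, and the helper names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// fixAuthMountPath mirrors the documented normalization (example reimplementation,
// not the package's code): a leading "/" and an "auth/" prefix are stripped, so
// "kubernetes", "/kubernetes" and "auth/kubernetes" all become "kubernetes".
func fixAuthMountPath(p string) string {
	p = strings.TrimPrefix(p, "/")
	return strings.TrimPrefix(p, "auth/")
}

// envLookup builds an os.LookupEnv-compatible function from a map, so the
// selection rule can be checked without touching the process environment.
func envLookup(m map[string]string) func(string) (string, bool) {
	return func(k string) (string, bool) { v, ok := m[k]; return v, ok }
}

// selectAuthMethod applies the documented rule: AppRole when both VAULT_ROLE_ID
// and VAULT_SECRET_ID are set, Kubernetes otherwise, which in turn requires
// VAULT_ROLE. Assumption: an empty value is treated as unset.
func selectAuthMethod(lookup func(string) (string, bool)) (string, error) {
	roleID, _ := lookup("VAULT_ROLE_ID")
	secretID, _ := lookup("VAULT_SECRET_ID")
	if roleID != "" && secretID != "" {
		return "approle", nil
	}
	if role, _ := lookup("VAULT_ROLE"); role == "" {
		return "", errors.New("kubernetes auth selected but VAULT_ROLE is not set")
	}
	return "kubernetes", nil
}

func main() {
	method, err := selectAuthMethod(os.LookupEnv)
	if err != nil {
		fmt.Println("configuration error:", err)
		return
	}
	fmt.Println("auth method:", method, "mount:", fixAuthMountPath("auth/kubernetes"))
}
```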

Types

type Authenticate added in v0.1.0

type Authenticate func() (string, error)

Authenticate is the function for the Vault authentication.

type Vault

type Vault struct {
	// approle auth
	RoleID   string
	SecretID string

	// kubernetes auth
	Role                    string
	ServiceAccountTokenPath string

	TokenPath     string
	AuthMountPath string
	TTL           int

	ReAuth    bool
	AllowFail bool

	LoginTimeout time.Duration
	// contains filtered or unexported fields
}

Vault represents the configuration used to obtain a valid Vault token.

func NewFromEnvironment

func NewFromEnvironment() (*Vault, error)

NewFromEnvironment returns an initialized Vault type for authentication.

func (*Vault) Authenticate

func (v *Vault) Authenticate() (string, error)

Authenticate authenticates with Vault and returns the token.

func (*Vault) Client

func (v *Vault) Client() *vault.Client

Client returns the underlying *vault.Client.

func (*Vault) GetToken

func (v *Vault) GetToken() (string, error)

GetToken tries to load the Vault token from VaultTokenPath; if the token is not available, invalid, or not renewable, and VaultReAuth is true, it tries to re-authenticate.

func (*Vault) LoadToken

func (v *Vault) LoadToken() (string, error)

LoadToken loads the token from VaultTokenPath.

func (*Vault) NewRenewer

func (v *Vault) NewRenewer(token string) (*vault.Renewer, error)

NewRenewer returns a *vault.Renewer that renews the Vault token regularly.

func (*Vault) StoreToken

func (v *Vault) StoreToken(token string) error

StoreToken stores the token in VaultTokenPath.

func (*Vault) UseToken

func (v *Vault) UseToken(token string)

UseToken sets the given token directly for requests to Vault.
