utils

package
v0.8.25 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 4, 2023 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AddOrReplaceCondition added in v0.8.20 

func AddOrReplaceCondition(c metav1.Condition, conditions []metav1.Condition) []metav1.Condition

AddOrReplaceCondition adds or replaces the passed condition in the passed array of conditions

func CleansePath added in v0.6.3 

func CleansePath(path string) string

func GetFinalizer added in v0.6.3 

func GetFinalizer(instance client.Object) string

func GetJWTToken added in v0.6.3 

func GetJWTToken(context context.Context, serviceAccountName string, kubeNamespace string) (string, error)

func GetJWTTokenWithDuration added in v0.6.4 

func GetJWTTokenWithDuration(context context.Context, serviceAccountName string, kubeNamespace string, duration int64) (string, error)

func ReadSecret 

func ReadSecret(context context.Context, path string) (*vault.Secret, bool, error)

func ReadSecretWithPayload added in v0.6.0 

func ReadSecretWithPayload(context context.Context, path string, payload map[string]string) (*vault.Secret, bool, error)

func ToString added in v0.6.3 

func ToString(name interface{}) string

Types

type ConditionsAware added in v0.8.20 

type ConditionsAware interface {
	GetConditions() []metav1.Condition
	SetConditions(conditions []metav1.Condition)
}

ConditionsAware represents a CRD type that has been enabled with metav1.Conditions, it can then benefit of a series of utility methods.

type KubeAuthConfiguration added in v0.6.3 

type KubeAuthConfiguration struct {
	// ServiceAccount is the service account used for the kube auth authentication
	// +kubebuilder:validation:Required
	// +kubebuilder:default={"name": "default"}
	ServiceAccount *corev1.LocalObjectReference `json:"serviceAccount,omitempty"`

	// Path is the path of the role used for this kube auth authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path}
	// +kubebuilder:validation:Required
	// +kubebuilder:default=kubernetes
	Path Path `json:"path,omitempty"`

	// Role the role to be used during authentication
	// +kubebuilder:validation:Required
	Role string `json:"role,omitempty"`

	//Namespace is the Vault namespace to be used in all the operations withing this connection/authentication. Only available in Vault Enterprise.
	// +kubebuilder:validation:Optional
	Namespace string `json:"namespace,omitempty"`
}

+kubebuilder:object:generate=true

func (*KubeAuthConfiguration) DeepCopy added in v0.6.3 

func (in *KubeAuthConfiguration) DeepCopy() *KubeAuthConfiguration

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeAuthConfiguration.

func (*KubeAuthConfiguration) DeepCopyInto added in v0.6.3 

func (in *KubeAuthConfiguration) DeepCopyInto(out *KubeAuthConfiguration)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*KubeAuthConfiguration) GetKubeAuthPath added in v0.6.3 

func (kc *KubeAuthConfiguration) GetKubeAuthPath() string

func (*KubeAuthConfiguration) GetNamespace added in v0.6.3 

func (kc *KubeAuthConfiguration) GetNamespace() string

func (*KubeAuthConfiguration) GetRole added in v0.6.3 

func (kc *KubeAuthConfiguration) GetRole() string

func (*KubeAuthConfiguration) GetServiceAccountName added in v0.6.3 

func (kc *KubeAuthConfiguration) GetServiceAccountName() string

func (*KubeAuthConfiguration) GetVaultClient added in v0.6.3 

func (kc *KubeAuthConfiguration) GetVaultClient(context context.Context, kubeNamespace string) (*vault.Client, error)

type Path added in v0.6.3 

type Path string

+kubebuilder:object:generate=true +kubebuilder:validation:Pattern:=`^(?:/?[\w;:@&=\$-\.\+]*)+/?`

type RabbitMQEngineConfigVaultEndpoint 

type RabbitMQEngineConfigVaultEndpoint struct {
	// contains filtered or unexported fields
}

func NewRabbitMQEngineConfigVaultEndpoint 

func NewRabbitMQEngineConfigVaultEndpoint(obj client.Object) *RabbitMQEngineConfigVaultEndpoint

func (*RabbitMQEngineConfigVaultEndpoint) Create 

func (ve *RabbitMQEngineConfigVaultEndpoint) Create(context context.Context) error

func (*RabbitMQEngineConfigVaultEndpoint) CreateOrUpdateLease 

func (ve *RabbitMQEngineConfigVaultEndpoint) CreateOrUpdateLease(context context.Context) error

type RabbitMQEngineConfigVaultObject 

type RabbitMQEngineConfigVaultObject interface {
	VaultObject
	GetLeasePath() string
	GetLeasePayload() map[string]interface{}
	CheckTTLValuesProvided() bool
}

type RootCredentialConfig added in v0.6.3 

type RootCredentialConfig struct {
	// VaultSecret retrieves the credentials from a Vault secret. This will map the "username" and "password" keys of the secret to the username and password of this config. All other keys will be ignored. Only one of RootCredentialsFromVaultSecret or RootCredentialsFromSecret or RootCredentialsFromRandomSecret can be specified.
	// username: Specifies the name of the user to use as the "root" user when connecting to the database. This "root" user is used to create/update/delete users managed by these plugins, so you will need to ensure that this user has permissions to manipulate users appropriate to the database. This is typically used in the connection_url field via the templating directive "{{"username"}}" or "{{"name"}}".
	// password: Specifies the password to use when connecting with the username. This value will not be returned by Vault when performing a read upon the configuration. This is typically used in the connection_url field via the templating directive "{{"password"}}".
	// If username is provided as spec.username, it takes precedence over the username retrieved from the referenced secret
	// +kubebuilder:validation:Optional
	VaultSecret *VaultSecretReference `json:"vaultSecret,omitempty"`

	// Secret retrieves the credentials from a Kubernetes secret. The secret must be of basicauth type (https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret). This will map the "username" and "password" keys of the secret to the username and password of this config. If the kubernetes secret is updated, this configuration will also be updated. All other keys will be ignored. Only one of RootCredentialsFromVaultSecret or RootCredentialsFromSecret or RootCredentialsFromRandomSecret can be specified.
	// username: Specifies the name of the user to use as the "root" user when connecting to the database. This "root" user is used to create/update/delete users managed by these plugins, so you will need to ensure that this user has permissions to manipulate users appropriate to the database. This is typically used in the connection_url field via the templating directive "{{"username"}}" or "{{"name"}}".
	// password: Specifies the password to use when connecting with the username. This value will not be returned by Vault when performing a read upon the configuration. This is typically used in the connection_url field via the templating directive "{{"password"}}".
	// If username is provided as spec.username, it takes precedence over the username retrieved from the referenced secret
	// +kubebuilder:validation:Optional
	Secret *corev1.LocalObjectReference `json:"secret,omitempty"`

	// RandomSecret retrieves the credentials from the Vault secret corresponding to this RandomSecret. This will map the "username" and "password" keys of the secret to the username and password of this config. All other keys will be ignored. If the RandomSecret is refreshed the operator retrieves the new secret from Vault and updates this configuration. Only one of RootCredentialsFromVaultSecret or RootCredentialsFromSecret or RootCredentialsFromRandomSecret can be specified.
	// When using randomSecret a username must be specified in the spec.username
	// password: Specifies the password to use when connecting with the username. This value will not be returned by Vault when performing a read upon the configuration. This is typically used in the connection_url field via the templating directive "{{"password"}}"".
	// +kubebuilder:validation:Optional
	RandomSecret *corev1.LocalObjectReference `json:"randomSecret,omitempty"`

	// PasswordKey key to be used when retrieving the password, required with VaultSecrets and Kubernetes secrets, ignored with RandomSecret
	// +kubebuilder:validation:Optional
	// +kubebuilder:default="password"
	PasswordKey string `json:"passwordKey,omitempty"`

	// UsernameKey key to be used when retrieving the username, optional with VaultSecrets and Kubernetes secrets, ignored with RandomSecret
	// +kubebuilder:validation:Optional
	// +kubebuilder:default="username"
	UsernameKey string `json:"usernameKey,omitempty"`
}

+kubebuilder:object:generate=true

func (*RootCredentialConfig) DeepCopy added in v0.6.3 

func (in *RootCredentialConfig) DeepCopy() *RootCredentialConfig

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RootCredentialConfig.

func (*RootCredentialConfig) DeepCopyInto added in v0.6.3 

func (in *RootCredentialConfig) DeepCopyInto(out *RootCredentialConfig)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*RootCredentialConfig) ValidateEitherFromVaultSecretOrFromSecret added in v0.6.3 

func (credentials *RootCredentialConfig) ValidateEitherFromVaultSecretOrFromSecret() error

func (*RootCredentialConfig) ValidateEitherFromVaultSecretOrFromSecretOrFromRandomSecret added in v0.6.3 

func (credentials *RootCredentialConfig) ValidateEitherFromVaultSecretOrFromSecretOrFromRandomSecret() error

type TLSConfig added in v0.8.9 

type TLSConfig struct {
	// Cacert Path to a PEM-encoded CA certificate file on the local disk. This file is used to verify the Vault server's SSL certificate. This environment variable takes precedence over a cert passed via the secret.
	// +kubebuilder:validation:Optional
	Cacert *string `json:"cacert,omitempty"`

	// TLSSecret namespace-local secret containing the tls material for the connection. the expected keys for the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", key -> "tls.key"
	// +kubebuilder:validation:Optional
	TLSSecret *corev1.LocalObjectReference `json:"tlsSecret,omitempty"`

	// SkipVerify Do not verify Vault's presented certificate before communicating with it. Setting this variable is not recommended and voids Vault's security model.
	// +kubebuilder:validation:Optional
	SkipVerify bool `json:"skipVerify,omitempty"`

	// TLSServerName Name to use as the SNI host when connecting via TLS.
	// +kubebuilder:validation:Optional
	TLSServerName *string `json:"tlsServerName,omitempty"`
}

+kubebuilder:object:generate=true

func (*TLSConfig) DeepCopy added in v0.8.9 

func (in *TLSConfig) DeepCopy() *TLSConfig

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSConfig.

func (*TLSConfig) DeepCopyInto added in v0.8.9 

func (in *TLSConfig) DeepCopyInto(out *TLSConfig)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type TargetNamespaceConfig added in v0.6.3 

type TargetNamespaceConfig struct {
	// TargetNamespaceSelector is a selector of namespaces from which service accounts will receove this role. Either TargetNamespaceSelector or TargetNamespaces can be specified
	// +kubebuilder:validation:Optional
	TargetNamespaceSelector *metav1.LabelSelector `json:"targetNamespaceSelector,omitempty"`

	// TargetNamespaces is a list of namespace from which service accounts will receive this role. Either TargetNamespaceSelector or TargetNamespaces can be specified.
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:MinItems=1
	// kubebuilder:validation:UniqueItems=true
	// +listType=set
	TargetNamespaces []string `json:"targetNamespaces,omitempty"`
}

+kubebuilder:object:generate=true

func (*TargetNamespaceConfig) DeepCopy added in v0.6.3 

func (in *TargetNamespaceConfig) DeepCopy() *TargetNamespaceConfig

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetNamespaceConfig.

func (*TargetNamespaceConfig) DeepCopyInto added in v0.6.3 

func (in *TargetNamespaceConfig) DeepCopyInto(out *TargetNamespaceConfig)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultClientCache added in v0.8.18 

type VaultClientCache struct {
	// contains filtered or unexported fields
}

func (*VaultClientCache) Delete added in v0.8.18 

func (cache *VaultClientCache) Delete(kc *KubeAuthConfiguration, kubeNamespace string)

func (*VaultClientCache) Get added in v0.8.18 

func (cache *VaultClientCache) Get(kc *KubeAuthConfiguration, kubeNamespace string) *vault.Client

func (*VaultClientCache) Put added in v0.8.18 

func (cache *VaultClientCache) Put(kc *KubeAuthConfiguration, kubeNamespace string, client *vault.Client)

type VaultConnection added in v0.8.9 

type VaultConnection struct {
	// +kubebuilder:validation:Optional
	TLSConfig *TLSConfig `json:"tLSConfig,omitempty"`

	// Address Address of the Vault server expressed as a URL and port, for example: https://127.0.0.1:8200/
	// +kubebuilder:validation:Required
	Address string `json:"address,omitempty"`

	// Timeout Timeout variable. The default value is 60s.
	// +kubebuilder:validation:Optional
	TimeOut *metav1.Duration `json:"timeOut,omitempty"`

	// MaxRetries Maximum number of retries when certain error codes are encountered. The default is 2, for three total attempts. Set this to 0 or less to disable retrying. Error codes that are retried are 412 (client consistency requirement not satisfied) and all 5xx except for 501 (not implemented).
	// +kubebuilder:validation:Optional
	MaxRetries *int `json:"maxRetries,omitempty"`
}

+kubebuilder:object:generate=true

func (*VaultConnection) DeepCopy added in v0.8.9 

func (in *VaultConnection) DeepCopy() *VaultConnection

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultConnection.

func (*VaultConnection) DeepCopyInto added in v0.8.9 

func (in *VaultConnection) DeepCopyInto(out *VaultConnection)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultEndpoint 

type VaultEndpoint struct {
	// contains filtered or unexported fields
}

func NewVaultEndpoint 

func NewVaultEndpoint(obj client.Object) *VaultEndpoint

func (*VaultEndpoint) Create 

func (ve *VaultEndpoint) Create(context context.Context) error

func (*VaultEndpoint) CreateOrUpdate 

func (ve *VaultEndpoint) CreateOrUpdate(context context.Context) error

func (*VaultEndpoint) DeleteIfExists 

func (ve *VaultEndpoint) DeleteIfExists(context context.Context) error

func (*VaultEndpoint) DeleteKVv2IfExists added in v0.8.17 

func (ve *VaultEndpoint) DeleteKVv2IfExists(context context.Context) error

Deletes all versions and metadata of the KVv2 secret This is similar to vaultClient.KVv2(mountPath string).DeleteMetadata(ctx context.Context, secretPath string) but works better with existing interface

type VaultEngineEndpoint 

type VaultEngineEndpoint struct {
	*VaultEndpoint
	// contains filtered or unexported fields
}

func NewVaultEngineEndpoint 

func NewVaultEngineEndpoint(obj client.Object) *VaultEngineEndpoint

func (*VaultEngineEndpoint) CreateOrUpdateTuneConfig 

func (ve *VaultEngineEndpoint) CreateOrUpdateTuneConfig(context context.Context) error

func (*VaultEngineEndpoint) Exists 

func (ve *VaultEngineEndpoint) Exists(context context.Context) (bool, error)

func (*VaultEngineEndpoint) GetAccessor 

func (ve *VaultEngineEndpoint) GetAccessor(context context.Context) (string, error)

type VaultEngineObject 

type VaultEngineObject interface {
	GetEngineListPath() string
	GetEngineTunePath() string
	GetTunePayload() map[string]interface{}
	SetAccessor(accessor string)
}

type VaultObject 

type VaultObject interface {
	GetPath() string
	GetPayload() map[string]interface{}
	// IsEquivalentToDesiredState returns wether the passed payload is equivalent to the payload that the current object would generate. When this is a engine object the tune payload will be compared
	IsEquivalentToDesiredState(payload map[string]interface{}) bool
	IsInitialized() bool
	IsValid() (bool, error)
	PrepareInternalValues(context context.Context, object client.Object) error
	PrepareTLSConfig(context context.Context, object client.Object) error
	GetKubeAuthConfiguration() *KubeAuthConfiguration
	GetVaultConnection() *VaultConnection
}

type VaultPKIEngineEndpoint added in v0.3.0 

type VaultPKIEngineEndpoint struct {
	*VaultEndpoint
	// contains filtered or unexported fields
}

func NewVaultPKIEngineEndpoint added in v0.3.0 

func NewVaultPKIEngineEndpoint(obj client.Object) *VaultPKIEngineEndpoint

func (*VaultPKIEngineEndpoint) CreateExported added in v0.3.0 

func (ve *VaultPKIEngineEndpoint) CreateExported(context context.Context, secret *vault.Secret) (bool, error)

func (*VaultPKIEngineEndpoint) CreateIntermediate added in v0.3.0 

func (ve *VaultPKIEngineEndpoint) CreateIntermediate(context context.Context) error

func (*VaultPKIEngineEndpoint) CreateOrUpdateConfig added in v0.3.0 

func (ve *VaultPKIEngineEndpoint) CreateOrUpdateConfig(context context.Context, configPath string, payload map[string]interface{}) error

func (*VaultPKIEngineEndpoint) CreateOrUpdateConfigCrl added in v0.3.0 

func (ve *VaultPKIEngineEndpoint) CreateOrUpdateConfigCrl(context context.Context) error

func (*VaultPKIEngineEndpoint) CreateOrUpdateConfigUrls added in v0.3.0 

func (ve *VaultPKIEngineEndpoint) CreateOrUpdateConfigUrls(context context.Context) error

func (*VaultPKIEngineEndpoint) DeleteIfExists added in v0.3.0 

func (ve *VaultPKIEngineEndpoint) DeleteIfExists(context context.Context) error

func (*VaultPKIEngineEndpoint) Exists added in v0.3.0 

func (ve *VaultPKIEngineEndpoint) Exists(context context.Context) (bool, error)

func (*VaultPKIEngineEndpoint) Generate added in v0.3.0 

func (ve *VaultPKIEngineEndpoint) Generate(context context.Context) (*vault.Secret, error)

type VaultPKIEngineObject added in v0.3.0 

type VaultPKIEngineObject interface {
	GetGeneratePath() string
	GetDeletePath() string
	GetGeneratedStatus() bool
	SetGeneratedStatus(status bool)
	GetConfigUrlsPath() string
	GetConfigCrlPath() string
	GetConfigUrlsPayload() map[string]interface{}
	GetConfigCrlPayload() map[string]interface{}
	CreateExported(context context.Context, secret *vault.Secret) (bool, error)
	SetExportedStatus(status bool)
	SetIntermediate(context context.Context) error
	GetSignedStatus() bool
	SetSignedStatus(status bool)
}

type VaultSecretEndpoint added in v0.6.0 

type VaultSecretEndpoint struct {
	// contains filtered or unexported fields
}

func NewVaultSecretEndpoint added in v0.6.0 

func NewVaultSecretEndpoint(obj VaultSecretObject) *VaultSecretEndpoint

func (*VaultSecretEndpoint) GetSecret added in v0.6.0 

func (ve *VaultSecretEndpoint) GetSecret(context context.Context) (*vault.Secret, bool, error)

type VaultSecretObject added in v0.6.0 

type VaultSecretObject interface {
	GetPath() string
	GetRequestMethod() string
	GetPostRequestPayload() map[string]string
	GetVaultConnection() *VaultConnection
}

type VaultSecretReference added in v0.6.3 

type VaultSecretReference struct {
	// Path is the path to the secret
	// +kubebuilder:validation:Required
	Path string `json:"path,omitempty"`
}

+kubebuilder:object:generate=true

func (*VaultSecretReference) DeepCopy added in v0.6.3 

func (in *VaultSecretReference) DeepCopy() *VaultSecretReference

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultSecretReference.

func (*VaultSecretReference) DeepCopyInto added in v0.6.3 

func (in *VaultSecretReference) DeepCopyInto(out *VaultSecretReference)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.