pouch

Published: Feb 15, 2018 License: Apache-2.0 Imports: 22 Imported by: 0

README

The Pouch project

Pouch and friends are a set of tools to manage provisioning of secrets on hosts based on the AppRole authentication method of Vault.

This project is under development, and its commands and configuration may change.

Pouch encourages the application of the good practices of this authentication method by using secret IDs with response wrapping.

The typical workflow to provision machines using Pouch consists of:

  • Properly configure Vault roles and policies
  • Install a machine with pouch as part of its initial provisioning
  • Push wrapped secret ID to the machine
  • pouch unwraps the secret and uses it to obtain the rest of its secrets

This workflow has some advantages:

  • Secret ID and token TTLs can be minimal
  • Final secrets are only extracted from Vault by the host needing them

Tools in the pouch project

  • pouch is a daemon that can log in to Vault using the AppRole authentication method with wrapped secret IDs; it can request secrets and use them to fill templates.
  • pouchctl is a CLI tool that can be used to push wrapped secret IDs to hosts using pouch.
  • terraform-provisioner-vault-secret-id is a Terraform plugin that provides a provisioner that can be used to push wrapped secret IDs to hosts using pouch.
  • approle-login is a helper tool that can be used with other tools that use Vault as a data source but don't implement the AppRole authentication backend.

Credits & Contact

Pouch is a project by Tuenti Technologies S.L.

You can follow Tuenti engineering team on Twitter @tuentieng.

License

pouch is available under the Apache License, Version 2.0. See LICENSE file for more info.

Documentation

Index

Constants

// Defaults for files rendered from secrets and for retrying secret requests.
const (
	// DefaultFileMode is owner read/write only, so a rendered file holding
	// secret material is not readable by other users. Presumably applied when
	// FileConfig.Mode is left at zero — confirm in the file writer.
	DefaultFileMode   = os.FileMode(0600)
	// SecretRetryPeriod is the wait before a secret request is retried
	// (presumably after a failed Vault request — confirm).
	SecretRetryPeriod = 5 * time.Second
)
// Defaults for the on-disk state file. The state (PouchState) carries the
// last known Vault token and the cached secret data, so the file and its
// directory default to owner-only permissions.
const (
	// DefaultStatePath is where the state is kept; presumably used when
	// Pouchfile.StatePath is empty — confirm.
	DefaultStatePath           = "/var/lib/pouch/state"
	// DefaultStateMode is owner read/write only: the file holds a token and
	// secret data.
	DefaultStateMode           = os.FileMode(0600)
	// DefaultStateDirMode is owner-only access to the directory holding the
	// state file.
	DefaultStateDirMode        = os.FileMode(0700)
	// DefaultSecretDurationRatio is the portion of a secret's lease after
	// which it is renewed (see SecretState.DurationRatio).
	DefaultSecretDurationRatio = 0.75

	// PreviousStateFilePostfix names the previous copy of the state file
	// (presumably kept when saving — confirm in PouchState.Save).
	PreviousStateFilePostfix = "-prev"
)
const (
	// DefaultNotifyTimeout bounds how long a notifier run may take;
	// presumably used when NotifierConfig.Timeout is empty — confirm.
	DefaultNotifyTimeout = 5 * time.Minute
)

Variables

This section is empty.

Functions

This section is empty.

Types

type CommandNotifier added in v0.5.0

// CommandNotifier is a NotifierRunner that runs an external command. It is
// presumably built from NotifierConfig.Command — confirm.
type CommandNotifier struct {
	// Command to execute. It comes from the Pouchfile, so write access to the
	// Pouchfile amounts to the ability to run commands as the pouch user.
	Command string
}

func (*CommandNotifier) Run added in v0.5.0

// Run executes n.Command under ctx and returns a string (presumably the
// command output) and any error; the body is not visible here.
func (n *CommandNotifier) Run(ctx context.Context) (string, error)

type FileConfig

// FileConfig describes one file rendered from secrets, as listed under
// "files" in the Pouchfile.
type FileConfig struct {
	// Path of the file to write.
	Path         string   `json:"path,omitempty"`
	// Mode holds the file permission bits. When zero, DefaultFileMode (0600)
	// presumably applies — confirm. Wider modes expose the rendered secret
	// to other users on the host.
	Mode         int      `json:"mode,omitempty"`
	// Template is an inline template filled with secret data.
	Template     string   `json:"template,omitempty"`
	// TemplateFile is a path to a template read from disk instead of Template.
	TemplateFile string   `json:"template_file,omitempty"`
	// Notify lists notifiers to run after the file is written; presumably
	// keys of Pouchfile.Notifiers — confirm.
	Notify       []string `json:"notify,omitempty"`
	// Priority orders the files using a secret (see PriorityFile).
	Priority     int      `json:"priority,omitempty"`
}

type NotifierConfig added in v0.4.0

// NotifierConfig is one entry of Pouchfile.Notifiers. Command and Service
// correspond to CommandNotifier and ServiceNotifier respectively; which one
// wins when both are set is not visible here.
type NotifierConfig struct {
	// Command to execute.
	Command string `json:"command,omitempty"`
	// Service to reload through the configured Reloader.
	Service string `json:"service,omitempty"`

	// Timeout for the notifier run, as a string; DefaultNotifyTimeout
	// presumably applies when empty — confirm. Because it is a string and not
	// a time.Duration, a malformed value can only be rejected after decoding.
	Timeout string `json:"timeout,omitempty"`
}

type NotifierRunner added in v0.5.0

// NotifierRunner is implemented by CommandNotifier and ServiceNotifier.
type NotifierRunner interface {
	// Run performs the notification under the context and returns a string
	// (presumably its output) and any error.
	Run(context.Context) (string, error)
}

type Pouch

// Pouch is the daemon's main interface; NewPouch returns an implementation.
type Pouch interface {
	// Run drives the daemon; presumably until the context is done or an
	// error occurs — confirm.
	Run(context.Context) error
	// Watch starts watching path; presumably the wrapped secret ID path
	// (Pouchfile.WrappedSecretIDPath) — confirm.
	Watch(path string) error
	// AddStatusNotifier registers a StatusNotifier to be told when the
	// daemon is ready.
	AddStatusNotifier(StatusNotifier)
	// ServiceReloader sets the Reloader used to reload services.
	ServiceReloader(Reloader)
}

func NewPouch

// NewPouch builds a Pouch from the loaded state s, the Vault client vc, and
// the secrets, files and notifiers sections of the Pouchfile.
func NewPouch(s *PouchState, vc vault.Vault, sc map[string]SecretConfig, fc []FileConfig, nc map[string]NotifierConfig) Pouch

type PouchState added in v0.4.0

// PouchState is the persisted state of a pouch instance. It carries the Vault
// token and the secret data themselves (see SecretState.Data), so the file it
// is saved to is as sensitive as the secrets and must stay owner-only
// (DefaultStateMode, DefaultStateDirMode).
type PouchState struct {
	// Last known token. Serialized, so it ends up in the state file.
	Token string `json:"token,omitempty"`

	// Secrets state, keyed by secret name.
	Secrets map[string]*SecretState `json:"secrets,omitempty"`

	// Path from where this state was read. Not serialized.
	Path string `json:"-"`
}

func LoadState added in v0.4.0

// LoadState reads the persisted state from path and records path in
// PouchState.Path. Behaviour when the file is missing is not visible here.
func LoadState(path string) (*PouchState, error)

func NewState added in v0.4.0

// NewState returns a fresh state associated with path (presumably the path
// Save will write to — confirm).
func NewState(path string) *PouchState

func (*PouchState) DeleteSecret added in v0.4.0

// DeleteSecret removes the secret called name from s.Secrets.
func (s *PouchState) DeleteSecret(name string)

func (*PouchState) NextUpdate added in v0.4.0

// NextUpdate returns the secret that should be refreshed first and the time
// (minTTU) at which that should happen; presumably the minimum over
// SecretState.TimeToUpdate. What is returned when no secret has a known
// update time is not visible here — confirm.
func (s *PouchState) NextUpdate() (secret *SecretState, minTTU time.Time)

func (*PouchState) Save added in v0.4.0

// Save persists s, including the token and secret data, to s.Path —
// presumably as JSON given the field tags, and presumably with
// DefaultStateMode so the file is not readable by other users; confirm both.
func (s *PouchState) Save() error

func (*PouchState) SetSecret added in v0.4.0

// SetSecret stores the Vault API response secret under name in s.Secrets,
// presumably as a new SecretState with its timestamp and lease duration —
// confirm.
func (s *PouchState) SetSecret(name string, secret *api.Secret)

type Pouchfile

// Pouchfile is the daemon configuration, loaded by LoadPouchfile. It names
// the commands run by notifiers and the files written from secrets, so it
// should only be writable by trusted users.
type Pouchfile struct {
	// WrappedSecretIDPath is where the response-wrapped secret ID is pushed
	// to the host and read by pouch.
	WrappedSecretIDPath string `json:"wrapped_secret_id_path,omitempty"`
	// StatePath is the state file location; DefaultStatePath presumably
	// applies when empty — confirm.
	StatePath           string `json:"state_path,omitempty"`

	// Vault client configuration.
	Vault     vault.Config              `json:"vault,omitempty"`
	// Systemd integration settings.
	Systemd   SystemdConfig             `json:"systemd,omitempty"`
	// Notifiers by name, referenced from FileConfig.Notify.
	Notifiers map[string]NotifierConfig `json:"notifiers,omitempty"`
	// Secrets by name, describing how each is requested from Vault.
	Secrets   map[string]SecretConfig   `json:"secrets,omitempty"`
	// Files to render from the secrets.
	Files     []FileConfig              `json:"files,omitempty"`
}

func LoadPouchfile

// LoadPouchfile reads and decodes the configuration file at path.
func LoadPouchfile(path string) (*Pouchfile, error)

type PriorityFile added in v0.6.0

// PriorityFile is a file path with the priority it was registered with; see
// SecretState.FilesUsing and SecretState.RegisterUsage. Priority is excluded
// from the default JSON encoding, and MarshalJSON is custom, so check that
// method for how priority is actually persisted.
type PriorityFile struct {
	Priority int    `json:"-"`
	Path     string `json:"path,omitempty"`
}

func (*PriorityFile) MarshalJSON added in v0.6.0

// MarshalJSON implements json.Marshaler. Because Priority carries a
// `json:"-"` tag, this method decides whether the priority is written at
// all; the body is not visible here.
func (pf *PriorityFile) MarshalJSON() ([]byte, error)

type PriorityFileSortedList added in v0.6.0

// PriorityFileSortedList is a list of PriorityFile that satisfies
// sort.Interface through Len, Less and Swap and decodes through a custom
// UnmarshalJSON.
type PriorityFileSortedList []PriorityFile

func (PriorityFileSortedList) Len added in v0.6.0

// Len is the number of elements, for sort.Interface.
func (p PriorityFileSortedList) Len() int

func (PriorityFileSortedList) Less added in v0.6.0

// Less reports whether element i sorts before element j, for sort.Interface;
// presumably it compares Priority — confirm.
func (p PriorityFileSortedList) Less(i, j int) bool

func (PriorityFileSortedList) Swap added in v0.6.0

// Swap exchanges elements i and j, for sort.Interface.
func (p PriorityFileSortedList) Swap(i, j int)

func (*PriorityFileSortedList) UnmarshalJSON added in v0.6.0

// UnmarshalJSON implements json.Unmarshaler for the list; given the type
// name it presumably restores sorted order after decoding — confirm.
func (s *PriorityFileSortedList) UnmarshalJSON(data []byte) error

type Reloader added in v0.4.0

// Reloader reloads a named service. ServiceNotifier embeds one, and the Pouch
// receives the implementation through ServiceReloader.
type Reloader interface {
	// Reload reloads the service named by the string argument.
	Reload(context.Context, string) error
}

type SecretConfig

// SecretConfig describes how one secret is requested from Vault.
type SecretConfig struct {
	// VaultURL is the Vault API path of the secret; presumably resolved
	// against the address in Pouchfile.Vault — confirm.
	VaultURL   string     `json:"vault_url,omitempty"`
	// HTTPMethod is the method used for the request; the default when empty
	// is not visible here.
	HTTPMethod string     `json:"http_method,omitempty"`
	// Data is sent with the request, for secrets that take parameters.
	Data       SecretData `json:"data,omitempty"`
}

type SecretData added in v0.6.0

// SecretData is free-form JSON data, used both for request parameters
// (SecretConfig.Data) and for the secret payload itself (SecretState.Data).
type SecretData map[string]interface{}

type SecretState added in v0.4.0

// SecretState is the cached state of one secret, including its data, as
// persisted inside PouchState.
type SecretState struct {
	// Secret name
	Name string `json:"name,omitempty"`

	// Time when the secret was read
	Timestamp time.Time `json:"creation_time,omitempty"`

	// Lease duration, in seconds, if any when the secret was read
	LeaseDuration int `json:"lease_duration,omitempty"`

	// Secret will be renewed after this portion of its life has passed
	// (see Ratio and DefaultSecretDurationRatio)
	DurationRatio float64 `json:"duration_ratio,omitempty"`

	// If the secret has no expiration data, don't try to update it.
	// NOTE(review): the JSON key is misspelled ("uptdate"). It is kept as-is
	// because renaming it would silently drop the flag from state files
	// already on disk; a rename needs a migration that accepts both keys.
	DisableAutoUpdate bool `json:"disable_auto_uptdate,omitempty"`

	// Actual secret. It is persisted with the state, so the state file is
	// as sensitive as the secret itself.
	Data SecretData `json:"data,omitempty"`

	// Files using this secret, in priority order
	FilesUsing PriorityFileSortedList `json:"files_using,omitempty"`
}

func (*SecretState) Ratio added in v0.6.0

// Ratio returns the effective renewal ratio; presumably s.DurationRatio, or
// DefaultSecretDurationRatio when it is unset — confirm.
func (s *SecretState) Ratio() float64

func (*SecretState) RegisterUsage added in v0.5.0

// RegisterUsage records that the file at path uses this secret with the
// given priority (see FilesUsing).
func (s *SecretState) RegisterUsage(path string, priority int)

func (*SecretState) TTL added in v0.4.0

// TTL returns the secret's remaining time to live in seconds and whether it
// is known; presumably unknown when LeaseDuration is zero — confirm.
func (s *SecretState) TTL() (int, bool)

func (*SecretState) TimeToUpdate added in v0.4.0

// TimeToUpdate returns the time after which the secret should be refreshed
// and whether that time is known. Presumably derived from Timestamp,
// LeaseDuration and Ratio — confirm.
func (s *SecretState) TimeToUpdate() (minTTU time.Time, known bool)

type ServiceNotifier added in v0.5.0

// ServiceNotifier is a NotifierRunner that reloads a service through the
// embedded Reloader.
type ServiceNotifier struct {
	Reloader

	// Service is the name handed to Reloader.Reload.
	Service string
}

func (*ServiceNotifier) Run added in v0.5.0

// Run reloads n.Service through the embedded Reloader under ctx; the body is
// not visible here.
func (n *ServiceNotifier) Run(ctx context.Context) (string, error)

type StatusNotifier

// StatusNotifier is told when pouch is ready; registered through
// Pouch.AddStatusNotifier.
type StatusNotifier interface {
	NotifyReady() error
}

type SystemdConfig

// SystemdConfig controls the systemd integration.
type SystemdConfig struct {
	// If pouch should enable systemd support. Defaults to true
	// if systemd is available. A pointer so that an absent key can be
	// distinguished from an explicit false.
	Enabled *bool `json:"enabled,omitempty"`
}

func (*SystemdConfig) Configurer added in v0.3.0

// Configurer returns the systemd configurer for s. NOTE(review): the return
// type is unexported, so callers outside this package can only use the value
// through whatever exported methods it has.
func (s *SystemdConfig) Configurer() *systemdConfigurer

Directories

Path Synopsis
cmd
pkg
