Documentation ¶
Overview ¶
Copyright 2020 Ayache Khettar. All rights reserved. Use of this source file is governed by MIT license license that can be found in LICENSE file.
Package vault provides a way of loading all the secrets for a given Go application or a service into memory. These secrets are then available for the application to use at run time.
Two methods of authentication are supported by this library namely, Kubernetes and App role authentication.
Here is an example on how the library is used ¶
Kubernetes authentication
import ( "fmt" "github.com/akhettar/vault-secrets-plugin" ) func main() { // Create a client by login into vault and read all the secrets into memory client, err := vault.NewClient("config/config.yml") if err != nil { vault.Error.Fatalf("Failed %v", err) } // read secret - this read from memory pwd := client.ReadSecret("password") vault.Info.Printf("Password is %s", pwd) }
The config yml should look like this
auth_method: KUBERNETES token: data/token role: example_role secret_path: secret/data/app/config address: http://localhost:8080 role_id: 62022d0a-b316-30cb-8265-b37da6763012 \ secret_id: f4a9312b-118c-8d28-fbff-5661760e8a58 tls_config: ca_cert: eyJhbGciOiJSUzI1NiIsImtpZCI6IjZMNUxjVG1tU ca_path: /var/ca client_cert: eyJhbGciOiJSUzI1NiIsImtpZCI6IjZMNUxjVG1tU client_key: eyJhbGciOiJSUzI1NiIsImtpZCI6IjZMNUxjVG1tU tls_server_name: name insecure: false
Creating a client with a config
import ( "fmt" "github.com/akhettar/vault-secrets-plugin" ) func main() { // TLS config - if tls is not enabled, this config can be ignored tlsConfig := vault.TLSConfig{CAPath:"<root-ca>", ClientCert:"<public-key>", ClientKey:"<private-key>"} // create config config := vault.Config{ Address: vault_addr, Role: "example", SecretPath: "secret/data/myapp/config", AuthMethod: vault.KubernetesAuth, Token: "<kube-token>", // this can be sourced from /var/run/secrets/kubernetes.io/serviceaccount/token TLSConfig:tlsConfig} // Create a client by login into vault and read all the secrets into memory client, err := vault.NewClientWithConfig(config) if err != nil { vault.Error.Fatalf("Failed %v", err) } // read secret - this read from memory pwd := client.ReadSecret("password") vault.Info.Printf("Password is %s", pwd) }
App role authentication
import ( "fmt" "github.com/akhettar/vault-secrets-plugin" ) func main() { // TLS config - if tls is not enabled, this config can be ignored tlsConfig := vault.TLSConfig{CAPath:"<root-ca>", ClientCert:"<public-key>", ClientKey:"<private-key>"} // create config config := vault.Config{ Address: vault_addr, SecretPath: "secret/data/myapp/config", AuthMethod: vault.AppRoleAuth, SecretId:"056a8b44-8473-e7d1-f76b-af86144fcabe", RoleId:"62022d0a-b316-30cb-8265-b37da6763012", TLSConfig: tlsConfig}} // Create a client by login into vault and read all the secrets into memory client, err := vault.NewClientWithConfig(config) if err != nil { vault.Error.Fatalf("Failed %v", err) } // read secret - this read from memory pwd := client.ReadSecret("password") vault.Info.Printf("Password is %s", pwd) }
Index ¶
Constants ¶
const ( // AUTH used in the vault REST path for login endpoint AUTH = "auth" // ClientToken the json name field of the client token we get in the login response ClientToken = "client_token" // JWT vault token header for querying the secrets JWT = "X-Vault-Token" // DATA the json field object name representing the secrets DATA = "data" // Kubernetes auth KubernetesAuth = "KUBERNETES" // App Role AppRoleAuth = "APP_ROLE" )
Variables ¶
var ( // Info logger Info *log.Logger // Error logger Error *log.Logger )
Functions ¶
Types ¶
type AppRoleAuthBody ¶
type AppRoleAuthBody struct { RoleID string `json:"role_id"` SecretID string `json:"secret_id, string"` }
AppRoleAuthBody is the body request for the vault login request
type Config ¶
type Config struct { // AuthMethod the authentication method AuthMethod AuthMethod `yaml:"auth_method"` // Token the vault kube token path only required fro kube auth method Token string `yaml:"token"` // Role The role attached to the JWT vault token Role string `yaml:"role"` // SecretPath a string the secret path SecretPath string `yaml:"secret_path"` // Address the vault url Address string `yaml:"address"` // TLSConfig the tls config TLSConfig TLSConfig `yaml:"tls_config"` // RoleId only required for App role auth method RoleId string `yaml:"role_id"` //SecretId only required for app role auth method SecretId string `yaml:"secret_id"` }
Config for vault
type KubeAuthBody ¶
KubeAuthBody is the body request for the vault login request
type SecretLoader ¶
type SecretLoader struct {
// contains filtered or unexported fields
}
SecretLoader used for Vault HTTP client
func NewClient ¶
func NewClient(file string) (SecretLoader, error)
NewClient returns an instance of the Secret Loader with the given configuration file
func NewClientWithConfig ¶
func NewClientWithConfig(cf Config) (SecretLoader, error)
NewClientWithConfig returns an instance of the SecretLoader
func (*SecretLoader) ReadSecret ¶
func (client *SecretLoader) ReadSecret(key string) string
ReadSecret form the vault repository for given key. If the secret is not present this functions returns an empty string
type TLSConfig ¶
type TLSConfig struct { // CACert is the path to a PEM-encoded CA cert file to use to verify the // Vault server SSL certificate. CACert string `yaml:"ca_cert"` // CAPath is the path to a directory of PEM-encoded CA cert files to verify // the Vault server SSL certificate. CAPath string `yaml:"ca_path"` // ClientCert is the path to the certificate for Vault communication ClientCert string `yaml:"client_cert"` // ClientKey is the path to the private key for Vault communication ClientKey string `yaml:"client_key"` // TLSServerName, if set, is used to set the SNI host when connecting via // TLS. TLSServerName string `yaml:"tls_server_name"` // Insecure enables or disables SSL verification Insecure bool `yaml:"insecure"` }
TLSConfig contains the parameters needed to configure TLS on the HTTP client used to communicate with Vault.