Documentation
¶
Overview ¶
Package openbao provides a secrets.Provider that resolves secret references from an OpenBao KV v2 secret engine.
The provider uses a thin HTTP client (no SDK dependency). Connections are HTTPS-only by default (plaintext is opt-in via Config.AllowInsecureHTTP), with SSRF protection on the resolved server address, support for a custom CA certificate, and mTLS client authentication.
Usage ¶
provider, err := openbao.New(&openbao.Config{
	Address: os.Getenv("BAO_ADDR"),
	Token:   os.Getenv("BAO_TOKEN"),
})
if err != nil {
	return err
}
defer provider.Close()

// ref is a parsed secrets.Ref such as ref+openbao://secret/data/audit/hmac#salt
val, err := provider.Resolve(ctx, ref)
Pass the provider to outputconfig.Load via outputconfig.WithSecretProvider to resolve ref+ URIs in YAML configuration files automatically.
KV v2 Path Convention ¶
Secret references use the raw API path, not the CLI logical path. The CLI command "bao kv get secret/audit/hmac" maps to the API path "secret/data/audit/hmac". Ref URIs use the API path:
ref+openbao://secret/data/audit/hmac#salt
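The path rule above is easy to get wrong in the other direction too: a CLI-style logical path passed in a ref URI is a valid-looking request that simply returns 404. The following is an added example, not code from this package, showing how a ref URI decomposes into the KV v2 API path and key, how a logical path maps to the API path, and how the key is pulled from a KV v2 read response. The function names (ParseOpenBaoRef, LogicalToAPIPath, ExtractKey) are this example's own; the response body is constructed in the standard KV v2 shape (fields under data.data, version under data.metadata), not captured from a server. Errors deliberately do not echo the caller's path, matching the non-leaking error policy documented for New below.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ParsedRef is the KV v2 API path and key a ref+openbao URI points at.
type ParsedRef struct {
	Path string // e.g. "secret/data/audit/hmac"
	Key  string // e.g. "salt"
}

// ParseOpenBaoRef splits ref+openbao://<mount>/data/<secret>#<key> into
// its API path and key. A logical (CLI) path without the "data" segment
// is rejected up front instead of turning into a 404 at resolve time.
func ParseOpenBaoRef(raw string) (ParsedRef, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return ParsedRef{}, errors.New("malformed ref URI")
	}
	if u.Scheme != "ref+openbao" {
		return ParsedRef{}, errors.New("unsupported ref scheme")
	}
	// net/url parses the first path segment ("secret") as the host.
	path := strings.Trim(u.Host+u.Path, "/")
	segs := strings.Split(path, "/")
	if len(segs) < 3 || segs[1] != "data" {
		return ParsedRef{}, errors.New("ref path is not a KV v2 API path (<mount>/data/<secret>)")
	}
	if u.Fragment == "" {
		return ParsedRef{}, errors.New("ref URI is missing the #key fragment")
	}
	return ParsedRef{Path: path, Key: u.Fragment}, nil
}

// LogicalToAPIPath converts the CLI logical path (<mount>/<secret>) to the
// KV v2 read path (<mount>/data/<secret>).
func LogicalToAPIPath(logical string) (string, error) {
	mount, rest, ok := strings.Cut(strings.Trim(logical, "/"), "/")
	if !ok || mount == "" || rest == "" {
		return "", errors.New("logical path must be <mount>/<secret>")
	}
	return mount + "/data/" + rest, nil
}

// kvV2Response is the subset of a KV v2 read response this example needs:
// the secret's fields live under data.data, version info under data.metadata.
type kvV2Response struct {
	Data struct {
		Data     map[string]json.RawMessage `json:"data"`
		Metadata struct {
			Version int `json:"version"`
		} `json:"metadata"`
	} `json:"data"`
}

// ExtractKey returns one string-valued key from a KV v2 read response.
// Non-string JSON values are an error rather than being silently stringified.
func ExtractKey(body []byte, key string) (string, error) {
	var resp kvV2Response
	if err := json.Unmarshal(body, &resp); err != nil {
		return "", errors.New("response is not a KV v2 read body")
	}
	raw, ok := resp.Data.Data[key]
	if !ok {
		return "", errors.New("requested key not present in secret")
	}
	var s string
	if err := json.Unmarshal(raw, &s); err != nil {
		return "", errors.New("requested key is not a string value")
	}
	return s, nil
}

func main() {
	ref, err := ParseOpenBaoRef("ref+openbao://secret/data/audit/hmac#salt")
	if err != nil {
		panic(err)
	}
	// Constructed KV v2 response body for the example; not a real server reply.
	body := []byte(`{"data":{"data":{"salt":"c2FsdA==","ttl":3600},"metadata":{"version":2}}}`)
	v, err := ExtractKey(body, ref.Key)
	if err != nil {
		panic(err)
	}
	fmt.Println("GET /v1/"+ref.Path, "->", ref.Key, "=", v)
}
```

The same split (host plus path, fragment as key) is what a ref+ resolver has to do before issuing `GET /v1/<path>`; keeping the "data" check in the parser means a misconfigured YAML file fails at load time rather than at the first secret lookup.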
Index ¶
- type Config
- type Provider
- func (p *Provider) Close() error
- func (p *Provider) Format(f fmt.State, _ rune)
- func (p *Provider) GoString() string
- func (p *Provider) Resolve(ctx context.Context, ref secrets.Ref) (string, error)
- func (p *Provider) ResolvePath(ctx context.Context, path string) (map[string]string, error)
- func (p *Provider) Scheme() string
- func (p *Provider) String() string
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Config ¶
type Config struct {
	// Address is the OpenBao server URL. Required. Must use HTTPS.
	// Typically sourced from the BAO_ADDR environment variable.
	Address string

	// Token is the authentication token. Required.
	// Typically sourced from the BAO_TOKEN environment variable.
	Token string

	// Namespace is the OpenBao namespace prefix. Optional.
	// Set via X-Vault-Namespace header on every request.
	Namespace string

	// TLSCA is the path to a custom CA certificate PEM file for
	// verifying the OpenBao server's TLS certificate.
	TLSCA string

	// TLSCert is the path to a client certificate for mTLS
	// authentication.
	TLSCert string

	// TLSKey is the path to the client private key for mTLS
	// authentication.
	TLSKey string

	// TLSPolicy controls TLS version and cipher suite selection.
	// Nil defaults to TLS 1.3 only.
	TLSPolicy *audit.TLSPolicy

	// AllowPrivateRanges permits connections to RFC 1918 private
	// addresses and loopback. Required for local development where
	// OpenBao runs on 127.0.0.1. Cloud metadata endpoints remain
	// blocked. Default: false.
	AllowPrivateRanges bool

	// AllowInsecureHTTP permits http:// URLs. Default: false.
	// MUST NOT be set to true in production. Plaintext HTTP exposes
	// the authentication token to network observers. Use only for
	// local development with Docker Compose where OpenBao runs
	// on the internal Docker network.
	AllowInsecureHTTP bool
}
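The AllowPrivateRanges comment states the policy (private and loopback off by default, cloud metadata never) but not where it has to be enforced. Checking the URL's hostname at construction time is not enough: a hostname can resolve to an internal address later, or to different addresses on successive lookups. The following is an added example, not this package's implementation, of an address policy applied inside the HTTP transport's dialer: the name is resolved, every returned address is vetted, and the vetted IP literal (not the name) is what gets dialed, so the address that was checked is the address that is connected to. The AddrPolicy type, CheckIP and NewSafeTransport are this example's own names; the blocked-address list is the example's own (link-local, which contains 169.254.169.254, plus the AWS IPv6 IMDS address fd00:ec2::254). TLS handshake and server-name verification still happen in http.Transport using the request's hostname, so dialing the IP does not weaken certificate checking.

```go
package main

import (
	"context"
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"net/http"
	"time"
)

// AddrPolicy mirrors the AllowPrivateRanges knob: whether RFC 1918,
// ULA and loopback targets are acceptable. Cloud metadata endpoints are
// refused regardless of the flag.
type AddrPolicy struct {
	AllowPrivateRanges bool
}

// awsIMDSv6 is the AWS IPv6 metadata address. It sits inside fc00::/7,
// so it must be checked before the generic IsPrivate test.
var awsIMDSv6 = net.ParseIP("fd00:ec2::254")

// CheckIP decides whether a resolved address may be dialed.
func (p AddrPolicy) CheckIP(ip net.IP) error {
	switch {
	case ip == nil:
		return errors.New("nil address")
	case ip.IsUnspecified(), ip.IsMulticast():
		return errors.New("address is not a routable unicast host")
	case ip.IsLinkLocalUnicast(), ip.IsLinkLocalMulticast():
		// 169.254.0.0/16 and fe80::/10: every cloud IMDS lives here.
		return errors.New("link-local (cloud metadata) address blocked")
	case ip.Equal(awsIMDSv6):
		return errors.New("cloud metadata address blocked")
	case ip.IsLoopback(), ip.IsPrivate():
		if p.AllowPrivateRanges {
			return nil
		}
		return errors.New("private or loopback address blocked; set AllowPrivateRanges for local development")
	}
	return nil
}

// NewSafeTransport builds an http.Transport whose dialer resolves the
// host, vets every candidate address, and dials the vetted IP literal.
// A name that resolves to any blocked address is refused outright rather
// than partially dialed, which also closes the DNS-rebinding window
// between the check and the connect.
func NewSafeTransport(p AddrPolicy, tlsConf *tls.Config) *http.Transport {
	d := &net.Dialer{Timeout: 10 * time.Second}
	return &http.Transport{
		TLSClientConfig: tlsConf,
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			host, port, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
			if err != nil {
				return nil, err
			}
			if len(ips) == 0 {
				return nil, errors.New("host resolved to no addresses")
			}
			for _, ia := range ips {
				if err := p.CheckIP(ia.IP); err != nil {
					return nil, fmt.Errorf("refusing to dial OpenBao address: %w", err)
				}
			}
			// Dial the IP that passed the check, not the name.
			return d.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
		},
	}
}

func main() {
	// Production posture: public addresses only, TLS 1.3 floor.
	tr := NewSafeTransport(AddrPolicy{}, &tls.Config{MinVersion: tls.VersionTLS13})
	client := &http.Client{Transport: tr, Timeout: 30 * time.Second}
	_ = client

	for _, s := range []string{"169.254.169.254", "fd00:ec2::254", "127.0.0.1", "10.0.0.5", "203.0.113.7"} {
		ip := net.ParseIP(s)
		fmt.Printf("%-16s strict=%v dev=%v\n", s,
			AddrPolicy{}.CheckIP(ip) == nil,
			AddrPolicy{AllowPrivateRanges: true}.CheckIP(ip) == nil)
	}
}
```

The metadata check is deliberately placed ahead of IsPrivate: fd00:ec2::254 is a ULA address, so with AllowPrivateRanges set it would otherwise be admitted by the generic private-range branch, which is exactly the case the Config comment says must stay blocked.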
Config holds connection parameters for an OpenBao provider.
func (Config) Format ¶ added in v0.1.11
Format writes the redacted representation to the formatter. Prevents credential leakage via %+v and all other format verbs.
func (Config) GoString ¶ added in v0.1.11
GoString returns the same redacted representation as Config.String. Prevents credential leakage when a Config is formatted via %#v.
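Why all three methods are needed: fmt consults Formatter first, then GoStringer for %#v, then Stringer for %v and %s. A Stringer alone still leaks through %#v, and %+v on a pointer or on a struct that embeds the value reflects over the fields unless Formatter is implemented. The following is an added example, not this package's code, of a redacting Config stand-in with all three methods and a deliberately unguarded twin to show the difference. The Leaks helper and the token literal are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Config is a stand-in for the page's Config: one credential plus a
// non-sensitive connection field.
type Config struct {
	Address string
	Token   string
}

const redacted = "[REDACTED]"

// String is the single rendering path; every verb funnels into it, so
// there is exactly one place where the Token field is (not) printed.
func (c Config) String() string {
	return fmt.Sprintf("openbao.Config{Address:%q, Token:%s}", c.Address, redacted)
}

// GoString covers %#v, which bypasses Stringer and would otherwise dump
// every exported field verbatim.
func (c Config) GoString() string { return c.String() }

// Format covers every remaining verb and flag (%v, %+v, %s, %q, %x, widths).
// Because fmt finds a Formatter first, it never reflects over the struct,
// and a value-receiver method also serves *Config and embedded fields.
func (c Config) Format(f fmt.State, verb rune) {
	s := c.String()
	switch verb {
	case 'q':
		fmt.Fprintf(f, "%q", s)
	case 'x':
		fmt.Fprintf(f, "%x", s)
	default:
		fmt.Fprint(f, s)
	}
}

// leaky is the same struct with no methods: what %+v and %#v print when
// nothing guards the field.
type leaky struct {
	Address string
	Token   string
}

// Leaks reports whether rendering v with verb exposes token in the output.
func Leaks(verb string, v any, token string) bool {
	return strings.Contains(fmt.Sprintf(verb, v), token)
}

func main() {
	const tok = "hvs.CAESIexampletokenvalue" // constructed, not a real token
	bad := leaky{Address: "https://bao.internal:8200", Token: tok}
	good := Config{Address: "https://bao.internal:8200", Token: tok}
	for _, verb := range []string{"%v", "%+v", "%#v", "%s", "%q"} {
		fmt.Printf("%-4s leaky=%-5v guarded=%-5v guarded(ptr)=%v\n", verb,
			Leaks(verb, bad, tok), Leaks(verb, good, tok), Leaks(verb, &good, tok))
	}
	// Embedding: fmt recurses into exported fields and still finds Format.
	wrapped := struct{ C Config }{good}
	fmt.Printf("%+v\n", wrapped)
}
```

The hex verb is handled explicitly because %x on an unguarded struct hex-encodes the token: a substring search for the plaintext token would miss it even though the credential is fully recoverable from the log line.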
type Provider ¶
type Provider struct {
// contains filtered or unexported fields
}
Provider resolves secret references from an OpenBao KV v2 engine. Construction validates the address and builds an SSRF-safe HTTP client but performs no network I/O. The first [Resolve] call initiates the connection.
func New ¶
New creates an OpenBao provider from the given configuration. Validates the address (HTTPS required unless [Config.AllowInsecureHTTP] is set), builds the TLS config and HTTP client, but performs no network I/O.
Error messages do not echo caller-supplied substrings (the configured address, scheme, or token); the audit/secrets/openbao logger category surfaces the failure class without leakage. Set log-level debug on that category if a deployment-time root cause is needed (#651).
func NewWithHTTPClient ¶
NewWithHTTPClient creates an OpenBao provider using the provided HTTP client instead of building one from the Config's TLS settings. This is primarily for testing with net/http/httptest servers. The Config.Address and Config.Token are still validated.
func (*Provider) Close ¶
Close releases resources held by the provider and zeroes its copy of the authentication token in memory. This is best-effort: the provider's own token bytes are overwritten, but Go strings are immutable, so the Config.Token string the caller supplied (and any other copies made before Close) cannot be zeroed by the provider and remain until garbage-collected.

Close is idempotent: repeated calls are safe, return nil, and do not panic. Zeroing an already-zeroed token slice is a no-op, and http.Client.CloseIdleConnections may be invoked any number of times per the stdlib contract. Calls to Provider.Resolve after Close fail with a connection error; a closed provider must not be reused.
func (*Provider) Format ¶
Format implements fmt.Formatter to prevent token leakage via %+v.
func (*Provider) GoString ¶
GoString implements fmt.GoStringer to prevent token leakage via %#v.
func (*Provider) ResolvePath ¶
ResolvePath fetches all key-value pairs at the given path from the OpenBao KV v2 engine. Implements secrets.BatchProvider for path-level caching.