vault

package

v4.2.2+incompatible Latest Latest Go to latest Published: Sep 17, 2018 License: Apache-2.0 Imports: 15 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/cirocosta/atc

Links

Open Source Insights

Documentation ¶

Index ¶

func NewVaultFactory(sr SecretReader, loggedIn <-chan struct{}, prefix string) *vaultFactory
func NewVaultManagerFactory() creds.ManagerFactory
type APIClient
- func NewAPIClient(logger lager.Logger, apiURL string, tlsConfig *vaultapi.TLSConfig, ...) (*APIClient, error)
type AuthConfig
type Auther
type Cache
- func NewCache(sr SecretReader, maxLease time.Duration) *Cache
- func (c *Cache) Read(path string) (*vaultapi.Secret, error)
type ReAuther
- func NewReAuther(auther Auther, maxTTL, retry, max time.Duration) *ReAuther
- func (ra *ReAuther) LoggedIn() <-chan struct{}
type SecretReader
type TLS
type Vault
- func (v Vault) Get(varDef template.VariableDefinition) (interface{}, bool, error)
- func (v Vault) List() ([]template.VariableDefinition, error)
type VaultManager

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func NewVaultFactory ¶

func NewVaultFactory(sr SecretReader, loggedIn <-chan struct{}, prefix string) *vaultFactory

func NewVaultManagerFactory ¶

func NewVaultManagerFactory() creds.ManagerFactory

Types ¶

type APIClient ¶

type APIClient struct {
	// contains filtered or unexported fields
}

The APIClient is a SecretReader which maintains an authorized client using the Login and Renew functions.

func NewAPIClient ¶

func NewAPIClient(logger lager.Logger, apiURL string, tlsConfig *vaultapi.TLSConfig, authConfig AuthConfig) (*APIClient, error)

NewAPIClient with the associated authorization config and underlying vault client.

func (ac *APIClient) Login() (time.Duration, error)

Login the APIClient using the credentials passed at construction. Returns a duration after which renew must be called.

func (*APIClient) Read ¶

func (ac *APIClient) Read(path string) (*vaultapi.Secret, error)

Read must be called after a successful login has occurred or an un-authorized client will be used.

func (*APIClient) Renew ¶

func (ac *APIClient) Renew() (time.Duration, error)

Renew the APIClient login using the credentials passed at construction. Must be called after a successful login. Returns a duration after which renew must be called again.

type AuthConfig ¶

type AuthConfig struct {
	ClientToken string `long:"client-token" description:"Client token for accessing secrets within the Vault server."`

	Backend       string        `long:"auth-backend"               description:"Auth backend to use for logging in to Vault."`
	BackendMaxTTL time.Duration `` /* 142-byte string literal not displayed */
	RetryMax      time.Duration `long:"retry-max"     default:"5m" description:"The maximum time between retries when logging in or re-authing a secret."`
	RetryInitial  time.Duration `long:"retry-initial" default:"1s" description:"The initial time between retries when logging in or re-authing a secret."`

	Params []template.VarKV `` /* 139-byte string literal not displayed */
}

type Auther ¶

type Auther interface {
	Login() (time.Duration, error)
	Renew() (time.Duration, error)
}

An Auther is anything which needs to be logged in and then have that login renewed on a regulary basis.

type Cache ¶

type Cache struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

A Cache caches secrets read from a SecretReader until the lease on the secret expires. Once expired the credential is proactively deleted from cache to maintain a smaller cache footprint.

func NewCache ¶

func NewCache(sr SecretReader, maxLease time.Duration) *Cache

NewCache using the underlying vault client.

func (*Cache) Read ¶

func (c *Cache) Read(path string) (*vaultapi.Secret, error)

Read a secret from the cache or the underlying client if not present.

type ReAuther ¶

type ReAuther struct {
	// contains filtered or unexported fields
}

The ReAuther runs the authorization loop (login, renew) and retries using a bounded exponential backoff strategy. If maxTTL is set, a new login will be done _regardless_ of the available leaseDuration.

func NewReAuther ¶

func NewReAuther(auther Auther, maxTTL, retry, max time.Duration) *ReAuther

NewReAuther with a retry time and a max retry time.

func (*ReAuther) LoggedIn ¶

func (ra *ReAuther) LoggedIn() <-chan struct{}

LoggedIn will receive a signal after every login. Multiple logins may result in a single signal as this channel is not blocked.

type SecretReader ¶

type SecretReader interface {
	Read(path string) (*vaultapi.Secret, error)
}

A SecretReader reads a vault secret from the given path. It should be thread safe!

type TLS ¶

type TLS struct {
	CACert     string `long:"ca-cert"              description:"Path to a PEM-encoded CA cert file to use to verify the vault server SSL cert."`
	CAPath     string `` /* 127-byte string literal not displayed */
	ClientCert string `long:"client-cert"          description:"Path to the client certificate for Vault authorization."`
	ClientKey  string `long:"client-key"           description:"Path to the client private key for Vault authorization."`
	ServerName string `long:"server-name"          description:"If set, is used to set the SNI host when connecting via TLS."`
	Insecure   bool   `long:"insecure-skip-verify" description:"Enable insecure SSL verification."`
}

type Vault ¶

type Vault struct {
	SecretReader SecretReader

	PathPrefix   string
	TeamName     string
	PipelineName string
}

Vault converts a vault secret to our completely untyped secret data.

func (Vault) Get ¶

func (v Vault) Get(varDef template.VariableDefinition) (interface{}, bool, error)

func (Vault) List ¶

func (v Vault) List() ([]template.VariableDefinition, error)

type VaultManager ¶

type VaultManager struct {
	URL string `long:"url" description:"Vault server address used to access secrets."`

	PathPrefix string `long:"path-prefix" default:"/concourse" description:"Path under which to namespace credential lookup."`

	Cache    bool          `long:"cache" description:"Cache returned secrets for their lease duration in memory"`
	MaxLease time.Duration `long:"max-lease" description:"If the cache is enabled, and this is set, override secrets lease duration with a maximum value"`

	TLS    TLS
	Auth   AuthConfig
	Client *APIClient
}

func (VaultManager) Health ¶

func (manager VaultManager) Health() (*creds.HealthResponse, error)

func (*VaultManager) Init ¶

func (manager *VaultManager) Init(log lager.Logger) error

func (VaultManager) IsConfigured ¶

func (manager VaultManager) IsConfigured() bool

func (*VaultManager) MarshalJSON ¶

func (manager *VaultManager) MarshalJSON() ([]byte, error)

func (VaultManager) NewVariablesFactory ¶

func (manager VaultManager) NewVariablesFactory(logger lager.Logger) (creds.VariablesFactory, error)

func (VaultManager) Validate ¶

func (manager VaultManager) Validate() error

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL