Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewVaultClient

func NewVaultClient(config *config.VaultConfig, logger hclog.Logger, tokenDeriver TokenDeriverFunc) (*vaultClient, error)

NewVaultClient returns a new vault client from the given config.

Types

type MockVaultClient

type MockVaultClient struct {
	// DeriveTokenFn allows the caller to control the DeriveToken function. If
	// not set an error is returned if found in DeriveTokenErrors and otherwise
	// a token is generated and returned
	DeriveTokenFn func(a *structs.Allocation, tasks []string) (map[string]string, error)
	// contains filtered or unexported fields
}

MockVaultClient is used for testing the vaultclient integration and is safe for concurrent access.

func NewMockVaultClient

func NewMockVaultClient() *MockVaultClient

NewMockVaultClient returns a MockVaultClient for testing.

func (*MockVaultClient) DeriveToken

func (vc *MockVaultClient) DeriveToken(a *structs.Allocation, tasks []string) (map[string]string, error)

func (*MockVaultClient) DeriveTokenErrors

func (vc *MockVaultClient) DeriveTokenErrors() map[string]map[string]error

DeriveTokenErrors maps an allocation ID and tasks to an error when the token is derived.

func (*MockVaultClient) GetConsulACL

func (vc *MockVaultClient) GetConsulACL(string, string) (*vaultapi.Secret, error)

func (*MockVaultClient) RenewToken

func (vc *MockVaultClient) RenewToken(token string, interval int) (<-chan error, error)

func (*MockVaultClient) RenewTokenErrors

func (vc *MockVaultClient) RenewTokenErrors() map[string]error

RenewTokenErrors is used to return an error when RenewToken is called with the given token.

func (*MockVaultClient) RenewTokens

func (vc *MockVaultClient) RenewTokens() map[string]chan error

RenewTokens are the tokens that have been renewed and their error channels.

func (*MockVaultClient) SetDeriveTokenError

func (vc *MockVaultClient) SetDeriveTokenError(allocID string, tasks []string, err error)

func (*MockVaultClient) SetRenewTokenError

func (vc *MockVaultClient) SetRenewTokenError(token string, err error)

func (*MockVaultClient) Start

func (vc *MockVaultClient) Start()

func (*MockVaultClient) Stop

func (vc *MockVaultClient) Stop()

func (*MockVaultClient) StopRenewToken

func (vc *MockVaultClient) StopRenewToken(token string) error

func (*MockVaultClient) StoppedTokens

func (vc *MockVaultClient) StoppedTokens() []string

StoppedTokens tracks the tokens that have stopped renewing.

type TokenDeriverFunc

type TokenDeriverFunc func(*structs.Allocation, []string, *vaultapi.Client) (map[string]string, error)

TokenDeriverFunc takes an allocation and a set of tasks and derives a wrapped token for all the tasks from the Nomad server. All the derived wrapped tokens are unwrapped using the Vault API client.

type VaultClient

type VaultClient interface {
	// Start initiates the renewal loop of tokens and secrets
	Start()

	// Stop terminates the renewal loop for tokens and secrets
	Stop()

	// DeriveToken contacts the nomad server and fetches wrapped tokens for
	// a set of tasks. The wrapped tokens will be unwrapped using vault and
	// returned.
	DeriveToken(*structs.Allocation, []string) (map[string]string, error)

	// GetConsulACL fetches the Consul ACL token required for the task
	GetConsulACL(string, string) (*vaultapi.Secret, error)

	// RenewToken renews a token with the given increment and adds it to
	// the min-heap for periodic renewal.
	RenewToken(string, int) (<-chan error, error)

	// StopRenewToken removes the token from the min-heap, stopping its
	// renewal.
	StopRenewToken(string) error
}

VaultClient is the interface that the Nomad client uses to interact with Vault and to periodically renew tokens and secrets.
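The interface comments above say RenewToken adds a token to a min-heap for periodic renewal and StopRenewToken removes it. The sketch below is an added illustration of that scheduling pattern with container/heap, not Nomad's implementation; renewHeap, entry, Add and Remove are hypothetical names and the token strings are constructed placeholders.

```go
package main

import (
	"container/heap"
	"errors"
	"fmt"
	"time"
)

// entry is one tracked token; index is its heap position, kept by Swap and Push.
type entry struct { token string; next time.Time; index int }
type entries []*entry

func (e entries) Len() int            { return len(e) }
func (e entries) Less(i, j int) bool  { return e[i].next.Before(e[j].next) }
func (e entries) Swap(i, j int)       { e[i], e[j] = e[j], e[i]; e[i].index, e[j].index = i, j }
func (e *entries) Push(x interface{}) { it := x.(*entry); it.index = len(*e); *e = append(*e, it) }
func (e *entries) Pop() interface{}   { o := *e; it := o[len(o)-1]; *e = o[:len(o)-1]; return it }

// renewHeap (hypothetical name) pairs the min-heap with a lookup by token.
type renewHeap struct { h entries; byTok map[string]*entry }
func newRenewHeap() *renewHeap { return &renewHeap{byTok: map[string]*entry{}} }

// Add schedules a token, or reschedules one that is already tracked.
func (r *renewHeap) Add(token string, next time.Time) {
	if e, ok := r.byTok[token]; ok {
		e.next = next
		heap.Fix(&r.h, e.index)
		return
	}
	r.byTok[token] = &entry{token: token, next: next}
	heap.Push(&r.h, r.byTok[token])
}

// Remove stops renewal; the error omits the token so the secret is not logged.
func (r *renewHeap) Remove(token string) error {
	e, ok := r.byTok[token]
	if !ok {
		return errors.New("token is not being renewed")
	}
	heap.Remove(&r.h, e.index)
	delete(r.byTok, token)
	return nil
}

func main() {
	r, now := newRenewHeap(), time.Now()
	r.Add("token-a", now.Add(30*time.Second)) // constructed placeholder values
	r.Add("token-b", now.Add(10*time.Second))
	fmt.Println("tracked:", len(r.h), "unknown token:", r.Remove("token-x"))
}
```

The root of the heap (r.h[0]) is always the token due soonest, so a renewal loop only needs to sleep until that entry's time.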