Documentation
¶
Index ¶
- Constants
- func Init(pod *corev1.Pod, cfg AgentConfig) error
- func ShouldInject(pod *corev1.Pod) (bool, error)
- type Agent
- func (a *Agent) ContainerConfigMapVolume() corev1.Volume
- func (a *Agent) ContainerEnvVars(init bool) ([]corev1.EnvVar, error)
- func (a *Agent) ContainerExtraSecretVolume() corev1.Volume
- func (a *Agent) ContainerInitSidecar() (corev1.Container, error)
- func (a *Agent) ContainerSidecar() (corev1.Container, error)
- func (a *Agent) ContainerTLSSecretVolume() corev1.Volume
- func (a *Agent) ContainerTokenVolume() []corev1.Volume
- func (a *Agent) ContainerVolumeMounts() []corev1.VolumeMount
- func (a *Agent) ContainerVolumes() []corev1.Volume
- func (a *Agent) Patch() ([]byte, error)
- func (a *Agent) Validate() error
- type AgentAPI
- type AgentConfig
- type AutoAuth
- type Cache
- type CachePersist
- type Config
- type Listener
- type Method
- type Secret
- type ServiceAccountTokenVolume
- type Sink
- type Telemetry
- type Template
- type TemplateConfig
- type Vault
- type VaultAgentCache
- type VaultAgentTemplateConfig
- type VaultConfig
Constants ¶
View Source
const ( DefaultVaultImage = "hashicorp/vault:1.16.1" DefaultVaultAuthType = "kubernetes" DefaultVaultAuthPath = "auth/kubernetes" DefaultAgentRunAsUser = 100 DefaultAgentRunAsGroup = 1000 DefaultAgentRunAsSameUser = false DefaultAgentAllowPrivilegeEscalation = false DefaultAgentDropCapabilities = "ALL" DefaultAgentSetSecurityContext = true DefaultAgentReadOnlyRoot = true DefaultAgentCacheEnable = "false" DefaultAgentCacheUseAutoAuthToken = "true" DefaultAgentCacheListenerPort = "8200" DefaultAgentCacheExitOnErr = false DefaultAgentUseLeaderElector = false DefaultAgentInjectToken = false DefaultTemplateConfigExitOnRetryFailure = true DefaultServiceAccountMount = "/var/run/secrets/vault.hashicorp.com/serviceaccount" DefaultEnableQuit = false DefaultAutoAuthEnableOnExit = false )
View Source
const ( // AnnotationAgentStatus is the key of the annotation that is added to // a pod after an injection is done. // There's only one valid status we care about: "injected". AnnotationAgentStatus = "vault.hashicorp.com/agent-inject-status" // AnnotationAgentInject is the key of the annotation that controls whether // injection is explicitly enabled or disabled for a pod. This should // be set to a true or false value, as parseable by parseutil.ParseBool AnnotationAgentInject = "vault.hashicorp.com/agent-inject" // AnnotationAgentInjectSecret is the key annotation that configures Vault // Agent to retrieve the secrets from Vault required by the app. The name // of the secret is any unique string after "vault.hashicorp.com/agent-inject-secret-", // such as "vault.hashicorp.com/agent-inject-secret-foobar". The value is the // path in Vault where the secret is located. AnnotationAgentInjectSecret = "vault.hashicorp.com/agent-inject-secret" // AnnotationAgentInjectFile is the key of the annotation that contains the // name (and optional path) of the file to create on disk. The name of the // secret is the string after "vault.hashicorp.com/agent-inject-file-", and // should map to the same unique value provided in // "vault.hashicorp.com/agent-inject-secret-". The value is the filename and // path in the secrets volume where the vault secret will be written. The // container mount path of the secrets volume may be modified with the // secret-volume-path annotation. AnnotationAgentInjectFile = "vault.hashicorp.com/agent-inject-file" // AnnotationAgentInjectFilePermission is the key of the annotation that contains the // permission of the file to create on disk. The name of the // secret is the string after "vault.hashicorp.com/agent-inject-perms-", and // should map to the same unique value provided in // "vault.hashicorp.com/agent-inject-secret-". The value is the value of the permission, for // example "0644" AnnotationAgentInjectFilePermission = "vault.hashicorp.com/agent-inject-perms" // AnnotationAgentInjectTemplate is the key annotation that configures Vault // Agent what template to use for rendering the secrets. The name // of the template is any unique string after "vault.hashicorp.com/agent-inject-template-", // such as "vault.hashicorp.com/agent-inject-template-foobar". This should map // to the same unique value provided in "vault.hashicorp.com/agent-inject-secret-". // If not provided, a default generic template is used. AnnotationAgentInjectTemplate = "vault.hashicorp.com/agent-inject-template" // AnnotationAgentInjectContainers is the key of the annotation that controls // in which containers the secrets volume should be mounted. Multiple containers can // be specified in a comma-separated list. If not provided, the secrets volume will // be mounted in all containers in the pod. AnnotationAgentInjectContainers = "vault.hashicorp.com/agent-inject-containers" // AnnotationAgentInjectDefaultTemplate sets the default template type. Possible values // are "json" and "map". AnnotationAgentInjectDefaultTemplate = "vault.hashicorp.com/agent-inject-default-template" // AnnotationAgentInjectTemplateFile is the optional key annotation that configures Vault // Agent what template on disk to use for rendering the secrets. The name // of the template is any unique string after "vault.hashicorp.com/agent-inject-template-file-", // such as "vault.hashicorp.com/agent-inject-template-file-foobar". This should map // to the same unique value provided in "vault.hashicorp.com/agent-inject-secret-". // The value is the filename and path of the template used by the agent to render the secrets. // If not provided, the template content key annotation is used. AnnotationAgentInjectTemplateFile = "vault.hashicorp.com/agent-inject-template-file" // AnnotationAgentInjectToken is the annotation key for injecting the // auto-auth token into the secrets volume (e.g. /vault/secrets/token) AnnotationAgentInjectToken = "vault.hashicorp.com/agent-inject-token" // AnnotationAgentInjectCommand is the key annotation that configures Vault Agent // to run a command after the secret is rendered. The name of the template is any // unique string after "vault.hashicorp.com/agent-inject-command-". This should map // to the same unique value provided in "vault.hashicorp.com/agent-inject-secret-". // If not provided (the default), no command is executed. AnnotationAgentInjectCommand = "vault.hashicorp.com/agent-inject-command" // AnnotationAgentImage is the name of the Vault docker image to use. AnnotationAgentImage = "vault.hashicorp.com/agent-image" // AnnotationAgentRequestNamespace is the Kubernetes namespace where the request // originated from. AnnotationAgentRequestNamespace = "vault.hashicorp.com/agent-request-namespace" // AnnotationAgentInitFirst makes the initialization container the first container // to run when a pod starts. Default is last. AnnotationAgentInitFirst = "vault.hashicorp.com/agent-init-first" // AnnotationAgentPrePopulate controls whether an init container is included // to pre-populate the shared memory volume with secrets prior to the application // starting. AnnotationAgentPrePopulate = "vault.hashicorp.com/agent-pre-populate" // AnnotationAgentPrePopulateOnly controls whether an init container is the only // injected container. If true, no sidecar container will be injected at runtime // of the application. AnnotationAgentPrePopulateOnly = "vault.hashicorp.com/agent-pre-populate-only" // AnnotationAgentConfigMap is the name of the configuration map where Vault Agent // configuration file and templates can be found. AnnotationAgentConfigMap = "vault.hashicorp.com/agent-configmap" // AnnotationAgentExtraSecret is the name of a Kubernetes secret that will be mounted // into the Vault agent container so that the agent config can reference secrets. AnnotationAgentExtraSecret = "vault.hashicorp.com/agent-extra-secret" // AnnotationAgentLimitsCPU sets the CPU limit on the Vault Agent containers. AnnotationAgentLimitsCPU = "vault.hashicorp.com/agent-limits-cpu" // AnnotationAgentLimitsMem sets the memory limit on the Vault Agent containers. AnnotationAgentLimitsMem = "vault.hashicorp.com/agent-limits-mem" // AnnotationAgentLimitsEphemeral sets the ephemeral storage limit on the Vault Agent containers. AnnotationAgentLimitsEphemeral = "vault.hashicorp.com/agent-limits-ephemeral" // AnnotationAgentRequestsCPU sets the requested CPU amount on the Vault Agent containers. AnnotationAgentRequestsCPU = "vault.hashicorp.com/agent-requests-cpu" // AnnotationAgentRequestsMem sets the requested memory amount on the Vault Agent containers. AnnotationAgentRequestsMem = "vault.hashicorp.com/agent-requests-mem" // AnnotationAgentRequestsEphemeral sets the ephemeral storage request on the Vault Agent containers. AnnotationAgentRequestsEphemeral = "vault.hashicorp.com/agent-requests-ephemeral" // AnnotationAgentRevokeOnShutdown controls whether a sidecar container will revoke its // own Vault token before shutting down. If you are using a custom agent template, you must // make sure it's written to `/home/vault/.vault-token`. Only supported for sidecar containers. AnnotationAgentRevokeOnShutdown = "vault.hashicorp.com/agent-revoke-on-shutdown" // AnnotationAgentRevokeGrace sets the number of seconds after receiving the signal for pod // termination that the container will attempt to revoke its own Vault token. Defaults to 5s. AnnotationAgentRevokeGrace = "vault.hashicorp.com/agent-revoke-grace" // AnnotationVaultNamespace is the Vault namespace where secrets can be found. AnnotationVaultNamespace = "vault.hashicorp.com/namespace" // AnnotationAgentRunAsUser sets the User ID to run the Vault Agent containers as. AnnotationAgentRunAsUser = "vault.hashicorp.com/agent-run-as-user" // AnnotationAgentRunAsGroup sets the Group ID to run the Vault Agent containers as. AnnotationAgentRunAsGroup = "vault.hashicorp.com/agent-run-as-group" // AnnotationAgentRunAsSameUser sets the User ID of the injected Vault Agent // containers to the User ID of the first application container in the Pod. // Requires Spec.Containers[0].SecurityContext.RunAsUser to be set in the // Pod Spec. AnnotationAgentRunAsSameUser = "vault.hashicorp.com/agent-run-as-same-user" AnnotationAgentShareProcessNamespace = "vault.hashicorp.com/agent-share-process-namespace" // AnnotationAgentSetSecurityContext controls whether a SecurityContext (uid // and gid) is set on the injected Vault Agent containers AnnotationAgentSetSecurityContext = "vault.hashicorp.com/agent-set-security-context" // AnnotationAgentServiceAccountTokenVolumeName is the optional name of a volume containing a // service account token AnnotationAgentServiceAccountTokenVolumeName = "vault.hashicorp.com/agent-service-account-token-volume-name" // AnnotationVaultService is the name of the Vault server. This can be overridden by the // user but will be set by a flag on the deployment. AnnotationVaultService = "vault.hashicorp.com/service" // AnnotationProxyAddress is the HTTP proxy to use when talking to the Vault server. AnnotationProxyAddress = "vault.hashicorp.com/proxy-address" // AnnotationVaultTLSSkipVerify allows users to configure verifying TLS // when communicating with Vault. AnnotationVaultTLSSkipVerify = "vault.hashicorp.com/tls-skip-verify" // AnnotationVaultTLSSecret is the name of the Kubernetes secret containing // client TLS certificates and keys. AnnotationVaultTLSSecret = "vault.hashicorp.com/tls-secret" // AnnotationVaultTLSServerName is the name of the Vault server to verify the // authenticity of the server when communicating with Vault over TLS. AnnotationVaultTLSServerName = "vault.hashicorp.com/tls-server-name" // AnnotationVaultCACert is the path of the CA certificate used to verify Vault's // CA certificate. AnnotationVaultCACert = "vault.hashicorp.com/ca-cert" // AnnotationVaultCAKey is the path of the CA key used to verify Vault's CA. AnnotationVaultCAKey = "vault.hashicorp.com/ca-key" // AnnotationVaultClientCert is the path of the client certificate used to communicate // with Vault over TLS. AnnotationVaultClientCert = "vault.hashicorp.com/client-cert" // AnnotationVaultClientKey is the path of the client key used to communicate // with Vault over TLS. AnnotationVaultClientKey = "vault.hashicorp.com/client-key" // AnnotationVaultClientMaxRetries is the number of retry attempts when 5xx errors are encountered. AnnotationVaultClientMaxRetries = "vault.hashicorp.com/client-max-retries" // AnnotationVaultClientTimeout sets the request timeout when communicating with Vault. AnnotationVaultClientTimeout = "vault.hashicorp.com/client-timeout" // AnnotationVaultGoMaxProcs sets the Vault Agent go max procs. AnnotationVaultGoMaxProcs = "vault.hashicorp.com/go-max-procs" // AnnotationVaultLogLevel sets the Vault Agent log level. AnnotationVaultLogLevel = "vault.hashicorp.com/log-level" // AnnotationVaultLogFormat sets the Vault Agent log format. AnnotationVaultLogFormat = "vault.hashicorp.com/log-format" // AnnotationVaultRole specifies the role to be used for the Kubernetes auto-auth // method. AnnotationVaultRole = "vault.hashicorp.com/role" // AnnotationVaultAuthType specifies the auto-auth method type to be used. AnnotationVaultAuthType = "vault.hashicorp.com/auth-type" // AnnotationVaultAuthPath specifies the mount path to be used for the auto-auth method. AnnotationVaultAuthPath = "vault.hashicorp.com/auth-path" // AnnotationVaultAuthConfig specifies the Auto Auth Method configuration parameters. // The name of the parameter is any unique string after "vault.hashicorp.com/auth-config-", // such as "vault.hashicorp.com/auth-config-foobar". AnnotationVaultAuthConfig = "vault.hashicorp.com/auth-config" // AnnotationVaultSecretVolumePath specifies where the secrets are to be // Mounted after fetching. AnnotationVaultSecretVolumePath = "vault.hashicorp.com/secret-volume-path" // AnnotationPreserveSecretCase if enabled will preserve the case of secret name // by default the name is converted to lower case. AnnotationPreserveSecretCase = "vault.hashicorp.com/preserve-secret-case" // AnnotationAgentCacheEnable if enabled will configure the sidecar container // to enable agent caching AnnotationAgentCacheEnable = "vault.hashicorp.com/agent-cache-enable" // AnnotationAgentCacheUseAutoAuthToken configures the agent cache to use the // auto auth token or not. Can be set to "force" to force usage of the auto-auth token AnnotationAgentCacheUseAutoAuthToken = "vault.hashicorp.com/agent-cache-use-auto-auth-token" // AnnotationAgentCacheListenerPort configures the port the agent cache should listen on AnnotationAgentCacheListenerPort = "vault.hashicorp.com/agent-cache-listener-port" // AnnotationAgentCacheExitOnErr configures whether the agent will exit on an // error while restoring the persistent cache AnnotationAgentCacheExitOnErr = "vault.hashicorp.com/agent-cache-exit-on-err" // AnnotationAgentCopyVolumeMounts is the name of the container or init container // in the Pod whose volume mounts should be copied onto the Vault Agent init and // sidecar containers. Ignores any Kubernetes service account token mounts. AnnotationAgentCopyVolumeMounts = "vault.hashicorp.com/agent-copy-volume-mounts" // AnnotationTemplateConfigExitOnRetryFailure configures whether agent // will exit on template render failures once it has exhausted all its retry // attempts. Defaults to true. AnnotationTemplateConfigExitOnRetryFailure = "vault.hashicorp.com/template-config-exit-on-retry-failure" // AnnotationTemplateConfigStaticSecretRenderInterval // If specified, configures how often Vault Agent Template should render non-leased secrets such as KV v2. // Defaults to 5 minutes. AnnotationTemplateConfigStaticSecretRenderInterval = "vault.hashicorp.com/template-static-secret-render-interval" // AnnotationTemplateConfigMaxConnectionsPerHost limits the total number of connections // that the Vault Agent templating engine can use for a particular Vault host. This limit // includes connections in the dialing, active, and idle states. AnnotationTemplateConfigMaxConnectionsPerHost = "vault.hashicorp.com/template-max-connections-per-host" // AnnotationAgentEnableQuit configures whether the quit endpoint is // enabled in the injected agent config AnnotationAgentEnableQuit = "vault.hashicorp.com/agent-enable-quit" // AnnotationAgentAuthMinBackoff specifies the minimum backoff duration used when the agent auto auth fails. // Defaults to 1 second. AnnotationAgentAuthMinBackoff = "vault.hashicorp.com/auth-min-backoff" // AnnotationAgentAuthMaxBackoff specifies the maximum backoff duration used when the agent auto auth fails. // Defaults to 5 minutes. AnnotationAgentAuthMaxBackoff = "vault.hashicorp.com/auth-max-backoff" // AnnotationAgentDisableIdleConnections specifies disabling idle connections for various // features in Vault Agent. Comma-separated string, with valid values auto-auth, caching, // templating. AnnotationAgentDisableIdleConnections = "vault.hashicorp.com/agent-disable-idle-connections" // AnnotationAgentDisableKeepAlives specifies disabling keep-alives for various // features in Vault Agent. Comma-separated string, with valid values auto-auth, caching, // templating. AnnotationAgentDisableKeepAlives = "vault.hashicorp.com/agent-disable-keep-alives" // AnnotationAgentJsonPatch is used to specify a JSON patch to be applied to the agent sidecar container before // it is created. AnnotationAgentJsonPatch = "vault.hashicorp.com/agent-json-patch" // AnnotationAgentInitJsonPatch is used to specify a JSON patch to be applied to the agent init container before // it is created. AnnotationAgentInitJsonPatch = "vault.hashicorp.com/agent-init-json-patch" // AnnotationAgentAutoAuthExitOnError is used to control if a failure in the auto_auth method will cause the agent to exit or try indefinitely (the default). AnnotationAgentAutoAuthExitOnError = "vault.hashicorp.com/agent-auto-auth-exit-on-err" // AnnotationAgentTelemetryConfig specifies the Agent Telemetry configuration parameters. // The name of the parameter is any unique string after "vault.hashicorp.com/agent-telemetry-", // such as "vault.hashicorp.com/agent-telemetry-foobar". AnnotationAgentTelemetryConfig = "vault.hashicorp.com/agent-telemetry" // AnnotationErrorOnMissingKey is the key of annotation that configures whether // template should error when a key is missing in the secret. The name of the // secret is the string after "vault.hashicorp.com/error-on-missing-key-", and // should map to the same unique value provided in // "vault.hashicorp.com/agent-inject-secret-". Defaults to false AnnotationErrorOnMissingKey = "vault.hashicorp.com/error-on-missing-key" )
View Source
const ( DefaultMapTemplate = "{{ with secret \"%s\" }}{{ range $k, $v := .Data }}{{ $k }}: {{ $v }}\n{{ end }}{{ end }}" DefaultJSONTemplate = "{{ with secret \"%s\" }}{{ .Data | toJSON }}\n{{ end }}" DefaultTemplateType = "map" PidFile = "/home/vault/.pid" TokenFile = "/home/vault/.vault-token" )
View Source
const ( // https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-cpu DefaultResourceLimitCPU = "500m" DefaultResourceLimitMem = "128Mi" DefaultResourceRequestCPU = "250m" DefaultResourceRequestMem = "64Mi" DefaultContainerArg = "echo ${VAULT_CONFIG?} | base64 -d > /home/vault/config.json && vault agent -config=/home/vault/config.json" DefaultRevokeGrace = 5 DefaultAgentLogLevel = "info" DefaultAgentLogFormat = "standard" )
Variables ¶
This section is empty.
Functions ¶
Types ¶
type Agent ¶
type Agent struct {
// Annotations are the current pod annotations used to
// configure the Vault Agent container.
Annotations map[string]string
// DefaultTemplate is the default template to be used when
// no custom template is specified via annotations.
DefaultTemplate string
// ImageName is the name of the Vault image to use for the
// sidecar container.
ImageName string
// Containers determine which containers should be injected
Containers []string
// Inject is the flag used to determine if a container should be requested
// in a pod request.
Inject bool
// InitFirst controls whether an init container is first to run.
InitFirst bool
// LimitsCPU is the upper CPU limit the sidecar container is allowed to consume.
LimitsCPU string
// LimitsMem is the upper memory limit the sidecar container is allowed to consume.
LimitsMem string
// LimitsEphemeral is the upper ephemeral storage limit the sidecar container is allowed to consume.
LimitsEphemeral string
// Namespace is the Kubernetes namespace the request originated from.
Namespace string
// Pod is the original Kubernetes pod spec.
Pod *corev1.Pod
// PrePopulate controls whether an init container is added to the request.
PrePopulate bool
// PrePopulateOnly controls whether an init container is the _only_ container
// added to the request.
PrePopulateOnly bool
// RevokeOnShutdown controls whether a sidecar container will attempt to revoke its Vault
// token on shutting down.
RevokeOnShutdown bool
// RevokeGrace controls after receiving the signal for pod
// termination that the container will attempt to revoke its own Vault token.
RevokeGrace uint64
// RequestsCPU is the requested minimum CPU amount required when being scheduled to deploy.
RequestsCPU string
// RequestsMem is the requested minimum memory amount required when being scheduled to deploy.
RequestsMem string
// RequestsEphemeral is the requested minimum ephemeral storage amount required when being scheduled to deploy.
RequestsEphemeral string
// Secrets are all the templates, the path in Vault where the secret can be
// found, and the unique name of the secret which will be used for the filename.
Secrets []*Secret
// ServiceAccountTokenVolume holds details of a volume mount for a
// Kubernetes service account token for the pod. This is used when we mount
// the service account to the Vault Agent container(s).
ServiceAccountTokenVolume *ServiceAccountTokenVolume
// Status is the current injection status. The only status considered is "injected",
// which prevents further mutations. A user can patch this annotation to force a new
// mutation.
Status string
// ConfigMapName is the name of the configmap a user wants to mount to Vault Agent
// container(s).
ConfigMapName string
// Vault is the structure holding all the Vault specific configurations.
Vault Vault
// VaultAgentCache is the structure holding the Vault agent cache specific configurations
VaultAgentCache VaultAgentCache
// VaultAgentTemplateConfig is the structure holding the Vault agent
// template_config specific configuration
VaultAgentTemplateConfig VaultAgentTemplateConfig
// RunAsUser is the user ID to run the Vault agent container(s) as.
RunAsUser int64
// RunAsGroup is the group ID to run the Vault agent container(s) as.
RunAsGroup int64
// RunAsSameID sets the user ID of the Vault agent container(s) to be the
// same as the first application container
RunAsSameID bool
ShareProcessNamespace *bool
// SetSecurityContext controls whether the injected containers have a
// SecurityContext set.
SetSecurityContext bool
// ExtraSecret is the Kubernetes secret to mount as a volume in the Vault agent container
// which can be referenced by the Agent config for secrets. Mounted at /vault/custom/
ExtraSecret string
// AwsIamTokenAccountName is the aws iam volume mount name for the pod.
// Need this for IRSA aka pod identity
AwsIamTokenAccountName string
// AwsIamTokenAccountPath is the aws iam volume mount path for the pod
// where the JWT would be present
// Need this for IRSA aka pod identity
AwsIamTokenAccountPath string
// CopyVolumeMounts is the name of the container in the Pod whose volume mounts
// should be copied into the Vault Agent init and/or sidecar containers.
CopyVolumeMounts string
// InjectToken controls whether the auto-auth token is injected into the
// secrets volume (e.g. /vault/secrets/token)
InjectToken bool
// EnableQuit controls whether the quit endpoint is enabled on a localhost
// listener
EnableQuit bool
// DisableIdleConnections controls which Agent features have idle
// connections disabled
DisableIdleConnections []string
// DisableKeepAlives controls which Agent features have keep-alives disabled.
DisableKeepAlives []string
// JsonPatch can be used to modify the agent sidecar container before it is created.
JsonPatch string
// InitJsonPatch can be used to modify the agent-init container before it is created.
InitJsonPatch string
// AutoAuthExitOnError is used to control if a failure in the auto_auth method will cause the agent to exit or try indefinitely (the default).
AutoAuthExitOnError bool
}
Agent is the top level structure holding all the configurations for the Vault Agent container.
func (*Agent) ContainerConfigMapVolume ¶
ContainerConfigMapVolume returns a volume to mount a config map if the user supplied any.
func (*Agent) ContainerEnvVars ¶
ContainerEnvVars adds the applicable environment vars for the Vault Agent sidecar.
func (*Agent) ContainerExtraSecretVolume ¶ added in v0.6.0
ContainerExtraSecretVolume returns a volume to mount a Kube secret if the user supplied one.
func (*Agent) ContainerInitSidecar ¶
ContainerInitSidecar creates a new init container to be added to the pod being mutated. After Vault 1.4 is released, this can be removed because an exit_after_auth environment variable is available for the agent. This means we won't need to generate two config files.
func (*Agent) ContainerSidecar ¶
ContainerSidecar creates a new container to be added to the pod being mutated.
func (*Agent) ContainerTLSSecretVolume ¶
ContainerTLSSecretVolume returns a volume to mount TLS secrets if the user supplied any.
func (*Agent) ContainerTokenVolume ¶ added in v0.4.0
ContainerTokenVolume returns a volume to mount the home directory where the token sink will write to.
func (*Agent) ContainerVolumeMounts ¶ added in v0.3.0
func (a *Agent) ContainerVolumeMounts() []corev1.VolumeMount
ContainerVolumeMounts mounts the shared memory volume where secrets will be rendered.
func (*Agent) ContainerVolumes ¶ added in v0.3.0
ContainerVolume returns the volume data to add to the pod. This volumes are used for shared data between containers.
type AgentAPI ¶ added in v0.16.0
type AgentAPI struct {
EnableQuit bool `json:"enable_quit"`
}
AgentAPI defines the agent_api stanza for a listener
type AgentConfig ¶ added in v0.4.0
type AgentConfig struct {
Image string
Address string
AuthType string
AuthPath string
VaultNamespace string
Namespace string
RevokeOnShutdown bool
UserID string
GroupID string
SameID bool
SetSecurityContext bool
ProxyAddress string
DefaultTemplate string
ResourceRequestCPU string
ResourceRequestMem string
ResourceRequestEphemeral string
ResourceLimitCPU string
ResourceLimitMem string
ResourceLimitEphemeral string
ExitOnRetryFailure bool
StaticSecretRenderInterval string
MaxConnectionsPerHost int64
AuthMinBackoff string
AuthMaxBackoff string
DisableIdleConnections string
DisableKeepAlives string
}
type AutoAuth ¶
type AutoAuth struct {
Method *Method `json:"method,omitempty"`
Sinks []*Sink `json:"sink,omitempty"`
}
AutoAuth is the configured authentication method and sinks
type Cache ¶ added in v0.5.0
type Cache struct {
UseAutoAuthToken string `json:"use_auto_auth_token,omitempty"`
Persist *CachePersist `json:"persist,omitempty"`
}
Cache defines the configuration for the Vault Agent Cache
type CachePersist ¶ added in v0.9.0
type CachePersist struct {
Type string `json:"type"`
Path string `json:"path"`
KeepAfterImport bool `json:"keep_after_import,omitempty"`
ExitOnErr bool `json:"exit_on_err,omitempty"`
ServiceAccountTokenFile string `json:"service_account_token_file,omitempty"`
}
CachePersist defines the configuration for persistent caching in Vault Agent
type Config ¶
type Config struct {
AutoAuth *AutoAuth `json:"auto_auth"`
ExitAfterAuth bool `json:"exit_after_auth"`
PidFile string `json:"pid_file"`
Vault *VaultConfig `json:"vault"`
Templates []*Template `json:"template,omitempty"`
Listener []*Listener `json:"listener,omitempty"`
Cache *Cache `json:"cache,omitempty"`
TemplateConfig *TemplateConfig `json:"template_config,omitempty"`
DisableIdleConnections []string `json:"disable_idle_connections,omitempty"`
DisableKeepAlives []string `json:"disable_keep_alives,omitempty"`
Telemetry *Telemetry `json:"telemetry,omitempty"`
}
Config is the top level struct that composes a Vault Agent configuration file.
type Listener ¶ added in v0.5.0
type Listener struct {
Type string `json:"type"`
Address string `json:"address"`
TLSDisable bool `json:"tls_disable"`
AgentAPI *AgentAPI `json:"agent_api,omitempty"`
}
Listener defines the configuration for Vault Agent Cache Listener
type Method ¶
type Method struct {
Type string `json:"type"`
MountPath string `json:"mount_path,omitempty"`
WrapTTLRaw interface{} `json:"wrap_ttl,omitempty"`
WrapTTL time.Duration `json:"-"`
MinBackoff string `json:"min_backoff,omitempty"`
MaxBackoff string `json:"max_backoff,omitempty"`
Namespace string `json:"namespace,omitempty"`
Config map[string]interface{} `json:"config,omitempty"`
ExitOnErr bool `json:"exit_on_err,omitempty"`
}
Method represents the configuration for the authentication backend
type Secret ¶
type Secret struct {
// Name of the secret used to identify other annotation directives, and used
// as the filename for the rendered secret file (unless FilePathAndName is
// specified).
Name string
// RawName is original annotation suffix value
RawName string
// Path in Vault where the secret desired can be found.
Path string
// Template is the optional custom template to use when rendering the secret.
Template string
// Template file is the optional path on disk to the custom template to use when rendering the secret.
TemplateFile string
// Mount Path for the volume holding the rendered secret file
MountPath string
// Command is the optional command to run after rendering the secret.
Command string
// FilePathAndName is the optional file path and name for the rendered secret file.
FilePathAndName string
// FilePermission is the optional file permission for the rendered secret file
FilePermission string
// ErrMissingKey is used to control how the template behaves when attempting
// to index a struct or a map key that does not exist
ErrMissingKey bool
}
type ServiceAccountTokenVolume ¶ added in v0.13.0
type Sink ¶
type Sink struct {
Type string `json:"type"`
WrapTTLRaw interface{} `json:"wrap_ttl,omitempty"`
WrapTTL time.Duration `json:"-"`
DHType string `json:"dh_type,omitempty"`
DHPath string `json:"dh_path,omitempty"`
AAD string `json:"aad,omitempty"`
AADEnvVar string `json:"aad_env_var,omitempty"`
Config map[string]interface{} `json:"config,omitempty"`
}
Sink defines a location to write the authenticated token
type Telemetry ¶ added in v1.2.0
type Telemetry struct {
UsageGaugePeriod string `json:"usage_gauge_period,omitempty"`
MaximumGaugeCardinality int `json:"maximum_gauge_cardinality,omitempty"`
DisableHostname bool `json:"disable_hostname,omitempty"`
EnableHostnameLabel bool `json:"enable_hostname_label,omitempty"`
LeaseMetricsEpsilon string `json:"lease_metrics_epsilon,omitempty"`
NumLeaseMetricsBuckets int `json:"num_lease_metrics_buckets,omitempty"`
AddLeaseMetricsNamespaceLabels bool `json:"add_lease_metrics_namespace_labels,omitempty"`
FilterDefault bool `json:"filter_default,omitempty"`
PrefixFilter []string `json:"prefix_filter,omitempty"`
StatsiteAddress string `json:"statsite_address,omitempty"`
StatsdAddress string `json:"statsd_address,omitempty"`
CirconusApiToken string `json:"circonus_api_token,omitempty"`
CirconusApiApp string `json:"circonus_api_app,omitempty"`
CirconusApiURL string `json:"circonus_api_url,omitempty"`
CirconusSubmissionInterval string `json:"circonus_submission_interval,omitempty"`
CirconusSubmissionURL string `json:"circonus_submission_url,omitempty"`
CirconusCheckID string `json:"circonus_check_id,omitempty"`
CirconusCheckForceMetricActivation bool `json:"circonus_check_force_metric_activation,omitempty"`
CirconusCheckInstanceID string `json:"circonus_check_instance_id,omitempty"`
CirconusCheckSearchTag string `json:"circonus_check_search_tag,omitempty"`
CirconusCheckDisplayName string `json:"circonus_check_display_name,omitempty"`
CirconusCheckTags string `json:"circonus_check_tags,omitempty"`
CirconusBrokerID string `json:"circonus_broker_id,omitempty"`
CirconusBrokerSelectTag string `json:"circonus_broker_select_tag,omitempty"`
DogstatsdAddr string `json:"dogstatsd_addr,omitempty"`
DogstatsdTags []string `json:"dogstatsd_tags,omitempty"`
PrometheusRetentionTime string `json:"prometheus_retention_time,omitempty"`
StackdriverProjectID string `json:"stackdriver_project_id,omitempty"`
StackdriverLocation string `json:"stackdriver_location,omitempty"`
StackdriverNamespace string `json:"stackdriver_namespace,omitempty"`
StackdriverDebugLogs bool `json:"stackdriver_debug_logs,omitempty"`
}
Telemetry defines the configuration for agent telemetry in Vault Agent.
type Template ¶
type Template struct {
CreateDestDirs bool `json:"create_dest_dirs,omitempty"`
Destination string `json:"destination"`
Contents string `json:"contents,omitempty"`
LeftDelim string `json:"left_delimiter,omitempty"`
RightDelim string `json:"right_delimiter,omitempty"`
Command string `json:"command,omitempty"`
Source string `json:"source,omitempty"`
Perms string `json:"perms,omitempty"`
ErrMissingKey bool `json:"error_on_missing_key,omitempty"`
}
Template defines the Consul Template parameters
type TemplateConfig ¶ added in v0.11.0
type TemplateConfig struct {
ExitOnRetryFailure bool `json:"exit_on_retry_failure"`
StaticSecretRenderInterval string `json:"static_secret_render_interval,omitempty"`
MaxConnectionsPerHost int64 `json:"max_connections_per_host,omitempty"`
}
TemplateConfig defines the configuration for template_config in Vault Agent
type Vault ¶
type Vault struct {
// Address is the Vault service address.
Address string
// ProxyAddress is the proxy service address to use when talking to the Vault service.
ProxyAddress string
// AuthType is type of Vault Auth Method to use.
AuthType string
// AuthPath is the Mount Path of Vault Auth Method.
AuthPath string
// AuthConfig is the Auto Auth Method configuration.
AuthConfig map[string]interface{}
// CACert is the name of the Certificate Authority certificate
// to use when validating Vault's server certificates. It takes
// precedence over CACertBytes.
CACert string
// CACertBytes is the contents of the CA certificate to trust
// for TLS with Vault as a PEM-encoded certificate or bundle.
// Can also be base64 encoded PEM contents.
CACertBytes string
// CAKey is the name of the Certificate Authority key
// to use when validating Vault's server certificates.
CAKey string
// ClientCert is the name of the client certificate to use when communicating
// with Vault over TLS.
ClientCert string
// ClientKey is the name of the client key to use when communicating
// with Vault over TLS.
ClientKey string
// ClientMaxRetries configures the number of retries the client should make
// when 5-- errors are received from the Vault server. Default is 2.
ClientMaxRetries string
// ClientTimeout is the max number in seconds the client should attempt to
// make a request to the Vault server.
ClientTimeout string
// GoMaxProcs sets the Vault Agent go max procs.
GoMaxProcs string
// LogLevel sets the Vault Agent log level. Defaults to info.
LogLevel string
// LogFormat sets the Vault Agent log format. Defaults to standard.
LogFormat string
// Namespace is the Vault namespace to prepend to secret paths.
Namespace string
// Role is the name of the Vault role to use for authentication.
Role string
// TLSSecret is the name of the secret to be mounted to the Vault Agent container
// containing the TLS certificates required to communicate with Vault.
TLSSecret string
// TLSSkipVerify toggles verification of Vault's certificates.
TLSSkipVerify bool
// TLSServerName is the name of the Vault server to use when validating Vault's
// TLS certificates.
TLSServerName string
// AuthMinBackoff is the minimum time to backoff if auto auth fails.
AuthMinBackoff string
// AuthMinBackoff is the maximum time to backoff if auto auth fails.
AuthMaxBackoff string
// AgentTelemetryConfig is the agent telemetry configuration.
AgentTelemetryConfig map[string]interface{}
}
type VaultAgentCache ¶ added in v0.5.0
type VaultAgentCache struct {
// Enable configures whether the cache is enabled or not
Enable bool
// ListenerPort is the port the cache should listen to
ListenerPort string
// UseAutoAuthToken configures whether the auto auth token is used in cache requests
UseAutoAuthToken string
// Persist marks whether persistent caching is enabled or not
Persist bool
// ExitOnErr configures whether the agent will exit on an error while
// restoring the persistent cache
ExitOnErr bool
}
type VaultAgentTemplateConfig ¶ added in v0.11.0
type VaultAgentTemplateConfig struct {
// ExitOnRetryFailure configures whether agent should exit after failing
// all its retry attempts when rendering templates
ExitOnRetryFailure bool
// StaticSecretRenderInterval If specified, configures how often
// Vault Agent Template should render non-leased secrets such as KV v2
StaticSecretRenderInterval string
// MaxConnectionsPerHost limits the total number of connections
// that the Vault Agent templating engine can use for a particular Vault host. This limit
// includes connections in the dialing, active, and idle states.
MaxConnectionsPerHost int64
}
type VaultConfig ¶
type VaultConfig struct {
Address string `json:"address"`
CACert string `json:"ca_cert,omitempty"`
CAPath string `json:"ca_path,omitempty"`
TLSSkipVerify bool `json:"tls_skip_verify,omitempty"`
ClientCert string `json:"client_cert,omitempty"`
ClientKey string `json:"client_key,omitempty"`
TLSServerName string `json:"tls_server_name,omitempty"`
}
Vault contains configuration for connecting to Vault servers
Source Files
Click to show internal directories.
Click to hide internal directories.