Documentation

Index

Constants

View Source
const (
	Unset   PatchOperation = "unset"
	Add                    = "add"
	Replace                = "replace"
)
View Source
const (
	// These environment variables aren't set by default.
	// Vault may read them in if set through these environment variables.
	// Example here:
	// https://kubernetes.io/docs/tasks/inject-data-application/environment-variable-expose-pod-information/
	// The client itself does nothing directly with these variables, it's
	// up to the caller. However, they live here so they'll be consistently
	// named should the client ever be reused.
	// We generally recommend preferring environmental settings over configured
	// ones, allowing settings from the Downward API to override hard-coded
	// ones.
	EnvVarKubernetesNamespace = "VAULT_K8S_NAMESPACE"
	EnvVarKubernetesPodName   = "VAULT_K8S_POD_NAME"

	// The service host and port environment variables are
	// set by default inside a Kubernetes environment.
	EnvVarKubernetesServiceHost = "KUBERNETES_SERVICE_HOST"
	EnvVarKubernetesServicePort = "KUBERNETES_SERVICE_PORT"
)

Variables

View Source
var (
	// Retry configuration
	RetryWaitMin = 500 * time.Millisecond
	RetryWaitMax = 30 * time.Second
	RetryMax     = 10

	// Standard errs
	ErrNamespaceUnset = errors.New(`"namespace" is unset`)
	ErrPodNameUnset   = errors.New(`"podName" is unset`)
	ErrNotInCluster   = errors.New("unable to load in-cluster configuration, KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT must be defined")
)
View Source
var (
	// These are presented as variables so they can be updated
	// to point at test fixtures if needed. They aren't passed
	// into inClusterConfig to avoid dependency injection.
	Scheme     = "https://"
	TokenFile  = "/var/run/secrets/kubernetes.io/serviceaccount/token"
	RootCAFile = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
)

Functions

func Sanitize

func Sanitize(val string) string

    Sanitize is for "data" being sent to the Kubernetes API. Data must consist of alphanumeric characters, '-', '_' or '.'. Any other characters found in the original value will be stripped, and the surrounding characters will be concatenated.

    Types

    type Client

    type Client struct {
    	// contains filtered or unexported fields
    }

      Client is a minimal Kubernetes client. We rolled our own because the existing Kubernetes client-go library available externally has a high number of dependencies and we thought it wasn't worth it for only two API calls. If at some point they break the client into smaller modules, or if we add quite a few methods to this client, it may be worthwhile to revisit that decision.

      func New

      func New(logger hclog.Logger) (*Client, error)

        New instantiates a Client. The stopCh is used for exiting retry loops when closed.

        func (*Client) GetPod

        func (c *Client) GetPod(namespace, podName string) (*Pod, error)

          GetPod gets a pod from the Kubernetes API.

          func (*Client) PatchPod

          func (c *Client) PatchPod(namespace, podName string, patches ...*Patch) error

            PatchPod updates the pod's tags to the given ones. It does so non-destructively, or in other words, without tearing down the pod.

            func (*Client) Shutdown

            func (c *Client) Shutdown()

            type Config

            type Config struct {
            	CACertPool *x509.CertPool
            
            	// Host must be a host string, a host:port pair, or a URL to the base of the apiserver.
            	// If a URL is given then the (optional) Path of that URL represents a prefix that must
            	// be appended to all request URIs used to access the apiserver. This allows a frontend
            	// proxy to easily relocate all of the apiserver endpoints.
            	Host string
            
            	// Server requires Bearer authentication. This client will not attempt to use
            	// refresh tokens for an OAuth2 flow.
            	BearerToken string
            
            	// Path to a file containing a BearerToken.
            	// If set, checks for a new token in the case of authorization errors.
            	BearerTokenFile string
            }

              This config is based on the one returned here: https://github.com/kubernetes/client-go/blob/a56922badea0f2a91771411eaa1173c9e9243908/rest/config.go#L451 It is pared down to the absolute minimum fields used by this code. The CACertPool is promoted to the top level from being originally on the TLSClientConfig because it is the only parameter of the TLSClientConfig used by this code. Also, it made more sense to simply reuse the pool rather than holding raw values and parsing it repeatedly.

              type ErrNotFound

              type ErrNotFound struct {
              	// contains filtered or unexported fields
              }

              func (*ErrNotFound) Error

              func (e *ErrNotFound) Error() string

              type Metadata

              type Metadata struct {
              	Name string `json:"name,omitempty"`
              
              	// This map will be nil if no "labels" key was provided.
              	// It will be populated but have a length of zero if the
              	// key was provided, but no values.
              	Labels map[string]string `json:"labels,omitempty"`
              }

              type Patch

              type Patch struct {
              	Operation PatchOperation
              	Path      string
              	Value     interface{}
              }

              type PatchOperation

              type PatchOperation string

              type Pod

              type Pod struct {
              	Metadata *Metadata `json:"metadata,omitempty"`
              }

              Directories

              Path Synopsis
              cmd