vault

package



Constants

View Source
// Image repository names for the components this package deploys. Only the
// repository is fixed here — no registry and no tag or digest — so the version
// must be pinned wherever the tag is supplied (NewVaultCRD takes an images map,
// presumably keyed by these names — confirm). An unpinned or floating tag is a
// supply-chain risk: pin a digest for production deployments.
const (
	// BankVaultsImage is the bank-vaults image repository (registry and tag not included).
	BankVaultsImage    = "banzaicloud/bank-vaults"
	// VaultOperatorImage is the vault-operator image repository (registry and tag not included).
	VaultOperatorImage = "banzaicloud/vault-operator"
	// VaultImage is the Vault server image repository (registry and tag not included).
	VaultImage         = "vault"
)

Variables

This section is empty.

Functions

func CreateOrUpdateVault

func CreateOrUpdateVault(vault *v1alpha1.Vault, vaultOperatorClient versioned.Interface, ns string) error

CreateOrUpdateVault creates the specified Vault CRD if it does not exist or updates it otherwise.

func DeleteVault

func DeleteVault(vaultOperatorClient versioned.Interface, name string, ns string) error

DeleteVault deletes the Vault resource called name in namespace ns.

func FindVault

func FindVault(vaultOperatorClient versioned.Interface, name string, ns string) bool

FindVault reports whether a Vault resource called name exists in namespace ns (it returns only a bool, so lookup errors are not distinguishable from "not found").

func GetAuthSaName

func GetAuthSaName(vault v1alpha1.Vault) string

GetAuthSaName gets the Auth Service Account name for the vault

func GetVault

func GetVault(vaultOperatorClient versioned.Interface, name string, ns string) (*v1alpha1.Vault, error)

GetVault gets a specific vault

func GetVaults

func GetVaults(client kubernetes.Interface, vaultOperatorClient versioned.Interface, ns string, useIngressURL bool) ([]*vault.Vault, error)

GetVaults returns all vaults available in the given namespace. When useIngressURL is set, the returned vaults are presumably addressed by their ingress URL rather than their in-cluster service address — confirm against the implementation before relying on it across a network boundary.

func NewVaultCRD

func NewVaultCRD(kubeClient kubernetes.Interface, name string, ns string, images map[string]string,
	authServiceAccount string, authServiceAccountNamespace string, secretsPathPrefix string) (*v1alpha1.Vault, error)

NewVaultCRD creates and initializes a new Vault instance.

func SystemVaultName

func SystemVaultName(kuber kube.Kuber) (string, error)

SystemVaultName returns the name of the system vault based on the cluster name

func SystemVaultNameForCluster

func SystemVaultNameForCluster(clusterName string) string

SystemVaultNameForCluster returns the system vault name from a given cluster name

Types

type AWSConfig

// AWSConfig bundles the inputs PrepareAWSVaultCRD needs to build the AWS
// storage and seal configuration. AccessKeyID and SecretAccessKey are static,
// long-lived credentials held in plaintext on this struct: keep instances out
// of logs and error messages, and prefer role-based credentials where the
// deployment allows.
type AWSConfig struct {
	v1alpha1.AWSUnsealConfig // unseal settings from the vault-operator v1alpha1 API
	AutoCreate          bool   // NOTE(review): presumably whether backing AWS resources are created when absent — confirm in PrepareAWSVaultCRD
	DynamoDBTable       string // DynamoDB table used as the Vault storage backend (see DynamoDBConfig)
	DynamoDBRegion      string // AWS region of the DynamoDB table
	AccessKeyID         string // AWS access key ID — secret material
	SecretAccessKey     string // AWS secret access key — secret material
	ProvidedIAMUsername string // NOTE(review): presumably an existing IAM user to use rather than creating one — confirm
}

AWSConfig keeps the vault configuration for AWS

type AWSSealConfig added in v2.1.56

// AWSSealConfig is the awskms seal stanza (see the json tags) handed to Vault
// for auto-unseal. AccessKey and SecretKey are static credentials serialised
// into the rendered config; because every field is omitempty, leaving them
// blank keeps keys out of the config entirely, which is preferable whenever
// Vault can obtain credentials from its runtime environment instead. Where the
// rendered config is stored (Secret vs ConfigMap) is not visible here — verify
// before embedding keys.
type AWSSealConfig struct {
	Region    string `json:"region,omitempty"`     // AWS region of the KMS key
	AccessKey string `json:"access_key,omitempty"` // static AWS access key — secret material; omit if possible
	SecretKey string `json:"secret_key,omitempty"` // static AWS secret key — secret material; omit if possible
	KmsKeyID  string `json:"kms_key_id,omitempty"` // KMS key used to wrap the Vault master key
	Endpoint  string `json:"endpoint,omitempty"`   // optional custom KMS endpoint (presumably for VPC/FIPS endpoints)
}

AWSSealConfig AWS KMS config for vault auto-unseal

type AzureConfig added in v2.1.140

// AzureConfig bundles the inputs PrepareAzureVaultCRD needs: the storage
// account and container backing Vault's data, and the Key Vault key used for
// auto-unseal. StorageAccountKey is held in plaintext on this struct — treat
// instances as secret material.
type AzureConfig struct {
	v1alpha1.AzureUnsealConfig // unseal settings from the vault-operator v1alpha1 API
	StorageAccountName string // Azure Storage account holding the Vault backend (see AzureStorageConfig)
	StorageAccountKey  string // storage account key — secret material
	ContainerName      string // blob container inside the storage account
	TenantID           string // Azure AD tenant used for the Key Vault seal
	VaultName          string // Azure Key Vault that holds the unseal key
	KeyName            string // key within that Key Vault used for auto-unseal
}

AzureConfig keeps the vault configuration for Azure

type AzureSealConfig added in v2.1.140

// AzureSealConfig is the azurekeyvault seal stanza (see the json tags) handed
// to Vault for auto-unseal. It carries no credentials of its own, so Vault
// must be able to authenticate to Azure from its runtime environment.
type AzureSealConfig struct {
	TenantID  string `json:"tenant_id,omitempty"`  // Azure AD tenant of the Key Vault
	VaultName string `json:"vault_name,omitempty"` // Azure Key Vault name
	KeyName   string `json:"key_name,omitempty"`   // key used to wrap the Vault master key
}

AzureSealConfig Azure Key Vault config for vault auto-unseal

type AzureStorageConfig added in v2.1.140

// AzureStorageConfig is the azure storage stanza (see the json tags) for the
// Vault backend. AccountKey is a storage account key serialised in plaintext;
// none of the fields are omitempty, so an empty key is still emitted as "".
// Confirm the rendered config is stored as a Secret, not a ConfigMap.
type AzureStorageConfig struct {
	AccountName   string `json:"accountName"` // Azure Storage account name
	AccountKey    string `json:"accountKey"`  // storage account key — secret material
	ContainerName string `json:"container"`   // blob container that holds Vault's data
}

AzureStorageConfig Azure Storage config for Vault backend

type CloudProviderConfig

// CloudProviderConfig carries the provider-specific parts of a Vault CRD.
// Storage and Seal are free-form maps; the typed Storage and Seal structs in
// this package describe the shapes they are presumably built from. Because the
// storage and seal stanzas can carry cloud credentials, treat a populated
// CloudProviderConfig as secret material.
type CloudProviderConfig struct {
	Storage           map[string]interface{}     // Vault storage backend stanza (see Storage)
	Seal              map[string]interface{}     // Vault seal stanza for auto-unseal (see Seal)
	UnsealConfig      v1alpha1.UnsealConfig      // vault-operator unseal settings
	CredentialsConfig v1alpha1.CredentialsConfig // NOTE(review): cloud credentials for the operator; the Prepare*VaultCRD functions take a service-account secret name, so this likely references a Secret — confirm
}

CloudProviderConfig is a wrapper around the cloud provider specific elements of the Vault CRD configuration

func PrepareAWSVaultCRD

func PrepareAWSVaultCRD(awsServiceAccountSecretName string, awsConfig *AWSConfig) (CloudProviderConfig, error)

PrepareAWSVaultCRD builds the CloudProviderConfig (storage and seal stanzas plus unseal/credentials config) for a vault backed by AWS KMS auto-unseal and DynamoDB storage; it does not create the Vault resource itself.

func PrepareAzureVaultCRD added in v2.1.140

func PrepareAzureVaultCRD(azureConfig *AzureConfig) (CloudProviderConfig, error)

PrepareAzureVaultCRD builds the CloudProviderConfig for a vault backed by Azure Key Vault auto-unseal and Azure Storage; it does not create the Vault resource itself.

func PrepareGKEVaultCRD

func PrepareGKEVaultCRD(gcpServiceAccountSecretName string, gcpConfig *GCPConfig) (CloudProviderConfig, error)

PrepareGKEVaultCRD builds the CloudProviderConfig for a vault backed by Google Cloud KMS auto-unseal and Google Cloud Storage; it does not create the Vault resource itself.

type DynamoDBConfig

// DynamoDBConfig is the dynamodb storage stanza (see the json tags) for the
// Vault backend. No field is omitempty, so blank credentials are emitted as
// empty strings rather than dropped; AccessKeyID/SecretAccessKey are static
// credentials serialised in plaintext — verify where the rendered config ends up.
type DynamoDBConfig struct {
	HaEnabled       string `json:"ha_enabled"` // NOTE: a string, not a bool — presumably the literal "true"/"false" — confirm
	Region          string `json:"region"`     // AWS region of the table
	Table           string `json:"table"`      // DynamoDB table name
	AccessKeyID     string `json:"access_key"` // static AWS access key ID — secret material
	SecretAccessKey string `json:"secret_key"` // static AWS secret access key — secret material
}

DynamoDBConfig AWS DynamoDB config for Vault backend

type GCPConfig

// GCPConfig bundles the inputs PrepareGKEVaultCRD needs: the Cloud KMS key
// used for auto-unseal and the GCS bucket used as the storage backend. Unlike
// the AWS/Azure equivalents it holds no credentials — those come via the
// service-account secret name passed to PrepareGKEVaultCRD.
type GCPConfig struct {
	ProjectId   string // GCP project
	KmsKeyring  string // Cloud KMS key ring holding the unseal key
	KmsKey      string // Cloud KMS crypto key used for auto-unseal
	KmsLocation string // Cloud KMS location/region of the key ring
	GcsBucket   string // GCS bucket used as the Vault storage backend (see GCSConfig)
}

GCPConfig keeps the configuration for Google Cloud

type GCPSealConfig

// GCPSealConfig is the gcpckms seal stanza (see the json tags) handed to Vault
// for auto-unseal. All fields are omitempty.
type GCPSealConfig struct {
	Credentials string `json:"credentials,omitempty"` // NOTE(review): presumably a path to a service-account credentials file, not the JSON itself — confirm; either way treat as secret material
	Project     string `json:"project,omitempty"`     // GCP project of the key ring
	Region      string `json:"region,omitempty"`      // Cloud KMS location of the key ring
	KeyRing     string `json:"key_ring,omitempty"`    // Cloud KMS key ring
	CryptoKey   string `json:"crypto_key,omitempty"`  // crypto key used to wrap the Vault master key
}

GCPSealConfig Google Cloud KMS config for vault auto-unseal

type GCSConfig

// GCSConfig is the gcs storage stanza (see the json tags) for the Vault backend.
type GCSConfig struct {
	Bucket    string `json:"bucket"`     // GCS bucket holding Vault's data
	HaEnabled string `json:"ha_enabled"` // NOTE: a string, not a bool — presumably the literal "true"/"false" — confirm
}

GCSConfig Google Cloud Storage config for Vault backend

type Listener

// Listener is the listener stanza of the Vault server config; only a tcp
// listener is modelled (see Tcp, including its TlsDisable caveat).
type Listener struct {
	Tcp Tcp `json:"tcp"` // tcp listener settings
}

Listener vault server listener

type OptionsInterface

// OptionsInterface is the subset of a CommonOptions object this package needs:
// Kubernetes and vault-operator clients plus terminal I/O handles (used by the
// interactive selector to prompt the user). Defining it here avoids a
// dependency on the whole cmd package.
type OptionsInterface interface {
	KubeClientAndNamespace() (kubernetes.Interface, string, error) // Kubernetes client and the current namespace
	VaultOperatorClient() (versioned.Interface, error)             // client for the vault-operator CRDs
	GetIn() terminal.FileReader                                    // terminal input (for interactive prompts)
	GetOut() terminal.FileWriter                                   // terminal output
	GetErr() io.Writer                                             // terminal error output
	GetIOFileHandles() util.IOFileHandles                          // the three handles above bundled together
}

OptionsInterface is an interface to allow passing around of a CommonOptions object without dependencies on the whole of the cmd package

type Seal

// Seal is the seal stanza of the Vault server config for auto-unseal. Exactly
// one provider is expected to be set; the json keys match the stanza names
// Vault accepts, and unset providers are omitted.
type Seal struct {
	GcpCkms       *GCPSealConfig   `json:"gcpckms,omitempty"`       // Google Cloud KMS
	AWSKms        *AWSSealConfig   `json:"awskms,omitempty"`        // AWS KMS (may carry static credentials — see AWSSealConfig)
	AzureKeyVault *AzureSealConfig `json:"azurekeyvault,omitempty"` // Azure Key Vault
}

Seal configuration for Vault auto-unseal

type SecretEngine

// SecretEngine describes a secrets engine to mount: the Vault API mount input
// (type, options, description) plus the path it is mounted at.
type SecretEngine struct {
	vaultapi.MountInput // mount parameters as accepted by the Vault API
	Path string `json:"path"` // mount path for the engine
}

SecretEngine configuration for secret engine

type Selector

// Selector picks a vault from those installed on the platform. Implementations
// are expected to choose the obvious one, or to let the user pick when several
// are installed (see NewVaultSelector).
type Selector interface {
	GetVault(name string, namespace string, useIngressURL bool) (*vault.Vault, error) // resolve a vault by name/namespace; useIngressURL presumably selects the ingress address over the in-cluster one — confirm
}

Selector is an interface for selecting a vault from the ones installed on the platform. It should pick the most logical one, or give the user a way of picking a vault if there are multiple installed.

func NewVaultSelector

func NewVaultSelector(o OptionsInterface) (Selector, error)

NewVaultSelector creates a new vault selector

type Storage

// Storage is the storage stanza of the Vault server config. Exactly one backend
// is expected to be set; unset backends are omitted. Note that the DynamoDB and
// Azure backends can carry static credentials in plaintext.
type Storage struct {
	GCS          *GCSConfig          `json:"gcs,omitempty"`      // Google Cloud Storage
	DynamoDB     *DynamoDBConfig     `json:"dynamodb,omitempty"` // AWS DynamoDB
	AzureStorage *AzureStorageConfig `json:"azure,omitempty"`    // Azure Storage
}

Storage configuration for Vault storage

type Tcp

// Tcp is the tcp listener stanza of the Vault server config.
type Tcp struct {
	Address    string `json:"address"`     // host:port the listener binds to
	TlsDisable bool   `json:"tls_disable"` // disables TLS on the listener: tokens and secrets then cross the network in the clear, so only set this when TLS is terminated by a trusted component directly in front of Vault
}

Tcp address for vault server

type Telemetry

// Telemetry is the telemetry stanza of the Vault server config; only a statsd
// sink is modelled.
type Telemetry struct {
	StatsdAddress string `json:"statsd_address"` // host:port of the statsd server metrics are sent to
}

Telemetry address for telemetry server

type VaultAuth

// VaultAuth describes one auth method to enable, together with the roles to
// create under it. Given VaultRole's bound_service_account_* fields, Type is
// presumably "kubernetes" in practice — confirm against the caller.
type VaultAuth struct {
	Roles []VaultRole `json:"roles"` // roles to create under this auth mount
	Type  string      `json:"type"`  // auth method type
}

VaultAuth vault auth configuration

type VaultAuths

// VaultAuths is the list of auth methods (with their roles) to configure on a vault.
type VaultAuths []VaultAuth

VaultAuths list of vault authentications

type VaultClientFactory

// VaultClientFactory builds authenticated Vault api.Client instances. It
// resolves a vault via Selector and obtains clients/terminal handles from
// Options; see GetConfigData for the credential material it handles.
type VaultClientFactory struct {
	Options  OptionsInterface // source of Kubernetes/vault-operator clients and terminal I/O
	Selector Selector         // picks which vault a client is built for

	DisableURLDiscovery bool // NOTE(review): presumably skips looking up the vault URL from the cluster — confirm what address is used instead
	// contains filtered or unexported fields
}

VaultClientFactory keeps the configuration required to build a new vault client factory

func NewInteractiveVaultClientFactory

func NewInteractiveVaultClientFactory(options OptionsInterface) (*VaultClientFactory, error)

NewInteractiveVaultClientFactory creates a VaultClientFactory that allows the user to pick vaults if necessary

func NewVaultClientFactory

func NewVaultClientFactory(kubeClient kubernetes.Interface, vaultOperatorClient versioned.Interface, defaultNamespace string) (*VaultClientFactory, error)

NewVaultClientFactory creates a new VaultClientFactory from explicit clients rather than an OptionsInterface. It has no CLI support, so it will fail if interactive input is needed (unlikely).

func NewVaultClientFactoryWithSelector added in v2.1.56

func NewVaultClientFactoryWithSelector(kubeClient kubernetes.Interface, selector Selector, defaultNamespace string) (*VaultClientFactory, error)

NewVaultClientFactoryWithSelector creates a new VaultClientFactory with a provided Selector. This allows to use an external Vault instance using the custom selector.

func NewVaultClientFactoryWithoutSelector added in v2.1.56

func NewVaultClientFactoryWithoutSelector(kubeClient kubernetes.Interface, defaultNamespace string) (*VaultClientFactory, error)

NewVaultClientFactoryWithoutSelector creates a new VaultClientFactory.

func (*VaultClientFactory) GetConfigData

func (v *VaultClientFactory) GetConfigData(name string, namespace string, useIngressURL, insecureSSLWebhook bool) (config *api.Config, jwt string, saName string, err error)

GetConfigData generates the information necessary to configure an api.Client object. It returns the api.Config object, the JWT needed to create the auth user in Vault, the name of the service account that JWT belongs to, and an error if present. The JWT is a bearer credential: do not log it or persist it beyond the login call. The insecureSSLWebhook flag presumably disables TLS certificate verification for the Vault endpoint; keep it off outside local development.

func (*VaultClientFactory) NewVaultClient

func (v *VaultClientFactory) NewVaultClient(name string, namespace string, useIngressURL, insecureSSLWebhook bool) (*api.Client, error)

NewVaultClient creates a new api.Client. If namespace is empty, the default namespace of the factory is used. If name is empty and exactly one vault is found, that vault is used; otherwise the user is prompted to select a vault for the client. As with GetConfigData, insecureSSLWebhook presumably disables TLS verification and should stay off outside local development.

func (*VaultClientFactory) NewVaultClientForURL added in v2.1.56

func (v *VaultClientFactory) NewVaultClientForURL(vaultConfig vault.Vault, insecureSSLWebhook bool) (*api.Client, error)

NewVaultClientForURL creates a new Vault api.Client for an already-resolved vault description. If the namespace carried by vaultConfig is empty, the default namespace of the factory is presumably used — confirm, since the signature itself takes no namespace parameter.

type VaultPolicies

// VaultPolicies is the list of policies to write to a vault.
type VaultPolicies []VaultPolicy

VaultPolicies list of vault policies

type VaultPolicy

// VaultPolicy is a named Vault policy. Rules is the policy body as a single
// string (presumably HCL policy syntax — confirm); it is the authorisation
// boundary for every role that references Name, so review it as such.
type VaultPolicy struct {
	Name  string `json:"name"`  // policy name, referenced from VaultRole.Policies
	Rules string `json:"rules"` // policy rules text
}

VaultPolicy vault policy

type VaultRole

// VaultRole is one role under a VaultAuth mount. The Bound* fields are the
// allow-lists (presumably comma-separated, since they are plain strings) that
// Vault checks against the caller's Kubernetes service account name and
// namespace; a wildcard in either lets every service account (or every
// namespace) obtain Policies, so keep both as narrow as the workload allows.
type VaultRole struct {
	BoundServiceAccountNames      string `json:"bound_service_account_names"`      // service account names allowed to log in as this role
	BoundServiceAccountNamespaces string `json:"bound_service_account_namespaces"` // namespaces those service accounts must live in
	Name                          string `json:"name"`                             // role name
	Policies                      string `json:"policies"`                         // policies granted on login (presumably comma-separated names, see VaultPolicy)
	TTL                           string `json:"ttl"`                              // token TTL for tokens issued via this role; keep short for workloads that can re-authenticate
}

VaultRole role configuration for VaultAuth
