vault

package
v1.8.1 Latest
Warning

This package is not in the latest version of its module.

Published: Sep 9, 2020 License: MIT Imports: 14 Imported by: 9

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AuthMethod added in v1.7.0

type AuthMethod interface {
	SetToken(context.Context, *api.Client) error
}

AuthMethod defines the interface required to implement custom authentication against the Vault server.

type ConstantToken added in v1.7.0

type ConstantToken string

ConstantToken implements AuthMethod with a constant token.

func (ConstantToken) SetToken added in v1.7.0

func (c ConstantToken) SetToken(_ context.Context, cli *api.Client) error

SetToken sets the client's token to the constant token value.

type Issuer

type Issuer struct {
	// URL is the URL of the Vault instance.
	URL *url.URL
	// Role is the Vault Role that should be used
	// when issuing certificates.
	Role string

	// Token is the Vault secret token that should be used
	// when issuing certificates.
	//
	// Deprecated: use AuthMethod instead.
	Token string
	// AuthMethod configures the method used for authenticating
	// against the Vault server.
	AuthMethod AuthMethod

	// Mount is the name under which the PKI secrets engine
	// is mounted. Defaults to `pki`.
	Mount string
	// TLSConfig allows configuration of the TLS config
	// used when connecting to the Vault server.
	TLSConfig *tls.Config

	// TimeToLive configures the lifetime of certificates
	// requested from the Vault server.
	TimeToLive time.Duration

	// SubjectAlternativeNames defines additional DNS or Email Subject Alternative Names
	//
	// Warning: By default Vault reads SANs directly from the
	// Certificate Signing Request (CSR), and ignores this field completely.
	// This field only takes effect when the Vault role has set use_csr_sans to false,
	// and using this setting will ignore any SANs in the CSR.
	//
	// To configure DNS SANs directly in the CSR, set CertConfig.SubjectAlternativeNames.
	SubjectAlternativeNames []string

	// IPSubjectAlternativeNames defines additional IP Address Subject Alternative Names
	//
	// Warning: By default Vault reads IP SANs directly from the
	// Certificate Signing Request (CSR), and ignores this field completely.
	// This field only takes effect when the Vault role has set use_csr_sans to false,
	// and using this setting will ignore any SANs in the CSR.
	//
	// To configure IP SANs directly in the CSR, set CertConfig.IPSubjectAlternativeNames.
	IPSubjectAlternativeNames []string

	// URISubjectAlternativeNames defines custom URI SANs.
	// The format is a URI and must match the value specified in allowed_uri_sans, e.g. spiffe://hostname/foobar
	//
	// Warning: By default Vault reads URI SANs directly from the
	// Certificate Signing Request (CSR), and ignores this field completely.
	// This field only takes effect when the Vault role has set use_csr_sans to false,
	// and using this setting will ignore any SANs in the CSR.
	//
	// To configure URI SANs directly in the CSR, set CertConfig.URISubjectAlternativeNames.
	URISubjectAlternativeNames []string

	// OtherSubjectAlternativeNames defines custom OID/UTF8-string SANs.
	// The format is the same as OpenSSL: <oid>;<type>:<value> where the only current valid <type> is UTF8.
	//
	// Warning: By default Vault reads SANs directly from the
	// Certificate Signing Request (CSR), and ignores this field completely.
	// This field only takes effect when the Vault role has set use_csr_sans to false,
	// and using this setting will ignore any SANs in the CSR.
	OtherSubjectAlternativeNames []string
	// contains filtered or unexported fields
}

Issuer implements the certify Issuer interface with a HashiCorp Vault PKI Secrets Engine backend.

URL, Role and AuthMethod are required.

func FromClient added in v0.3.0

func FromClient(v *api.Client, role string) *Issuer

FromClient returns an Issuer using the provided Vault API client. Any changes to the issuer's properties (such as setting the TTL or adding Other SANs) must be done before using it. The Issuer will default to using the token already defined in the client for authentication.

func (*Issuer) Issue

func (v *Issuer) Issue(ctx context.Context, commonName string, conf *certify.CertConfig) (*tls.Certificate, error)

Issue issues a certificate from the configured Vault backend, establishing a connection if one doesn't already exist.
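The SAN warnings on the Issuer fields above describe a common footgun: with the Vault role's default use_csr_sans=true, names placed in Issuer.SubjectAlternativeNames (and the IP and URI variants) are ignored, and only what the CSR carries survives; with use_csr_sans=false the reverse holds. The following added example (not code from the certify project or the Vault SDK) builds a CSR with DNS, IP and URI SANs using only the Go standard library, reads the SANs back the way Vault would, and applies the documented rule so a caller can see which side of the configuration will be ignored before any certificate is requested. The `sanSet` type and all function names are local to this example; the hostnames and addresses are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"net"
	"net/url"
)

// sanSet groups the three SAN kinds the Issuer exposes as separate fields.
type sanSet struct {
	DNS, IP, URI []string
}

// buildCSR generates a P-256 key and a DER-encoded CSR carrying the requested
// SANs. This is the path the Issuer docs point to: with the role default
// use_csr_sans=true, Vault copies SANs from the CSR, so they must live here.
func buildCSR(commonName string, want sanSet) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: commonName},
		DNSNames: want.DNS,
	}
	for _, s := range want.IP {
		ip := net.ParseIP(s)
		if ip == nil {
			return nil, fmt.Errorf("invalid IP SAN %q", s)
		}
		tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
	}
	for _, s := range want.URI {
		u, err := url.Parse(s)
		if err != nil {
			return nil, fmt.Errorf("invalid URI SAN %q: %w", s, err)
		}
		tmpl.URIs = append(tmpl.URIs, u)
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// csrSANs parses a DER CSR, verifies its self-signature and extracts the SANs
// exactly as Vault would read them from the request.
func csrSANs(der []byte) (sanSet, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return sanSet{}, err
	}
	if err := csr.CheckSignature(); err != nil {
		return sanSet{}, fmt.Errorf("CSR signature: %w", err)
	}
	got := sanSet{DNS: csr.DNSNames}
	for _, ip := range csr.IPAddresses {
		got.IP = append(got.IP, ip.String())
	}
	for _, u := range csr.URIs {
		got.URI = append(got.URI, u.String())
	}
	return got, nil
}

// effectiveSANs applies the rule stated in the Issuer field docs: with
// use_csr_sans true (the default) the CSR's SANs are used and the Issuer's
// fields are ignored entirely; with it false the Issuer's fields are used and
// the CSR's SANs are ignored entirely. The second result is the side Vault
// will drop, which is what to inspect before shipping a configuration.
func effectiveSANs(useCSRSANs bool, fromCSR, fromIssuer sanSet) (chosen, ignored sanSet) {
	if useCSRSANs {
		return fromCSR, fromIssuer
	}
	return fromIssuer, fromCSR
}

func main() {
	// Constructed sample request: names and addresses are illustrative only.
	der, err := buildCSR("svc.example.internal", sanSet{DNS: []string{"svc.example.internal"}, IP: []string{"10.0.0.7"}})
	if err != nil {
		panic(err)
	}
	fromCSR, err := csrSANs(der)
	if err != nil {
		panic(err)
	}
	chosen, ignored := effectiveSANs(true, fromCSR, sanSet{DNS: []string{"alt.example.internal"}})
	fmt.Printf("chosen=%+v ignored=%+v\n", chosen, ignored)
}
```

In practice the CSR side is what certify builds from CertConfig, so the check to run before deploying is: if your role keeps use_csr_sans at its default, every name you care about must be in CertConfig, and anything set on the Issuer fields is dead configuration.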

type RenewingToken added in v1.7.0

type RenewingToken struct {
	// Initial is the token used to initially
	// authenticate against Vault. It must be
	// renewable.
	Initial string
	// RenewBefore configures how long before the expiry
	// of the token it should be renewed. Defaults
	// to 30 minutes before expiry.
	RenewBefore time.Duration
	// TimeToLive configures how long the new token
	// should be valid for. Defaults to 24 hours.
	TimeToLive time.Duration
	// contains filtered or unexported fields
}

RenewingToken is used for automatically renewing the token used to authenticate with Vault. RenewingToken requires SetToken to be called at least once before the expiry of the initial token.

func (*RenewingToken) Close added in v1.7.0

func (r *RenewingToken) Close() error

Close can be used to release resources associated with the token.

func (*RenewingToken) SetToken added in v1.7.0

func (r *RenewingToken) SetToken(ctx context.Context, cli *api.Client) error

SetToken implements AuthMethod for RenewingToken.
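RenewingToken's contract above has three parts worth seeing together: the defaults (RenewBefore 30 minutes, TimeToLive 24 hours), the requirement that SetToken run before the initial token expires, and renewal happening RenewBefore ahead of expiry. The added example below is a model of that contract written for this page, not the package's RenewingToken or the Vault SDK: `tokenClient` is a local stand-in for `*api.Client`, `renewFunc` stands in for the Vault token self-renew call, and `InitialExpiry` is supplied by the caller rather than learned from Vault. All identifiers and token strings are constructed. It also handles the edge case where RenewBefore is not shorter than the remaining lifetime, in which case renewal is due immediately rather than at a time in the past.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)

// tokenClient is a local stand-in (assumption) for the part of *api.Client this model uses.
type tokenClient interface {
	SetToken(string)
	Token() string
}

// fakeClient is a constructed implementation of tokenClient.
type fakeClient struct{ token string }

func (f *fakeClient) SetToken(t string) { f.token = t }
func (f *fakeClient) Token() string     { return f.token }

// renewFunc models Vault's token self-renew: it returns the new token and the TTL granted.
type renewFunc func(ctx context.Context, current string, ttl time.Duration) (string, time.Duration, error)

// modelRenewingToken reproduces the contract the RenewingToken docs state.
// It is a model written for this example, not the package's own type.
type modelRenewingToken struct {
	Initial       string
	InitialExpiry time.Time // assumption: supplied by the caller; the real package learns it from Vault
	RenewBefore   time.Duration
	TimeToLive    time.Duration
	renew         renewFunc
	now           func() time.Time // injectable clock so behaviour is deterministic
	mu            sync.Mutex
	current       string
	expiry        time.Time
}

func (r *modelRenewingToken) applyDefaults() {
	if r.RenewBefore == 0 {
		r.RenewBefore = 30 * time.Minute
	}
	if r.TimeToLive == 0 {
		r.TimeToLive = 24 * time.Hour
	}
	if r.now == nil {
		r.now = time.Now
	}
}

// nextRenewal is expiry minus RenewBefore; if that already lies in the past
// (RenewBefore not shorter than the remaining life) the token is due now.
func (r *modelRenewingToken) nextRenewal() time.Time {
	at := r.expiry.Add(-r.RenewBefore)
	if now := r.now(); at.Before(now) {
		return now
	}
	return at
}

// SetToken plays the role of AuthMethod.SetToken: the first call adopts the initial
// token and fails if it has already expired; later calls renew once the window opens.
func (r *modelRenewingToken) SetToken(ctx context.Context, cli tokenClient) error {
	r.mu.Lock()
	defer r.mu.Unlock()
	r.applyDefaults()
	if r.current == "" {
		if !r.now().Before(r.InitialExpiry) {
			return errors.New("initial token already expired: SetToken must run before expiry")
		}
		r.current, r.expiry = r.Initial, r.InitialExpiry
	}
	if !r.now().Before(r.nextRenewal()) {
		tok, ttl, err := r.renew(ctx, r.current, r.TimeToLive)
		if err != nil {
			return fmt.Errorf("renew token: %w", err)
		}
		r.current, r.expiry = tok, r.now().Add(ttl)
	}
	cli.SetToken(r.current)
	return nil
}

func main() {
	// Constructed scenario: the initial token has 20 minutes left, which is
	// inside the default 30-minute window, so the first call renews at once.
	r := &modelRenewingToken{
		Initial:       "initial-token-placeholder",
		InitialExpiry: time.Now().Add(20 * time.Minute),
		renew: func(_ context.Context, _ string, ttl time.Duration) (string, time.Duration, error) {
			return "renewed-token-placeholder", ttl, nil
		},
	}
	cli := &fakeClient{}
	err := r.SetToken(context.Background(), cli)
	fmt.Println("token:", cli.Token(), "err:", err, "next renewal:", r.nextRenewal())
}
```

The operational point the model makes explicit is that a short-lived initial token combined with the default RenewBefore means renewal on the very first SetToken call; if the process that owns the RenewingToken starts after the initial token has lapsed, there is nothing to renew and authentication fails, so the initial token's TTL should be sized with startup latency in mind.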
