Documentation
¶
Index ¶
- Constants
- func BuildK8SSecret(secret *Secret, mgr SecretsManager) *core_v1.Secret
- func GetNamespaces(client *kubernetes.Clientset) ([]string, error)
- func ManageSecrets(client *kubernetes.Clientset, mgr SecretsManager, secrets ...*Secret) error
- func NewK8SClient(isPod bool, configPath *string) (*kubernetes.Clientset, error)
- type AWSEnvironmentAuth
- type AWSIAMAuth
- type AWSRegion
- type AWSSecretsAuth
- type AWSSharedCredentialsAuth
- type AWSStaticCredentialsAuth
- type AzureKeyVaultAuth
- type AzureKeyVaultEnvironmentAuth
- type AzureKeyVaultFileAuth
- type HashicorpVaultApproleAuth
- type HashicorpVaultAuth
- type HashicorpVaultK8SAuth
- type HashicorpVaultTokenAuth
- type Secret
- type SecretsManager
- type SecretsManagerClient
- func NewAWSSecretsClient(auth AWSSecretsAuth) (SecretsManagerClient, error)
- func NewAzureKeyVaultClient(auth AzureKeyVaultAuth, subscriptionID ...string) (SecretsManagerClient, error)
- func NewHashicorpVaultClient(path, url, mount string, skipTLSVerify bool, auth HashicorpVaultAuth) (SecretsManagerClient, error)
Constants ¶
const ( // HashicorpVault denotes the secret was managed // by Hashicorp Vault HashicorpVault SecretsManager = "hashicorp-vault" // AWS denotes the secret was managed by AWS // secrets manager AWS SecretsManager = "aws" // Azure denotes the secret was managed by Azure // Key Vault // TODO - Implement Azure Key Vault solution Azure SecretsManager = "azure" // GCP denotes the secret was managed by GCP // TODO - Implement a secrets management // solution for GCP, KMS? GCP SecretsManager = "gcp" // Managed is the common tag/annotation denoting // that the secret is managed by mimir Managed string = "mimir-managed" // Paths is the common tag to use to speify what // paths to load the secret into k8s under Paths string = "mimir-paths" // Source is the common annotation to denote // where the secret was sourced from in k8s Source string = "mimir-source" // Hook is a reference string per server that // allows multiple hooks to co-exist in the // same cluster Hook string = "mimir-hook" // Remote is the path/name of the remote secret Remote string = "mimir-remote" // Local is an override. When set, the secret will // be created with the name given to this attribute, // rather than the pod name Local string = "mimir-local" // Path is the local container path the secrets // should be mounted to Path string = "mimir-path" // Env is a switch that when set, makes mimir // patch the pod to inject all the keys of the // secret to the containers as environment vars Env string = "mimir-env" )
Variables ¶
This section is empty.
Functions ¶
func BuildK8SSecret ¶
func BuildK8SSecret(secret *Secret, mgr SecretsManager) *core_v1.Secret
BuildK8SSecret builds a k8s secret from a mimir intermediary Secret
func GetNamespaces ¶
func GetNamespaces(client *kubernetes.Clientset) ([]string, error)
GetNamespaces retrieves a list of namespaces from the cluster as a slice of strings
func ManageSecrets ¶
func ManageSecrets(client *kubernetes.Clientset, mgr SecretsManager, secrets ...*Secret) error
ManageSecrets is where a slice of Secret created from a backend secrets manager is parsed and then created or updated in kubernetes. Secrets already in the cluster and marked as managed by by mimir and share the same backend source, will be deleted if a corresponding secret from the backend can not be found in the slice.
func NewK8SClient ¶
func NewK8SClient(isPod bool, configPath *string) (*kubernetes.Clientset, error)
NewK8SClient loads a new k8s client for integration with the configured cluster
Types ¶
type AWSEnvironmentAuth ¶
type AWSEnvironmentAuth struct {
AWSRegion
}
AWSEnvironmentAuth contains auth information for using environment variables to authenticate
type AWSIAMAuth ¶
type AWSIAMAuth struct {
AWSRegion
}
AWSIAMAuth contains auth information for using IAM to authenticate
type AWSRegion ¶
type AWSRegion struct {
Region string
}
AWSRegion is a common struct for setting the AWS region to use
type AWSSecretsAuth ¶
AWSSecretsAuth interface provides a common function set to authenticate with AWS from mimir
type AWSSharedCredentialsAuth ¶
type AWSSharedCredentialsAuth struct {
}
AWSSharedCredentialsAuth contains auth information for using shared credentials file to authenticate
type AWSStaticCredentialsAuth ¶
AWSStaticCredentialsAuth contains auth information for using static credentials to authenticate
type AzureKeyVaultAuth ¶
type AzureKeyVaultAuth interface {
GetMgmtAuth() (*autorest.Authorizer, error)
GetAuth() (*autorest.Authorizer, error)
}
AzureKeyVaultAuth is a generic interface for authenticating against Azure
type AzureKeyVaultEnvironmentAuth ¶
type AzureKeyVaultEnvironmentAuth struct{}
AzureKeyVaultEnvironmentAuth is for authentication using environment credentials
func (AzureKeyVaultEnvironmentAuth) GetAuth ¶
func (va AzureKeyVaultEnvironmentAuth) GetAuth() (*autorest.Authorizer, error)
GetAuth loads an Azure authorizer using environment variables for the Key Vault component specifically
func (AzureKeyVaultEnvironmentAuth) GetMgmtAuth ¶
func (va AzureKeyVaultEnvironmentAuth) GetMgmtAuth() (*autorest.Authorizer, error)
GetMgmtAuth loads an Azure authorizer using environment variables for the management layer
type AzureKeyVaultFileAuth ¶
type AzureKeyVaultFileAuth struct {
BaseURI string
}
AzureKeyVaultFileAuth is for authentication using a credentials file
func (AzureKeyVaultFileAuth) GetAuth ¶
func (va AzureKeyVaultFileAuth) GetAuth() (*autorest.Authorizer, error)
GetAuth loads an Azure authorizer using a credentials file for the Key Vault component specifically
func (AzureKeyVaultFileAuth) GetMgmtAuth ¶
func (va AzureKeyVaultFileAuth) GetMgmtAuth() (*autorest.Authorizer, error)
GetMgmtAuth loads an Azure authorizer using a credentials file for the management layer
type HashicorpVaultApproleAuth ¶
HashicorpVaultApproleAuth contains auth information for using the approle auth method
type HashicorpVaultAuth ¶
HashicorpVaultAuth interface provides a common function set to authenticate Hashicorp Vault
type HashicorpVaultK8SAuth ¶
HashicorpVaultK8SAuth contains auth information for using kubernetes authentication method
type HashicorpVaultTokenAuth ¶
type HashicorpVaultTokenAuth struct {
Token string
}
HashicorpVaultTokenAuth contains auth information for using a pre-provided token to authenticate
type Secret ¶
Secret is a common struct designed as an intermediary struct between a backend secrets manager, and k8s
type SecretsManager ¶
type SecretsManager string
SecretsManager denotes what secrets manager backend was used for a particuar secret
type SecretsManagerClient ¶
type SecretsManagerClient interface {
GetSecrets(namespaces ...string) ([]*Secret, error)
GetSecret(path string) (*Secret, error)
}
SecretsManagerClient is the common interface used for interacting with any kind of backend Secrets manager. All integrations with a secrets manager should implement this interface
func NewAWSSecretsClient ¶
func NewAWSSecretsClient(auth AWSSecretsAuth) (SecretsManagerClient, error)
NewAWSSecretsClient provides a new SecretsManagerClient for using AWS secrets manager
func NewAzureKeyVaultClient ¶
func NewAzureKeyVaultClient(auth AzureKeyVaultAuth, subscriptionID ...string) (SecretsManagerClient, error)
NewAzureKeyVaultClient load a new instance of a secrets client for Azure Key Vault
func NewHashicorpVaultClient ¶
func NewHashicorpVaultClient(path, url, mount string, skipTLSVerify bool, auth HashicorpVaultAuth) (SecretsManagerClient, error)
NewHashicorpVaultClient provides a new SecretsManagerClient for using Hashicorp Vault
Source Files