Documentation
¶
Index ¶
- func EncodeServerConfig(w io.Writer, config *ServerConfig) error
- func WriteServerConfig(filename string, config *ServerConfig) error
- type CacheConfig
- type Env
- type FSConfig
- type FortanixConfig
- type KMSConfig
- type KMSPluginConfig
- type Key
- type KeySecureConfig
- type KeyVaultConfig
- type LogConfig
- type Policy
- type SecretManagerConfig
- type SecretsManagerConfig
- type ServerConfig
- type TLSConfig
- type VaultConfig
Examples ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func EncodeServerConfig ¶
func EncodeServerConfig(w io.Writer, config *ServerConfig) error
EncodeServerConfig encodes and writes the ServerConfig to an io.Writer
func WriteServerConfig ¶
func WriteServerConfig(filename string, config *ServerConfig) error
WriteServerConfig encodes and writes the ServerConfig to a file.
Types ¶
type CacheConfig ¶
type CacheConfig struct {
// Expiry is the time period after which any cache entries
// are discarded. It determines how often the KES server has
// to fetch a secret key from the KMS backend.
Expiry Env[time.Duration]
// ExpiryUnused is the time period after which all unused
// cache entries are discarded. It determines how often
// "not frequently" used secret keys must be fetched from
// the KMS backend.
ExpiryUnused Env[time.Duration]
// ExpiryOffline is the time period after which any cache
// entries in the offline cache are discarded.
//
// It determines how long the KES server can serve stateless
// requests when the KMS has become unavailable -
// e.g. due to a network outage.
//
// ExpiryOffline is only used while the KMS backend is not
// available. As long as the KMS is available, the regular
// cache expiry periods apply.
ExpiryOffline Env[time.Duration]
// contains filtered or unexported fields
}
CacheConfig is a structure that holds the Cache configuration for a (stateless) KES server.
type Env ¶
type Env[T string | kes.Identity | time.Duration] struct { Name string // Name of the env. variable Value T // Value obtained by unmarshalling or from the environment }
Env wraps a type T and an optional environment variable name.
It can be used to replace env. variable references with values from the environment during unmarshalling. Further, Env preserves any env. variable references during marshaling.
During unmarshalling, Env replaces T's value with the value obtained from the referenced environment variable, if any.
During marshaling, Env preserves and encodes the env. variable reference, if not empty. Otherwise, it encodes Env generic type value.
Example ¶
const Text = `{"addr":"${SERVER_ADDR}"}`
os.Setenv("SERVER_ADDR", "127.0.0.1:7373")
type Config struct {
Addr Env[string] `json:"addr"`
}
var config Config
if err := json.Unmarshal([]byte(Text), &config); err != nil {
log.Fatalln(err)
}
fmt.Println(config.Addr.Name, "=", config.Addr.Value)
Output: SERVER_ADDR = 127.0.0.1:7373
func (Env[_]) MarshalText ¶
MarshalText returns a text representation of the Env[T].
If Env[T] refers to an environment variable then MarshalText returns the environment variable name as "${variable}". Otherwise, it returns a text representation of T.
func (*Env[_]) UnmarshalText ¶
UnmarshalText parses the text as Env[T].
If the given text refers to an environment variable then UnmarshalText looks up the value from the environment. It returns an error if no such environment variable exists.
Otherwise, it parses the text as T and sets the Env[T] name to the empty string.
type FSConfig ¶
type FSConfig struct {
// Dir is the path to the directory that
// contains the keys.
//
// If the directory does not exist, it
// will be created when establishing
// a connection to the filesystem.
Dir Env[string]
// contains filtered or unexported fields
}
FSConfig is a structure containing the configuration for a simple filesystem KMS.
A FSConfig should only be used when testing a KES server.
type FortanixConfig ¶
type FortanixConfig struct {
// Endpoint is the endpoint of the Fortanix KMS.
Endpoint Env[string]
// GroupID is the ID of the access control group.
GroupID Env[string]
// APIKey is the API key for authenticating to
// the Fortanix KMS.
APIKey Env[string]
// CAPath is an optional path to the root
// CA certificate(s) for verifying the TLS
// certificate of the Hashicorp Vault server.
//
// If empty, the OS default root CA set is
// used.
CAPath Env[string]
// contains filtered or unexported fields
}
FortanixConfig is a structure containing the configuration for FortanixConfig SDKMS.
type KMSConfig ¶
type KMSConfig interface {
// Connect establishes and returns a new connection
// to the KMS.
Connect(ctx context.Context) (kms.Conn, error)
// contains filtered or unexported methods
}
KMSConfig represents a KMS configuration.
Concrete instances implement Connect to return a connection to a concrete KMS instance.
type KMSPluginConfig ¶
type KMSPluginConfig struct {
// Endpoint is the endpoint of the KMS plugin.
Endpoint Env[string]
// PrivateKey is an optional path to a
// TLS private key file containing a
// TLS private key for mTLS authentication.
//
// If empty, mTLS authentication is disabled.
PrivateKey Env[string]
// Certificate is an optional path to a
// TLS certificate file containing a
// TLS certificate for mTLS authentication.
//
// If empty, mTLS authentication is disabled.
Certificate Env[string]
// CAPath is an optional path to the root
// CA certificate(s) for verifying the TLS
// certificate of the KMS plugin.
//
// If empty, the OS default root CA set is
// used.
CAPath Env[string]
}
KMSPluginConfig is a structure containing the configuration for a KMS plugin.
type Key ¶
type Key struct {
// Name is the name of the cryptographic key.
Name Env[string]
// contains filtered or unexported fields
}
Key is a structure defining a cryptographic key that the KES server will create before startup.
type KeySecureConfig ¶
type KeySecureConfig struct {
// Endpoint is the endpoint to the KeySecure server.
Endpoint Env[string]
// Token is the refresh authentication token to
// access the KeySecure server.
Token Env[string]
// Domain is the isolated namespace within the
// KeySecure server. If empty, defaults to the
// top-level / root domain.
Domain Env[string]
// Retry is the retry delay between authentication attempts.
// If not set, defaults to 15s.
Retry Env[time.Duration]
// CAPath is an optional path to the root
// CA certificate(s) for verifying the TLS
// certificate of the KeySecure server.
//
// If empty, the OS default root CA set is
// used.
CAPath Env[string]
// contains filtered or unexported fields
}
KeySecureConfig is a structure containing the configuration for Gemalto KeySecure / Thales CipherTrust Manager.
type KeyVaultConfig ¶
type KeyVaultConfig struct {
// Endpoint is the Azure KeyVault endpoint.
Endpoint Env[string]
// TenantID is the ID of the Azure KeyVault tenant.
TenantID Env[string]
// ClientID is the ID of the client accessing
// Azure KeyVault.
ClientID Env[string]
// ClientSecret is the client secret accessing the
// Azure KeyVault.
ClientSecret Env[string]
// ManagedIdentityClientID is the client ID of the
// Azure managed identity that access the KeyVault.
ManagedIdentityClientID Env[string]
// contains filtered or unexported fields
}
KeyVaultConfig is a structure containing the configuration for Azure KeyVault.
type LogConfig ¶
type LogConfig struct {
// Error enables/disables logging audit events to STDOUT.
// Valid values are "on" and "off".
Audit Env[string]
// Error enables/disables logging error events to STDERR.
// Valid values are "on" and "off".
Error Env[string]
// contains filtered or unexported fields
}
LogConfig is a structure that holds the logging configuration for a (stateless) KES server.
type Policy ¶
type Policy struct {
// Allow is the list of API path patterns
// that are explicitly allowed.
Allow []string
// Deny is the list of API path patterns
// that are explicitly denied.
Deny []string
// Identities is a list of KES identities
// that are assigned to this policy.
Identities []Env[kes.Identity]
// contains filtered or unexported fields
}
Policy is a structure defining a KES policy.
Any request issued by a KES identity is validated by the associated allow and deny patterns. A request is accepted if and only if no deny pattern and at least one allow pattern matches the request.
type SecretManagerConfig ¶
type SecretManagerConfig struct {
// ProjectID is the GCP project ID.
ProjectID Env[string]
// Endpoint is the GCP project ID. If empty,
// defaults to:
// secretmanager.googleapis.com:443
Endpoint Env[string]
// Scopes are GCP OAuth2 scopes for accessing
// GCP APIs. If empty, defaults to the GCP
// default scopes.
Scopes []Env[string]
// ClientEmail is the Client email of the
// GCP service account used to access the
// SecretManager.
ClientEmail Env[string]
// ClientID is the Client ID of the GCP
// service account used to access the
// SecretManager.
ClientID Env[string]
// KeyID is the private key ID of the GCP
// service account used to access the
// SecretManager.
KeyID Env[string]
// Key is the private key of the GCP
// service account used to access the
// SecretManager.
Key Env[string]
// contains filtered or unexported fields
}
SecretManagerConfig is a structure containing the configuration for GCP SecretManager.
type SecretsManagerConfig ¶
type SecretsManagerConfig struct {
// Endpoint is the AWS SecretsManager endpoint.
// AWS SecretsManager endpoints have the following
// schema:
// secrestmanager[-fips].<region>.amanzonaws.com
Endpoint Env[string]
// Region is the AWS region the SecretsManager is
// located.
Region Env[string]
// KMSKey is the AWS-KMS key ID (CMK-ID) used to
// to en/decrypt secrets managed by the SecretsManager.
// If empty, the default AWS KMS key is used.
KMSKey Env[string]
// AccessKey is the access key for authenticating to AWS.
AccessKey Env[string]
// SecretKey is the secret key for authenticating to AWS.
SecretKey Env[string]
// SessionToken is an optional session token for authenticating
// to AWS.
SessionToken Env[string]
// contains filtered or unexported fields
}
SecretsManagerConfig is a structure containing the configuration for AWS SecretsManager.
type ServerConfig ¶
type ServerConfig struct {
// Addr is the KES server address.
//
// It should be an IP or FQDN with
// an optional port number separated
// by ':'.
Addr Env[string]
// Admin is the KES server admin identity.
Admin Env[kes.Identity]
// TLS holds the KES server TLS configuration.
TLS TLSConfig
// Cache holds the KES server cache configuration.
Cache CacheConfig
// Log holds the KES server logging configuration.
Log LogConfig
// Policies contains the KES server policy definitions
// and static identity assignments.
Policies map[string]Policy
// Keys contains pre-defined keys that the KES server
// will create on before startup.
Keys []Key
// KMS holds the KES server KMS backend configuration.
KMS KMSConfig
// contains filtered or unexported fields
}
ServerConfig is a structure that holds configuration for a (stateless) KES server.
func DecodeServerConfig ¶
func DecodeServerConfig(r io.Reader) (*ServerConfig, error)
DecodeServerConfig parses and returns a new ServerConfig from an io.Reader.
func ReadServerConfig ¶
func ReadServerConfig(filename string) (*ServerConfig, error)
ReadServerConfig parses and returns a new ServerConfig from a file.
type TLSConfig ¶
type TLSConfig struct {
// PrivateKey is the path to the KES server's TLS private key.
PrivateKey Env[string]
// Certificate is the path to the KES server's TLS certificate.
Certificate Env[string]
// CAPath is an optional path to a X.509 certificate or directory
// containing X.509 certificates that the KES server uses, in
// addition to the system root certificates, as authorities when
// verify client certificates.
//
// If empty, the KES server will only use the system root
// certificates.
CAPath Env[string]
// Password is an optional password to decrypt the KES server's
// private key.
Password Env[string]
// Proxies contains a list of TLS proxy identities.
// The KES identity of any TLS/HTTPS proxy sitting directly
// in-front of KES has to be included in this list. A KES
// server will only accept forwarded client requests from
// proxies listed here.
Proxies []Env[kes.Identity]
// ForwardCertHeader is the HTTP header key used by any
// TLS / HTTPS proxy to forward the actual client certificate
// to KES.
ForwardCertHeader Env[string]
// contains filtered or unexported fields
}
TLSConfig is a structure that holds the TLS configuration for a (stateless) KES server.
type VaultConfig ¶
type VaultConfig struct {
// Endpoint is the Hashicorp Vault endpoint.
Endpoint Env[string]
// Namespace is an optional Hashicorp Vault namespace.
// An empty namespace means no particular namespace
// is used.
Namespace Env[string]
// APIVersion is the API version of the Hashicorp Vault
// K/V engine. Valid values are: "v1" and "v2".
// If empty, defaults to "v1".
APIVersion Env[string]
// Engine is the Hashicorp Vault K/V engine path.
// If empty, defaults to "kv".
Engine Env[string]
// Prefix is an optional prefix / directory within the
// K/V engine.
// If empty, keys will be stored at the K/V engine top
// level.
Prefix Env[string]
// AppRoleEngine is the AppRole authentication engine path.
// If empty, defaults to "approle".
AppRoleEngine Env[string]
// AppRoleID is the AppRole access ID for authenticating
// to Hashicorp Vault via the AppRole method.
AppRoleID Env[string]
// AppRoleSecret is the AppRole access secret for authenticating
// to Hashicorp Vault via the AppRole method.
AppRoleSecret Env[string]
// AppRoleRetry is the retry delay between authentication attempts.
// If not set, defaults to 15s.
AppRoleRetry Env[time.Duration]
// KubernetesEngine is the Kubernetes authentication engine path.
// If empty, defaults to "kubernetes".
KubernetesEngine Env[string]
// KubernetesRole is the login role for authenticating via the
// kubernetes authentication method.
KubernetesRole Env[string]
// KubernetesJWT is either the JWT or a path to a file containing
// the JWT for for authenticating via the kubernetes authentication
// method.
KubernetesJWT Env[string]
// KubernetesRetry is the retry delay between authentication attempts.
// If not set, defaults to 15s.
KubernetesRetry Env[time.Duration]
// PrivateKey is an optional path to a
// TLS private key file containing a
// TLS private key for mTLS authentication.
//
// If empty, mTLS authentication is disabled.
PrivateKey Env[string]
// Certificate is an optional path to a
// TLS certificate file containing a
// TLS certificate for mTLS authentication.
//
// If empty, mTLS authentication is disabled.
Certificate Env[string]
// CAPath is an optional path to the root
// CA certificate(s) for verifying the TLS
// certificate of the Hashicorp Vault server.
//
// If empty, the OS default root CA set is
// used.
CAPath Env[string]
// StatusPing controls how often to Vault health status
// is checked.
// If not set, defaults to 10s.
StatusPing Env[time.Duration]
// contains filtered or unexported fields
}
VaultConfig is a structure containing the configuration for Hashicorp Vault.
Source Files
Click to show internal directories.
Click to hide internal directories.