vault

package
v0.17.6

This package is not in the latest version of its module.
Published: Jan 6, 2022 License: AGPL-3.0 Imports: 15 Imported by: 0

Documentation

Overview

Package vault implements a secret key store that stores secret keys as key-value entries on the Hashicorp Vault K/V secret backend.

Vault is a KMS implementation with many features. This package only uses the key-value store. For an introduction to Vault see https://www.vaultproject.io/ and, for a K/V API overview, https://www.vaultproject.io/api/secret/kv/kv-v1.html

Index

Constants

const (
	APIv1 = "v1"
	APIv2 = "v2"
)
const (
	// EngineKV is the Hashicorp Vault default KV secret engine path.
	EngineKV = "kv"

	// EngineAppRole is the Hashicorp Vault default AppRole authentication
	// engine path.
	EngineAppRole = "approle"

	// EngineKubernetes is the Hashicorp Vault default Kubernetes
	// authentication engine path.
	EngineKubernetes = "kubernetes"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type AppRole

type AppRole struct {
	// Engine is the authentication engine path
	//
	// Hashicorp Vault allows multiple engines of the
	// same type mounted at the same time and/or engines
	// mounted at arbitrary paths.
	Engine string

	// ID is the AppRole authentication ID
	ID string

	// Secret is the AppRole authentication secret.
	Secret string

	// Retry is the duration after which another
	// authentication attempt is performed once
	// an authentication attempt failed.
	Retry time.Duration
}

AppRole contains authentication information for the Hashicorp Vault AppRole authentication API.

Ref: https://www.vaultproject.io/api/auth/approle

type Config added in v0.17.3

type Config struct {
	// Endpoint is the HTTP Vault server endpoint
	Endpoint string

	// Engine is the path of the K/V engine to use.
	//
	// Vault allows multiple engines of the same type
	// mounted at the same time and/or engines mounted
	// at arbitrary paths.
	Engine string

	// APIVersion is the API version of the K/V engine.
	//
	// If empty, it defaults to APIv1.
	//
	// Ref: https://www.vaultproject.io/docs/secrets/kv
	APIVersion string

	// The Vault namespace used to separate and isolate different
	// organizations / tenants at the same Vault instance. If
	// non-empty, the Vault client will send the
	//   X-Vault-Namespace: Namespace
	// HTTP header on each request.
	//
	// Ref: https://www.vaultproject.io/docs/enterprise/namespaces/index.html
	Namespace string

	// Prefix is the key prefix on Vault's K/V store
	// similar to a directory. Keys will be fetched
	// from and stored within this prefix.
	Prefix string

	// AppRole contains the Vault AppRole authentication
	// credentials.
	AppRole AppRole

	// K8S contains the Vault Kubernetes authentication
	// credentials.
	K8S Kubernetes

	// ErrorLog is an optional logger for errors that
	// may occur when interacting with a Hashicorp
	// Vault server.
	ErrorLog *log.Logger

	// StatusPingAfter is the duration after which
	// the KeyStore will check the status of the Vault
	// server. In particular, this status information
	// is used to determine whether the Vault server
	// has been sealed or unsealed again.
	StatusPingAfter time.Duration

	// Path to the mTLS client private key to authenticate to
	// the Vault server.
	ClientKeyPath string

	// Path to the mTLS client certificate to authenticate to
	// the Vault server.
	ClientCertPath string

	// Path to the root CA certificate(s) used to verify the
	// TLS certificate of the Vault server. If empty, the
	// host's root CA set is used.
	CAPath string
	// contains filtered or unexported fields
}

A Config structure is used to configure a Hashicorp Vault client.
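As an added illustration (not the package's own client code) of how the Config fields Endpoint, Engine, APIVersion, Namespace and Prefix shape a Vault K/V write: KV v1 writes straight under the engine mount, while KV v2 addresses the entry under data/ and accepts a check-and-set option that makes the write fail when the entry already exists, which is the server-side way to get Create's "if and only if the key does not exist" semantics. The KVConfig type, the writeRequest function and the "key" field name are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"path"
	"strings"
)

// KVConfig mirrors the request-relevant fields of vault.Config (constructed for this example).
type KVConfig struct {
	Endpoint, Engine, APIVersion, Namespace, Prefix string
}

// writeRequest builds the request Vault expects for storing entry `name` on a K/V
// engine: KV v1 writes straight under the mount, KV v2 addresses the entry under
// "data/" and accepts check-and-set. The "key" field name is this example's assumption.
func writeRequest(c KVConfig, name string, secret []byte) (*http.Request, error) {
	var p string
	var body map[string]interface{}
	switch c.APIVersion {
	case "", "v1": // empty APIVersion defaults to v1, as Config documents
		p = path.Join("/v1", c.Engine, c.Prefix, name)
		body = map[string]interface{}{"key": string(secret)}
	case "v2":
		p = path.Join("/v1", c.Engine, "data", c.Prefix, name)
		body = map[string]interface{}{
			"data":    map[string]string{"key": string(secret)},
			"options": map[string]int{"cas": 0}, // cas=0: succeed only if the entry is absent
		}
	default:
		return nil, fmt.Errorf("vault: unsupported K/V API version %q", c.APIVersion)
	}
	buf, _ := json.Marshal(body) // cannot fail for plain string/int values
	req, err := http.NewRequest(http.MethodPost, strings.TrimSuffix(c.Endpoint, "/")+p, strings.NewReader(string(buf)))
	if err != nil {
		return nil, err
	}
	if c.Namespace != "" { // tenant isolation header, as documented on Config.Namespace
		req.Header.Set("X-Vault-Namespace", c.Namespace)
	}
	return req, nil
}

func main() {
	c := KVConfig{Endpoint: "https://vault.example.com:8200", Engine: "kv", APIVersion: "v2", Prefix: "kes"}
	req, _ := writeRequest(c, "my-key", []byte("constructed-secret"))
	fmt.Println(req.Method, req.URL.Path) // POST /v1/kv/data/kes/my-key
}
```

The X-Vault-Token header and the TLS settings (ClientKeyPath, ClientCertPath, CAPath) are left out here; a real client adds the token and a tls.Config on the transport before sending.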

func (*Config) Clone added in v0.17.3

func (c *Config) Clone() *Config

Clone returns a shallow clone of c or nil if c is nil. It is safe to clone a Config that is being used concurrently.

type KeyStore

type KeyStore struct {
	// contains filtered or unexported fields
}

KeyStore is a Hashicorp Vault K/V client.

It creates, deletes, stores and fetches key value pairs using the Hashicorp Vault K/V secret engine.

func Connect added in v0.17.3

func Connect(ctx context.Context, c *Config) (*KeyStore, error)

Connect connects and authenticates to a Hashicorp Vault server.

func (*KeyStore) Create

func (s *KeyStore) Create(ctx context.Context, name string, key key.Key) error

Create creates the given key-value pair at Vault if and only if the given key does not exist. If such an entry already exists it returns kes.ErrKeyExists.

func (*KeyStore) Delete

func (s *KeyStore) Delete(ctx context.Context, name string) error

Delete removes the value associated with the given key from Vault, if it exists.

func (*KeyStore) Get

func (s *KeyStore) Get(_ context.Context, name string) (key.Key, error)

Get returns the value associated with the given key. If no entry for the key exists it returns kes.ErrKeyNotFound.

func (*KeyStore) List added in v0.17.3

func (s *KeyStore) List(ctx context.Context) (key.Iterator, error)

List returns a new Iterator over the names of all stored keys.

func (*KeyStore) Status added in v0.17.3

func (s *KeyStore) Status(ctx context.Context) (key.StoreState, error)

Status returns the current state of the Hashicorp Vault instance. In particular, it reports whether the server is reachable and the network latency.

type Kubernetes added in v0.13.0

type Kubernetes struct {
	// Engine is the authentication engine path
	//
	// Hashicorp Vault allows multiple engines of the
	// same type mounted at the same time and/or engines
	// mounted at arbitrary paths.
	Engine string

	// Role is the JWT role.
	Role string

	// JWT is the issued authentication token.
	JWT string

	// Retry is the duration after which another
	// authentication attempt is performed once
	// an authentication attempt failed.
	Retry time.Duration
}

Kubernetes contains authentication information for the Hashicorp Vault Kubernetes authentication API.

Ref: https://www.vaultproject.io/api/auth/kubernetes
