vault

package v0.6.1 (Latest)

Warning: This package is not in the latest version of its module.
Published: Mar 18, 2020 License: AGPL-3.0 Imports: 12 Imported by: 0

Documentation

Overview

Package vault implements a secret key store that stores secret keys as key-value entries on the Hashicorp Vault K/V secret backend.

Vault is a KMS implementation with many features. This package only leverages the key-value store. For an introduction to Vault see: https://www.vaultproject.io/ For a K/V API overview see: https://www.vaultproject.io/api/secret/kv/kv-v1.html

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AppRole

type AppRole struct {
	ID     string        // The AppRole ID
	Secret string        // The AppRole secret ID
	Retry  time.Duration // Duration after which a failed authentication is retried
}

AppRole holds the Vault AppRole authentication credentials and a duration after which the authentication should be retried whenever it fails.

type KeyStore

type KeyStore struct {
	// Addr is the HTTP address of the Vault server.
	Addr string

	// Location is the location on Vault's K/V store
	// where this KeyStore will save secret keys.
	//
	// It can be used to assign a unique or shared
	// prefix. For instance, one or more KeyStores can
	// store secret keys under /keys/my-app/. In this
	// case you may set KeyStore.Location = "keys/my-app".
	Location string

	// AppRole contains the Vault AppRole authentication
	// credentials.
	AppRole AppRole

	// CacheExpireAfter is the duration after which
	// cache entries expire such that they have to
	// be loaded from the backend storage again.
	CacheExpireAfter time.Duration

	// CacheExpireUnusedAfter is the duration after
	// which not recently used cache entries expire
	// such that they have to be loaded from the
	// backend storage again.
	// An entry counts as not recently used when it has not
	// been accessed within CacheExpireUnusedAfter / 2.
	CacheExpireUnusedAfter time.Duration

	// StatusPingAfter is the duration after which
	// the KeyStore will check the status of the Vault
	// server. In particular, this status information
	// is used to determine whether the Vault server
	// has been sealed or has been unsealed again.
	StatusPingAfter time.Duration

	// ErrorLog specifies an optional logger for errors
	// when files cannot be opened, deleted or contain
	// invalid content.
	// If nil, logging is done via the log package's
	// standard logger.
	ErrorLog *log.Logger

	// Path to the mTLS client private key to authenticate to
	// the Vault server.
	ClientKeyPath string

	// Path to the mTLS client certificate to authenticate to
	// the Vault server.
	ClientCertPath string

	// Path to the root CA certificate(s) used to verify the
	// TLS certificate of the Vault server. If empty, the
	// host's root CA set is used.
	CAPath string

	// The Vault namespace used to separate and isolate different
	// organizations / tenants at the same Vault instance. If
	// non-empty, the Vault client will send the
	//   X-Vault-Namespace: Namespace
	// HTTP header on each request. For more information see:
	// https://www.vaultproject.io/docs/enterprise/namespaces/index.html
	Namespace string
	// contains filtered or unexported fields
}

KeyStore is a secret key store that saves secret keys as K/V entries on Vault's K/V secret backend.

func (*KeyStore) Authenticate

func (store *KeyStore) Authenticate(context context.Context) error

Authenticate tries to establish a connection to a Vault server using the AppRole credentials. It returns an error if no connection could be established, for instance because of invalid authentication credentials.
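The AppRole login that Authenticate performs, and the X-Vault-Namespace / X-Vault-Token headers the Namespace field implies, as an added example rather than the kes package's own code: a hypothetical minimal client that logs in via POST auth/approle/login and attaches both headers to every later request. It assumes plain TLS via the default HTTP client (the mTLS ClientKeyPath/ClientCertPath/CAPath settings are left out), and the server address, role ID and secret ID in main are placeholders.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
)

// Client is a hypothetical minimal Vault client mirroring the KeyStore fields
// above (not the kes package's own code); token is filled in by Authenticate.
type Client struct{ Addr, Namespace, RoleID, SecretID, token string }
// Request sends one Vault API call with the headers every KeyStore request
// carries: X-Vault-Namespace (only when set) and X-Vault-Token (after login).
func (c *Client) Request(method, apiPath string, body []byte) (*http.Response, error) {
	req, err := http.NewRequest(method, c.Addr+"/v1/"+apiPath, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	if c.Namespace != "" {
		req.Header.Set("X-Vault-Namespace", c.Namespace)
	}
	if c.token != "" {
		req.Header.Set("X-Vault-Token", c.token)
	}
	return http.DefaultClient.Do(req)
}
// Authenticate exchanges the AppRole role ID and secret ID for a client token
// via POST auth/approle/login, the login that KeyStore.Authenticate performs.
func (c *Client) Authenticate() error {
	body, _ := json.Marshal(map[string]string{"role_id": c.RoleID, "secret_id": c.SecretID})
	resp, err := c.Request("POST", "auth/approle/login", body)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("approle login failed: %s", resp.Status)
	}
	var out struct{ Auth struct{ ClientToken string `json:"client_token"` } `json:"auth"` }
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return err
	}
	c.token = out.Auth.ClientToken
	return nil
}
func main() { // stand-alone run; the Vault address and AppRole values are placeholders
	c := &Client{Addr: "https://vault.example.com:8200", RoleID: "ROLE_ID", SecretID: "SECRET_ID"}
	fmt.Println("authenticate:", c.Authenticate())
}
```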

func (*KeyStore) Create

func (store *KeyStore) Create(name string, secret secret.Secret) error

Create adds the given secret key to the store if and only if no entry for name exists. If an entry already exists it returns kes.ErrKeyExists.

In particular, Create creates a new K/V entry on the Vault key store.

func (*KeyStore) Delete

func (store *KeyStore) Delete(name string) error

Delete removes the secret key with the given name from the key store and deletes the corresponding Vault K/V entry, if it exists.

func (*KeyStore) Get

func (store *KeyStore) Get(name string) (secret.Secret, error)

Get returns the secret key associated with the given name. If no entry for name exists, Get returns kes.ErrKeyNotFound.

In particular, Get reads the secret key from the corresponding entry at the Vault K/V store.
