Documentation ¶
Index ¶
- Constants
- Variables
- func CheckHCLKeys(node ast.Node, valid []string) error
- func DefaultRetryPolicy(ctx context.Context, resp *http.Response, err error) (bool, error)
- func IsSudoPath(path string) bool
- func LookupBaoVariable(name string) (string, bool)
- func ReadBaoVariable(name string) string
- func SudoPaths() map[string]*regexp.Regexp
- func VaultPluginTLSProvider(apiTLSConfig *TLSConfig) func() (*tls.Config, error)
- func VaultPluginTLSProviderContext(ctx context.Context, apiTLSConfig *TLSConfig) func() (*tls.Config, error)
- type Audit
- type Auth
- func (a *Auth) Login(ctx context.Context, authMethod AuthMethod) (*Secret, error)
- func (a *Auth) MFALogin(ctx context.Context, authMethod AuthMethod, creds ...string) (*Secret, error)
- func (a *Auth) MFAValidate(ctx context.Context, mfaSecret *Secret, payload map[string]interface{}) (*Secret, error)
- func (a *Auth) Token() *TokenAuth
- type AuthConfigInput
- type AuthConfigOutput
- type AuthMethod
- type AuthMount
- type AutopilotConfig
- type AutopilotServer
- type AutopilotState
- type AutopilotUpgrade
- type AutopilotZone
- type AutopilotZoneUpgradeVersions
- type CORSRequest
- type CORSResponse
- type Client
- func (c *Client) AddHeader(key, value string)
- func (c *Client) Address() string
- func (c *Client) Auth() *Auth
- func (c *Client) CheckRetry() retryablehttp.CheckRetry
- func (c *Client) ClearNamespace()
- func (c *Client) ClearToken()
- func (c *Client) ClientTimeout() time.Duration
- func (c *Client) Clone() (*Client, error)
- func (c *Client) CloneConfig() *Config
- func (c *Client) CloneHeaders() bool
- func (c *Client) CloneToken() bool
- func (c *Client) CloneWithHeaders() (*Client, error)
- func (c *Client) CurrentWrappingLookupFunc() WrappingLookupFunc
- func (c *Client) DisableKeepAlives() bool
- func (c *Client) Headers() http.Header
- func (c *Client) Help(path string) (*Help, error)
- func (c *Client) HelpWithContext(ctx context.Context, path string) (*Help, error)
- func (c *Client) KVv1(mountPath string) *KVv1
- func (c *Client) KVv2(mountPath string) *KVv2
- func (c *Client) Limiter() *rate.Limiter
- func (c *Client) Logical() *Logical
- func (c *Client) MaxIdleConnections() int
- func (c *Client) MaxRetries() int
- func (c *Client) MaxRetryWait() time.Duration
- func (c *Client) MinRetryWait() time.Duration
- func (c *Client) Namespace() string
- func (c *Client) NewLifetimeWatcher(i *LifetimeWatcherInput) (*LifetimeWatcher, error)
- func (c *Client) NewRenewer(i *LifetimeWatcherInput) (*LifetimeWatcher, error)deprecated
- func (c *Client) NewRequest(method, requestPath string) *Request
- func (c *Client) OutputCurlString() bool
- func (c *Client) OutputPolicy() bool
- func (c *Client) RawRequest(r *Request) (*Response, error)deprecated
- func (c *Client) RawRequestWithContext(ctx context.Context, r *Request) (*Response, error)deprecated
- func (c *Client) SRVLookup() bool
- func (c *Client) SSH() *SSH
- func (c *Client) SSHHelper() *SSHHelper
- func (c *Client) SSHHelperWithMountPoint(mountPoint string) *SSHHelper
- func (c *Client) SSHWithMountPoint(mountPoint string) *SSH
- func (c *Client) SetAddress(addr string) error
- func (c *Client) SetBackoff(backoff retryablehttp.Backoff)
- func (c *Client) SetCheckRedirect(f func(*http.Request, []*http.Request) error)
- func (c *Client) SetCheckRetry(checkRetry retryablehttp.CheckRetry)
- func (c *Client) SetClientTimeout(timeout time.Duration)
- func (c *Client) SetCloneHeaders(cloneHeaders bool)
- func (c *Client) SetCloneToken(cloneToken bool)
- func (c *Client) SetDisableKeepAlives(disable bool)
- func (c *Client) SetHeaders(headers http.Header)
- func (c *Client) SetLimiter(rateLimit float64, burst int)
- func (c *Client) SetLogger(logger retryablehttp.LeveledLogger)
- func (c *Client) SetMFACreds(creds []string)
- func (c *Client) SetMaxIdleConnections(idle int)
- func (c *Client) SetMaxRetries(retries int)
- func (c *Client) SetMaxRetryWait(retryWait time.Duration)
- func (c *Client) SetMinRetryWait(retryWait time.Duration)
- func (c *Client) SetNamespace(namespace string)
- func (c *Client) SetOutputCurlString(curl bool)
- func (c *Client) SetOutputPolicy(isSet bool)
- func (c *Client) SetPolicyOverride(override bool)
- func (c *Client) SetSRVLookup(srv bool)
- func (c *Client) SetToken(v string)
- func (c *Client) SetWrappingLookupFunc(lookupFunc WrappingLookupFunc)
- func (c *Client) Sys() *Sys
- func (c *Client) Token() string
- func (c *Client) WithNamespace(namespace string) *Client
- func (c *Client) WithRequestCallbacks(callbacks ...RequestCallback) *Client
- func (c *Client) WithResponseCallbacks(callbacks ...ResponseCallback) *Client
- type Config
- type DeregisterPluginInput
- type EnableAuditOptions
- type EnableAuthOptions
- type ErrorResponse
- type GenerateRootStatusResponse
- type GetPluginInput
- type GetPluginResponse
- type HANode
- type HAStatusResponse
- type HealthResponse
- type Help
- type InitRequest
- type InitResponse
- type InitStatusResponse
- type KVMetadata
- type KVMetadataPatchInput
- type KVMetadataPutInput
- type KVOption
- type KVSecret
- type KVVersionMetadata
- type KVv1
- type KVv2
- func (kv *KVv2) Delete(ctx context.Context, secretPath string) error
- func (kv *KVv2) DeleteMetadata(ctx context.Context, secretPath string) error
- func (kv *KVv2) DeleteVersions(ctx context.Context, secretPath string, versions []int) error
- func (kv *KVv2) Destroy(ctx context.Context, secretPath string, versions []int) error
- func (kv *KVv2) Get(ctx context.Context, secretPath string) (*KVSecret, error)
- func (kv *KVv2) GetMetadata(ctx context.Context, secretPath string) (*KVMetadata, error)
- func (kv *KVv2) GetVersion(ctx context.Context, secretPath string, version int) (*KVSecret, error)
- func (kv *KVv2) GetVersionsAsList(ctx context.Context, secretPath string) ([]KVVersionMetadata, error)
- func (kv *KVv2) Patch(ctx context.Context, secretPath string, newData map[string]interface{}, ...) (*KVSecret, error)
- func (kv *KVv2) PatchMetadata(ctx context.Context, secretPath string, metadata KVMetadataPatchInput) error
- func (kv *KVv2) Put(ctx context.Context, secretPath string, data map[string]interface{}, ...) (*KVSecret, error)
- func (kv *KVv2) PutMetadata(ctx context.Context, secretPath string, metadata KVMetadataPutInput) error
- func (kv *KVv2) Rollback(ctx context.Context, secretPath string, toVersion int) (*KVSecret, error)
- func (kv *KVv2) Undelete(ctx context.Context, secretPath string, versions []int) error
- type KeyStatus
- type LeaderResponse
- type LifetimeWatcher
- type LifetimeWatcherInput
- type ListPluginsInput
- type ListPluginsResponse
- type Logical
- func (c *Logical) Delete(path string) (*Secret, error)
- func (c *Logical) DeleteWithContext(ctx context.Context, path string) (*Secret, error)
- func (c *Logical) DeleteWithData(path string, data map[string][]string) (*Secret, error)
- func (c *Logical) DeleteWithDataWithContext(ctx context.Context, path string, data map[string][]string) (*Secret, error)
- func (c *Logical) JSONMergePatch(ctx context.Context, path string, data map[string]interface{}) (*Secret, error)
- func (c *Logical) List(path string) (*Secret, error)
- func (c *Logical) ListPage(path string, after string, limit int) (*Secret, error)
- func (c *Logical) ListPageWithContext(ctx context.Context, path string, after string, limit int) (*Secret, error)
- func (c *Logical) ListWithContext(ctx context.Context, path string) (*Secret, error)
- func (c *Logical) ParseRawResponseAndCloseBody(resp *Response, err error) (*Secret, error)
- func (c *Logical) Read(path string) (*Secret, error)
- func (c *Logical) ReadRaw(path string) (*Response, error)
- func (c *Logical) ReadRawWithContext(ctx context.Context, path string) (*Response, error)
- func (c *Logical) ReadRawWithData(path string, data map[string][]string) (*Response, error)
- func (c *Logical) ReadRawWithDataWithContext(ctx context.Context, path string, data map[string][]string) (*Response, error)
- func (c *Logical) ReadWithContext(ctx context.Context, path string) (*Secret, error)
- func (c *Logical) ReadWithData(path string, data map[string][]string) (*Secret, error)
- func (c *Logical) ReadWithDataWithContext(ctx context.Context, path string, data map[string][]string) (*Secret, error)
- func (c *Logical) Unwrap(wrappingToken string) (*Secret, error)
- func (c *Logical) UnwrapWithContext(ctx context.Context, wrappingToken string) (*Secret, error)
- func (c *Logical) Write(path string, data map[string]interface{}) (*Secret, error)
- func (c *Logical) WriteBytes(path string, data []byte) (*Secret, error)
- func (c *Logical) WriteBytesWithContext(ctx context.Context, path string, data []byte) (*Secret, error)
- func (c *Logical) WriteWithContext(ctx context.Context, path string, data map[string]interface{}) (*Secret, error)
- type MFAConstraintAny
- type MFAMethodID
- type MFARequirement
- type MountConfigInput
- type MountConfigOutput
- type MountInput
- type MountMigrationOutput
- type MountMigrationStatusInfo
- type MountMigrationStatusOutput
- type MountOutput
- type OutputPolicyError
- type OutputStringError
- type PluginAPIClientMeta
- type PluginDetails
- type PluginType
- type RaftJoinRequest
- type RaftJoinResponse
- type RegisterPluginInput
- type RekeyInitRequest
- type RekeyRetrieveResponse
- type RekeyStatusResponse
- type RekeyUpdateResponse
- type RekeyVerificationStatusResponse
- type RekeyVerificationUpdateResponse
- type ReloadPluginInput
- type ReloadPluginStatusInput
- type ReloadStatus
- type ReloadStatusResponse
- type RenewBehavior
- type RenewOutput
- type Renewer
- type RenewerInput
- type Request
- type RequestCallback
- type Response
- type ResponseCallback
- type ResponseError
- type RevokeOptions
- type SSH
- func (c *SSH) Credential(role string, data map[string]interface{}) (*Secret, error)
- func (c *SSH) CredentialWithContext(ctx context.Context, role string, data map[string]interface{}) (*Secret, error)
- func (c *SSH) SignKey(role string, data map[string]interface{}) (*Secret, error)
- func (c *SSH) SignKeyWithContext(ctx context.Context, role string, data map[string]interface{}) (*Secret, error)
- type SSHHelper
- type SSHHelperConfig
- type SSHVerifyResponse
- type SealStatusResponse
- type Secret
- func (s *Secret) TokenAccessor() (string, error)
- func (s *Secret) TokenID() (string, error)
- func (s *Secret) TokenIsRenewable() (bool, error)
- func (s *Secret) TokenMetadata() (map[string]string, error)
- func (s *Secret) TokenPolicies() ([]string, error)
- func (s *Secret) TokenRemainingUses() (int, error)
- func (s *Secret) TokenTTL() (time.Duration, error)
- type SecretAuth
- type SecretWrapInfo
- type Sys
- func (c *Sys) AuditHash(path string, input string) (string, error)
- func (c *Sys) AuditHashWithContext(ctx context.Context, path string, input string) (string, error)
- func (c *Sys) CORSStatus() (*CORSResponse, error)
- func (c *Sys) CORSStatusWithContext(ctx context.Context) (*CORSResponse, error)
- func (c *Sys) Capabilities(token, path string) ([]string, error)
- func (c *Sys) CapabilitiesSelf(path string) ([]string, error)
- func (c *Sys) CapabilitiesSelfWithContext(ctx context.Context, path string) ([]string, error)
- func (c *Sys) CapabilitiesWithContext(ctx context.Context, token, path string) ([]string, error)
- func (c *Sys) ConfigureCORS(req *CORSRequest) error
- func (c *Sys) ConfigureCORSWithContext(ctx context.Context, req *CORSRequest) error
- func (c *Sys) DeletePolicy(name string) error
- func (c *Sys) DeletePolicyWithContext(ctx context.Context, name string) error
- func (c *Sys) DeregisterPlugin(i *DeregisterPluginInput) error
- func (c *Sys) DeregisterPluginWithContext(ctx context.Context, i *DeregisterPluginInput) error
- func (c *Sys) DisableAudit(path string) error
- func (c *Sys) DisableAuditWithContext(ctx context.Context, path string) error
- func (c *Sys) DisableAuth(path string) error
- func (c *Sys) DisableAuthWithContext(ctx context.Context, path string) error
- func (c *Sys) DisableCORS() error
- func (c *Sys) DisableCORSWithContext(ctx context.Context) error
- func (c *Sys) EnableAudit(path string, auditType string, desc string, opts map[string]string) error
- func (c *Sys) EnableAuditWithOptions(path string, options *EnableAuditOptions) error
- func (c *Sys) EnableAuditWithOptionsWithContext(ctx context.Context, path string, options *EnableAuditOptions) error
- func (c *Sys) EnableAuth(path, authType, desc string) error
- func (c *Sys) EnableAuthWithOptions(path string, options *EnableAuthOptions) error
- func (c *Sys) EnableAuthWithOptionsWithContext(ctx context.Context, path string, options *EnableAuthOptions) error
- func (c *Sys) GenerateRecoveryOperationTokenCancel() error
- func (c *Sys) GenerateRecoveryOperationTokenCancelWithContext(ctx context.Context) error
- func (c *Sys) GenerateRecoveryOperationTokenInit(otp, pgpKey string) (*GenerateRootStatusResponse, error)
- func (c *Sys) GenerateRecoveryOperationTokenInitWithContext(ctx context.Context, otp, pgpKey string) (*GenerateRootStatusResponse, error)
- func (c *Sys) GenerateRecoveryOperationTokenStatus() (*GenerateRootStatusResponse, error)
- func (c *Sys) GenerateRecoveryOperationTokenStatusWithContext(ctx context.Context) (*GenerateRootStatusResponse, error)
- func (c *Sys) GenerateRecoveryOperationTokenUpdate(shard, nonce string) (*GenerateRootStatusResponse, error)
- func (c *Sys) GenerateRecoveryOperationTokenUpdateWithContext(ctx context.Context, shard, nonce string) (*GenerateRootStatusResponse, error)
- func (c *Sys) GenerateRootCancel() error
- func (c *Sys) GenerateRootCancelWithContext(ctx context.Context) error
- func (c *Sys) GenerateRootInit(otp, pgpKey string) (*GenerateRootStatusResponse, error)
- func (c *Sys) GenerateRootInitWithContext(ctx context.Context, otp, pgpKey string) (*GenerateRootStatusResponse, error)
- func (c *Sys) GenerateRootStatus() (*GenerateRootStatusResponse, error)
- func (c *Sys) GenerateRootStatusWithContext(ctx context.Context) (*GenerateRootStatusResponse, error)
- func (c *Sys) GenerateRootUpdate(shard, nonce string) (*GenerateRootStatusResponse, error)
- func (c *Sys) GenerateRootUpdateWithContext(ctx context.Context, shard, nonce string) (*GenerateRootStatusResponse, error)
- func (c *Sys) GetPlugin(i *GetPluginInput) (*GetPluginResponse, error)
- func (c *Sys) GetPluginWithContext(ctx context.Context, i *GetPluginInput) (*GetPluginResponse, error)
- func (c *Sys) GetPolicy(name string) (string, error)
- func (c *Sys) GetPolicyWithContext(ctx context.Context, name string) (string, error)
- func (c *Sys) HAStatus() (*HAStatusResponse, error)
- func (c *Sys) HAStatusWithContext(ctx context.Context) (*HAStatusResponse, error)
- func (c *Sys) Health() (*HealthResponse, error)
- func (c *Sys) HealthWithContext(ctx context.Context) (*HealthResponse, error)
- func (c *Sys) Init(opts *InitRequest) (*InitResponse, error)
- func (c *Sys) InitStatus() (bool, error)
- func (c *Sys) InitStatusWithContext(ctx context.Context) (bool, error)
- func (c *Sys) InitWithContext(ctx context.Context, opts *InitRequest) (*InitResponse, error)
- func (c *Sys) KeyStatus() (*KeyStatus, error)
- func (c *Sys) KeyStatusWithContext(ctx context.Context) (*KeyStatus, error)
- func (c *Sys) Leader() (*LeaderResponse, error)
- func (c *Sys) LeaderWithContext(ctx context.Context) (*LeaderResponse, error)
- func (c *Sys) ListAudit() (map[string]*Audit, error)
- func (c *Sys) ListAuditWithContext(ctx context.Context) (map[string]*Audit, error)
- func (c *Sys) ListAuth() (map[string]*AuthMount, error)
- func (c *Sys) ListAuthWithContext(ctx context.Context) (map[string]*AuthMount, error)
- func (c *Sys) ListMounts() (map[string]*MountOutput, error)
- func (c *Sys) ListMountsWithContext(ctx context.Context) (map[string]*MountOutput, error)
- func (c *Sys) ListPlugins(i *ListPluginsInput) (*ListPluginsResponse, error)
- func (c *Sys) ListPluginsWithContext(ctx context.Context, i *ListPluginsInput) (*ListPluginsResponse, error)
- func (c *Sys) ListPolicies() ([]string, error)
- func (c *Sys) ListPoliciesWithContext(ctx context.Context) ([]string, error)
- func (c *Sys) Lookup(id string) (*Secret, error)
- func (c *Sys) LookupWithContext(ctx context.Context, id string) (*Secret, error)
- func (c *Sys) MFAValidate(requestID string, payload map[string]interface{}) (*Secret, error)
- func (c *Sys) MFAValidateWithContext(ctx context.Context, requestID string, payload map[string]interface{}) (*Secret, error)
- func (c *Sys) Monitor(ctx context.Context, logLevel string, logFormat string) (chan string, error)
- func (c *Sys) Mount(path string, mountInfo *MountInput) error
- func (c *Sys) MountConfig(path string) (*MountConfigOutput, error)
- func (c *Sys) MountConfigWithContext(ctx context.Context, path string) (*MountConfigOutput, error)
- func (c *Sys) MountWithContext(ctx context.Context, path string, mountInfo *MountInput) error
- func (c *Sys) PutPolicy(name, rules string) error
- func (c *Sys) PutPolicyWithContext(ctx context.Context, name, rules string) error
- func (c *Sys) PutRaftAutopilotConfiguration(opts *AutopilotConfig) error
- func (c *Sys) PutRaftAutopilotConfigurationWithContext(ctx context.Context, opts *AutopilotConfig) error
- func (c *Sys) RaftAutopilotConfiguration() (*AutopilotConfig, error)
- func (c *Sys) RaftAutopilotConfigurationWithContext(ctx context.Context) (*AutopilotConfig, error)
- func (c *Sys) RaftAutopilotConfigurationWithDRToken(drToken string) (*AutopilotConfig, error)
- func (c *Sys) RaftAutopilotState() (*AutopilotState, error)
- func (c *Sys) RaftAutopilotStateWithContext(ctx context.Context) (*AutopilotState, error)
- func (c *Sys) RaftAutopilotStateWithDRToken(drToken string) (*AutopilotState, error)
- func (c *Sys) RaftJoin(opts *RaftJoinRequest) (*RaftJoinResponse, error)
- func (c *Sys) RaftJoinWithContext(ctx context.Context, opts *RaftJoinRequest) (*RaftJoinResponse, error)
- func (c *Sys) RaftSnapshot(snapWriter io.Writer) error
- func (c *Sys) RaftSnapshotRestore(snapReader io.Reader, force bool) error
- func (c *Sys) RaftSnapshotRestoreWithContext(ctx context.Context, snapReader io.Reader, force bool) error
- func (c *Sys) RaftSnapshotWithContext(ctx context.Context, snapWriter io.Writer) error
- func (c *Sys) RegisterPlugin(i *RegisterPluginInput) error
- func (c *Sys) RegisterPluginWithContext(ctx context.Context, i *RegisterPluginInput) error
- func (c *Sys) RekeyCancel() error
- func (c *Sys) RekeyCancelWithContext(ctx context.Context) error
- func (c *Sys) RekeyDeleteBackup() error
- func (c *Sys) RekeyDeleteBackupWithContext(ctx context.Context) error
- func (c *Sys) RekeyDeleteRecoveryBackup() error
- func (c *Sys) RekeyDeleteRecoveryBackupWithContext(ctx context.Context) error
- func (c *Sys) RekeyInit(config *RekeyInitRequest) (*RekeyStatusResponse, error)
- func (c *Sys) RekeyInitWithContext(ctx context.Context, config *RekeyInitRequest) (*RekeyStatusResponse, error)
- func (c *Sys) RekeyRecoveryKeyCancel() error
- func (c *Sys) RekeyRecoveryKeyCancelWithContext(ctx context.Context) error
- func (c *Sys) RekeyRecoveryKeyInit(config *RekeyInitRequest) (*RekeyStatusResponse, error)
- func (c *Sys) RekeyRecoveryKeyInitWithContext(ctx context.Context, config *RekeyInitRequest) (*RekeyStatusResponse, error)
- func (c *Sys) RekeyRecoveryKeyStatus() (*RekeyStatusResponse, error)
- func (c *Sys) RekeyRecoveryKeyStatusWithContext(ctx context.Context) (*RekeyStatusResponse, error)
- func (c *Sys) RekeyRecoveryKeyUpdate(shard, nonce string) (*RekeyUpdateResponse, error)
- func (c *Sys) RekeyRecoveryKeyUpdateWithContext(ctx context.Context, shard, nonce string) (*RekeyUpdateResponse, error)
- func (c *Sys) RekeyRecoveryKeyVerificationCancel() error
- func (c *Sys) RekeyRecoveryKeyVerificationCancelWithContext(ctx context.Context) error
- func (c *Sys) RekeyRecoveryKeyVerificationStatus() (*RekeyVerificationStatusResponse, error)
- func (c *Sys) RekeyRecoveryKeyVerificationStatusWithContext(ctx context.Context) (*RekeyVerificationStatusResponse, error)
- func (c *Sys) RekeyRecoveryKeyVerificationUpdate(shard, nonce string) (*RekeyVerificationUpdateResponse, error)
- func (c *Sys) RekeyRecoveryKeyVerificationUpdateWithContext(ctx context.Context, shard, nonce string) (*RekeyVerificationUpdateResponse, error)
- func (c *Sys) RekeyRetrieveBackup() (*RekeyRetrieveResponse, error)
- func (c *Sys) RekeyRetrieveBackupWithContext(ctx context.Context) (*RekeyRetrieveResponse, error)
- func (c *Sys) RekeyRetrieveRecoveryBackup() (*RekeyRetrieveResponse, error)
- func (c *Sys) RekeyRetrieveRecoveryBackupWithContext(ctx context.Context) (*RekeyRetrieveResponse, error)
- func (c *Sys) RekeyStatus() (*RekeyStatusResponse, error)
- func (c *Sys) RekeyStatusWithContext(ctx context.Context) (*RekeyStatusResponse, error)
- func (c *Sys) RekeyUpdate(shard, nonce string) (*RekeyUpdateResponse, error)
- func (c *Sys) RekeyUpdateWithContext(ctx context.Context, shard, nonce string) (*RekeyUpdateResponse, error)
- func (c *Sys) RekeyVerificationCancel() error
- func (c *Sys) RekeyVerificationCancelWithContext(ctx context.Context) error
- func (c *Sys) RekeyVerificationStatus() (*RekeyVerificationStatusResponse, error)
- func (c *Sys) RekeyVerificationStatusWithContext(ctx context.Context) (*RekeyVerificationStatusResponse, error)
- func (c *Sys) RekeyVerificationUpdate(shard, nonce string) (*RekeyVerificationUpdateResponse, error)
- func (c *Sys) RekeyVerificationUpdateWithContext(ctx context.Context, shard, nonce string) (*RekeyVerificationUpdateResponse, error)
- func (c *Sys) ReloadPlugin(i *ReloadPluginInput) (string, error)
- func (c *Sys) ReloadPluginStatus(reloadStatusInput *ReloadPluginStatusInput) (*ReloadStatusResponse, error)
- func (c *Sys) ReloadPluginStatusWithContext(ctx context.Context, reloadStatusInput *ReloadPluginStatusInput) (*ReloadStatusResponse, error)
- func (c *Sys) ReloadPluginWithContext(ctx context.Context, i *ReloadPluginInput) (string, error)
- func (c *Sys) Remount(from, to string) error
- func (c *Sys) RemountStatus(migrationID string) (*MountMigrationStatusOutput, error)
- func (c *Sys) RemountStatusWithContext(ctx context.Context, migrationID string) (*MountMigrationStatusOutput, error)
- func (c *Sys) RemountWithContext(ctx context.Context, from, to string) error
- func (c *Sys) Renew(id string, increment int) (*Secret, error)
- func (c *Sys) RenewWithContext(ctx context.Context, id string, increment int) (*Secret, error)
- func (c *Sys) ResetUnsealProcess() (*SealStatusResponse, error)
- func (c *Sys) ResetUnsealProcessWithContext(ctx context.Context) (*SealStatusResponse, error)
- func (c *Sys) Revoke(id string) error
- func (c *Sys) RevokeForce(id string) error
- func (c *Sys) RevokeForceWithContext(ctx context.Context, id string) error
- func (c *Sys) RevokePrefix(id string) error
- func (c *Sys) RevokePrefixWithContext(ctx context.Context, id string) error
- func (c *Sys) RevokeWithContext(ctx context.Context, id string) error
- func (c *Sys) RevokeWithOptions(opts *RevokeOptions) error
- func (c *Sys) RevokeWithOptionsWithContext(ctx context.Context, opts *RevokeOptions) error
- func (c *Sys) Rotate() error
- func (c *Sys) RotateWithContext(ctx context.Context) error
- func (c *Sys) Seal() error
- func (c *Sys) SealStatus() (*SealStatusResponse, error)
- func (c *Sys) SealStatusWithContext(ctx context.Context) (*SealStatusResponse, error)
- func (c *Sys) SealWithContext(ctx context.Context) error
- func (c *Sys) StartRemount(from, to string) (*MountMigrationOutput, error)
- func (c *Sys) StartRemountWithContext(ctx context.Context, from, to string) (*MountMigrationOutput, error)
- func (c *Sys) StepDown() error
- func (c *Sys) StepDownWithContext(ctx context.Context) error
- func (c *Sys) TuneMount(path string, config MountConfigInput) error
- func (c *Sys) TuneMountWithContext(ctx context.Context, path string, config MountConfigInput) error
- func (c *Sys) Unmount(path string) error
- func (c *Sys) UnmountWithContext(ctx context.Context, path string) error
- func (c *Sys) Unseal(shard string) (*SealStatusResponse, error)
- func (c *Sys) UnsealWithContext(ctx context.Context, shard string) (*SealStatusResponse, error)
- func (c *Sys) UnsealWithOptions(opts *UnsealOpts) (*SealStatusResponse, error)
- func (c *Sys) UnsealWithOptionsWithContext(ctx context.Context, opts *UnsealOpts) (*SealStatusResponse, error)
- type TLSConfig
- type TokenAuth
- func (c *TokenAuth) Create(opts *TokenCreateRequest) (*Secret, error)
- func (c *TokenAuth) CreateOrphan(opts *TokenCreateRequest) (*Secret, error)
- func (c *TokenAuth) CreateOrphanWithContext(ctx context.Context, opts *TokenCreateRequest) (*Secret, error)
- func (c *TokenAuth) CreateWithContext(ctx context.Context, opts *TokenCreateRequest) (*Secret, error)
- func (c *TokenAuth) CreateWithRole(opts *TokenCreateRequest, roleName string) (*Secret, error)
- func (c *TokenAuth) CreateWithRoleWithContext(ctx context.Context, opts *TokenCreateRequest, roleName string) (*Secret, error)
- func (c *TokenAuth) Lookup(token string) (*Secret, error)
- func (c *TokenAuth) LookupAccessor(accessor string) (*Secret, error)
- func (c *TokenAuth) LookupAccessorWithContext(ctx context.Context, accessor string) (*Secret, error)
- func (c *TokenAuth) LookupSelf() (*Secret, error)
- func (c *TokenAuth) LookupSelfWithContext(ctx context.Context) (*Secret, error)
- func (c *TokenAuth) LookupWithContext(ctx context.Context, token string) (*Secret, error)
- func (c *TokenAuth) Renew(token string, increment int) (*Secret, error)
- func (c *TokenAuth) RenewAccessor(accessor string, increment int) (*Secret, error)
- func (c *TokenAuth) RenewAccessorWithContext(ctx context.Context, accessor string, increment int) (*Secret, error)
- func (c *TokenAuth) RenewSelf(increment int) (*Secret, error)
- func (c *TokenAuth) RenewSelfWithContext(ctx context.Context, increment int) (*Secret, error)
- func (c *TokenAuth) RenewTokenAsSelf(token string, increment int) (*Secret, error)
- func (c *TokenAuth) RenewTokenAsSelfWithContext(ctx context.Context, token string, increment int) (*Secret, error)
- func (c *TokenAuth) RenewWithContext(ctx context.Context, token string, increment int) (*Secret, error)
- func (c *TokenAuth) RevokeAccessor(accessor string) error
- func (c *TokenAuth) RevokeAccessorWithContext(ctx context.Context, accessor string) error
- func (c *TokenAuth) RevokeOrphan(token string) error
- func (c *TokenAuth) RevokeOrphanWithContext(ctx context.Context, token string) error
- func (c *TokenAuth) RevokeSelf(token string) error
- func (c *TokenAuth) RevokeSelfWithContext(ctx context.Context, token string) error
- func (c *TokenAuth) RevokeTree(token string) error
- func (c *TokenAuth) RevokeTreeWithContext(ctx context.Context, token string) error
- type TokenCreateRequest
- type UnsealOpts
- type UserLockoutConfigInput
- type UserLockoutConfigOutput
- type WrappingLookupFunc
Constants ¶
const ( EnvVaultAddress = "BAO_ADDR" EnvVaultAgentAddr = "BAO_AGENT_ADDR" EnvVaultCACert = "BAO_CACERT" EnvVaultCACertBytes = "BAO_CACERT_BYTES" EnvVaultCAPath = "BAO_CAPATH" EnvVaultClientCert = "BAO_CLIENT_CERT" EnvVaultClientKey = "BAO_CLIENT_KEY" EnvVaultClientTimeout = "BAO_CLIENT_TIMEOUT" EnvVaultSRVLookup = "BAO_SRV_LOOKUP" EnvVaultSkipVerify = "BAO_SKIP_VERIFY" EnvVaultNamespace = "BAO_NAMESPACE" EnvVaultTLSServerName = "BAO_TLS_SERVER_NAME" EnvVaultWrapTTL = "BAO_WRAP_TTL" EnvVaultMaxRetries = "BAO_MAX_RETRIES" EnvVaultToken = "BAO_TOKEN" EnvVaultMFA = "BAO_MFA" EnvRateLimit = "BAO_RATE_LIMIT" EnvHTTPProxy = "BAO_HTTP_PROXY" EnvVaultProxyAddr = "BAO_PROXY_ADDR" EnvVaultDisableRedirects = "BAO_DISABLE_REDIRECTS" // NamespaceHeaderName is the header set to specify which namespace the // request is indented for. NamespaceHeaderName = "X-Vault-Namespace" // AuthHeaderName is the name of the header containing the token. AuthHeaderName = "X-Vault-Token" // RequestHeaderName is the name of the header used by the Agent for // SSRF protection. RequestHeaderName = "X-Vault-Request" TLSErrorString = "This error usually means that the server is running with TLS disabled\n" + "but the client is configured to use TLS. Please either enable TLS\n" + "on the server or run the client with -address set to an address\n" + "that uses the http protocol:\n\n" + " vault <command> -address http://<address>\n\n" + "You can also set the BAO_ADDR environment variable:\n\n\n" + " BAO_ADDR=http://<address> vault <command>\n\n" + "where <address> is replaced by the actual address to the server." )
const ( EnvVaultAgentAddress = "BAO_AGENT_ADDR" EnvVaultInsecure = "BAO_SKIP_VERIFY" )
Deprecated values
const ( KVOptionCheckAndSet = "cas" KVOptionMethod = "method" KVMergeMethodPatch = "patch" KVMergeMethodReadWrite = "rw" )
const ( // PluginAutoMTLSEnv is used to ensure AutoMTLS is used. This will override // setting a TLSProviderFunc for a plugin. PluginAutoMTLSEnv = "BAO_PLUGIN_AUTOMTLS_ENABLED" // PluginMetadataModeEnv is an ENV name used to disable TLS communication // to bootstrap mounting plugins. PluginMetadataModeEnv = "BAO_PLUGIN_METADATA_MODE" // PluginUnwrapTokenEnv is the ENV name used to pass unwrap tokens to the // plugin. PluginUnwrapTokenEnv = "BAO_UNWRAP_TOKEN" )
const ( // SSHHelperDefaultMountPoint is the default path at which SSH backend will be // mounted in the Vault server. SSHHelperDefaultMountPoint = "ssh" // VerifyEchoRequest is the echo request message sent as OTP by the helper. VerifyEchoRequest = "verify-echo-request" // VerifyEchoResponse is the echo response message sent as a response to OTP // matching echo request. VerifyEchoResponse = "verify-echo-response" )
const (
ErrOutputPolicyRequest = "output a policy, please"
)
const (
ErrOutputStringRequest = "output a string, please"
)
Variables ¶
var ( ErrLifetimeWatcherMissingInput = errors.New("missing input") ErrLifetimeWatcherMissingSecret = errors.New("missing secret") ErrLifetimeWatcherNotRenewable = errors.New("secret is not renewable") ErrLifetimeWatcherNoSecretData = errors.New("returned empty secret data") // Deprecated; kept for compatibility ErrRenewerMissingInput = errors.New("missing input to renewer") ErrRenewerMissingSecret = errors.New("missing secret to renew") ErrRenewerNotRenewable = errors.New("secret is not renewable") ErrRenewerNoSecretData = errors.New("returned empty secret data") // DefaultLifetimeWatcherRenewBuffer is the default size of the buffer for renew // messages on the channel. DefaultLifetimeWatcherRenewBuffer = 5 // Deprecated: kept for backwards compatibility DefaultRenewerRenewBuffer = 5 )
var ( // The default TTL that will be used with `sys/wrapping/wrap`, can be // changed DefaultWrappingTTL = "5m" // The default function used if no other function is set. It honors the env // var to set the wrap TTL. The default wrap TTL will apply when when writing // to `sys/wrapping/wrap` when the env var is not set. DefaultWrappingLookupFunc = func(operation, path string) string { if ReadBaoVariable(EnvVaultWrapTTL) != "" { return ReadBaoVariable(EnvVaultWrapTTL) } if (operation == http.MethodPut || operation == http.MethodPost) && path == "sys/wrapping/wrap" { return DefaultWrappingTTL } return "" } )
var ErrIncompleteSnapshot = errors.New("incomplete snapshot, unable to read SHA256SUMS.sealed file")
var ErrSecretNotFound = errors.New("secret not found")
ErrSecretNotFound is returned by KVv1 and KVv2 wrappers to indicate that the secret is missing at the given location.
var PluginTypes = []PluginType{ PluginTypeUnknown, PluginTypeCredential, PluginTypeDatabase, PluginTypeSecrets, }
Functions ¶
func DefaultRetryPolicy ¶
DefaultRetryPolicy is the default retry policy used by new Client objects. It is the same as retryablehttp.DefaultRetryPolicy except that it also retries 412 requests, which are returned by Vault when a X-Vault-Index header isn't satisfied.
func IsSudoPath ¶
Determine whether the given path requires the sudo capability. Note that this uses hardcoded static path information, so will return incorrect results for paths in namespaces, or for secret engines mounted at non-default paths.
func LookupBaoVariable ¶
func ReadBaoVariable ¶
func VaultPluginTLSProvider ¶
VaultPluginTLSProvider wraps VaultPluginTLSProviderContext using context.Background.
Types ¶
type Auth ¶
type Auth struct {
// contains filtered or unexported fields
}
Auth is used to perform credential backend related operations.
func (*Auth) Login ¶
Login sets up the required request body for login requests to the given auth method's /login API endpoint, and then performs a write to it. After a successful login, this method will automatically set the client's token to the login response's ClientToken as well.
The Secret returned is the authentication secret, which if desired can be passed as input to the NewLifetimeWatcher method in order to start automatically renewing the token.
func (*Auth) MFALogin ¶
func (a *Auth) MFALogin(ctx context.Context, authMethod AuthMethod, creds ...string) (*Secret, error)
MFALogin is a wrapper that helps satisfy Vault's MFA implementation. If optional credentials are provided a single-phase login will be attempted and the resulting Secret will contain a ClientToken if the authentication is successful. The client's token will also be set accordingly.
If no credentials are provided a two-phase MFA login will be assumed and the resulting Secret will have a MFARequirement containing the MFARequestID to be used in a follow-up call to `sys/mfa/validate` or by passing it to the method (*Auth).MFAValidate.
func (*Auth) MFAValidate ¶
func (a *Auth) MFAValidate(ctx context.Context, mfaSecret *Secret, payload map[string]interface{}) (*Secret, error)
MFAValidate validates an MFA request using the appropriate payload and a secret containing Auth.MFARequirement, like the one returned by MFALogin when credentials are not provided. Upon successful validation the client token will be set accordingly.
The Secret returned is the authentication secret, which if desired can be passed as input to the NewLifetimeWatcher method in order to start automatically renewing the token.
type AuthConfigInput ¶
type AuthConfigInput = MountConfigInput
Rather than duplicate, we can use modern Go's type aliasing
type AuthConfigOutput ¶
type AuthConfigOutput = MountConfigOutput
Rather than duplicate, we can use modern Go's type aliasing
type AuthMethod ¶
type AuthMount ¶
type AuthMount = MountOutput
Rather than duplicate, we can use modern Go's type aliasing
type AutopilotConfig ¶
type AutopilotConfig struct { CleanupDeadServers bool `json:"cleanup_dead_servers" mapstructure:"cleanup_dead_servers"` LastContactThreshold time.Duration `json:"last_contact_threshold" mapstructure:"-"` DeadServerLastContactThreshold time.Duration `json:"dead_server_last_contact_threshold" mapstructure:"-"` MaxTrailingLogs uint64 `json:"max_trailing_logs" mapstructure:"max_trailing_logs"` MinQuorum uint `json:"min_quorum" mapstructure:"min_quorum"` ServerStabilizationTime time.Duration `json:"server_stabilization_time" mapstructure:"-"` }
AutopilotConfig is used for querying/setting the Autopilot configuration.
func (*AutopilotConfig) MarshalJSON ¶
func (ac *AutopilotConfig) MarshalJSON() ([]byte, error)
MarshalJSON makes the autopilot config fields JSON compatible
func (*AutopilotConfig) UnmarshalJSON ¶
func (ac *AutopilotConfig) UnmarshalJSON(b []byte) error
UnmarshalJSON parses the autopilot config JSON blob
type AutopilotServer ¶
type AutopilotServer struct { ID string `mapstructure:"id"` Name string `mapstructure:"name"` Address string `mapstructure:"address"` NodeStatus string `mapstructure:"node_status"` LastContact string `mapstructure:"last_contact"` LastTerm uint64 `mapstructure:"last_term"` LastIndex uint64 `mapstructure:"last_index"` Healthy bool `mapstructure:"healthy"` StableSince string `mapstructure:"stable_since"` Status string `mapstructure:"status"` Version string `mapstructure:"version"` UpgradeVersion string `mapstructure:"upgrade_version,omitempty"` NodeType string `mapstructure:"node_type,omitempty"` }
AutopilotServer represents the server blocks in the response of the raft autopilot state API.
type AutopilotState ¶
type AutopilotState struct { Healthy bool `mapstructure:"healthy"` FailureTolerance int `mapstructure:"failure_tolerance"` Servers map[string]*AutopilotServer `mapstructure:"servers"` Leader string `mapstructure:"leader"` Voters []string `mapstructure:"voters"` NonVoters []string `mapstructure:"non_voters"` Upgrade *AutopilotUpgrade `mapstructure:"upgrade_info,omitempty"` OptimisticFailureTolerance int `mapstructure:"optimistic_failure_tolerance,omitempty"` }
AutopilotState represents the response of the raft autopilot state API
type AutopilotUpgrade ¶
type AutopilotUpgrade struct { Status string `mapstructure:"status"` TargetVersion string `mapstructure:"target_version,omitempty"` TargetVersionVoters []string `mapstructure:"target_version_voters,omitempty"` TargetVersionNonVoters []string `mapstructure:"target_version_non_voters,omitempty"` TargetVersionReadReplicas []string `mapstructure:"target_version_read_replicas,omitempty"` OtherVersionVoters []string `mapstructure:"other_version_voters,omitempty"` OtherVersionNonVoters []string `mapstructure:"other_version_non_voters,omitempty"` OtherVersionReadReplicas []string `mapstructure:"other_version_read_replicas,omitempty"` }
type AutopilotZone ¶
type AutopilotZoneUpgradeVersions ¶
type AutopilotZoneUpgradeVersions struct { TargetVersionVoters []string `mapstructure:"target_version_voters,omitempty"` TargetVersionNonVoters []string `mapstructure:"target_version_non_voters,omitempty"` OtherVersionVoters []string `mapstructure:"other_version_voters,omitempty"` OtherVersionNonVoters []string `mapstructure:"other_version_non_voters,omitempty"` }
type CORSRequest ¶
type CORSResponse ¶
type Client ¶
type Client struct {
// contains filtered or unexported fields
}
Client is the client to the Vault API. Create a client with NewClient.
func NewClient ¶
NewClient returns a new client for the given configuration.
If the configuration is nil, Vault will use configuration from DefaultConfig(), which is the recommended starting configuration.
If the environment variable `BAO_TOKEN` is present, the token will be automatically added to the client. Otherwise, you must manually call `SetToken()`.
func (*Client) AddHeader ¶
AddHeader allows a single header key/value pair to be added in a race-safe fashion.
func (*Client) CheckRetry ¶
func (c *Client) CheckRetry() retryablehttp.CheckRetry
func (*Client) ClearNamespace ¶
func (c *Client) ClearNamespace()
ClearNamespace removes the namespace header if set.
func (*Client) ClearToken ¶
func (c *Client) ClearToken()
ClearToken deletes the token if it is set or does nothing otherwise.
func (*Client) ClientTimeout ¶
func (*Client) Clone ¶
Clone creates a new client with the same configuration. Note that the same underlying http.Client is used; modifying the client from more than one goroutine at once may not be safe, so modify the client as needed and then clone. The headers are cloned based on the CloneHeaders property of the source config
Also, only the client's config is currently copied; this means items not in the api.Config struct, such as policy override and wrapping function behavior, must currently then be set as desired on the new client.
func (*Client) CloneConfig ¶
func (*Client) CloneHeaders ¶
CloneHeaders gets the configured CloneHeaders value.
func (*Client) CloneToken ¶
CloneToken gets the configured CloneToken value.
func (*Client) CloneWithHeaders ¶
CloneWithHeaders creates a new client similar to Clone, with the difference being that the headers are always cloned
func (*Client) CurrentWrappingLookupFunc ¶
func (c *Client) CurrentWrappingLookupFunc() WrappingLookupFunc
CurrentWrappingLookupFunc sets a lookup function that returns desired wrap TTLs for a given operation and path.
func (*Client) DisableKeepAlives ¶
func (*Client) Headers ¶
Headers gets the current set of headers used for requests. This returns a copy; to modify it call AddHeader or SetHeaders.
func (*Client) HelpWithContext ¶
HelpWithContext reads the help information for the given path.
func (*Client) KVv1 ¶
KVv1 is used to return a client for reads and writes against a KV v1 secrets engine in Vault.
The mount path is the location where the target KV secrets engine resides in Vault.
While v1 is not necessarily deprecated, Vault development servers tend to use v2 as the version of the KV secrets engine, as this is what's mounted by default when a server is started in -dev mode. See the kvv2 struct.
Learn more about the KV secrets engine here: https://www.vaultproject.io/docs/secrets/kv
func (*Client) KVv2 ¶
KVv2 is used to return a client for reads and writes against a KV v2 secrets engine in Vault.
The mount path is the location where the target KV secrets engine resides in Vault.
Vault development servers tend to have "secret" as the mount path, as these are the default settings when a server is started in -dev mode.
Learn more about the KV secrets engine here: https://www.vaultproject.io/docs/secrets/kv
func (*Client) MaxIdleConnections ¶
func (*Client) MaxRetries ¶
func (*Client) MaxRetryWait ¶
func (*Client) MinRetryWait ¶
func (*Client) Namespace ¶
Namespace returns the namespace currently set in this client. It will return an empty string if there is no namespace set.
func (*Client) NewLifetimeWatcher ¶
func (c *Client) NewLifetimeWatcher(i *LifetimeWatcherInput) (*LifetimeWatcher, error)
NewLifetimeWatcher creates a new renewer from the given input.
func (*Client) NewRenewer
deprecated
func (c *Client) NewRenewer(i *LifetimeWatcherInput) (*LifetimeWatcher, error)
Deprecated: exists only for backwards compatibility. Calls NewLifetimeWatcher, and sets compatibility flags.
func (*Client) NewRequest ¶
NewRequest creates a new raw request object to query the Vault server configured for this client. This is an advanced method and generally doesn't need to be called externally.
func (*Client) OutputCurlString ¶
func (*Client) OutputPolicy ¶
func (*Client) RawRequest
deprecated
RawRequest performs the raw request given. This request may be against a Vault server not configured with this client. This is an advanced operation that generally won't need to be called externally.
Deprecated: RawRequest exists for historical compatibility and should not be used directly. Use client.Logical().ReadRaw(...) or higher level methods instead.
func (*Client) RawRequestWithContext
deprecated
RawRequestWithContext performs the raw request given. This request may be against a Vault server not configured with this client. This is an advanced operation that generally won't need to be called externally.
Deprecated: RawRequestWithContext exists for historical compatibility and should not be used directly. Use client.Logical().ReadRawWithContext(...) or higher level methods instead.
func (*Client) SSHHelper ¶
SSHHelper creates an SSHHelper object which can talk to Vault server with SSH backend mounted at default path ("ssh").
func (*Client) SSHHelperWithMountPoint ¶
SSHHelperWithMountPoint creates an SSHHelper object which can talk to Vault server with SSH backend mounted at a specific mount point.
func (*Client) SSHWithMountPoint ¶
SSHWithMountPoint returns the client with specific SSH mount point.
func (*Client) SetAddress ¶
SetAddress sets the address of Vault in the client. The format of address should be "<Scheme>://<Host>:<Port>". Setting this on a client will override the value of BAO_ADDR environment variable.
func (*Client) SetBackoff ¶
func (c *Client) SetBackoff(backoff retryablehttp.Backoff)
SetBackoff sets the backoff function to be used for future requests.
func (*Client) SetCheckRedirect ¶
func (*Client) SetCheckRetry ¶
func (c *Client) SetCheckRetry(checkRetry retryablehttp.CheckRetry)
SetCheckRetry sets the CheckRetry function to be used for future requests.
func (*Client) SetClientTimeout ¶
SetClientTimeout sets the client request timeout
func (*Client) SetCloneHeaders ¶
SetCloneHeaders to allow headers to be copied whenever the client is cloned.
func (*Client) SetCloneToken ¶
SetCloneToken from parent
func (*Client) SetDisableKeepAlives ¶
func (*Client) SetHeaders ¶
SetHeaders clears all previous headers and uses only the given ones going forward.
func (*Client) SetLimiter ¶
SetLimiter will set the rate limiter for this client. This method is thread-safe. rateLimit and burst are specified according to https://godoc.org/golang.org/x/time/rate#NewLimiter
func (*Client) SetMFACreds ¶
SetMFACreds sets the MFA credentials supplied either via the environment variable or via the command line.
func (*Client) SetMaxIdleConnections ¶
func (*Client) SetMaxRetries ¶
SetMaxRetries sets the number of retries that will be used in the case of certain errors
func (*Client) SetMaxRetryWait ¶
SetMaxRetryWait sets the maximum time to wait before retrying in the case of certain errors.
func (*Client) SetMinRetryWait ¶
SetMinRetryWait sets the minimum time to wait before retrying in the case of certain errors.
func (*Client) SetNamespace ¶
SetNamespace sets the namespace supplied either via the environment variable or via the command line.
func (*Client) SetOutputCurlString ¶
func (*Client) SetOutputPolicy ¶
func (*Client) SetPolicyOverride ¶
SetPolicyOverride sets whether requests should be sent with the policy override flag to request overriding soft-mandatory Sentinel policies (both RGPs and EGPs)
func (*Client) SetSRVLookup ¶
func (*Client) SetToken ¶
SetToken sets the token directly. This won't perform any auth verification, it simply sets the token properly for future requests.
func (*Client) SetWrappingLookupFunc ¶
func (c *Client) SetWrappingLookupFunc(lookupFunc WrappingLookupFunc)
SetWrappingLookupFunc sets a lookup function that returns desired wrap TTLs for a given operation and path.
func (*Client) Token ¶
Token returns the access token being used by this client. It will return the empty string if there is no token set.
func (*Client) WithNamespace ¶
WithNamespace makes a shallow copy of Client, modifies it to use the given namespace, and returns it. Passing an empty string will temporarily unset the namespace.
func (*Client) WithRequestCallbacks ¶
func (c *Client) WithRequestCallbacks(callbacks ...RequestCallback) *Client
WithRequestCallbacks makes a shallow clone of Client, modifies it to use the given callbacks, and returns it. Each of the callbacks will be invoked on every outgoing request. A client may be used to issue requests concurrently; any locking needed by callbacks invoked concurrently is the callback's responsibility.
func (*Client) WithResponseCallbacks ¶
func (c *Client) WithResponseCallbacks(callbacks ...ResponseCallback) *Client
WithResponseCallbacks makes a shallow clone of Client, modifies it to use the given callbacks, and returns it. Each of the callbacks will be invoked on every received response. A client may be used to issue requests concurrently; any locking needed by callbacks invoked concurrently is the callback's responsibility.
type Config ¶
type Config struct { // Address is the address of the Vault server. This should be a complete // URL such as "http://vault.example.com". If you need a custom SSL // cert or want to enable insecure mode, you need to specify a custom // HttpClient. Address string // AgentAddress is the address of the local Vault agent. This should be a // complete URL such as "http://vault.example.com". AgentAddress string // HttpClient is the HTTP client to use. Vault sets sane defaults for the // http.Client and its associated http.Transport created in DefaultConfig. // If you must modify Vault's defaults, it is suggested that you start with // that client and modify as needed rather than start with an empty client // (or http.DefaultClient). HttpClient *http.Client // MinRetryWait controls the minimum time to wait before retrying when a 5xx // error occurs. Defaults to 1000 milliseconds. MinRetryWait time.Duration // MaxRetryWait controls the maximum time to wait before retrying when a 5xx // error occurs. Defaults to 1500 milliseconds. MaxRetryWait time.Duration // MaxRetries controls the maximum number of times to retry when a 5xx // error occurs. Set to 0 to disable retrying. Defaults to 2 (for a total // of three tries). MaxRetries int // Timeout, given a non-negative value, will apply the request timeout // to each request function unless an earlier deadline is passed to the // request function through context.Context. Note that this timeout is // not applicable to Logical().ReadRaw* (raw response) functions. // Defaults to 60 seconds. Timeout time.Duration // If there is an error when creating the configuration, this will be the // error Error error // The Backoff function to use; a default is used if not provided Backoff retryablehttp.Backoff // The CheckRetry function to use; a default is used if not provided CheckRetry retryablehttp.CheckRetry // Logger is the leveled logger to provide to the retryable HTTP client. Logger retryablehttp.LeveledLogger // Limiter is the rate limiter used by the client. // If this pointer is nil, then there will be no limit set. // In contrast, if this pointer is set, even to an empty struct, // then that limiter will be used. Note that an empty Limiter // is equivalent blocking all events. Limiter *rate.Limiter // OutputCurlString causes the actual request to return an error of type // *OutputStringError. Type asserting the error message will allow // fetching a cURL-compatible string for the operation. // // Note: It is not thread-safe to set this and make concurrent requests // with the same client. Cloning a client will not clone this value. OutputCurlString bool // OutputPolicy causes the actual request to return an error of type // *OutputPolicyError. Type asserting the error message will display // an example of the required policy HCL needed for the operation. // // Note: It is not thread-safe to set this and make concurrent requests // with the same client. Cloning a client will not clone this value. OutputPolicy bool // SRVLookup enables the client to lookup the host through DNS SRV lookup SRVLookup bool // CloneHeaders ensures that the source client's headers are copied to // its clone. CloneHeaders bool // CloneToken from parent. CloneToken bool // DisableRedirects when set to true, will prevent the client from // automatically following a (single) redirect response to its initial // request. This behavior may be desirable if using Vault CLI on the server // side. // // Note: Disabling redirect following behavior could cause issues with // commands such as 'vault operator raft snapshot' as this redirects to the // primary node. DisableRedirects bool // contains filtered or unexported fields }
Config is used to configure the creation of the client.
func DefaultConfig ¶
func DefaultConfig() *Config
DefaultConfig returns a default configuration for the client. It is safe to modify the return value of this function.
The default Address is https://127.0.0.1:8200, but this can be overridden by setting the `BAO_ADDR` environment variable.
If an error is encountered, the Error field on the returned *Config will be populated with the specific error.
func (*Config) ConfigureTLS ¶
ConfigureTLS takes a set of TLS configurations and applies those to the HTTP client.
func (*Config) ParseAddress ¶
ParseAddress transforms the provided address into a url.URL and handles the case of Unix domain sockets by setting the DialContext in the configuration's HttpClient.Transport. This function must be called with c.modifyLock held for write access.
func (*Config) ReadEnvironment ¶
ReadEnvironment reads configuration information from the environment. If there is an error, no configuration value is updated.
type DeregisterPluginInput ¶
type DeregisterPluginInput struct { // Name is the name of the plugin. Required. Name string `json:"-"` // Type of the plugin. Required. Type PluginType `json:"type"` // Version of the plugin. Optional. Version string `json:"version,omitempty"` }
DeregisterPluginInput is used as input to the DeregisterPlugin function.
type EnableAuditOptions ¶
type EnableAuthOptions ¶
type EnableAuthOptions = MountInput
Rather than duplicate, we can use modern Go's type aliasing
type ErrorResponse ¶
type ErrorResponse struct {
Errors []string
}
ErrorResponse is the raw structure of errors when they're returned by the HTTP API.
type GenerateRootStatusResponse ¶
type GenerateRootStatusResponse struct { Nonce string `json:"nonce"` Started bool `json:"started"` Progress int `json:"progress"` Required int `json:"required"` Complete bool `json:"complete"` EncodedToken string `json:"encoded_token"` EncodedRootToken string `json:"encoded_root_token"` PGPFingerprint string `json:"pgp_fingerprint"` OTP string `json:"otp"` OTPLength int `json:"otp_length"` }
type GetPluginInput ¶
type GetPluginInput struct { Name string `json:"-"` // Type of the plugin. Required. Type PluginType `json:"type"` Version string `json:"version"` }
GetPluginInput is used as input to the GetPlugin function.
type GetPluginResponse ¶
type GetPluginResponse struct { Args []string `json:"args"` Builtin bool `json:"builtin"` Command string `json:"command"` Name string `json:"name"` SHA256 string `json:"sha256"` DeprecationStatus string `json:"deprecation_status,omitempty"` Version string `json:"version,omitempty"` }
GetPluginResponse is the response from the GetPlugin call.
type HANode ¶
type HANode struct { Hostname string `json:"hostname"` APIAddress string `json:"api_address"` ClusterAddress string `json:"cluster_address"` ActiveNode bool `json:"active_node"` LastEcho *time.Time `json:"last_echo"` Version string `json:"version"` UpgradeVersion string `json:"upgrade_version,omitempty"` }
type HAStatusResponse ¶
type HAStatusResponse struct {
Nodes []HANode
}
type HealthResponse ¶
type HealthResponse struct { Initialized bool `json:"initialized"` Sealed bool `json:"sealed"` Standby bool `json:"standby"` ServerTimeUTC int64 `json:"server_time_utc"` Version string `json:"version"` ClusterName string `json:"cluster_name,omitempty"` ClusterID string `json:"cluster_id,omitempty"` LastWAL uint64 `json:"last_wal,omitempty"` }
type InitRequest ¶
type InitResponse ¶
type InitStatusResponse ¶
type InitStatusResponse struct {
Initialized bool
}
type KVMetadata ¶
type KVMetadata struct { CASRequired bool `mapstructure:"cas_required"` CreatedTime time.Time `mapstructure:"created_time"` CurrentVersion int `mapstructure:"current_version"` CustomMetadata map[string]interface{} `mapstructure:"custom_metadata"` DeleteVersionAfter time.Duration `mapstructure:"delete_version_after"` MaxVersions int `mapstructure:"max_versions"` OldestVersion int `mapstructure:"oldest_version"` UpdatedTime time.Time `mapstructure:"updated_time"` // Keys are stringified ints, e.g. "3". To get a sorted slice of version metadata, use GetVersionsAsList. Versions map[string]KVVersionMetadata `mapstructure:"versions"` Raw *Secret }
KVMetadata is the full metadata for a given KV v2 secret.
type KVMetadataPatchInput ¶
type KVMetadataPatchInput struct { CASRequired *bool CustomMetadata map[string]interface{} DeleteVersionAfter *time.Duration MaxVersions *int }
KVMetadataPatchInput is the subset of metadata that can be manually modified for a KV v2 secret using the PatchMetadata method.
The struct's fields are all pointers. A pointer to a field's zero value (e.g. false for *bool) implies that field should be reset to its zero value after update, whereas a field left as a nil pointer (e.g. nil for *bool) implies the field should remain unchanged.
Since maps are already pointers, use an empty map to remove all custom metadata.
type KVMetadataPutInput ¶
type KVMetadataPutInput struct { CASRequired bool CustomMetadata map[string]interface{} DeleteVersionAfter time.Duration MaxVersions int }
KVMetadataPutInput is the subset of metadata that can be replaced for a KV v2 secret using the PutMetadata method.
All fields should be explicitly provided, as any fields left unset in the struct will be reset to their zero value.
type KVOption ¶
type KVOption func() (key string, value interface{})
Currently supported options: WithOption, WithCheckAndSet, WithMethod
func WithCheckAndSet ¶
WithCheckAndSet can optionally be passed to perform a check-and-set operation on a KV request. If not set, the write will be allowed. If cas is set to 0, a write will only be allowed if the key doesn't exist. If set to non-zero, the write will only be allowed if the key’s current version matches the version specified in the cas parameter.
func WithMergeMethod ¶
WithMergeMethod can optionally be passed to dictate which type of patch to perform in a Patch request. If set to "patch", then an HTTP PATCH request will be issued. If set to "rw", then a read will be performed, then a local update, followed by a remote update. Defaults to "patch".
func WithOption ¶
WithOption can optionally be passed to provide generic options for a KV request. Valid keys and values depend on the type of request.
type KVSecret ¶
type KVSecret struct { Data map[string]interface{} VersionMetadata *KVVersionMetadata CustomMetadata map[string]interface{} Raw *Secret }
A KVSecret is a key-value secret returned by Vault's KV secrets engine, and is the most basic type of secret stored in Vault.
Data contains the key-value pairs of the secret itself, while Metadata contains a subset of metadata describing this particular version of the secret. The Metadata field for a KV v1 secret will always be nil, as metadata is only supported starting in KV v2.
The Raw field can be inspected for information about the lease, and passed to a LifetimeWatcher object for periodic renewal.
type KVVersionMetadata ¶
type KVVersionMetadata struct { Version int `mapstructure:"version"` CreatedTime time.Time `mapstructure:"created_time"` DeletionTime time.Time `mapstructure:"deletion_time"` Destroyed bool `mapstructure:"destroyed"` }
KVVersionMetadata is a subset of metadata for a given version of a KV v2 secret.
type KVv1 ¶
type KVv1 struct {
// contains filtered or unexported fields
}
type KVv2 ¶
type KVv2 struct {
// contains filtered or unexported fields
}
func (*KVv2) Delete ¶
Delete deletes the most recent version of a secret from the KV v2 secrets engine. To delete an older version, use DeleteVersions.
func (*KVv2) DeleteMetadata ¶
DeleteMetadata deletes all versions and metadata of the secret at the given path.
func (*KVv2) DeleteVersions ¶
DeleteVersions deletes the specified versions of a secret from the KV v2 secrets engine. To delete the latest version of a secret, just use Delete.
func (*KVv2) Destroy ¶
Destroy permanently removes the specified secret versions' data from the Vault server. If no secret exists at the given path, no action will be taken.
A list of existing versions can be retrieved using the GetVersionsAsList method.
func (*KVv2) Get ¶
Get returns the latest version of a secret from the KV v2 secrets engine.
If the latest version has been deleted, an error will not be thrown, but the Data field on the returned secret will be nil, and the Metadata field will contain the deletion time.
func (*KVv2) GetMetadata ¶
GetMetadata returns the full metadata for a given secret, including a map of its existing versions and their respective creation/deletion times, etc.
func (*KVv2) GetVersion ¶
GetVersion returns the data and metadata for a specific version of the given secret.
If that version has been deleted, the Data field on the returned secret will be nil, and the Metadata field will contain the deletion time.
GetVersionsAsList can provide a list of available versions sorted by version number, while the response from GetMetadata contains them as a map.
func (*KVv2) GetVersionsAsList ¶
func (kv *KVv2) GetVersionsAsList(ctx context.Context, secretPath string) ([]KVVersionMetadata, error)
GetVersionsAsList returns a subset of the metadata for each version of the secret, sorted by version number.
func (*KVv2) Patch ¶
func (kv *KVv2) Patch(ctx context.Context, secretPath string, newData map[string]interface{}, opts ...KVOption) (*KVSecret, error)
Patch additively updates the most recent version of a key-value secret, differentiating it from Put which will fully overwrite the previous data. Only the key-value pairs that are new or changing need to be provided.
The WithMethod KVOption function can optionally be passed to dictate which kind of patch to perform, as older Vault server versions (pre-1.9.0) may only be able to use the old "rw" (read-then-write) style of partial update, whereas newer Vault servers can use the default value of "patch" if the client token's policy has the "patch" capability.
func (*KVv2) PatchMetadata ¶
func (kv *KVv2) PatchMetadata(ctx context.Context, secretPath string, metadata KVMetadataPatchInput) error
PatchMetadata can be used to replace just a subset of a secret's metadata fields at a time, as opposed to PutMetadata which is used to completely replace all fields on the previous metadata.
func (*KVv2) Put ¶
func (kv *KVv2) Put(ctx context.Context, secretPath string, data map[string]interface{}, opts ...KVOption) (*KVSecret, error)
Put inserts a key-value secret (e.g. {"password": "Hashi123"}) into the KV v2 secrets engine.
If the secret already exists, a new version will be created and the previous version can be accessed with the GetVersion method. GetMetadata can provide a list of available versions.
func (*KVv2) PutMetadata ¶
func (kv *KVv2) PutMetadata(ctx context.Context, secretPath string, metadata KVMetadataPutInput) error
PutMetadata can be used to fully replace a subset of metadata fields for a given KV v2 secret. All fields will replace the corresponding values on the Vault server. Any fields left as nil will reset the field on the Vault server back to its zero value.
To only partially replace the values of these metadata fields, use PatchMetadata.
This method can also be used to create a new secret with just metadata and no secret data yet.
func (*KVv2) Rollback ¶
Rollback can be used to roll a secret back to a previous non-deleted/non-destroyed version. That previous version becomes the next/newest version for the path.
type LeaderResponse ¶
type LeaderResponse struct { HAEnabled bool `json:"ha_enabled"` IsSelf bool `json:"is_self"` ActiveTime time.Time `json:"active_time"` LeaderAddress string `json:"leader_address"` LeaderClusterAddress string `json:"leader_cluster_address"` RaftCommittedIndex uint64 `json:"raft_committed_index,omitempty"` RaftAppliedIndex uint64 `json:"raft_applied_index,omitempty"` }
type LifetimeWatcher ¶
type LifetimeWatcher struct {
// contains filtered or unexported fields
}
LifetimeWatcher is a process for watching lifetime of a secret.
watcher, err := client.NewLifetimeWatcher(&LifetimeWatcherInput{ Secret: mySecret, }) go watcher.Start() defer watcher.Stop() for { select { case err := <-watcher.DoneCh(): if err != nil { log.Fatal(err) } // Renewal is now over case renewal := <-watcher.RenewCh(): log.Printf("Successfully renewed: %#v", renewal) } }
`DoneCh` will return if renewal fails, or if the remaining lease duration is under a built-in threshold and either renewing is not extending it or renewing is disabled. In both cases, the caller should attempt a re-read of the secret. Clients should check the return value of the channel to see if renewal was successful.
func (*LifetimeWatcher) DoneCh ¶
func (r *LifetimeWatcher) DoneCh() <-chan error
DoneCh returns the channel where the renewer will publish when renewal stops. If there is an error, this will be an error.
func (*LifetimeWatcher) Renew ¶
func (r *LifetimeWatcher) Renew()
Renew is for compatibility with the legacy api.Renewer. Calling Renew simply chains to Start.
func (*LifetimeWatcher) RenewCh ¶
func (r *LifetimeWatcher) RenewCh() <-chan *RenewOutput
RenewCh is a channel that receives a message when a successful renewal takes place and includes metadata about the renewal.
func (*LifetimeWatcher) Start ¶
func (r *LifetimeWatcher) Start()
Start starts a background process for watching the lifetime of this secret. If renewal is enabled, when the secret has auth data, this attempts to renew the auth (token); When the secret has a lease, this attempts to renew the lease.
type LifetimeWatcherInput ¶
type LifetimeWatcherInput struct { // Secret is the secret to renew Secret *Secret // DEPRECATED: this does not do anything. Grace time.Duration // Rand is the randomizer to use for underlying randomization. If not // provided, one will be generated and seeded automatically. If provided, it // is assumed to have already been seeded. Rand *rand.Rand // RenewBuffer is the size of the buffered channel where renew messages are // dispatched. RenewBuffer int // The new TTL, in seconds, that should be set on the lease. The TTL set // here may or may not be honored by the vault server, based on Vault // configuration or any associated max TTL values. If specified, the // minimum of this value and the remaining lease duration will be used // for grace period calculations. Increment int // RenewBehavior controls what happens when a renewal errors or the // passed-in secret is not renewable. RenewBehavior RenewBehavior }
LifetimeWatcherInput is used as input to the renew function.
type ListPluginsInput ¶
type ListPluginsInput struct { // Type of the plugin. Required. Type PluginType `json:"type"` }
ListPluginsInput is used as input to the ListPlugins function.
type ListPluginsResponse ¶
type ListPluginsResponse struct { // PluginsByType is the list of plugins by type. PluginsByType map[PluginType][]string `json:"types"` Details []PluginDetails `json:"details,omitempty"` // Names is the list of names of the plugins. // // Deprecated: Newer server responses should be returning PluginsByType (json: // "types") instead. Names []string `json:"names"` }
ListPluginsResponse is the response from the ListPlugins call.
type Logical ¶
type Logical struct {
// contains filtered or unexported fields
}
Logical is used to perform logical backend operations on Vault.
func (*Logical) DeleteWithContext ¶
func (*Logical) DeleteWithData ¶
func (*Logical) DeleteWithDataWithContext ¶
func (*Logical) JSONMergePatch ¶
func (*Logical) ListPageWithContext ¶
func (*Logical) ListWithContext ¶
func (*Logical) ParseRawResponseAndCloseBody ¶
func (*Logical) ReadRaw ¶
ReadRaw attempts to read the value stored at the given Vault path (without '/v1/' prefix) and returns a raw *http.Response.
Note: the raw-response functions do not respect the client-configured request timeout; if a timeout is desired, please use ReadRawWithContext instead and set the timeout through context.WithTimeout or context.WithDeadline.
func (*Logical) ReadRawWithContext ¶
ReadRawWithContext attempts to read the value stored at the give Vault path (without '/v1/' prefix) and returns a raw *http.Response.
Note: the raw-response functions do not respect the client-configured request timeout; if a timeout is desired, please set it through context.WithTimeout or context.WithDeadline.
func (*Logical) ReadRawWithData ¶
ReadRawWithData attempts to read the value stored at the given Vault path (without '/v1/' prefix) and returns a raw *http.Response. The 'data' map is added as query parameters to the request.
Note: the raw-response functions do not respect the client-configured request timeout; if a timeout is desired, please use ReadRawWithDataWithContext instead and set the timeout through context.WithTimeout or context.WithDeadline.
func (*Logical) ReadRawWithDataWithContext ¶
func (c *Logical) ReadRawWithDataWithContext(ctx context.Context, path string, data map[string][]string) (*Response, error)
ReadRawWithDataWithContext attempts to read the value stored at the given Vault path (without '/v1/' prefix) and returns a raw *http.Response. The 'data' map is added as query parameters to the request.
Note: the raw-response functions do not respect the client-configured request timeout; if a timeout is desired, please set it through context.WithTimeout or context.WithDeadline.
func (*Logical) ReadWithContext ¶
func (*Logical) ReadWithData ¶
func (*Logical) ReadWithDataWithContext ¶
func (*Logical) UnwrapWithContext ¶
func (*Logical) WriteBytes ¶
func (*Logical) WriteBytesWithContext ¶
type MFAConstraintAny ¶
type MFAConstraintAny struct {
Any []*MFAMethodID `json:"any,omitempty"`
}
type MFAMethodID ¶
type MFARequirement ¶
type MFARequirement struct { MFARequestID string `json:"mfa_request_id,omitempty"` MFAConstraints map[string]*MFAConstraintAny `json:"mfa_constraints,omitempty"` }
type MountConfigInput ¶
type MountConfigInput struct { Options map[string]string `json:"options" mapstructure:"options"` DefaultLeaseTTL string `json:"default_lease_ttl" mapstructure:"default_lease_ttl"` Description *string `json:"description,omitempty" mapstructure:"description"` MaxLeaseTTL string `json:"max_lease_ttl" mapstructure:"max_lease_ttl"` ForceNoCache bool `json:"force_no_cache" mapstructure:"force_no_cache"` AuditNonHMACRequestKeys []string `json:"audit_non_hmac_request_keys,omitempty" mapstructure:"audit_non_hmac_request_keys"` AuditNonHMACResponseKeys []string `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"` ListingVisibility string `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"` PassthroughRequestHeaders []string `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"` AllowedResponseHeaders []string `json:"allowed_response_headers,omitempty" mapstructure:"allowed_response_headers"` TokenType string `json:"token_type,omitempty" mapstructure:"token_type"` AllowedManagedKeys []string `json:"allowed_managed_keys,omitempty" mapstructure:"allowed_managed_keys"` PluginVersion string `json:"plugin_version,omitempty"` UserLockoutConfig *UserLockoutConfigInput `json:"user_lockout_config,omitempty"` // Deprecated: This field will always be blank for newer server responses. PluginName string `json:"plugin_name,omitempty" mapstructure:"plugin_name"` }
type MountConfigOutput ¶
type MountConfigOutput struct { DefaultLeaseTTL int `json:"default_lease_ttl" mapstructure:"default_lease_ttl"` MaxLeaseTTL int `json:"max_lease_ttl" mapstructure:"max_lease_ttl"` ForceNoCache bool `json:"force_no_cache" mapstructure:"force_no_cache"` AuditNonHMACRequestKeys []string `json:"audit_non_hmac_request_keys,omitempty" mapstructure:"audit_non_hmac_request_keys"` AuditNonHMACResponseKeys []string `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"` ListingVisibility string `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"` PassthroughRequestHeaders []string `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"` AllowedResponseHeaders []string `json:"allowed_response_headers,omitempty" mapstructure:"allowed_response_headers"` TokenType string `json:"token_type,omitempty" mapstructure:"token_type"` AllowedManagedKeys []string `json:"allowed_managed_keys,omitempty" mapstructure:"allowed_managed_keys"` UserLockoutConfig *UserLockoutConfigOutput `json:"user_lockout_config,omitempty"` // Deprecated: This field will always be blank for newer server responses. PluginName string `json:"plugin_name,omitempty" mapstructure:"plugin_name"` }
type MountInput ¶
type MountInput struct { Type string `json:"type"` Description string `json:"description"` Config MountConfigInput `json:"config"` Local bool `json:"local"` SealWrap bool `json:"seal_wrap" mapstructure:"seal_wrap"` ExternalEntropyAccess bool `json:"external_entropy_access" mapstructure:"external_entropy_access"` Options map[string]string `json:"options"` // Deprecated: Newer server responses should be returning this information in the // Type field (json: "type") instead. PluginName string `json:"plugin_name,omitempty"` }
type MountMigrationOutput ¶
type MountMigrationOutput struct {
MigrationID string `mapstructure:"migration_id"`
}
type MountMigrationStatusOutput ¶
type MountMigrationStatusOutput struct { MigrationID string `mapstructure:"migration_id"` MigrationInfo *MountMigrationStatusInfo `mapstructure:"migration_info"` }
type MountOutput ¶
type MountOutput struct { UUID string `json:"uuid"` Type string `json:"type"` Description string `json:"description"` Accessor string `json:"accessor"` Config MountConfigOutput `json:"config"` Options map[string]string `json:"options"` Local bool `json:"local"` SealWrap bool `json:"seal_wrap" mapstructure:"seal_wrap"` ExternalEntropyAccess bool `json:"external_entropy_access" mapstructure:"external_entropy_access"` PluginVersion string `json:"plugin_version" mapstructure:"plugin_version"` RunningVersion string `json:"running_plugin_version" mapstructure:"running_plugin_version"` RunningSha256 string `json:"running_sha256" mapstructure:"running_sha256"` DeprecationStatus string `json:"deprecation_status" mapstructure:"deprecation_status"` }
type OutputPolicyError ¶
type OutputPolicyError struct {
// contains filtered or unexported fields
}
var LastOutputPolicyError *OutputPolicyError
func (*OutputPolicyError) Error ¶
func (d *OutputPolicyError) Error() string
func (*OutputPolicyError) HCLString ¶
func (d *OutputPolicyError) HCLString() (string, error)
type OutputStringError ¶
type OutputStringError struct { *retryablehttp.Request TLSSkipVerify bool ClientCACert, ClientCAPath string ClientCert, ClientKey string // contains filtered or unexported fields }
var LastOutputStringError *OutputStringError
func (*OutputStringError) CurlString ¶
func (d *OutputStringError) CurlString() (string, error)
func (*OutputStringError) Error ¶
func (d *OutputStringError) Error() string
type PluginAPIClientMeta ¶
type PluginAPIClientMeta struct {
// contains filtered or unexported fields
}
PluginAPIClientMeta is a helper that plugins can use to configure TLS connections back to Vault.
func (*PluginAPIClientMeta) FlagSet ¶
func (f *PluginAPIClientMeta) FlagSet() *flag.FlagSet
FlagSet returns the flag set for configuring the TLS connection
func (*PluginAPIClientMeta) GetTLSConfig ¶
func (f *PluginAPIClientMeta) GetTLSConfig() *TLSConfig
GetTLSConfig will return a TLSConfig based off the values from the flags
type PluginDetails ¶
type PluginType ¶
type PluginType uint32
const ( PluginTypeUnknown PluginType = iota PluginTypeCredential PluginTypeDatabase PluginTypeSecrets )
This is a list of PluginTypes used by Vault. If we need to add any in the future, it would be best to add them to the _end_ of the list below because they resolve to incrementing numbers, which may be saved in state somewhere. Thus if the name for one of those numbers changed because a value were added to the middle, that could cause the wrong plugin types to be read from storage for a given underlying number. Example of the problem here: https://play.golang.org/p/YAaPw5ww3er
func ParsePluginType ¶
func ParsePluginType(pluginType string) (PluginType, error)
func (PluginType) String ¶
func (p PluginType) String() string
type RaftJoinRequest ¶
type RaftJoinRequest struct { AutoJoin string `json:"auto_join"` AutoJoinScheme string `json:"auto_join_scheme"` AutoJoinPort uint `json:"auto_join_port"` LeaderAPIAddr string `json:"leader_api_addr"` LeaderCACert string `json:"leader_ca_cert"` LeaderClientCert string `json:"leader_client_cert"` LeaderClientKey string `json:"leader_client_key"` Retry bool `json:"retry"` NonVoter bool `json:"non_voter"` }
RaftJoinRequest represents the parameters consumed by the raft join API
type RaftJoinResponse ¶
type RaftJoinResponse struct {
Joined bool `json:"joined"`
}
RaftJoinResponse represents the response of the raft join API
type RegisterPluginInput ¶
type RegisterPluginInput struct { // Name is the name of the plugin. Required. Name string `json:"-"` // Type of the plugin. Required. Type PluginType `json:"type"` // Args is the list of args to spawn the process with. Args []string `json:"args,omitempty"` // Command is the command to run. Command string `json:"command,omitempty"` // SHA256 is the shasum of the plugin. SHA256 string `json:"sha256,omitempty"` // Version is the optional version of the plugin being registered Version string `json:"version,omitempty"` }
RegisterPluginInput is used as input to the RegisterPlugin function.
type RekeyInitRequest ¶
type RekeyRetrieveResponse ¶
type RekeyStatusResponse ¶
type RekeyStatusResponse struct { Nonce string `json:"nonce"` Started bool `json:"started"` T int `json:"t"` N int `json:"n"` Progress int `json:"progress"` Required int `json:"required"` PGPFingerprints []string `json:"pgp_fingerprints"` Backup bool `json:"backup"` VerificationRequired bool `json:"verification_required"` VerificationNonce string `json:"verification_nonce"` }
type RekeyUpdateResponse ¶
type RekeyUpdateResponse struct { Nonce string `json:"nonce"` Complete bool `json:"complete"` Keys []string `json:"keys"` KeysB64 []string `json:"keys_base64"` PGPFingerprints []string `json:"pgp_fingerprints"` Backup bool `json:"backup"` VerificationRequired bool `json:"verification_required"` VerificationNonce string `json:"verification_nonce,omitempty"` }
type ReloadPluginInput ¶
type ReloadPluginInput struct { // Plugin is the name of the plugin to reload, as registered in the plugin catalog Plugin string `json:"plugin"` // Mounts is the array of string mount paths of the plugin backends to reload Mounts []string `json:"mounts"` // Scope is the scope of the plugin reload Scope string `json:"scope"` }
ReloadPluginInput is used as input to the ReloadPlugin function.
type ReloadPluginStatusInput ¶
type ReloadPluginStatusInput struct { // ReloadID is the ID of the reload operation ReloadID string `json:"reload_id"` }
ReloadPluginStatusInput is used as input to the ReloadStatusPlugin function.
type ReloadStatus ¶
type ReloadStatus struct { Timestamp time.Time `json:"timestamp" mapstructure:"timestamp"` Error string `json:"error" mapstructure:"error"` }
ReloadStatus is the status of an individual node's plugin reload
type ReloadStatusResponse ¶
type ReloadStatusResponse struct { ReloadID string `mapstructure:"reload_id"` Results map[string]*ReloadStatus `mapstructure:"results"` }
ReloadStatusResponse is the combined response of all known completed plugin reloads
type RenewBehavior ¶
type RenewBehavior uint
const ( // RenewBehaviorIgnoreErrors means we will attempt to keep renewing until // we hit the lifetime threshold. It also ignores errors stemming from // passing a non-renewable lease in. In practice, this means you simply // reauthenticate/refetch credentials when the watcher exits. This is the // default. RenewBehaviorIgnoreErrors RenewBehavior = iota // RenewBehaviorRenewDisabled turns off renewal attempts entirely. This // allows you to simply watch lifetime and have the watcher return at a // reasonable threshold without actually making Vault calls. RenewBehaviorRenewDisabled // RenewBehaviorErrorOnErrors is the "legacy" behavior which always exits // on some kind of error RenewBehaviorErrorOnErrors )
type RenewOutput ¶
type RenewOutput struct { // RenewedAt is the timestamp when the renewal took place (UTC). RenewedAt time.Time // Secret is the underlying renewal data. It's the same struct as all data // that is returned from Vault, but since this is renewal data, it will not // usually include the secret itself. Secret *Secret }
RenewOutput is the metadata returned to the client (if it's listening) to renew messages.
type Renewer ¶
type Renewer = LifetimeWatcher
type RenewerInput ¶
type RenewerInput = LifetimeWatcherInput
type Request ¶
type Request struct { Method string URL *url.URL Host string Params url.Values Headers http.Header ClientToken string MFAHeaderVals []string WrapTTL string Obj interface{} // When possible, use BodyBytes as it is more efficient due to how the // retry logic works BodyBytes []byte // Fallback Body io.Reader BodySize int64 // Whether to request overriding soft-mandatory Sentinel policies (RGPs and // EGPs). If set, the override flag will take effect for all policies // evaluated during the request. PolicyOverride bool }
Request is a raw request configuration structure used to initiate API requests to the Vault server.
func (*Request) ResetJSONBody ¶
ResetJSONBody is used to reset the body for a redirect
func (*Request) SetJSONBody ¶
SetJSONBody is used to set a request body that is a JSON-encoded value.
type RequestCallback ¶
type RequestCallback func(*Request)
type Response ¶
Response is a raw response that wraps an HTTP response.
func (*Response) DecodeJSON ¶
DecodeJSON will decode the response body to a JSON structure. This will consume the response body, but will not close it. Close must still be called.
type ResponseCallback ¶
type ResponseCallback func(*Response)
type ResponseError ¶
type ResponseError struct { // HTTPMethod is the HTTP method for the request (PUT, GET, etc). HTTPMethod string // URL is the URL of the request. URL string // StatusCode is the HTTP status code. StatusCode int // RawError marks that the underlying error messages returned by Vault were // not parsable. The Errors slice will contain the raw response body as the // first and only error string if this value is set to true. RawError bool // Errors are the underlying errors returned by Vault. Errors []string // Namespace path to be reported to the client if it is set to anything other // than root NamespacePath string }
ResponseError is the error returned when Vault responds with an error or non-success HTTP status code. If a request to Vault fails because of a network error a different error message will be returned. ResponseError gives access to the underlying errors and status code.
func (*ResponseError) Error ¶
func (r *ResponseError) Error() string
Error returns a human-readable error string for the response error.
type SSH ¶
type SSH struct { MountPoint string // contains filtered or unexported fields }
SSH is used to return a client to invoke operations on SSH backend.
func (*SSH) Credential ¶
Credential wraps CredentialWithContext using context.Background.
func (*SSH) CredentialWithContext ¶
func (c *SSH) CredentialWithContext(ctx context.Context, role string, data map[string]interface{}) (*Secret, error)
CredentialWithContext invokes the SSH backend API to create a credential to establish an SSH session.
type SSHHelper ¶
type SSHHelper struct { MountPoint string // contains filtered or unexported fields }
SSHHelper is a structure representing a vault-ssh-helper which can talk to vault server in order to verify the OTP entered by the user. It contains the path at which SSH backend is mounted at the server.
func (*SSHHelper) Verify ¶
func (c *SSHHelper) Verify(otp string) (*SSHVerifyResponse, error)
Verify verifies if the key provided by user is present in Vault server. The response will contain the IP address and username associated with the OTP. In case the OTP matches the echo request message, instead of searching an entry for the OTP, an echo response message is returned. This feature is used by ssh-helper to verify if its configured correctly.
func (*SSHHelper) VerifyWithContext ¶
VerifyWithContext the same as Verify but with a custom context.
type SSHHelperConfig ¶
type SSHHelperConfig struct { VaultAddr string `hcl:"vault_addr"` SSHMountPoint string `hcl:"ssh_mount_point"` Namespace string `hcl:"namespace"` CACert string `hcl:"ca_cert"` CAPath string `hcl:"ca_path"` AllowedCidrList string `hcl:"allowed_cidr_list"` AllowedRoles string `hcl:"allowed_roles"` TLSSkipVerify bool `hcl:"tls_skip_verify"` TLSServerName string `hcl:"tls_server_name"` }
SSHHelperConfig is a structure which represents the entries from the vault-ssh-helper's configuration file.
func LoadSSHHelperConfig ¶
func LoadSSHHelperConfig(path string) (*SSHHelperConfig, error)
LoadSSHHelperConfig loads ssh-helper's configuration from the file and populates the corresponding in-memory structure.
Vault address is a required parameter. Mount point defaults to "ssh".
func ParseSSHHelperConfig ¶
func ParseSSHHelperConfig(contents string) (*SSHHelperConfig, error)
ParseSSHHelperConfig parses the given contents as a string for the SSHHelper configuration.
func (*SSHHelperConfig) NewClient ¶
func (c *SSHHelperConfig) NewClient() (*Client, error)
NewClient returns a new client for the configuration. This client will be used by the vault-ssh-helper to communicate with Vault server and verify the OTP entered by user. If the configuration supplies Vault SSL certificates, then the client will have TLS configured in its transport.
func (*SSHHelperConfig) SetTLSParameters ¶
func (c *SSHHelperConfig) SetTLSParameters(clientConfig *Config, certPool *x509.CertPool)
SetTLSParameters sets the TLS parameters for this SSH agent.
type SSHVerifyResponse ¶
type SSHVerifyResponse struct { // Usually empty. If the request OTP is echo request message, this will // be set to the corresponding echo response message. Message string `json:"message" mapstructure:"message"` // Username associated with the OTP Username string `json:"username" mapstructure:"username"` // IP associated with the OTP IP string `json:"ip" mapstructure:"ip"` // Name of the role against which the OTP was issued RoleName string `json:"role_name" mapstructure:"role_name"` }
SSHVerifyResponse is a structure representing the fields in Vault server's response.
type SealStatusResponse ¶
type SealStatusResponse struct { Type string `json:"type"` Initialized bool `json:"initialized"` Sealed bool `json:"sealed"` T int `json:"t"` N int `json:"n"` Progress int `json:"progress"` Nonce string `json:"nonce"` Version string `json:"version"` BuildDate string `json:"build_date"` Migration bool `json:"migration"` ClusterName string `json:"cluster_name,omitempty"` ClusterID string `json:"cluster_id,omitempty"` RecoverySeal bool `json:"recovery_seal"` StorageType string `json:"storage_type,omitempty"` Warnings []string `json:"warnings,omitempty"` }
type Secret ¶
type Secret struct { // The request ID that generated this response RequestID string `json:"request_id"` LeaseID string `json:"lease_id"` LeaseDuration int `json:"lease_duration"` Renewable bool `json:"renewable"` // Data is the actual contents of the secret. The format of the data // is arbitrary and up to the secret backend. Data map[string]interface{} `json:"data"` // Warnings contains any warnings related to the operation. These // are not issues that caused the command to fail, but that the // client should be aware of. Warnings []string `json:"warnings"` // Auth, if non-nil, means that there was authentication information // attached to this response. Auth *SecretAuth `json:"auth,omitempty"` // WrapInfo, if non-nil, means that the initial response was wrapped in the // cubbyhole of the given token (which has a TTL of the given number of // seconds) WrapInfo *SecretWrapInfo `json:"wrap_info,omitempty"` }
Secret is the structure returned for every secret within Vault.
func ParseSecret ¶
ParseSecret is used to parse a secret value from JSON from an io.Reader.
func (*Secret) TokenAccessor ¶
TokenAccessor returns the standardized token accessor for the given secret. If the secret is nil or does not contain an accessor, this returns the empty string.
func (*Secret) TokenIsRenewable ¶
TokenIsRenewable returns the standardized token renewability for the given secret. If the secret is nil or does not contain the "renewable" key, this returns false.
func (*Secret) TokenMetadata ¶
TokenMetadata returns the map of metadata associated with this token, if any exists. If the secret is nil or does not contain the "metadata" key, this returns nil.
func (*Secret) TokenPolicies ¶
TokenPolicies returns the standardized list of policies for the given secret. If the secret is nil or does not contain any policies, this returns nil. It also populates the secret's Auth info with identity/token policy info.
func (*Secret) TokenRemainingUses ¶
TokenRemainingUses returns the standardized remaining uses for the given secret. If the secret is nil or does not contain the "num_uses", this returns -1. On error, this will return -1 and a non-nil error.
type SecretAuth ¶
type SecretAuth struct { ClientToken string `json:"client_token"` Accessor string `json:"accessor"` Policies []string `json:"policies"` TokenPolicies []string `json:"token_policies"` IdentityPolicies []string `json:"identity_policies"` Metadata map[string]string `json:"metadata"` Orphan bool `json:"orphan"` EntityID string `json:"entity_id"` LeaseDuration int `json:"lease_duration"` Renewable bool `json:"renewable"` MFARequirement *MFARequirement `json:"mfa_requirement"` }
SecretAuth is the structure containing auth information if we have it.
type SecretWrapInfo ¶
type SecretWrapInfo struct { Token string `json:"token"` Accessor string `json:"accessor"` TTL int `json:"ttl"` CreationTime time.Time `json:"creation_time"` CreationPath string `json:"creation_path"` WrappedAccessor string `json:"wrapped_accessor"` }
SecretWrapInfo contains wrapping information if we have it. If what is contained is an authentication token, the accessor for the token will be available in WrappedAccessor.
type Sys ¶
type Sys struct {
// contains filtered or unexported fields
}
Sys is used to perform system-related operations on Vault.
func (*Sys) AuditHashWithContext ¶
func (*Sys) CORSStatus ¶
func (c *Sys) CORSStatus() (*CORSResponse, error)
func (*Sys) CORSStatusWithContext ¶
func (c *Sys) CORSStatusWithContext(ctx context.Context) (*CORSResponse, error)
func (*Sys) CapabilitiesSelfWithContext ¶
func (*Sys) CapabilitiesWithContext ¶
func (*Sys) ConfigureCORS ¶
func (c *Sys) ConfigureCORS(req *CORSRequest) error
func (*Sys) ConfigureCORSWithContext ¶
func (c *Sys) ConfigureCORSWithContext(ctx context.Context, req *CORSRequest) error
func (*Sys) DeletePolicy ¶
func (*Sys) DeletePolicyWithContext ¶
func (*Sys) DeregisterPlugin ¶
func (c *Sys) DeregisterPlugin(i *DeregisterPluginInput) error
DeregisterPlugin wraps DeregisterPluginWithContext using context.Background.
func (*Sys) DeregisterPluginWithContext ¶
func (c *Sys) DeregisterPluginWithContext(ctx context.Context, i *DeregisterPluginInput) error
DeregisterPluginWithContext removes the plugin with the given name from the plugin catalog.
func (*Sys) DisableAudit ¶
func (*Sys) DisableAuditWithContext ¶
func (*Sys) DisableAuth ¶
func (*Sys) DisableAuthWithContext ¶
func (*Sys) DisableCORS ¶
func (*Sys) DisableCORSWithContext ¶
func (*Sys) EnableAudit ¶
func (c *Sys) EnableAudit( path string, auditType string, desc string, opts map[string]string, ) error
DEPRECATED: Use EnableAuditWithOptions instead
func (*Sys) EnableAuditWithOptions ¶
func (c *Sys) EnableAuditWithOptions(path string, options *EnableAuditOptions) error
func (*Sys) EnableAuditWithOptionsWithContext ¶
func (*Sys) EnableAuth ¶
DEPRECATED: Use EnableAuthWithOptions instead
func (*Sys) EnableAuthWithOptions ¶
func (c *Sys) EnableAuthWithOptions(path string, options *EnableAuthOptions) error
func (*Sys) EnableAuthWithOptionsWithContext ¶
func (*Sys) GenerateRecoveryOperationTokenCancel ¶
func (*Sys) GenerateRecoveryOperationTokenCancelWithContext ¶
func (*Sys) GenerateRecoveryOperationTokenInit ¶
func (c *Sys) GenerateRecoveryOperationTokenInit(otp, pgpKey string) (*GenerateRootStatusResponse, error)
func (*Sys) GenerateRecoveryOperationTokenInitWithContext ¶
func (*Sys) GenerateRecoveryOperationTokenStatus ¶
func (c *Sys) GenerateRecoveryOperationTokenStatus() (*GenerateRootStatusResponse, error)
func (*Sys) GenerateRecoveryOperationTokenStatusWithContext ¶
func (c *Sys) GenerateRecoveryOperationTokenStatusWithContext(ctx context.Context) (*GenerateRootStatusResponse, error)
func (*Sys) GenerateRecoveryOperationTokenUpdate ¶
func (c *Sys) GenerateRecoveryOperationTokenUpdate(shard, nonce string) (*GenerateRootStatusResponse, error)
func (*Sys) GenerateRecoveryOperationTokenUpdateWithContext ¶
func (*Sys) GenerateRootCancel ¶
func (*Sys) GenerateRootCancelWithContext ¶
func (*Sys) GenerateRootInit ¶
func (c *Sys) GenerateRootInit(otp, pgpKey string) (*GenerateRootStatusResponse, error)
func (*Sys) GenerateRootInitWithContext ¶
func (*Sys) GenerateRootStatus ¶
func (c *Sys) GenerateRootStatus() (*GenerateRootStatusResponse, error)
func (*Sys) GenerateRootStatusWithContext ¶
func (c *Sys) GenerateRootStatusWithContext(ctx context.Context) (*GenerateRootStatusResponse, error)
func (*Sys) GenerateRootUpdate ¶
func (c *Sys) GenerateRootUpdate(shard, nonce string) (*GenerateRootStatusResponse, error)
func (*Sys) GenerateRootUpdateWithContext ¶
func (*Sys) GetPlugin ¶
func (c *Sys) GetPlugin(i *GetPluginInput) (*GetPluginResponse, error)
GetPlugin wraps GetPluginWithContext using context.Background.
func (*Sys) GetPluginWithContext ¶
func (c *Sys) GetPluginWithContext(ctx context.Context, i *GetPluginInput) (*GetPluginResponse, error)
GetPluginWithContext retrieves information about the plugin.
func (*Sys) GetPolicyWithContext ¶
func (*Sys) HAStatus ¶
func (c *Sys) HAStatus() (*HAStatusResponse, error)
func (*Sys) HAStatusWithContext ¶
func (c *Sys) HAStatusWithContext(ctx context.Context) (*HAStatusResponse, error)
func (*Sys) Health ¶
func (c *Sys) Health() (*HealthResponse, error)
func (*Sys) HealthWithContext ¶
func (c *Sys) HealthWithContext(ctx context.Context) (*HealthResponse, error)
func (*Sys) Init ¶
func (c *Sys) Init(opts *InitRequest) (*InitResponse, error)
func (*Sys) InitStatus ¶
func (*Sys) InitStatusWithContext ¶
func (*Sys) InitWithContext ¶
func (c *Sys) InitWithContext(ctx context.Context, opts *InitRequest) (*InitResponse, error)
func (*Sys) KeyStatusWithContext ¶
func (*Sys) Leader ¶
func (c *Sys) Leader() (*LeaderResponse, error)
func (*Sys) LeaderWithContext ¶
func (c *Sys) LeaderWithContext(ctx context.Context) (*LeaderResponse, error)
func (*Sys) ListAuditWithContext ¶
func (*Sys) ListAuthWithContext ¶
func (*Sys) ListMounts ¶
func (c *Sys) ListMounts() (map[string]*MountOutput, error)
func (*Sys) ListMountsWithContext ¶
func (*Sys) ListPlugins ¶
func (c *Sys) ListPlugins(i *ListPluginsInput) (*ListPluginsResponse, error)
ListPlugins wraps ListPluginsWithContext using context.Background.
func (*Sys) ListPluginsWithContext ¶
func (c *Sys) ListPluginsWithContext(ctx context.Context, i *ListPluginsInput) (*ListPluginsResponse, error)
ListPluginsWithContext lists all plugins in the catalog and returns their names as a list of strings.
func (*Sys) ListPolicies ¶
func (*Sys) ListPoliciesWithContext ¶
func (*Sys) LookupWithContext ¶
func (*Sys) MFAValidate ¶
func (*Sys) MFAValidateWithContext ¶
func (*Sys) Monitor ¶
Monitor returns a channel that outputs strings containing the log messages coming from the server.
func (*Sys) MountConfig ¶
func (c *Sys) MountConfig(path string) (*MountConfigOutput, error)
func (*Sys) MountConfigWithContext ¶
func (*Sys) MountWithContext ¶
func (*Sys) PutPolicyWithContext ¶
func (*Sys) PutRaftAutopilotConfiguration ¶
func (c *Sys) PutRaftAutopilotConfiguration(opts *AutopilotConfig) error
PutRaftAutopilotConfiguration wraps PutRaftAutopilotConfigurationWithContext using context.Background.
func (*Sys) PutRaftAutopilotConfigurationWithContext ¶
func (c *Sys) PutRaftAutopilotConfigurationWithContext(ctx context.Context, opts *AutopilotConfig) error
PutRaftAutopilotConfigurationWithContext allows modifying the raft autopilot configuration
func (*Sys) RaftAutopilotConfiguration ¶
func (c *Sys) RaftAutopilotConfiguration() (*AutopilotConfig, error)
RaftAutopilotConfiguration wraps RaftAutopilotConfigurationWithContext using context.Background.
func (*Sys) RaftAutopilotConfigurationWithContext ¶
func (c *Sys) RaftAutopilotConfigurationWithContext(ctx context.Context) (*AutopilotConfig, error)
RaftAutopilotConfigurationWithContext fetches the autopilot config.
func (*Sys) RaftAutopilotConfigurationWithDRToken ¶
func (c *Sys) RaftAutopilotConfigurationWithDRToken(drToken string) (*AutopilotConfig, error)
RaftAutopilotConfigurationWithDRToken wraps RaftAutopilotConfigurationWithContext using the given token.
func (*Sys) RaftAutopilotState ¶
func (c *Sys) RaftAutopilotState() (*AutopilotState, error)
RaftAutopilotState wraps RaftAutopilotStateWithContext using context.Background.
func (*Sys) RaftAutopilotStateWithContext ¶
func (c *Sys) RaftAutopilotStateWithContext(ctx context.Context) (*AutopilotState, error)
RaftAutopilotStateWithContext returns the state of the raft cluster as seen by autopilot.
func (*Sys) RaftAutopilotStateWithDRToken ¶
func (c *Sys) RaftAutopilotStateWithDRToken(drToken string) (*AutopilotState, error)
RaftAutopilotStateWithToken wraps RaftAutopilotStateWithContext using the given token.
func (*Sys) RaftJoin ¶
func (c *Sys) RaftJoin(opts *RaftJoinRequest) (*RaftJoinResponse, error)
RaftJoin wraps RaftJoinWithContext using context.Background.
func (*Sys) RaftJoinWithContext ¶
func (c *Sys) RaftJoinWithContext(ctx context.Context, opts *RaftJoinRequest) (*RaftJoinResponse, error)
RaftJoinWithContext adds the node from which this call is invoked from to the raft cluster represented by the leader address in the parameter.
func (*Sys) RaftSnapshot ¶
RaftSnapshot wraps RaftSnapshotWithContext using context.Background.
func (*Sys) RaftSnapshotRestore ¶
RaftSnapshotRestore wraps RaftSnapshotRestoreWithContext using context.Background.
func (*Sys) RaftSnapshotRestoreWithContext ¶
func (c *Sys) RaftSnapshotRestoreWithContext(ctx context.Context, snapReader io.Reader, force bool) error
RaftSnapshotRestoreWithContext reads the snapshot from the io.Reader and installs that snapshot, returning the cluster to the state defined by it.
func (*Sys) RaftSnapshotWithContext ¶
RaftSnapshotWithContext invokes the API that takes the snapshot of the raft cluster and writes it to the supplied io.Writer.
func (*Sys) RegisterPlugin ¶
func (c *Sys) RegisterPlugin(i *RegisterPluginInput) error
RegisterPlugin wraps RegisterPluginWithContext using context.Background.
func (*Sys) RegisterPluginWithContext ¶
func (c *Sys) RegisterPluginWithContext(ctx context.Context, i *RegisterPluginInput) error
RegisterPluginWithContext registers the plugin with the given information.
func (*Sys) RekeyCancel ¶
func (*Sys) RekeyCancelWithContext ¶
func (*Sys) RekeyDeleteBackup ¶
func (*Sys) RekeyDeleteBackupWithContext ¶
func (*Sys) RekeyDeleteRecoveryBackup ¶
func (*Sys) RekeyDeleteRecoveryBackupWithContext ¶
func (*Sys) RekeyInit ¶
func (c *Sys) RekeyInit(config *RekeyInitRequest) (*RekeyStatusResponse, error)
func (*Sys) RekeyInitWithContext ¶
func (c *Sys) RekeyInitWithContext(ctx context.Context, config *RekeyInitRequest) (*RekeyStatusResponse, error)
func (*Sys) RekeyRecoveryKeyCancel ¶
func (*Sys) RekeyRecoveryKeyCancelWithContext ¶
func (*Sys) RekeyRecoveryKeyInit ¶
func (c *Sys) RekeyRecoveryKeyInit(config *RekeyInitRequest) (*RekeyStatusResponse, error)
func (*Sys) RekeyRecoveryKeyInitWithContext ¶
func (c *Sys) RekeyRecoveryKeyInitWithContext(ctx context.Context, config *RekeyInitRequest) (*RekeyStatusResponse, error)
func (*Sys) RekeyRecoveryKeyStatus ¶
func (c *Sys) RekeyRecoveryKeyStatus() (*RekeyStatusResponse, error)
func (*Sys) RekeyRecoveryKeyStatusWithContext ¶
func (c *Sys) RekeyRecoveryKeyStatusWithContext(ctx context.Context) (*RekeyStatusResponse, error)
func (*Sys) RekeyRecoveryKeyUpdate ¶
func (c *Sys) RekeyRecoveryKeyUpdate(shard, nonce string) (*RekeyUpdateResponse, error)
func (*Sys) RekeyRecoveryKeyUpdateWithContext ¶
func (*Sys) RekeyRecoveryKeyVerificationCancel ¶
func (*Sys) RekeyRecoveryKeyVerificationCancelWithContext ¶
func (*Sys) RekeyRecoveryKeyVerificationStatus ¶
func (c *Sys) RekeyRecoveryKeyVerificationStatus() (*RekeyVerificationStatusResponse, error)
func (*Sys) RekeyRecoveryKeyVerificationStatusWithContext ¶
func (c *Sys) RekeyRecoveryKeyVerificationStatusWithContext(ctx context.Context) (*RekeyVerificationStatusResponse, error)
func (*Sys) RekeyRecoveryKeyVerificationUpdate ¶
func (c *Sys) RekeyRecoveryKeyVerificationUpdate(shard, nonce string) (*RekeyVerificationUpdateResponse, error)
func (*Sys) RekeyRecoveryKeyVerificationUpdateWithContext ¶
func (*Sys) RekeyRetrieveBackup ¶
func (c *Sys) RekeyRetrieveBackup() (*RekeyRetrieveResponse, error)
func (*Sys) RekeyRetrieveBackupWithContext ¶
func (c *Sys) RekeyRetrieveBackupWithContext(ctx context.Context) (*RekeyRetrieveResponse, error)
func (*Sys) RekeyRetrieveRecoveryBackup ¶
func (c *Sys) RekeyRetrieveRecoveryBackup() (*RekeyRetrieveResponse, error)
func (*Sys) RekeyRetrieveRecoveryBackupWithContext ¶
func (c *Sys) RekeyRetrieveRecoveryBackupWithContext(ctx context.Context) (*RekeyRetrieveResponse, error)
func (*Sys) RekeyStatus ¶
func (c *Sys) RekeyStatus() (*RekeyStatusResponse, error)
func (*Sys) RekeyStatusWithContext ¶
func (c *Sys) RekeyStatusWithContext(ctx context.Context) (*RekeyStatusResponse, error)
func (*Sys) RekeyUpdate ¶
func (c *Sys) RekeyUpdate(shard, nonce string) (*RekeyUpdateResponse, error)
func (*Sys) RekeyUpdateWithContext ¶
func (*Sys) RekeyVerificationCancel ¶
func (*Sys) RekeyVerificationCancelWithContext ¶
func (*Sys) RekeyVerificationStatus ¶
func (c *Sys) RekeyVerificationStatus() (*RekeyVerificationStatusResponse, error)
func (*Sys) RekeyVerificationStatusWithContext ¶
func (c *Sys) RekeyVerificationStatusWithContext(ctx context.Context) (*RekeyVerificationStatusResponse, error)
func (*Sys) RekeyVerificationUpdate ¶
func (c *Sys) RekeyVerificationUpdate(shard, nonce string) (*RekeyVerificationUpdateResponse, error)
func (*Sys) RekeyVerificationUpdateWithContext ¶
func (*Sys) ReloadPlugin ¶
func (c *Sys) ReloadPlugin(i *ReloadPluginInput) (string, error)
ReloadPlugin wraps ReloadPluginWithContext using context.Background.
func (*Sys) ReloadPluginStatus ¶
func (c *Sys) ReloadPluginStatus(reloadStatusInput *ReloadPluginStatusInput) (*ReloadStatusResponse, error)
ReloadPluginStatus wraps ReloadPluginStatusWithContext using context.Background.
func (*Sys) ReloadPluginStatusWithContext ¶
func (c *Sys) ReloadPluginStatusWithContext(ctx context.Context, reloadStatusInput *ReloadPluginStatusInput) (*ReloadStatusResponse, error)
ReloadPluginStatusWithContext retrieves the status of a reload operation
func (*Sys) ReloadPluginWithContext ¶
ReloadPluginWithContext reloads mounted plugin backends, possibly returning reloadId for a cluster scoped reload
func (*Sys) RemountStatus ¶
func (c *Sys) RemountStatus(migrationID string) (*MountMigrationStatusOutput, error)
RemountStatus wraps RemountStatusWithContext using context.Background.
func (*Sys) RemountStatusWithContext ¶
func (c *Sys) RemountStatusWithContext(ctx context.Context, migrationID string) (*MountMigrationStatusOutput, error)
RemountStatusWithContext checks the status of a mount migration operation with the provided ID
func (*Sys) RemountWithContext ¶
RemountWithContext kicks off a remount operation, polls the status endpoint using the migration ID till either success or failure state is observed
func (*Sys) RenewWithContext ¶
func (*Sys) ResetUnsealProcess ¶
func (c *Sys) ResetUnsealProcess() (*SealStatusResponse, error)
func (*Sys) ResetUnsealProcessWithContext ¶
func (c *Sys) ResetUnsealProcessWithContext(ctx context.Context) (*SealStatusResponse, error)
func (*Sys) RevokeForce ¶
func (*Sys) RevokeForceWithContext ¶
func (*Sys) RevokePrefix ¶
func (*Sys) RevokePrefixWithContext ¶
func (*Sys) RevokeWithContext ¶
func (*Sys) RevokeWithOptions ¶
func (c *Sys) RevokeWithOptions(opts *RevokeOptions) error
func (*Sys) RevokeWithOptionsWithContext ¶
func (c *Sys) RevokeWithOptionsWithContext(ctx context.Context, opts *RevokeOptions) error
func (*Sys) SealStatus ¶
func (c *Sys) SealStatus() (*SealStatusResponse, error)
func (*Sys) SealStatusWithContext ¶
func (c *Sys) SealStatusWithContext(ctx context.Context) (*SealStatusResponse, error)
func (*Sys) StartRemount ¶
func (c *Sys) StartRemount(from, to string) (*MountMigrationOutput, error)
StartRemount wraps StartRemountWithContext using context.Background.
func (*Sys) StartRemountWithContext ¶
func (c *Sys) StartRemountWithContext(ctx context.Context, from, to string) (*MountMigrationOutput, error)
StartRemountWithContext kicks off a mount migration and returns a response with the migration ID
func (*Sys) TuneMountWithContext ¶
func (*Sys) UnmountWithContext ¶
func (*Sys) UnsealWithContext ¶
func (*Sys) UnsealWithOptions ¶
func (c *Sys) UnsealWithOptions(opts *UnsealOpts) (*SealStatusResponse, error)
func (*Sys) UnsealWithOptionsWithContext ¶
func (c *Sys) UnsealWithOptionsWithContext(ctx context.Context, opts *UnsealOpts) (*SealStatusResponse, error)
type TLSConfig ¶
type TLSConfig struct { // CACert is the path to a PEM-encoded CA cert file to use to verify the // Vault server SSL certificate. It takes precedence over CACertBytes // and CAPath. CACert string // CACertBytes is a PEM-encoded certificate or bundle. It takes precedence // over CAPath. CACertBytes []byte // CAPath is the path to a directory of PEM-encoded CA cert files to verify // the Vault server SSL certificate. CAPath string // ClientCert is the path to the certificate for Vault communication ClientCert string // ClientKey is the path to the private key for Vault communication ClientKey string // TLSServerName, if set, is used to set the SNI host when connecting via // TLS. TLSServerName string // Insecure enables or disables SSL verification Insecure bool }
TLSConfig contains the parameters needed to configure TLS on the HTTP client used to communicate with Vault.
type TokenAuth ¶
type TokenAuth struct {
// contains filtered or unexported fields
}
TokenAuth is used to perform token backend operations on Vault
func (*TokenAuth) CreateOrphan ¶
func (c *TokenAuth) CreateOrphan(opts *TokenCreateRequest) (*Secret, error)
func (*TokenAuth) CreateOrphanWithContext ¶
func (*TokenAuth) CreateWithContext ¶
func (*TokenAuth) CreateWithRole ¶
func (c *TokenAuth) CreateWithRole(opts *TokenCreateRequest, roleName string) (*Secret, error)
func (*TokenAuth) CreateWithRoleWithContext ¶
func (*TokenAuth) LookupAccessor ¶
func (*TokenAuth) LookupAccessorWithContext ¶
func (*TokenAuth) LookupSelf ¶
func (*TokenAuth) LookupSelfWithContext ¶
func (*TokenAuth) LookupWithContext ¶
func (*TokenAuth) RenewAccessor ¶
func (*TokenAuth) RenewAccessorWithContext ¶
func (*TokenAuth) RenewSelfWithContext ¶
func (*TokenAuth) RenewTokenAsSelf ¶
RenewTokenAsSelf wraps RenewTokenAsSelfWithContext using context.Background.
func (*TokenAuth) RenewTokenAsSelfWithContext ¶
func (c *TokenAuth) RenewTokenAsSelfWithContext(ctx context.Context, token string, increment int) (*Secret, error)
RenewTokenAsSelfWithContext behaves like renew-self, but authenticates using a provided token instead of the token attached to the client.
func (*TokenAuth) RenewWithContext ¶
func (*TokenAuth) RevokeAccessor ¶
RevokeAccessor wraps RevokeAccessorWithContext using context.Background.
func (*TokenAuth) RevokeAccessorWithContext ¶
RevokeAccessorWithContext revokes a token associated with the given accessor along with all the child tokens.
func (*TokenAuth) RevokeOrphan ¶
RevokeOrphan wraps RevokeOrphanWithContext using context.Background.
func (*TokenAuth) RevokeOrphanWithContext ¶
RevokeOrphanWithContext revokes a token without revoking the tree underneath it (so child tokens are orphaned rather than revoked)
func (*TokenAuth) RevokeSelf ¶
RevokeSelf wraps RevokeSelfWithContext using context.Background.
func (*TokenAuth) RevokeSelfWithContext ¶
RevokeSelfWithContext revokes the token making the call. The `token` parameter is kept for backwards compatibility but is ignored; only the client's set token has an effect.
func (*TokenAuth) RevokeTree ¶
RevokeTree wraps RevokeTreeWithContext using context.Background.
type TokenCreateRequest ¶
type TokenCreateRequest struct { ID string `json:"id,omitempty"` Policies []string `json:"policies,omitempty"` Metadata map[string]string `json:"meta,omitempty"` Lease string `json:"lease,omitempty"` TTL string `json:"ttl,omitempty"` ExplicitMaxTTL string `json:"explicit_max_ttl,omitempty"` Period string `json:"period,omitempty"` NoParent bool `json:"no_parent,omitempty"` NoDefaultPolicy bool `json:"no_default_policy,omitempty"` DisplayName string `json:"display_name"` NumUses int `json:"num_uses"` Renewable *bool `json:"renewable,omitempty"` Type string `json:"type"` EntityAlias string `json:"entity_alias"` }
TokenCreateRequest is the options structure for creating a token.
type UnsealOpts ¶
type UserLockoutConfigInput ¶
type UserLockoutConfigInput struct { LockoutThreshold string `json:"lockout_threshold,omitempty" structs:"lockout_threshold" mapstructure:"lockout_threshold"` LockoutDuration string `json:"lockout_duration,omitempty" structs:"lockout_duration" mapstructure:"lockout_duration"` LockoutCounterResetDuration string `` /* 134-byte string literal not displayed */ DisableLockout *bool `json:"lockout_disable,omitempty" structs:"lockout_disable" mapstructure:"lockout_disable"` }
type UserLockoutConfigOutput ¶
type UserLockoutConfigOutput struct { LockoutThreshold uint `json:"lockout_threshold,omitempty" structs:"lockout_threshold" mapstructure:"lockout_threshold"` LockoutDuration int `json:"lockout_duration,omitempty" structs:"lockout_duration" mapstructure:"lockout_duration"` LockoutCounterReset int `json:"lockout_counter_reset,omitempty" structs:"lockout_counter_reset" mapstructure:"lockout_counter_reset"` DisableLockout *bool `json:"disable_lockout,omitempty" structs:"disable_lockout" mapstructure:"disable_lockout"` }
type WrappingLookupFunc ¶
WrappingLookupFunc is a function that, given an HTTP verb and a path, returns an optional string duration to be used for response wrapping (e.g. "15s", or simply "15"). The path will not begin with "/v1/" or "v1/" or "/", however, end-of-path forward slashes are not trimmed, so must match your called path precisely. Response wrapping will only be used when the return value is not the empty string.
Source Files ¶
- auth.go
- auth_token.go
- client.go
- env.go
- help.go
- kv.go
- kv_v1.go
- kv_v2.go
- lifetime_watcher.go
- logical.go
- output_policy.go
- output_string.go
- plugin_helpers.go
- plugin_types.go
- request.go
- response.go
- secret.go
- ssh.go
- ssh_agent.go
- sys.go
- sys_audit.go
- sys_auth.go
- sys_capabilities.go
- sys_config_cors.go
- sys_generate_root.go
- sys_hastatus.go
- sys_health.go
- sys_init.go
- sys_leader.go
- sys_leases.go
- sys_mfa.go
- sys_monitor.go
- sys_mounts.go
- sys_plugins.go
- sys_policy.go
- sys_raft.go
- sys_rekey.go
- sys_rotate.go
- sys_seal.go
- sys_stepdown.go