vault

package
Published: Dec 7, 2020 License: Apache-2.0 Imports: 19 Imported by: 0


Constants

This section is empty.

Variables

This section is empty.

Functions

func NewVaultFactory

func NewVaultFactory(sr SecretReader, loggedIn <-chan struct{}, prefix string, lookupTemplates []*creds.SecretTemplate, sharedPath string) *vaultFactory

func NewVaultManagerFactory

func NewVaultManagerFactory() creds.ManagerFactory

Types

type APIClient

// APIClient is a SecretReader that keeps an authorized Vault client alive by
// means of its Login and Renew methods (both return the duration after which
// Renew is due). Read issued before a successful Login goes out with an
// unauthorized client — see Read. Construct with NewAPIClient; the fields are
// unexported and not shown on this page.
type APIClient struct {
	// contains filtered or unexported fields
}

The APIClient is a SecretReader which maintains an authorized client using the Login and Renew functions.

func NewAPIClient

func NewAPIClient(logger lager.Logger, apiURL string, tlsConfig TLSConfig, authConfig AuthConfig, namespace string) (*APIClient, error)

NewAPIClient constructs an APIClient with the associated authorization config and underlying vault client.

func (*APIClient) Login

func (ac *APIClient) Login() (time.Duration, error)

Login the APIClient using the credentials passed at construction. Returns a duration after which renew must be called.

func (*APIClient) Read

func (ac *APIClient) Read(path string) (*vaultapi.Secret, error)

Read must be called after a successful login has occurred; otherwise an unauthorized client will be used.

func (*APIClient) Renew

func (ac *APIClient) Renew() (time.Duration, error)

Renew the APIClient login using the credentials passed at construction. Must be called after a successful login. Returns a duration after which renew must be called again.

type AuthConfig

// AuthConfig holds the credentials and retry settings used to authenticate
// against Vault. It is squashed into VaultManager, so every field here is also
// a top-level config key / CLI flag there.
type AuthConfig struct {
	// ClientToken is a pre-issued Vault token, i.e. a bearer credential: keep
	// it out of logs and check that VaultManager.MarshalJSON (which sees this
	// struct via the squash tag) does not emit it.
	ClientToken string `mapstructure:"client_token" long:"client-token" description:"Client token for accessing secrets within the Vault server."`

	// Backend names the Vault auth backend used for login (config key auth_backend).
	Backend       string        `mapstructure:"auth_backend" long:"auth-backend"               description:"Auth backend to use for logging in to Vault."`
	// BackendMaxTTL, RetryMax and RetryInitial have tags that this page does not
	// display. By name they look like the maxTTL, max and retry arguments of
	// NewReAuther (forced re-login interval, backoff cap, initial backoff) —
	// confirm against the constructor before relying on that.
	BackendMaxTTL time.Duration `` /* 178-byte string literal not displayed */
	RetryMax      time.Duration `` /* 150-byte string literal not displayed */
	RetryInitial  time.Duration `` /* 154-byte string literal not displayed */

	// Params are backend-specific login parameters (tag not displayed). They
	// may themselves be secrets, so treat them with the same care as ClientToken.
	Params map[string]string `` /* 166-byte string literal not displayed */
}

type Auther

// Auther is anything that must be logged in and then have that login renewed
// periodically. Both methods return the duration after which Renew must next be
// called (see APIClient for the reference implementation); ReAuther drives the
// loop.
type Auther interface {
	Login() (time.Duration, error)
	Renew() (time.Duration, error)
}

An Auther is anything which needs to be logged in and then have that login renewed on a regular basis.

type ReAuther

// ReAuther runs the authorization loop (login, then renew) for an Auther and
// retries failures with a bounded exponential backoff. If a maxTTL is given to
// NewReAuther, a fresh login is performed regardless of the lease duration
// reported by the Auther. LoggedIn exposes a non-blocking signal after each
// login; Close stops the loop (presumably — its doc is not shown here).
// The fields are unexported and not shown on this page.
type ReAuther struct {
	// contains filtered or unexported fields
}

The ReAuther runs the authorization loop (login, renew) and retries using a bounded exponential backoff strategy. If maxTTL is set, a new login will be done _regardless_ of the available leaseDuration.

func NewReAuther

func NewReAuther(logger lager.Logger, auther Auther, maxTTL, retry, max time.Duration) *ReAuther

NewReAuther constructs a ReAuther with a retry time and a max retry time.

func (*ReAuther) Close

func (ra *ReAuther) Close()

func (*ReAuther) LoggedIn

func (ra *ReAuther) LoggedIn() <-chan struct{}

LoggedIn will receive a signal after every login. Multiple logins may be coalesced into a single signal because sends on this channel do not block.

type SecretReader

// SecretReader reads a Vault secret from the given path. Implementations must
// be safe for concurrent use, since one reader is shared by the Vault values
// handed out by the factory. APIClient is the production implementation.
type SecretReader interface {
	Read(path string) (*vaultapi.Secret, error)
}

A SecretReader reads a vault secret from the given path. Implementations must be safe for concurrent use.

type TLSConfig

// TLSConfig configures the TLS connection to the Vault server. Each
// certificate/key appears twice: the *File fields take a path and carry the
// CLI `long:` tag, while the inline fields carry only a `mapstructure:` tag and
// presumably hold the PEM content straight from the config document —
// confirm in NewAPIClient, which consumes this struct.
type TLSConfig struct {
	CACert     string `mapstructure:"ca_cert"`
	CACertFile string `long:"ca-cert"              description:"Path to a PEM-encoded CA cert file to use to verify the vault server SSL cert."`
	// CAPath's tag is not displayed on this page; by name it presumably points
	// at a directory of CA certificates — confirm.
	CAPath     string `` /* 127-byte string literal not displayed */

	ClientCert     string `mapstructure:"client_cert"`
	ClientCertFile string `long:"client-cert"          description:"Path to the client certificate for Vault authorization."`

	// ClientKey / ClientKeyFile hold the client's private key. The inline form
	// places key material in the config document itself, so that file needs
	// the same protection as the key.
	ClientKey     string `mapstructure:"client_key"`
	ClientKeyFile string `long:"client-key"           description:"Path to the client private key for Vault authorization."`

	// ServerName's tag is not displayed; presumably the server name expected
	// during certificate verification — confirm.
	ServerName string `` /* 129-byte string literal not displayed */
	// Insecure (config key insecure_skip_verify) skips verification of the
	// server certificate, which removes the protection against a spoofed Vault
	// endpoint; it is meant for local development only. Note the description
	// text says "Enable insecure SSL verification" — what it enables is the
	// skipping of verification.
	Insecure   bool   `mapstructure:"insecure_skip_verify" long:"insecure-skip-verify" description:"Enable insecure SSL verification."`
}

type Vault

// Vault reads secrets through a SecretReader and converts each vault secret
// into the completely untyped secret data used by the rest of the system
// (see Get). NewSecretLookupPaths decides where a variable is searched for.
// Instances are produced by the factory returned from NewVaultFactory, whose
// parameters map onto these fields by name — confirm in that constructor.
type Vault struct {
	// SecretReader performs the actual Read calls; it is shared, so it must be
	// safe for concurrent use.
	SecretReader    SecretReader
	// Prefix is the path prefix under which secrets are looked up (presumably
	// the prefix argument of NewVaultFactory).
	Prefix          string
	// LookupTemplates are the templates NewSecretLookupPaths expands into
	// candidate paths — presumably; the expansion itself is not shown here.
	LookupTemplates []*creds.SecretTemplate
	// SharedPath is the path under which shared credentials are looked up
	// (see VaultManager.SharedPath).
	SharedPath      string
}

Vault converts a vault secret to our completely untyped secret data.

func (Vault) Get

func (v Vault) Get(secretPath string) (interface{}, *time.Time, bool, error)

Get retrieves the value and expiration of an individual secret.

func (Vault) NewSecretLookupPaths

func (v Vault) NewSecretLookupPaths(teamName string, pipelineName string, allowRootPath bool) []creds.SecretLookupPath

NewSecretLookupPaths defines how variables will be searched for in the underlying secret manager.

type VaultManager

// VaultManager carries the user-facing Vault configuration (server URL, lookup
// paths, TLS and auth settings) together with the runtime objects created once
// the manager is initialised. Its Config/Validate/Init/Health/Close/
// NewSecretsFactory methods suggest it is the creds manager for Vault — the
// interface itself is not shown on this page.
type VaultManager struct {
	URL string `mapstructure:"url" long:"url" description:"Vault server address used to access secrets."`

	// PathPrefix and LookupTemplates have tags this page does not display; by
	// name they feed Vault.Prefix and Vault.LookupTemplates (the latter after
	// parsing the strings into creds.SecretTemplate) — confirm in Init /
	// NewSecretsFactory.
	PathPrefix      string   `` /* 129-byte string literal not displayed */
	LookupTemplates []string `` /* 186-byte string literal not displayed */
	SharedPath      string   `mapstructure:"shared_path" long:"shared-path" description:"Path under which to lookup shared credentials."`
	Namespace       string   `mapstructure:"namespace" long:"namespace"   description:"Vault namespace to use for authentication and secret lookup."`

	// TLS and Auth are squashed: their fields are promoted to top-level keys of
	// this manager's config map. Because Auth.ClientToken and TLS.ClientKey are
	// secrets, MarshalJSON must take care not to emit them — verify there.
	TLS  TLSConfig  `mapstructure:",squash"`
	Auth AuthConfig `mapstructure:",squash"`

	// Client, ReAuther and SecretFactory are runtime state rather than
	// configuration; presumably populated by Init and torn down by Close —
	// confirm, neither body is shown here.
	Client        *APIClient
	ReAuther      *ReAuther
	SecretFactory *vaultFactory
}

func (VaultManager) Close

func (manager VaultManager) Close(logger lager.Logger)

func (*VaultManager) Config

func (manager *VaultManager) Config(config map[string]interface{}) error

func (VaultManager) Health

func (manager VaultManager) Health() (*creds.HealthResponse, error)

func (*VaultManager) Init

func (manager *VaultManager) Init(log lager.Logger) error

func (VaultManager) IsConfigured

func (manager VaultManager) IsConfigured() bool

func (*VaultManager) MarshalJSON

func (manager *VaultManager) MarshalJSON() ([]byte, error)

func (*VaultManager) NewSecretsFactory

func (manager *VaultManager) NewSecretsFactory(logger lager.Logger) (creds.SecretsFactory, error)

func (VaultManager) Validate

func (manager VaultManager) Validate() error
