vault

package

v0.11.3 Latest Latest Go to latest Published: Mar 4, 2021 License: Apache-2.0 Imports: 21 Imported by: 1

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/spiffe/spire

Links

Open Source Insights

Documentation ¶

Index ¶

func BuiltIn() catalog.Plugin
type AppRoleAuthConfig
type AuthMethod
type CertAuthConfig
type Client
type ClientConfig
- func NewClientConfig(cp *ClientParams, logger hclog.Logger) (*ClientConfig, error)
- func (c *ClientConfig) NewAuthenticatedClient(method AuthMethod) (*Client, error)
type ClientParams
type Plugin
- func New() *Plugin
type PluginConfig
type Renew
- func NewRenew(client *vapi.Client, secret *vapi.Secret, logger hclog.Logger) (*Renew, error)
- func (r *Renew) Run()
type SignCSRResponse
type TokenAuthConfig

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func BuiltIn ¶

func BuiltIn() catalog.Plugin

BuiltIn constructs a catalog Plugin using a new instance of this plugin.

Types ¶

type AppRoleAuthConfig ¶

type AppRoleAuthConfig struct {
	// Name of the mount point where AppRole auth method is mounted. (e.g., /auth/<mount_point>/login)
	// If the value is empty, use default mount point (/auth/approle)
	AppRoleMountPoint string `hcl:"approle_auth_mount_point"`
	// An identifier that selects the AppRole
	RoleID string `hcl:"approle_id"`
	// A credential that is required for login.
	SecretID string `hcl:"approle_secret_id"`
}

AppRoleAuth represents parameters for AppRole auth method.

type AuthMethod ¶

type AuthMethod int

const (
	CERT AuthMethod
	TOKEN
	APPROLE
)

type CertAuthConfig ¶

type CertAuthConfig struct {
	// Name of the mount point where Client Certificate Auth method is mounted. (e.g., /auth/<mount_point>/login)
	// If the value is empty, use default mount point (/auth/cert)
	CertAuthMountPoint string `hcl:"cert_auth_mount_point"`
	// Path to a client certificate file.
	// Only PEM format is supported.
	ClientCertPath string `hcl:"client_cert_path"`
	// Path to a client private key file.
	// Only PEM format is supported.
	ClientKeyPath string `hcl:"client_key_path"`
}

CertAuth represents parameters for cert auth method

type Client ¶

type Client struct {
	// contains filtered or unexported fields
}

func (*Client) Auth ¶

func (c *Client) Auth(path string, body map[string]interface{}) (*vapi.Secret, error)

TLSAuth authenticates to vault server with TLS certificate method

func (*Client) SetToken ¶

func (c *Client) SetToken(v string)

SetToken wraps vapi.Client.SetToken()

func (*Client) SignIntermediate ¶

func (c *Client) SignIntermediate(ttl string, csr *x509.CertificateRequest) (*SignCSRResponse, error)

SignIntermediate requests sign-intermediate endpoint to generate certificate. ttl = TTL for Intermediate CA Certificate csr = Certificate Signing Request see: https://www.vaultproject.io/api/secret/pki/index.html#sign-intermediate

type ClientConfig ¶

type ClientConfig struct {
	Logger hclog.Logger
	// contains filtered or unexported fields
}

ClientConfig represents configuration parameters for vault client

func NewClientConfig ¶

func NewClientConfig(cp *ClientParams, logger hclog.Logger) (*ClientConfig, error)

NewClient returns a new *ClientConfig with default parameters.

func (*ClientConfig) NewAuthenticatedClient ¶

func (c *ClientConfig) NewAuthenticatedClient(method AuthMethod) (*Client, error)

NewAuthenticatedClient returns a new authenticated vault client with given authentication method

type ClientParams ¶

type ClientParams struct {
	// A URL of Vault server. (e.g., https://vault.example.com:8443/)
	VaultAddr string
	// Name of mount point where PKI secret engine is mounted. (e.e., /<mount_point>/ca/pem )
	PKIMountPoint string
	// token string to use when auth method is 'token'
	Token string
	// Name of mount point where TLS Cert auth method is mounted. (e.g., /auth/<mount_point>/login )
	CertAuthMountPoint string
	// Path to a client certificate file to be used when auth method is 'cert'
	ClientCertPath string
	// Path to a client private key file to be used when auth method is 'cert'
	ClientKeyPath string
	// Path to a CA certificate file to be used when client verifies a server certificate
	CACertPath string
	// Name of mount point where AppRole auth method is mounted. (e.g., /auth/<mount_point>/login )
	AppRoleAuthMountPoint string
	// An identifier of AppRole
	AppRoleID string
	// A credential set of AppRole
	AppRoleSecretID string
	// If true, client accepts any certificates.
	// It should be used only test environment so on.
	TLSSKipVerify bool
	// MaxRetries controls the number of times to retry to connect
	// Set to 0 to disable retrying.
	// If the value is nil, to use the default in hashicorp/vault/api.
	MaxRetries *int
}

type Plugin ¶

type Plugin struct {
	// contains filtered or unexported fields
}

func New ¶

func New() *Plugin

func (*Plugin) Configure ¶

func (p *Plugin) Configure(ctx context.Context, req *spi.ConfigureRequest) (*spi.ConfigureResponse, error)

func (*Plugin) GetPluginInfo ¶

func (*Plugin) GetPluginInfo(context.Context, *spi.GetPluginInfoRequest) (*spi.GetPluginInfoResponse, error)

func (*Plugin) MintX509CA ¶

func (p *Plugin) MintX509CA(req *upstreamauthority.MintX509CARequest, stream upstreamauthority.UpstreamAuthority_MintX509CAServer) error

func (*Plugin) PublishJWTKey ¶

func (*Plugin) PublishJWTKey(*upstreamauthority.PublishJWTKeyRequest, upstreamauthority.UpstreamAuthority_PublishJWTKeyServer) error

PublishJWTKey is not implemented by the wrapper and returns a codes.Unimplemented status

func (*Plugin) SetLogger ¶

func (p *Plugin) SetLogger(log hclog.Logger)

type PluginConfig ¶

type PluginConfig struct {
	// A URL of Vault server. (e.g., https://vault.example.com:8443/)
	VaultAddr string `hcl:"vault_addr"`
	// Name of the mount point where PKI secret engine is mounted. (e.g., /<mount_point>/ca/pem)
	PKIMountPoint string `hcl:"pki_mount_point"`
	// Configuration for the Token authentication method
	TokenAuth *TokenAuthConfig `hcl:"token_auth"`
	// Configuration for the Client Certificate authentication method
	CertAuth *CertAuthConfig `hcl:"cert_auth"`
	// Configuration for the AppRole authentication method
	AppRoleAuth *AppRoleAuthConfig `hcl:"approle_auth"`
	// Path to a CA certificate file that the client verifies the server certificate.
	// Only PEM format is supported.
	CACertPath string `hcl:"ca_cert_path"`
	// If true, vault client accepts any server certificates.
	// It should be used only test environment so on.
	InsecureSkipVerify bool `hcl:"insecure_skip_verify"`
}

type Renew ¶

type Renew struct {
	Logger hclog.Logger
	// contains filtered or unexported fields
}

func NewRenew ¶

func NewRenew(client *vapi.Client, secret *vapi.Secret, logger hclog.Logger) (*Renew, error)

func (*Renew) Run ¶

func (r *Renew) Run()

type SignCSRResponse ¶

type SignCSRResponse struct {
	// A certificate requested to sign
	CertPEM string
	// A certificate of CA(Vault)
	CACertPEM string
	// Set of Upstream CA certificates
	CACertChainPEM []string
}

SignCSRResponse includes certificates which are generates by Vault

type TokenAuthConfig ¶

type TokenAuthConfig struct {
	// Token string to set into "X-Vault-Token" header
	Token string `hcl:"token"`
}

TokenAuth represents parameters for token auth method

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL