Documentation ¶
Index ¶
- Constants
- func UnsealerEntrypoint(ctx context.Context, assetConfig assets.Config, uc *UnsealerCommand) error
- type FileSource
- type KeySource
- type KeySourceErr
- type KubernetesSource
- type UnsealerCommand
- type VaultSource
- type VaultUnsealer
- type VaultUnsealerConfig
- type VaultUnsealerConfigError
- type VaultUnsealerInitializationConfig
- type VaultUnsealerInitializationError
- type VaultUnsealerOperationError
Constants ¶
const ( KeySourceFile = "file" KeySourceKubernetes = "k8s" KeySourceVault = "vault" )
Variables ¶
This section is empty.
Functions ¶
func UnsealerEntrypoint ¶
Types ¶
type FileSource ¶
type FileSource struct {
FilePath string `mapstructure:"path" help:"AuthPath to the file with the unseal-key'"`
}
func (*FileSource) GetUnsealKey ¶
func (fu *FileSource) GetUnsealKey() (string, error)
type KeySourceErr ¶
type KeySourceErr struct {
// contains filtered or unexported fields
}
func (KeySourceErr) Error ¶
func (k KeySourceErr) Error() string
type KubernetesSource ¶
type KubernetesSource struct { // ClusterAddr where the cluster should be accessed. If blank, the current // cluster is used (or the default configured in the environment). ClusterAddr string `mapstructure:"cluster_addr,omitempty" help:"Kubernetes API server address"` // Token if non-blank should be the JWT which authenticates to the cluster. BearerToken string `mapstructure:"bearer_token,omitempty" help:"Optional bearer token to access cluster"` // TLSNoVerify disabled TLS auth for connections to the Kubernetes server TLSNoVerify bool `mapstructure:"tls_no_verify,omitempty" help:"Disable TLS verification to cluster (not recommended)"` // SecretNamespace is the namespace the secret is found in SecretNamespace string `mapstructure:"namespace,omitempty" help:"Namespace of the secret - if blank uses current namespace"` // SecretName is the name of the secret SecretName string `mapstructure:"secret_name" help:"Name of the secret"` // SecretKey is the key within the secret. SecretKey string `mapstructure:"secret_key" help:"Key within the secret"` }
KubernetesSource reads the unseal key from a K8S secret in a given cluster. ClusterAddr and ServiceAccount are optional - if not specified defaults to the current cluster and current service account if it can be loaded from the environment. SecretNamespace is optional will default to the current namespace if not specified.
func (*KubernetesSource) GetUnsealKey ¶
func (k *KubernetesSource) GetUnsealKey() (string, error)
type UnsealerCommand ¶
type UnsealerCommand struct { MonitorEnable bool `help:"enable the HTTP monitor port"` Monitor server.MonitorServerConfig `embed:"" prefix:"monitor." help:"configuration for the monitoring endpoint"` TLSNoVerify bool `help:"disable TLS verification"` TLSCAFiles []string `help:"additional TLS CA certificate files"` KeySource struct { Name string `help:"source of the unseal key" default:"file" enum:"file,k8s,vault"` FileSource *FileSource `embed:"" prefix:"file." help:"Configuration for file source unsealing"` K8SSource *KubernetesSource `embed:"" prefix:"k8s." help:"Configuration for kubernetes source unsealing"` VaultSource *VaultSource `embed:"" prefix:"vault." help:"Configuration for Vault source unsealing"` } `embed:"" prefix:"key-source."` Initialize bool `help:"initialize the Vault instance (raft join)" default:"true"` Unseal bool `help:"unseal the Vault instance" default:"true"` InitOptions struct { LeaderCACert string `help:"leader CA certificate to use when performing Raft joins. Either filepath or literal value"` } `embed:"" prefix:"init."` VaultEndpoint *url.URL `arg:"" help:"vault HA endpoint for API access"` VaultInstance *url.URL `arg:"" help:"vault instance address to monitor"` PollFrequency time.Duration `help:"frequency to check the Vault instance for unlocks" default:"1s"` }
UnsealerCommand implements the command line interface for starting the unsealer.
type VaultSource ¶
type VaultSource struct { VaultAddr string `help:"Vault Server address to connect to"` VaultCACerts string `help:"CA Certificate to authenticate Vault"` VaultTLSNoVerify bool `help:"Disable TLS verification to the endpoint"` // AuthType to use with Vault. May be any valid Vault type. AuthType string `help:"Authentication type to attempt with Vault"` // AuthPath path to the auth method's mount point AuthPath string `help:"Mount path of the authentication method"` // AuthParameters is a freeform set of parameters sent to the Vault auth path // to acquire a token. AuthParameters map[string]string `help:"Authentication parameters (see Vault documentation)"` // SecretPath is the HTTP path to the secret to read. SecretPath string `help:"Path to the secret to read as specified to the HTTP API of Vault."` // SecretKey is the subkey of the secret to read SecretKey string `help:"subkey of the secret to read." default:"value"` }
VaultSource retreives the unseal key from a path in Hashicorp Vault This source would be used in an HA mode where there's a common endpoint which will find a functional Vault instance to retrieve the key from.
func (*VaultSource) GetUnsealKey ¶
func (k *VaultSource) GetUnsealKey() (string, error)
TODO: determine GetUnsealKey utility at startup.
type VaultUnsealer ¶
type VaultUnsealer interface { Start(config VaultUnsealerConfig) chan error Stop() Liveness() time.Time }
VaultUnsealer implements a watcher which will attempt to unseal a targeted Vault instance.
func NewVaultUnsealer ¶
func NewVaultUnsealer(config VaultUnsealerInitializationConfig) (VaultUnsealer, error)
NewVaultUnsealer initializes a new VaultUnsealer and validates it's configuration.
type VaultUnsealerConfig ¶
type VaultUnsealerConfig struct { PollFrequency time.Duration UnsealKeySource KeySource // CanInitialize means this agent should try and initialize uninitialized instances CanInitialize bool // CanUnseal means this agent should try and unseal sealed instances CanUnseal bool // LeaderCACert is the certificate used with the Raft leader. // If nil, then it is not sent and system CA certs will be used. LeaderCACert *x509.Certificate }
type VaultUnsealerConfigError ¶
type VaultUnsealerConfigError struct {
// contains filtered or unexported fields
}
func (VaultUnsealerConfigError) Error ¶
func (v VaultUnsealerConfigError) Error() string
type VaultUnsealerInitializationConfig ¶
type VaultUnsealerInitializationConfig struct { // Logger is the *zap.Logger to use Logger *zap.Logger // InstanceClient is the resty Client instance for contacting the Vault Instance InstanceClient *resty.Client // EndpointClient is the resty Client instance to use for contacting the Vault Endpoint EndpointClient *resty.Client // URLCloner function for copying URLs safely URLCloner func(url *url.URL) *url.URL // Now function for getting time Now func() time.Time // NewTimer function for creating timers NewTicker func(duration time.Duration) *time.Ticker }
VaultUnsealerInitializationConfig provides initialization parameters for the Vault Unsealer.
type VaultUnsealerInitializationError ¶
type VaultUnsealerInitializationError struct {
// contains filtered or unexported fields
}
func (VaultUnsealerInitializationError) Error ¶
func (v VaultUnsealerInitializationError) Error() string
type VaultUnsealerOperationError ¶
type VaultUnsealerOperationError struct {
// contains filtered or unexported fields
}
func (VaultUnsealerOperationError) Error ¶
func (v VaultUnsealerOperationError) Error() string