README
¶
Vault Client Library
A comprehensive HashiCorp Vault client library for Go applications that provides:
- Easy configuration management via YAML files
- Multiple authentication methods (Token, AppRole)
- Dynamic database credential management
- Keycloak credential retrieval
- Crypto key management
- Automatic lease renewal
Installation
go get github.com/Danextle/vault-client
Usage
Basic Setup
package main
import (
"context"
"log"
vault "github.com/yourusername/vault-client"
)
func main() {
// Initialize vault client with config file
client, err := vault.NewVaultClient("config.yaml")
if err != nil {
log.Fatal(err)
}
// Get database credentials
ctx := context.Background()
dbCreds, err := client.GetDatabaseCredentials(ctx)
if err != nil {
log.Fatal(err)
}
log.Printf("Database credentials: %+v", dbCreds)
}
Configuration File Format
Create a config.yaml file:
vault:
address: "https://vault.example.com:8200"
authMethod: "approle" # or "token"
approleRoleID: "your-role-id"
approleSecretID: "your-secret-id"
databaseSecretsPath: "database/creds/my-role"
# For token auth:
# token: "your-vault-token"
Database Configuration
For database configuration, create a separate db-config.yaml:
database:
postgresql:
host: "localhost"
port: "5432"
dbname: "mydb"
sslmode: "disable"
enableLog: "true"
maxIdleConns: 10
maxOpenConns: 100
connMaxLifetime: 3600
Features
Authentication
- Token Authentication: Direct token-based auth
- AppRole Authentication: Role-based authentication for applications
Credential Management
- Dynamic Database Credentials: Fetch time-limited PostgreSQL credentials
- Keycloak Integration: Retrieve Keycloak admin and client credentials
- Crypto Keys: Secure retrieval of encryption keys
- Lease Renewal: Automatic credential lease management
Configuration
- YAML Configuration: Easy-to-manage configuration files
- Flexible Structure: Support for multiple configuration formats
API Reference
Types
VaultClient: Main client for interacting with VaultConfig: Application configuration structureVaultConfig: Vault-specific configurationDatabaseCredentials: Database connection credentialsKeycloakCredentials: Keycloak service credentials
Methods
NewVaultClient(configFile string) (*VaultClient, error)GetDatabaseCredentials(ctx context.Context) (*DatabaseCredentials, error)GetKeycloakCredentials(ctx context.Context) (*KeycloakCredentials, error)GetCryptoKey(ctx context.Context) (string, error)RenewDatabaseCredentials(ctx context.Context, leaseID string) errorLoadConfig(filename string) (*Config, error)LoadDbConfig(filename string) (*DbConfig, error)
Requirements
- Go 1.19+
- HashiCorp Vault server
- Access to configured Vault policies
License
MIT License - see LICENSE file for details
Documentation
¶
Index ¶
- type Config
- type DatabaseConfig
- type DatabaseCredentials
- type DbConfig
- type KeycloakCredentials
- type PostgresqlConfig
- type VaultClient
- func (vc *VaultClient) GetCryptoKey(ctx context.Context) (string, error)
- func (vc *VaultClient) GetDatabaseCredentials(ctx context.Context) (*DatabaseCredentials, error)
- func (vc *VaultClient) GetKeycloakCredentials(ctx context.Context) (*KeycloakCredentials, error)
- func (vc *VaultClient) GetSecret(ctx context.Context, Path string) (string, error)
- func (vc *VaultClient) RenewDatabaseCredentials(ctx context.Context, leaseID string) error
- type VaultConfig
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Config ¶
type Config struct {
Vault VaultConfig `yaml:"vault"`
}
Config represents the overall application configuration structure
func LoadConfig ¶
LoadConfig reads and parses the YAML configuration file
type DatabaseConfig ¶
type DatabaseConfig struct {
Postgresql PostgresqlConfig `yaml:"postgresql"`
}
DatabaseConfig holds database-specific configuration
type DatabaseCredentials ¶
type DatabaseCredentials struct {
Username string
Password string
LeaseID string
LeaseDuration time.Duration
}
DatabaseCredentials holds PostgreSQL credentials
type DbConfig ¶
type DbConfig struct {
Database DatabaseConfig `yaml:"database"`
}
DbConfig represents database configuration structure
func LoadDbConfig ¶
LoadDbConfig reads and parses the database YAML configuration file
type KeycloakCredentials ¶
type KeycloakCredentials struct {
AdminUsername string
AdminPassword string
ClientSecret string
Realm string
ClientID string
Server string
PublicKey string
}
KeycloakCredentials holds Keycloak credentials
type PostgresqlConfig ¶
type PostgresqlConfig struct {
Host string `yaml:"host"`
Port string `yaml:"port"`
DatabaseName string `yaml:"dbname"`
SslMode string `yaml:"sslmode"`
EnableLog string `yaml:"enableLog"`
MaxIdleConns int `yaml:"maxIdleConns"`
MaxOpenConns int `yaml:"maxOpenConns"`
ConnMaxLifetime int `yaml:"connMaxLifetime"`
}
PostgresqlConfig contains PostgreSQL-specific configuration
type VaultClient ¶
type VaultClient struct {
// contains filtered or unexported fields
}
VaultClient wraps Vault client and configuration
func NewVaultClient ¶
func NewVaultClient(configFile string) (*VaultClient, error)
NewVaultClient initializes a Vault client using configuration from YAML
func (*VaultClient) GetCryptoKey ¶
func (vc *VaultClient) GetCryptoKey(ctx context.Context) (string, error)
GetCryptoKey retrieves the secret encryption key
func (*VaultClient) GetDatabaseCredentials ¶
func (vc *VaultClient) GetDatabaseCredentials(ctx context.Context) (*DatabaseCredentials, error)
GetDatabaseCredentials fetches dynamic PostgreSQL credentials
func (*VaultClient) GetKeycloakCredentials ¶
func (vc *VaultClient) GetKeycloakCredentials(ctx context.Context) (*KeycloakCredentials, error)
GetKeycloakCredentials fetches Keycloak credentials from KV
func (*VaultClient) RenewDatabaseCredentials ¶
func (vc *VaultClient) RenewDatabaseCredentials(ctx context.Context, leaseID string) error
RenewDatabaseCredentials renews the lease for database credentials
type VaultConfig ¶
type VaultConfig struct {
Address string `yaml:"address"`
Token string `yaml:"token"`
DatabaseSecretsPath string `yaml:"databaseSecretsPath"`
AuthMethod string `yaml:"authMethod"`
ApproleRoleID string `yaml:"approleRoleID"`
ApproleSecretID string `yaml:"approleSecretID"`
}
VaultConfig matches the vault section in the YAML file
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.