Documentation
¶
Overview ¶
Package secrets implements a high throughput vault client.
Index ¶
- Constants
- func ServiceConfigPath(config Config) string
- func URL(format string, args ...interface{}) *url.URL
- type Buffer
- type BufferPool
- type CertPool
- type Client
- type Config
- func (c Config) GetAddr(inherited ...string) string
- func (c Config) GetMount() string
- func (c Config) GetRootCAs() []string
- func (c Config) GetServicePath() string
- func (c Config) GetTimeout() time.Duration
- func (c Config) GetToken() string
- func (c Config) IsZero() bool
- func (c Config) MustAddr() *url.URL
- type Event
- func (e *Event) Key() string
- func (e *Event) Method() string
- func (e *Event) Remote() string
- func (e *Event) WithKey(key string) *Event
- func (e *Event) WithMethod(method string) *Event
- func (e *Event) WithRemote(remote string) *Event
- func (e *Event) WriteJSON() map[string]interface{}
- func (e *Event) WriteText(tf logger.TextFormatter, buf *bytes.Buffer)
- type HTTPClient
- type KV
- type MockClient
- type MockHTTPClient
- type Mount
- type MountConfig
- type MountConfigInput
- type MountInput
- type MountResponse
- type Option
- type SecretAuth
- type SecretData
- type SecretV1
- type SecretV2
- type SecretWrapInfo
- type Values
- type VaultClient
- func (c *VaultClient) CertPool() *CertPool
- func (c *VaultClient) Delete(key string, options ...Option) error
- func (c *VaultClient) Get(key string, options ...Option) (Values, error)
- func (c *VaultClient) HTTPClient() HTTPClient
- func (c *VaultClient) Logger() *logger.Logger
- func (c *VaultClient) Mount() string
- func (c *VaultClient) Put(key string, data Values, options ...Option) error
- func (c *VaultClient) ReadInto(key string, obj interface{}, options ...Option) error
- func (c *VaultClient) Remote() *url.URL
- func (c *VaultClient) Token() string
- func (c *VaultClient) WithHTTPClient(hc HTTPClient) *VaultClient
- func (c *VaultClient) WithLogger(log *logger.Logger) *VaultClient
- func (c *VaultClient) WithMount(mount string) *VaultClient
- func (c *VaultClient) WithRemote(remote *url.URL) *VaultClient
- func (c *VaultClient) WithToken(token string) *VaultClient
- func (c *VaultClient) WriteInto(key string, obj interface{}, options ...Option) error
Constants ¶
const ( // DefaultAddr is the default addr. DefaultAddr = "http://127.0.0.1:8200" // DefaultTimeout is the default timeout. DefaultTimeout = time.Second // DefaultMount is the default kv mount. DefaultMount = "/secret" )
const ( // MethodGet is a request method. MethodGet = "GET" // MethodPost is a request method. MethodPost = "POST" // MethodPut is a request method. MethodPut = "PUT" // MethodDelete is a request method. MethodDelete = "DELETE" // HeaderVaultToken is the vault token header. HeaderVaultToken = "X-Vault-Token" // HeaderContentType is the content type header. HeaderContentType = "Content-Type" // ContentTypeApplicationJSON is a content type. ContentTypeApplicationJSON = "application/json" // DefaultBufferPoolSize is the default buffer pool size. DefaultBufferPoolSize = 1024 // ReflectTagName is a reflect tag name. ReflectTagName = "secret" // Version1 is a constant. Version1 = "1" // Version2 is a constant. Version2 = "2" )
const (
// Flag is the logger flag.
Flag = "secrets"
)
Variables ¶
This section is empty.
Functions ¶
func ServiceConfigPath ¶
ServiceConfigPath returns the service config path.
Types ¶
type Buffer ¶
Buffer is a bytes.Buffer with a reference back to the buffer pool. It returns itself to the pool on close.
type BufferPool ¶
BufferPool is a sync.Pool of bytes.Buffer.
func NewBufferPool ¶
func NewBufferPool(bufferSize int) *BufferPool
NewBufferPool returns a new BufferPool. bufferSize is the size of the returned buffers pre-allocated size in bytes. Typically this is something between 256 bytes and 1kb.
func (*BufferPool) Get ¶
func (bp *BufferPool) Get() *Buffer
Get returns a pooled bytes.Buffer instance.
type CertPool ¶
type CertPool struct {
// contains filtered or unexported fields
}
CertPool is a wrapper for x509.CertPool.
func NewCertPool ¶
NewCertPool creates a new cert pool. This cert pool starts with the system certs.
type Client ¶
type Client interface {
Put(key string, data Values, options ...Option) error
Get(key string, options ...Option) (Values, error)
Delete(key string, options ...Option) error
}
Client is the general interface for a Secrets client
type Config ¶
type Config struct {
// Addr is the remote address of the secret store.
Addr string `json:"addr" yaml:"addr" env:"VAULT_ADDR"`
// Token is the authentication token used to talk to the secret store.
Token string `json:"token" yaml:"token" env:"VAULT_TOKEN"`
// Mount is the default mount path, it prefixes any keys.
Mount string `json:"mount" yaml:"mount"`
// Timeout is the dial timeout for requests to the secrets store.
Timeout time.Duration `json:"timeout" yaml:"timeout"`
// RootCAs is a list of certificate authority paths.
RootCAs []string `json:"rootCAs" yaml:"rootCAs" env:"VAULT_CACERT,csv"`
// ServicePath is the path that service secrets live under
ServicePath string `json:"servicePath" yaml:"servicePath" env:"SECRETS_SERVICE_PATH"`
}
Config is the secrets config object.
func MustNewConfigFromEnv ¶
func MustNewConfigFromEnv() (cfg *Config)
MustNewConfigFromEnv returns a config set from the env, and panics on error.
func NewConfigFromEnv ¶
NewConfigFromEnv returns a config populated by the env.
func (Config) GetServicePath ¶
GetServicePath returns the service path
func (Config) GetTimeout ¶
GetTimeout returns the client timeout.
type Event ¶
Event is an event.
func (*Event) WithMethod ¶
WithMethod sets the event method.
func (*Event) WithRemote ¶
WithRemote sets the event remote.
type HTTPClient ¶
HTTPClient is a client that can send http requests.
type KV ¶
type KV interface {
Put(key string, data Values, options ...Option) error
Get(key string, options ...Option) (Values, error)
Delete(key string, options ...Option) error
}
KV is a basic key value store.
type MockClient ¶
MockClient is a mock events client
func (*MockClient) Delete ¶
func (c *MockClient) Delete(key string, options ...Option) error
Delete deletes a key.
type MockHTTPClient ¶
type MockHTTPClient struct {
// contains filtered or unexported fields
}
MockHTTPClient is a mock http client.
func NewMockHTTPClient ¶
func NewMockHTTPClient() *MockHTTPClient
NewMockHTTPClient returns a new mock http client.
func (*MockHTTPClient) With ¶
func (mh *MockHTTPClient) With(verb string, url *url.URL, response *http.Response) *MockHTTPClient
With adds a mocked endpoint.
func (*MockHTTPClient) WithString ¶
func (mh *MockHTTPClient) WithString(verb string, url *url.URL, contents string) *MockHTTPClient
WithString adds a mocked endpoint.
type Mount ¶
type Mount struct {
Type string `json:"type"`
Description string `json:"description"`
Accessor string `json:"accessor"`
Config MountConfig `json:"config"`
Options map[string]string `json:"options"`
Local bool `json:"local"`
SealWrap bool `json:"seal_wrap" mapstructure:"seal_wrap"`
}
Mount is a vault mount.
type MountConfig ¶
type MountConfig struct {
DefaultLeaseTTL int `json:"default_lease_ttl" mapstructure:"default_lease_ttl"`
MaxLeaseTTL int `json:"max_lease_ttl" mapstructure:"max_lease_ttl"`
ForceNoCache bool `json:"force_no_cache" mapstructure:"force_no_cache"`
PluginName string `json:"plugin_name,omitempty" mapstructure:"plugin_name"`
AuditNonHMACRequestKeys []string `json:"audit_non_hmac_request_keys,omitempty" mapstructure:"audit_non_hmac_request_keys"`
AuditNonHMACResponseKeys []string `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"`
ListingVisibility string `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"`
PassthroughRequestHeaders []string `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"`
}
MountConfig is a vault mount config.
type MountConfigInput ¶
type MountConfigInput struct {
Options map[string]string `json:"options" mapstructure:"options"`
DefaultLeaseTTL string `json:"default_lease_ttl" mapstructure:"default_lease_ttl"`
MaxLeaseTTL string `json:"max_lease_ttl" mapstructure:"max_lease_ttl"`
ForceNoCache bool `json:"force_no_cache" mapstructure:"force_no_cache"`
PluginName string `json:"plugin_name,omitempty" mapstructure:"plugin_name"`
AuditNonHMACRequestKeys []string `json:"audit_non_hmac_request_keys,omitempty" mapstructure:"audit_non_hmac_request_keys"`
AuditNonHMACResponseKeys []string `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"`
ListingVisibility string `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"`
PassthroughRequestHeaders []string `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"`
}
MountConfigInput is a vault mount config input.
type MountInput ¶
type MountInput struct {
Type string `json:"type"`
Description string `json:"description"`
Config MountConfigInput `json:"config"`
Options map[string]string `json:"options"`
Local bool `json:"local"`
PluginName string `json:"plugin_name,omitempty"`
SealWrap bool `json:"seal_wrap" mapstructure:"seal_wrap"`
}
MountInput is a vault mount input.
type MountResponse ¶
MountResponse is the result of a call to a mount.
type SecretAuth ¶
type SecretAuth struct {
ClientToken string `json:"client_token"`
Accessor string `json:"accessor"`
Policies []string `json:"policies"`
Metadata map[string]string `json:"metadata"`
LeaseDuration int `json:"lease_duration"`
Renewable bool `json:"renewable"`
}
SecretAuth is the structure containing auth information if we have it.
type SecretV1 ¶
type SecretV1 struct {
// The request ID that generated this response
RequestID string `json:"request_id"`
LeaseID string `json:"lease_id"`
LeaseDuration int `json:"lease_duration"`
Renewable bool `json:"renewable"`
// Data is the actual contents of the secret. The format of the data
// is arbitrary and up to the secret backend.
Data Values `json:"data"`
// Warnings contains any warnings related to the operation. These
// are not issues that caused the command to fail, but that the
// client should be aware of.
Warnings []string `json:"warnings"`
// Auth, if non-nil, means that there was authentication information
// attached to this response.
Auth *SecretAuth `json:"auth,omitempty"`
// WrapInfo, if non-nil, means that the initial response was wrapped in the
// cubbyhole of the given token (which has a TTL of the given number of
// seconds)
WrapInfo *SecretWrapInfo `json:"wrap_info,omitempty"`
}
SecretV1 is the structure returned for every secret within Vault.
type SecretV2 ¶
type SecretV2 struct {
// The request ID that generated this response
RequestID string `json:"request_id"`
LeaseID string `json:"lease_id"`
LeaseDuration int `json:"lease_duration"`
Renewable bool `json:"renewable"`
// Data is the actual contents of the secret. The format of the data
// is arbitrary and up to the secret backend.
Data SecretData `json:"data"`
// Warnings contains any warnings related to the operation. These
// are not issues that caused the command to fail, but that the
// client should be aware of.
Warnings []string `json:"warnings"`
// Auth, if non-nil, means that there was authentication information
// attached to this response.
Auth *SecretAuth `json:"auth,omitempty"`
// WrapInfo, if non-nil, means that the initial response was wrapped in the
// cubbyhole of the given token (which has a TTL of the given number of
// seconds)
WrapInfo *SecretWrapInfo `json:"wrap_info,omitempty"`
}
SecretV2 is the structure returned for every secret within Vault.
type SecretWrapInfo ¶
type SecretWrapInfo struct {
Token string `json:"token"`
Accessor string `json:"accessor"`
TTL int `json:"ttl"`
CreationTime time.Time `json:"creation_time"`
CreationPath string `json:"creation_path"`
WrappedAccessor string `json:"wrapped_accessor"`
}
SecretWrapInfo contains wrapping information if we have it. If what is contained is an authentication token, the accessor for the token will be available in WrappedAccessor.
type VaultClient ¶
type VaultClient struct {
// contains filtered or unexported fields
}
VaultClient is a client to talk to the secrets store.
func Must ¶
func Must(c *VaultClient, err error) *VaultClient
Must does things with the error such as panic.
func NewVaultClient ¶
func NewVaultClient() (*VaultClient, error)
NewVaultClient returns a new client.
func NewVaultClientFromConfig ¶
func NewVaultClientFromConfig(cfg *Config) (*VaultClient, error)
NewVaultClientFromConfig returns a new client from a config.
func NewVaultClientFromEnv ¶
func NewVaultClientFromEnv() (*VaultClient, error)
NewVaultClientFromEnv is a helper to create a client from a config read from the environment.
func (*VaultClient) CertPool ¶
func (c *VaultClient) CertPool() *CertPool
CertPool returns the cert pool.
func (*VaultClient) Delete ¶
func (c *VaultClient) Delete(key string, options ...Option) error
Delete puts a key.
func (*VaultClient) Get ¶
func (c *VaultClient) Get(key string, options ...Option) (Values, error)
Get gets a value at a given key.
func (*VaultClient) HTTPClient ¶
func (c *VaultClient) HTTPClient() HTTPClient
HTTPClient sets the http client.
func (*VaultClient) Logger ¶
func (c *VaultClient) Logger() *logger.Logger
Logger returns the logger.
func (*VaultClient) Put ¶
func (c *VaultClient) Put(key string, data Values, options ...Option) error
Put puts a value.
func (*VaultClient) ReadInto ¶
func (c *VaultClient) ReadInto(key string, obj interface{}, options ...Option) error
ReadInto reads a secret into an object.
func (*VaultClient) Remote ¶
func (c *VaultClient) Remote() *url.URL
Remote returns the client remote addr.
func (*VaultClient) WithHTTPClient ¶
func (c *VaultClient) WithHTTPClient(hc HTTPClient) *VaultClient
WithHTTPClient sets the http client.
func (*VaultClient) WithLogger ¶
func (c *VaultClient) WithLogger(log *logger.Logger) *VaultClient
WithLogger sets the logger.
func (*VaultClient) WithMount ¶
func (c *VaultClient) WithMount(mount string) *VaultClient
WithMount sets the token.
func (*VaultClient) WithRemote ¶
func (c *VaultClient) WithRemote(remote *url.URL) *VaultClient
WithRemote set the client remote url.
func (*VaultClient) WithToken ¶
func (c *VaultClient) WithToken(token string) *VaultClient
WithToken sets the token.