vault

package
Published: Jun 12, 2023 License: MPL-2.0 Imports: 36 Imported by: 0


Constants

const (
	// NamePrefixVCC is the "vso-cc-" name prefix. NOTE(review): presumably it
	// prefixes the Kubernetes Secrets that back the client cache storage —
	// confirm against the ClientCacheStorage implementation, which is not shown here.
	NamePrefixVCC = "vso-cc-"
)

Variables

// EncryptionRequiredError is a sentinel error; compare with errors.Is.
// NOTE(review): presumably returned when ClientCacheStorageConfig.EnforceEncryption
// is set but a store request carries no EncryptionClient/EncryptionVaultAuth, i.e.
// the Client would otherwise be persisted without Transit encryption — confirm.
// The name predates the ErrXxx convention and is kept for API compatibility.
var EncryptionRequiredError = fmt.Errorf("encryption required")
var (
	// EqualMACS is the constant-time MAC comparison (hmac.Equal), presumably used
	// by HMACValidator.Validate. It is a package variable only so unit tests can
	// monkey-patch it; production code must leave it as hmac.Equal. Swapping in a
	// non-constant-time comparison (bytes.Equal, ==) would open a timing side
	// channel on the stored-entry HMAC check.
	EqualMACS = hmac.Equal
)

EqualMACS is exposed as a variable only so unit tests can monkey-patch it; production code must keep the constant-time hmac.Equal.

Functions

func DecryptWithTransit

func DecryptWithTransit(ctx context.Context, vaultClient Client, mount, key string, data []byte) ([]byte, error)

DecryptWithTransit decrypts data with the Transit key `key` on the Transit mount `mount`, using vaultClient's credentials.

func EncryptWithTransit

func EncryptWithTransit(ctx context.Context, vaultClient Client, mount, key string, data []byte) ([]byte, error)

EncryptWithTransit encrypts data with the Transit key `key` on the Transit mount `mount`, using vaultClient's credentials.

func JoinPath

func JoinPath(parts ...string) string

JoinPath joins parts into a single Vault request path.

func MakeVaultClient

func MakeVaultClient(ctx context.Context, cfg *ClientConfig, client ctrlclient.Client) (*api.Client, error)

MakeVaultClient creates a Vault api.Client from a ClientConfig.

func MarshalSecretData

func MarshalSecretData(resp *api.Secret) (map[string][]byte, error)

func MustRegisterClientMetrics

func MustRegisterClientMetrics(registry prometheus.Registerer)

MustRegisterClientMetrics registers the global Client Prometheus metrics with registry; by the Must convention it is expected to panic if registration fails, so call it once at startup.

Types

type CachingClientFactory

func InitCachingClientFactory

func InitCachingClientFactory(ctx context.Context, client ctrlclient.Client, config *CachingClientFactoryConfig) (CachingClientFactory, error)

InitCachingClientFactory initializes a CachingClientFactory along with its ClientCacheStorage. It is meant to be called from main.

func NewCachingClientFactory

func NewCachingClientFactory(ctx context.Context, client ctrlclient.Client, cacheStorage ClientCacheStorage, config *CachingClientFactoryConfig) (CachingClientFactory, error)

NewCachingClientFactory returns a CachingClientFactory with ClientCache initialized. The ClientCache's onEvictCallback is registered with the factory's onClientEvict(), so that the factory, not the cache, handles every eviction (e.g. releasing the evicted Client). This is essential for correct cleanup; do not construct the cache with a different callback.

type CachingClientFactoryConfig

type CachingClientFactoryConfig struct {
	// Persist enables writing cached Clients to ClientCacheStorage (configured by
	// StorageConfig). A persisted Client presumably includes its Vault token (see
	// Client.GetTokenSecret / Restore), so pair this with
	// StorageConfig.EnforceEncryption unless the storage backend is trusted to
	// hold live credentials in the clear.
	Persist                   bool
	// StorageConfig configures the ClientCacheStorage used when Persist is true.
	StorageConfig             *ClientCacheStorageConfig
	// ClientCacheSize is handed to NewClientCache as its size; presumably the
	// maximum number of Clients held before eviction — confirm.
	ClientCacheSize           int
	// CollectClientCacheMetrics enables the ClientCache metric collectors.
	CollectClientCacheMetrics bool
	// Recorder receives the Kubernetes Events the factory emits.
	Recorder                  record.EventRecorder
	// MetricsRegistry is the prometheus.Registerer the factory's collectors are
	// registered in.
	MetricsRegistry           prometheus.Registerer
}

CachingClientFactoryConfig provides the configuration for a CachingClientFactory instance.

func DefaultCachingClientFactoryConfig

func DefaultCachingClientFactoryConfig() *CachingClientFactoryConfig

DefaultCachingClientFactoryConfig provides the default configuration for a CachingClientFactory instance.

type CachingClientFactoryPruneRequest

// CachingClientFactoryPruneRequest describes a prune of the factory's client cache.
type CachingClientFactoryPruneRequest struct {
	// FilterFunc selects the cached objects to prune (unexported type; see
	// clientCacheObjectFilterFunc in the source).
	FilterFunc   clientCacheObjectFilterFunc
	// PruneStorage also removes the matching entries from ClientCacheStorage,
	// not only from the in-memory cache. NOTE(review): inferred from the name — confirm.
	PruneStorage bool
}

type Client

// Client is a Vault client bound to a VaultAuth/VaultConnection pair. It embeds
// ClientBase for reads and writes and adds login, token, namespace and
// cache-key concerns.
type Client interface {
	ClientBase
	// Init configures the Client from the VaultAuth and VaultConnection objects.
	// The meaning of the string argument is not documented here.
	Init(context.Context, ctrlclient.Client, *secretsv1beta1.VaultAuth, *secretsv1beta1.VaultConnection, string, *ClientOptions) error
	// Login authenticates to Vault, presumably via GetCredentialProvider.
	Login(context.Context, ctrlclient.Client) error
	// Restore re-establishes the Client from a previously stored token secret
	// instead of logging in again.
	Restore(context.Context, *api.Secret) error
	// GetTokenSecret returns the token secret backing this Client. It is a live
	// Vault credential: never log it, and persist it only through
	// ClientCacheStorage, preferably with EnforceEncryption set.
	GetTokenSecret() *api.Secret
	// CheckExpiry reports whether the token has expired. NOTE(review): the int64
	// is presumably a horizon/threshold; its unit is not documented here — confirm.
	CheckExpiry(int64) (bool, error)
	// Validate checks that the Client is correctly configured.
	Validate() error
	GetVaultAuthObj() *secretsv1beta1.VaultAuth
	GetVaultConnectionObj() *secretsv1beta1.VaultConnection
	GetCredentialProvider() credentials.CredentialProvider
	// GetCacheKey returns the ClientCacheKey for this Client; see
	// ComputeClientCacheKeyFromClient.
	GetCacheKey() (ClientCacheKey, error)
	// Close releases the Client's resources.
	Close()
	// Clone returns a copy of the Client for the given Vault namespace (cf.
	// ClientCacheKeyClone); IsClone reports whether this Client is such a copy.
	Clone(string) (Client, error)
	IsClone() bool
	// Namespace and SetNamespace get and set the Vault namespace requests are
	// issued in.
	Namespace() string
	SetNamespace(string)
}

func NewClient

func NewClient(ctx context.Context, client ctrlclient.Client, obj ctrlclient.Object, opts *ClientOptions) (Client, error)

NewClient returns a Client specific to obj. Supported objects can be found in common.GetVaultAuthAndTarget. An error will be returned if obj is deemed to be invalid.

func NewClientFromStorageEntry

func NewClientFromStorageEntry(ctx context.Context, client ctrlclient.Client, entry *clientCacheStorageEntry, opts *ClientOptions) (Client, error)

NewClientFromStorageEntry restores a Client from provided clientCacheStorageEntry. If the restoration fails an error will be returned.

func NewClientWithLogin

func NewClientWithLogin(ctx context.Context, client ctrlclient.Client, obj ctrlclient.Object, opts *ClientOptions) (Client, error)

NewClientWithLogin returns a logged-in Client specific to obj. Supported objects can be found in common.GetVaultAuthAndTarget. An error will be returned if obj is deemed to be invalid.

type ClientBase

// ClientBase is the minimal read/write surface of a Vault client.
type ClientBase interface {
	// Read performs a read at the given Vault path.
	Read(context.Context, string) (*api.Secret, error)
	// Write performs a write of the given data at the given Vault path.
	Write(context.Context, string, map[string]any) (*api.Secret, error)
	// KVv1 and KVv2 return KV secrets-engine helpers for the given mount path.
	KVv1(string) (*api.KVv1, error)
	KVv2(string) (*api.KVv2, error)
}

type ClientCache

type ClientCache interface {
	// Get returns the Client stored under key and whether it was present.
	Get(ClientCacheKey) (Client, bool)
	// Add caches the Client, presumably under its own GetCacheKey. The bool's
	// meaning is not documented here (perhaps whether an entry was evicted) — confirm.
	Add(Client) (bool, error)
	// Remove drops key from the cache; the bool presumably reports whether it
	// was present — confirm.
	Remove(ClientCacheKey) bool
	// Len is the number of cached Clients.
	Len() int
	// Prune removes every Client for which filterFunc returns true and returns
	// the keys that were removed.
	Prune(filterFunc ClientCachePruneFilterFunc) []ClientCacheKey
	// Contains reports whether key is cached.
	Contains(key ClientCacheKey) bool
}

ClientCache provides an interface for Caching a Client.

func NewClientCache

func NewClientCache(size int, callbackFunc onEvictCallbackFunc, metricsRegistry prometheus.Registerer) (ClientCache, error)

NewClientCache returns a ClientCache with its onEvictCallbackFunc set. If metricsRegistry is not nil, then the ClientCache's metric collectors will be registered in that prometheus.Registry. It's up to the caller to handle unregistering the collectors. An error will be returned if the cache could not be initialized.

type ClientCacheKey

// ClientCacheKey identifies a Client in a ClientCache. It is a distinct type over
// string (not an alias), so keys cannot be silently mixed with arbitrary strings;
// see ComputeClientCacheKeyFromObj and ClientCacheKeyClone for how keys are built.
type ClientCacheKey string

ClientCacheKey is a type that holds the unique value of an entity in a ClientCache. Declaring a distinct type captures intent, even though the underlying type is just string (it is not an alias).

func ClientCacheKeyClone

func ClientCacheKeyClone(key ClientCacheKey, namespace string) (ClientCacheKey, error)

ClientCacheKeyClone returns a ClientCacheKey that contains the Vault namespace as its suffix. The clone key is meant to differentiate a "parent" cache key from its clones.

func ComputeClientCacheKeyFromClient

func ComputeClientCacheKeyFromClient(c Client) (ClientCacheKey, error)

ComputeClientCacheKeyFromClient computes the key for use in a ClientCache. It is derived from the configuration of the Client. If the Client is not properly initialized, an error will be returned.

See computeClientCacheKey for more details on how the cache key is derived.

func ComputeClientCacheKeyFromObj

func ComputeClientCacheKeyFromObj(ctx context.Context, client ctrlclient.Client, obj ctrlclient.Object) (ClientCacheKey, error)

ComputeClientCacheKeyFromObj computes the key for use in a ClientCache. It is derived from the configuration of obj. If obj is not of a supported type or is not properly configured, an error will be returned. This operation calls out to the Kubernetes API multiple times, so avoid it on hot paths where ComputeClientCacheKeyFromClient would do.

See computeClientCacheKey for more details on how the cache key is derived.

func (ClientCacheKey) IsClone

func (k ClientCacheKey) IsClone() bool

func (ClientCacheKey) String

func (k ClientCacheKey) String() string

type ClientCachePruneFilterFunc

// ClientCachePruneFilterFunc decides, per Client, whether ClientCache.Prune
// removes it; returning true removes the Client.
type ClientCachePruneFilterFunc func(Client) bool

ClientCachePruneFilterFunc allows for selective pruning of the ClientCache. In the case where the return value is true, the Client will be removed from the cache.

type ClientCacheStorageConfig

// ClientCacheStorageConfig configures the ClientCacheStorage that persists cached
// Clients (see DefaultClientCacheStorageConfig for the defaults).
type ClientCacheStorageConfig struct {
	// EnforceEncryption for persisting Clients i.e. the controller must have VaultTransitRef
	// configured before it will persist the Client to storage. This option requires Persist to be true.
	//
	// Security note: when false, a Client (presumably including its Vault token)
	// may be written to storage without Transit encryption, protected only by the
	// storage backend's own access controls. Prefer true whenever the backend
	// is readable by anyone other than the operator.
	EnforceEncryption bool
	// HMACSecretObjKey locates the Kubernetes Secret holding the key used by
	// HMACValidator (see NewHMACValidator) to authenticate stored entries. Anyone
	// who can read this key and write the storage backend can forge entries, so
	// it must be no less protected than the stored entries themselves.
	HMACSecretObjKey  ctrlclient.ObjectKey
}

func DefaultClientCacheStorageConfig

func DefaultClientCacheStorageConfig() *ClientCacheStorageConfig

type ClientCacheStoragePruneRequest

// ClientCacheStoragePruneRequest selects stored entries to delete from ClientCacheStorage.
type ClientCacheStoragePruneRequest struct {
	// MatchingLabels narrows the storage Secrets considered by label.
	MatchingLabels ctrlclient.MatchingLabels
	// Filter is applied to each considered Secret (see PruneFilterFunc);
	// presumably true selects it for deletion — confirm.
	Filter         PruneFilterFunc
}

type ClientCacheStorageRestoreAllRequest

// ClientCacheStorageRestoreAllRequest restores every stored entry. Entries that
// were stored Transit-encrypted need DecryptionClient and DecryptionVaultAuth —
// a Client whose token can decrypt with the Transit key — to be restored.
type ClientCacheStorageRestoreAllRequest struct {
	DecryptionClient    Client
	DecryptionVaultAuth *secretsv1beta1.VaultAuth
}

type ClientCacheStorageRestoreRequest

// ClientCacheStorageRestoreRequest restores a single stored entry, identified by
// the Kubernetes Secret it lives in and the cache key it should be restored
// under. DecryptionClient/DecryptionVaultAuth are needed when the entry was
// stored Transit-encrypted.
type ClientCacheStorageRestoreRequest struct {
	SecretObjKey        ctrlclient.ObjectKey
	CacheKey            ClientCacheKey
	DecryptionClient    Client
	DecryptionVaultAuth *secretsv1beta1.VaultAuth
}

type ClientCacheStorageStoreRequest

// ClientCacheStorageStoreRequest persists one Client to ClientCacheStorage.
// OwnerReferences are set on the storage object so Kubernetes garbage-collects it
// with its owner. EncryptionClient/EncryptionVaultAuth, when set, presumably
// Transit-encrypt the entry before it is written; they are mandatory when
// ClientCacheStorageConfig.EnforceEncryption is true (cf. EncryptionRequiredError).
// Validate checks the request before it is used.
type ClientCacheStorageStoreRequest struct {
	OwnerReferences     []metav1.OwnerReference
	Client              Client
	EncryptionClient    Client
	EncryptionVaultAuth *secretsv1beta1.VaultAuth
}

func (ClientCacheStorageStoreRequest) Validate

type ClientConfig

type ClientConfig struct {
	// CACertSecretRef is the name of a Kubernetes Secret that contains a data key
	// "ca.crt" that holds a CA cert that can be used to validate the
	// certificate presented by the Vault server
	CACertSecretRef string
	// K8sNamespace the namespace of the CACertSecretRef secret
	K8sNamespace string
	// Address is the URL of the Vault server
	Address string
	// SkipTLSVerify controls whether the Vault server's TLS certificate is
	// verified. Leave it false outside of development: with verification off an
	// on-path attacker can impersonate Vault and capture every token and secret
	// exchanged over the connection. To trust a private CA, use CACertSecretRef
	// instead of disabling verification.
	SkipTLSVerify bool
	// TLSServerName is the name to use as the SNI host when connecting via TLS
	// to Vault (also the name the server certificate is verified against when
	// it differs from the host in Address)
	TLSServerName string
	// VaultNamespace is the namespace in Vault to auth to
	VaultNamespace string
}

ClientConfig contains the connection and auth information to construct a Vault Client.

type ClientFactory

// ClientFactory produces a Client for a Kubernetes object; see NewClient for the
// supported object types and the validation performed.
type ClientFactory interface {
	Get(context.Context, ctrlclient.Client, ctrlclient.Object) (Client, error)
}

type ClientOptions

// ClientOptions tunes Client construction (see NewClient and Client.Init).
type ClientOptions struct {
	// SkipRenewal disables automatic renewal of the Client's Vault token;
	// presumably the token is then left to expire at its TTL (cf. Client.CheckExpiry).
	SkipRenewal bool
}

type HMACValidator

// HMACValidator computes and checks MACs over stored data using a key read from
// the Kubernetes Secret named to NewHMACValidator.
type HMACValidator interface {
	// HMAC returns the MAC of data under the validator's key.
	HMAC(context.Context, ctrlclient.Client, []byte) ([]byte, error)
	// Validate recomputes the MAC of the first []byte and compares it with the
	// second, presumably via the constant-time EqualMACS. The bool reports a
	// match; the returned []byte is not documented here (presumably the
	// recomputed MAC — confirm).
	Validate(context.Context, ctrlclient.Client, []byte, []byte) (bool, []byte, error)
}

func NewHMACValidator

func NewHMACValidator(objKey ctrlclient.ObjectKey) HMACValidator

type PKICertResponse

// PKICertResponse is the decoded payload of a Vault PKI issue response (see
// UnmarshalPKIIssueResponse). Field names follow the json tags.
type PKICertResponse struct {
	CAChain        []string `json:"ca_chain"`
	Certificate    string   `json:"certificate"`
	// Expiration is presumably a Unix timestamp — confirm against the PKI engine.
	Expiration     int64    `json:"expiration"`
	IssuingCa      string   `json:"issuing_ca"`
	// PrivateKey is the issued key material. It is a secret: never log this struct
	// (e.g. with %+v) and do not serialize it anywhere but its intended destination.
	PrivateKey     string   `json:"private_key"`
	PrivateKeyType string   `json:"private_key_type"`
	SerialNumber   string   `json:"serial_number"`
}

func UnmarshalPKIIssueResponse

func UnmarshalPKIIssueResponse(resp *api.Secret) (*PKICertResponse, error)

type PruneFilterFunc

// PruneFilterFunc decides, per storage Secret, whether a ClientCacheStorage prune
// acts on it (see ClientCacheStoragePruneRequest.Filter).
type PruneFilterFunc func(secret corev1.Secret) bool
