Constants

// Environment variable names recognized by this package. GenClientParams takes
// a lookupEnv callback, so these are presumably the keys it queries when a
// value is not present in the BaseConfiguration; whether an environment value
// overrides a configured one is decided there — confirm before relying on
// precedence.
const (
	EnvVaultAddr       = "VAULT_ADDR"
	EnvVaultToken      = "VAULT_TOKEN"
	EnvVaultClientCert = "VAULT_CLIENT_CERT"
	EnvVaultClientKey  = "VAULT_CLIENT_KEY"
	EnvVaultCACert     = "VAULT_CACERT"
	EnvVaultNamespace  = "VAULT_NAMESPACE"
	// SPIRE-specific; not a standard Vault SDK environment variable.
	EnvVaultAppRoleID         = "VAULT_APPROLE_ID"
	// The value read from this variable is a login credential; the literal
	// here is only the variable's name, which is why the gosec hardcoded
	// credential rule (G101) is suppressed on this line.
	EnvVaultAppRoleSecretID   = "VAULT_APPROLE_SECRET_ID" // #nosec G101
	EnvVaultTransitEnginePath = "VAULT_TRANSIT_ENGINE_PATH"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type AppRoleAuthConfig

// AppRoleAuthConfig represents parameters for the AppRole auth method.
//
// SecretID is a login credential and is carried in configuration (hcl/json)
// as plain text, so the configuration source needs to be protected
// accordingly. The package also defines EnvVaultAppRoleSecretID, which
// GenClientParams may use as an alternative source — confirm its precedence
// there.
type AppRoleAuthConfig struct {
	// Name of the mount point where AppRole auth method is mounted. (e.g., /auth/<mount_point>/login)
	// If the value is empty, use default mount point (/auth/approle)
	AppRoleMountPoint string `hcl:"approle_auth_mount_point" json:"approle_auth_mount_point"`
	// An identifier that selects the AppRole.
	RoleID string `hcl:"approle_id" json:"approle_id"`
	// A credential that is required for login; treat it as sensitive.
	SecretID string `hcl:"approle_secret_id" json:"approle_secret_id"`
}

AppRoleAuthConfig represents parameters for AppRole auth method.

type AuthMethod

// AuthMethod identifies how the client authenticates to Vault.
// ParseAuthMethod derives it from a BaseConfiguration; which of the optional
// *Auth blocks is set presumably selects the method — confirm in
// ParseAuthMethod.
type AuthMethod int

// Supported authentication methods. Each corresponds to one of the optional
// *Auth blocks of BaseConfiguration.
const (
	// CERT authenticates with a client TLS certificate (CertAuthConfig).
	CERT AuthMethod
	// TOKEN authenticates with a pre-issued Vault token (TokenAuthConfig).
	TOKEN
	// APPROLE authenticates with an AppRole role ID and secret ID (AppRoleAuthConfig).
	APPROLE
	// K8S authenticates with a Kubernetes service account token (K8sAuthConfig).
	K8S
)

func ParseAuthMethod

func ParseAuthMethod(config *BaseConfiguration) (AuthMethod, error)

type BaseConfiguration

// BaseConfiguration is the plugin configuration shared by all authentication
// methods. ParseAuthMethod selects the AuthMethod from it and GenClientParams
// turns it into ClientParams. Presumably only one of TokenAuth, CertAuth,
// AppRoleAuth or K8sAuth is expected to be set — confirm in ParseAuthMethod.
type BaseConfiguration struct {
	// A URL of Vault server. (e.g., https://vault.example.com:8443/)
	VaultAddr string `hcl:"vault_addr" json:"vault_addr"`
	// Configuration for the Token authentication method.
	TokenAuth *TokenAuthConfig `hcl:"token_auth" json:"token_auth,omitempty"`
	// Configuration for the Client Certificate authentication method.
	CertAuth *CertAuthConfig `hcl:"cert_auth" json:"cert_auth,omitempty"`
	// Configuration for the AppRole authentication method.
	AppRoleAuth *AppRoleAuthConfig `hcl:"approle_auth" json:"approle_auth,omitempty"`
	// Configuration for the Kubernetes authentication method.
	K8sAuth *K8sAuthConfig `hcl:"k8s_auth" json:"k8s_auth,omitempty"`
	// Path to a CA certificate file used by the client to verify the server certificate.
	// Only PEM format is supported.
	CACertPath string `hcl:"ca_cert_path" json:"ca_cert_path"`
	// If true, the Vault client accepts any server certificate, which removes
	// the protection against a spoofed or intercepted Vault endpoint.
	// Intended for test environments only.
	InsecureSkipVerify bool `hcl:"insecure_skip_verify" json:"insecure_skip_verify"`
	// Name of the Vault namespace.
	Namespace string `hcl:"namespace" json:"namespace"`
}

type CertAuthConfig

// CertAuthConfig represents parameters for the cert (client TLS certificate)
// auth method.
type CertAuthConfig struct {
	// Name of the mount point where Client Certificate Auth method is mounted. (e.g., /auth/<mount_point>/login)
	// If the value is empty, use default mount point (/auth/cert)
	CertAuthMountPoint string `hcl:"cert_auth_mount_point" json:"cert_auth_mount_point"`
	// Name of the Vault role.
	// If given, the plugin authenticates against only the named role.
	CertAuthRoleName string `hcl:"cert_auth_role_name" json:"cert_auth_role_name"`
	// Path to a client certificate file.
	// Only PEM format is supported.
	ClientCertPath string `hcl:"client_cert_path" json:"client_cert_path"`
	// Path to a client private key file.
	// Only PEM format is supported. The key is the login credential for this
	// method, so the file's permissions should restrict it to the plugin.
	ClientKeyPath string `hcl:"client_key_path" json:"client_key_path"`
}

CertAuthConfig represents parameters for cert auth method

type Client

// Client is an authenticated Vault client. It wraps the hashicorp/vault/api
// client (exposed by VaultClient) together with the ClientParams it was built
// from; instances come from ClientConfig.NewAuthenticatedClient.
type Client struct {
	// ClientParams are the parameters this client was configured with.
	// They include credentials (Token, AppRoleSecretID), so do not log them.
	ClientParams *ClientParams
	// contains filtered or unexported fields
}

func (*Client) Auth

func (c *Client) Auth(path string, body map[string]any) (*vapi.Secret, error)

Auth authenticates to the Vault server with the TLS certificate method.

func (*Client) CreateKey

func (c *Client) CreateKey(ctx context.Context, keyName string, keyType TransitKeyType) error

CreateKey creates a new key in the specified transit secret engine. See: https://developer.hashicorp.com/vault/api-docs/secret/transit#create-key

func (*Client) GetKey

func (c *Client) GetKey(ctx context.Context, keyName string) (*KeyEntry, error)

GetKey returns a specific key from the transit engine. See: https://developer.hashicorp.com/vault/api-docs/secret/transit#read-key

func (*Client) GetKeys

func (c *Client) GetKeys(ctx context.Context) ([]*KeyEntry, error)

GetKeys returns all the keys of the transit engine. See: https://developer.hashicorp.com/vault/api-docs/secret/transit#list-keys

func (*Client) LookupSelf

func (c *Client) LookupSelf(token string) (*vapi.Secret, error)

func (*Client) SetToken

func (c *Client) SetToken(v string)

SetToken wraps vapi.Client.SetToken()

func (*Client) SignData

func (c *Client) SignData(ctx context.Context, keyName string, data []byte, hashAlgo TransitHashAlgorithm, signatureAlgo TransitSignatureAlgorithm) ([]byte, error)

SignData signs the data using the transit engine key with the given key name. See: https://developer.hashicorp.com/vault/api-docs/secret/transit#sign-data

func (*Client) SignIntermediate

func (c *Client) SignIntermediate(ttl string, csr *x509.CertificateRequest) (*SignCSRResponse, error)

SignIntermediate requests the sign-intermediate endpoint to generate a certificate. ttl is the TTL for the intermediate CA certificate; csr is the certificate signing request. See: https://www.vaultproject.io/api/secret/pki/index.html#sign-intermediate

func (*Client) VaultClient

func (c *Client) VaultClient() *vapi.Client

VaultClient returns the underlying vault API client.

type ClientConfig

// ClientConfig represents configuration parameters for the Vault client.
// Build it with NewClientConfig and obtain a Client through
// NewAuthenticatedClient.
type ClientConfig struct {
	// Logger receives the client's log output.
	Logger hclog.Logger
	// Vault client parameters, including any credentials.
	ClientParams *ClientParams
}

ClientConfig represents configuration parameters for the Vault client.

func NewClientConfig

func NewClientConfig(cp *ClientParams, logger hclog.Logger) (*ClientConfig, error)

NewClientConfig returns a new *ClientConfig with default parameters.

func (*ClientConfig) NewAuthenticatedClient

func (c *ClientConfig) NewAuthenticatedClient(method AuthMethod, renewCh chan struct{}) (client *Client, err error)

NewAuthenticatedClient returns a new authenticated Vault client using the given authentication method.

type ClientParams

// ClientParams holds the resolved parameters used to build a Vault client.
// GenClientParams derives it from a BaseConfiguration plus environment
// lookups, and NewClientConfig consumes it. Token and AppRoleSecretID are
// login credentials, so a ClientParams value should not be logged or
// serialized wholesale.
type ClientParams struct {
	// A URL of Vault server. (e.g., https://vault.example.com:8443/)
	VaultAddr string
	// Name of mount point where PKI secret engine is mounted. (e.g., /<mount_point>/ca/pem )
	PKIMountPoint string
	// Token string to use when auth method is 'token'.
	// This is a credential; treat it as sensitive.
	Token string
	// Name of mount point where TLS Cert auth method is mounted. (e.g., /auth/<mount_point>/login )
	CertAuthMountPoint string
	// Name of the Vault role.
	// If given, the plugin authenticates against only the named role.
	CertAuthRoleName string
	// Path to a client certificate file to be used when auth method is 'cert'.
	ClientCertPath string
	// Path to a client private key file to be used when auth method is 'cert'.
	ClientKeyPath string
	// Path to a CA certificate file to be used when the client verifies the server certificate.
	CACertPath string
	// Name of mount point where AppRole auth method is mounted. (e.g., /auth/<mount_point>/login )
	AppRoleAuthMountPoint string
	// An identifier of the AppRole.
	AppRoleID string
	// The secret ID of the AppRole. This is a credential; treat it as sensitive.
	AppRoleSecretID string
	// Name of the mount point where Kubernetes auth method is mounted. (e.g., /auth/<mount_point>/login)
	K8sAuthMountPoint string
	// Name of the Vault role.
	// The plugin authenticates against the named role.
	K8sAuthRoleName string
	// Path to a K8s Service Account Token to be used when auth method is 'k8s'.
	K8sAuthTokenPath string
	// If true, the client accepts any server certificate, disabling TLS
	// server verification. Intended for test environments only.
	TLSSkipVerify bool
	// MaxRetries controls the number of times to retry connecting.
	// Set to 0 to disable retrying.
	// If nil, the default from hashicorp/vault/api is used.
	MaxRetries *int
	// Name of the Vault namespace.
	Namespace string
	// TransitEnginePath specifies the path to the transit engine to perform key operations.
	TransitEnginePath string
}

func GenClientParams

func GenClientParams(method AuthMethod, baseConfig *BaseConfiguration, lookupEnv func(string) (string, bool)) (*ClientParams, error)

type K8sAuthConfig

// K8sAuthConfig represents parameters for the Kubernetes auth method.
type K8sAuthConfig struct {
	// Name of the mount point where Kubernetes auth method is mounted. (e.g., /auth/<mount_point>/login)
	// If the value is empty, use default mount point (/auth/kubernetes)
	K8sAuthMountPoint string `hcl:"k8s_auth_mount_point" json:"k8s_auth_mount_point"`
	// Name of the Vault role.
	// The plugin authenticates against the named role.
	K8sAuthRoleName string `hcl:"k8s_auth_role_name" json:"k8s_auth_role_name"`
	// Path to the Kubernetes Service Account Token used to authenticate with
	// Vault. The token file is the login credential for this method.
	TokenPath string `hcl:"token_path" json:"token_path"`
}

K8sAuthConfig represents parameters for Kubernetes auth method.

type KeyEntry

// KeyEntry describes one key of the transit engine, as returned by
// Client.GetKey and Client.GetKeys.
type KeyEntry struct {
	// KeyName is the name of the key within the transit engine.
	KeyName string
	// KeyType is the top-level type from Vault (e.g., "ecdsa-p256", "rsa-2048").
	KeyType string
	// KeyData is the remaining key metadata as returned by Vault; its layout
	// presumably follows the read-key API response linked from GetKey —
	// confirm before depending on specific keys.
	KeyData map[string]any
}

type Renew

// Renew is constructed by NewRenew from a *vapi.Client and a *vapi.Secret and
// started with Run. NOTE(review): from the name and constructor it presumably
// keeps that secret's lease renewed in the background; Run's behavior is not
// visible here — confirm before relying on it.
type Renew struct {
	// contains filtered or unexported fields
}

func NewRenew

func NewRenew(client *vapi.Client, secret *vapi.Secret, logger hclog.Logger) (*Renew, error)

func (*Renew) Run

func (r *Renew) Run()

type SignCSRResponse

// SignCSRResponse includes the certificates generated by Vault when
// Client.SignIntermediate signs a CSR. All fields are PEM-encoded.
type SignCSRResponse struct {
	// CACertPEM is the certificate issued for the submitted CSR.
	CACertPEM string
	// UpstreamCACertPEM is the certificate of the signing CA (Vault).
	UpstreamCACertPEM string
	// UpstreamCACertChainPEM is the set of upstream CA certificates.
	UpstreamCACertChainPEM []string
}

SignCSRResponse includes the certificates generated by Vault.

type TokenAuthConfig

// TokenAuthConfig represents parameters for the token auth method.
type TokenAuthConfig struct {
	// Token string to set into the "X-Vault-Token" header. This is a
	// credential carried in configuration as plain text; treat it as sensitive.
	Token string `hcl:"token" json:"token"`
}

TokenAuthConfig represents parameters for the token auth method.

type TransitHashAlgorithm

// TransitHashAlgorithm selects the hash Vault applies in its transit sign
// operation (the hash_algorithm request parameter; see Client.SignData).
type TransitHashAlgorithm string

// Hash algorithms accepted by Client.SignData. The string values are the
// identifiers Vault expects on the wire.
const (
	TransitHashAlgorithmSHA256 TransitHashAlgorithm = "sha2-256"
	TransitHashAlgorithmSHA384 TransitHashAlgorithm = "sha2-384"
	TransitHashAlgorithmSHA512 TransitHashAlgorithm = "sha2-512"
	// TransitHashAlgorithmNone asks Vault not to hash the input, presumably
	// for callers that pass pre-hashed data — confirm against the sign-data
	// docs linked from SignData.
	TransitHashAlgorithmNone   TransitHashAlgorithm = "none"
)

type TransitKeyType

// TransitKeyType selects the key type created by Client.CreateKey. The string
// values are the identifiers Vault expects in the create-key request.
type TransitKeyType string

// Key types supported by Client.CreateKey.
const (
	TransitKeyTypeRSA2048   TransitKeyType = "rsa-2048"
	TransitKeyTypeRSA4096   TransitKeyType = "rsa-4096"
	TransitKeyTypeECDSAP256 TransitKeyType = "ecdsa-p256"
	TransitKeyTypeECDSAP384 TransitKeyType = "ecdsa-p384"
)

type TransitSignatureAlgorithm

// TransitSignatureAlgorithm selects the RSA signature scheme for Vault's
// transit sign operation (the signature_algorithm request parameter; see
// Client.SignData). It does not apply to ECDSA keys.
type TransitSignatureAlgorithm string

const (
	// TransitSignatureAlgorithmNone presumably leaves signature_algorithm out
	// of the request so Vault applies its default — confirm in SignData.
	TransitSignatureAlgorithmNone     TransitSignatureAlgorithm = ""
	// TransitSignatureAlgorithmPSS selects RSA-PSS.
	TransitSignatureAlgorithmPSS      TransitSignatureAlgorithm = "pss"
	// TransitSignatureAlgorithmPKCS1v15 selects RSA PKCS#1 v1.5 signatures,
	// only needed for verifiers that cannot handle PSS.
	TransitSignatureAlgorithmPKCS1v15 TransitSignatureAlgorithm = "pkcs1v15"
)
