caddy_vault_storage

package module
v0.1.1
Published: Dec 24, 2023 License: MIT Imports: 8 Imported by: 0

README

caddy-vault-storage

This is a Storage backend for Caddy (CertMagic) that stores the TLS certificates and private keys Caddy manages in HashiCorp Vault. Because Vault ends up holding the private keys, the Vault policy used by Caddy should be scoped to the configured secrets path and nothing else.

This plugin is pulled in through Caddy's build system; the underlying CertMagic Storage implementation lives in a separate repo: https://github.com/mywordpress-io/certmagic-vault-storage

Usage

Build

Build Caddy with xcaddy, pulling in both this plugin and the CertMagic storage implementation it wraps:

  xcaddy build --output bin/caddy --with github.com/mywordpress-io/caddy-vault-storage@<tag> --with github.com/mywordpress-io/certmagic-vault-storage@<tag>
Config

Once built, use the following config block to communicate with Vault:

vault <address> {
    token <value>

    approle_login_path <value>
    approle_logout_path <value>
    approle_role_id <value>
    approle_secret_id <value>

    secrets_path <value>
    path_prefix <value>

    insecure_skip_verify <value>

    lock_timeout <value>
    lock_polling_interval <value>
}

For more information, review Caddyfile.example and Caddyfile.json.

Either 'address' + 'token', or 'address' + 'approle_role_id' + 'approle_secret_id', is required:

  • With 'approle' authentication, the plugin logs in to obtain a short-lived token, reuses it until shortly before it expires, and revokes it when done.
  • With 'token' authentication, the token is used as given; management of the token (renewal, revocation, etc.) is up to the caller.

In both modes the value ('token' or 'approle_secret_id') is a credential: anyone who can read the Caddy configuration can read it and, through Vault, every certificate and private key stored under 'secrets_path'. Keep the configuration file's permissions tight and limit the Vault policy behind the credential to that path.
| Name | Type | Required? | Description | Default |
|---|---|---|---|---|
| address | url | yes | Vault address URL, scheme and host only, without API version or path (e.g. https://vault.example.org:8201) | - |
| token | string | conditionally | Static Vault token used to authenticate (this, or approle_role_id + approle_secret_id, is required) | - |
| approle_login_path | string | no | Login path for approle authentication | auth/approle/login |
| approle_logout_path | string | no | Logout path for approle authentication | auth/token/revoke-self |
| approle_role_id | string | conditionally | Approle RoleID used to authenticate (required if 'token' is empty) | - |
| approle_secret_id | string | conditionally | Approle SecretID used to authenticate (required if 'token' is empty) | - |
| secrets_path | string | yes | Base path of the KV-V2 secrets mount in Vault | - |
| path_prefix | string | no | Prefix path inside the KV-V2 mount under which certificates are stored | - |
| insecure_skip_verify | bool | no | Disable verification of Vault's TLS certificate. Leave this false outside a lab: with verification off, anyone who can intercept the connection can read the token or SecretID and every stored private key | false |
| lock_timeout | duration | no | Storage lock timeout | 5m |
| lock_polling_interval | duration | no | Storage lock polling interval | 5s |
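The following is an added example, not the project's own Caddyfile.example: the vault block placed under Caddy's global 'storage' option (assumed here to be how the module is wired in, as with other Caddy storage modules), with the approle credentials supplied through environment variables that Caddy's Caddyfile parser substitutes when the file is loaded, so the secrets never appear in the file itself. The variable names, address and paths are this example's own.

```caddyfile
{
	storage vault https://vault.example.org:8201 {
		# RoleID and SecretID come from the environment ({$VAR} is replaced at parse time);
		# the variable names VAULT_ROLE_ID / VAULT_SECRET_ID are this example's assumption
		approle_role_id   {$VAULT_ROLE_ID}
		approle_secret_id {$VAULT_SECRET_ID}

		# KV-V2 mount and the prefix inside it where CertMagic data is stored
		secrets_path secrets/production
		path_prefix  engineering/certmagic/certificates

		# Keep the default. Setting this to true lets a man-in-the-middle capture
		# the SecretID, the short-lived tokens and every stored private key.
		insecure_skip_verify false

		lock_timeout          5m
		lock_polling_interval 5s
	}
}
```

A token-based variant replaces the two approle lines with a single `token {$VAULT_TOKEN}`; with a static token, renewal and revocation become the operator's job, which is why the approle form is the one recommended above.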

Additional Help

Report any problems or questions with the plugin using a GitHub issue.

Documentation

Types

type Storage

type Storage struct {
	// URL the URL for Vault without any API versions or paths like 'https://vault.example.org:8201'.
	URL *certmagic_vault_storage.URL `json:"address"`

	// Token, the static Vault token.  If 'Token' is set, we blindly use that 'Token' when making any calls to
	// the Vault API. Management of the token (create, revoke, renew, etc.) is up to the caller.
	Token string `json:"token"`

	// If the 'Approle*' options are set, we log in to Vault to obtain a short-lived token, use that token for
	// subsequent calls into Vault, and revoke it automatically once we are done.  The token is cached for
	// up to its lifetime minus 5m so it can be reused by subsequent CertMagic Storage operations.
	//
	// Approle settings are the recommended way to manage Vault authentication.
	ApproleLoginPath  string `json:"approle_login_path"`
	ApproleLogoutPath string `json:"approle_logout_path"`
	ApproleRoleId     string `json:"approle_role_id"`
	ApproleSecretId   string `json:"approle_secret_id"`

	// SecretsPath is the path in Vault to the secrets engine
	SecretsPath string `json:"secrets_path"`

	// PathPrefix is the path in the secrets engine where certificates will be placed (default: 'certificates'), assuming:
	//           URL: https://vault.example.org:8201
	//       SecretsPath: secrets/production
	//        PathPrefix: engineering/certmagic/certificates
	//
	// You will end up with paths like this in vault:
	//     'data' path: https://vault.example.org:8201/v1/secrets/production/data/engineering/certmagic/certificates
	// 'metadata' path: https://vault.example.org:8201/v1/secrets/production/metadata/engineering/certmagic/certificates
	PathPrefix string `json:"path_prefix"`

	// InsecureSkipVerify ignore TLS errors when communicating with vault - Default: false
	InsecureSkipVerify bool `json:"insecure_skip_verify"`

	// Locking mechanism
	LockTimeout         *certmagic_vault_storage.Duration `json:"lock_timeout"`
	LockPollingInterval *certmagic_vault_storage.Duration `json:"lock_polling_interval"`
	// contains filtered or unexported fields
}
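To make the approle lifecycle described in the comment above concrete, here is an added example (not code from this plugin or from certmagic-vault-storage) that logs in with role_id/secret_id, caches the token until its lease minus a safety margin, and revokes it with revoke-self. Vault is replaced by an in-process stand-in with constructed credentials 'demo-role'/'demo-secret'; the type and function names are this example's own. The request and response shapes follow Vault's HTTP API: POST /v1/auth/approle/login with {"role_id","secret_id"} returns auth.client_token and auth.lease_duration, and POST /v1/auth/token/revoke-self takes the token in the X-Vault-Token header.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// ApproleClient models the lifecycle described above: log in with role_id and
// secret_id, reuse the token until its TTL minus a safety margin, then revoke it.
type ApproleClient struct {
	BaseURL, LoginPath, LogoutPath, RoleID, SecretID string
	Margin                                           time.Duration    // re-login this long before expiry (the plugin uses 5m)
	HTTP                                             *http.Client
	Now                                              func() time.Time // injectable clock so the demo is deterministic
	token                                            string
	expires                                          time.Time
}

// Token returns the cached token while it is inside the margin, otherwise POSTs
// role_id/secret_id to <BaseURL>/v1/<LoginPath> and caches the new token.
func (c *ApproleClient) Token() (string, error) {
	if c.token != "" && c.Now().Before(c.expires) {
		return c.token, nil
	}
	body, _ := json.Marshal(map[string]string{"role_id": c.RoleID, "secret_id": c.SecretID})
	resp, err := c.HTTP.Post(c.BaseURL+"/v1/"+c.LoginPath, "application/json", bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("approle login: HTTP %d", resp.StatusCode)
	}
	var out struct { // the parts of Vault's login response used here
		Auth struct{ ClientToken string `json:"client_token"`; LeaseDuration int `json:"lease_duration"` } `json:"auth"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return "", err
	}
	c.token = out.Auth.ClientToken
	c.expires = c.Now().Add(time.Duration(out.Auth.LeaseDuration)*time.Second - c.Margin)
	return c.token, nil
}

// Revoke POSTs to <BaseURL>/v1/<LogoutPath> (revoke-self) with the cached token and forgets it.
func (c *ApproleClient) Revoke() error {
	req, _ := http.NewRequest(http.MethodPost, c.BaseURL+"/v1/"+c.LogoutPath, nil)
	req.Header.Set("X-Vault-Token", c.token)
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return err
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusNoContent {
		return fmt.Errorf("revoke-self: HTTP %d", resp.StatusCode)
	}
	c.token, c.expires = "", time.Time{}
	return nil
}

// Demo runs the client against a constructed stand-in for Vault's two endpoints (it issues
// "hvs.tokenN" with a 1h lease and records revocations). Four "storage operations" at 0, 10,
// 54 and 56 minutes with a 5m margin: three share one login, the fourth (past 55m) logs in again.
func Demo() (logins int, revoked []string, err error) {
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/auth/approle/login", func(w http.ResponseWriter, r *http.Request) {
		var in map[string]string
		if json.NewDecoder(r.Body).Decode(&in) != nil || in["role_id"] != "demo-role" || in["secret_id"] != "demo-secret" {
			http.Error(w, `{"errors":["invalid role or secret ID"]}`, http.StatusBadRequest)
			return
		}
		logins++
		_ = json.NewEncoder(w).Encode(map[string]any{"auth": map[string]any{
			"client_token": fmt.Sprintf("hvs.token%d", logins), "lease_duration": 3600}})
	})
	mux.HandleFunc("/v1/auth/token/revoke-self", func(w http.ResponseWriter, r *http.Request) {
		revoked = append(revoked, r.Header.Get("X-Vault-Token"))
		w.WriteHeader(http.StatusNoContent)
	})
	srv := httptest.NewServer(mux)
	defer srv.Close()
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	clock := start
	c := &ApproleClient{BaseURL: srv.URL, LoginPath: "auth/approle/login", LogoutPath: "auth/token/revoke-self",
		RoleID: "demo-role", SecretID: "demo-secret", Margin: 5 * time.Minute, HTTP: srv.Client(), Now: func() time.Time { return clock }}
	for _, elapsed := range []time.Duration{0, 10 * time.Minute, 54 * time.Minute, 56 * time.Minute} {
		clock = start.Add(elapsed)
		if _, err = c.Token(); err != nil {
			return
		}
	}
	err = c.Revoke()
	return logins, revoked, err // 2, [hvs.token2], nil
}
```

Demo() reports 2 logins and revokes only "hvs.token2": the token issued at minute 0 is reused at minutes 10 and 54, discarded at minute 56 (its 60-minute lease minus the 5-minute margin), and only the replacement is revoked. In this example the first token is simply left to expire, which is why the approle role's token TTL should be kept short regardless of how diligently the client revokes.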

func (Storage) CaddyModule

func (s Storage) CaddyModule() caddy.ModuleInfo

CaddyModule returns the Caddy module information.

func (*Storage) CertMagicStorage

func (s *Storage) CertMagicStorage() (certmagic.Storage, error)

CertMagicStorage converts s to a certmagic.Storage instance.

func (*Storage) GetApproleLoginPath

func (s *Storage) GetApproleLoginPath() string

func (*Storage) GetApproleLogoutPath

func (s *Storage) GetApproleLogoutPath() string

func (*Storage) GetApproleRoleId

func (s *Storage) GetApproleRoleId() string

func (*Storage) GetApproleSecretId

func (s *Storage) GetApproleSecretId() string

func (*Storage) GetInsecureSkipVerify

func (s *Storage) GetInsecureSkipVerify() bool

func (*Storage) GetLockPollingInterval

func (s *Storage) GetLockPollingInterval() certmagic_vault_storage.Duration

func (*Storage) GetLockTimeout

func (s *Storage) GetLockTimeout() certmagic_vault_storage.Duration

func (*Storage) GetLogger

func (s *Storage) GetLogger() *zap.SugaredLogger

func (*Storage) GetPathPrefix

func (s *Storage) GetPathPrefix() string

func (*Storage) GetSecretsPath

func (s *Storage) GetSecretsPath() string

func (*Storage) GetToken

func (s *Storage) GetToken() string

func (*Storage) GetVaultBaseUrl

func (s *Storage) GetVaultBaseUrl() string

func (*Storage) Provision

func (s *Storage) Provision(ctx caddy.Context) error

Provision sets up an instance of the storage provider in Caddy.

func (*Storage) SetLogger

func (s *Storage) SetLogger(logger *zap.SugaredLogger) *Storage

func (*Storage) UnmarshalCaddyfile

func (s *Storage) UnmarshalCaddyfile(d *caddyfile.Dispenser) error

UnmarshalCaddyfile sets up the storage module from Caddyfile tokens. For syntax, review README.md
