Overview
Package vault implements a store.Plugin backed by HashiCorp Vault's KV v2 secrets engine. Each configuration value is stored as a separate Vault secret, enabling native value-level versioning, encryption at rest (via Vault's storage barrier), authentication, and access control through Vault ACL policies.
Storage layout (with default mount="secret", prefix="zhi"):
secret/data/zhi/{tree_id}/{path} — value data
secret/metadata/zhi/{tree_id}/{path} — value metadata and versions
For example, the config path "db/host" in tree "prod" maps to the Vault secret at path "zhi/prod/db/host" within the "secret" KV v2 engine.
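The path mapping just described, as an added example that is not the package's own code: a small Layout type (an assumption for this example) builds the KV v2 data and metadata endpoints, adds the ?version= query parameter KV v2 uses for reading an older version, and rejects empty, "." and ".." segments so a caller-supplied path cannot escape the prefix (an added check, not documented package behaviour).

```go
package main

import (
	"fmt"
	"strings"
)

// Layout locates zhi data inside a KV v2 mount. It is an assumed type for
// this example, not the package's own unexported implementation.
type Layout struct {
	Mount  string // KV v2 mount point, default "secret"
	Prefix string // key prefix within the mount, default "zhi"
}

// endpoint builds "<mount>/<kind>/<prefix>/<tree>/<path>" for kind "data"
// or "metadata". Every segment is validated so the resulting path always
// stays below <prefix>/<tree>.
func (l Layout) endpoint(kind, treeID, path string) (string, error) {
	if treeID == "" || strings.Contains(treeID, "/") {
		return "", fmt.Errorf("invalid tree id %q", treeID)
	}
	parts := append([]string{l.Prefix, treeID}, strings.Split(path, "/")...)
	for _, p := range parts {
		if p == "" || p == "." || p == ".." {
			return "", fmt.Errorf("invalid segment %q in path %q", p, path)
		}
	}
	return l.Mount + "/" + kind + "/" + strings.Join(parts, "/"), nil
}

// DataPath is the KV v2 endpoint holding the value; version > 0 selects an
// older version through KV v2's ?version= query parameter.
func (l Layout) DataPath(treeID, path string, version int) (string, error) {
	p, err := l.endpoint("data", treeID, path)
	if err == nil && version > 0 {
		p += fmt.Sprintf("?version=%d", version)
	}
	return p, err
}

// MetadataPath is the KV v2 endpoint holding the value's version history.
func (l Layout) MetadataPath(treeID, path string) (string, error) {
	return l.endpoint("metadata", treeID, path)
}

func main() {
	l := Layout{Mount: "secret", Prefix: "zhi"}
	p, _ := l.DataPath("prod", "db/host", 0)
	fmt.Println(p) // secret/data/zhi/prod/db/host
}
```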
Index
- type Config
- type Store
- func (s *Store) AuthMethods(_ context.Context) ([]store.AuthMethod, error)
- func (s *Store) Capabilities(_ context.Context) (*store.Capabilities, error)
- func (s *Store) DeleteTree(ctx context.Context, id string) error
- func (s *Store) DeleteTreeVersion(_ context.Context, _ string, _ string) error
- func (s *Store) DeleteValueVersion(ctx context.Context, id string, path string, version string) error
- func (s *Store) DeleteValues(ctx context.Context, id string, paths []string) error
- func (s *Store) GetTreeVersion(_ context.Context, _ string, _ string, _ []string) (map[string]config.Value, error)
- func (s *Store) GetValueVersion(ctx context.Context, id string, path string, version string) (config.Value, bool, error)
- func (s *Store) GetValues(ctx context.Context, id string, paths []string) (map[string]config.Value, error)
- func (s *Store) GrantAccess(ctx context.Context, id string, user string, permissions []store.Permission) error
- func (s *Store) InitEncryption(_ context.Context, _ []byte) error
- func (s *Store) ListAccess(ctx context.Context, id string) (map[string][]store.Permission, error)
- func (s *Store) ListTreeVersions(_ context.Context, _ string) ([]string, error)
- func (s *Store) ListTrees(ctx context.Context) ([]string, error)
- func (s *Store) ListValueVersions(ctx context.Context, id string, path string) ([]string, error)
- func (s *Store) Login(ctx context.Context, method string, credentials map[string]string) (*store.Credential, error)
- func (s *Store) LoginInteractive(ctx context.Context, method string, params map[string]string) (*store.InteractiveChallenge, error)
- func (s *Store) LoginInteractiveCallback(ctx context.Context, _ string, callbackParams map[string]string) (*store.Credential, error)
- func (s *Store) PutValues(ctx context.Context, id string, values map[string]config.Value, ...) error
- func (s *Store) RevokeAccess(ctx context.Context, id string, user string, paths []string) error
- func (s *Store) RollbackTree(_ context.Context, _ string, _ string) error
- func (s *Store) RollbackValue(ctx context.Context, id string, path string, version string) error
- func (s *Store) RotateEncryption(_ context.Context, _, _ []byte) error
- func (s *Store) Stop()
Types
type Config
type Config struct {
	// Address is the Vault server address.
	// Defaults to the VAULT_ADDR environment variable, or "http://127.0.0.1:8200".
	Address string
	// Token is the initial Vault authentication token.
	// Defaults to the VAULT_TOKEN environment variable.
	Token string
	// Mount is the KV v2 secrets engine mount point.
	// Defaults to "secret".
	Mount string
	// Prefix is the key prefix within the mount for all zhi data.
	// Defaults to "zhi".
	Prefix string
	// Namespace is the Vault namespace (enterprise feature).
	// Defaults to the VAULT_NAMESPACE environment variable.
	Namespace string
	// CACert is the path to a PEM-encoded CA certificate for verifying
	// the Vault server's TLS certificate.
	// Defaults to the VAULT_CACERT environment variable.
	CACert string
	// ClientCert is the path to a PEM-encoded client certificate for
	// mutual TLS authentication with Vault.
	// Defaults to the VAULT_CLIENT_CERT environment variable.
	ClientCert string
	// ClientKey is the path to a PEM-encoded client private key for
	// mutual TLS authentication with Vault.
	// Defaults to the VAULT_CLIENT_KEY environment variable.
	ClientKey string
	// SkipVerify disables TLS certificate verification. This should
	// only be used for development and testing.
	// Defaults to the VAULT_SKIP_VERIFY environment variable.
	SkipVerify bool
}
Config holds Vault connection and storage settings.
func DefaultConfig
func DefaultConfig() Config
DefaultConfig returns a Config populated from environment variables with sensible defaults.
type Store
type Store struct {
// contains filtered or unexported fields
}
Store implements store.Plugin using Vault's KV v2 secrets engine.
func (*Store) AuthMethods
func (*Store) Capabilities
func (*Store) DeleteTreeVersion
func (*Store) DeleteValueVersion
func (*Store) DeleteValues
func (*Store) GetTreeVersion
func (*Store) GetValueVersion
func (*Store) GrantAccess
func (*Store) InitEncryption
Vault handles encryption transparently via its storage barrier. InitEncryption is a no-op since encryption is always active.
func (*Store) ListAccess
func (*Store) ListTreeVersions
func (*Store) ListValueVersions
func (*Store) LoginInteractive (added in v1.2.0)
func (s *Store) LoginInteractive(ctx context.Context, method string, params map[string]string) (*store.InteractiveChallenge, error)
LoginInteractive starts an OIDC browser-based authentication flow. It contacts Vault's OIDC auth endpoint to obtain an authorization URL that the user must visit in their browser.
func (*Store) LoginInteractiveCallback (added in v1.2.0)
func (s *Store) LoginInteractiveCallback(ctx context.Context, _ string, callbackParams map[string]string) (*store.Credential, error)
LoginInteractiveCallback completes the OIDC authentication flow by exchanging the callback parameters (code, state) with Vault.
func (*Store) RevokeAccess
func (*Store) RollbackTree
func (*Store) RollbackValue
func (*Store) RotateEncryption
RotateEncryption is a no-op since Vault manages its own barrier key rotation.
Directories

| Path | Synopsis |
|---|---|
| httpclient | Package httpclient provides a thin HTTP client for the HashiCorp Vault API. |