README
¶
caddy-vault-storage
This is a Storage backend for Caddy (CertMagic) which allows storing of TLS certificates managed by Caddy in HashiCorp's Vault.
This plugin can be pulled in via Caddy's build system--to review the CertMagic Storage implementation, review the associated repo here: https://github.com/honest-hosting/certmagic-vault-storage
Usage
Build
Build Caddy using xcaddy with the vault storage plugins:
xcaddy build --output bin/caddy --with github.com/honest-hosting/caddy-vault-storage@<tag> --with github.com/honest-hosting/certmagic-vault-storage@<tag>
Config
Once built, use the following config block to communicate with Vault:
vault <address> {
token <value>
approle_login_path <value>
approle_logout_path <value>
approle_role_id <value>
approle_secret_id <value>
secrets_path <value>
path_prefix <value>
insecure_skip_verify <value>
lock_timeout <value>
lock_polling_interval <value>
}
For more information, review Caddyfile.example and Caddyfile.json.
Either 'address' + 'token' -OR- 'address' + 'approle_role_id'+'approle_secret_id' settings are required:
- If using 'approle' authentication, short-lived tokens are managed on the fly.
- If using 'token' authentication, management of the token (renewal, revocation, etc.) is up to the caller.
| Name | Type | Required? | Description | Default |
|---|---|---|---|---|
address |
url |
yes | Vault address URL | - |
token |
string |
conditionally | Vault static Token to authenticate (this or approle_role_id+approle_secret_id are required) | - |
approle_login_path |
string |
no | Login path for approle authentication | auth/approle/login |
approle_logout_path |
string |
no | Logout path for approle authentication | auth/token/revoke-self |
approle_role_id |
string |
conditionally | Approle RoleID value for authentication (required if 'token' empty) | - |
approle_secret_id |
string |
conditionally | Approle SecretID value for authentication (required if 'token' empty) | - |
secrets_path |
string |
yes | Base path to secrets (KV-V2) mount in Vault | - |
path_prefix |
string |
no | Prefix path in the KV-V2 mount in Vault | - |
insecure_skip_verify |
bool |
no | Disable verification of TLS certificate when communicating with Vault | false |
lock_timeout |
duration |
no | Storage lock timeout duration | 5m |
lock_polling_interval |
duration |
no | Storage lock polling interval | 5s |
Additional Help
Report any problems or questions with the plugin using a GitHub issue.
Documentation
¶
Index ¶
- type Storage
- func (s Storage) CaddyModule() caddy.ModuleInfo
- func (s *Storage) CertMagicStorage() (certmagic.Storage, error)
- func (s *Storage) GetApproleLoginPath() string
- func (s *Storage) GetApproleLogoutPath() string
- func (s *Storage) GetApproleRoleId() string
- func (s *Storage) GetApproleSecretId() string
- func (s *Storage) GetInsecureSkipVerify() bool
- func (s *Storage) GetLockPollingInterval() certmagic_vault_storage.Duration
- func (s *Storage) GetLockTimeout() certmagic_vault_storage.Duration
- func (s *Storage) GetLogger() *zap.SugaredLogger
- func (s *Storage) GetPathPrefix() string
- func (s *Storage) GetSecretsPath() string
- func (s *Storage) GetToken() string
- func (s *Storage) GetVaultBaseUrl() string
- func (s *Storage) Provision(ctx caddy.Context) error
- func (s *Storage) SetLogger(logger *zap.SugaredLogger) *Storage
- func (s *Storage) UnmarshalCaddyfile(d *caddyfile.Dispenser) error
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Storage ¶
type Storage struct {
// URL the URL for Vault without any API versions or paths like 'https://vault.example.org:8201'.
URL *certmagic_vault_storage.URL `json:"address"`
// Token, the static Vault token. If 'Token' is set, we blindly use that 'Token' when making any calls to
// the Vault API. Management of the token (create, revoke, renew, etc.) is up to the caller.
Token string `json:"token"`
// If 'Approle*', options are available, we log in to Vault to create a short-lived token, using that token to make
// future calls into Vault, and once we are done automatically revoke it. Note that we will "cache" that token for
// up to its lifetime minus 5m so it can be re-used for future calls in to Vault by subsequent CertMagic Storage
// operations.
//
// Approle settings are the recommended way to manage Vault authentication
ApproleLoginPath string `json:"approle_login_path"`
ApproleLogoutPath string `json:"approle_logout_path"`
ApproleRoleId string `json:"approle_role_id"`
ApproleSecretId string `json:"approle_secret_id"`
// SecretsPath is the path in Vault to the secrets engine
SecretsPath string `json:"secrets_path"`
// PathPrefix is the path in the secrets engine where certificates will be placed (default: 'certificates'), assuming:
// URL: https://vault.example.org:8201
// SecretsPath: secrets/production
// PathPrefix: engineering/certmagic/certificates
//
// You will end up with paths like this in vault:
// 'data' path: https://vault.example.org:8201/v1/secrets/production/data/engineering/certmagic/certificates
// 'metadata' path: https://vault.example.org:8201/v1/secrets/production/metadata/engineering/certmagic/certificates
PathPrefix string `json:"path_prefix"`
// InsecureSkipVerify ignore TLS errors when communicating with vault - Default: false
InsecureSkipVerify bool `json:"insecure_skip_verify"`
// Locking mechanism
LockTimeout *certmagic_vault_storage.Duration `json:"lock_timeout"`
LockPollingInterval *certmagic_vault_storage.Duration `json:"lock_polling_interval"`
// contains filtered or unexported fields
}
func (Storage) CaddyModule ¶
func (s Storage) CaddyModule() caddy.ModuleInfo
CaddyModule returns the Caddy module information.
func (*Storage) CertMagicStorage ¶
CertMagicStorage converts s to a certmagic.Storage instance.
func (*Storage) GetApproleLoginPath ¶
func (*Storage) GetApproleLogoutPath ¶
func (*Storage) GetApproleRoleId ¶
func (*Storage) GetApproleSecretId ¶
func (*Storage) GetInsecureSkipVerify ¶
func (*Storage) GetLockPollingInterval ¶
func (s *Storage) GetLockPollingInterval() certmagic_vault_storage.Duration
func (*Storage) GetLockTimeout ¶
func (s *Storage) GetLockTimeout() certmagic_vault_storage.Duration
func (*Storage) GetLogger ¶
func (s *Storage) GetLogger() *zap.SugaredLogger
func (*Storage) GetPathPrefix ¶
func (*Storage) GetSecretsPath ¶
func (*Storage) GetVaultBaseUrl ¶
Source Files
Click to show internal directories.
Click to hide internal directories.