@enspirit/emb
A replacement for our Makefile-for-monorepos
import { AbstractSecretProvider, SecretReference } from '../SecretProvider.js';
/**
* Authentication configuration for HashiCorp Vault.
*
* Discriminated union keyed on `method`; each variant declares only the fields
* used by that login method, so narrowing on `method` gives access to them.
*
* Security: `secretId`, `jwt` and `token` are credential material typed as plain
* strings. Supply them from the environment or a secret store rather than from
* committed configuration, and keep this object out of logs and error output.
*/
export type VaultAuthConfig = {
method: 'approle';
/** AppRole RoleID. */
roleId: string;
/** AppRole SecretID. This is a credential, not an identifier. */
secretId: string;
} | {
method: 'jwt';
/** Vault role to log in as. */
role: string;
/** The JWT presented to Vault. This is a bearer credential. */
jwt: string;
} | {
method: 'kubernetes';
/**
* Vault role to log in as.
* NOTE(review): no token field is declared for this variant; where the
* service-account token is read from is not visible in this declaration. Confirm.
*/
role: string;
} | {
method: 'oidc';
/** Optional Vault role. */
role?: string;
/**
* NOTE(review): presumably the local port for the browser callback listener.
* Confirm, and confirm the listener binds to loopback only.
*/
port?: number;
} | {
method: 'token';
/** A pre-issued Vault token. This is a bearer credential. */
token: string;
};
/**
* Configuration for the Vault provider.
*/
export interface VaultProviderConfig {
/**
* Vault server address (defaults to VAULT_ADDR env var).
*
* The field is required in this type, so any fallback to VAULT_ADDR has to be
* applied by whatever builds this object; that code is not visible here.
* The auth credentials and every fetched secret travel to this address, so it
* should be an https:// URL. NOTE(review): confirm whether the scheme is
* validated anywhere before use.
*/
address: string;
/** Authentication configuration. Contains credential material for most methods. */
auth: VaultAuthConfig;
/** Vault namespace (optional, defaults to VAULT_NAMESPACE env var) */
namespace?: string;
}
/**
* Error class for Vault-specific errors.
*
* Extends `Error` with a string `code` and an optional numeric `statusCode`.
* NOTE(review): errors are commonly logged or shown to the user. Confirm that
* messages built from Vault responses never embed token or secret values.
*/
export declare class VaultError extends Error {
/** NOTE(review): presumably a machine-readable error identifier; the set of values is not visible here. */
code: string;
/** NOTE(review): presumably the HTTP status returned by Vault, when there was one. Confirm. */
statusCode?: number | undefined;
/**
* @param message Human-readable description, passed on to `Error`.
* @param code Value for the `code` property.
* @param statusCode Optional value for the `statusCode` property.
*/
constructor(message: string, code: string, statusCode?: number | undefined);
}
/**
* HashiCorp Vault secret provider.
* Supports KV v2 secrets engine.
*
* This is a declaration only; the behaviour noted on the members below is taken
* from their names and signatures and is marked where it needs confirming against
* the implementation.
*/
export declare class VaultProvider extends AbstractSecretProvider<VaultProviderConfig> {
/**
* NOTE(review): presumably the Vault token obtained by `connect()`.
* TypeScript `private` is enforced at compile time only, so the value is still
* readable on the instance at runtime. Avoid serialising or logging instances.
*/
private token;
/**
* NOTE(review): presumably logs in with the configured auth method and keeps
* the resulting token. Confirm.
*/
connect(): Promise<void>;
/**
* NOTE(review): confirm whether this only drops the in-memory token or also
* revokes it in Vault; an unrevoked token stays valid until its TTL expires.
*/
disconnect(): Promise<void>;
/**
* Fetch the secret identified by `ref`.
*
* @param ref Reference to the secret to read.
* @returns The secret's fields as an untyped record; callers must narrow each
* value before use and should treat every value as sensitive.
*/
fetchSecret(ref: SecretReference): Promise<Record<string, unknown>>;
/**
* Normalize a path for the appropriate secrets engine.
* - KV v2: Insert '/data/' after the mount point
* - 1Password Connect: Use path as-is (contains /vaults/ and /items/)
* - Other engines: Use path as-is
*/
private normalizeKvPath;
/** NOTE(review): presumably builds the request headers, including the token and namespace. Confirm. */
private buildHeaders;
/** NOTE(review): presumably performs the AppRole login for `method: 'approle'`. Confirm. */
private loginAppRole;
/** NOTE(review): presumably performs the Kubernetes login for `method: 'kubernetes'`. Confirm. */
private loginKubernetes;
/**
* Authenticate using JWT (non-interactive).
* Suitable for CI/CD pipelines where a JWT is provided externally.
*/
private loginJwt;
/**
* Authenticate using OIDC (interactive browser flow).
* Opens a browser for the user to authenticate with Keycloak/OIDC provider.
*
* NOTE(review): a browser flow needs a local callback endpoint. Confirm that it
* listens on loopback only and that the callback's `state` value is checked.
*/
private loginOidc;
/** NOTE(review): presumably checks that the held token is still accepted by Vault. Confirm. */
private verifyToken;
/**
* NOTE(review): presumably turns a Vault error response into a `VaultError`.
* Confirm that response bodies are not copied verbatim into the message.
*/
private parseErrorResponse;
}