def configure(self,
kubernetes_host,
kubernetes_ca_cert=None,
token_reviewer_jwt=None,
pem_keys=None,
mount_point=DEFAULT_MOUNT_POINT):
"""Configure the connection parameters for Kubernetes.
This path honors the distinction between the create and update capabilities inside ACL policies.
Supported methods:
POST: /auth/{mount_point}/config. Produces: 204 (empty body)
:param kubernetes_host: Host must be a host string, a host:port pair, or a URL to the base of the
Kubernetes API server. Example: https://k8s.example.com:443
:type kubernetes_host: str | unicode
:param kubernetes_ca_cert: PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
NOTE: Every line must end with a newline: \n
:type kubernetes_ca_cert: str | unicode
:param token_reviewer_jwt: A service account JWT used to access the TokenReview API to validate other
JWTs during login. If not set the JWT used for login will be used to access the API.
:type token_reviewer_jwt: str | unicode
:param pem_keys: Optional list of PEM-formatted public keys or certificates used to verify the signatures of
Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every
installation of Kubernetes exposes these keys.
:type pem_keys: list
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The response of the configure_method request.
:rtype: requests.Response
"""
list_of_pem_params = {
'kubernetes_ca_cert': kubernetes_ca_cert,
'pem_keys': pem_keys
}
for param_name, param_argument in list_of_pem_params.items():
if param_argument is not None:
validate_pem_format(
param_name=param_name,
param_argument=param_argument,
)
params = {
'kubernetes_host': kubernetes_host,
}
params.update(
utils.remove_nones({
'kubernetes_ca_cert': kubernetes_ca_cert,
'token_reviewer_jwt': token_reviewer_jwt,
'pem_keys': pem_keys,
}))
api_path = utils.format_url('/v1/auth/{mount_point}/config',
mount_point=mount_point)
return self._adapter.post(
url=api_path,
json=params,
)
def configure(self, kubernetes_host, kubernetes_ca_cert='', token_reviewer_jwt='', pem_keys=None,
mount_point=DEFAULT_MOUNT_POINT):
"""Configure the connection parameters for Kubernetes.
This path honors the distinction between the create and update capabilities inside ACL policies.
Supported methods:
POST: /auth/{mount_point}/config. Produces: 204 (empty body)
:param kubernetes_host: Host must be a host string, a host:port pair, or a URL to the base of the
Kubernetes API server. Example: https://k8s.example.com:443
:type kubernetes_host: str | unicode
:param kubernetes_ca_cert: PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
NOTE: Every line must end with a newline: \n
:type kubernetes_ca_cert: str | unicode
:param token_reviewer_jwt: A service account JWT used to access the TokenReview API to validate other
JWTs during login. If not set the JWT used for login will be used to access the API.
:type token_reviewer_jwt: str | unicode
:param pem_keys: Optional list of PEM-formatted public keys or certificates used to verify the signatures of
Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every
installation of Kubernetes exposes these keys.
:type pem_keys: list
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The response of the configure_method request.
:rtype: requests.Response
"""
if pem_keys is None:
pem_keys = []
list_of_pem_params = {
'kubernetes_ca_cert': kubernetes_ca_cert,
'pem_keys': pem_keys
}
for param_name, param_argument in list_of_pem_params.items():
validate_pem_format(
param_name=param_name,
param_argument=param_argument,
)
params = {
'kubernetes_host': kubernetes_host,
'kubernetes_ca_cert': kubernetes_ca_cert,
'token_reviewer_jwt': token_reviewer_jwt,
'pem_keys': pem_keys,
}
api_path = '/v1/auth/{mount_point}/config'.format(
mount_point=mount_point
)
return self._adapter.post(
url=api_path,
json=params,
)
def login(self, name="", cacert=False, cert_pem="", key_pem="", mount_point='cert', use_token=True):
"""
Log in and fetch a token. If there is a valid chain to a CA configured in the method and all role constraints
are matched, a token will be issued. If the certificate has DNS SANs in it, each of those will be verified.
If Common Name is required to be verified, then it should be a fully qualified DNS domain name and must be
duplicated as a DNS SAN
Supported methods:
POST: /auth/<mount point>/login Produces: 200 application/json
:param name: Authenticate against only the named certificate role, returning its policy list if successful. If
not set, defaults to trying all certificate roles and returning any one that matches.
:type name: str | unicode
:param cacert: The value used here is for the Vault TLS Listener CA certificate, not the CA that issued the
client authentication certificate. This can be omitted if the CA used to issue the Vault server certificate
is trusted by the local system executing this command.
:type cacert: str | bool
:param cert_pem: Location of the cert.pem used to authenticate the host.
:tupe cert_pem: str | unicode
:param key_pem: Location of the public key.pem used to authenticate the host.
:param key_pem: str | unicode
:param mount_point:
:type mount_point:
:param use_token: If the returned token is stored in the client
:param use_token: bool
:return: The response of the login request.
:rtype: requests.Response
"""
params = {'use_token': use_token}
if name != "":
params['name'] = name
api_path = '/v1/auth/{mount_point}/login'.format(mount_point=mount_point)
# Must have cert checking or a CA cert. This is caught lower down but harder to grok
if not cacert:
# If a cacert is not provided try to drop down to the adapter and get the cert there.
# If the cacert is not in the adapter already login will also.
if not self._adapter._kwargs.get('verify'):
raise self.CertificateAuthError("cacert must be True, a file_path, or valid CA Certificate.")
else:
cacert = self._adapter._kwargs.get('verify')
else:
validate_pem_format(cacert, "verify")
# if cert_pem is a string its ready to be used and either has the key with it or the key is provided as an arg
try:
if validate_pem_format(cert_pem, "cert_pem"):
tls_update = True
except exceptions.VaultError as e:
if isinstance(e, type(exceptions.ParamValidationError())):
tls_update = {}
if not (os.path.exists(cert_pem) or self._adapter._kwargs.get('cert')):
raise FileNotFoundError("Can't find the certificate.")
try:
for tls_part, value in {'cert_pem': cert_pem, 'key_pem': key_pem}:
if value != "":
tls_update[tls_part] = value
except ValueError:
tls_update = True
else:
raise e
additional_request_kwargs = {}
if tls_update:
additional_request_kwargs = {
"verify": cacert,
# need to define dict as cert is a tuple
"cert": tuple([cert_pem, key_pem]),
}
return self._adapter.login(
url=api_path,
json=params,
**additional_request_kwargs
)