def _auth_kubernetes(self, _client: hvac.Client) -> None:
if not self.kubernetes_jwt_path:
raise VaultError(
"The kubernetes_jwt_path should be set here. This should not happen."
)
with open(self.kubernetes_jwt_path) as f:
jwt = f.read()
_client.auth_kubernetes(role=self.kubernetes_role, jwt=jwt)
class GetAuthToken():
def __init__(self):
if not os.getenv("SERVICE_ACCOUNT_TOEKN_PATH"):
self.k8s_service_account_token_path = "/var/run/secrets/kubernetes.io/serviceaccount/token"
else:
self.k8s_service_account_token_path = os.getenv("SERVICE_ACCOUNT_TOEKN_PATH")
if not os.getenv("VAULT_ROLE"):
raise Exception('VAULT_ROLE is a mandatory env variable')
else:
self.role = os.getenv("VAULT_ROLE")
if not os.getenv("VAULT_URL"):
raise Exception("VAULT_URL is a mandatory env variable")
else:
self.vault_url = os.getenv("VAULT_URL")
self.client = Client(url=self.vault_url)
def get_auth_token(self):
try:
service_account_token = open(self.k8s_service_account_token_path)
jwt = service_account_token.read()
data = self.client.auth_kubernetes(role=self.role, jwt=jwt)
return data["auth"]["client_token"]
except Exception as e:
print(e)
finally:
service_account_token.close()
def _get_client_token(self, client: hvac.Client) -> str:
with open(self.auth_token_path) as f:
sa_token = f.read()
auth_info = client.auth_kubernetes(role=self.role,
jwt=sa_token,
mount_point=self.auth_mount_point)
client_token = auth_info.get("auth", {}).get("client_token")
if not client_token:
raise ValueError("Not found vault token.")
return str(client_token)
def test_auth_kubernetes(self, test_label, test_role, test_jwt, mount_point, requests_mocker):
mock_response = {
'auth': {
'accessor': 'accessor-1234-5678-9012-345678901234',
'client_token': 'cltoken-1234-5678-9012-345678901234',
'lease_duration': 10000,
'metadata': {
'role': 'custom_role',
'service_account_name': 'vault-auth',
'service_account_namespace': 'default',
'service_account_secret_name': 'vault-auth-token-pd21c',
'service_account_uid': 'aa9aa8ff-98d0-11e7-9bb7-0800276d99bf'
},
'policies': [
'default',
'custom_role'
],
'renewable': True
},
'data': None,
'lease_duration': 0,
'lease_id': '',
'renewable': False,
'request_id': 'requesti-1234-5678-9012-345678901234',
'warnings': [],
'wrap_info': None
}
mock_url = 'http://localhost:8200/v1/auth/{0}/login'.format(
'kubernetes' if mount_point is None else mount_point)
requests_mocker.register_uri(
method='POST',
url=mock_url,
json=mock_response
)
client = Client()
test_arguments = dict(
role=test_role,
jwt=test_jwt,
)
if mount_point:
test_arguments['mount_point'] = mount_point
actual_response = client.auth_kubernetes(**test_arguments)
# ensure we received our mock response data back successfully
self.assertEqual(mock_response, actual_response)
def test_auth_kubernetes(self, test_label, test_role, test_jwt,
mount_point, requests_mocker):
mock_response = {
'auth': {
'accessor': 'accessor-1234-5678-9012-345678901234',
'client_token': 'cltoken-1234-5678-9012-345678901234',
'lease_duration': 10000,
'metadata': {
'role': 'custom_role',
'service_account_name': 'vault-auth',
'service_account_namespace': 'default',
'service_account_secret_name': 'vault-auth-token-pd21c',
'service_account_uid':
'aa9aa8ff-98d0-11e7-9bb7-0800276d99bf'
},
'policies': ['default', 'custom_role'],
'renewable': True
},
'data': None,
'lease_duration': 0,
'lease_id': '',
'renewable': False,
'request_id': 'requesti-1234-5678-9012-345678901234',
'warnings': [],
'wrap_info': None
}
mock_url = 'http://localhost:8200/v1/auth/{0}/login'.format(
'kubernetes' if mount_point is None else mount_point)
requests_mocker.register_uri(method='POST',
url=mock_url,
json=mock_response)
client = Client()
test_arguments = dict(
role=test_role,
jwt=test_jwt,
)
if mount_point:
test_arguments['mount_point'] = mount_point
actual_response = client.auth_kubernetes(**test_arguments)
# ensure we received our mock response data back successfully
self.assertEqual(mock_response, actual_response)
