def write_output_to_vault(dry_run, vault_path, account, secret_data, name):
integration_name = QONTRACT_INTEGRATION
secret_path = f"{vault_path}/{integration_name}/{account}/{name}"
secret = {"path": secret_path, "data": secret_data}
logging.info(["write_secret", secret_path])
vault_client = VaultClient()
if not dry_run:
vault_client.write(secret)
def write_outputs_to_vault(vault_path, ri):
integration_name = QONTRACT_INTEGRATION.replace('_', '-')
vault_client = VaultClient()
for cluster, namespace, _, data in ri:
for name, d_item in data['desired'].items():
secret_path = \
f"{vault_path}/{integration_name}/{cluster}/{namespace}/{name}"
secret = {'path': secret_path, 'data': d_item.body['data']}
vault_client.write(secret)
def lookup_vault_secret(path, key, version=None, tvars=None):
if tvars is not None:
path = process_jinja2_template(path, vars=tvars)
key = process_jinja2_template(key, vars=tvars)
if version and not isinstance(version, int):
version = process_jinja2_template(version, vars=tvars)
secret = {'path': path, 'field': key, 'version': version}
try:
vault_client = VaultClient()
return vault_client.read(secret)
except Exception as e:
raise FetchVaultSecretError(e)
def fetch_provider_vault_secret(
path,
version,
name,
labels,
annotations,
type,
integration,
integration_version,
validate_alertmanager_config=False,
alertmanager_config_key="alertmanager.yaml",
):
# get the fields from vault
vault_client = VaultClient()
raw_data = vault_client.read_all({"path": path, "version": version})
if validate_alertmanager_config:
check_alertmanager_config(raw_data, path, alertmanager_config_key)
# construct oc resource
body = {
"apiVersion": "v1",
"kind": "Secret",
"type": type,
"metadata": {
"name": name,
"annotations": annotations
},
}
if labels:
body["metadata"]["labels"] = labels
if raw_data.items():
body["data"] = {}
# populate data
for k, v in raw_data.items():
if v == "":
continue
if k.lower().endswith(QONTRACT_BASE64_SUFFIX):
k = k[:-len(QONTRACT_BASE64_SUFFIX)]
v = v.replace("\n", "")
elif v is not None:
v = base64.b64encode(v.encode()).decode("utf-8")
body["data"][k] = v
try:
return OR(body, integration, integration_version, error_details=path)
except ConstructResourceError as e:
raise FetchResourceError(str(e))
def _resolve_secret(self) -> dict[str, str]:
vault_client = cast(_VaultClient, VaultClient())
if self.field == VaultSecretRef._ALL_FIELDS:
return vault_client.read_all(self.__dict__)
else:
field_value = vault_client.read(self.__dict__)
return {self.field: field_value}
def fetch_provider_route(path, tls_path, tls_version):
global _log_lock
openshift_resource = fetch_provider_resource(path)
if tls_path is None or tls_version is None:
return openshift_resource
# override existing tls fields from vault secret
openshift_resource.body["spec"].setdefault("tls", {})
tls = openshift_resource.body["spec"]["tls"]
# get tls fields from vault
vault_client = VaultClient()
raw_data = vault_client.read_all({
"path": tls_path,
"version": tls_version
})
valid_keys = [
"termination",
"insecureEdgeTerminationPolicy",
"certificate",
"key",
"caCertificate",
"destinationCACertificate",
]
for k, v in raw_data.items():
if k in valid_keys:
tls[k] = v
continue
msg = "Route secret '{}' key '{}' not in valid keys {}".format(
tls_path, k, valid_keys)
_log_lock.acquire() # pylint: disable=consider-using-with
logging.info(msg)
_log_lock.release()
host = openshift_resource.body["spec"].get("host")
certificate = openshift_resource.body["spec"]["tls"].get("certificate")
if host and certificate:
match = openssl.certificate_matches_host(certificate, host)
if not match:
e_msg = "Route host does not match CN (common name): {}"
raise FetchRouteError(e_msg.format(path))
return openshift_resource
def run(dry_run, vault_output_path):
"""Get Hive ClusterDeployments from clusters and save mapping to Vault"""
if not vault_output_path:
logging.error("must supply vault output path")
sys.exit(ExitCodes.ERROR)
clusters = queries.get_clusters()
settings = queries.get_app_interface_settings()
oc_map = OC_Map(
clusters=clusters,
integration=QONTRACT_INTEGRATION,
thread_pool_size=1,
settings=settings,
init_api_resources=True,
)
results = []
for c in clusters:
name = c["name"]
oc = oc_map.get(name)
if not oc:
continue
if "ClusterDeployment" not in oc.api_resources:
continue
logging.info(f"[{name}] getting ClusterDeployments")
cds = oc.get_all("ClusterDeployment", all_namespaces=True)["items"]
for cd in cds:
try:
item = {
"id": cd["spec"]["clusterMetadata"]["clusterID"],
"cluster": name,
}
results.append(item)
except KeyError:
pass
if not dry_run:
logging.info("writing ClusterDeployments to vault")
vault_client = VaultClient()
secret = {
"path": f"{vault_output_path}/{QONTRACT_INTEGRATION}",
"data": {
"map": "\n".join(f"{item['id']}: {item['cluster']}" for item in results)
},
}
vault_client.write(secret, decode_base64=False)
def run(dry_run, vault_output_path):
"""Get Hive ClusterDeployments from clusters and save mapping to Vault"""
if not vault_output_path:
logging.error('must supply vault output path')
sys.exit(ExitCodes.ERROR)
clusters = queries.get_clusters()
settings = queries.get_app_interface_settings()
oc_map = OC_Map(clusters=clusters,
integration=QONTRACT_INTEGRATION,
thread_pool_size=1,
settings=settings,
init_api_resources=True)
results = []
for c in clusters:
name = c['name']
oc = oc_map.get(name)
if not oc:
continue
if 'ClusterDeployment' not in oc.api_resources:
continue
logging.info(f'[{name}] getting ClusterDeployments')
cds = oc.get_all('ClusterDeployment', all_namespaces=True)['items']
for cd in cds:
try:
item = {
'id': cd['spec']['clusterMetadata']['clusterID'],
'cluster': name,
}
results.append(item)
except KeyError:
pass
if not dry_run:
logging.info('writing ClusterDeployments to vault')
vault_client = VaultClient()
secret = {
'path': f"{vault_output_path}/{QONTRACT_INTEGRATION}",
'data': {
'map':
'\n'.join(f"{item['id']}: {item['cluster']}"
for item in results)
}
}
vault_client.write(secret, decode_base64=False)
def fetch_provider_route(path, tls_path, tls_version):
global _log_lock
openshift_resource = fetch_provider_resource(path)
if tls_path is None or tls_version is None:
return openshift_resource
# override existing tls fields from vault secret
openshift_resource.body['spec'].setdefault('tls', {})
tls = openshift_resource.body['spec']['tls']
# get tls fields from vault
vault_client = VaultClient()
raw_data = vault_client.read_all({
'path': tls_path,
'version': tls_version
})
valid_keys = [
'termination', 'insecureEdgeTerminationPolicy', 'certificate', 'key',
'caCertificate', 'destinationCACertificate'
]
for k, v in raw_data.items():
if k in valid_keys:
tls[k] = v
continue
msg = "Route secret '{}' key '{}' not in valid keys {}".format(
tls_path, k, valid_keys)
_log_lock.acquire()
logging.info(msg)
_log_lock.release()
host = openshift_resource.body['spec'].get('host')
certificate = openshift_resource.body['spec']['tls'].get('certificate')
if host and certificate:
match = openssl.certificate_matches_host(certificate, host)
if not match:
e_msg = "Route host does not match CN (common name): {}"
raise FetchRouteError(e_msg.format(path))
return openshift_resource
def write_outputs_to_vault(vault_path, ri):
integration_name = QONTRACT_INTEGRATION.replace("_", "-")
vault_client = VaultClient()
for cluster, namespace, _, data in ri:
for name, d_item in data["desired"].items():
body_data = d_item.body["data"]
# write secret to per-namespace location
secret_path = (f"{vault_path}/{integration_name}/" +
f"{cluster}/{namespace}/{name}")
secret = {"path": secret_path, "data": body_data}
vault_client.write(secret)
# write secret to shared-resources location
secret_path = (f"{vault_path}/{integration_name}/" +
f"shared-resources/{name}")
secret = {"path": secret_path, "data": body_data}
vault_client.write(secret)
def write_outputs_to_vault(vault_path, ri):
integration_name = QONTRACT_INTEGRATION.replace('_', '-')
vault_client = VaultClient()
for cluster, namespace, _, data in ri:
for name, d_item in data['desired'].items():
body_data = d_item.body['data']
# write secret to per-namespace location
secret_path = \
f"{vault_path}/{integration_name}/" + \
f"{cluster}/{namespace}/{name}"
secret = {'path': secret_path, 'data': body_data}
vault_client.write(secret)
# write secret to shared-resources location
secret_path = \
f"{vault_path}/{integration_name}/" + \
f"shared-resources/{name}"
secret = {'path': secret_path, 'data': body_data}
vault_client.write(secret)
def write_output_to_vault(vault_path, name, data):
integration_name = QONTRACT_INTEGRATION
vault_client = VaultClient()
secret_path = f"{vault_path}/{integration_name}/{name}"
secret = {'path': secret_path, 'data': data}
vault_client.write(secret)
def read_input_from_vault(vault_path, name, field):
integration_name = QONTRACT_INTEGRATION
vault_client = VaultClient()
secret_path = f"{vault_path}/{integration_name}/{name}"
secret = {'path': secret_path, 'field': field}
return vault_client.read(secret)
def vault_client(self):
if self._vault_client is None:
self._vault_client = VaultClient()
return self._vault_client
