def fetch_provider_vault_secret(
path,
version,
name,
labels,
annotations,
type,
integration,
integration_version,
validate_alertmanager_config=False,
alertmanager_config_key="alertmanager.yaml",
):
# get the fields from vault
vault_client = VaultClient()
raw_data = vault_client.read_all({"path": path, "version": version})
if validate_alertmanager_config:
check_alertmanager_config(raw_data, path, alertmanager_config_key)
# construct oc resource
body = {
"apiVersion": "v1",
"kind": "Secret",
"type": type,
"metadata": {
"name": name,
"annotations": annotations
},
}
if labels:
body["metadata"]["labels"] = labels
if raw_data.items():
body["data"] = {}
# populate data
for k, v in raw_data.items():
if v == "":
continue
if k.lower().endswith(QONTRACT_BASE64_SUFFIX):
k = k[:-len(QONTRACT_BASE64_SUFFIX)]
v = v.replace("\n", "")
elif v is not None:
v = base64.b64encode(v.encode()).decode("utf-8")
body["data"][k] = v
try:
return OR(body, integration, integration_version, error_details=path)
except ConstructResourceError as e:
raise FetchResourceError(str(e))
def fetch_provider_route(path, tls_path, tls_version):
global _log_lock
openshift_resource = fetch_provider_resource(path)
if tls_path is None or tls_version is None:
return openshift_resource
# override existing tls fields from vault secret
openshift_resource.body["spec"].setdefault("tls", {})
tls = openshift_resource.body["spec"]["tls"]
# get tls fields from vault
vault_client = VaultClient()
raw_data = vault_client.read_all({
"path": tls_path,
"version": tls_version
})
valid_keys = [
"termination",
"insecureEdgeTerminationPolicy",
"certificate",
"key",
"caCertificate",
"destinationCACertificate",
]
for k, v in raw_data.items():
if k in valid_keys:
tls[k] = v
continue
msg = "Route secret '{}' key '{}' not in valid keys {}".format(
tls_path, k, valid_keys)
_log_lock.acquire() # pylint: disable=consider-using-with
logging.info(msg)
_log_lock.release()
host = openshift_resource.body["spec"].get("host")
certificate = openshift_resource.body["spec"]["tls"].get("certificate")
if host and certificate:
match = openssl.certificate_matches_host(certificate, host)
if not match:
e_msg = "Route host does not match CN (common name): {}"
raise FetchRouteError(e_msg.format(path))
return openshift_resource
def fetch_provider_route(path, tls_path, tls_version):
global _log_lock
openshift_resource = fetch_provider_resource(path)
if tls_path is None or tls_version is None:
return openshift_resource
# override existing tls fields from vault secret
openshift_resource.body['spec'].setdefault('tls', {})
tls = openshift_resource.body['spec']['tls']
# get tls fields from vault
vault_client = VaultClient()
raw_data = vault_client.read_all({
'path': tls_path,
'version': tls_version
})
valid_keys = [
'termination', 'insecureEdgeTerminationPolicy', 'certificate', 'key',
'caCertificate', 'destinationCACertificate'
]
for k, v in raw_data.items():
if k in valid_keys:
tls[k] = v
continue
msg = "Route secret '{}' key '{}' not in valid keys {}".format(
tls_path, k, valid_keys)
_log_lock.acquire()
logging.info(msg)
_log_lock.release()
host = openshift_resource.body['spec'].get('host')
certificate = openshift_resource.body['spec']['tls'].get('certificate')
if host and certificate:
match = openssl.certificate_matches_host(certificate, host)
if not match:
e_msg = "Route host does not match CN (common name): {}"
raise FetchRouteError(e_msg.format(path))
return openshift_resource
