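def fetch_provider_vault_secret(
    path,
    version,
    name,
    labels,
    annotations,
    type,
    integration,
    integration_version,
    validate_alertmanager_config=False,
    alertmanager_config_key="alertmanager.yaml",
):
    """Build an OpenShift ``Secret`` resource from a Vault secret.

    Args:
        path: Vault path of the secret to read.
        version: Vault secret version to read.
        name: ``metadata.name`` of the generated Secret.
        labels: optional ``metadata.labels`` mapping; omitted when falsy.
        annotations: ``metadata.annotations`` mapping, written as given.
        type: Kubernetes Secret ``type`` (e.g. ``Opaque``). The parameter
            shadows the ``type`` builtin but is kept for caller compatibility.
        integration: name of the integration owning the resource.
        integration_version: version of that integration.
        validate_alertmanager_config: when true, the raw Vault data is
            passed to ``check_alertmanager_config`` before the Secret is built.
        alertmanager_config_key: key inside the Vault secret holding the
            alertmanager configuration to validate.

    Returns:
        An ``OR`` (OpenshiftResource) wrapping the Secret body.

    Raises:
        FetchResourceError: if ``OR`` rejects the constructed body. The
            original ``ConstructResourceError`` is chained as the cause so
            the traceback keeps the underlying reason.

    Vault values are placed under ``data`` and therefore must be base64. A
    key ending in ``QONTRACT_BASE64_SUFFIX`` (matched case-insensitively) is
    taken to already hold base64: the suffix is stripped from the key and
    newlines are removed from the value, but the value is NOT validated as
    base64 here. Every other string value is base64-encoded here.
    Empty-string values are skipped entirely. A ``None`` value (for a key
    without the suffix) is written through unchanged.
    NOTE(review): that yields ``data[k]: null`` -- confirm callers never
    store null values, or the API server may reject the Secret.
    """
    vault_client = VaultClient()
    raw_data = vault_client.read_all({"path": path, "version": version})

    if validate_alertmanager_config:
        check_alertmanager_config(raw_data, path, alertmanager_config_key)

    body = {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": type,
        "metadata": {"name": name, "annotations": annotations},
    }
    if labels:
        body["metadata"]["labels"] = labels

    # Only emit a ``data`` section when Vault returned something; an empty
    # Secret keeps no ``data`` key at all.
    if raw_data:
        body["data"] = {}

    suffix_len = len(QONTRACT_BASE64_SUFFIX)
    for key, value in raw_data.items():
        if value == "":
            continue
        if key.lower().endswith(QONTRACT_BASE64_SUFFIX):
            # Caller-supplied base64: strip the marker suffix and any
            # line wrapping, leave the payload as-is.
            key = key[:-suffix_len]
            value = value.replace("\n", "")
        elif value is not None:
            value = base64.b64encode(value.encode()).decode("utf-8")
        body["data"][key] = value

    try:
        return OR(body, integration, integration_version, error_details=path)
    except ConstructResourceError as e:
        # Re-raise under the fetch-level error type; chain the cause so the
        # construction failure is not lost from the traceback.
        raise FetchResourceError(str(e)) from e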
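def fetch_provider_route(path, tls_path, tls_version):
    """Fetch a Route resource and overlay its ``spec.tls`` from Vault.

    Args:
        path: resource path handed to ``fetch_provider_resource``.
        tls_path: Vault path holding the TLS material. If this or
            ``tls_version`` is ``None`` the resource is returned untouched.
        tls_version: Vault secret version to read.

    Returns:
        The OpenshiftResource, with the whitelisted ``spec.tls`` fields
        overridden by the values found in Vault.

    Raises:
        FetchRouteError: if ``spec.host`` is set and the resulting
            certificate does not match it.

    Only the whitelisted TLS keys are copied into the Route; any other key
    in the Vault secret is logged by name (the value is never logged) and
    ignored. The host/certificate check only runs when both ``spec.host``
    and ``tls.certificate`` are present -- a Route relying on an
    auto-generated host is not checked here. The log lock is held with a
    ``with`` statement so an exception raised while logging cannot leave
    the lock acquired and stall other workers.
    """
    openshift_resource = fetch_provider_resource(path)
    if tls_path is None or tls_version is None:
        return openshift_resource

    # Merge into the existing tls block (creating it if absent) so fields
    # not supplied by Vault survive.
    spec = openshift_resource.body["spec"]
    tls = spec.setdefault("tls", {})

    raw_data = VaultClient().read_all({"path": tls_path, "version": tls_version})

    valid_keys = [
        "termination",
        "insecureEdgeTerminationPolicy",
        "certificate",
        "key",
        "caCertificate",
        "destinationCACertificate",
    ]
    for k, v in raw_data.items():
        if k in valid_keys:
            tls[k] = v
            continue
        msg = "Route secret '{}' key '{}' not in valid keys {}".format(
            tls_path, k, valid_keys)
        with _log_lock:
            logging.info(msg)

    host = spec.get("host")
    certificate = tls.get("certificate")
    if host and certificate:
        if not openssl.certificate_matches_host(certificate, host):
            e_msg = "Route host does not match CN (common name): {}"
            raise FetchRouteError(e_msg.format(path))

    return openshift_resource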
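def fetch_provider_route(path, tls_path, tls_version):
    """Fetch a Route resource and override its ``spec.tls`` from Vault.

    Args:
        path: resource path passed to ``fetch_provider_resource``.
        tls_path: Vault path with the TLS material; when it or
            ``tls_version`` is ``None`` the resource is returned unchanged.
        tls_version: Vault secret version to read.

    Returns:
        The OpenshiftResource with whitelisted ``spec.tls`` fields replaced
        by the Vault values.

    Raises:
        FetchRouteError: when ``spec.host`` is set and the certificate does
            not match it.

    Keys outside the whitelist are logged by key name only (never the
    value) and dropped. The certificate/host comparison is skipped when
    either ``spec.host`` or ``tls.certificate`` is missing. The log lock is
    taken via ``with`` so a failure inside ``logging.info`` releases it
    instead of leaving it held for every other thread.
    """
    openshift_resource = fetch_provider_resource(path)
    if tls_path is None or tls_version is None:
        return openshift_resource

    spec = openshift_resource.body['spec']
    # keep any tls fields Vault does not override
    tls = spec.setdefault('tls', {})

    vault_client = VaultClient()
    raw_data = vault_client.read_all({
        'path': tls_path,
        'version': tls_version
    })

    valid_keys = [
        'termination',
        'insecureEdgeTerminationPolicy',
        'certificate',
        'key',
        'caCertificate',
        'destinationCACertificate'
    ]
    for k, v in raw_data.items():
        if k in valid_keys:
            tls[k] = v
        else:
            msg = "Route secret '{}' key '{}' not in valid keys {}".format(
                tls_path, k, valid_keys)
            with _log_lock:
                logging.info(msg)

    host = spec.get('host')
    certificate = tls.get('certificate')
    if host and certificate:
        match = openssl.certificate_matches_host(certificate, host)
        if not match:
            e_msg = "Route host does not match CN (common name): {}"
            raise FetchRouteError(e_msg.format(path))

    return openshift_resource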