Beispiel #1
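 def __init__(
     self,
     soa_dir: Optional[str],
     service_name: Optional[str],
     cluster_names: List[str],
     vault_cluster_config: Optional[Dict[str, str]] = None,
     vault_auth_method: str = "ldap",
     vault_token_file: str = "/root/.vault-token",
     vault_num_uses: int = 1,
     **kwargs: Any,
 ) -> None:
     """Build one Vault client per ecosystem the configured clusters map to.

     Args:
         soa_dir: Forwarded to the base class initializer.
         service_name: Forwarded to the base class initializer.
         cluster_names: Forwarded to the base class initializer; the
             ecosystems are then derived with
             ``self.get_vault_ecosystems_for_clusters()``.
         vault_cluster_config: Stored on the instance. ``None`` (the
             default) becomes a fresh empty dict, so instances never share
             one mutable default object.
         vault_auth_method: Stored and forwarded to ``get_vault_client``.
             When it is ``"ldap"`` the current OS user name and an
             interactively prompted password are forwarded as well;
             for any other method both are ``None``.
         vault_token_file: Stored and forwarded to ``get_vault_client``.
         vault_num_uses: Forwarded to ``get_vault_client`` as ``num_uses``.
         **kwargs: Accepted for signature compatibility; unused here.
     """
     super().__init__(soa_dir, service_name, cluster_names)
     # A shared `{}` default would let one instance's mutations leak into
     # every later instance; allocate per instance instead.
     self.vault_cluster_config = (
         {} if vault_cluster_config is None else vault_cluster_config
     )
     self.vault_auth_method = vault_auth_method
     self.vault_token_file = vault_token_file
     self.ecosystems = self.get_vault_ecosystems_for_clusters()
     # Dict, not Mapping: the loop below assigns into it.
     self.clients: Dict[str, hvac.Client] = {}
     if vault_auth_method == "ldap":
         # The password is only held in this local scope and handed to
         # get_vault_client once per ecosystem; it is never stored on self.
         username = getpass.getuser()
         password = getpass.getpass(
             "Please enter your LDAP password to auth with Vault\n")
     else:
         username = None
         password = None
     for ecosystem in self.ecosystems:
         self.clients[ecosystem] = get_vault_client(
             ecosystem=ecosystem,
             num_uses=vault_num_uses,
             vault_auth_method=self.vault_auth_method,
             vault_token_file=self.vault_token_file,
             username=username,
             password=password,
         )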
Beispiel #2
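 def decrypt_environment(
     self,
     environment: Dict[str, str],
     **kwargs: Any,
 ) -> Dict[str, str]:
     """Resolve every secret reference in *environment* to its plaintext.

     Each value is passed through ``get_secret_name_from_ref`` and the
     resulting ``<name>.json`` file under ``self.secret_dir`` is decrypted
     with ``get_plaintext`` against the first ecosystem of the configured
     clusters.

     Args:
         environment: Mapping of environment variable name to secret
             reference string.
         **kwargs: Accepted for signature compatibility; unused here.

     Returns:
         A new dict with the same keys and the UTF-8 decoded plaintexts as
         values. An empty input yields an empty dict without contacting
         Vault.

     Side effects:
         Sets ``self.ecosystem`` on every call and ``self.client`` only
         when there is at least one entry to decrypt.
     """
     # Raises IndexError if no ecosystem maps to the clusters (unchanged
     # from the original behaviour; callers see the same exception).
     self.ecosystem = self.get_vault_ecosystems_for_clusters()[0]
     if not environment:
         # Nothing to look up, so do not create a client at all. The
         # original sized num_uses by len(environment); Vault interprets a
         # num_uses of 0 as "unlimited", so an empty input would have asked
         # for a far more permissive token than intended (assuming
         # get_vault_client forwards num_uses unchanged - confirm).
         return {}
     # One use per secret lookup keeps the token scoped to this call.
     self.client = get_vault_client(
         ecosystem=self.ecosystem,
         num_uses=len(environment),
         vault_auth_method=self.vault_auth_method,
         vault_token_file=self.vault_token_file,
     )
     secret_environment: Dict[str, str] = {}
     for env_key, secret_ref in environment.items():
         secret_name = get_secret_name_from_ref(secret_ref)
         secret_path = os.path.join(
             self.secret_dir,
             f"{secret_name}.json",
         )
         # cache_enabled=False: plaintext is handed back directly; nothing
         # is written to an on-disk cache (presumed from the flag name).
         plaintext = get_plaintext(
             client=self.client,
             env=self.ecosystem,
             path=secret_path,
             cache_enabled=False,
             cache_dir=None,
             cache_key=None,
             context=self.service_name,
         ).decode('utf-8')
         secret_environment[env_key] = plaintext
     return secret_environment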
Beispiel #3
 def write_secret(
     self,
     action: str,
     secret_name: str,
     plaintext: bytes,
 ) -> None:
     """Encrypt *plaintext* into every ecosystem the clusters map to.

     Runs inside a temporary GPG keyring. Unless ``VAULT_TOKEN_OVERRIDE``
     is present in the environment, the current OS user name and an
     interactively prompted LDAP password are collected once and reused
     for the client of each ecosystem; otherwise both are ``None`` and
     ``get_vault_client`` is left to authenticate on its own (presumably
     from the override token - confirm in get_vault_client).

     Args:
         action: Forwarded to ``encrypt_secret``.
         secret_name: Forwarded to ``encrypt_secret``.
         plaintext: Raw secret bytes forwarded to ``encrypt_secret``.
     """
     with TempGpgKeyring(overwrite=True):
         target_ecosystems = self.get_vault_ecosystems_for_clusters()
         username = password = None
         if 'VAULT_TOKEN_OVERRIDE' not in os.environ:
             # Prompt once, before the loop, rather than per ecosystem.
             username = getpass.getuser()
             password = getpass.getpass("Please enter your LDAP password to auth with Vault\n")
         for target in target_ecosystems:
             vault_client = get_vault_client(
                 ecosystem=target,
                 username=username,
                 password=password,
             )
             encrypt_secret(
                 client=vault_client,
                 action=action,
                 ecosystem=target,
                 secret_name=secret_name,
                 soa_dir=self.soa_dir,
                 plaintext=plaintext,
                 service_name=self.service_name,
                 transit_key=self.encryption_key,
             )
Beispiel #4
 def decrypt_secret(self, secret_name: str) -> str:
     """Return the UTF-8 plaintext of ``<secret_name>.json``.

     The file is looked up under ``self.secret_dir`` and decrypted via
     ``get_plaintext`` against the first ecosystem the configured clusters
     map to (raises ``IndexError`` if there is none). Unless
     ``VAULT_TOKEN_OVERRIDE`` is present in the environment, the OS user
     name and an interactively prompted LDAP password are forwarded to
     ``get_vault_client``; otherwise both are ``None``.

     Args:
         secret_name: Base name of the secret file, without ``.json``.

     Returns:
         The decrypted secret as a ``str``.
     """
     target = self.get_vault_ecosystems_for_clusters()[0]
     username = password = None
     if 'VAULT_TOKEN_OVERRIDE' not in os.environ:
         username = getpass.getuser()
         password = getpass.getpass("Please enter your LDAP password to auth with Vault\n")
     vault_client = get_vault_client(
         ecosystem=target,
         username=username,
         password=password,
     )
     secret_file = os.path.join(self.secret_dir, f"{secret_name}.json")
     # cache_enabled=False: the plaintext is returned directly and, going
     # by the flag, not written to an on-disk cache.
     raw = get_plaintext(
         client=vault_client,
         path=secret_file,
         env=target,
         cache_enabled=False,
         cache_key=None,
         cache_dir=None,
         context=self.service_name,
     )
     return raw.decode('utf-8')