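def _get_secret_provider_for_service(service_name, cluster_names=None):
    """Build the configured secret provider for ``service_name``.

    Must be run from the root of a local yelpsoa-configs checkout: the current
    working directory is used as ``soa_dir`` and the tool prints a hint and
    exits with status 1 when ``<cwd>/<service_name>/service.yaml`` is missing.

    Args:
        service_name: service whose secrets are being managed.
        cluster_names: optional comma-separated list of clusters to target.
            Whitespace around each name is ignored and empty entries (e.g. a
            trailing comma) are dropped.  When omitted, every cluster the
            service is deployed to (``list_clusters``) is used.

    Returns:
        Whatever ``get_secret_provider`` returns for the system-configured
        provider name, wired with the system vault cluster config.
    """
    soa_dir = os.getcwd()
    if not is_service_folder(soa_dir, service_name):
        print(
            "{} not found.\n"
            "You must run this tool from the root of your local yelpsoa checkout\n"
            "The tool modifies files in yelpsoa-configs that you must then commit\n"
            "and push back to git.".format(os.path.join(service_name, "service.yaml"))
        )
        sys.exit(1)

    system_paasta_config = load_system_paasta_config()
    secret_provider_kwargs = {
        "vault_cluster_config": system_paasta_config.get_vault_cluster_config()
    }

    if cluster_names:
        # A plain split() would hand the provider names like " devc" or ""
        # for input such as "norcal-devc, devc" or "devc,"; normalise first.
        clusters = [name.strip() for name in cluster_names.split(",") if name.strip()]
    else:
        clusters = list_clusters(service=service_name, soa_dir=soa_dir)

    return get_secret_provider(
        secret_provider_name=system_paasta_config.get_secret_provider_name(),
        soa_dir=soa_dir,
        service_name=service_name,
        cluster_names=clusters,
        secret_provider_kwargs=secret_provider_kwargs,
    )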
def decrypt_secret_environment_variables(
    secret_provider_name,
    environment,
    soa_dir,
    service_name,
    cluster_name,
    secret_provider_kwargs,
):
    """Resolve the secret references found in ``environment`` for a local run.

    Only entries whose value ``is_secret_ref`` accepts are sent to the
    provider; all other entries are ignored and do not appear in the result.

    Returns:
        The decrypted entries as returned by ``decrypt_environment``, or an
        empty dict when ``environment`` holds no secret references (the
        provider is not even constructed in that case).  On any provider error
        the failure and a ``--skip-secrets`` hint are printed and the process
        exits with status 1.

    NOTE(review): the exception text is printed verbatim; this assumes provider
    errors never embed secret material -- confirm for the providers in use.
    """
    refs = {
        name: value
        for name, value in environment.items()
        if is_secret_ref(value)
    }
    if not refs:
        return {}

    provider = get_secret_provider(
        secret_provider_name=secret_provider_name,
        soa_dir=soa_dir,
        service_name=service_name,
        cluster_names=[cluster_name],
        secret_provider_kwargs=secret_provider_kwargs,
    )
    try:
        return provider.decrypt_environment(refs)
    except Exception as e:
        paasta_print(f"Failed to retrieve secrets with {e.__class__.__name__}: {e}")
        paasta_print("If you don't need the secrets for local-run, you can add --skip-secrets")
        sys.exit(1)
def renew_issue_cert(system_paasta_config: SystemPaastaConfig, cluster: str) -> None:
    """Renew (or first issue) the auth certificate for ``cluster``.

    The configured secret provider is built without a service context
    (``soa_dir`` and ``service_name`` are ``None``) and asked to renew against
    the system PKI backend using the configured certificate TTL.
    """
    provider_kwargs = {
        "vault_cluster_config": system_paasta_config.get_vault_cluster_config(),
    }
    provider = get_secret_provider(
        secret_provider_name=system_paasta_config.get_secret_provider_name(),
        soa_dir=None,
        service_name=None,
        cluster_names=[cluster],
        secret_provider_kwargs=provider_kwargs,
    )
    pki_backend = system_paasta_config.get_pki_backend()
    ttl = system_paasta_config.get_auth_certificate_ttl()
    provider.renew_issue_cert(pki_backend=pki_backend, ttl=ttl)
def test_get_secret_provider():
    """The class named by ``secret_provider_name`` is instantiated with the
    service context plus the flattened ``secret_provider_kwargs``, and the
    instance is returned as-is."""
    patched = mock.patch("paasta_tools.secret_providers.SecretProvider", autospec=True)
    with patched as provider_cls:
        provider = get_secret_provider(
            secret_provider_name="paasta_tools.secret_providers",
            soa_dir="/nail/blah",
            service_name="test-service",
            cluster_names=["norcal-devc"],
            secret_provider_kwargs={"some": "thing"},
        )
        expected_kwargs = {
            "soa_dir": "/nail/blah",
            "service_name": "test-service",
            "cluster_names": ["norcal-devc"],
            "some": "thing",
        }
        provider_cls.assert_called_with(**expected_kwargs)
        assert provider == provider_cls.return_value
def decrypt_secret_environment_for_service(
    secret_env_vars,
    service_name,
    secret_provider_name,
    soa_dir,
    cluster_name,
    secret_provider_kwargs,
):
    """Decrypt ``secret_env_vars`` for one service on one cluster.

    ``secret_env_vars`` is passed straight through to the provider's
    ``decrypt_environment``; no filtering happens here.

    Returns:
        The provider's result, or an empty dict when ``secret_env_vars`` is
        empty or ``None`` (no provider is constructed in that case).
    """
    if secret_env_vars:
        provider = get_secret_provider(
            secret_provider_name=secret_provider_name,
            soa_dir=soa_dir,
            service_name=service_name,
            cluster_names=[cluster_name],
            secret_provider_kwargs=secret_provider_kwargs,
        )
        return provider.decrypt_environment(secret_env_vars)
    return {}
def test_get_secret_provider():
    """``get_secret_provider`` resolves ``SecretProvider`` in the named module
    and constructs it with the service context merged with the extra kwargs."""
    target = 'paasta_tools.secret_providers.SecretProvider'
    with mock.patch(target, autospec=True) as provider_cls:
        result = get_secret_provider(
            secret_provider_name='paasta_tools.secret_providers',
            soa_dir='/nail/blah',
            service_name='test-service',
            cluster_names=['norcal-devc'],
            secret_provider_kwargs={'some': 'thing'},
        )
    provider_cls.assert_called_with(
        soa_dir='/nail/blah',
        service_name='test-service',
        cluster_names=['norcal-devc'],
        some='thing',
    )
    assert result == provider_cls.return_value
def decrypt_secret_environment_variables(
    secret_provider_name,
    environment,
    soa_dir,
    service_name,
    cluster_name,
    secret_provider_kwargs,
):
    """Decrypt the entries of ``environment`` that are secret references.

    Entries are selected with ``is_secret_ref``; non-secret entries are dropped
    from the result rather than passed through.

    Returns:
        The provider's ``decrypt_environment`` result for the selected entries,
        or an empty dict when there are none (the provider is then never built).
        Provider errors propagate to the caller.
    """
    to_decrypt = {
        key: val for key, val in environment.items() if is_secret_ref(val)
    }
    if not to_decrypt:
        return {}

    provider = get_secret_provider(
        secret_provider_name=secret_provider_name,
        soa_dir=soa_dir,
        service_name=service_name,
        cluster_names=[cluster_name],
        secret_provider_kwargs=secret_provider_kwargs,
    )
    return provider.decrypt_environment(to_decrypt)
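def _get_secret_provider_for_service(service_name, cluster_names=None):
    """Build the configured secret provider for ``service_name``.

    Must be run from the root of a local yelpsoa-configs checkout: the current
    working directory is used as ``soa_dir`` and the tool prints a hint and
    exits with status 1 when ``is_service_folder`` rejects it.

    Args:
        service_name: service whose secrets are being managed.
        cluster_names: optional comma-separated list of clusters to target.
            Whitespace around each name is ignored and empty entries (e.g. a
            trailing comma) are dropped.  When omitted, every cluster the
            service is deployed to (``list_clusters``) is used.

    Returns:
        Whatever ``get_secret_provider`` returns for the system-configured
        provider name, wired with the system vault cluster config.
    """
    soa_dir = os.getcwd()
    if not is_service_folder(soa_dir, service_name):
        paasta_print(
            "You must run this tool from the root of your local yelpsoa checkout\n"
            "The tool modifies files in yelpsoa-configs that you must then commit\n"
            "and push back to git.", )
        sys.exit(1)

    system_paasta_config = load_system_paasta_config()
    secret_provider_kwargs = {
        'vault_cluster_config':
        system_paasta_config.get_vault_cluster_config(),
    }

    if cluster_names:
        # A plain split() would hand the provider names like " devc" or ""
        # for input such as "norcal-devc, devc" or "devc,"; normalise first.
        clusters = [name.strip() for name in cluster_names.split(',') if name.strip()]
    else:
        clusters = list_clusters(service=service_name, soa_dir=soa_dir)

    return get_secret_provider(
        secret_provider_name=system_paasta_config.get_secret_provider_name(),
        soa_dir=soa_dir,
        service_name=service_name,
        cluster_names=clusters,
        secret_provider_kwargs=secret_provider_kwargs,
    )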
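def sync_secrets(
    kube_client: KubeClient,
    cluster: str,
    service: str,
    secret_provider_name: str,
    vault_cluster_config: Mapping[str, str],
    soa_dir: str,
) -> bool:
    """Reconcile a service's Kubernetes secrets with its ``secrets/*.json`` files.

    For every regular file ``<soa_dir>/<service>/secrets/<name>.json`` the
    provider derives a signature from the file's contents.  The secret is
    created when Kubernetes holds no signature for it, updated when the stored
    signature differs, and left untouched otherwise.  Files for which the
    provider yields no signature are skipped.

    Args:
        kube_client: client used for every secret and signature operation.
        cluster: cluster whose provider configuration is used.
        service: service name; also the directory name under ``soa_dir``.
        secret_provider_name: provider module handed to ``get_secret_provider``.
        vault_cluster_config: vault cluster mapping handed to the provider.
        soa_dir: root of the soa-configs checkout.

    Returns:
        Always ``True``; failures surface as exceptions.

    Raises:
        ApiException: re-raised from ``create_secret`` for any status other
            than 409 (secret already exists).

    NOTE(review): ``service`` is joined into a filesystem path without
    sanitisation, and the vault token is read from a fixed node path
    (``/root/.vault_token``).  Callers are presumed to pass a validated
    service name and the token file is presumed root-only -- confirm.
    """
    secret_dir = os.path.join(soa_dir, service, "secrets")
    secret_provider_kwargs = {
        'vault_cluster_config': vault_cluster_config,
        # TODO: make vault-tools support k8s auth method so we don't have to
        # mount a token in.
        'vault_auth_method': 'token',
        'vault_token_file': '/root/.vault_token',
    }
    secret_provider = get_secret_provider(
        secret_provider_name=secret_provider_name,
        soa_dir=soa_dir,
        service_name=service,
        cluster_names=[cluster],
        secret_provider_kwargs=secret_provider_kwargs,
    )
    suffix = '.json'
    with os.scandir(secret_dir) as entries:
        for entry in entries:
            # Only regular "<name>.json" files.  Testing the bare "json" suffix
            # and then replace('.json', '') would accept "foojson" and strip
            # every ".json" occurrence from a name, not just the extension.
            if not entry.name.endswith(suffix) or not entry.is_file():
                continue
            secret = entry.name[:-len(suffix)]
            with open(entry.path, 'r') as secret_file:
                secret_data = json.load(secret_file)
            secret_signature = secret_provider.get_secret_signature_from_data(
                secret_data)
            if not secret_signature:
                continue
            _sync_one_secret(
                kube_client=kube_client,
                service=service,
                secret=secret,
                secret_signature=secret_signature,
                secret_provider=secret_provider,
            )
    return True


def _sync_one_secret(
    kube_client: KubeClient,
    service: str,
    secret: str,
    secret_signature: str,
    secret_provider,
) -> None:
    """Create or update one Kubernetes secret so its stored signature matches."""
    kubernetes_secret_signature = get_kubernetes_secret_signature(
        kube_client=kube_client,
        secret=secret,
        service=service,
    )
    if not kubernetes_secret_signature:
        log.info(f"{secret} for {service} not found, creating")
        try:
            create_secret(
                kube_client=kube_client,
                secret=secret,
                service=service,
                secret_provider=secret_provider,
            )
        except ApiException as e:
            # 409: another writer created it first.  The signature is still
            # recorded below, which presumes that writer used the same data
            # -- TODO confirm; otherwise the next run would report "up to
            # date" against content this run never wrote.
            if e.status == 409:
                log.warning(
                    f"Secret {secret} for {service} already exists"
                )
            else:
                raise
        create_kubernetes_secret_signature(
            kube_client=kube_client,
            secret=secret,
            service=service,
            secret_signature=secret_signature,
        )
    elif secret_signature != kubernetes_secret_signature:
        log.info(
            f"{secret} for {service} needs updating as signature changed"
        )
        update_secret(
            kube_client=kube_client,
            secret=secret,
            service=service,
            secret_provider=secret_provider,
        )
        update_kubernetes_secret_signature(
            kube_client=kube_client,
            secret=secret,
            service=service,
            secret_signature=secret_signature,
        )
    else:
        log.info(f"{secret} for {service} up to date")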