def fetch_provider_vault_secret(path, version, name, labels, annotations, type,
integration, integration_version):
# get the fields from vault
vault_client = VaultClient()
raw_data = vault_client.read_all({'path': path, 'version': version})
# construct oc resource
body = {
"apiVersion": "v1",
"kind": "Secret",
"type": type,
"metadata": {
"name": name,
"annotations": annotations
}
}
if labels:
body['metadata']['labels'] = labels
if raw_data.items():
body['data'] = {}
# populate data
for k, v in raw_data.items():
if v == "":
continue
if k.lower().endswith(QONTRACT_BASE64_SUFFIX):
k = k[:-len(QONTRACT_BASE64_SUFFIX)]
elif v is not None:
v = base64.b64encode(v.encode()).decode('utf-8')
body['data'][k] = v
try:
return OR(body, integration, integration_version, error_details=path)
except ConstructResourceError as e:
raise FetchResourceError(str(e))
def fetch_provider_route(path, tls_path, tls_version):
global _log_lock
openshift_resource = fetch_provider_resource(path)
if tls_path is None or tls_version is None:
return openshift_resource
# override existing tls fields from vault secret
openshift_resource.body['spec'].setdefault('tls', {})
tls = openshift_resource.body['spec']['tls']
# get tls fields from vault
vault_client = VaultClient()
raw_data = vault_client.read_all({
'path': tls_path,
'version': tls_version
})
valid_keys = [
'termination', 'insecureEdgeTerminationPolicy', 'certificate', 'key',
'caCertificate', 'destinationCACertificate'
]
for k, v in raw_data.items():
if k in valid_keys:
tls[k] = v
continue
msg = "Route secret '{}' key '{}' not in valid keys {}".format(
tls_path, k, valid_keys)
_log_lock.acquire()
logging.info(msg)
_log_lock.release()
host = openshift_resource.body['spec'].get('host')
certificate = openshift_resource.body['spec']['tls'].get('certificate')
if host and certificate:
match = openssl.certificate_matches_host(certificate, host)
if not match:
e_msg = "Route host does not match CN (common name): {}"
raise FetchRouteError(e_msg.format(path))
return openshift_resource