Exemple #1
0
    def _get_backend(self, type_name):
        "imports and registers backend according to type_name"
        try:
            return self.backends[type_name]
        except KeyError:
            ref_kwargs = {"embed_refs": self.embed_refs}
            if type_name == "plain":
                from kapitan.refs.base import PlainRefBackend

                # XXX embed_refs in plain backend does nothing
                self.register_backend(PlainRefBackend(self.path, **ref_kwargs))
            elif type_name == "base64":
                from kapitan.refs.base64 import Base64RefBackend

                self.register_backend(Base64RefBackend(self.path, **ref_kwargs))
            elif type_name == "gpg":
                from kapitan.refs.secrets.gpg import GPGBackend

                self.register_backend(GPGBackend(self.path, **ref_kwargs))
            elif type_name == "gkms":
                from kapitan.refs.secrets.gkms import GoogleKMSBackend

                self.register_backend(GoogleKMSBackend(self.path, **ref_kwargs))
            elif type_name == "awskms":
                from kapitan.refs.secrets.awskms import AWSKMSBackend

                self.register_backend(AWSKMSBackend(self.path, **ref_kwargs))
            elif type_name == "vaultkv":
                from kapitan.refs.secrets.vaultkv import VaultBackend

                self.register_backend(VaultBackend(self.path, **ref_kwargs))
            else:
                raise RefBackendError(f"no backend for ref type: {type_name}")
        return self.backends[type_name]
Exemple #2
0
 def _get_backend(self, type_name):
     "imports and registers backend according to type_name"
     try:
         return self.backends[type_name]
     except KeyError:
         if type_name == 'ref':
             from kapitan.refs.base import RefBackend
             self.register_backend(RefBackend(self.path))
         elif type_name == 'gpg':
             from kapitan.refs.secrets.gpg import GPGBackend
             self.register_backend(GPGBackend(self.path))
         else:
             raise RefBackendError('no backend for ref type: {}'.format(type_name))
     return self.backends[type_name]
Exemple #3
0
def secret_update_validate(args, ref_controller):
    "Validate and/or update target secrets"
    # update recipients for all secrets in secrets_path
    # use --secrets-path to set scanning path
    inv = inventory_reclass(args.inventory_path)
    targets = set(inv['nodes'].keys())
    secrets_path = os.path.abspath(args.secrets_path)
    target_token_paths = search_target_token_paths(secrets_path, targets)
    ret_code = 0
    ref_controller.register_backend(
        GPGBackend(secrets_path))  # override gpg backend for new secrets_path
    # TODO: Implement --update-targets and --validate-targets for KMS
    for target_name, token_paths in target_token_paths.items():
        try:
            try:
                recipients = inv['nodes'][target_name]['parameters'][
                    'kapitan']['secrets']['gpg']['recipients']
            except KeyError:
                # TODO: Keeping gpg recipients backwards-compatible until we make a breaking release
                logger.warning(
                    "WARNING: parameters.kapitan.secrets.recipients is deprecated, "
                    +
                    "please move them to parameters.kapitan.secrets.gpg.recipients"
                )
                recipients = inv['nodes'][target_name]['parameters'][
                    'kapitan']['secrets']['recipients']
            for token_path in token_paths:
                secret_obj = ref_controller.backends['gpg'][token_path]
                target_fingerprints = set(lookup_fingerprints(recipients))
                secret_fingerprints = set(
                    lookup_fingerprints(secret_obj.recipients))
                if target_fingerprints != secret_fingerprints:
                    if args.validate_targets:
                        logger.info("%s recipient mismatch", token_path)
                        ret_code = 1
                    else:
                        new_recipients = [
                            dict([
                                ("fingerprint", f),
                            ]) for f in target_fingerprints
                        ]
                        secret_obj.update_recipients(new_recipients)
                        ref_controller.backends['gpg'][token_path] = secret_obj
        except KeyError:
            logger.debug(
                "secret_gpg_update_target: target: %s has no inventory recipients, skipping",
                target_name)
    sys.exit(ret_code)
Exemple #4
0
 def _get_backend(self, type_name):
     "imports and registers backend according to type_name"
     try:
         return self.backends[type_name]
     except KeyError:
         if type_name == 'plain':
             from kapitan.refs.base import PlainRefBackend
             self.register_backend(PlainRefBackend(self.path))
         elif type_name == 'base64':
             from kapitan.refs.base64 import Base64RefBackend
             self.register_backend(Base64RefBackend(self.path))
         elif type_name == 'gpg':
             from kapitan.refs.secrets.gpg import GPGBackend
             self.register_backend(GPGBackend(self.path))
         elif type_name == 'gkms':
             from kapitan.refs.secrets.gkms import GoogleKMSBackend
             self.register_backend(GoogleKMSBackend(self.path))
         elif type_name == 'awskms':
             from kapitan.refs.secrets.awskms import AWSKMSBackend
             self.register_backend(AWSKMSBackend(self.path))
         else:
             raise RefBackendError(
                 'no backend for ref type: {}'.format(type_name))
     return self.backends[type_name]
Exemple #5
0
def main():
    """main function for command line usage"""
    parser = argparse.ArgumentParser(prog=PROJECT_NAME,
                                     description=DESCRIPTION)
    parser.add_argument('--version', action='version', version=VERSION)
    subparser = parser.add_subparsers(help="commands")

    eval_parser = subparser.add_parser('eval', help='evaluate jsonnet file')
    eval_parser.add_argument('jsonnet_file', type=str)
    eval_parser.add_argument('--output',
                             type=str,
                             choices=('yaml', 'json', 'str'),
                             default=from_dot_kapitan('eval', 'output',
                                                      'yaml'),
                             help='set output format, default is "yaml"')
    eval_parser.add_argument('--vars',
                             type=str,
                             default=from_dot_kapitan('eval', 'vars', []),
                             nargs='*',
                             metavar='VAR',
                             help='set variables')
    eval_parser.add_argument('--search-paths',
                             '-J',
                             type=str,
                             nargs='+',
                             default=from_dot_kapitan('eval', 'search-paths',
                                                      ['.']),
                             metavar='JPATH',
                             help='set search paths, default is ["."]')

    compile_parser = subparser.add_parser('compile', help='compile targets')
    compile_parser.add_argument('--search-paths',
                                '-J',
                                type=str,
                                nargs='+',
                                default=from_dot_kapitan(
                                    'compile', 'search-paths', ['.']),
                                metavar='JPATH',
                                help='set search paths, default is ["."]')
    compile_parser.add_argument('--verbose',
                                '-v',
                                help='set verbose mode',
                                action='store_true',
                                default=from_dot_kapitan(
                                    'compile', 'verbose', False))
    compile_parser.add_argument('--prune',
                                help='prune jsonnet output',
                                action='store_true',
                                default=from_dot_kapitan(
                                    'compile', 'prune', False))
    compile_parser.add_argument('--quiet',
                                help='set quiet mode, only critical output',
                                action='store_true',
                                default=from_dot_kapitan(
                                    'compile', 'quiet', False))
    compile_parser.add_argument('--output-path',
                                type=str,
                                default=from_dot_kapitan(
                                    'compile', 'output-path', '.'),
                                metavar='PATH',
                                help='set output path, default is "."')
    compile_parser.add_argument('--targets',
                                '-t',
                                help='targets to compile, default is all',
                                type=str,
                                nargs='+',
                                default=from_dot_kapitan(
                                    'compile', 'targets', []),
                                metavar='TARGET')
    compile_parser.add_argument(
        '--parallelism',
        '-p',
        type=int,
        default=from_dot_kapitan('compile', 'parallelism', 4),
        metavar='INT',
        help='Number of concurrent compile processes, default is 4')
    compile_parser.add_argument(
        '--indent',
        '-i',
        type=int,
        default=from_dot_kapitan('compile', 'indent', 2),
        metavar='INT',
        help='Indentation spaces for YAML/JSON, default is 2')
    compile_parser.add_argument(
        '--secrets-path',
        help='set secrets path, default is "./secrets"',
        default=from_dot_kapitan('compile', 'secrets-path', './secrets'))
    compile_parser.add_argument(
        '--reveal',
        help='reveal secrets (warning: this will write sensitive data)',
        action='store_true',
        default=from_dot_kapitan('compile', 'reveal', False))
    compile_parser.add_argument(
        '--inventory-path',
        default=from_dot_kapitan('compile', 'inventory-path', './inventory'),
        help='set inventory path, default is "./inventory"')
    compile_parser.add_argument(
        '--cache',
        '-c',
        help='enable compilation caching to .kapitan_cache, default is False',
        action='store_true',
        default=from_dot_kapitan('compile', 'cache', False))
    compile_parser.add_argument(
        '--cache-paths',
        type=str,
        nargs='+',
        default=from_dot_kapitan('compile', 'cache-paths', []),
        metavar='PATH',
        help='cache additional paths to .kapitan_cache, default is []')
    compile_parser.add_argument('--ignore-version-check',
                                help='ignore the version from .kapitan',
                                action='store_true',
                                default=from_dot_kapitan(
                                    'compile', 'ignore-version-check', False))

    inventory_parser = subparser.add_parser('inventory', help='show inventory')
    inventory_parser.add_argument(
        '--target-name',
        '-t',
        default=from_dot_kapitan('inventory', 'target-name', ''),
        help='set target name, default is all targets')
    inventory_parser.add_argument(
        '--inventory-path',
        default=from_dot_kapitan('inventory', 'inventory-path', './inventory'),
        help='set inventory path, default is "./inventory"')
    inventory_parser.add_argument('--flat',
                                  '-F',
                                  help='flatten nested inventory variables',
                                  action='store_true',
                                  default=from_dot_kapitan(
                                      'inventory', 'flat', False))
    inventory_parser.add_argument(
        '--pattern',
        '-p',
        default=from_dot_kapitan('inventory', 'pattern', ''),
        help=
        'filter pattern (e.g. parameters.mysql.storage_class, or storage_class,'
        + ' or storage_*), default is ""')
    inventory_parser.add_argument('--verbose',
                                  '-v',
                                  help='set verbose mode',
                                  action='store_true',
                                  default=from_dot_kapitan(
                                      'inventory', 'verbose', False))

    searchvar_parser = subparser.add_parser(
        'searchvar', help='show all inventory files where var is declared')
    searchvar_parser.add_argument(
        'searchvar',
        type=str,
        metavar='VARNAME',
        help=
        'e.g. parameters.mysql.storage_class, or storage_class, or storage_*')
    searchvar_parser.add_argument(
        '--inventory-path',
        default=from_dot_kapitan('searchvar', 'inventory-path', './inventory'),
        help='set inventory path, default is "./inventory"')
    searchvar_parser.add_argument('--verbose',
                                  '-v',
                                  help='set verbose mode',
                                  action='store_true',
                                  default=from_dot_kapitan(
                                      'searchvar', 'verbose', False))
    searchvar_parser.add_argument('--pretty-print',
                                  '-p',
                                  help='Pretty print content of var',
                                  action='store_true',
                                  default=from_dot_kapitan(
                                      'searchvar', 'pretty-print', False))

    secrets_parser = subparser.add_parser('secrets', help='manage secrets')
    secrets_parser.add_argument(
        '--write',
        '-w',
        help='write secret token',
        metavar='TOKENNAME',
    )
    secrets_parser.add_argument(
        '--update',
        help='update recipients for secret token',
        metavar='TOKENNAME',
    )
    secrets_parser.add_argument('--update-targets',
                                action='store_true',
                                default=from_dot_kapitan(
                                    'secrets', 'update-targets', False),
                                help='update target secrets')
    secrets_parser.add_argument('--validate-targets',
                                action='store_true',
                                default=from_dot_kapitan(
                                    'secrets', 'validate-targets', False),
                                help='validate target secrets')
    secrets_parser.add_argument('--base64',
                                '-b64',
                                help='base64 encode file content',
                                action='store_true',
                                default=from_dot_kapitan(
                                    'secrets', 'base64', False))
    secrets_parser.add_argument('--reveal',
                                '-r',
                                help='reveal secrets',
                                action='store_true',
                                default=from_dot_kapitan(
                                    'secrets', 'reveal', False))
    secrets_parser.add_argument(
        '--file',
        '-f',
        help='read file or directory, set "-" for stdin',
        metavar='FILENAME')
    secrets_parser.add_argument('--target-name',
                                '-t',
                                help='grab recipients from target name')
    secrets_parser.add_argument(
        '--inventory-path',
        default=from_dot_kapitan('secrets', 'inventory-path', './inventory'),
        help='set inventory path, default is "./inventory"')
    secrets_parser.add_argument('--recipients',
                                '-R',
                                help='set recipients',
                                type=str,
                                nargs='+',
                                default=from_dot_kapitan(
                                    'secrets', 'recipients', []),
                                metavar='RECIPIENT')
    secrets_parser.add_argument(
        '--secrets-path',
        help='set secrets path, default is "./secrets"',
        default=from_dot_kapitan('secrets', 'secrets-path', './secrets'))
    secrets_parser.add_argument('--backend',
                                help='set secrets backend, default is "gpg"',
                                type=str,
                                choices=('gpg', ),
                                default=from_dot_kapitan(
                                    'secrets', 'backend', 'gpg'))
    secrets_parser.add_argument(
        '--verbose',
        '-v',
        help='set verbose mode (warning: this will show sensitive data)',
        action='store_true',
        default=from_dot_kapitan('secrets', 'verbose', False))

    args = parser.parse_args()

    logger.debug('Running with args: %s', args)

    try:
        cmd = sys.argv[1]
    except IndexError:
        parser.print_help()
        sys.exit(1)

    if cmd == 'eval':
        file_path = args.jsonnet_file
        search_paths = [os.path.abspath(path) for path in args.search_paths]
        ext_vars = {}
        if args.vars:
            ext_vars = dict(var.split('=') for var in args.vars)
        json_output = None

        def _search_imports(cwd, imp):
            return search_imports(cwd, imp, search_paths)

        json_output = jsonnet_file(
            file_path,
            import_callback=_search_imports,
            native_callbacks=resource_callbacks(search_paths),
            ext_vars=ext_vars)
        if args.output == 'yaml':
            json_obj = json.loads(json_output)
            yaml.safe_dump(json_obj, sys.stdout, default_flow_style=False)
        elif json_output:
            print(json_output)

    elif cmd == 'compile':
        if args.verbose:
            logging.basicConfig(
                level=logging.DEBUG,
                format='%(asctime)s %(name)-12s %(levelname)-8s %(message)s')
        elif args.quiet:
            logging.basicConfig(level=logging.CRITICAL, format="%(message)s")
        else:
            logging.basicConfig(level=logging.INFO, format="%(message)s")

        search_paths = [os.path.abspath(path) for path in args.search_paths]

        if not args.ignore_version_check:
            check_version()

        ref_controller = RefController(args.secrets_path)

        compile_targets(args.inventory_path,
                        search_paths,
                        args.output_path,
                        args.parallelism,
                        args.targets,
                        ref_controller,
                        prune=(args.prune),
                        indent=args.indent,
                        reveal=args.reveal,
                        cache=args.cache,
                        cache_paths=args.cache_paths)

    elif cmd == 'inventory':
        if args.verbose:
            logging.basicConfig(
                level=logging.DEBUG,
                format='%(asctime)s %(name)-12s %(levelname)-8s %(message)s')
        else:
            logging.basicConfig(level=logging.INFO, format="%(message)s")

        if args.pattern and args.target_name == '':
            parser.error("--pattern requires --target_name")
        try:
            inv = inventory_reclass(args.inventory_path)
            if args.target_name != '':
                inv = inv['nodes'][args.target_name]
                if args.pattern != '':
                    pattern = args.pattern.split(".")
                    inv = deep_get(inv, pattern)
            if args.flat:
                inv = flatten_dict(inv)
                yaml.dump(inv, sys.stdout, width=10000)
            else:
                yaml.dump(inv,
                          sys.stdout,
                          Dumper=PrettyDumper,
                          default_flow_style=False)
        except Exception as e:
            if not isinstance(e, KapitanError):
                logger.error("\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~")
                traceback.print_exc()
            sys.exit(1)

    elif cmd == 'searchvar':
        if args.verbose:
            logging.basicConfig(
                level=logging.DEBUG,
                format='%(asctime)s %(name)-12s %(levelname)-8s %(message)s')
        else:
            logging.basicConfig(level=logging.INFO, format="%(message)s")

        searchvar(args.searchvar, args.inventory_path, args.pretty_print)

    elif cmd == 'secrets':
        if args.verbose:
            logging.basicConfig(
                level=logging.DEBUG,
                format='%(asctime)s %(name)-12s %(levelname)-8s %(message)s')
        else:
            logging.basicConfig(level=logging.INFO, format="%(message)s")

        ref_controller = RefController(args.secrets_path)

        if args.write is not None:
            if args.file is None:
                parser.error('--file is required with --write')
            data = None
            recipients = [dict((("name", name), )) for name in args.recipients]
            if args.target_name:
                inv = inventory_reclass(args.inventory_path)
                # TODO move into kapitan:secrets:gpg:recipients key
                recipients = inv['nodes'][args.target_name]['parameters'][
                    'kapitan']['secrets']['recipients']
            if args.file == '-':
                data = ''
                for line in sys.stdin:
                    data += line
            else:
                with open(args.file) as fp:
                    data = fp.read()
            # TODO deprecate backend and move to passing ref tags in command line
            if args.backend == "gpg":
                secret_obj = GPGSecret(data, recipients, args.base64)
                ref_controller.backends['gpg'][args.write] = secret_obj
        elif args.reveal:
            revealer = Revealer(ref_controller)
            if args.file is None:
                parser.error('--file is required with --reveal')
            if args.file == '-':
                # TODO deal with RefHashMismatchError or KeyError exceptions
                out = revealer.reveal_raw_file(None)
                sys.stdout.write(out)
            elif args.file:
                for rev_obj in revealer.reveal_path(args.file):
                    sys.stdout.write(rev_obj.content)
        elif args.update:
            # update recipients for secret tag
            # args.recipients is a list, convert to recipients dict
            recipients = [
                dict([
                    ("name", name),
                ]) for name in args.recipients
            ]
            if args.target_name:
                inv = inventory_reclass(args.inventory_path)
                # TODO move into kapitan:secrets:gpg:recipients key
                recipients = inv['nodes'][args.target_name]['parameters'][
                    'kapitan']['secrets']['recipients']
            if args.backend == "gpg":
                secret_obj = ref_controller.backends['gpg'][args.update]
                secret_obj.update_recipients(recipients)
                ref_controller.backends['gpg'][args.update] = secret_obj
        elif args.update_targets or args.validate_targets:
            # update recipients for all secrets in secrets_path
            # use --secrets-path to set scanning path
            inv = inventory_reclass(args.inventory_path)
            targets = set(inv['nodes'].keys())
            secrets_path = os.path.abspath(args.secrets_path)
            target_token_paths = search_target_token_paths(
                secrets_path, targets)
            ret_code = 0
            # override gpg backend for new secrets_path
            ref_controller.register_backend(GPGBackend(secrets_path))
            for target_name, token_paths in target_token_paths.items():
                try:
                    recipients = inv['nodes'][target_name]['parameters'][
                        'kapitan']['secrets']['recipients']
                    for token_path in token_paths:
                        secret_obj = ref_controller.backends['gpg'][token_path]
                        target_fingerprints = set(
                            lookup_fingerprints(recipients))
                        secret_fingerprints = set(
                            lookup_fingerprints(secret_obj.recipients))
                        if target_fingerprints != secret_fingerprints:
                            if args.validate_targets:
                                logger.info("%s recipient mismatch",
                                            token_path)
                                ret_code = 1
                            else:
                                new_recipients = [
                                    dict([
                                        ("fingerprint", f),
                                    ]) for f in target_fingerprints
                                ]
                                secret_obj.update_recipients(new_recipients)
                                ref_controller.backends['gpg'][
                                    token_path] = secret_obj
                except KeyError:
                    logger.debug(
                        "secret_gpg_update_target: target: %s has no inventory recipients, skipping",
                        target_name)
            sys.exit(ret_code)