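def _get_secret_provider_for_service(service_name, cluster_names=None):
    """Build the configured secret provider for *service_name*.

    Args:
        service_name: Service whose ``service.yaml`` must exist under the
            current working directory (the root of the yelpsoa checkout).
        cluster_names: Optional comma-separated cluster names.  When omitted,
            every cluster the service is deployed to (``list_clusters``) is used.

    Returns:
        The provider returned by ``get_secret_provider``, scoped to the
        current working directory as ``soa_dir``.

    Exits the process with status 1 (after printing a hint) when the tool is
    not run from the yelpsoa root.
    """
    soa_dir = os.getcwd()
    if not is_service_folder(soa_dir, service_name):
        print(
            "{} not found.\n"
            "You must run this tool from the root of your local yelpsoa checkout\n"
            "The tool modifies files in yelpsoa-configs that you must then commit\n"
            "and push back to git.".format(os.path.join(service_name, "service.yaml"))
        )
        sys.exit(1)
    system_paasta_config = load_system_paasta_config()
    secret_provider_kwargs = {
        "vault_cluster_config": system_paasta_config.get_vault_cluster_config()
    }
    if cluster_names:
        # Tolerate "a, b" and trailing commas: strip surrounding whitespace and
        # drop empty entries so no bogus cluster name is handed to the provider.
        clusters = [name.strip() for name in cluster_names.split(",") if name.strip()]
    else:
        clusters = list_clusters(service=service_name, soa_dir=soa_dir)
    return get_secret_provider(
        secret_provider_name=system_paasta_config.get_secret_provider_name(),
        soa_dir=soa_dir,
        service_name=service_name,
        cluster_names=clusters,
        secret_provider_kwargs=secret_provider_kwargs,
    )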
def decrypt_secret_environment_variables(
    secret_provider_name,
    environment,
    soa_dir,
    service_name,
    cluster_name,
    secret_provider_kwargs,
):
    """Resolve the secret references in *environment* to plaintext values.

    Only entries whose value ``is_secret_ref`` recognises as a secret reference
    are sent to the provider; the rest of the environment is untouched.  Returns
    a dict of those variable names to decrypted values, or ``{}`` when there are
    no references (in which case no provider is constructed at all).

    On any provider failure the error is printed and the process exits with
    status 1, pointing the user at ``--skip-secrets``.
    """
    references = {
        name: value for name, value in environment.items() if is_secret_ref(value)
    }
    if not references:
        return {}
    provider = get_secret_provider(
        secret_provider_name=secret_provider_name,
        soa_dir=soa_dir,
        service_name=service_name,
        cluster_names=[cluster_name],
        secret_provider_kwargs=secret_provider_kwargs,
    )
    try:
        return provider.decrypt_environment(references)
    except Exception as e:  # CLI boundary: report the failure instead of a traceback
        paasta_print(f"Failed to retrieve secrets with {e.__class__.__name__}: {e}")
        paasta_print("If you don't need the secrets for local-run, you can add --skip-secrets")
        sys.exit(1)
def renew_issue_cert(system_paasta_config: SystemPaastaConfig, cluster: str) -> None:
    """Ask the configured secret provider to renew/issue *cluster*'s certificate.

    The provider is built from system-level configuration only (``soa_dir`` and
    ``service_name`` are ``None``) and scoped to the single cluster; the PKI
    backend and certificate TTL are likewise read from *system_paasta_config*.
    """
    provider_kwargs = {
        "vault_cluster_config": system_paasta_config.get_vault_cluster_config()
    }
    provider = get_secret_provider(
        secret_provider_name=system_paasta_config.get_secret_provider_name(),
        cluster_names=[cluster],
        secret_provider_kwargs=provider_kwargs,
        soa_dir=None,
        service_name=None,
    )
    backend = system_paasta_config.get_pki_backend()
    ttl = system_paasta_config.get_auth_certificate_ttl()
    provider.renew_issue_cert(pki_backend=backend, ttl=ttl)
def test_get_secret_provider():
    """The patched ``SecretProvider`` class is called with the scoping arguments
    plus the flattened ``secret_provider_kwargs``, and its instance is returned."""
    target = "paasta_tools.secret_providers.SecretProvider"
    with mock.patch(target, autospec=True) as secret_provider_cls:
        provider = get_secret_provider(
            secret_provider_name="paasta_tools.secret_providers",
            soa_dir="/nail/blah",
            service_name="test-service",
            cluster_names=["norcal-devc"],
            secret_provider_kwargs={"some": "thing"},
        )
        expected_call = dict(
            soa_dir="/nail/blah",
            service_name="test-service",
            cluster_names=["norcal-devc"],
            some="thing",
        )
        secret_provider_cls.assert_called_with(**expected_call)
        assert provider == secret_provider_cls.return_value
def decrypt_secret_environment_for_service(
    secret_env_vars,
    service_name,
    secret_provider_name,
    soa_dir,
    cluster_name,
    secret_provider_kwargs,
):
    """Decrypt *secret_env_vars* for one service on one cluster.

    Returns ``{}`` without building a provider when there is nothing to
    decrypt; otherwise returns the result of ``decrypt_environment``.
    """
    if secret_env_vars:
        provider = get_secret_provider(
            secret_provider_name=secret_provider_name,
            soa_dir=soa_dir,
            service_name=service_name,
            cluster_names=[cluster_name],
            secret_provider_kwargs=secret_provider_kwargs,
        )
        return provider.decrypt_environment(secret_env_vars)
    return {}
def test_get_secret_provider():
    """The patched ``SecretProvider`` class is called with the scoping arguments
    plus the flattened ``secret_provider_kwargs``, and its instance is returned."""
    target = 'paasta_tools.secret_providers.SecretProvider'
    with mock.patch(target, autospec=True) as secret_provider_cls:
        provider = get_secret_provider(
            secret_provider_name='paasta_tools.secret_providers',
            soa_dir='/nail/blah',
            service_name='test-service',
            cluster_names=['norcal-devc'],
            secret_provider_kwargs={'some': 'thing'},
        )
        expected_call = dict(
            soa_dir='/nail/blah',
            service_name='test-service',
            cluster_names=['norcal-devc'],
            some='thing',
        )
        secret_provider_cls.assert_called_with(**expected_call)
        assert provider == secret_provider_cls.return_value
def decrypt_secret_environment_variables(
    secret_provider_name,
    environment,
    soa_dir,
    service_name,
    cluster_name,
    secret_provider_kwargs,
):
    """Resolve the secret references in *environment* to plaintext values.

    Only entries whose value ``is_secret_ref`` recognises as a secret reference
    are sent to the provider.  Returns a dict of those variable names to
    decrypted values, or ``{}`` when there are no references (no provider is
    constructed in that case).  Provider errors propagate to the caller.
    """
    references = {
        name: value for name, value in environment.items() if is_secret_ref(value)
    }
    if not references:
        return {}
    provider = get_secret_provider(
        secret_provider_name=secret_provider_name,
        soa_dir=soa_dir,
        service_name=service_name,
        cluster_names=[cluster_name],
        secret_provider_kwargs=secret_provider_kwargs,
    )
    return provider.decrypt_environment(references)
def _get_secret_provider_for_service(service_name, cluster_names=None):
    """Build the configured secret provider for *service_name*.

    Args:
        service_name: Service whose folder must exist under the current working
            directory (the root of the yelpsoa checkout).
        cluster_names: Optional comma-separated cluster names.  When omitted,
            every cluster the service is deployed to (``list_clusters``) is used.

    Returns:
        The provider returned by ``get_secret_provider``, scoped to the
        current working directory as ``soa_dir``.

    Exits the process with status 1 (after printing a hint) when the tool is
    not run from the yelpsoa root.
    """
    if not is_service_folder(os.getcwd(), service_name):
        paasta_print(
            "You must run this tool from the root of your local yelpsoa checkout\n"
            "The tool modifies files in yelpsoa-configs that you must then commit\n"
            "and push back to git.",
        )
        sys.exit(1)
    config = load_system_paasta_config()
    provider_kwargs = {
        'vault_cluster_config': config.get_vault_cluster_config(),
    }
    if cluster_names:
        clusters = cluster_names.split(',')
    else:
        clusters = list_clusters(service=service_name, soa_dir=os.getcwd())
    return get_secret_provider(
        secret_provider_name=config.get_secret_provider_name(),
        soa_dir=os.getcwd(),
        service_name=service_name,
        cluster_names=clusters,
        secret_provider_kwargs=provider_kwargs,
    )
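def _sync_one_secret(
    kube_client: KubeClient,
    service: str,
    secret: str,
    secret_data,
    secret_provider,
) -> None:
    """Create or update the Kubernetes secret *secret* so it matches *secret_data*.

    The provider derives a signature from *secret_data*; a falsy signature means
    there is nothing to sync.  The secret is created when Kubernetes holds no
    signature for it, updated when the stored signature differs, and left alone
    otherwise.  A 409 from ``create_secret`` is logged and treated as
    "already exists"; any other ``ApiException`` is re-raised.
    """
    secret_signature = secret_provider.get_secret_signature_from_data(secret_data)
    if not secret_signature:
        return
    kubernetes_secret_signature = get_kubernetes_secret_signature(
        kube_client=kube_client,
        secret=secret,
        service=service,
    )
    if not kubernetes_secret_signature:
        log.info(f"{secret} for {service} not found, creating")
        try:
            create_secret(
                kube_client=kube_client,
                secret=secret,
                service=service,
                secret_provider=secret_provider,
            )
        except ApiException as e:
            # 409 Conflict: the secret already exists, so only the signature
            # record is missing; fall through and write it.
            if e.status != 409:
                raise
            log.warning(f"Secret {secret} for {service} already exists")
        create_kubernetes_secret_signature(
            kube_client=kube_client,
            secret=secret,
            service=service,
            secret_signature=secret_signature,
        )
    elif secret_signature != kubernetes_secret_signature:
        log.info(f"{secret} for {service} needs updating as signature changed")
        update_secret(
            kube_client=kube_client,
            secret=secret,
            service=service,
            secret_provider=secret_provider,
        )
        update_kubernetes_secret_signature(
            kube_client=kube_client,
            secret=secret,
            service=service,
            secret_signature=secret_signature,
        )
    else:
        log.info(f"{secret} for {service} up to date")


def sync_secrets(
    kube_client: KubeClient,
    cluster: str,
    service: str,
    secret_provider_name: str,
    vault_cluster_config: Mapping[str, str],
    soa_dir: str,
) -> bool:
    """Reconcile every ``<soa_dir>/<service>/secrets/*.json`` with Kubernetes.

    Each ``*.json`` file is loaded and handed to ``_sync_one_secret`` under the
    secret name given by the file name without its ``.json`` suffix.

    Args:
        kube_client: Client used for all Kubernetes reads and writes.
        cluster: Cluster the secret provider is scoped to.
        service: Service whose ``secrets`` directory is synced.
        secret_provider_name: Provider module name passed to ``get_secret_provider``.
        vault_cluster_config: Forwarded to the provider as ``vault_cluster_config``.
        soa_dir: Root of the soa-configs checkout.

    Returns:
        Always ``True``; failures surface as exceptions.

    Raises:
        FileNotFoundError: when the service has no ``secrets`` directory.
        ApiException: any Kubernetes error other than a 409 on create.
    """
    secret_dir = os.path.join(soa_dir, service, "secrets")
    secret_provider_kwargs = {
        'vault_cluster_config': vault_cluster_config,
        # TODO: make vault-tools support k8s auth method so we don't have to
        # mount a token in.
        'vault_auth_method': 'token',
        'vault_token_file': '/root/.vault_token',
    }
    secret_provider = get_secret_provider(
        secret_provider_name=secret_provider_name,
        soa_dir=soa_dir,
        service_name=service,
        cluster_names=[cluster],
        secret_provider_kwargs=secret_provider_kwargs,
    )
    suffix = ".json"
    with os.scandir(secret_dir) as entries:
        for entry in entries:
            # Only regular "*.json" files are secrets.  The previous check
            # accepted any name merely ending in "json" and stripped every
            # ".json" occurrence from the name, not just the suffix.
            if not entry.is_file() or not entry.name.endswith(suffix):
                continue
            secret = entry.name[: -len(suffix)]
            # JSON is UTF-8 by specification; don't depend on the locale.
            with open(entry.path, "r", encoding="utf-8") as secret_file:
                secret_data = json.load(secret_file)
            _sync_one_secret(
                kube_client=kube_client,
                service=service,
                secret=secret,
                secret_data=secret_data,
                secret_provider=secret_provider,
            )
    return True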