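def copy_secrets(vault: hvac.Client, old_path: str, new_path: str, kv_base: str = 'secret/'):
    """Copy every KV-v2 secret below *old_path* to the same relative key below *new_path*.

    Args:
        vault: authenticated hvac client.
        old_path: source prefix, relative to the mount (e.g. ``'apps/foo/'``).
        new_path: destination prefix that takes the place of *old_path*
            in each copied key.
        kv_base: mount prefix of the KV-v2 engine; the ``data/`` and
            ``metadata/`` API paths are built on top of it.

    Reads go through the ``data/`` endpoint, so only what that endpoint
    returns (the current version of each key) is copied; older versions
    and custom metadata are not carried over. Paths the token is not
    allowed to read are reported on stdout and skipped instead of
    aborting the whole copy.
    """

    def recursive_read(path: str):
        """Yield ``(key, secret_dict)`` for *path* and everything listed below it."""
        list_path = kv_base + 'metadata/' + path
        data_path = kv_base + 'data/' + path
        try:
            data = vault.read(data_path)
            if data is not None:
                # KV-v2 nests the user payload under data.data; for a
                # soft-deleted version that inner value is null, and there
                # is nothing to copy.
                secret = (data.get('data') or {}).get('data')
                if secret is not None:
                    yield path, secret
            children_resp = vault.list(list_path)
            if children_resp is None:
                return
            # Entries ending in '/' are folders; recursing with the same
            # read-then-list logic handles leaves and folders alike.
            for child in children_resp.get('data', {}).get('keys', []):
                yield from recursive_read(path + child)
        except Forbidden:
            print(f"Path {path} is forbidden!")
            return

    for subpath, secrets in recursive_read(old_path):
        # Every key yielded above starts with old_path, so a plain prefix
        # swap is enough. Using old_path as an unescaped regex (the previous
        # approach) misbehaves on '.' or '+' in the path and on backslashes
        # in new_path.
        relative = subpath[len(old_path):] if subpath.startswith(old_path) else subpath
        new_data_path = kv_base + 'data/' + new_path + relative
        print(new_data_path)
        vault.write(new_data_path, data=secrets)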
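def init_postgre_backend(client: hvac.Client, *, max_attempts=None, retry_delay=1.0):
    """Mount and configure the ``postgresql`` secret backend and its ``readwrite`` role.

    Args:
        client: authenticated hvac client.
        max_attempts: how many times to try writing the connection config
            before giving up; ``None`` (the default) retries until it
            succeeds, which is the historical behaviour.
        retry_delay: seconds to sleep between attempts.

    Raises:
        hvac.exceptions.InvalidRequest: the last error seen, once
            *max_attempts* is exhausted.

    Reads the module-level ``postgre_url`` and ``rw_role_request``.
    """
    if 'postgresql/' in client.list_secret_backends():
        logging.warning('Backend postgresql already exists : it will be modified')
    else:
        client.enable_secret_backend('postgresql')

    # connection_url normally embeds the database credentials; log only the
    # scheme and host so they do not end up in log files.
    logging.info('Setting up the postgre backend with the url %s',
                 _loggable_connection_target(postgre_url))
    attempt = 0
    while True:
        attempt += 1
        try:
            # Postgres and/or Vault may not be fully up when this runs, hence
            # the retry loop.
            client.write('/postgresql/config/connection', connection_url=postgre_url)
            break
        except hvac.exceptions.InvalidRequest as e:
            logging.error(e)
            if max_attempts is not None and attempt >= max_attempts:
                raise
            time.sleep(retry_delay)

    logging.info('Creating role readwrite')
    client.write('/postgresql/roles/readwrite', sql=rw_role_request)
    logging.info("Ok we're good. You can now request rw on the url postgresql/creds/readwrite")


def _loggable_connection_target(url: str) -> str:
    """Return ``scheme://host[:port]`` of *url* for log messages, never its credentials.

    Userinfo, path and query are dropped. Anything that is not of the form
    ``scheme://...`` (for example a libpq ``key=value`` DSN) has no part
    that is safe to show, so a fixed placeholder is returned instead.
    """
    from urllib.parse import urlsplit

    parts = urlsplit(url)
    if not parts.netloc:
        return '<redacted>'
    host = parts.netloc.rpartition('@')[2]
    return f'{parts.scheme}://{host}'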
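K8S_CA_CERT_FILE = os.path.join(CURRENT_DIR, '.kube-ca.pem')

# The CA bundle lives next to this script; anchoring the path on CURRENT_DIR
# (as the file reads below already do) keeps the client working when the
# script is run from a different working directory.
vault = Client(url="https://localhost:8200",
               verify=os.path.join(CURRENT_DIR, "ssl", "certs", "ca.pem"))
vault_settings = init_vault(vault, SETTINGS_FILE)
unseal_vault(vault, vault_settings)
# Everything below runs with the root token produced by init_vault.
vault.token = vault_settings["root_token"]

# NOTE(review): a bare integer max_lease_ttl is presumably read by Vault as
# seconds; 760*24*60 s is about 12.7 days, shorter than the 768h role TTLs
# configured below, which the mount maximum would then cap. Confirm the
# intended unit (and whether 760 was meant to be 768).
vault.enable_secret_backend(backend_type='pki', mount_point='/pki',
                            config={"max_lease_ttl": 760 * 24 * 60})

# The CA certificate and its private key are handed to Vault's PKI mount as
# one PEM bundle. ca-key.pem is the CA signing key: it must stay readable
# only by whoever runs this bootstrap.
bundle = {}
with open(os.path.join(CURRENT_DIR, "ssl", "certs", "ca.pem"), encoding="utf-8") as cert_file:
    bundle['cert'] = cert_file.read()
with open(os.path.join(CURRENT_DIR, "ssl", "certs", "ca-key.pem"), encoding="utf-8") as key_file:
    bundle['key'] = key_file.read()
vault.write(path='/pki/config/ca',
            pem_bundle="{}\n{}".format(bundle['cert'], bundle['key']))

# Issuing roles: allow_any_name=False plus allowed_domains restricts every
# role to names under the listed domains (and their subdomains).
vault.write('/pki/roles/default',
            allow_any_name=False,
            allow_subdomains=True,
            allowed_domains="default.svc.cluster.local",
            ttl='768h')
vault.write('/pki/roles/servicemesh',
            allow_any_name=False,
            allow_subdomains=True,
            allowed_domains="default.svc.cluster.local,default.mesh",
            ttl='768h')
# The mongo role issues certificates usable for both client and server auth.
vault.write('/pki/roles/mongo',
            allow_any_name=False,
            allow_subdomains=True,
            allowed_domains="mongo.default.svc.cluster.local",
            client_flag=True,
            server_flag=True,
            ttl='768h')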