def get_vault_tf_secrets(self, init_spec):
account = init_spec['account']
data = init_spec['data']
type = init_spec['type']
secrets_path = data['secrets_path']
secret = vault_client.read_all(secrets_path + '/' + type)
return (account, type, secret)
def fetch_provider_vault_secret(path, version, name, labels, annotations, type,
integration, integration_version):
# get the fields from vault
raw_data = vault_client.read_all({'path': path, 'version': version})
# construct oc resource
body = {
"apiVersion": "v1",
"kind": "Secret",
"type": type,
"metadata": {
"name": name,
"annotations": annotations
}
}
if labels:
body['metadata']['labels'] = labels
if raw_data.items():
body['data'] = {}
# populate data
for k, v in raw_data.items():
if v == "":
v = None
if k.lower().endswith(QONTRACT_BASE64_SUFFIX):
k = k[:-len(QONTRACT_BASE64_SUFFIX)]
elif v is not None:
v = base64.b64encode(v.encode()).decode('utf-8')
body['data'][k] = v
try:
return OR(body, integration, integration_version, error_details=path)
except ConstructResourceError as e:
raise FetchResourceError(str(e))
def read_all(secret, settings=None):
"""Returns a dictionary of keys and values
from Vault secret or configuration file.
The input secret is a dictionary which contains the following fields:
* path - path to the secret in Vault or config
* version (optional) - Vault secret version to read
* Note: if this is Vault secret and a v2 KV engine
The input settings is an optional app-interface-settings object
queried from app-interface. It is a dictionary containing `value: true`
if Vault is to be used as the secret backend.
Default vault setting is false, to allow using a config file
without creating app-interface-settings.
"""
if settings and settings.get('vault'):
try:
data = vault_client.read_all(secret)
except hvac.exceptions.Forbidden:
raise VaultForbidden(f'permission denied reading vault secret at '
f'{secret["path"]}')
return data
else:
return config.read_all(secret)
def config_from_vault(vault_path):
config = {}
required_keys = ('password', 'port', 'require_tls', 'server', 'username')
try:
data = vault_client.read_all(vault_path)
except vault_client.SecretNotFound as e:
raise Exception(
"Could not retrieve SMTP config from vault: {}".format(e))
try:
for k in required_keys:
config[k] = data[k]
except KeyError as e:
raise Exception(
"Missing expected SMTP config key in vault secret: {}".format(e))
return config
def fetch_provider_route(path, tls_path, tls_version):
global _log_lock
openshift_resource = fetch_provider_resource(path)
if tls_path is None or tls_version is None:
return openshift_resource
# override existing tls fields from vault secret
openshift_resource.body['spec'].setdefault('tls', {})
tls = openshift_resource.body['spec']['tls']
# get tls fields from vault
raw_data = \
vault_client.read_all({'path': tls_path, 'version': tls_version})
valid_keys = [
'termination', 'insecureEdgeTerminationPolicy', 'certificate', 'key',
'caCertificate', 'destinationCACertificate'
]
for k, v in raw_data.items():
if k in valid_keys:
tls[k] = v
continue
msg = "Route secret '{}' key '{}' not in valid keys {}".format(
tls_path, k, valid_keys)
_log_lock.acquire()
logging.info(msg)
_log_lock.release()
host = openshift_resource.body['spec'].get('host')
certificate = openshift_resource.body['spec']['tls'].get('certificate')
if host and certificate:
match = openssl.certificate_matches_host(certificate, host)
if not match:
e_msg = "Route host does not match CN (common name): {}"
raise FetchRouteError(e_msg.format(path))
return openshift_resource
def get_vault_tf_secrets(self, init_spec):
account = init_spec['account']
data = init_spec['data']
secrets_path = data['secrets_path']
secret = vault_client.read_all(secrets_path + '/config')
return (account, secret)
