def _auth_kubernetes(self, _client: hvac.Client) -> None: if not self.kubernetes_jwt_path: raise VaultError( "The kubernetes_jwt_path should be set here. This should not happen." ) with open(self.kubernetes_jwt_path) as f: jwt = f.read() _client.auth_kubernetes(role=self.kubernetes_role, jwt=jwt)
class GetAuthToken(): def __init__(self): if not os.getenv("SERVICE_ACCOUNT_TOEKN_PATH"): self.k8s_service_account_token_path = "/var/run/secrets/kubernetes.io/serviceaccount/token" else: self.k8s_service_account_token_path = os.getenv("SERVICE_ACCOUNT_TOEKN_PATH") if not os.getenv("VAULT_ROLE"): raise Exception('VAULT_ROLE is a mandatory env variable') else: self.role = os.getenv("VAULT_ROLE") if not os.getenv("VAULT_URL"): raise Exception("VAULT_URL is a mandatory env variable") else: self.vault_url = os.getenv("VAULT_URL") self.client = Client(url=self.vault_url) def get_auth_token(self): try: service_account_token = open(self.k8s_service_account_token_path) jwt = service_account_token.read() data = self.client.auth_kubernetes(role=self.role, jwt=jwt) return data["auth"]["client_token"] except Exception as e: print(e) finally: service_account_token.close()
def _get_client_token(self, client: hvac.Client) -> str: with open(self.auth_token_path) as f: sa_token = f.read() auth_info = client.auth_kubernetes(role=self.role, jwt=sa_token, mount_point=self.auth_mount_point) client_token = auth_info.get("auth", {}).get("client_token") if not client_token: raise ValueError("Not found vault token.") return str(client_token)
def test_auth_kubernetes(self, test_label, test_role, test_jwt, mount_point, requests_mocker): mock_response = { 'auth': { 'accessor': 'accessor-1234-5678-9012-345678901234', 'client_token': 'cltoken-1234-5678-9012-345678901234', 'lease_duration': 10000, 'metadata': { 'role': 'custom_role', 'service_account_name': 'vault-auth', 'service_account_namespace': 'default', 'service_account_secret_name': 'vault-auth-token-pd21c', 'service_account_uid': 'aa9aa8ff-98d0-11e7-9bb7-0800276d99bf' }, 'policies': [ 'default', 'custom_role' ], 'renewable': True }, 'data': None, 'lease_duration': 0, 'lease_id': '', 'renewable': False, 'request_id': 'requesti-1234-5678-9012-345678901234', 'warnings': [], 'wrap_info': None } mock_url = 'http://localhost:8200/v1/auth/{0}/login'.format( 'kubernetes' if mount_point is None else mount_point) requests_mocker.register_uri( method='POST', url=mock_url, json=mock_response ) client = Client() test_arguments = dict( role=test_role, jwt=test_jwt, ) if mount_point: test_arguments['mount_point'] = mount_point actual_response = client.auth_kubernetes(**test_arguments) # ensure we received our mock response data back successfully self.assertEqual(mock_response, actual_response)
def test_auth_kubernetes(self, test_label, test_role, test_jwt, mount_point, requests_mocker): mock_response = { 'auth': { 'accessor': 'accessor-1234-5678-9012-345678901234', 'client_token': 'cltoken-1234-5678-9012-345678901234', 'lease_duration': 10000, 'metadata': { 'role': 'custom_role', 'service_account_name': 'vault-auth', 'service_account_namespace': 'default', 'service_account_secret_name': 'vault-auth-token-pd21c', 'service_account_uid': 'aa9aa8ff-98d0-11e7-9bb7-0800276d99bf' }, 'policies': ['default', 'custom_role'], 'renewable': True }, 'data': None, 'lease_duration': 0, 'lease_id': '', 'renewable': False, 'request_id': 'requesti-1234-5678-9012-345678901234', 'warnings': [], 'wrap_info': None } mock_url = 'http://localhost:8200/v1/auth/{0}/login'.format( 'kubernetes' if mount_point is None else mount_point) requests_mocker.register_uri(method='POST', url=mock_url, json=mock_response) client = Client() test_arguments = dict( role=test_role, jwt=test_jwt, ) if mount_point: test_arguments['mount_point'] = mount_point actual_response = client.auth_kubernetes(**test_arguments) # ensure we received our mock response data back successfully self.assertEqual(mock_response, actual_response)