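def grab_secrets_kubernetes_objects(self):
    """Fetch secrets from Key Vault and create them as Kubernetes Secret objects.

    Environment:
        VAULT_BASE_URL: Key Vault endpoint passed to every client call.
        SECRETS_KEYS: ';'-separated key specs understood by
            ``self._split_keyinfo``; when unset, every secret in the vault
            is enumerated and created.
        SECRETS_NAMESPACE: stored on ``self._secrets_namespace`` (default
            ``'default'``); not read here, presumably consumed by
            ``self._create_kubernetes_secret_objects`` -- TODO confirm.

    Side effects:
        Sets ``self._secrets_namespace`` and calls
        ``self._create_kubernetes_secret_objects`` once per selected
        secret. Only secret names and versions are logged, never values.
    """
    vault_base_url = os.getenv('VAULT_BASE_URL')
    secrets_keys = os.getenv('SECRETS_KEYS')
    self._secrets_namespace = os.getenv('SECRETS_NAMESPACE', 'default')
    client = self._get_client()
    _logger.info('Using vault: %s', vault_base_url)

    if secrets_keys is None:
        # No explicit selection: enumerate the whole vault and use the
        # last '/'-separated component of each secret id as its name.
        _logger.info('Retrieving all secrets from Key Vault.')
        secrets_keys = ';'.join(
            secret.id.split('/')[-1]
            for secret in client.get_secrets(vault_base_url))

    # secrets_keys is a str from here on (possibly empty); the former
    # `is not None` guard was always true. filter(None, ...) drops the
    # empty fields produced by leading, trailing or doubled ';'.
    for key_info in filter(None, secrets_keys.split(';')):
        key_name, key_version, cert_filename, key_filename = self._split_keyinfo(
            key_info)
        _logger.info(
            'Retrieving secret name:%s with version: %s output certFileName: %s keyFileName: %s',
            key_name, key_version, cert_filename, key_filename)
        secret = client.get_secret(vault_base_url, key_name, key_version)
        # cert_filename / key_filename are only logged here: the Kubernetes
        # object is always named after the Key Vault secret itself.
        self._create_kubernetes_secret_objects(key_name, secret.value)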
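def grab_secrets_kubernetes_objects(self):
    """Fetch secrets from Key Vault and create them as typed Kubernetes Secret objects.

    Environment:
        VAULT_BASE_URL: Key Vault endpoint passed to every client call.
        SECRETS_KEYS: ';'-separated key specs understood by
            ``self._split_keyinfo``; when unset, every secret in the vault
            is enumerated and created.
        SECRETS_NAMESPACE: stored on ``self._secrets_namespace`` (default
            ``'default'``); not read here, presumably consumed by
            ``self._create_kubernetes_secret_objects`` -- TODO confirm.
        <KEY_NAME>_SECRET_TYPE / SECRETS_TYPE: Kubernetes secret type for
            one secret / for all secrets (default ``'Opaque'``). The
            per-secret variable name is the upper-cased Key Vault name; a
            name containing '-' yields a variable that most shells cannot
            set directly.

    Behaviour:
        For ``kubernetes.io/tls`` only a certificate-backed secret whose
        content type is PKCS#12 or PEM is created; any other content type
        exits the process. A rename request (cert filename differing from
        the secret name) for a non-certificate secret also exits. Any other
        type is created as-is with the secret's content type. Only names,
        versions and content types are logged, never values.
    """
    vault_base_url = os.getenv('VAULT_BASE_URL')
    secrets_keys = os.getenv('SECRETS_KEYS')
    self._secrets_namespace = os.getenv('SECRETS_NAMESPACE', 'default')
    client = self._get_client()
    _logger.info('Using vault: %s', vault_base_url)

    if secrets_keys is None:
        # No explicit selection: enumerate the whole vault and use the
        # last '/'-separated component of each secret id as its name.
        _logger.info('Retrieving all secrets from Key Vault.')
        secrets_keys = ';'.join(
            secret.id.split('/')[-1]
            for secret in client.get_secrets(vault_base_url))

    # secrets_keys is a str from here on (possibly empty); the former
    # `is not None` guard was always true. filter(None, ...) drops the
    # empty fields produced by leading, trailing or doubled ';'.
    for key_info in filter(None, secrets_keys.split(';')):
        key_name, key_version, cert_filename, key_filename = self._split_keyinfo(
            key_info)
        _logger.info(
            'Retrieving secret name:%s with version: %s output certFileName: %s keyFileName: %s',
            key_name, key_version, cert_filename, key_filename)
        secret = client.get_secret(vault_base_url, key_name, key_version)

        # Per-secret override first, then the global default.
        secret_type_env_key = key_name.upper() + "_SECRET_TYPE"
        secret_type = os.getenv(secret_type_env_key,
                                os.getenv("SECRETS_TYPE", 'Opaque'))

        if secret_type != 'kubernetes.io/tls':
            self._create_kubernetes_secret_objects(
                key_name, secret.value, secret_type, secret.content_type)
            continue

        if secret.kid is not None:
            # kid is set when the secret backs a certificate.
            _logger.info(
                'Secret is backing certificate. secret content_type: %s',
                secret.content_type)
            if secret.content_type in ('application/x-pkcs12',
                                       'application/x-pem-file'):
                self._create_kubernetes_secret_objects(
                    key_name, secret.value, secret_type, secret.content_type)
            else:
                _logger.error(
                    'Secret is not in pkcs12 or pem format. content_type: %s',
                    secret.content_type)
                sys.exit(1)
        elif key_name != cert_filename:
            # A cert filename was given for a plain secret -- presumably
            # _split_keyinfo defaults cert_filename to key_name (TODO confirm).
            _logger.error(
                'Cert filename provided for secret %s not backing a certificate.',
                key_name)
            sys.exit((
                'Error: Cert filename provided for secret {0} not backing a certificate.'
            ).format(key_name))
        else:
            # Previously this case fell through silently; a TLS secret that
            # is not certificate-backed cannot be created, so say so.
            _logger.warning(
                'Secret %s requested as kubernetes.io/tls is not backing a certificate; skipping.',
                key_name)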
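def grab_secrets(self):
    """Fetch secrets and certificates from Key Vault and write them to disk.

    Environment:
        VAULT_BASE_URL: Key Vault endpoint passed to every client call.
        SECRETS_KEYS: ';'-separated secret specs for ``self._split_keyinfo``.
        CERTS_KEYS: ';'-separated certificate specs; only the cert filename
            part of each spec is used.
        SECRETS_FOLDER: root output directory; ``secrets``, ``certs``,
            ``keys`` and ``certs_keys`` subfolders are created under it and
            their paths stored on ``self``.

    Side effects:
        Creates the four output folders, writes one file per secret into the
        ``secrets`` folder with owner-only permissions, and one PEM file per
        certificate into the ``certs`` folder. A certificate-backed secret
        in PKCS#12 form is additionally handed to ``self._dump_pfx`` before
        its raw value is written. Exits the process via ``sys.exit`` when
        SECRETS_FOLDER is unset, on an unsupported content type, or on a
        rename request for a secret that is not certificate-backed.
    """
    vault_base_url = os.getenv('VAULT_BASE_URL')
    secrets_keys = os.getenv('SECRETS_KEYS')
    certs_keys = os.getenv('CERTS_KEYS')
    output_folder = os.getenv('SECRETS_FOLDER')
    if output_folder is None:
        # os.path.join(None, ...) below would fail with an opaque TypeError.
        sys.exit('Error: SECRETS_FOLDER environment variable is not set.')

    self._secrets_output_folder = os.path.join(output_folder, "secrets")
    self._certs_output_folder = os.path.join(output_folder, "certs")
    self._keys_output_folder = os.path.join(output_folder, "keys")
    self._cert_keys_output_folder = os.path.join(output_folder, "certs_keys")
    for folder in (self._secrets_output_folder, self._certs_output_folder,
                   self._keys_output_folder, self._cert_keys_output_folder):
        if not os.path.exists(folder):
            os.makedirs(folder)

    client = self._get_client()
    _logger.info('Using vault: %s', vault_base_url)

    if secrets_keys is not None:
        for key_info in filter(None, secrets_keys.split(';')):
            # Secrets keep their Key Vault name on disk; only the
            # certificate/key files extracted from a PFX can be renamed.
            key_name, key_version, cert_filename, key_filename = self._split_keyinfo(key_info)
            _logger.info('Retrieving secret name:%s with version: %s output certFileName: %s keyFileName: %s',
                         key_name, key_version, cert_filename, key_filename)
            secret = client.get_secret(vault_base_url, key_name, key_version)
            if secret.kid is not None:
                # kid is set when the secret backs a certificate.
                _logger.info('Secret is backing certificate. Dumping private key and certificate.')
                if secret.content_type == 'application/x-pkcs12':
                    self._dump_pfx(secret.value, cert_filename, key_filename)
                else:
                    _logger.error('Secret is not in pkcs12 format')
                    sys.exit(1)
            elif key_name != cert_filename:
                # A cert filename was given for a plain secret -- presumably
                # _split_keyinfo defaults cert_filename to key_name (TODO confirm).
                _logger.error('Cert filename provided for secret %s not backing a certificate.', key_name)
                sys.exit(('Error: Cert filename provided for secret {0} not backing a certificate.').format(key_name))

            # The raw secret value (a PFX blob included) is always written
            # under its Key Vault name. key_name comes from deployment
            # config and is used as a path component without validation.
            output_path = os.path.join(self._secrets_output_folder, key_name)
            _logger.info('Dumping secret value to: %s', output_path)
            # Create with owner-only permissions: open(..., 'w') uses the
            # umask-dependent default mode, which typically leaves secret
            # material world-readable. A pre-existing file keeps its mode.
            fd = os.open(output_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
            with os.fdopen(fd, 'w') as secret_file:
                secret_file.write(self._dump_secret(secret))

    if certs_keys is not None:
        for key_info in filter(None, certs_keys.split(';')):
            # Only cert_filename is needed; the key filename part is ignored.
            key_name, key_version, cert_filename, _ = self._split_keyinfo(key_info)
            _logger.info('Retrieving cert name:%s with version: %s output certFileName: %s',
                         key_name, key_version, cert_filename)
            cert = client.get_certificate(vault_base_url, key_name, key_version)
            output_path = os.path.join(self._certs_output_folder, cert_filename)
            _logger.info('Dumping cert value to: %s', output_path)
            # Public certificate only (cert.cer); default permissions suffice.
            with open(output_path, 'w') as cert_file:
                cert_file.write(self._cert_to_pem(cert.cer))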