def check_secrets_for_instance(instance_config_dict, soa_dir, service_path, vault_env): return_value = True for env_value in instance_config_dict.get("env", {}).values(): if is_secret_ref(env_value): secret_name = get_secret_name_from_ref(env_value) if is_shared_secret(env_value): secret_file_name = f"{soa_dir}/_shared/secrets/{secret_name}.json" else: secret_file_name = f"{service_path}/secrets/{secret_name}.json" if os.path.isfile(secret_file_name): secret_json = get_config_file_dict(secret_file_name) if "ciphertext" not in secret_json["environments"].get( vault_env, {}): print( failure( f"Secret {secret_name} not defined for ecosystem {vault_env} on secret file {secret_file_name}", "", )) return_value = False else: print( failure(f"Secret file {secret_file_name} not defined", "")) return_value = False return return_value
def get_secret_env(self) -> Mapping[str, dict]: base_env = self.config_dict.get("env", {}) secret_env = {} for k, v in base_env.items(): if is_secret_ref(v): secret = get_secret_name_from_ref(v) sanitised_secret = sanitise_kubernetes_name(secret) service = ( self.service if not is_shared_secret(v) else SHARED_SECRET_SERVICE ) sanitised_service = sanitise_kubernetes_name(service) secret_env[k] = { "secret_name": f"tron-secret-{sanitised_service}-{sanitised_secret}", "key": secret, } return secret_env
def decrypt_secret_environment_variables( secret_provider_name, environment, soa_dir, service_name, cluster_name, secret_provider_kwargs, ): decrypted_secrets = {} service_secret_env = {} shared_secret_env = {} for k, v in environment.items(): if is_secret_ref(v): if is_shared_secret(v): shared_secret_env[k] = v else: service_secret_env[k] = v provider_args = { "secret_provider_name": secret_provider_name, "soa_dir": soa_dir, "cluster_name": cluster_name, "secret_provider_kwargs": secret_provider_kwargs, } secret_provider_kwargs["vault_num_uses"] = len(service_secret_env) + len( shared_secret_env ) try: decrypted_secrets.update( decrypt_secret_environment_for_service( service_secret_env, service_name, **provider_args ) ) decrypted_secrets.update( decrypt_secret_environment_for_service( shared_secret_env, SHARED_SECRET_SERVICE, **provider_args ) ) except Exception as e: paasta_print(f"Failed to retrieve secrets with {e.__class__.__name__}: {e}") paasta_print( "If you don't need the secrets for local-run, you can add --skip-secrets" ) sys.exit(1) return decrypted_secrets