Exemplo n.º 1
0
    def vault_create_policy(self):
        """
        Create a vault policy and generate token

        Raises:
            VaultOperationError exception

        """
        policy = (f'path "{self.vault_backend_path}/*" {{\n'
                  f'  capabilities = ["create", "read", "update","delete"]'
                  f"\n}}\n"
                  f'path "sys/mounts" {{\n'
                  f'capabilities = ["read"]\n'
                  f"}}")
        vault_hcl = tempfile.NamedTemporaryFile(mode="w+",
                                                prefix="test",
                                                delete=False)
        with open(vault_hcl.name, "w") as hcl:
            hcl.write(policy)

        if not config.ENV_DATA.get("VAULT_POLICY"):
            self.vault_policy_name = (
                f"{constants.VAULT_DEFAULT_POLICY_PREFIX}-"
                f"{self.cluster_id}")
        else:
            self.vault_policy_name = config.ENV_DATA.get("VAULT_POLICY")

        cmd = f"vault policy write {self.vault_policy_name} {vault_hcl.name}"
        out = subprocess.check_output(shlex.split(cmd))
        if "Success" in out.decode():
            logger.info(f"vault policy {self.vault_policy_name} created")
        else:
            raise VaultOperationError(
                f"Failed to create policy f{self.vault_policy_name}")
        self.vault_path_token = self.generate_vault_token()
Exemplo n.º 2
0
    def vault_create_backend_path(self):
        """
        create vault path to be used by OCS

        Raises:
            VaultOperationError exception
        """
        if config.ENV_DATA.get("VAULT_BACKEND_PATH"):
            self.vault_backend_path = config.ENV_DATA.get("VAULT_BACKEND_PATH")
        else:
            # Generate backend path name using prefix "ocs"
            # "ocs-<cluster-id>"
            self.cluster_id = get_running_cluster_id()
            self.vault_backend_path = (
                f"{constants.VAULT_DEFAULT_PATH_PREFIX}-{self.cluster_id}-"
                f"{get_cluster_name(config.ENV_DATA['cluster_path'])}"
            )
        cmd = f"vault secrets enable -path={self.vault_backend_path} kv"
        out = subprocess.check_output(shlex.split(cmd))
        if "Success" in out.decode():
            logger.info(f"vault path {self.vault_backend_path} created")
        else:
            raise VaultOperationError(
                f"Failed to create path f{self.vault_backend_path}"
            )
        self.vault_create_policy()
Exemplo n.º 3
0
    def create_namespace(self, vault_namespace):
        """
        Create a vault namespace

        Args:
            vault_namespace (str): name of the vault namespace

        Raises:
            VaultOperationError: If namespace is not created successfully

        """
        cmd = f"vault namespace create {vault_namespace}"
        proc = subprocess.Popen(
            shlex.split(cmd), stdout=subprocess.PIPE, stderr=subprocess.PIPE
        )
        out, err = proc.communicate()
        if proc.returncode:
            raise VaultOperationError("Namespace creation failed", err)
        # Check if namespace gets listed
        if self.vault_namespace_exists(vault_namespace):
            logger.info(f"Namespace {vault_namespace} successfully created")
        else:
            logger.error(f"Namespace {vault_namespace} not found in the list")
            raise VaultOperationError()
Exemplo n.º 4
0
    def vault_unseal(self):
        """
        Unseal vault if sealed

        Raises:
            VaultOperationError: In case unseal operation failed

        """
        if self.vault_sealed():
            logger.info("Vault is sealed, Unsealing now..")
            for i in range(3):
                kkey = f"UNSEAL_KEY{i+1}"
                self._vault_unseal(self.vault_conf[kkey])
            # Check if vault is unsealed or not
            if self.vault_sealed():
                raise VaultOperationError("Failed to Unseal vault")
            else:
                logger.info("Vault has been successfully unsealed")
        else:
            logger.info("Vault is not sealed")