def check_secrets_for_instance(instance_config_dict, soa_dir, service_path,
vault_env):
return_value = True
for env_value in instance_config_dict.get("env", {}).values():
if is_secret_ref(env_value):
secret_name = get_secret_name_from_ref(env_value)
if is_shared_secret(env_value):
secret_file_name = f"{soa_dir}/_shared/secrets/{secret_name}.json"
else:
secret_file_name = f"{service_path}/secrets/{secret_name}.json"
if os.path.isfile(secret_file_name):
secret_json = get_config_file_dict(secret_file_name)
if "ciphertext" not in secret_json["environments"].get(
vault_env, {}):
print(
failure(
f"Secret {secret_name} not defined for ecosystem {vault_env} on secret file {secret_file_name}",
"",
))
return_value = False
else:
print(
failure(f"Secret file {secret_file_name} not defined", ""))
return_value = False
return return_value
def get_secret_env(self) -> Mapping[str, dict]:
base_env = self.config_dict.get("env", {})
secret_env = {}
for k, v in base_env.items():
if is_secret_ref(v):
secret = get_secret_name_from_ref(v)
sanitised_secret = sanitise_kubernetes_name(secret)
service = (
self.service if not is_shared_secret(v) else SHARED_SECRET_SERVICE
)
sanitised_service = sanitise_kubernetes_name(service)
secret_env[k] = {
"secret_name": f"tron-secret-{sanitised_service}-{sanitised_secret}",
"key": secret,
}
return secret_env
def decrypt_secret_environment_variables(
secret_provider_name,
environment,
soa_dir,
service_name,
cluster_name,
secret_provider_kwargs,
):
decrypted_secrets = {}
service_secret_env = {}
shared_secret_env = {}
for k, v in environment.items():
if is_secret_ref(v):
if is_shared_secret(v):
shared_secret_env[k] = v
else:
service_secret_env[k] = v
provider_args = {
"secret_provider_name": secret_provider_name,
"soa_dir": soa_dir,
"cluster_name": cluster_name,
"secret_provider_kwargs": secret_provider_kwargs,
}
secret_provider_kwargs["vault_num_uses"] = len(service_secret_env) + len(
shared_secret_env
)
try:
decrypted_secrets.update(
decrypt_secret_environment_for_service(
service_secret_env, service_name, **provider_args
)
)
decrypted_secrets.update(
decrypt_secret_environment_for_service(
shared_secret_env, SHARED_SECRET_SERVICE, **provider_args
)
)
except Exception as e:
paasta_print(f"Failed to retrieve secrets with {e.__class__.__name__}: {e}")
paasta_print(
"If you don't need the secrets for local-run, you can add --skip-secrets"
)
sys.exit(1)
return decrypted_secrets