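    def grab_secrets_kubernetes_objects(self):
        """
        Gets secrets from KeyVault and creates them as Kubernetes secrets objects.

        Configuration is read from the environment:
          VAULT_BASE_URL     - base URL of the Key Vault (required).
          SECRETS_KEYS       - ';'-separated key infos (parsed by ``_split_keyinfo``);
                               when unset, every secret in the vault is fetched.
          SECRETS_NAMESPACE  - target namespace, stored on ``self._secrets_namespace``
                               (default 'default').

        Each secret is fetched with ``get_secret`` and handed to
        ``_create_kubernetes_secret_objects`` under its Key Vault name.

        Raises:
            RuntimeError: if VAULT_BASE_URL is unset or empty, so the
                misconfiguration is reported here instead of surfacing as an
                opaque error from the Key Vault client.
        """
        vault_base_url = os.getenv('VAULT_BASE_URL')
        secrets_keys = os.getenv('SECRETS_KEYS')
        self._secrets_namespace = os.getenv('SECRETS_NAMESPACE', 'default')

        if not vault_base_url:
            _logger.error('VAULT_BASE_URL is not set; cannot reach Key Vault.')
            raise RuntimeError('VAULT_BASE_URL environment variable is required')

        client = self._get_client()
        _logger.info('Using vault: %s', vault_base_url)

        # Retrieving all secrets from Key Vault if the user did not name any.
        if secrets_keys is None:
            _logger.info('Retrieving all secrets from Key Vault.')
            # The last path segment of a secret id is the secret name.
            secrets_keys = ';'.join(
                secret.id.split('/')[-1]
                for secret in client.get_secrets(vault_base_url))

        # secrets_keys is a string from here on (possibly empty), so the
        # former `is not None` re-check is unnecessary. filter(None, ...)
        # drops empty items such as the one left by a trailing ';'.
        for key_info in filter(None, secrets_keys.split(';')):
            key_name, key_version, cert_filename, key_filename = self._split_keyinfo(
                key_info)
            # Only names and filenames are logged, never the secret value.
            _logger.info(
                'Retrieving secret name:%s with version: %s output certFileName: %s keyFileName: %s',
                key_name, key_version, cert_filename, key_filename)
            secret = client.get_secret(vault_base_url, key_name, key_version)

            self._create_kubernetes_secret_objects(key_name, secret.value)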
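    def grab_secrets_kubernetes_objects(self):
        """
        Gets secrets from KeyVault and creates them as Kubernetes secrets objects.

        Configuration is read from the environment:
          VAULT_BASE_URL         - base URL of the Key Vault (required).
          SECRETS_KEYS           - ';'-separated key infos (parsed by
                                   ``_split_keyinfo``); when unset, every secret
                                   in the vault is fetched.
          SECRETS_NAMESPACE      - target namespace, stored on
                                   ``self._secrets_namespace`` (default 'default').
          SECRETS_TYPE           - default Kubernetes secret type (default 'Opaque').
          <KEY_NAME>_SECRET_TYPE - per-secret override of SECRETS_TYPE, where
                                   KEY_NAME is the upper-cased secret name.

        A secret typed 'kubernetes.io/tls' must back a Key Vault certificate
        (``secret.kid`` set) in PKCS#12 or PEM form; any other content type
        exits the process, as does a cert filename given for a secret that
        backs no certificate. A TLS-typed secret that backs no certificate
        and has no cert filename is skipped with a warning.

        Exits the process (``sys.exit``) when VAULT_BASE_URL is unset or a
        TLS secret is unusable, as described above.
        """
        vault_base_url = os.getenv('VAULT_BASE_URL')
        secrets_keys = os.getenv('SECRETS_KEYS')
        self._secrets_namespace = os.getenv('SECRETS_NAMESPACE', 'default')
        # Read once; the per-secret override below falls back to this value.
        default_secret_type = os.getenv("SECRETS_TYPE", 'Opaque')

        if not vault_base_url:
            _logger.error('VAULT_BASE_URL is not set; cannot reach Key Vault.')
            sys.exit(1)

        client = self._get_client()
        _logger.info('Using vault: %s', vault_base_url)

        # Retrieving all secrets from Key Vault if the user did not name any.
        if secrets_keys is None:
            _logger.info('Retrieving all secrets from Key Vault.')
            # The last path segment of a secret id is the secret name.
            secrets_keys = ';'.join(
                secret.id.split('/')[-1]
                for secret in client.get_secrets(vault_base_url))

        # secrets_keys is a string from here on (possibly empty), so the
        # former `is not None` re-check is unnecessary. filter(None, ...)
        # drops empty items such as the one left by a trailing ';'.
        for key_info in filter(None, secrets_keys.split(';')):
            key_name, key_version, cert_filename, key_filename = self._split_keyinfo(
                key_info)
            # Only names and filenames are logged, never the secret value.
            _logger.info(
                'Retrieving secret name:%s with version: %s output certFileName: %s keyFileName: %s',
                key_name, key_version, cert_filename, key_filename)
            secret = client.get_secret(vault_base_url, key_name, key_version)

            # Per-secret type override, e.g. (constructed) MYCERT_SECRET_TYPE.
            # NOTE: a '-' in key_name is carried into the variable name, which
            # most shells cannot set; such secrets can only use SECRETS_TYPE.
            secret_type_env_key = key_name.upper() + "_SECRET_TYPE"
            secret_type = os.getenv(secret_type_env_key, default_secret_type)

            if secret_type != 'kubernetes.io/tls':
                self._create_kubernetes_secret_objects(
                    key_name, secret.value, secret_type,
                    secret.content_type)
                continue

            # TLS secrets must be backed by a Key Vault certificate (kid set).
            if secret.kid is not None:
                _logger.info(
                    'Secret is backing certificate. secret content_type: %s',
                    secret.content_type)
                if secret.content_type in ('application/x-pkcs12', 'application/x-pem-file'):
                    self._create_kubernetes_secret_objects(
                        key_name, secret.value, secret_type,
                        secret.content_type)
                else:
                    _logger.error(
                        'Secret is not in pkcs12 or pem format.  content_type: %s',
                        secret.content_type)
                    sys.exit(1)
            elif key_name != cert_filename:
                _logger.error(
                    'Cert filename provided for secret %s not backing a certificate.',
                    key_name)
                sys.exit((
                    'Error: Cert filename provided for secret {0} not backing a certificate.'
                ).format(key_name))
            else:
                # A TLS-typed secret that backs no certificate is neither
                # created nor an error; make the skip visible instead of
                # dropping it silently.
                _logger.warning(
                    'Skipping secret %s: type %s requested but it does not back a certificate.',
                    key_name, secret_type)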
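    def grab_secrets(self):
        """
        Gets secrets from KeyVault and stores them in a folder.

        Configuration is read from the environment:
          VAULT_BASE_URL  - base URL of the Key Vault (required).
          SECRETS_FOLDER  - output root (required). The sub-folders 'secrets',
                            'certs', 'keys' and 'certs_keys' are created under
                            it and recorded on ``self._secrets_output_folder``,
                            ``self._certs_output_folder``,
                            ``self._keys_output_folder`` and
                            ``self._cert_keys_output_folder``.
          SECRETS_KEYS    - ';'-separated key infos of secrets to dump.
          CERTS_KEYS      - ';'-separated key infos of certificates to dump.

        Every listed secret is written via ``_dump_secret`` to the secrets
        folder under its Key Vault name. A secret that backs a certificate
        (``secret.kid`` set) must be PKCS#12 and is additionally passed to
        ``_dump_pfx`` with the cert/key filenames. Every listed certificate
        is converted with ``_cert_to_pem`` and written to the certs folder
        under ``cert_filename``.

        Exits the process (``sys.exit``) when a required variable is missing,
        when a certificate-backing secret is not PKCS#12, or when a cert
        filename is given for a secret that backs no certificate.
        """
        vault_base_url = os.getenv('VAULT_BASE_URL')
        secrets_keys = os.getenv('SECRETS_KEYS')
        certs_keys = os.getenv('CERTS_KEYS')
        output_folder = os.getenv('SECRETS_FOLDER')

        # Fail fast with a clear message instead of a TypeError from
        # os.path.join(None, ...) or an opaque error from the client.
        if not output_folder:
            _logger.error('SECRETS_FOLDER is not set; nowhere to write secrets.')
            sys.exit(1)
        if not vault_base_url:
            _logger.error('VAULT_BASE_URL is not set; cannot reach Key Vault.')
            sys.exit(1)

        self._secrets_output_folder = os.path.join(output_folder, "secrets")
        self._certs_output_folder = os.path.join(output_folder, "certs")
        self._keys_output_folder = os.path.join(output_folder, "keys")
        self._cert_keys_output_folder = os.path.join(output_folder, "certs_keys")

        for folder in (self._secrets_output_folder, self._certs_output_folder,
                       self._keys_output_folder, self._cert_keys_output_folder):
            if not os.path.exists(folder):
                os.makedirs(folder)

        client = self._get_client()
        _logger.info('Using vault: %s', vault_base_url)

        if secrets_keys is not None:
            for key_info in filter(None, secrets_keys.split(';')):
                # Secrets are not renamed. They will have same name
                # Certs and keys can be renamed
                key_name, key_version, cert_filename, key_filename = self._split_keyinfo(key_info)
                # Only names and filenames are logged, never the secret value.
                _logger.info('Retrieving secret name:%s with version: %s output certFileName: %s keyFileName: %s', key_name, key_version, cert_filename, key_filename)
                secret = client.get_secret(vault_base_url, key_name, key_version)

                if secret.kid is not None:
                    _logger.info('Secret is backing certificate. Dumping private key and certificate.')
                    if secret.content_type == 'application/x-pkcs12':
                        self._dump_pfx(secret.value, cert_filename, key_filename)
                    else:
                        _logger.error('Secret is not in pkcs12 format')
                        sys.exit(1)
                elif key_name != cert_filename:
                    _logger.error('Cert filename provided for secret %s not backing a certificate.', key_name)
                    sys.exit(('Error: Cert filename provided for secret {0} not backing a certificate.').format(key_name))

                # secret has same name as key_name
                output_path = os.path.join(self._secrets_output_folder, key_name)
                _logger.info('Dumping secret value to: %s', output_path)
                # NOTE(review): the file is created with the process umask, so
                # its mode may be wider than 0o600. Not tightened here because
                # the consumer of these files may run under another UID;
                # confirm who reads them before restricting the mode.
                with open(output_path, 'w') as secret_file:
                    secret_file.write(self._dump_secret(secret))

        if certs_keys is not None:
            for key_info in filter(None, certs_keys.split(';')):
                # only cert_filename is needed, key_filename is ignored with _
                key_name, key_version, cert_filename, _ = self._split_keyinfo(key_info)
                _logger.info('Retrieving cert name:%s with version: %s output certFileName: %s', key_name, key_version, cert_filename)
                cert = client.get_certificate(vault_base_url, key_name, key_version)
                output_path = os.path.join(self._certs_output_folder, cert_filename)
                _logger.info('Dumping cert value to: %s', output_path)
                # Public certificate material only; no private key is written here.
                with open(output_path, 'w') as cert_file:
                    cert_file.write(self._cert_to_pem(cert.cer))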