def tune_pki_backend_config_changed(): if is_unit_paused_set(): log("The Vault unit is paused, passing on tunning pki backend.") return if not service_running('vault'): set_flag('failed.to.start') return client = vault.get_client(url=vault.VAULT_LOCALHOST_URL) if client.is_sealed(): log("Unable to tune pki backend, service sealed.") else: ttl = config()['default-ttl'] max_ttl = config()['max-ttl'] vault_pki.tune_pki_backend(ttl=ttl, max_ttl=max_ttl) vault_pki.update_roles(max_ttl=max_ttl)
def publish_ca_info(): if is_unit_paused_set(): log("The Vault unit is paused, passing on publishing ca info.") return if not service_running('vault'): set_flag('failed.to.start') return client = vault.get_client(url=vault.VAULT_LOCALHOST_URL) tls = endpoint_from_flag('certificates.available') if client.is_sealed(): log("Unable to publish ca info, service sealed.") else: tls.set_ca(vault_pki.get_ca()) chain = vault_pki.get_chain() if chain: tls.set_chain(chain)
def publish_ca_info(): if not client_approle_authorized(): log("Vault not authorized: Skipping publicsh_ca_info", "WARNING") return if is_unit_paused_set(): log("The Vault unit is paused, passing on publishing ca info.") return if not service_running('vault'): set_flag('failed.to.start') return client = vault.get_client(url=vault.VAULT_LOCALHOST_URL) tls = endpoint_from_flag('certificates.available') if client.is_sealed(): log("Unable to publish ca info, service sealed.") else: tls.set_ca(vault_pki.get_ca()) try: # this might fail if we were restarted and need to be unsealed chain = vault_pki.get_chain() except vault.hvac.exceptions.VaultDown: chain = None if chain: tls.set_chain(chain)
def configure_secrets_backend(): """ Process requests for setup and access to simple kv secret backends """ @tenacity.retry(wait=tenacity.wait_exponential(multiplier=1, max=10), stop=tenacity.stop_after_attempt(10), reraise=True) def _check_vault_status(client): if (not service_running('vault') or not client.is_initialized() or client.is_sealed()): return False return True # NOTE: use localhost listener as policy only allows 127.0.0.1 to # administer the local vault instances via the charm client = vault.get_client(url=vault.VAULT_LOCALHOST_URL) status_ok = _check_vault_status(client) if not status_ok: log( 'Unable to process new secret backend requests,' ' deferring until vault is fully configured', level=DEBUG) return charm_role_id = vault.get_local_charm_access_role_id() if charm_role_id is None: log( 'Charm access to vault not configured, deferring' ' secrets backend setup', level=DEBUG) return client.auth_approle(charm_role_id) secrets = (endpoint_from_flag('endpoint.secrets.new-request') or endpoint_from_flag('secrets.connected')) requests = secrets.requests() # Configure KV secret backends backends = set([request['secret_backend'] for request in requests]) for backend in backends: if not backend.startswith('charm-'): continue vault.configure_secret_backend(client, name=backend) refresh_secrets = is_flag_set('secrets.refresh') # Configure AppRoles for application unit access for request in requests: # NOTE: backends must start with charm- backend_name = request['secret_backend'] if not backend_name.startswith('charm-'): continue unit = request['unit'] hostname = request['hostname'] access_address = request['ingress_address'] isolated = request['isolated'] unit_name = request.get('unit_name', unit.unit_name).replace('/', '-') policy_name = approle_name = 'charm-{}'.format(unit_name) if isolated: policy_template = vault.SECRET_BACKEND_HCL else: policy_template = vault.SECRET_BACKEND_SHARED_HCL vault.configure_policy(client, name=policy_name, hcl=policy_template.format(backend=backend_name, hostname=hostname)) cidr = '{}/32'.format(access_address) new_role = (approle_name not in client.list_roles()) approle_id = vault.configure_approle(client, name=approle_name, cidr=cidr, policies=[policy_name]) if new_role or refresh_secrets: wrapped_secret = vault.generate_role_secret_id(client, name=approle_name, cidr=cidr) secrets.set_role_id(unit=unit, role_id=approle_id, token=wrapped_secret) clear_flag('endpoint.secrets.new-request') clear_flag('secrets.refresh')
def test_get_client(self, get_api_url, hvac_Client): get_api_url.return_value = 'http://this-unit' vault.get_client() hvac_Client.assert_called_once_with(url='http://this-unit')