Пример #1
 def decrypt_environment(
     self,
     environment: Dict[str, str],
     **kwargs: Any,
 ) -> Dict[str, str]:
     """Resolve every secret reference in *environment* to its plaintext.

     A fresh Vault client is created on each call and stored on the
     instance together with the ecosystem it was created for.

     Args:
         environment: Maps variable names to secret references. Every
             value is handed to ``get_secret_name_from_ref`` without an
             ``is_secret_ref`` check here, so callers presumably pass
             only references -- confirm at the call sites.
         **kwargs: Accepted but not used by this implementation.

     Returns:
         The same keys mapped to decrypted values as ``str``. The result
         holds plaintext secrets; keep it out of logs and error messages.
     """
     # Only the first ecosystem returned for the clusters is used.
     self.ecosystem = self.get_vault_ecosystems_for_clusters()[0]
     # num_uses equals the number of entries to decrypt.
     # NOTE(review): presumably this caps the client's token at one use
     # per secret -- confirm in get_vault_client.
     self.client = get_vault_client(
         ecosystem=self.ecosystem,
         num_uses=len(environment),
         vault_auth_method=self.vault_auth_method,
         vault_token_file=self.vault_token_file,
     )

     plaintext_by_var = {}
     for var_name, secret_ref in environment.items():
         name = get_secret_name_from_ref(secret_ref)
         # NOTE(review): the name is joined into a filesystem path as-is.
         # Confirm get_secret_name_from_ref restricts it to characters
         # that cannot leave self.secret_dir (no separators, no "..").
         json_path = os.path.join(self.secret_dir, f"{name}.json")
         raw = get_plaintext(
             client=self.client,
             env=self.ecosystem,
             path=json_path,
             # Caching is switched off for this lookup.
             cache_enabled=False,
             cache_dir=None,
             cache_key=None,
             context=self.service_name,
         )
         plaintext_by_var[var_name] = raw.decode('utf-8')
     return plaintext_by_var
Пример #2
def check_secrets_for_instance(instance_config_dict, soa_dir, service_path,
                               vault_env):
    """Check that every secret referenced by an instance exists for *vault_env*.

    For each value under the instance's ``env`` key that is a secret
    reference, the matching secret file must exist and must contain a
    ``ciphertext`` entry for *vault_env*. Each failed check is printed
    and scanning continues, so one run reports all missing secrets.

    Args:
        instance_config_dict: Instance configuration; only ``env`` is read.
        soa_dir: Root directory; shared secrets are looked up under
            ``<soa_dir>/_shared/secrets``.
        service_path: Service directory; other secrets are looked up
            under ``<service_path>/secrets``.
        vault_env: Ecosystem name that must have a ciphertext entry.

    Returns:
        True when every referenced secret passed, False otherwise. An
        instance with no secret references returns True.
    """
    all_ok = True
    for ref in instance_config_dict.get("env", {}).values():
        if not is_secret_ref(ref):
            continue
        secret_name = get_secret_name_from_ref(ref)
        # NOTE(review): secret_name is interpolated into a path; confirm
        # get_secret_name_from_ref cannot return separators or "..".
        base_dir = f"{soa_dir}/_shared" if is_shared_secret(ref) else service_path
        secret_file_name = f"{base_dir}/secrets/{secret_name}.json"

        if not os.path.isfile(secret_file_name):
            print(failure(f"Secret file {secret_file_name} not defined", ""))
            all_ok = False
            continue

        secret_json = get_config_file_dict(secret_file_name)
        # "environments" is indexed directly, so a secret file without
        # that key raises KeyError instead of printing a failure.
        # Only the presence of "ciphertext" is checked; the value is not
        # decrypted or validated here.
        per_env = secret_json["environments"].get(vault_env, {})
        if "ciphertext" not in per_env:
            message = f"Secret {secret_name} not defined for ecosystem {vault_env} on secret file {secret_file_name}"
            print(failure(message, ""))
            all_ok = False
    return all_ok
Пример #3
 def get_secret_env(self) -> Mapping[str, dict]:
     """Map each secret-backed env var to the Kubernetes secret holding it.

     Only entries of ``config_dict["env"]`` whose value is a secret
     reference are included. No secret is decrypted here: the result
     carries names only.

     Returns:
         ``{var_name: {"secret_name": ..., "key": ...}}`` where
         ``secret_name`` is ``tron-secret-<service>-<secret>`` built from
         the sanitised names and ``key`` is the unsanitised secret name.
     """
     resolved = {}
     for var_name, raw_value in self.config_dict.get("env", {}).items():
         if not is_secret_ref(raw_value):
             continue
         secret_key = get_secret_name_from_ref(raw_value)
         # NOTE(review): if sanitise_kubernetes_name can map two distinct
         # names onto the same string, two secrets would resolve to the
         # same Kubernetes object -- confirm against its implementation.
         k8s_secret = sanitise_kubernetes_name(secret_key)
         # Shared secrets are filed under the shared service name rather
         # than under this instance's own service.
         if is_shared_secret(raw_value):
             owner = SHARED_SECRET_SERVICE
         else:
             owner = self.service
         k8s_owner = sanitise_kubernetes_name(owner)
         resolved[var_name] = {
             "secret_name": f"tron-secret-{k8s_owner}-{k8s_secret}",
             "key": secret_key,
         }
     return resolved
Пример #4
 def decrypt_environment(self, environment: Dict[str, str],
                         **kwargs: Any) -> Dict[str, str]:
     """Resolve every secret reference in *environment* to its plaintext.

     Uses the existing client for the first configured ecosystem; no new
     client is created here.

     Args:
         environment: Maps variable names to secret references. Values
             are not checked with ``is_secret_ref`` in this method, so
             callers presumably pre-filter -- confirm at the call sites.
         **kwargs: Accepted but not used by this implementation.

     Returns:
         The same keys mapped to decrypted values as ``str``. The result
         holds plaintext secrets; keep it out of logs and error messages.
     """
     # Only the first ecosystem is ever consulted.
     vault_client = self.clients[self.ecosystems[0]]
     plaintext_by_var = {}
     for var_name, secret_ref in environment.items():
         name = get_secret_name_from_ref(secret_ref)
         # NOTE(review): the name is joined into a filesystem path as-is.
         # Confirm get_secret_name_from_ref restricts it to characters
         # that cannot leave self.secret_dir (no separators, no "..").
         json_path = os.path.join(self.secret_dir, f"{name}.json")
         raw = get_plaintext(
             client=vault_client,
             env=self.ecosystems[0],
             path=json_path,
             # Caching is switched off for this lookup.
             cache_enabled=False,
             cache_dir=None,
             cache_key=None,
             context=self.service_name,
         )
         plaintext_by_var[var_name] = raw.decode("utf-8")
     return plaintext_by_var
Пример #5
def test_get_secret_name_from_ref():
    """A ``SECRET(...)`` reference yields the name between the parentheses."""
    # Only a well-formed reference is pinned here; behaviour on malformed
    # input (path separators, empty name) is not covered by this test.
    reference = 'SECRET(aaa-bbb-222_111)'
    expected_name = 'aaa-bbb-222_111'
    assert get_secret_name_from_ref(reference) == expected_name
Пример #6
def test_get_shared_secret_name_from_ref():
    """A ``SHARED_SECRET(...)`` reference yields the name between the parentheses."""
    # Only a well-formed reference is pinned here; behaviour on malformed
    # input (path separators, empty name) is not covered by this test.
    reference = "SHARED_SECRET(aaa-bbb-222_111)"
    expected_name = "aaa-bbb-222_111"
    assert get_secret_name_from_ref(reference) == expected_name
Пример #7
def test_get_secret_name_from_ref():
    """A ``SECRET(...)`` reference yields the name between the parentheses."""
    # Only a well-formed reference is pinned here; behaviour on malformed
    # input (path separators, empty name) is not covered by this test.
    reference = "SECRET(aaa-bbb-222_111)"
    expected_name = "aaa-bbb-222_111"
    assert get_secret_name_from_ref(reference) == expected_name