示例#1
0
def tune_pki_backend_config_changed():
    if is_unit_paused_set():
        log("The Vault unit is paused, passing on tunning pki backend.")
        return
    if not service_running('vault'):
        set_flag('failed.to.start')
        return
    client = vault.get_client(url=vault.VAULT_LOCALHOST_URL)
    if client.is_sealed():
        log("Unable to tune pki backend, service sealed.")
    else:
        ttl = config()['default-ttl']
        max_ttl = config()['max-ttl']
        vault_pki.tune_pki_backend(ttl=ttl, max_ttl=max_ttl)
        vault_pki.update_roles(max_ttl=max_ttl)
示例#2
0
def publish_ca_info():
    if is_unit_paused_set():
        log("The Vault unit is paused, passing on publishing ca info.")
        return
    if not service_running('vault'):
        set_flag('failed.to.start')
        return
    client = vault.get_client(url=vault.VAULT_LOCALHOST_URL)
    tls = endpoint_from_flag('certificates.available')
    if client.is_sealed():
        log("Unable to publish ca info, service sealed.")
    else:
        tls.set_ca(vault_pki.get_ca())
        chain = vault_pki.get_chain()
        if chain:
            tls.set_chain(chain)
示例#3
0
def publish_ca_info():
    if not client_approle_authorized():
        log("Vault not authorized: Skipping publicsh_ca_info", "WARNING")
        return
    if is_unit_paused_set():
        log("The Vault unit is paused, passing on publishing ca info.")
        return
    if not service_running('vault'):
        set_flag('failed.to.start')
        return
    client = vault.get_client(url=vault.VAULT_LOCALHOST_URL)
    tls = endpoint_from_flag('certificates.available')
    if client.is_sealed():
        log("Unable to publish ca info, service sealed.")
    else:
        tls.set_ca(vault_pki.get_ca())
        try:
            # this might fail if we were restarted and need to be unsealed
            chain = vault_pki.get_chain()
        except vault.hvac.exceptions.VaultDown:
            chain = None
        if chain:
            tls.set_chain(chain)
示例#4
0
def configure_secrets_backend():
    """ Process requests for setup and access to simple kv secret backends """
    @tenacity.retry(wait=tenacity.wait_exponential(multiplier=1, max=10),
                    stop=tenacity.stop_after_attempt(10),
                    reraise=True)
    def _check_vault_status(client):
        if (not service_running('vault') or not client.is_initialized()
                or client.is_sealed()):
            return False
        return True

    # NOTE: use localhost listener as policy only allows 127.0.0.1 to
    #       administer the local vault instances via the charm
    client = vault.get_client(url=vault.VAULT_LOCALHOST_URL)

    status_ok = _check_vault_status(client)
    if not status_ok:
        log(
            'Unable to process new secret backend requests,'
            ' deferring until vault is fully configured',
            level=DEBUG)
        return

    charm_role_id = vault.get_local_charm_access_role_id()
    if charm_role_id is None:
        log(
            'Charm access to vault not configured, deferring'
            ' secrets backend setup',
            level=DEBUG)
        return
    client.auth_approle(charm_role_id)

    secrets = (endpoint_from_flag('endpoint.secrets.new-request')
               or endpoint_from_flag('secrets.connected'))
    requests = secrets.requests()

    # Configure KV secret backends
    backends = set([request['secret_backend'] for request in requests])
    for backend in backends:
        if not backend.startswith('charm-'):
            continue
        vault.configure_secret_backend(client, name=backend)

    refresh_secrets = is_flag_set('secrets.refresh')

    # Configure AppRoles for application unit access
    for request in requests:
        # NOTE: backends must start with charm-
        backend_name = request['secret_backend']
        if not backend_name.startswith('charm-'):
            continue

        unit = request['unit']
        hostname = request['hostname']
        access_address = request['ingress_address']
        isolated = request['isolated']
        unit_name = request.get('unit_name', unit.unit_name).replace('/', '-')
        policy_name = approle_name = 'charm-{}'.format(unit_name)

        if isolated:
            policy_template = vault.SECRET_BACKEND_HCL
        else:
            policy_template = vault.SECRET_BACKEND_SHARED_HCL

        vault.configure_policy(client,
                               name=policy_name,
                               hcl=policy_template.format(backend=backend_name,
                                                          hostname=hostname))

        cidr = '{}/32'.format(access_address)
        new_role = (approle_name not in client.list_roles())

        approle_id = vault.configure_approle(client,
                                             name=approle_name,
                                             cidr=cidr,
                                             policies=[policy_name])

        if new_role or refresh_secrets:
            wrapped_secret = vault.generate_role_secret_id(client,
                                                           name=approle_name,
                                                           cidr=cidr)
            secrets.set_role_id(unit=unit,
                                role_id=approle_id,
                                token=wrapped_secret)

    clear_flag('endpoint.secrets.new-request')
    clear_flag('secrets.refresh')
示例#5
0
 def test_get_client(self, get_api_url, hvac_Client):
     get_api_url.return_value = 'http://this-unit'
     vault.get_client()
     hvac_Client.assert_called_once_with(url='http://this-unit')