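    def vault_create_policy(self):
        """
        Create a vault policy scoped to the backend path and generate a token

        The policy grants ``create``/``read``/``update``/``delete`` on
        ``<vault_backend_path>/*`` and ``read`` on ``sys/mounts`` only; it is
        written to a temporary HCL file, loaded with ``vault policy write``
        and the file is removed again afterwards.  The policy name is taken
        from ``config.ENV_DATA["VAULT_POLICY"]`` when set, otherwise it is
        derived from ``constants.VAULT_DEFAULT_POLICY_PREFIX`` and
        ``self.cluster_id``.  On success ``self.vault_policy_name`` and
        ``self.vault_path_token`` are set.

        Raises:
            VaultOperationError: If ``vault policy write`` ran but did not
                report success
            subprocess.CalledProcessError: If the vault CLI exited non-zero

        """
        policy = (
            f'path "{self.vault_backend_path}/*" {{\n'
            f'  capabilities = ["create", "read", "update","delete"]'
            f"\n}}\n"
            f'path "sys/mounts" {{\n'
            f'capabilities = ["read"]\n'
            f"}}"
        )

        if config.ENV_DATA.get("VAULT_POLICY"):
            self.vault_policy_name = config.ENV_DATA.get("VAULT_POLICY")
        else:
            # NOTE(review): this branch relies on self.cluster_id already
            # being set; vault_create_backend_path only sets it when it
            # generates the path itself - confirm it is initialised elsewhere
            self.vault_policy_name = (
                f"{constants.VAULT_DEFAULT_POLICY_PREFIX}-"
                f"{self.cluster_id}"
            )

        # Keep the HCL file inside the context manager so it is closed and
        # deleted once the CLI has consumed it; the previous delete=False
        # handle was never closed and the file was left on disk.  The CLI
        # opens the file by name while it is still open here, which is fine
        # on POSIX (the earlier open(name, "w") relied on the same thing).
        with tempfile.NamedTemporaryFile(
            mode="w", prefix="test", suffix=".hcl"
        ) as hcl:
            hcl.write(policy)
            hcl.flush()
            # shlex.split + no shell: the arguments are never shell-parsed,
            # so a policy name from config cannot inject extra commands
            cmd = f"vault policy write {self.vault_policy_name} {hcl.name}"
            out = subprocess.check_output(shlex.split(cmd))

        if "Success" in out.decode():
            logger.info(f"vault policy {self.vault_policy_name} created")
        else:
            # Message used to read "policy f<name>" because of a stray
            # literal "f" in front of the placeholder
            raise VaultOperationError(
                f"Failed to create policy {self.vault_policy_name}"
            )
        self.vault_path_token = self.generate_vault_token()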
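    def vault_create_backend_path(self):
        """
        Create the vault KV secrets path used by OCS and its policy

        The path is taken from ``config.ENV_DATA["VAULT_BACKEND_PATH"]`` when
        set; otherwise it is generated as
        ``<VAULT_DEFAULT_PATH_PREFIX>-<cluster-id>-<cluster-name>`` and
        ``self.cluster_id`` is recorded on the way.  The path is enabled with
        ``vault secrets enable ... kv`` and ``vault_create_policy`` is called
        afterwards to attach a policy to it.

        Raises:
            VaultOperationError: If ``vault secrets enable`` ran but did not
                report success
            subprocess.CalledProcessError: If the vault CLI exited non-zero

        """
        configured_path = config.ENV_DATA.get("VAULT_BACKEND_PATH")
        if configured_path:
            # NOTE(review): self.cluster_id is not set on this branch, but
            # vault_create_policy reads it when VAULT_POLICY is unset -
            # confirm it is initialised elsewhere (e.g. in __init__)
            self.vault_backend_path = configured_path
        else:
            # Generate backend path name using prefix "ocs"
            # "ocs-<cluster-id>-<cluster-name>"
            self.cluster_id = get_running_cluster_id()
            self.vault_backend_path = (
                f"{constants.VAULT_DEFAULT_PATH_PREFIX}-{self.cluster_id}-"
                f"{get_cluster_name(config.ENV_DATA['cluster_path'])}"
            )

        # shlex.split + no shell: the path is passed as a plain argument and
        # never shell-parsed (a path containing whitespace would still be
        # split into several arguments, so keep it free of spaces)
        cmd = f"vault secrets enable -path={self.vault_backend_path} kv"
        out = subprocess.check_output(shlex.split(cmd))
        if "Success" in out.decode():
            logger.info(f"vault path {self.vault_backend_path} created")
        else:
            # Message used to read "path f<name>" because of a stray literal
            # "f" in front of the placeholder
            raise VaultOperationError(
                f"Failed to create path {self.vault_backend_path}"
            )
        self.vault_create_policy()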
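    def create_namespace(self, vault_namespace):
        """
        Create a vault namespace

        Runs ``vault namespace create <vault_namespace>`` without a shell and
        then verifies that the namespace is listed via
        ``self.vault_namespace_exists``.

        Args:
            vault_namespace (str): name of the vault namespace

        Raises:
            VaultOperationError: If the CLI exited non-zero (stderr is
                attached to the exception) or the namespace is not listed
                afterwards

        """
        cmd = f"vault namespace create {vault_namespace}"
        # No shell involved: the namespace name is a single argv entry
        proc = subprocess.run(
            shlex.split(cmd), stdout=subprocess.PIPE, stderr=subprocess.PIPE
        )
        if proc.returncode:
            # Decode so the failure reason is readable in the traceback
            raise VaultOperationError(
                "Namespace creation failed",
                proc.stderr.decode(errors="replace"),
            )
        # Check if namespace gets listed
        if self.vault_namespace_exists(vault_namespace):
            logger.info(f"Namespace {vault_namespace} successfully created")
        else:
            logger.error(f"Namespace {vault_namespace} not found in the list")
            # The bare VaultOperationError() carried no message before
            raise VaultOperationError(
                f"Namespace {vault_namespace} not found in the list"
            )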
    def vault_unseal(self):
        """
        Unseal the vault when it is currently sealed

        Three unseal keys are read from ``self.vault_conf`` under
        ``UNSEAL_KEY1`` .. ``UNSEAL_KEY3`` and submitted in order through
        ``self._vault_unseal``; the seal status is re-checked afterwards.
        Nothing is done when the vault is already unsealed.

        Raises:
            VaultOperationError: If the vault is still sealed after all keys
                have been submitted

        """
        if not self.vault_sealed():
            logger.info("Vault is not sealed")
            return

        logger.info("Vault is sealed, Unsealing now..")
        # Only the slot number is ever logged; the key material itself stays
        # out of the logs
        for slot in (1, 2, 3):
            self._vault_unseal(self.vault_conf[f"UNSEAL_KEY{slot}"])

        # Check if vault is unsealed or not
        if self.vault_sealed():
            raise VaultOperationError("Failed to Unseal vault")
        logger.info("Vault has been successfully unsealed")