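def vault_create_policy(self):
    """
    Create a vault policy and generate a token for it.

    The policy grants create/read/update/delete on
    ``<vault_backend_path>/*`` and read on ``sys/mounts``. The policy
    name is taken from ``config.ENV_DATA["VAULT_POLICY"]`` when set,
    otherwise ``<VAULT_DEFAULT_POLICY_PREFIX>-<cluster_id>``. On success
    the name is stored in ``self.vault_policy_name`` and the token
    returned by ``self.generate_vault_token()`` in
    ``self.vault_path_token``.

    Raises:
        VaultOperationError: If ``vault policy write`` does not report success
    """
    policy = (
        f'path "{self.vault_backend_path}/*" {{\n'
        f' capabilities = ["create", "read", "update","delete"]'
        f"\n}}\n"
        f'path "sys/mounts" {{\n'
        f'capabilities = ["read"]\n'
        f"}}"
    )

    if not config.ENV_DATA.get("VAULT_POLICY"):
        self.vault_policy_name = (
            f"{constants.VAULT_DEFAULT_POLICY_PREFIX}-{self.cluster_id}"
        )
    else:
        self.vault_policy_name = config.ENV_DATA.get("VAULT_POLICY")

    # Keep the temp file open (and flushed) while the CLI reads it by name, so
    # it is removed on exit instead of leaving an open handle and a stray
    # policy file on disk as the previous open()-by-name approach did.
    with tempfile.NamedTemporaryFile(mode="w+", prefix="test") as hcl:
        hcl.write(policy)
        hcl.flush()
        # Pass an argument list rather than shlex-splitting a formatted
        # string: a config-supplied policy name is then never re-tokenized.
        cmd = ["vault", "policy", "write", self.vault_policy_name, hcl.name]
        out = subprocess.check_output(cmd)

    if "Success" in out.decode():
        logger.info(f"vault policy {self.vault_policy_name} created")
    else:
        # Message previously contained a stray literal "f" before the name.
        raise VaultOperationError(
            f"Failed to create policy {self.vault_policy_name}"
        )
    self.vault_path_token = self.generate_vault_token()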
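def vault_create_backend_path(self):
    """
    Create the vault KV secrets path used by OCS, then create its policy.

    Uses ``config.ENV_DATA["VAULT_BACKEND_PATH"]`` when set; otherwise the
    path is ``<VAULT_DEFAULT_PATH_PREFIX>-<cluster_id>-<cluster_name>`` with
    the cluster id taken from ``get_running_cluster_id()``. The chosen path
    is stored in ``self.vault_backend_path`` and ``self.vault_create_policy()``
    is invoked afterwards.

    Raises:
        VaultOperationError: If ``vault secrets enable`` does not report success
    """
    if config.ENV_DATA.get("VAULT_BACKEND_PATH"):
        self.vault_backend_path = config.ENV_DATA.get("VAULT_BACKEND_PATH")
        # NOTE(review): self.cluster_id is not assigned on this branch, yet
        # vault_create_policy() reads it when VAULT_POLICY is unset — confirm
        # it is initialised elsewhere (e.g. in __init__).
    else:
        # Generate backend path name using prefix "ocs"
        # "ocs-<cluster-id>-<cluster-name>"
        self.cluster_id = get_running_cluster_id()
        self.vault_backend_path = (
            f"{constants.VAULT_DEFAULT_PATH_PREFIX}-{self.cluster_id}-"
            f"{get_cluster_name(config.ENV_DATA['cluster_path'])}"
        )

    # Argument list instead of shlex-splitting a formatted string, so a
    # config-supplied path is never re-tokenized on whitespace or quotes.
    cmd = ["vault", "secrets", "enable", f"-path={self.vault_backend_path}", "kv"]
    out = subprocess.check_output(cmd)
    if "Success" in out.decode():
        logger.info(f"vault path {self.vault_backend_path} created")
    else:
        # Message previously contained a stray literal "f" before the path.
        raise VaultOperationError(
            f"Failed to create path {self.vault_backend_path}"
        )
    self.vault_create_policy()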
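def create_namespace(self, vault_namespace):
    """
    Create a vault namespace and verify it is listed afterwards.

    Args:
        vault_namespace (str): name of the vault namespace

    Raises:
        VaultOperationError: If ``vault namespace create`` exits non-zero, or
            the namespace is not reported by ``self.vault_namespace_exists``
    """
    # Argument list rather than shlex-splitting a formatted string, so the
    # caller-supplied name is passed through as a single argv element.
    cmd = ["vault", "namespace", "create", vault_namespace]
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    if proc.returncode:
        # Decode stderr so the exception carries readable text, not a bytes repr.
        raise VaultOperationError(
            "Namespace creation failed", proc.stderr.decode(errors="replace")
        )

    # Check if namespace gets listed
    if self.vault_namespace_exists(vault_namespace):
        logger.info(f"Namespace {vault_namespace} successfully created")
    else:
        logger.error(f"Namespace {vault_namespace} not found in the list")
        # The original raised with no message; include the namespace so the
        # failure is diagnosable from the exception alone.
        raise VaultOperationError(
            f"Namespace {vault_namespace} not found in the list"
        )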
def vault_unseal(self):
    """
    Unseal vault if it is currently sealed.

    Feeds ``UNSEAL_KEY1`` .. ``UNSEAL_KEY3`` from ``self.vault_conf`` to
    ``self._vault_unseal`` and then re-checks the seal status.

    Raises:
        VaultOperationError: In case unseal operation failed
    """
    if not self.vault_sealed():
        logger.info("Vault is not sealed")
        return

    logger.info("Vault is sealed, Unsealing now..")
    for key_index in range(1, 4):
        self._vault_unseal(self.vault_conf[f"UNSEAL_KEY{key_index}"])

    # Re-check the seal status after all three key shares were submitted
    if self.vault_sealed():
        raise VaultOperationError("Failed to Unseal vault")
    logger.info("Vault has been successfully unsealed")