def get_vault_tf_secrets(self, init_spec): account = init_spec['account'] data = init_spec['data'] type = init_spec['type'] secrets_path = data['secrets_path'] secret = vault_client.read_all(secrets_path + '/' + type) return (account, type, secret)
def fetch_provider_vault_secret(path, version, name, labels, annotations, type, integration, integration_version): # get the fields from vault raw_data = vault_client.read_all({'path': path, 'version': version}) # construct oc resource body = { "apiVersion": "v1", "kind": "Secret", "type": type, "metadata": { "name": name, "annotations": annotations } } if labels: body['metadata']['labels'] = labels if raw_data.items(): body['data'] = {} # populate data for k, v in raw_data.items(): if v == "": v = None if k.lower().endswith(QONTRACT_BASE64_SUFFIX): k = k[:-len(QONTRACT_BASE64_SUFFIX)] elif v is not None: v = base64.b64encode(v.encode()).decode('utf-8') body['data'][k] = v try: return OR(body, integration, integration_version, error_details=path) except ConstructResourceError as e: raise FetchResourceError(str(e))
def read_all(secret, settings=None): """Returns a dictionary of keys and values from Vault secret or configuration file. The input secret is a dictionary which contains the following fields: * path - path to the secret in Vault or config * version (optional) - Vault secret version to read * Note: if this is Vault secret and a v2 KV engine The input settings is an optional app-interface-settings object queried from app-interface. It is a dictionary containing `value: true` if Vault is to be used as the secret backend. Default vault setting is false, to allow using a config file without creating app-interface-settings. """ if settings and settings.get('vault'): try: data = vault_client.read_all(secret) except hvac.exceptions.Forbidden: raise VaultForbidden(f'permission denied reading vault secret at ' f'{secret["path"]}') return data else: return config.read_all(secret)
def config_from_vault(vault_path): config = {} required_keys = ('password', 'port', 'require_tls', 'server', 'username') try: data = vault_client.read_all(vault_path) except vault_client.SecretNotFound as e: raise Exception( "Could not retrieve SMTP config from vault: {}".format(e)) try: for k in required_keys: config[k] = data[k] except KeyError as e: raise Exception( "Missing expected SMTP config key in vault secret: {}".format(e)) return config
def fetch_provider_route(path, tls_path, tls_version): global _log_lock openshift_resource = fetch_provider_resource(path) if tls_path is None or tls_version is None: return openshift_resource # override existing tls fields from vault secret openshift_resource.body['spec'].setdefault('tls', {}) tls = openshift_resource.body['spec']['tls'] # get tls fields from vault raw_data = \ vault_client.read_all({'path': tls_path, 'version': tls_version}) valid_keys = [ 'termination', 'insecureEdgeTerminationPolicy', 'certificate', 'key', 'caCertificate', 'destinationCACertificate' ] for k, v in raw_data.items(): if k in valid_keys: tls[k] = v continue msg = "Route secret '{}' key '{}' not in valid keys {}".format( tls_path, k, valid_keys) _log_lock.acquire() logging.info(msg) _log_lock.release() host = openshift_resource.body['spec'].get('host') certificate = openshift_resource.body['spec']['tls'].get('certificate') if host and certificate: match = openssl.certificate_matches_host(certificate, host) if not match: e_msg = "Route host does not match CN (common name): {}" raise FetchRouteError(e_msg.format(path)) return openshift_resource
def get_vault_tf_secrets(self, init_spec): account = init_spec['account'] data = init_spec['data'] secrets_path = data['secrets_path'] secret = vault_client.read_all(secrets_path + '/config') return (account, secret)