added kubernetes auth for vault
This commit is contained in:
parent
a65c4c94a0
commit
409b499217
|
@ -50,11 +50,19 @@ class VaultSourcePlugin(SourcePlugin):
|
||||||
"helpMessage": "Version of the Vault KV API to use",
|
"helpMessage": "Version of the Vault KV API to use",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"name": "vaultAuthTokenFile",
|
"name": "authenticationMethod",
|
||||||
|
"type": "select",
|
||||||
|
"value": "token",
|
||||||
|
"available": ["token", "kubernetes"],
|
||||||
|
"required": True,
|
||||||
|
"helpMessage": "Authentication method to use",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "tokenFile/VaultRole",
|
||||||
"type": "str",
|
"type": "str",
|
||||||
"required": True,
|
"required": True,
|
||||||
"validation": "(/[^/]+)+",
|
"validation": "^([a-zA-Z0-9/._-]+/?)+$",
|
||||||
"helpMessage": "Must be a valid file path!",
|
"helpMessage": "Must be vaild file path for token based auth and valid role if k8s based auth",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"name": "vaultMount",
|
"name": "vaultMount",
|
||||||
|
@ -85,7 +93,8 @@ class VaultSourcePlugin(SourcePlugin):
|
||||||
cert = []
|
cert = []
|
||||||
body = ""
|
body = ""
|
||||||
url = self.get_option("vaultUrl", options)
|
url = self.get_option("vaultUrl", options)
|
||||||
token_file = self.get_option("vaultAuthTokenFile", options)
|
auth_method = self.get_option("authenticationMethod", options)
|
||||||
|
auth_key = self.get_option("tokenFile/vaultRole", options)
|
||||||
mount = self.get_option("vaultMount", options)
|
mount = self.get_option("vaultMount", options)
|
||||||
path = self.get_option("vaultPath", options)
|
path = self.get_option("vaultPath", options)
|
||||||
obj_name = self.get_option("objectName", options)
|
obj_name = self.get_option("objectName", options)
|
||||||
|
@ -93,10 +102,17 @@ class VaultSourcePlugin(SourcePlugin):
|
||||||
cert_filter = "-----BEGIN CERTIFICATE-----"
|
cert_filter = "-----BEGIN CERTIFICATE-----"
|
||||||
cert_delimiter = "-----END CERTIFICATE-----"
|
cert_delimiter = "-----END CERTIFICATE-----"
|
||||||
|
|
||||||
with open(token_file, "r") as tfile:
|
client = hvac.Client(url=url)
|
||||||
token = tfile.readline().rstrip("\n")
|
if auth_method == 'token':
|
||||||
|
with open(auth_key, "r") as tfile:
|
||||||
|
token = tfile.readline().rstrip("\n")
|
||||||
|
client.token = token
|
||||||
|
|
||||||
|
if auth_method == 'kubernetes':
|
||||||
|
f = open('/var/run/secrets/kubernetes.io/serviceaccount/token')
|
||||||
|
jwt = f.read()
|
||||||
|
client.auth_kubernetes(auth_key, jwt)
|
||||||
|
|
||||||
client = hvac.Client(url=url, token=token)
|
|
||||||
client.secrets.kv.default_kv_version = api_version
|
client.secrets.kv.default_kv_version = api_version
|
||||||
|
|
||||||
path = "{0}/{1}".format(path, obj_name)
|
path = "{0}/{1}".format(path, obj_name)
|
||||||
|
@ -160,11 +176,19 @@ class VaultDestinationPlugin(DestinationPlugin):
|
||||||
"helpMessage": "Version of the Vault KV API to use",
|
"helpMessage": "Version of the Vault KV API to use",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"name": "vaultAuthTokenFile",
|
"name": "authenticationMethod",
|
||||||
|
"type": "select",
|
||||||
|
"value": "token",
|
||||||
|
"available": ["token", "kubernetes"],
|
||||||
|
"required": True,
|
||||||
|
"helpMessage": "Authentication method to use",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "tokenFile/VaultRole",
|
||||||
"type": "str",
|
"type": "str",
|
||||||
"required": True,
|
"required": True,
|
||||||
"validation": "(/[^/]+)+",
|
"validation": "^([a-zA-Z0-9/._-]+/?)+$",
|
||||||
"helpMessage": "Must be a valid file path!",
|
"helpMessage": "Must be vaild file path for token based auth and valid role if k8s based auth",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"name": "vaultMount",
|
"name": "vaultMount",
|
||||||
|
@ -219,7 +243,8 @@ class VaultDestinationPlugin(DestinationPlugin):
|
||||||
cname = common_name(parse_certificate(body))
|
cname = common_name(parse_certificate(body))
|
||||||
|
|
||||||
url = self.get_option("vaultUrl", options)
|
url = self.get_option("vaultUrl", options)
|
||||||
token_file = self.get_option("vaultAuthTokenFile", options)
|
auth_method = self.get_option("authenticationMethod", options)
|
||||||
|
auth_key = self.get_option("tokenFile/vaultRole", options)
|
||||||
mount = self.get_option("vaultMount", options)
|
mount = self.get_option("vaultMount", options)
|
||||||
path = self.get_option("vaultPath", options)
|
path = self.get_option("vaultPath", options)
|
||||||
bundle = self.get_option("bundleChain", options)
|
bundle = self.get_option("bundleChain", options)
|
||||||
|
@ -245,10 +270,17 @@ class VaultDestinationPlugin(DestinationPlugin):
|
||||||
exc_info=True,
|
exc_info=True,
|
||||||
)
|
)
|
||||||
|
|
||||||
with open(token_file, "r") as tfile:
|
client = hvac.Client(url=url)
|
||||||
token = tfile.readline().rstrip("\n")
|
if auth_method == 'token':
|
||||||
|
with open(auth_key, "r") as tfile:
|
||||||
|
token = tfile.readline().rstrip("\n")
|
||||||
|
client.token = token
|
||||||
|
|
||||||
|
if auth_method == 'kubernetes':
|
||||||
|
f = open('/var/run/secrets/kubernetes.io/serviceaccount/token')
|
||||||
|
jwt = f.read()
|
||||||
|
client.auth_kubernetes(auth_key, jwt)
|
||||||
|
|
||||||
client = hvac.Client(url=url, token=token)
|
|
||||||
client.secrets.kv.default_kv_version = api_version
|
client.secrets.kv.default_kv_version = api_version
|
||||||
|
|
||||||
if obj_name:
|
if obj_name:
|
||||||
|
|
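Review bot: The option is declared as `"tokenFile/VaultRole"` but read back as `self.get_option("tokenFile/vaultRole", options)` (hunk @ -219 here and @ -85 in VaultSourcePlugin), so unless get_option matches names case-insensitively the lookup yields no value and both `open(auth_key, "r")` and `client.auth_kubernetes(auth_key, jwt)` run with None; use one spelling in both places. In the kubernetes branch the service-account token file is opened with a bare `open()` and never closed, and an `auth_method` that is neither 'token' nor 'kubernetes' falls through to an unauthenticated client that still proceeds to the KV call; the rewrite below closes the handle and rejects unknown methods (the same applies to the VaultSourcePlugin hunk @ -93). The new validation pattern `^([a-zA-Z0-9/._-]+/?)+$` repeats a group that itself repeats a class containing `/`, the `(x+)+$` shape that backtracks exponentially on a near-matching input; it accepts exactly the same strings as `^[a-zA-Z0-9/._-]+$`, which does not. The enclosing method starts and ends outside the hunk.
```python
# … unchanged: logging of the parse failure …
client = hvac.Client(url=url)
if auth_method == 'token':
    with open(auth_key, "r") as tfile:
        client.token = tfile.readline().rstrip("\n")
elif auth_method == 'kubernetes':
    # service-account JWT mounted into the pod; close the handle once read
    with open('/var/run/secrets/kubernetes.io/serviceaccount/token', "r") as f:
        jwt = f.read()
    client.auth_kubernetes(auth_key, jwt)
else:
    raise ValueError("Unsupported Vault authentication method: {0}".format(auth_method))
# … unchanged: default_kv_version and obj_name handling …
```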