Merge pull request #2750 from ardichoke/vault_kv2
Add support for Vault KV API v2
This commit is contained in:
commit
70c8c2b5fc
|
@ -37,6 +37,17 @@ class VaultDestinationPlugin(DestinationPlugin):
|
||||||
'validation': '^https?://[a-zA-Z0-9.:-]+$',
|
'validation': '^https?://[a-zA-Z0-9.:-]+$',
|
||||||
'helpMessage': 'Valid URL to Hashi Vault instance'
|
'helpMessage': 'Valid URL to Hashi Vault instance'
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
'name': 'vaultKvApiVersion',
|
||||||
|
'type': 'select',
|
||||||
|
'value': '2',
|
||||||
|
'available': [
|
||||||
|
'1',
|
||||||
|
'2'
|
||||||
|
],
|
||||||
|
'required': True,
|
||||||
|
'helpMessage': 'Version of the Vault KV API to use'
|
||||||
|
},
|
||||||
{
|
{
|
||||||
'name': 'vaultAuthTokenFile',
|
'name': 'vaultAuthTokenFile',
|
||||||
'type': 'str',
|
'type': 'str',
|
||||||
|
@ -98,17 +109,20 @@ class VaultDestinationPlugin(DestinationPlugin):
|
||||||
path = self.get_option('vaultPath', options)
|
path = self.get_option('vaultPath', options)
|
||||||
bundle = self.get_option('bundleChain', options)
|
bundle = self.get_option('bundleChain', options)
|
||||||
obj_name = self.get_option('objectName', options)
|
obj_name = self.get_option('objectName', options)
|
||||||
|
api_version = self.get_option('vaultKvApiVersion', options)
|
||||||
|
|
||||||
with open(token_file, 'r') as file:
|
with open(token_file, 'r') as file:
|
||||||
token = file.readline().rstrip('\n')
|
token = file.readline().rstrip('\n')
|
||||||
|
|
||||||
client = hvac.Client(url=url, token=token)
|
client = hvac.Client(url=url, token=token)
|
||||||
|
client.secrets.kv.default_kv_version = api_version
|
||||||
|
|
||||||
if obj_name:
|
if obj_name:
|
||||||
path = '{0}/{1}'.format(path, obj_name)
|
path = '{0}/{1}'.format(path, obj_name)
|
||||||
else:
|
else:
|
||||||
path = '{0}/{1}'.format(path, cname)
|
path = '{0}/{1}'.format(path, cname)
|
||||||
|
|
||||||
secret = get_secret(url, token, mount, path)
|
secret = get_secret(client, mount, path)
|
||||||
secret['data'][cname] = {}
|
secret['data'][cname] = {}
|
||||||
|
|
||||||
if bundle == 'Nginx' and cert_chain:
|
if bundle == 'Nginx' and cert_chain:
|
||||||
|
@ -123,8 +137,9 @@ class VaultDestinationPlugin(DestinationPlugin):
|
||||||
if isinstance(san_list, list):
|
if isinstance(san_list, list):
|
||||||
secret['data'][cname]['san'] = san_list
|
secret['data'][cname]['san'] = san_list
|
||||||
try:
|
try:
|
||||||
client.secrets.kv.v1.create_or_update_secret(
|
client.secrets.kv.create_or_update_secret(
|
||||||
path=path, mount_point=mount, secret=secret['data'])
|
path=path, mount_point=mount, secret=secret['data']
|
||||||
|
)
|
||||||
except ConnectionError as err:
|
except ConnectionError as err:
|
||||||
current_app.logger.exception(
|
current_app.logger.exception(
|
||||||
"Exception uploading secret to vault: {0}".format(err), exc_info=True)
|
"Exception uploading secret to vault: {0}".format(err), exc_info=True)
|
||||||
|
@ -144,12 +159,14 @@ def get_san_list(body):
|
||||||
return san_list
|
return san_list
|
||||||
|
|
||||||
|
|
||||||
def get_secret(url, token, mount, path):
|
def get_secret(client, mount, path):
|
||||||
""" retreiive existing data from mount path and return dictionary """
|
""" retreiive existing data from mount path and return dictionary """
|
||||||
result = {'data': {}}
|
result = {'data': {}}
|
||||||
try:
|
try:
|
||||||
client = hvac.Client(url=url, token=token)
|
if client.secrets.kv.default_kv_version == '1':
|
||||||
result = client.secrets.kv.v1.read_secret(path=path, mount_point=mount)
|
result = client.secrets.kv.v1.read_secret(path=path, mount_point=mount)
|
||||||
|
else:
|
||||||
|
result = client.secrets.kv.v2.read_secret_version(path=path, mount_point=mount)
|
||||||
except ConnectionError:
|
except ConnectionError:
|
||||||
pass
|
pass
|
||||||
finally:
|
finally:
|
||||||
|
|
Loading…
Reference in New Issue