Merge pull request #2750 from ardichoke/vault_kv2

Add support for Vault KV API v2
This commit is contained in:
Hossein Shafagh 2019-04-09 08:25:28 -07:00 committed by GitHub
commit 70c8c2b5fc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 23 additions and 6 deletions


@ -37,6 +37,17 @@ class VaultDestinationPlugin(DestinationPlugin):
'validation': '^https?://[a-zA-Z0-9.:-]+$', 'validation': '^https?://[a-zA-Z0-9.:-]+$',
'helpMessage': 'Valid URL to Hashi Vault instance' 'helpMessage': 'Valid URL to Hashi Vault instance'
}, },
{
'name': 'vaultKvApiVersion',
'type': 'select',
'value': '2',
'available': [
'1',
'2'
],
'required': True,
'helpMessage': 'Version of the Vault KV API to use'
},
{ {
'name': 'vaultAuthTokenFile', 'name': 'vaultAuthTokenFile',
'type': 'str', 'type': 'str',
@ -98,17 +109,20 @@ class VaultDestinationPlugin(DestinationPlugin):
path = self.get_option('vaultPath', options) path = self.get_option('vaultPath', options)
bundle = self.get_option('bundleChain', options) bundle = self.get_option('bundleChain', options)
obj_name = self.get_option('objectName', options) obj_name = self.get_option('objectName', options)
api_version = self.get_option('vaultKvApiVersion', options)
with open(token_file, 'r') as file: with open(token_file, 'r') as file:
token = file.readline().rstrip('\n') token = file.readline().rstrip('\n')
client = hvac.Client(url=url, token=token) client = hvac.Client(url=url, token=token)
client.secrets.kv.default_kv_version = api_version
if obj_name: if obj_name:
path = '{0}/{1}'.format(path, obj_name) path = '{0}/{1}'.format(path, obj_name)
else: else:
path = '{0}/{1}'.format(path, cname) path = '{0}/{1}'.format(path, cname)
secret = get_secret(url, token, mount, path) secret = get_secret(client, mount, path)
secret['data'][cname] = {} secret['data'][cname] = {}
if bundle == 'Nginx' and cert_chain: if bundle == 'Nginx' and cert_chain:
@ -123,8 +137,9 @@ class VaultDestinationPlugin(DestinationPlugin):
if isinstance(san_list, list): if isinstance(san_list, list):
secret['data'][cname]['san'] = san_list secret['data'][cname]['san'] = san_list
try: try:
client.secrets.kv.v1.create_or_update_secret( client.secrets.kv.create_or_update_secret(
path=path, mount_point=mount, secret=secret['data']) path=path, mount_point=mount, secret=secret['data']
)
except ConnectionError as err: except ConnectionError as err:
current_app.logger.exception( current_app.logger.exception(
"Exception uploading secret to vault: {0}".format(err), exc_info=True) "Exception uploading secret to vault: {0}".format(err), exc_info=True)
@ -144,12 +159,14 @@ def get_san_list(body):
return san_list return san_list
def get_secret(url, token, mount, path): def get_secret(client, mount, path):
""" retreiive existing data from mount path and return dictionary """ """ retreiive existing data from mount path and return dictionary """
result = {'data': {}} result = {'data': {}}
try: try:
client = hvac.Client(url=url, token=token) if client.secrets.kv.default_kv_version == '1':
result = client.secrets.kv.v1.read_secret(path=path, mount_point=mount) result = client.secrets.kv.v1.read_secret(path=path, mount_point=mount)
else:
result = client.secrets.kv.v2.read_secret_version(path=path, mount_point=mount)
except ConnectionError: except ConnectionError:
pass pass
finally: finally: