Page Menu
Home
DevCentral
Search
Configure Global Search
Log In
Files
F27207526
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
19 KB
Referenced Files
None
Subscribers
None
View Options
diff --git a/_modules/credentials.py b/_modules/credentials.py
index b693413..5da229e 100644
--- a/_modules/credentials.py
+++ b/_modules/credentials.py
@@ -1,322 +1,331 @@
# -*- coding: utf-8 -*-
# -------------------------------------------------------------
# Salt — Credentials
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Description: Credentials-related execution module methods
# License: BSD-2-Clause
# -------------------------------------------------------------
import ipaddress
import os
from salt.utils.files import fopen
VAULT_PREFIX = "ops/secrets/"
# -------------------------------------------------------------
# Configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def _are_credentials_hidden():
return "CONFIG_PUBLISHER" in os.environ or "state.show_sls" in os.environ.get(
"SUDO_COMMAND", ""
)
# -------------------------------------------------------------
# HOF utilities
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def _filter_discard_empty_string_values(haystack):
if type(haystack) is dict:
return {k: v for k, v in haystack.items() if v != ""}
if type(haystack) is list:
return [v for v in haystack if v != ""]
raise ValueError("Argument isn't a list or a dict: " + str(type(haystack)))
def _join_document_fragments(fragments):
filtered = _filter_discard_empty_string_values(fragments)
return "\n\n".join(filtered)
# -------------------------------------------------------------
# Fetch credentials from Vault
#
# Methods signatures are compatible with Zemke-Rhyne module.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def _get_default_secret_path():
return VAULT_PREFIX
def read_secret(key, prefix=None):
if _are_credentials_hidden():
return "credential for " + key
if prefix is None:
prefix = _get_default_secret_path()
return __salt__["vault.read_secret"](f"{prefix}/{key}")
def get_password(key, prefix=None):
"""
A function to fetch credential on Vault
CLI Example:
salt docker-001 credentials.get_password nasqueron.foo.bar
:param key: The key in ops/secrets namespace
:param prefix: the prefix path for that key, by default "ops/secrets/"
:return: The username
"""
return read_secret(key, prefix)["password"]
def get_username(key, prefix=None):
"""
A function to fetch the username associated to a credential
through Vault
CLI Example:
salt docker-001 credentials.get_username nasqueron.foo.bar
:param key: The key in ops/secrets namespace
:param prefix: the prefix path for that key, by default "ops/secrets/"
:return: The secret value
"""
return read_secret(key, prefix)["username"]
def get_token(key, prefix=None):
"""
A function to fetch credential through Vault
CLI Example:
salt docker-001 credentials.get_token nasqueron.foo.bar
:param key: The key in ops/secrets namespace
:param prefix: the prefix path for that key, by default "ops/secrets/"
:return: The secret value
For Vault, this is actually an alias of the get_password method.
"""
return get_password(key, prefix)
def get_dsn(host, key, prefix=None):
if _are_credentials_hidden():
return "credential for " + key
secret = read_secret(key, prefix)
return f"{secret['username']}:{secret['password']}@{host}"
# -------------------------------------------------------------
# Helpers for IPv6 DUID credentials
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def get_duid_credential_paths(node):
return {
key: _get_duid_path(interface)
for key, interface in _get_duid_interfaces(node).items()
}
def get_duid_credentials():
id = __grains__["id"]
return {
key: _read_duid_secret(interface)
for key, interface in _get_duid_interfaces(id).items()
}
def _get_duid_interfaces(node):
return {
key: interface
for key, interface in __pillar__["nodes"][node]["network"]["interfaces"].items()
if _is_duid_interface(interface)
}
def _is_duid_interface(interface):
return (
"ipv6" in interface
and "flags" in interface
and "ipv6_dhcp_duid" in interface["flags"]
)
def _read_duid_secret(interface):
path = _get_duid_path(interface)
return __salt__["vault.read_secret"](path)["password"]
def _get_duid_path(interface):
address = interface["ipv6"]["address"]
prefixlen = interface["ipv6"]["prefix"]
prefix = _get_prefix(address, prefixlen)
return f"ops/secrets/network/DUID/{prefix}"
def _get_prefix(address, prefixlen):
ip = ipaddress.IPv6Network((address, prefixlen), strict=False)
return str(ip.network_address)
# -------------------------------------------------------------
# Helpers for Sentry credentials
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def get_sentry_dsn(args):
if _are_credentials_hidden():
return "credential for " + args["credential"]
host = __pillar__["sentry_realms"][args["realm"]]["hostname"]
key = get_username(args["credential"])
return f"https://{key}@{host}/{args['project_id']}"
# -------------------------------------------------------------
# Build Vault policies
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
class VaultSaltRolePolicy:
def __init__(self, role):
self.role = role
def build_policy(self):
return _join_document_fragments(
[
self.build_read_secrets_policy(),
self.import_extra_policies(),
]
)
#
# Secrets from pillar entry vault_secrets_by_role
#
def build_read_secrets_policy(self):
vault_paths = __pillar__["vault_secrets_by_role"].get(self.role, [])
return _join_document_fragments(
[_get_read_rule(vault_path) for vault_path in vault_paths]
)
#
# Import policies from pillar entry vault_extra_policies_by_role
#
def import_extra_policies(self):
extra_policies = __pillar__["vault_extra_policies_by_role"].get(self.role, [])
return _join_document_fragments(
[self.import_policy(policy) for policy in extra_policies]
)
@staticmethod
def import_policy(policy):
policy_file = f"{__pillar__['vault_policies_source']}/{policy}.hcl"
if policy_file.startswith("salt://"):
policy_file = __salt__["cp.cache_file"](policy_file)
with fopen(policy_file) as fd:
return fd.read()
def _get_read_rule(vault_path):
resolved_vault_path = _resolve_vault_path(vault_path)
return f"""path \"{resolved_vault_path}\" {{
capabilities = [ \"read\" ]
}}"""
def _resolve_vault_path(vault_path):
for pillar_path, mount_path in __pillar__.get("vault_mount_paths", {}).items():
if vault_path.startswith(pillar_path):
start_position = len(pillar_path)
return mount_path + vault_path[start_position:]
return vault_path
def _compile_roles_policies():
return {
role: VaultSaltRolePolicy(role).build_policy() for role in _get_relevant_roles()
}
def _get_relevant_roles():
return {
role
for pillar_entry in [
"vault_extra_policies_by_role",
"vault_secrets_by_role",
]
for role in __pillar__[pillar_entry].keys()
}
def _build_node_policy(node, roles_policies):
rules = [
roles_policies[role]
for role in __salt__["node.get"]("roles", node)
if role in roles_policies
]
cluster = __salt__["node.get"]("dbserver:cluster", node)
if cluster is not None:
dbserver_rules_paths = __pillar__["vault_secrets_by_dbserver_cluster"].get(
cluster, []
)
rules.append(
_join_document_fragments(
[_get_read_rule(vault_path) for vault_path in dbserver_rules_paths]
)
)
for _, vault_path in get_duid_credential_paths(node).items():
rules.append(_get_read_rule(vault_path))
+ rules.append(
+ _join_document_fragments(
+ [
+ _get_read_rule(vault_path)
+ for vault_path in __pillar__["vault_secrets_ubiquity"]
+ ]
+ )
+ )
+
policy = _join_document_fragments(rules)
if not policy:
policy = "# This policy is intentionally left blank."
policy = policy.replace("%%node%%", node)
return policy
def build_policies_by_node():
roles_policies = _compile_roles_policies()
policies = {
node: _build_node_policy(node, roles_policies)
for node in __pillar__["nodes"].keys()
}
return policies
diff --git a/pillar/credentials/vault.sls b/pillar/credentials/vault.sls
index c3f764c..c8fe51a 100644
--- a/pillar/credentials/vault.sls
+++ b/pillar/credentials/vault.sls
@@ -1,307 +1,313 @@
# -------------------------------------------------------------
# Salt configuration for Nasqueron servers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Vault configuration
#
# :: vault_policies_path: path on vault server where to store policies
#
# :: vault_policies_source: path to fetch policies from
# if starting by salt://, from salt files server
#
# :: vault_mount_paths: translates secrets paths in policies paths
#
# Generally, Vault paths are the same for policies and data access.
#
# For kv secrets engine, version 2, writing and reading versions
# of a kv value are prefixed with the data/ path.
#
# credentials.build_policies_by_node will use this dictionary
# to be able to rewrite secrets paths in data paths.
#
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vault_policies_path: /srv/policies/vault
vault_policies_source: /srv/policies/vault
vault_mount_paths:
ops/secrets: ops/data/secrets
ops/privacy: ops/data/privacy
apps: apps/data
# -------------------------------------------------------------
# Vault policies to deploy as-is, i.e., without templating.
#
# Entries of vault_policies must match a .hcl file in
# the roles /vault/policies/files folder.
#
# If you need a template, create a new pillar entry instead
# and add the parsing logic either:
# - directly to roles/vault/policies/
#
# - through _modules/credentials.py for policies to apply
# to Salt nodes, like e.g., vault_secrets_by_role
#
# App policies can also be defined in terraform/openbao/
#
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vault_policies:
- admin
- airflow
- monitoring
- salt-primary
- sentry
- vault_bootstrap
# -------------------------------------------------------------
# Vault policies for Salt itself
#
# The policy attached to the login method (e.g., approle)
# used by the Salt primary server to log in to Vault.
#
# Source is the name of a policy managed by the vault_policies
# section. Target is the name of the policy attached.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vault_salt_primary_policy:
source: salt-primary
target: salt
# -------------------------------------------------------------
# Vault full policies to include by role
#
# Declare the extra policies each node needs.
#
# In addition to those extra policies, the vault_secrets_by_role
# will be parsed for the keys.
#
# IMPORTANT: as grains['roles'] can be modified by the node,
# roles are extracted directly from the pillar.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vault_extra_policies_by_role:
salt-primary:
- salt-primary
# -------------------------------------------------------------
# Vault secrets by role
#
# Paths of the keys the specified role needs access to.
#
# Avoid * notation as this namespace is shared between Vault
# and the applications. As such, only secrets the Salt nodes
# need in a state they need to deploy should be listed here.
#
# Use %%node%% as variable for node name.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vault_secrets_by_role:
devserver:
- ops/secrets/dbserver/windriver-mariadb/users/*
- ops/secrets/dbserver/windriver-pgsql/users/*
- ops/secrets/nasqueron/notifications/notifications-cli/%%node%%
- ops/secrets/nasqueron/deploy/deploy_keys/alken-orin
- ops/secrets/nasqueron/deploy/deploy_keys/by_repo/bitbucket/dereckson/www
- ops/secrets/nasqueron/deploy/deploy_keys/by_repo/bitbucket/ewosp/www
- ops/secrets/nasqueron/deploy/deploy_keys/by_repo/github/wolfplex/api-www
mailserver:
- ops/secrets/dbserver/cluster-A/users/mailManagement
- ops/secrets/dbserver/cluster-A/users/dovecot
- ops/secrets/dbserver/cluster-A/users/postfix
- ops/secrets/mailserver/security
netbox:
- ops/secrets/dbserver/windriver-pgsql/users/netbox
- ops/secrets/nasqueron/netbox/key
opensearch:
- ops/secrets/nasqueron/opensearch/infra-logs/internal_users/admin
- ops/secrets/nasqueron/opensearch/infra-logs/internal_users/dashboards
paas-docker-prod:
#
# Personal data or personally identifiable information (PII)
# related to Nasqueron Operations SIG members.
#
- ops/privacy/ops-cidr
#
# Credentials used by Nasqueron services
# Format: ops/secrets/nasqueron/service/<...>
#
- ops/secrets/nasqueron/acquisitariat/mysql
- ops/secrets/nasqueron/airflow/admin_account
- ops/secrets/nasqueron/airflow/fernet
- ops/secrets/nasqueron/airflow/sentry
- ops/secrets/dbserver/cluster-A/users/airflow
- ops/secrets/nasqueron/auth-grove/mysql
- ops/secrets/nasqueron/cachet/app_key
- ops/secrets/nasqueron/cachet/mysql
- ops/secrets/nasqueron/devcentral/mailgun
- ops/secrets/nasqueron/devcentral/mail_local
- ops/secrets/nasqueron/devcentral/mysql
- ops/secrets/nasqueron/etherpad/api
- ops/secrets/nasqueron/etherpad/mysql
- ops/secrets/nasqueron/etherpad/users/dereckson
- ops/secrets/nasqueron/notifications/broker
- ops/secrets/nasqueron/notifications/mailgun
- ops/secrets/nasqueron/notifications/sentry
- ops/secrets/nasqueron/notifications/credentials/github/nasqueron
- ops/secrets/nasqueron/notifications/credentials/github/wolfplex
- ops/secrets/nasqueron/notifications/credentials/github/keruald
- ops/secrets/nasqueron/notifications/credentials/github/trustspace
- ops/secrets/nasqueron/notifications/credentials/github/eglide
- ops/secrets/nasqueron/notifications/credentials/phabricator/nasqueron
- apps/notifications-center/dockerhub/notifications
- apps/notifications-center/dockerhub/auth-grove
- ops/secrets/nasqueron/penpot/github
- ops/secrets/nasqueron/penpot/postgresql
- ops/secrets/nasqueron/penpot/secret_key
- ops/secrets/nasqueron/pixelfed/app_key
- ops/secrets/nasqueron/pixelfed/mailgun
- ops/secrets/nasqueron/pixelfed/mysql
- ops/secrets/nasqueron/rabbitmq/white-rabbit/erlang-cookie
- ops/secrets/nasqueron/rabbitmq/white-rabbit/root
- ops/secrets/nasqueron/reports/acquisitariat
- ops/secrets/nasqueron/sentry/app_key
- ops/secrets/nasqueron/sentry/geoipupdate
- ops/secrets/nasqueron/sentry/postgresql
- ops/secrets/nasqueron/sentry/vault
#
# Credentials used by Nasqueron members private services
# Format: <username>/<service>/<type>
#
- ops/secrets/dereckson/phabricator/mysql
#
# Credentials used by projects hosted by Nasqueron
# Format: <project name>/<service>/<type>
#
- ops/secrets/dbserver/cluster-A/users/corspat
- ops/secrets/espacewin/phpbb/mysql_root
- ops/secrets/wolfplex/phabricator/mailgun
- ops/secrets/wolfplex/phabricator/mysql
- ops/secrets/zed/phabricator/mysql
- ops/secrets/zed/phabricator/sendgrid
paas-docker-dev:
#
# Credentials used by Nasqueron services
# Format: ops/secrets/nasqueron/service/<...>
#
- ops/secrets/nasqueron/airflow/admin_account
- ops/secrets/nasqueron/airflow/fernet
- ops/secrets/nasqueron/airflow/sentry
- ops/secrets/nasqueron/airflow/vault
- ops/secrets/dbserver/cluster-A/users/airflow
- ops/secrets/nasqueron/orbeon/oxf.crypto.password
- ops/secrets/nasqueron/orbeon/users/dereckson
- ops/secrets/nasqueron/orbeon/users/dorianvl
- ops/secrets/dbserver/cluster-A/users/orbeon
- ops/secrets/nasqueron/rabbitmq/orange-rabbit/erlang-cookie
- ops/secrets/nasqueron/rabbitmq/orange-rabbit/root
- ops/secrets/nasqueron/rabbitmq/orange-rabbit/notifications
- ops/secrets/nasqueron/notifications/sentry
#
# Credentials used by projects hosted by Nasqueron
# Format: <project name>/<service>/<type>
#
- ops/secrets/espacewin/bugzilla/mysql
- ops/secrets/espacewin/bugzilla/mysql_root
reports:
- ops/secrets/nasqueron/rhyne-wyse/vault
saas-mediawiki:
- ops/secrets/dbserver/cluster-B/users/saas-mediawiki
- ops/secrets/dbserver/cluster-B/users/saas-mw-deploy
- ops/secrets/nasqueron/mediawiki/secret_key
saas-wordpress:
- ops/secrets/dbserver/cluster-B/users/dereckson_blog
- ops/secrets/dereckson/wordpress/secrets
viperserv:
- ops/secrets/nasqueron/viperserv/vault
webserver-alkane-prod:
- ops/secrets/dbserver/cluster-B/users/dereckson_www
- ops/secrets/dbserver/cluster-B/users/zed
- ops/secrets/nasqueron/deploy/deploy_keys/by_repo/github/hypership/content_users
- ops/secrets/zed/hypership/secret_key
#
# Wolfplex credentials
#
- ops/secrets/nasqueron/etherpad/api
webserver-alkane-dev:
- ops/secrets/dbserver/cluster-A/users/obsidian
- ops/secrets/dbserver/cluster-B/users/dereckson_www51
- ops/secrets/dbserver/cluster-B/users/obsidian51
webserver-legacy:
#
# Wolfplex credentials
#
- ops/secrets/nasqueron/etherpad/api
# -------------------------------------------------------------
# Vault secrets by dbserver cluster
#
# Paths of the keys the specified role needs access to.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vault_secrets_by_dbserver_cluster:
# Main PostgreSQL cluster
A:
- ops/secrets/dbserver/cluster-A/users/*
# Main MariaDB cluster - Alkane PaaS, ViperServ
B:
- ops/secrets/dbserver/cluster-B/users/*
+
+vault_secrets_ubiquity:
+
+ # IPsec tunnels
+
+ - ops/secrets/network/ipsec/key
File Metadata
Details
Attached
Mime Type
text/x-diff
Expires
Sun, May 3, 05:57 (1 d, 29 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
3677707
Default Alt Text
(19 KB)
Attached To
Mode
rOPS Nasqueron Operations
Attached
Detach File
Event Timeline
Log In to Comment