Page MenuHomeDevCentral

D3273.id8404.diff
No OneTemporary

D3273.id8404.diff

diff --git a/_modules/credentials.py b/_modules/credentials.py
--- a/_modules/credentials.py
+++ b/_modules/credentials.py
@@ -126,6 +126,23 @@
return f"{secret['username']}:{secret['password']}@{host}"
+# -------------------------------------------------------------
+# Fetch credentials from Vault
+#
+# Methods signatures are sui generis.
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+def inject_vault_approle(initial_config, credentials_key, prefix=None):
+ args = initial_config
+
+ secret = read_secret(credentials_key, prefix)
+ args["role_id"] = secret["username"]
+ args["secret_id"] = secret["password"]
+
+ return args
+
+
# -------------------------------------------------------------
# Helpers for IPv6 DUID credentials
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
diff --git a/pillar/paas/docker/dwellers/airflow.sls b/pillar/paas/docker/dwellers/airflow.sls
--- a/pillar/paas/docker/dwellers/airflow.sls
+++ b/pillar/paas/docker/dwellers/airflow.sls
@@ -57,6 +57,12 @@
admin_account: nasqueron/airflow/admin_account
fernet_key: nasqueron/airflow/fernet
postgresql: dbserver/cluster-A/users/airflow
+ vault: nasqueron/airflow/vault
+ vault:
+ url: https://172.27.27.7:8200
+ auth_type: approle
+ mount_point: apps
+ connections_path: airflow/connections
sentry:
realm: nasqueron
project_id: 4
diff --git a/roles/paas-docker/containers/airflow.sls b/roles/paas-docker/containers/airflow.sls
--- a/roles/paas-docker/containers/airflow.sls
+++ b/roles/paas-docker/containers/airflow.sls
@@ -78,6 +78,8 @@
{% set postgresql_dsn = salt["credentials.get_dsn"](realm_args["services"]["postgresql"], realm_args["credentials"]["postgresql"]) %}
+{% set secrets_backend_args = inject_vault_approle(realm_args["vault"], realm_args["credentials"]["vault"]) %}
+
{{ instance }}:
docker_container.running:
- detach: True
@@ -101,6 +103,9 @@
- AIRFLOW__DATABASE__SQL_ALCHEMY_CONN: postgresql+psycopg2://{{ postgresql_dsn }}/airflow
+ - AIRFLOW__SECRETS__BACKEND: airflow.providers.hashicorp.secrets.vault.VaultBackend
+ - AIRFLOW__SECRETS__BACKEND__KWARGS: {{ secrets_backend_args | tojson }}
+
- AIRFLOW__SENTRY__SENTRY_ON: "True"
- AIRFLOW__SENTRY__SENTRY_DSN: {{ salt["credentials.get_sentry_dsn"](realm_args["sentry"]) }}
{% if "app_port" in container %}

File Metadata

Mime Type
text/plain
Expires
Sat, Nov 23, 02:25 (16 h, 31 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
2256877
Default Alt Text
D3273.id8404.diff (2 KB)

Event Timeline