D2649.diff
No OneTemporary
Actions

Size

6 KB

Referenced Files

None

Subscribers

None

D2649.diff
View Options

	diff --git a/_modules/credentials.py b/_modules/credentials.py
	--- a/_modules/credentials.py
	+++ b/_modules/credentials.py
	@@ -9,9 +9,25 @@
	# -------------------------------------------------------------


	+import os
	+
	from salt.utils.files import fopen


	+VAULT_PREFIX = "ops/secrets/"
	+
	+
	+# -------------------------------------------------------------
	+# Configuration
	+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
	+
	+
	+def _are_credentials_hidden():
	+ return "CONFIG_PUBLISHER" in os.environ or "state.show_sls" in os.environ.get(
	+ "SUDO_COMMAND", ""
	+ )
	+
	+
	# -------------------------------------------------------------
	# HOF utilities
	# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
	@@ -32,6 +48,88 @@
	return "\n\n".join(filtered)


	+# -------------------------------------------------------------
	+# Fetch credentials from Vault
	+#
	+# Methods signatures are compatible with Zemke-Rhyne module.
	+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
	+
	+
	+def _get_default_secret_path():
	+ return VAULT_PREFIX
	+
	+
	+def _read_secret(key, prefix=None):
	+ if prefix is None:
	+ prefix = _get_default_secret_path()
	+
	+ return __salt__["vault.read_secret"](f"{prefix}/{key}")
	+
	+
	+def get_password(key, prefix=None):
	+ """
	+ A function to fetch credential on Vault
	+
	+ CLI Example:
	+
	+ salt docker-001 credentials.get_password nasqueron.foo.bar
	+
	+ :param key: The key in ops/secrets namespace
	+ :param prefix: the prefix path for that key, by default "ops/secrets/"
	+ :return: The username
	+ """
	+ if _are_credentials_hidden():
	+ return "credential for " + key
	+
	+ return _read_secret(key, prefix)["password"]
	+
	+
	+def get_username(key, prefix=None):
	+ """
	+ A function to fetch the username associated to a credential
	+ through Vault
	+
	+ CLI Example:
	+
	+ salt docker-001 credentials.get_username nasqueron.foo.bar
	+
	+ :param key: The key in ops/secrets namespace
	+ :param prefix: the prefix path for that key, by default "ops/secrets/"
	+ :return: The secret value
	+ """
	+ return _read_secret(key, prefix)["username"]
	+
	+
	+def get_token(key, prefix=None):
	+ """
	+ A function to fetch credential through Vault
	+
	+ CLI Example:
	+
	+ salt docker-001 credentials.get_token nasqueron.foo.bar
	+
	+ :param key: The key in ops/secrets namespace
	+ :param prefix: the prefix path for that key, by default "ops/secrets/"
	+ :return: The secret value
	+
	+ For Vault, this is actually an alias of the get_password method.
	+ """
	+ return get_password(key, prefix)
	+
	+
	+def get_sentry_dsn(args):
	+ if _are_credentials_hidden():
	+ return "credential for " + args["credential"]
	+
	+ host = __pillar__["sentry_realms"][args["realm"]]["host"]
	+ credential = _read_secret(args["credential"])
	+
	+ return (
	+ f"https://{credential['username']}:{credential['password']}"
	+ f"@{host}/{args['project_id']}"
	+ )
	+
	+
	# -------------------------------------------------------------
	# Build Vault policies
	# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
	diff --git a/roles/paas-docker/containers/files/sentry/sentry.sh.jinja b/roles/paas-docker/containers/files/sentry/sentry.sh.jinja
	--- a/roles/paas-docker/containers/files/sentry/sentry.sh.jinja
	+++ b/roles/paas-docker/containers/files/sentry/sentry.sh.jinja
	@@ -17,7 +17,9 @@
	# and will be lost if the state is redeployed.
	# </auto-generated>

	-SECRET_KEY=$(zr getcredentials {{ credential_id }} token)
	+set -e
	+
	+SECRET_KEY=$(credential {{ credential_key }})

	docker run -it --rm \
	-e SENTRY_SECRET_KEY=$SECRET_KEY \
	diff --git a/roles/paas-docker/containers/sentry.sls b/roles/paas-docker/containers/sentry.sls
	--- a/roles/paas-docker/containers/sentry.sls
	+++ b/roles/paas-docker/containers/sentry.sls
	@@ -29,7 +29,7 @@
	- makedirs: True
	- context:
	links: {{ args['links'] }}
	- credential_id: {{ salt['zr.get_credential_id'](args['credential']) }}
	+ credential_key: args['credential']

	{% if has_selinux %}
	selinux_context_{{ realm }}_sentry_data:
	diff --git a/roles/paas-docker/containers/files/sentry/sentry.sh.jinja b/roles/paas-docker/salt/files/credential.sh
	old mode 100644
	new mode 100755
	copy from roles/paas-docker/containers/files/sentry/sentry.sh.jinja
	copy to roles/paas-docker/salt/files/credential.sh
	--- a/roles/paas-docker/containers/files/sentry/sentry.sh.jinja
	+++ b/roles/paas-docker/salt/files/credential.sh
	@@ -1,13 +1,10 @@
	#!/bin/sh
	-
	# -------------------------------------------------------------
	# PaaS Docker
	# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
	# Project: Nasqueron
	-# Created: 2018-11-10
	# License: Trivial work, not eligible to copyright
	-# Description: Wrapper for sentry command (local instance)
	-# Source file: roles/paas-docker/containers/files/sentry/sentry.sh.jinja
	+# Source file: roles/paas-docker/salt/files/credential.sh
	# -------------------------------------------------------------
	#
	# <auto-generated>
	@@ -17,10 +14,9 @@
	# and will be lost if the state is redeployed.
	# </auto-generated>

	-SECRET_KEY=$(zr getcredentials {{ credential_id }} token)
	+if [ "$#" -eq 0 ]; then
	+ echo "Usage: $0 <credential key>" 1>&2;
	+ exit 1
	+fi

	-docker run -it --rm \
	- -e SENTRY_SECRET_KEY=$SECRET_KEY \
	- --link {{ links.postgresql }}:postgres \
	- --link {{ links.redis }}:redis \
	- sentry "$@"
	+sudo salt-call credentials.get_password "$1" --out=json \| jq .local
	diff --git a/roles/paas-docker/salt/init.sls b/roles/paas-docker/salt/init.sls
	--- a/roles/paas-docker/salt/init.sls
	+++ b/roles/paas-docker/salt/init.sls
	@@ -6,7 +6,7 @@
	# License: Trivial work, not eligible to copyright
	# -------------------------------------------------------------

	-{% from "map.jinja" import packages_prefixes with context %}
	+{% from "map.jinja" import dirs, packages_prefixes with context %}

	# -------------------------------------------------------------
	# Dependencies for Docker Salt minions
	@@ -20,3 +20,12 @@
	- bin_env: /usr/bin/pip3
	- require:
	- pkg: required_python_packages_for_docker_and_salt
	+
	+# -------------------------------------------------------------
	+# Wrapper to fetch a credential
	+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
	+
	+{{ dirs.bin }}/credential:
	+ file.managed:
	+ - source: salt://roles/paas-docker/salt/files/credential.sh
	+ - mode: 755

File Metadata

Mime Type: text/plain
Expires: Sat, Nov 23, 05:15 (17 h, 45 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 2257283
Default Alt Text: D2649.diff (6 KB)

D2649.diffNo OneTemporaryActions

D2649.diffView Options

File Metadata

Event Timeline

D2649.diff
No OneTemporary
Actions

D2649.diff
View Options