F3774986
D3357.diff
diff --git a/roles/salt-primary/software/init.sls b/roles/salt-primary/software/init.sls
--- a/roles/salt-primary/software/init.sls
+++ b/roles/salt-primary/software/init.sls
@@ -21,6 +21,8 @@
- {{ packages_prefixes.python3 }}gitpython
# Pillar
- {{ packages_prefixes.python3 }}salt-tower
+ # For Vault helper scripts
+ - {{ packages_prefixes.python3 }}hvac
{{ dirs.bin }}/staging-commit-message:
file.managed:
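Review bot: the new `{{ packages_prefixes.python3 }}hvac` entry covers only one of the two third-party imports the helper script needs; `utils/vault/issue-admin-token.py` also does `import yaml`, and no PyYAML package is visible in this hunk. If it is not already pulled in elsewhere in this list (or as a dependency of salt-tower or Salt itself), add `{{ packages_prefixes.python3 }}yaml` next to hvac under the same "# For Vault helper scripts" comment so the helper does not fail at import time on a freshly provisioned primary.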
diff --git a/utils/vault/issue-admin-token.py b/utils/vault/issue-admin-token.py
new file mode 100755
--- /dev/null
+++ b/utils/vault/issue-admin-token.py
@@ -0,0 +1,67 @@
+#!/usr/bin/env python3
+
+# -------------------------------------------------------------
+# Salt :: Issue admin token
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Description: Issue admin token, with or without certificate check
+# License: BSD-2-Clause
+# -------------------------------------------------------------
+
+
+import hvac
+import yaml
+import sys
+
+
+VAULT_TLS_CERTIFICATE_PATH = "/usr/local/share/certs/nasqueron-root-ca.crt"
+
+
+def get_config_path():
+ # As long as we deploy primary servers on FreeBSD,
+ # this path is stable.
+ return "/usr/local/etc/salt/master.d/vault.conf"
+
+
+def load_config():
+ with open(get_config_path()) as fd:
+ return yaml.safe_load(fd)
+
+
+def connect_to_vault(verify):
+ config = load_config()
+
+ client = hvac.Client(url=config["vault"]["url"], verify=verify)
+ client.auth.approle.login(
+ role_id=config["vault"]["auth"]["role_id"],
+ secret_id=config["vault"]["auth"]["secret_id"],
+ )
+
+ return client
+
+
+# -------------------------------------------------------------
+# Application entry point
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+def run(verify):
+ client = connect_to_vault(verify)
+
+ token = client.auth.token.create(policies=["admin"], ttl="30d")
+ print(token["auth"]["client_token"])
+
+
+if __name__ == "__main__":
+ verify_tls_certificate = VAULT_TLS_CERTIFICATE_PATH
+
+ argc = len(sys.argv)
+
+ if argc > 1:
+ if sys.argv[1] == "--insecure":
+ verify_tls_certificate = False
+ else:
+ print(f"Usage: {sys.argv[0]} [--insecure]", file=sys.stderr)
+ sys.exit(1)
+
+ run(verify_tls_certificate)
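Review bot: the `--insecure` branch (`verify_tls_certificate = False`) turns off TLS verification on the very connection that sends the master's AppRole `secret_id` and receives a freshly minted admin token, and it does so silently; at minimum print a warning to stderr when that flag is set, and document in the header (which only says "with or without certificate check") when skipping verification is acceptable, e.g. bootstrapping before `nasqueron-root-ca.crt` is deployed. Two smaller points in the same hunk: `ttl="30d"` hard-codes a month-long admin token, so consider taking the TTL as an argument (or at least commenting why 30 days), and the `argc > 1` check only inspects `sys.argv[1]`, so `issue-admin-token.py --insecure anything` is accepted without complaint; `argparse` would give both the flag and a TTL option with a usage message for free.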
D3357: Allow to issue Vault token with admin policy