Page Menu
Home
DevCentral
Search
Configure Global Search
Log In
Files
F3797798
D2649.id.diff
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
6 KB
Referenced Files
None
Subscribers
None
D2649.id.diff
View Options
diff --git a/_modules/credentials.py b/_modules/credentials.py
--- a/_modules/credentials.py
+++ b/_modules/credentials.py
@@ -9,9 +9,25 @@
# -------------------------------------------------------------
+import os
+
from salt.utils.files import fopen
+VAULT_PREFIX = "ops/secrets/"
+
+
+# -------------------------------------------------------------
+# Configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+def _are_credentials_hidden():
+ return "CONFIG_PUBLISHER" in os.environ or "state.show_sls" in os.environ.get(
+ "SUDO_COMMAND", ""
+ )
+
+
# -------------------------------------------------------------
# HOF utilities
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
@@ -32,6 +48,88 @@
return "\n\n".join(filtered)
+# -------------------------------------------------------------
+# Fetch credentials from Vault
+#
+# Methods signatures are compatible with Zemke-Rhyne module.
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+def _get_default_secret_path():
+ return VAULT_PREFIX
+
+
+def _read_secret(key, prefix=None):
+ if prefix is None:
+ prefix = _get_default_secret_path()
+
+ return __salt__["vault.read_secret"](f"{prefix}/{key}")
+
+
+def get_password(key, prefix=None):
+ """
+ A function to fetch credential on Vault
+
+ CLI Example:
+
+ salt docker-001 credentials.get_password nasqueron.foo.bar
+
+ :param key: The key in ops/secrets namespace
+ :param prefix: the prefix path for that key, by default "ops/secrets/"
+ :return: The username
+ """
+ if _are_credentials_hidden():
+ return "credential for " + key
+
+ return _read_secret(key, prefix)["password"]
+
+
+def get_username(key, prefix=None):
+ """
+ A function to fetch the username associated to a credential
+ through Vault
+
+ CLI Example:
+
+ salt docker-001 credentials.get_username nasqueron.foo.bar
+
+ :param key: The key in ops/secrets namespace
+ :param prefix: the prefix path for that key, by default "ops/secrets/"
+ :return: The secret value
+ """
+ return _read_secret(key, prefix)["username"]
+
+
+def get_token(key, prefix=None):
+ """
+ A function to fetch credential through Vault
+
+ CLI Example:
+
+ salt docker-001 credentials.get_token nasqueron.foo.bar
+
+ :param key: The key in ops/secrets namespace
+ :param prefix: the prefix path for that key, by default "ops/secrets/"
+ :return: The secret value
+
+ For Vault, this is actually an alias of the get_password method.
+ """
+ return get_password(key, prefix)
+
+
+def get_sentry_dsn(args):
+ if _are_credentials_hidden():
+ return "credential for " + args["credential"]
+
+ host = __pillar__["sentry_realms"][args["realm"]]["host"]
+ credential = _read_secret(args["credential"])
+
+ return (
+ f"https://{credential['username']}:{credential['password']}"
+ f"@{host}/{args['project_id']}"
+ )
+
+
# -------------------------------------------------------------
# Build Vault policies
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
diff --git a/roles/paas-docker/containers/files/sentry/sentry.sh.jinja b/roles/paas-docker/containers/files/sentry/sentry.sh.jinja
--- a/roles/paas-docker/containers/files/sentry/sentry.sh.jinja
+++ b/roles/paas-docker/containers/files/sentry/sentry.sh.jinja
@@ -17,7 +17,9 @@
# and will be lost if the state is redeployed.
# </auto-generated>
-SECRET_KEY=$(zr getcredentials {{ credential_id }} token)
+set -e
+
+SECRET_KEY=$(credential {{ credential_key }})
docker run -it --rm \
-e SENTRY_SECRET_KEY=$SECRET_KEY \
diff --git a/roles/paas-docker/containers/sentry.sls b/roles/paas-docker/containers/sentry.sls
--- a/roles/paas-docker/containers/sentry.sls
+++ b/roles/paas-docker/containers/sentry.sls
@@ -29,7 +29,7 @@
- makedirs: True
- context:
links: {{ args['links'] }}
- credential_id: {{ salt['zr.get_credential_id'](args['credential']) }}
+ credential_key: args['credential']
{% if has_selinux %}
selinux_context_{{ realm }}_sentry_data:
diff --git a/roles/paas-docker/containers/files/sentry/sentry.sh.jinja b/roles/paas-docker/salt/files/credential.sh
old mode 100644
new mode 100755
copy from roles/paas-docker/containers/files/sentry/sentry.sh.jinja
copy to roles/paas-docker/salt/files/credential.sh
--- a/roles/paas-docker/containers/files/sentry/sentry.sh.jinja
+++ b/roles/paas-docker/salt/files/credential.sh
@@ -1,13 +1,10 @@
#!/bin/sh
-
# -------------------------------------------------------------
# PaaS Docker
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-11-10
# License: Trivial work, not eligible to copyright
-# Description: Wrapper for sentry command (local instance)
-# Source file: roles/paas-docker/containers/files/sentry/sentry.sh.jinja
+# Source file: roles/paas-docker/salt/files/credential.sh
# -------------------------------------------------------------
#
# <auto-generated>
@@ -17,10 +14,9 @@
# and will be lost if the state is redeployed.
# </auto-generated>
-SECRET_KEY=$(zr getcredentials {{ credential_id }} token)
+if [ "$#" -eq 0 ]; then
+ echo "Usage: $0 <credential key>" 1>&2;
+ exit 1
+fi
-docker run -it --rm \
- -e SENTRY_SECRET_KEY=$SECRET_KEY \
- --link {{ links.postgresql }}:postgres \
- --link {{ links.redis }}:redis \
- sentry "$@"
+sudo salt-call credentials.get_password "$1" --out=json | jq .local
diff --git a/roles/paas-docker/salt/init.sls b/roles/paas-docker/salt/init.sls
--- a/roles/paas-docker/salt/init.sls
+++ b/roles/paas-docker/salt/init.sls
@@ -6,7 +6,7 @@
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
-{% from "map.jinja" import packages_prefixes with context %}
+{% from "map.jinja" import dirs, packages_prefixes with context %}
# -------------------------------------------------------------
# Dependencies for Docker Salt minions
@@ -20,3 +20,12 @@
- bin_env: /usr/bin/pip3
- require:
- pkg: required_python_packages_for_docker_and_salt
+
+# -------------------------------------------------------------
+# Wrapper to fetch a credential
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{{ dirs.bin }}/credential:
+ file.managed:
+ - source: salt://roles/paas-docker/salt/files/credential.sh
+ - mode: 755
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Fri, Nov 29, 14:30 (11 h, 44 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
2271293
Default Alt Text
D2649.id.diff (6 KB)
Attached To
Mode
D2649: Provide compatibility methods with Zemke-Rhyme for Vault
Attached
Detach File
Event Timeline
Log In to Comment