D2649.id6696.diff
diff --git a/_modules/credentials.py b/_modules/credentials.py
--- a/_modules/credentials.py
+++ b/_modules/credentials.py
@@ -9,9 +9,25 @@
# -------------------------------------------------------------
+import os
+
from salt.utils.files import fopen
+VAULT_PREFIX = "ops/secrets/"
+
+
+# -------------------------------------------------------------
+# Configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+def _are_credentials_hidden():
+ return "CONFIG_PUBLISHER" in os.environ or "state.show_sls" in os.environ.get(
+ "SUDO_COMMAND", ""
+ )
+
+
# -------------------------------------------------------------
# HOF utilities
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
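Review bot: `_are_credentials_hidden()` decides whether real secrets are rendered from two caller-controlled environment signals, and it only recognises `state.show_sls` when that substring appears in `SUDO_COMMAND`; running `salt-call state.show_sls` directly as root, or other rendering commands such as `state.show_highstate` (if they are used in this setup), would not match and would render plaintext credentials into the output. Consider matching a broader set of rendering commands, or better, keying on an explicit opt-in signal set by the publisher rather than a substring of the sudo command line. The function also deserves a docstring making its role clear, e.g. `"""Return True when secrets must be replaced by placeholders (config publisher, or state.show_sls run under sudo). Display-mode heuristic only: callers still run with the minion's Vault token."""`.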
@@ -32,6 +48,88 @@
return "\n\n".join(filtered)
+# -------------------------------------------------------------
+# Fetch credentials from Vault
+#
+# Methods signatures are compatible with Zemke-Rhyne module.
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+def _get_default_secret_path():
+ return VAULT_PREFIX
+
+
+def _read_secret(key, prefix=None):
+ if prefix is None:
+ prefix = _get_default_secret_path()
+
+ return __salt__["vault.read_secret"](f"{prefix}/{key}")
+
+
+def get_password(key, prefix=None):
+ """
+ A function to fetch credential on Vault
+
+ CLI Example:
+
+ salt docker-001 credentials.get_password nasqueron.foo.bar
+
+ :param key: The key in ops/secrets namespace
+ :param prefix: the prefix path for that key, by default "ops/secrets/"
+ :return: The username
+ """
+ if _are_credentials_hidden():
+ return "credential for " + key
+
+ return _read_secret(key, prefix)["password"]
+
+
+def get_username(key, prefix=None):
+ """
+ A function to fetch the username associated to a credential
+ through Vault
+
+ CLI Example:
+
+ salt docker-001 credentials.get_username nasqueron.foo.bar
+
+ :param key: The key in ops/secrets namespace
+ :param prefix: the prefix path for that key, by default "ops/secrets/"
+ :return: The secret value
+ """
+ return _read_secret(key, prefix)["username"]
+
+
+def get_token(key, prefix=None):
+ """
+ A function to fetch credential through Vault
+
+ CLI Example:
+
+ salt docker-001 credentials.get_token nasqueron.foo.bar
+
+ :param key: The key in ops/secrets namespace
+ :param prefix: the prefix path for that key, by default "ops/secrets/"
+ :return: The secret value
+
+ For Vault, this is actually an alias of the get_password method.
+ """
+ return get_password(key, prefix)
+
+
+def get_sentry_dsn(args):
+ if _are_credentials_hidden():
+ return "credential for " + args["credential"]
+
+ host = __pillar__["sentry_realms"][args["realm"]]["host"]
+ credential = _read_secret(args["credential"])
+
+ return (
+ f"https://{credential['username']}:{credential['password']}"
+ f"@{host}/{args['project_id']}"
+ )
+
+
# -------------------------------------------------------------
# Build Vault policies
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
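Review bot: `_read_secret` interpolates `key` (and `prefix`) into the Vault path unchecked, and with the default `VAULT_PREFIX = "ops/secrets/"` the f-string produces `ops/secrets//<key>` with a double slash; since `key` arrives from the CLI (`credentials.get_password <key>`), a value containing `/` or `..` can select any path the minion's Vault token is allowed to read, not only the `ops/secrets` namespace. Reject keys containing `/` and join with `prefix.rstrip("/") + "/" + key` so the separator is emitted exactly once. `get_sentry_dsn` embeds the username and password in the URL verbatim, so a password containing `@`, `/`, `:` or `#` yields a broken or misparsed DSN; wrap both with `urllib.parse.quote(value, safe="")`. Separately, the docstrings are swapped: `get_password` documents `:return: The username` and `get_username` documents `:return: The secret value`, and `get_username` lacks the `_are_credentials_hidden()` guard the other getters apply.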
diff --git a/roles/paas-docker/containers/files/sentry/sentry.sh.jinja b/roles/paas-docker/containers/files/sentry/sentry.sh.jinja
--- a/roles/paas-docker/containers/files/sentry/sentry.sh.jinja
+++ b/roles/paas-docker/containers/files/sentry/sentry.sh.jinja
@@ -17,7 +17,9 @@
# and will be lost if the state is redeployed.
# </auto-generated>
-SECRET_KEY=$(zr getcredentials {{ credential_id }} token)
+set -e
+
+SECRET_KEY=$(credential {{ credential_key }})
docker run -it --rm \
-e SENTRY_SECRET_KEY=$SECRET_KEY \
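Review bot: `SECRET_KEY=$(credential {{ credential_key }})` hands the rendered key to the shell unquoted, and `set -e` will not catch a failed lookup because the `credential` wrapper ends in a `| jq` pipeline whose exit status is jq's, so a Vault or salt-call error can leave `SECRET_KEY` empty and the container still starts with a blank secret. Quote the argument, `SECRET_KEY=$(credential "{{ credential_key }}")`, and refuse to continue on an empty value, `[ -n "$SECRET_KEY" ] || { echo "credential lookup failed" >&2; exit 1; }`. The unquoted `-e SENTRY_SECRET_KEY=$SECRET_KEY` on the following context line would also benefit from double quotes now that the value comes from `jq` output.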
diff --git a/roles/paas-docker/containers/sentry.sls b/roles/paas-docker/containers/sentry.sls
--- a/roles/paas-docker/containers/sentry.sls
+++ b/roles/paas-docker/containers/sentry.sls
@@ -29,7 +29,7 @@
- makedirs: True
- context:
links: {{ args['links'] }}
- credential_id: {{ salt['zr.get_credential_id'](args['credential']) }}
+ credential_key: args['credential']
{% if has_selinux %}
selinux_context_{{ realm }}_sentry_data:
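Review bot: `credential_key: args['credential']` on the replaced line sits outside Jinja delimiters, so the template context receives the literal string `args['credential']` instead of the credential key, and the generated `sentry.sh` will run `credential args['credential']`. The removed line had its lookup inside `{{ }}`; the new one needs the same: `credential_key: {{ args['credential'] }}`. The enclosing `file.managed` state starts before this hunk.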
diff --git a/roles/paas-docker/containers/files/sentry/sentry.sh.jinja b/roles/paas-docker/salt/files/credential.sh
old mode 100644
new mode 100755
copy from roles/paas-docker/containers/files/sentry/sentry.sh.jinja
copy to roles/paas-docker/salt/files/credential.sh
--- a/roles/paas-docker/containers/files/sentry/sentry.sh.jinja
+++ b/roles/paas-docker/salt/files/credential.sh
@@ -1,13 +1,10 @@
#!/bin/sh
-
# -------------------------------------------------------------
# PaaS Docker
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-11-10
# License: Trivial work, not eligible to copyright
-# Description: Wrapper for sentry command (local instance)
-# Source file: roles/paas-docker/containers/files/sentry/sentry.sh.jinja
+# Source file: roles/paas-docker/salt/files/credential.sh
# -------------------------------------------------------------
#
# <auto-generated>
@@ -17,10 +14,9 @@
# and will be lost if the state is redeployed.
# </auto-generated>
-SECRET_KEY=$(zr getcredentials {{ credential_id }} token)
+if [ "$#" -eq 0 ]; then
+ echo "Usage: $0 <credential key>" 1>&2;
+ exit 1
+fi
-docker run -it --rm \
- -e SENTRY_SECRET_KEY=$SECRET_KEY \
- --link {{ links.postgresql }}:postgres \
- --link {{ links.redis }}:redis \
- sentry "$@"
+sudo salt-call credentials.get_password "$1" --out=json | jq .local
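Review bot: `jq .local` prints the secret as a JSON string literal, so callers receive the password wrapped in double quotes (and with backslash escapes), which then ends up in `SENTRY_SECRET_KEY`; use `jq -r .local` to emit the raw value. Because the pipeline's status is jq's, a failed `salt-call` is not reported either; `jq -er .local` makes jq exit non-zero when the value is `null`, and a `set -e` at the top of the script then aborts instead of returning garbage. Note that `$1` is passed to the Vault path composition unvalidated, so anyone allowed to run this wrapper through sudo can read any key the minion's Vault policy permits; and if `CONFIG_PUBLISHER` were to survive sudo's environment filtering, `credentials.get_password` would return the placeholder `credential for <key>`, which this wrapper would hand out as if it were the real secret.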
diff --git a/roles/paas-docker/salt/init.sls b/roles/paas-docker/salt/init.sls
--- a/roles/paas-docker/salt/init.sls
+++ b/roles/paas-docker/salt/init.sls
@@ -6,7 +6,7 @@
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
-{% from "map.jinja" import packages_prefixes with context %}
+{% from "map.jinja" import dirs, packages_prefixes with context %}
# -------------------------------------------------------------
# Dependencies for Docker Salt minions
@@ -20,3 +20,12 @@
- bin_env: /usr/bin/pip3
- require:
- pkg: required_python_packages_for_docker_and_salt
+
+# -------------------------------------------------------------
+# Wrapper to fetch a credential
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{{ dirs.bin }}/credential:
+ file.managed:
+ - source: salt://roles/paas-docker/salt/files/credential.sh
+ - mode: 755
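Review bot: the `file.managed` state for `{{ dirs.bin }}/credential` sets `mode: 755` but no `user`/`group`, so the owner of a script that runs `sudo salt-call` is whatever the minion's defaults give it; pin it with `- user: root` and `- group: root` so a non-root owner can never alter what is executed with root privileges. The script reads secrets on behalf of any caller permitted to run it, so the effective boundary is the sudoers rule for `salt-call`; that is worth a comment in this state, e.g. `# Access to credentials is governed by the sudoers rule for salt-call, not by this file's mode.`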
