vault: adding lookup and env variables

2024-09-05 11:07:28 +02:00 · 2024-09-05 11:07:28 +02:00 · 720f663dbd
parent 5649191b4f
commit 720f663dbd
4 changed files with 105 additions and 5 deletions
--- a/.envrc
+++ b/.envrc
@ -0,0 +1,4 @@
+export VAULT_CACERT=./ansible/files/vault-ca.crt
+export VAULT_CLIENT_CERT=./ansible/files/vault-client-user.crt
+export VAULT_CLIENT_KEY=./ansible/files/vault-client-user.key
+export CONSUL_HTTP_TOKEN=$(pass services/consul/tokens/terraform)
--- a/10
+++ b/10
@ -43,8 +43,16 @@ secrets:
 	pass services/consul/ca-crt > ansible/files/consul-ca.crt
 	pass services/consul/client-crt > ansible/files/consul-client.crt
 	pass services/consul/client-key > ansible/files/consul-client.key
+	pass services/vault/certs/root-ca/cert > ansible/files/vault-ca.crt
+	pass services/vault/certs/client-user/cert > ansible/files/vault-client-user.crt
+	pass services/vault/certs/client-user/privkey > ansible/files/vault-client-user.key

-init-terraform:
+consul-token-check:
+ifndef CONSUL_HTTP_TOKEN
+	$(error No CONSUL_HTTP_TOKEN env variable set!)
+endif
+
+init-terraform: consul-token-check
 	terraform init -upgrade=true

 cleanup:
--- a/ansible/lookup_plugins/vault.py
+++ b/ansible/lookup_plugins/vault.py
@ -0,0 +1,85 @@
+#!/usr/bin/env python
+
+import json
+import sys
+import os
+import hvac
+
+
+from ansible.errors import AnsibleError
+from ansible.plugins.lookup import LookupBase
+
+try:
+    from __main__ import display
+except ImportError:
+    from ansible.utils.display import Display
+    display = Display()
+
+
+DOCUMENTATION = """
+lookup: vault
+auth:
+    -  Alexis Pentori <alexis@status.im>
+requirements:
+    - hvac library
+    - VAULT_ADDR environment var
+    - VAULT_TOKEN environment var
+short_description: look up data from a Hashicorp vault
+decription:
+    - Use the hvac library  to grab one or more items stored in a Hashicorp Vault
+options:
+    path:
+        description: path of the secret in the Vault
+        required: true
+    field:
+        description: field to return from vault
+        required: true
+"""
+
+Examples = """
+- name: get 'username' from Vault entry 'test'
+  debug:
+    msg: "{{ lookup('vault, 'test', field='username' ) }}"
+"""
+
+RETURN = """
+  _raw:
+    description:
+      - Items for Hashicorp Vault
+"""
+
+class LookupModule(LookupBase):
+
+    def run(self, terms, **kwargs):
+        VAULT_CACERT      = os.environ.get('VAULT_CACERT',      './ansible/files/vault-ca.crt')
+        VAULT_CLIENT_CERT = os.environ.get('VAULT_CLIENT_CERT', './ansible/files/vault-client-user.crt')
+        VAULT_CLIENT_KEY  = os.environ.get('VAULT_CLIENT_KEY',  './ansible/files/vault-client-user.key')
+
+        self.vault = hvac.Client(cert=(VAULT_CLIENT_CERT, VAULT_CLIENT_KEY),verify=VAULT_CACERT)
+        values = []
+
+        for term in terms:
+            rval = self.lookup(term, kwargs)
+            if rval is None:
+                raise AnsibleError("No matching term, field found!")
+            values.append(rval)
+
+        return values
+
+    def lookup(self, term, kwargs):
+        field  = kwargs.get('field')
+        val = self.vault.secrets.kv.read_secret_version(term)
+        if val:
+            return str(val['data']['data'][field])
+
+
+def main():
+    if len(sys.argv) < 3:
+        print("Usage: %s <path> <field>" % os.path.basename(__file__))
+        return -1
+    print(LookupModule().run(sys.argv[1], field=sys.argv[2]))
+
+    return 0
+
+if __name__ == "__main__":
+    sys.exit(main())
--- a/flake.nix
+++ b/flake.nix
@ -15,22 +15,23 @@
        pkgs = pkgsFor.${system};
      in {
        default = let
-          pythonPkgs = pkgs.python310.withPackages (
-            _: with (pkgs.python310Packages); [
+          pythonPkgs = pkgs.python311.withPackages (
+            _: with (pkgs.python311Packages); [
              ipython pyyaml jinja2 PyGithub
              pyopenssl cryptography
+              hvac
            ]
          );
        in pkgs.mkShellNoCC {
          packages = with pkgs.buildPackages; [
            # misc
-            git openssh jq fzf silver-searcher
+            git openssh jq fzf silver-searcher direnv
            # networking
            curl nmap nettools dnsutils
            # infra
            terraform ansible_2_16 pythonPkgs
            # security
-            pass bitwarden-cli yubikey-manager pwgen
+            pass vault bitwarden-cli yubikey-manager pwgen
            # cloud
            aliyun-cli awscli doctl google-cloud-sdk
            hcloud s3cmd scaleway-cli
@ -39,6 +40,8 @@
          shellHook = ''
            ./ansible/roles.py --check || \
              echo -e '\nWARNING: Your role versions appear to be incorrect!' >&2
+            eval "$(direnv hook bash)"
+            direnv allow .
          '';
        };
      });