status-im
/
infra-shards
mirror of https://github.com/status-im/infra-shards.git
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

vault: adding lookup and env variables

This commit is contained in:
Alexis Pentori 2024-09-05 11:07:28 +02:00
parent 5649191b4f
commit 720f663dbd
No known key found for this signature in database
GPG Key ID: 65250D2801E47A10
4 changed files with 105 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.envrc Normal file
View File

@ -0,0 +1,4 @@
export VAULT_CACERT=./ansible/files/vault-ca.crt
export VAULT_CLIENT_CERT=./ansible/files/vault-client-user.crt
export VAULT_CLIENT_KEY=./ansible/files/vault-client-user.key
export CONSUL_HTTP_TOKEN=$(pass services/consul/tokens/terraform)

10
Makefile
View File

@ -43,8 +43,16 @@ secrets:
pass services/consul/ca-crt > ansible/files/consul-ca.crt pass services/consul/ca-crt > ansible/files/consul-ca.crt
pass services/consul/client-crt > ansible/files/consul-client.crt pass services/consul/client-crt > ansible/files/consul-client.crt
pass services/consul/client-key > ansible/files/consul-client.key pass services/consul/client-key > ansible/files/consul-client.key
pass services/vault/certs/root-ca/cert > ansible/files/vault-ca.crt
pass services/vault/certs/client-user/cert > ansible/files/vault-client-user.crt
pass services/vault/certs/client-user/privkey > ansible/files/vault-client-user.key
init-terraform: consul-token-check:
ifndef CONSUL_HTTP_TOKEN
$(error No CONSUL_HTTP_TOKEN env variable set!)
endif
init-terraform: consul-token-check
terraform init -upgrade=true terraform init -upgrade=true
cleanup: cleanup:

85
ansible/lookup_plugins/vault.py Normal file
View File

@ -0,0 +1,85 @@
#!/usr/bin/env python
import json
import sys
import os
import hvac
from ansible.errors import AnsibleError
from ansible.plugins.lookup import LookupBase
try:
from __main__ import display
except ImportError:
from ansible.utils.display import Display
display = Display()
DOCUMENTATION = """
lookup: vault
auth:
- Alexis Pentori <alexis@status.im>
requirements:
- hvac library
- VAULT_ADDR environment var
- VAULT_TOKEN environment var
short_description: look up data from a Hashicorp vault
decription:
- Use the hvac library to grab one or more items stored in a Hashicorp Vault
options:
path:
description: path of the secret in the Vault
required: true
field:
description: field to return from vault
required: true
"""
Examples = """
- name: get 'username' from Vault entry 'test'
debug:
msg: "{{ lookup('vault, 'test', field='username' ) }}"
"""
RETURN = """
_raw:
description:
- Items for Hashicorp Vault
"""
class LookupModule(LookupBase):
def run(self, terms, **kwargs):
VAULT_CACERT = os.environ.get('VAULT_CACERT', './ansible/files/vault-ca.crt')
VAULT_CLIENT_CERT = os.environ.get('VAULT_CLIENT_CERT', './ansible/files/vault-client-user.crt')
VAULT_CLIENT_KEY = os.environ.get('VAULT_CLIENT_KEY', './ansible/files/vault-client-user.key')
self.vault = hvac.Client(cert=(VAULT_CLIENT_CERT, VAULT_CLIENT_KEY),verify=VAULT_CACERT)
values = []
for term in terms:
rval = self.lookup(term, kwargs)
if rval is None:
raise AnsibleError("No matching term, field found!")
values.append(rval)
return values
def lookup(self, term, kwargs):
field = kwargs.get('field')
val = self.vault.secrets.kv.read_secret_version(term)
if val:
return str(val['data']['data'][field])
def main():
if len(sys.argv) < 3:
print("Usage: %s <path> <field>" % os.path.basename(__file__))
return -1
print(LookupModule().run(sys.argv[1], field=sys.argv[2]))
return 0
if __name__ == "__main__":
sys.exit(main())

11
flake.nix
View File

@ -15,22 +15,23 @@
pkgs = pkgsFor.${system}; pkgs = pkgsFor.${system};
in { in {
default = let default = let
pythonPkgs = pkgs.python310.withPackages ( pythonPkgs = pkgs.python311.withPackages (
_: with (pkgs.python310Packages); [ _: with (pkgs.python311Packages); [
ipython pyyaml jinja2 PyGithub ipython pyyaml jinja2 PyGithub
pyopenssl cryptography pyopenssl cryptography
hvac
] ]
); );
in pkgs.mkShellNoCC { in pkgs.mkShellNoCC {
packages = with pkgs.buildPackages; [ packages = with pkgs.buildPackages; [
# misc # misc
git openssh jq fzf silver-searcher git openssh jq fzf silver-searcher direnv
# networking # networking
curl nmap nettools dnsutils curl nmap nettools dnsutils
# infra # infra
terraform ansible_2_16 pythonPkgs terraform ansible_2_16 pythonPkgs
# security # security
pass bitwarden-cli yubikey-manager pwgen pass vault bitwarden-cli yubikey-manager pwgen
# cloud # cloud
aliyun-cli awscli doctl google-cloud-sdk aliyun-cli awscli doctl google-cloud-sdk
hcloud s3cmd scaleway-cli hcloud s3cmd scaleway-cli
@ -39,6 +40,8 @@
shellHook = '' shellHook = ''
./ansible/roles.py --check || \ ./ansible/roles.py --check || \
echo -e '\nWARNING: Your role versions appear to be incorrect!' >&2 echo -e '\nWARNING: Your role versions appear to be incorrect!' >&2
eval "$(direnv hook bash)"
direnv allow .
''; '';
}; };
}); });