vault: add lookup plugin and certificate file

Signed-off-by: Alexis Pentori <alexis@status.im>
2024-07-05 16:23:30 +02:00 · 2024-07-05 16:23:30 +02:00 · c1b14ab9b5
parent adde766742
commit c1b14ab9b5
3 changed files with 91 additions and 2 deletions
--- a/3
+++ b/3
@ -43,6 +43,9 @@ secrets:
 	pass services/consul/ca-crt > ansible/files/consul-ca.crt
 	pass services/consul/client-crt > ansible/files/consul-client.crt
 	pass services/consul/client-key > ansible/files/consul-client.key
+	pass services/vault/certs/root-ca/cert > ansible/files/vault-ca.crt
+	pass services/vault/certs/client-user/cert > ansible/files/vault-client-user.crt
+	pass services/vault/certs/client-user/privkey > ansible/files/vault-client-user.key

 consul-token-check:
 ifndef CONSUL_HTTP_TOKEN
--- a/ansible/lookup_plugins/vault.py
+++ b/ansible/lookup_plugins/vault.py
@ -0,0 +1,85 @@
+#!/usr/bin/env python
+
+import json
+import sys
+import os
+import hvac
+
+
+from ansible.errors import AnsibleError
+from ansible.plugins.lookup import LookupBase
+
+try:
+    from __main__ import display
+except ImportError:
+    from ansible.utils.display import Display
+    display = Display()
+
+
+DOCUMENTATION = """
+lookup: vault
+auth:
+    -  Alexis Pentori <alexis@status.im>
+requirements:
+    - hvac library
+    - VAULT_ADDR environment var
+    - VAULT_TOKEN environment var
+short_description: look up data from a Hashicorp vault
+decription:
+    - Use the hvac library  to grab one or more items stored in a Hashicorp Vault
+options:
+    path:
+        description: path of the secret in the Vault
+        required: true
+    field:
+        description: field to return from vault
+        required: true
+"""
+
+Examples = """
+- name: get 'username' from Vault entry 'test'
+  debug:
+    msg: "{{ lookup('vault, 'test', field='username' ) }}"
+"""
+
+RETURN = """
+  _raw:
+    description:
+      - Items for Hashicorp Vault
+"""
+
+class LookupModule(LookupBase):
+
+    def run(self, terms, **kwargs):
+        VAULT_CACERT      = os.environ.get('VAULT_CACERT',      './ansible/files/vault-ca.crt')
+        VAULT_CLIENT_CERT = os.environ.get('VAULT_CLIENT_CERT', './ansible/files/vault-client-user.crt')
+        VAULT_CLIENT_KEY  = os.environ.get('VAULT_CLIENT_KEY',  './ansible/files/vault-client-user.key')
+
+        self.vault = hvac.Client(cert=(VAULT_CLIENT_CERT, VAULT_CLIENT_KEY),verify=VAULT_CACERT)
+        values = []
+
+        for term in terms:
+            rval = self.lookup(term, kwargs)
+            if rval is None:
+                raise AnsibleError("No matching term, field found!")
+            values.append(rval)
+
+        return values
+
+    def lookup(self, term, kwargs):
+        field  = kwargs.get('field')
+        val = self.vault.secrets.kv.read_secret_version(term)
+        if val:
+            return str(val['data']['data'][field])
+
+
+def main():
+    if len(sys.argv) < 3:
+        print("Usage: %s <path> <field>" % os.path.basename(__file__))
+        return -1
+    print(LookupModule().run(sys.argv[1], field=sys.argv[2]))
+
+    return 0
+
+if __name__ == "__main__":
+    sys.exit(main())
--- a/flake.nix
+++ b/flake.nix
@ -15,10 +15,11 @@
        pkgs = pkgsFor.${system};
      in {
        default = let
-          pythonPkgs = pkgs.python310.withPackages (
-            _: with (pkgs.python310Packages); [
+          pythonPkgs = pkgs.python311.withPackages (
+            _: with (pkgs.python311Packages); [
              ipython pyyaml jinja2 PyGithub
              pyopenssl cryptography
+              hvac
            ]
          );
        in pkgs.mkShellNoCC {