kolla-ansible/kolla_ansible/hashi_vault.py
Scott Solkhon 6bf74aa20d Support storing passwords in Hashicorp Vault
This commit adds two new cli commands to allow an operator
to read and write passwords into a configured Hashicorp Vault
KV.

Change-Id: Icf0eaf7544fcbdf7b83f697cc711446f47118a4d
2021-06-30 15:16:12 +01:00


#!/usr/bin/env python3
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import os
import sys
import hvac
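def hashicorp_vault_client(vault_namespace, vault_addr, vault_role_id,
                           vault_secret_id, vault_token, vault_cacert):
    """Connect to a Vault server and return an authenticated client.

    Exactly one authentication method must be supplied: either a Vault
    token, or an AppRole role-id together with its secret-id. Any other
    combination is reported on stderr and the process exits with status 1.

    :param vault_namespace: Vault namespace (enterprise only). Passed to the
                            client as given.
    :param vault_addr: Address of an existing Hashicorp Vault server.
    :param vault_role_id: AppRole Role-ID. Must be used together with
                          ``vault_secret_id``.
    :param vault_secret_id: AppRole Secret-ID. Must be used together with
                            ``vault_role_id``.
    :param vault_token: Vault token to authenticate with. Mutually exclusive
                        with role-id/secret-id.
    :param vault_cacert: Path to a CA certificate bundle used to verify the
                         Vault server's TLS certificate. An empty string or
                         ``None`` keeps the default (system trust store)
                         verification; TLS verification is never disabled.
    :returns: Authenticated Hashicorp Vault client (hvac.Client).
    :raises SystemExit: with exit status 1 on an invalid credential
                        combination or when authentication fails.
    """
    # Truthiness is used throughout so that ``None`` and ``""`` are treated
    # alike; the original mix of ``any()`` checks and ``!= ""`` comparisons
    # let a ``None`` token fall through into token mode with role-id set.
    if vault_role_id or vault_secret_id:
        if vault_token:
            print("ERROR: Vault token cannot be used at the same time as "
                  "role-id and secret-id", file=sys.stderr)
            sys.exit(1)
        if not (vault_role_id and vault_secret_id):
            print("ERROR: role-id and secret-id must be provided together",
                  file=sys.stderr)
            sys.exit(1)
    elif not vault_token:
        print("ERROR: You must provide either a Vault token or role-id and "
              "secret-id", file=sys.stderr)
        sys.exit(1)

    # Scope the CA bundle to this client through requests' ``verify`` instead
    # of exporting REQUESTS_CA_BUNDLE: mutating os.environ would silently
    # redirect TLS trust for every other HTTP call made in this process (and
    # raised TypeError when the value was ``None``). ``True`` means "verify
    # against the default trust store", never "skip verification".
    verify = vault_cacert if vault_cacert else True

    if vault_token:
        client = hvac.Client(url=vault_addr, token=vault_token,
                             namespace=vault_namespace, verify=verify)
    else:
        client = hvac.Client(url=vault_addr, namespace=vault_namespace,
                             verify=verify)
        # AppRole login; hvac stores the issued token on the client. The
        # secret-id is sent only over the (verified) TLS session above.
        client.auth_approle(vault_role_id, vault_secret_id)

    # Diagnostics go to stderr so they never pollute stdout, which callers
    # of the password read/write commands may capture or pipe.
    if not client.is_authenticated():
        print('Failed to authenticate to vault', file=sys.stderr)
        sys.exit(1)
    return client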