mirror of
https://github.com/ansible-collections/community.general.git
synced 2025-04-30 06:11:26 -07:00
bc4ef99533
* openstack: standardize tls params * tower: tower_verify_ssl->validate_certs * docker: use standard tls config params - cacert_path -> ca_cert - cert_path -> client_cert - key_path -> client_key - tls_verify -> validate_certs * k8s: standardize tls connection params - verify_ssl -> validate_certs - ssl_ca_cert -> ca_cert - cert_file -> client_cert - key_file -> client_key * ingate: verify_ssl -> validate_certs * manageiq: standardize tls params - verify_ssl -> validate_certs - ca_bundle_path -> ca_cert * mysql: standardize tls params - ssl_ca -> ca_cert - ssl_cert -> client_cert - ssl_key -> client_key * nios: ssl_verify -> validate_certs * postgresql: ssl_rootcert -> ca_cert * rabbitmq: standardize tls params - cacert -> ca_cert - cert -> client_cert - key -> client_key * rackspace: verify_ssl -> validate_certs * vca: verify_certs -> validate_certs * kubevirt_cdi_upload: upload_host_verify_ssl -> upload_host_validate_certs * lxd: standardize tls params - key_file -> client_key - cert_file -> client_cert * get_certificate: ca_certs -> ca_cert * get_certificate.py: clarify one or more certs in a file Co-Authored-By: jamescassell <code@james.cassell.me> * zabbix: tls_issuer -> ca_cert * bigip_device_auth_ldap: standardize tls params - ssl_check_peer -> validate_certs - ssl_client_cert -> client_cert - ssl_client_key -> client_key - ssl_ca_cert -> ca_cert * vdirect: vdirect_validate_certs -> validate_certs * mqtt: standardize tls params - ca_certs -> ca_cert - certfile -> client_cert - keyfile -> client_key * pulp_repo: standardize tls params remove `importer_ssl` prefix * rhn_register: sslcacert -> ca_cert * yum_repository: standardize tls params The fix for yum_repository is not straightforward since this module is only a thin wrapper for the underlying commands and config. In this case, we add the new values as aliases, keeping the old as primary, only due to the internal structure of the module. Aliases added: - sslcacert -> ca_cert - sslclientcert -> client_cert - sslclientkey -> client_key - sslverify -> validate_certs * gitlab_hook: enable_ssl_verification -> hook_validate_certs * Adjust arguments for docker_swarm inventory plugin. * foreman callback: standardize tls params - ssl_cert -> client_cert - ssl_key -> client_key * grafana_annotations: validate_grafana_certs -> validate_certs * nrdp callback: validate_nrdp_certs -> validate_certs * kubectl connection: standardize tls params - kubectl_cert_file -> client_cert - kubectl_key_file -> client_key - kubectl_ssl_ca_cert -> ca_cert - kubectl_verify_ssl -> validate_certs * oc connection: standardize tls params - oc_cert_file -> client_cert - oc_key_file -> client_key - oc_ssl_ca_cert -> ca_cert - oc_verify_ssl -> validate_certs * psrp connection: cert_trust_path -> ca_cert TODO: cert_validation -> validate_certs (multi-valued vs bool) * k8s inventory: standardize tls params - cert_file -> client_cert - key_file -> client_key - ca_cert -> ca_cert - verify_ssl -> validate_certs * openshift inventory: standardize tls params - cert_file -> client_cert - key_file -> client_key - ca_cert -> ca_cert - verify_ssl -> validate_certs * tower inventory: verify_ssl -> validate_certs * hashi_vault lookup: cacert -> ca_cert * k8s lookup: standardize tls params - cert_file -> client_cert - key_file -> client_key - ca_cert -> ca_cert - verify_ssl -> validate_certs * laps_passord lookup: cacert_file -> ca_cert * changelog for TLS parameter standardization
282 lines
10 KiB
Python
282 lines
10 KiB
Python
# (c) 2015, Jonathan Davila <jonathan(at)davila.io>
|
|
# (c) 2017 Ansible Project
|
|
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
|
|
from __future__ import (absolute_import, division, print_function)
|
|
__metaclass__ = type
|
|
|
|
DOCUMENTATION = """
|
|
lookup: hashi_vault
|
|
author: Jonathan Davila <jdavila(at)ansible.com>
|
|
version_added: "2.0"
|
|
short_description: retrieve secrets from HashiCorp's vault
|
|
requirements:
|
|
- hvac (python library)
|
|
description:
|
|
- retrieve secrets from HashiCorp's vault
|
|
notes:
|
|
- Due to a current limitation in the HVAC library there won't necessarily be an error if a bad endpoint is specified.
|
|
options:
|
|
secret:
|
|
description: query you are making.
|
|
required: True
|
|
token:
|
|
description: vault token.
|
|
env:
|
|
- name: VAULT_TOKEN
|
|
url:
|
|
description: URL to vault service.
|
|
env:
|
|
- name: VAULT_ADDR
|
|
default: 'http://127.0.0.1:8200'
|
|
username:
|
|
description: Authentication user name.
|
|
password:
|
|
description: Authentication password.
|
|
role_id:
|
|
description: Role id for a vault AppRole auth.
|
|
env:
|
|
- name: VAULT_ROLE_ID
|
|
secret_id:
|
|
description: Secret id for a vault AppRole auth.
|
|
env:
|
|
- name: VAULT_SECRET_ID
|
|
auth_method:
|
|
description:
|
|
- Authentication method to be used.
|
|
- C(userpass) is added in version 2.8.
|
|
env:
|
|
- name: VAULT_AUTH_METHOD
|
|
choices:
|
|
- userpass
|
|
- ldap
|
|
- approle
|
|
mount_point:
|
|
description: vault mount point, only required if you have a custom mount point.
|
|
default: ldap
|
|
ca_cert:
|
|
description: path to certificate to use for authentication.
|
|
aliases: [ cacert ]
|
|
validate_certs:
|
|
description: controls verification and validation of SSL certificates, mostly you only want to turn off with self signed ones.
|
|
type: boolean
|
|
default: True
|
|
namespace:
|
|
version_added: "2.8"
|
|
description: namespace where secrets reside. requires HVAC 0.7.0+ and Vault 0.11+.
|
|
default: None
|
|
"""
|
|
|
|
EXAMPLES = """
|
|
- debug:
|
|
msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200')}}"
|
|
|
|
- name: Return all secrets from a path
|
|
debug:
|
|
msg: "{{ lookup('hashi_vault', 'secret=secret/hello token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200')}}"
|
|
|
|
- name: Vault that requires authentication via LDAP
|
|
debug:
|
|
msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=ldap mount_point=ldap username=myuser password=mypas url=http://myvault:8200')}}"
|
|
|
|
- name: Vault that requires authentication via username and password
|
|
debug:
|
|
msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=userpass username=myuser password=mypas url=http://myvault:8200')}}"
|
|
|
|
- name: Using an ssl vault
|
|
debug:
|
|
msg: "{{ lookup('hashi_vault', 'secret=secret/hola:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=https://myvault:8200 validate_certs=False')}}"
|
|
|
|
- name: using certificate auth
|
|
debug:
|
|
msg: "{{ lookup('hashi_vault', 'secret=secret/hi:value token=xxxx-xxx-xxx url=https://myvault:8200 validate_certs=True cacert=/cacert/path/ca.pem')}}"
|
|
|
|
- name: authenticate with a Vault app role
|
|
debug:
|
|
msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=approle role_id=myroleid secret_id=mysecretid url=http://myvault:8200')}}"
|
|
|
|
- name: Return all secrets from a path in a namespace
|
|
debug:
|
|
msg: "{{ lookup('hashi_vault', 'secret=secret/hello token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200 namespace=teama/admins')}}"
|
|
"""
|
|
|
|
RETURN = """
|
|
_raw:
|
|
description:
|
|
- secrets(s) requested
|
|
"""
|
|
|
|
import os
|
|
|
|
from ansible.errors import AnsibleError
|
|
from ansible.module_utils.parsing.convert_bool import boolean
|
|
from ansible.plugins.lookup import LookupBase
|
|
|
|
HAS_HVAC = False
|
|
try:
|
|
import hvac
|
|
HAS_HVAC = True
|
|
except ImportError:
|
|
HAS_HVAC = False
|
|
|
|
|
|
ANSIBLE_HASHI_VAULT_ADDR = 'http://127.0.0.1:8200'
|
|
|
|
if os.getenv('VAULT_ADDR') is not None:
|
|
ANSIBLE_HASHI_VAULT_ADDR = os.environ['VAULT_ADDR']
|
|
|
|
|
|
class HashiVault:
|
|
def __init__(self, **kwargs):
|
|
|
|
self.url = kwargs.get('url', ANSIBLE_HASHI_VAULT_ADDR)
|
|
self.namespace = kwargs.get('namespace', None)
|
|
self.avail_auth_method = ['approle', 'userpass', 'ldap']
|
|
|
|
# split secret arg, which has format 'secret/hello:value' into secret='secret/hello' and secret_field='value'
|
|
s = kwargs.get('secret')
|
|
if s is None:
|
|
raise AnsibleError("No secret specified for hashi_vault lookup")
|
|
|
|
s_f = s.rsplit(':', 1)
|
|
self.secret = s_f[0]
|
|
if len(s_f) >= 2:
|
|
self.secret_field = s_f[1]
|
|
else:
|
|
self.secret_field = ''
|
|
|
|
self.verify = self.boolean_or_cacert(kwargs.get('validate_certs', True), kwargs.get('cacert', ''))
|
|
|
|
# If a particular backend is asked for (and its method exists) we call it, otherwise drop through to using
|
|
# token auth. This means if a particular auth backend is requested and a token is also given, then we
|
|
# ignore the token and attempt authentication against the specified backend.
|
|
#
|
|
# to enable a new auth backend, simply add a new 'def auth_<type>' method below.
|
|
#
|
|
self.auth_method = kwargs.get('auth_method', os.environ.get('VAULT_AUTH_METHOD'))
|
|
self.verify = self.boolean_or_cacert(kwargs.get('validate_certs', True), kwargs.get('cacert', ''))
|
|
if self.auth_method and self.auth_method != 'token':
|
|
try:
|
|
if self.namespace is not None:
|
|
self.client = hvac.Client(url=self.url, verify=self.verify, namespace=self.namespace)
|
|
else:
|
|
self.client = hvac.Client(url=self.url, verify=self.verify)
|
|
# prefixing with auth_ to limit which methods can be accessed
|
|
getattr(self, 'auth_' + self.auth_method)(**kwargs)
|
|
except AttributeError:
|
|
raise AnsibleError("Authentication method '%s' not supported."
|
|
" Available options are %r" % (self.auth_method, self.avail_auth_method))
|
|
else:
|
|
self.token = kwargs.get('token', os.environ.get('VAULT_TOKEN', None))
|
|
if self.token is None and os.environ.get('HOME'):
|
|
token_filename = os.path.join(
|
|
os.environ.get('HOME'),
|
|
'.vault-token'
|
|
)
|
|
if os.path.exists(token_filename):
|
|
with open(token_filename) as token_file:
|
|
self.token = token_file.read().strip()
|
|
|
|
if self.token is None:
|
|
raise AnsibleError("No Vault Token specified")
|
|
|
|
if self.namespace is not None:
|
|
self.client = hvac.Client(url=self.url, token=self.token, verify=self.verify, namespace=self.namespace)
|
|
else:
|
|
self.client = hvac.Client(url=self.url, token=self.token, verify=self.verify)
|
|
|
|
if not self.client.is_authenticated():
|
|
raise AnsibleError("Invalid Hashicorp Vault Token Specified for hashi_vault lookup")
|
|
|
|
def get(self):
|
|
data = self.client.read(self.secret)
|
|
|
|
if data is None:
|
|
raise AnsibleError("The secret %s doesn't seem to exist for hashi_vault lookup" % self.secret)
|
|
|
|
if self.secret_field == '':
|
|
return data['data']
|
|
|
|
if self.secret_field not in data['data']:
|
|
raise AnsibleError("The secret %s does not contain the field '%s'. for hashi_vault lookup" % (self.secret, self.secret_field))
|
|
|
|
return data['data'][self.secret_field]
|
|
|
|
def check_params(self, **kwargs):
|
|
username = kwargs.get('username')
|
|
if username is None:
|
|
raise AnsibleError("Authentication method %s requires a username" % self.auth_method)
|
|
|
|
password = kwargs.get('password')
|
|
if password is None:
|
|
raise AnsibleError("Authentication method %s requires a password" % self.auth_method)
|
|
|
|
mount_point = kwargs.get('mount_point')
|
|
|
|
return username, password, mount_point
|
|
|
|
def auth_userpass(self, **kwargs):
|
|
username, password, mount_point = self.check_params(**kwargs)
|
|
if mount_point is None:
|
|
mount_point = 'userpass'
|
|
|
|
self.client.auth_userpass(username, password, mount_point=mount_point)
|
|
|
|
def auth_ldap(self, **kwargs):
|
|
username, password, mount_point = self.check_params(**kwargs)
|
|
if mount_point is None:
|
|
mount_point = 'ldap'
|
|
|
|
self.client.auth_ldap(username, password, mount_point=mount_point)
|
|
|
|
def boolean_or_cacert(self, validate_certs, cacert):
|
|
validate_certs = boolean(validate_certs, strict=False)
|
|
'''' return a bool or cacert '''
|
|
if validate_certs is True:
|
|
if cacert != '':
|
|
return cacert
|
|
else:
|
|
return True
|
|
else:
|
|
return False
|
|
|
|
def auth_approle(self, **kwargs):
|
|
role_id = kwargs.get('role_id', os.environ.get('VAULT_ROLE_ID', None))
|
|
if role_id is None:
|
|
raise AnsibleError("Authentication method app role requires a role_id")
|
|
|
|
secret_id = kwargs.get('secret_id', os.environ.get('VAULT_SECRET_ID', None))
|
|
if secret_id is None:
|
|
raise AnsibleError("Authentication method app role requires a secret_id")
|
|
|
|
self.client.auth_approle(role_id, secret_id)
|
|
|
|
|
|
class LookupModule(LookupBase):
|
|
def run(self, terms, variables=None, **kwargs):
|
|
if not HAS_HVAC:
|
|
raise AnsibleError("Please pip install hvac to use the hashi_vault lookup module.")
|
|
|
|
vault_args = terms[0].split()
|
|
vault_dict = {}
|
|
ret = []
|
|
|
|
for param in vault_args:
|
|
try:
|
|
key, value = param.split('=')
|
|
except ValueError:
|
|
raise AnsibleError("hashi_vault lookup plugin needs key=value pairs, but received %s" % terms)
|
|
vault_dict[key] = value
|
|
|
|
if 'ca_cert' in vault_dict.keys():
|
|
vault_dict['cacert'] = vault_dict['ca_cert']
|
|
vault_dict.pop('ca_cert', None)
|
|
|
|
vault_conn = HashiVault(**vault_dict)
|
|
|
|
for term in terms:
|
|
key = term.split()[0]
|
|
value = vault_conn.get()
|
|
ret.append(value)
|
|
|
|
return ret
|