Attempting to add support to use Kubernetes secrets for vault root token, unseal keys and app role data
All checks were successful
Build and deploy Bridgeman Accessible Hashicorp Vault Implementation / deploy (push) Successful in 2m48s
parent
f8cb28246f
commit
dd5a8abd55
7 changed files with 171 additions and 21 deletions
@ -15,6 +15,7 @@
|
|||
import os, sys, subprocess, json, logging
|
||||
|
||||
from CommandRunner import CommandRunner
|
||||
from KubernetesSecretsManager import KubernetesSecretsManager
|
||||
|
||||
#def run_command(command):
|
||||
# try:
|
||||
|
|
@ -303,19 +304,31 @@ def main(token: str):
|
|||
# Create a role
|
||||
role_id, secret_id = create_app_role(role_name, policy_name)
|
||||
|
||||
# Save the role_id and secret_id to a backup file
|
||||
save_role_vars_to_backup_file(role_name, role_id, secret_id)
|
||||
if os.environ.get('MODE') == 'file':
|
||||
# Save the role_id and secret_id to a backup file
|
||||
save_role_vars_to_backup_file(role_name, role_id, secret_id)
|
||||
|
||||
# Save the role_id and secret_id to a file
|
||||
save_role_vars_to_file(role_id, secret_id)
|
||||
# Save the role_id and secret_id to a file
|
||||
save_role_vars_to_file(role_id, secret_id)
|
||||
else:
|
||||
# In Kubernetes mode we will create Kubernetes secrets with the role_id and secret_id instead of writing to files
|
||||
k8s_manager = KubernetesSecretsManager()
|
||||
if os.environ.get('ROLE_ID_SECRET_NAME') and os.environ.get('SECRET_ID_SECRET_NAME') and os.environ.get('ROLE_ID_SECRET_NAME') == os.environ.get('SECRET_ID_SECRET_NAME'):
|
||||
k8s_manager.publish_approle_credentials(os.environ.get('ROLE_ID_SECRET_NAME'), role_id, secret_id)
|
||||
else:
|
||||
# Get the existing role_id and secret_id
|
||||
role_id = get_role_id(role_name)
|
||||
secret_id = get_secret_id(role_name)
|
||||
|
||||
# Save the role_id and secret_id to a file
|
||||
# QUESTION: Should this be conditional on if the file already exists or not?
|
||||
save_role_vars_to_file(role_id, secret_id)
|
||||
if os.environ.get('MODE') == 'file':
|
||||
# Save the role_id and secret_id to a file
|
||||
# QUESTION: Should this be conditional on if the file already exists or not?
|
||||
save_role_vars_to_file(role_id, secret_id)
|
||||
else:
|
||||
# In Kubernetes mode we will create Kubernetes secrets with the role_id and secret_id instead of writing to files
|
||||
k8s_manager = KubernetesSecretsManager()
|
||||
if os.environ.get('ROLE_ID_SECRET_NAME') and os.environ.get('SECRET_ID_SECRET_NAME') and os.environ.get('ROLE_ID_SECRET_NAME') == os.environ.get('SECRET_ID_SECRET_NAME'):
|
||||
k8s_manager.publish_approle_credentials(os.environ.get('ROLE_ID_SECRET_NAME'), role_id, secret_id)
|
||||
|
||||
logging.info('AppRole setup complete')
|
||||
|
||||
|
|
|
|||
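Review bot: In the Kubernetes branch (the `else:` after `if os.environ.get('MODE') == 'file':`, duplicated in both the create-role and existing-role paths) the guard `if os.environ.get('ROLE_ID_SECRET_NAME') and os.environ.get('SECRET_ID_SECRET_NAME') and ... == ...` has no `else`, so when either variable is unset or the two names differ the AppRole credentials are published nowhere, yet `logging.info('AppRole setup complete')` still runs. On the create-role path that silently discards a freshly issued secret_id, leaving the role unusable with nothing in the logs explaining why. Add a failing `else:` branch, e.g. `raise RuntimeError('Kubernetes mode requires ROLE_ID_SECRET_NAME and SECRET_ID_SECRET_NAME to be set to the same secret name')`, and since the two persistence blocks are identical consider hoisting them into one `_persist_approle(role_name, role_id, secret_id)` helper. Whether requiring the two names to be equal is intentional (publish_approle_credentials takes a single name) is not visible from this hunk and deserves a comment on the guard. The enclosing `main(token: str)` and the outer `if`/`else` around the create-role call begin before this hunk.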