Attempting to add support to use Kubernetes secrets for vault root token, unseal keys and app role data
All checks were successful
Build and deploy Bridgeman Accessible Hashicorp Vault Implementation / deploy (push) Successful in 2m48s
All checks were successful
Build and deploy Bridgeman Accessible Hashicorp Vault Implementation / deploy (push) Successful in 2m48s
This commit is contained in:
Alan Bridgeman
parent
f8cb28246f
commit
dd5a8abd55
7 changed files with 171 additions and 21 deletions
|
|
@ -1,5 +1,6 @@
|
|||
import os, json
|
||||
from CommandRunner import CommandRunner
|
||||
from KubernetesSecretsManager import KubernetesSecretsManager
|
||||
|
||||
class Initializer:
|
||||
def check_if_initialized(self) -> bool:
|
||||
|
|
@ -83,8 +84,13 @@ class Initializer:
|
|||
# UPDATE: Is mounted as a volume instead
|
||||
#CommandRunner.run_command('mkdir /vault/creds')
|
||||
|
||||
self.create_unseal_keys_file()
|
||||
self.create_root_token_file()
|
||||
if os.environ.get('MODE') == 'file':
|
||||
self.create_unseal_keys_file()
|
||||
self.create_root_token_file()
|
||||
else:
|
||||
k8s_manager = KubernetesSecretsManager()
|
||||
k8s_manager.publish_unseal_keys_credentials('vault-unseal-keys', self.unseal_keys)
|
||||
k8s_manager.publish_root_token_credentials('vault-root-token', self.root_token)
|
||||
|
||||
def is_vault_sealed(self) -> bool:
|
||||
"""Check if the vault is sealed or not
|
||||
|
|
@ -164,7 +170,7 @@ class Initializer:
|
|||
print(f'Policy Capabilities: {os.getenv("POLICY_CAPABILITIES")}')
|
||||
|
||||
# Run the custom entrypoint Python script
|
||||
CommandRunner.run_command_in_real_time(f'python3 /setup-scripts/app-role-access.py {self.root_token}')
|
||||
CommandRunner.run_command_in_real_time(f'source .venv/bin/activate && python3 /vault/setup/setup-scripts/app-role-access.py {self.root_token}')
|
||||
|
||||
def main():
|
||||
initializer = Initializer()
|
||||
|
|
@ -174,11 +180,15 @@ def main():
|
|||
if not initializer.check_if_initialized():
|
||||
initializer.init_vault()
|
||||
|
||||
# This is just a safety check/measure to ensure the script can continue
|
||||
# The only time this would likely be triggered is if there was some kind of PV desyncronization but it shouldn't really happen.
|
||||
if not initializer.check_root_token_and_unseal_keys_files_exist():
|
||||
raise RuntimeError('Vault is in an inconsistent state for this script to continue. Please ensure the vault can be initialized OR both the root token and unseal keys files exist alongside and initialized vault.')
|
||||
|
||||
if os.environ.get('MODE') == 'file':
|
||||
# This is just a safety check / measure to ensure the script can continue
|
||||
# The only time this would likely be triggered is if there was some kind of PV desyncronization but it shouldn't really happen.
|
||||
if not initializer.check_root_token_and_unseal_keys_files_exist():
|
||||
raise RuntimeError('Vault is in an inconsistent state for this script to continue. Please ensure the vault can be initialized OR both the root token and unseal keys files exist alongside and initialized vault.')
|
||||
else:
|
||||
# In Kubernetes mode we expect the secrets to be created so we can pull them back down if needed, but we don't necessarily need to check for them here since we aren't relying on files for the credentials in this mode.
|
||||
pass
|
||||
|
||||
# Check if the vault is sealed (as we need to unseal it to set it up)
|
||||
if initializer.is_vault_sealed():
|
||||
initializer.unseal_vault()
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue