Commit 68c1eb50a04c9042dec217cbe7bc1ce879cd8616 - python-castellan

Replaces _get_api_version with config option This patch fixes the issue when guessing the KV API version fails. From now on, a configuration option should be used to set vault's API version. Change-Id: I962b29519c189dddf9723689e6aaeed2cac3ff2c Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com> Moisés Guimarães de Medeiros 3 years ago

2 changed file(s) with 19 addition(s) and 21 deletion(s). Raw diff Collapse all Expand all

-21

castellan/key_manager/vault_key_manager.py less more

40	40
41	41	_DEFAULT_VAULT_URL = "http://127.0.0.1:8200"
42	42	_DEFAULT_MOUNTPOINT = "secret"
	43	_DEFAULT_VERSION = 2
43	44
44	45	_vault_opts = [
45	46	cfg.StrOpt('root_token_id',

52	53	default=_DEFAULT_MOUNTPOINT,
53	54	help='Mountpoint of KV store in Vault to use, for example: '
54	55	'{}'.format(_DEFAULT_MOUNTPOINT)),
	56	cfg.IntOpt('kv_version',
	57	default=_DEFAULT_VERSION,
	58	help='Version of KV store in Vault to use, for example: '
	59	'{}'.format(_DEFAULT_VERSION)),
55	60	cfg.StrOpt('vault_url',
56	61	default=_DEFAULT_VAULT_URL,
57	62	help='Use this endpoint to connect to Vault, for example: '

91	96	self._approle_token_ttl = None
92	97	self._approle_token_issue = None
93	98	self._kv_mountpoint = self._conf.vault.kv_mountpoint
	99	self._kv_version = self._conf.vault.kv_version
94	100	self._vault_url = self._conf.vault.vault_url
95	101	if self._vault_url.startswith("https://"):
96	102	self._verify_server = self._conf.vault.ssl_ca_crt_file or True
97	103	else:
98	104	self._verify_server = False
99		self._vault_kv_version = None
100	105
101	106	def _get_url(self):
102	107	if not self._vault_url.endswith('/'):
103	108	self._vault_url += '/'
104	109	return self._vault_url
105	110
106		def _get_api_version(self):
107		if self._vault_kv_version:
108		return self._vault_kv_version
109
110		resource_url = '{}v1/sys/internal/ui/mounts/{}'.format(
111		self._get_url(),
112		self._kv_mountpoint
113		)
114		resp = self._do_http_request(self._session.get, resource_url)
115
116		if resp.status_code == requests.codes['not_found']:
117		self._vault_kv_version = '1'
118		else:
119		self._vault_kv_version = resp.json()['data']['options']['version']
120
121		return self._vault_kv_version
122
123	111	def _get_resource_url(self, key_id=None):
124	112	return '{}v1/{}/{}{}'.format(
125	113	self._get_url(),
126	114	self._kv_mountpoint,
127	115
128		'' if self._get_api_version() == '1' else
	116	'' if self._kv_version == 1 else
129	117	'data/' if key_id else
130	118	'metadata/', # no key_id is for listing and 'data/' doesn't works
131	119

267	255	'name': value.name,
268	256	'created': value.created
269	257	}
270		if self._get_api_version() != '1':
	258	if self._kv_version > 1:
271	259	record = {'data': record}
272	260
273	261	self._do_http_request(self._session.post,

312	300	raise exception.ManagedObjectNotFoundError(uuid=key_id)
313	301
314	302	record = resp.json()['data']
315		if self._get_api_version() != '1':
	303	if self._kv_version > 1:
316	304	record = record['data']
317	305
318	306	key = None if metadata_only else binascii.unhexlify(record['value'])

+10

-0

releasenotes/notes/fix-vault-flaky-kv-api-version-b0cd9d62a39d2907.yaml less more

	0	---
	1	fixes:
	2	- \|
	3	In some situations, vault will not provide KV API version in the options
	4	structure. Vault documentation [1] doesn't cover cases when KV API version
	5	is not provided. A new configuration option, with default value equivalent
	6	to the latest KV API version available (kv_version=2) was added to allow
	7	precise configuration of the KV API being used.
	8
	9	[1] https://learn.hashicorp.com/vault/secrets-management/sm-versioned-kv