Codebase list python-castellan / afb539f
vault: support configuration of KV mountpoint Support end user configuration of KV store in Vault to use for key storage allowing more flexibility in Vault configuration. Change-Id: I625a819c2b9b542677258de709a9c520fb86858b Closes-Bug: 1797148 James Page 4 years ago
4 changed file(s) with 48 addition(s) and 4 deletion(s). Raw diff Collapse all Expand all
+12
-2
castellan/key_manager/vault_key_manager.py less more
4343 from castellan.key_manager import key_manager
4444
4545 DEFAULT_VAULT_URL = "http://127.0.0.1:8200"
46 DEFAULT_MOUNTPOINT = "secret"
4647
4748 vault_opts = [
4849 cfg.StrOpt('root_token_id',
5152 help='AppRole role_id for authentication with vault'),
5253 cfg.StrOpt('approle_secret_id',
5354 help='AppRole secret_id for authentication with vault'),
55 cfg.StrOpt('kv_mountpoint',
56 default=DEFAULT_MOUNTPOINT,
57 help='Mountpoint of KV store in Vault to use, for example: '
58 '{}'.format(DEFAULT_MOUNTPOINT)),
5459 cfg.StrOpt('vault_url',
5560 default=DEFAULT_VAULT_URL,
5661 help='Use this endpoint to connect to Vault, for example: '
97102 self._cached_approle_token_id = None
98103 self._approle_token_ttl = None
99104 self._approle_token_issue = None
105 self._kv_mountpoint = self._conf.vault.kv_mountpoint
100106 self._vault_url = self._conf.vault.vault_url
101107 if self._vault_url.startswith("https://"):
102108 self._verify_server = self._conf.vault.ssl_ca_crt_file or True
113119 if self._vault_kv_version:
114120 return self._vault_kv_version
115121
116 resource_url = self._get_url() + 'v1/sys/internal/ui/mounts/secret'
122 resource_url = '{}v1/sys/internal/ui/mounts/{}'.format(
123 self._get_url(),
124 self._kv_mountpoint
125 )
117126 resp = self._do_http_request(self._session.get, resource_url)
118127
119128 if resp.status_code == requests.codes['not_found']:
124133 return self._vault_kv_version
125134
126135 def _get_resource_url(self, key_id=None):
127 return '{}v1/secret/{}{}'.format(
136 return '{}v1/{}/{}{}'.format(
128137 self._get_url(),
138 self._kv_mountpoint,
129139
130140 '' if self._get_api_version() == '1' else
131141 'data/' if key_id else
+5
-1
castellan/options.py less more
4040 retry_delay=None, number_of_retries=None, verify_ssl=None,
4141 api_class=None, vault_root_token_id=None,
4242 vault_approle_role_id=None, vault_approle_secret_id=None,
43 vault_url=None,
43 vault_kv_mountpoint=None, vault_url=None,
4444 vault_ssl_ca_crt_file=None, vault_use_ssl=None,
4545 barbican_endpoint_type=None):
4646 """Set defaults for configuration values.
5858 :param vault_approle_role_id: Use this for the approle role_id for vault.
5959 :param vault_approle_secret_id: Use this for the approle secret_id
6060 for vault.
61 :param vault_kv_mountpoint: Mountpoint of KV store in vault to use.
6162 :param vault_url: Use this for the url for vault.
6263 :param vault_use_ssl: Use this to force vault driver to use ssl.
6364 :param vault_ssl_ca_crt_file: Use this for the CA file for vault.
108109 if vault_approle_secret_id is not None:
109110 conf.set_default('approle_secret_id', vault_approle_secret_id,
110111 group=vkm.VAULT_OPT_GROUP)
112 if vault_kv_mountpoint is not None:
113 conf.set_default('kv_mountpoint', vault_kv_mountpoint,
114 group=vkm.VAULT_OPT_GROUP)
111115 if vault_url is not None:
112116 conf.set_default('vault_url', vault_url,
113117 group=vkm.VAULT_OPT_GROUP)
+25
-1
castellan/tests/functional/key_manager/test_vault_key_manager.py less more
129129
130130 class VaultKeyManagerAppRoleTestCase(VaultKeyManagerOSLOContextTestCase):
131131
132 mountpoint = 'secret'
133
132134 def _create_key_manager(self):
133135 key_mgr = vault_key_manager.VaultKeyManager(cfg.CONF)
134136
146148 self.session = requests.Session()
147149 self.session.headers.update({'X-Vault-Token': self.root_token_id})
148150
151 self._mount_kv(self.mountpoint)
149152 self._enable_approle()
150153 self._create_policy(vault_policy)
151154 self._create_approle(vault_approle, vault_policy)
153156 key_mgr._approle_role_id, key_mgr._approle_secret_id = (
154157 self._retrieve_approle(vault_approle)
155158 )
159 key_mgr._kv_mountpoint = self.mountpoint
156160 key_mgr._vault_url = self.vault_url
157161 return key_mgr
162
163 def _mount_kv(self, vault_mountpoint):
164 backends = self.session.get(
165 '{}/v1/sys/mounts'.format(self.vault_url)).json()
166 if vault_mountpoint not in backends:
167 params = {
168 'type': 'kv',
169 'options': {
170 'version': 2,
171 }
172 }
173 self.session.post(
174 '{}/v1/sys/mounts/{}'.format(self.vault_url,
175 vault_mountpoint),
176 json=params)
158177
159178 def _enable_approle(self):
160179 params = {
170189
171190 def _create_policy(self, vault_policy):
172191 params = {
173 'rules': TEST_POLICY.format(backend='secret'),
192 'rules': TEST_POLICY.format(backend=self.mountpoint),
174193 }
175194 self.session.put(
176195 '{}/{}'.format(
212231 )).json()['data']['secret_id']
213232 )
214233 return (approle_role_id, approle_secret_id)
234
235
236 class VaultKeyManagerAltMountpointTestCase(VaultKeyManagerAppRoleTestCase):
237
238 mountpoint = 'different-secrets'
+6
-0
releasenotes/notes/vault-kv-mountpoint-919eb547764a0c74.yaml less more
0 ---
1 features:
2 - |
3 Added configuration option to the Vault key manager to allow
4 the KV store mountpoint in Vault to be specified; the existing
5 default of 'secret' is maintained.