hashi_vault module - Add verify param to support ssl Vault (#25159)
* Fix conflic with HVAC library check * Fix pep8 error * hashi_vault add validate_certs parameter
This commit is contained in:
Manuvaldi
Jonathan Davila
parent
0fc0b6f059
commit
3ff67fc217
1 changed files with 25 additions and 1 deletions
|
|
@ -23,6 +23,15 @@
|
|||
#
|
||||
# The mount_point param defaults to ldap, so is only required if you have a custom mount point.
|
||||
#
|
||||
# To use a ssl Vault add verify param:
|
||||
#
|
||||
# USAGE: {{ lookup('hashi_vault', 'secret=secret/hello:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=https://myvault:8200 validate_certs=False')}}
|
||||
#
|
||||
# The validate_certs param posible values are: True or False. By default it's in True. If False no verify of ssl will be done.
|
||||
# To use ca certificate file you can specify the path as parameter cacert
|
||||
#
|
||||
# USAGE: {{ lookup('hashi_vault', 'secret=secret/hello:value token=xxxx-xxx-xxx url=https://myvault:8200 validate_certs=True cacert=/cacert/path/ca.pem')}}
|
||||
#
|
||||
# You can skip setting the url if you set the VAULT_ADDR environment variable
|
||||
# or if you want it to default to localhost:8200
|
||||
#
|
||||
|
|
@ -38,6 +47,7 @@ import os
|
|||
|
||||
from ansible.errors import AnsibleError
|
||||
from ansible.plugins.lookup import LookupBase
|
||||
from ansible.constants import mk_boolean as boolean
|
||||
|
||||
HAS_HVAC = False
|
||||
try:
|
||||
|
|
@ -46,6 +56,7 @@ try:
|
|||
except ImportError:
|
||||
HAS_HVAC = False
|
||||
|
||||
|
||||
ANSIBLE_HASHI_VAULT_ADDR = 'http://127.0.0.1:8200'
|
||||
|
||||
if os.getenv('VAULT_ADDR') is not None:
|
||||
|
|
@ -101,7 +112,9 @@ class HashiVault:
|
|||
if self.token is None:
|
||||
raise AnsibleError("No Vault Token specified")
|
||||
|
||||
self.client = hvac.Client(url=self.url, token=self.token)
|
||||
self.verify = self.boolean_or_cacert(kwargs.get('validate_certs', True), kwargs.get('cacert', ''))
|
||||
|
||||
self.client = hvac.Client(url=self.url, token=self.token, verify=self.verify)
|
||||
|
||||
if not self.client.is_authenticated():
|
||||
raise AnsibleError("Invalid Hashicorp Vault Token Specified for hashi_vault lookup")
|
||||
|
|
@ -135,6 +148,17 @@ class HashiVault:
|
|||
|
||||
self.client.auth_ldap(username, password, mount_point)
|
||||
|
||||
def boolean_or_cacert(self, validate_certs, cacert):
|
||||
validate_certs = boolean(validate_certs)
|
||||
'''' return a bool or cacert '''
|
||||
if validate_certs is True:
|
||||
if cacert != '':
|
||||
return cacert
|
||||
else:
|
||||
return True
|
||||
else:
|
||||
return False
|
||||
|
||||
|
||||
class LookupModule(LookupBase):
|
||||
def run(self, terms, variables, **kwargs):
|
||||
|
|
|
|||
Loading…
Reference in a new issue