hashi_vault module - Add verify param to support ssl Vault (#25159)
* Fix conflict with HVAC library check * Fix pep8 error * hashi_vault add validate_certs parameter
parent
0fc0b6f059
commit
3ff67fc217
1 changed files with 25 additions and 1 deletions
@ -23,6 +23,15 @@
#
#
# The mount_point param defaults to ldap, so is only required if you have a custom mount point.
# The mount_point param defaults to ldap, so is only required if you have a custom mount point.
#
#
# To use a ssl Vault add verify param:
#
# USAGE: {{ lookup('hashi_vault', 'secret=secret/hello:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=https://myvault:8200 validate_certs=False')}}
#
# The validate_certs param posible values are: True or False. By default it's in True. If False no verify of ssl will be done.
# To use ca certificate file you can specify the path as parameter cacert
#
# USAGE: {{ lookup('hashi_vault', 'secret=secret/hello:value token=xxxx-xxx-xxx url=https://myvault:8200 validate_certs=True cacert=/cacert/path/ca.pem')}}
#
# You can skip setting the url if you set the VAULT_ADDR environment variable
# You can skip setting the url if you set the VAULT_ADDR environment variable
# or if you want it to default to localhost:8200
# or if you want it to default to localhost:8200
#
#
@ -38,6 +47,7 @@ import os
from ansible.errors import AnsibleError
from ansible.errors import AnsibleError
from ansible.plugins.lookup import LookupBase
from ansible.plugins.lookup import LookupBase
from ansible.constants import mk_boolean as boolean
HAS_HVAC = False
HAS_HVAC = False
try:
try:
@ -46,6 +56,7 @@ try:
except ImportError:
except ImportError:
HAS_HVAC = False
HAS_HVAC = False
ANSIBLE_HASHI_VAULT_ADDR = 'http://127.0.0.1:8200'
ANSIBLE_HASHI_VAULT_ADDR = 'http://127.0.0.1:8200'
if os.getenv('VAULT_ADDR') is not None:
if os.getenv('VAULT_ADDR') is not None:
@ -101,7 +112,9 @@ class HashiVault:
if self.token is None:
if self.token is None:
raise AnsibleError("No Vault Token specified")
raise AnsibleError("No Vault Token specified")
self.client = hvac.Client(url=self.url, token=self.token)
self.verify = self.boolean_or_cacert(kwargs.get('validate_certs', True), kwargs.get('cacert', ''))
self.client = hvac.Client(url=self.url, token=self.token, verify=self.verify)
if not self.client.is_authenticated():
if not self.client.is_authenticated():
raise AnsibleError("Invalid Hashicorp Vault Token Specified for hashi_vault lookup")
raise AnsibleError("Invalid Hashicorp Vault Token Specified for hashi_vault lookup")
@ -135,6 +148,17 @@ class HashiVault:
self.client.auth_ldap(username, password, mount_point)
self.client.auth_ldap(username, password, mount_point)
def boolean_or_cacert(self, validate_certs, cacert):
validate_certs = boolean(validate_certs)
'''' return a bool or cacert '''
if validate_certs is True:
if cacert != '':
return cacert
else:
return True
else:
return False
class LookupModule(LookupBase):
class LookupModule(LookupBase):
def run(self, terms, variables, **kwargs):
def run(self, terms, variables, **kwargs):
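Review bot: In boolean_or_cacert (hunk @ -135,6 +148,17) a caller that passes validate_certs=False together with a cacert path gets verify=False and the CA path is silently dropped, so TLS verification ends up disabled by a combination that reads as if it were being tightened; the method should reject that contradiction with the AnsibleError the file already imports rather than pick one side quietly. The `'''' return a bool or cacert '''` line also opens with four quotes and sits after the first statement, so it is a discarded string expression rather than a docstring; it belongs on the first line of the method. The first USAGE example in the header hunk shows a UUID-shaped token where the second uses `token=xxxx-xxx-xxx`; using the placeholder in both keeps anything credential-shaped out of the module documentation.
```python
def boolean_or_cacert(self, validate_certs, cacert):
    """Return the value passed to hvac as ``verify``: a CA bundle path, True, or False."""
    validate_certs = boolean(validate_certs)
    if not validate_certs:
        if cacert != '':
            # A CA bundle only makes sense when verification is on; refuse the contradictory pair.
            raise AnsibleError("cacert was given but validate_certs=False; set validate_certs=True or drop cacert")
        return False
    return cacert if cacert != '' else True
```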