109 lines
3.8 KiB
Python
109 lines
3.8 KiB
Python
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
import base64
|
|
import socket
|
|
|
|
from charmhelpers.core import hookenv
|
|
|
|
from charms.reactive import toggle_flag
|
|
from charms.reactive import Endpoint
|
|
|
|
|
|
class VaultKVRequires(Endpoint):
|
|
def manage_flags(self):
|
|
toggle_flag(self.expand_name('{endpoint_name}.connected'),
|
|
self.is_joined)
|
|
toggle_flag(self.expand_name('{endpoint_name}.available'),
|
|
all([self.is_joined,
|
|
self.unit_role_id,
|
|
self.unit_token,
|
|
self.vault_url]))
|
|
|
|
@property
|
|
def endpoint_address(self):
|
|
""" Determine the local endpoint network address """
|
|
try:
|
|
return hookenv.network_get_primary_address(
|
|
self.expand_name('{endpoint_name}')
|
|
)
|
|
except NotImplementedError:
|
|
return hookenv.unit_private_ip()
|
|
|
|
def request_secret_backend(self, name, isolated=True):
|
|
"""Request creation and access to a secret backend
|
|
|
|
:param name: name of secret backend to create/access
|
|
:type name: str
|
|
:param isolated: enforce isolation in backend between units
|
|
:type isolated: bool"""
|
|
for relation in self.relations:
|
|
relation.to_publish['secret_backend'] = name
|
|
relation.to_publish['access_address'] = self.endpoint_address
|
|
relation.to_publish['hostname'] = socket.gethostname()
|
|
relation.to_publish['isolated'] = isolated
|
|
relation.to_publish['unit_name'] = hookenv.local_unit()
|
|
|
|
@property
|
|
def unit_role_id(self):
|
|
"""Retrieve the AppRole ID for this application unit or None
|
|
|
|
:returns role_id: AppRole ID for unit
|
|
:rtype role_id: str"""
|
|
role_key = '{}_role_id'.format(hookenv.local_unit())
|
|
return self.all_joined_units.received.get(role_key)
|
|
|
|
@property
|
|
def unit_token(self):
|
|
"""Retrieve the one-shot token for secret_id retrieval for
|
|
this application unit or None
|
|
|
|
:returns token: Vault one-shot toekn for secret_id response
|
|
:rtype token: str"""
|
|
token_key = '{}_token'.format(hookenv.local_unit())
|
|
return self.all_joined_units.received.get(token_key)
|
|
|
|
@property
|
|
def all_unit_tokens(self):
|
|
"""Retrieve the one-shot token(s) for secret_id retrieval for
|
|
all application units or empty list.
|
|
|
|
:returns token: Vault one-shot token for secret_id response
|
|
:rtype token: str"""
|
|
token_key = '{}_token'.format(hookenv.local_unit())
|
|
tokens = set()
|
|
for relation in self.relations:
|
|
for unit in relation.units:
|
|
token = unit.received.get(token_key)
|
|
if token:
|
|
tokens.add(token)
|
|
|
|
return list(tokens)
|
|
|
|
@property
|
|
def vault_url(self):
|
|
"""Retrieve the URL to access Vault
|
|
|
|
:returns vault_url: URL to access vault
|
|
:rtype vault_url: str"""
|
|
return self.all_joined_units.received.get('vault_url')
|
|
|
|
@property
|
|
def vault_ca(self):
|
|
"""Retrieve the CA published by Vault
|
|
|
|
:returns vault_ca: Vault CA Certificate data
|
|
:rtype vault_ca: str"""
|
|
encoded_ca = self.all_joined_units.received.get('vault_ca')
|
|
if encoded_ca:
|
|
return base64.b64decode(encoded_ca)
|