
allow for vault enterprise namespaces (#50462)

* enable namespaces feature for hashi_vault lookup

* include version_added dict in options documentation
This commit is contained in:
drewmullen 2019-01-03 11:51:13 -05:00 committed by Brian Coca
parent d863027159
commit 04a9a887d5


@ -52,6 +52,10 @@ DOCUMENTATION = """
description: controls verification and validation of SSL certificates, mostly you only want to turn off with self signed ones. description: controls verification and validation of SSL certificates, mostly you only want to turn off with self signed ones.
type: boolean type: boolean
default: True default: True
namespace:
version_added: "2.8"
description: namespace where secrets reside. requires HVAC 0.7.0+ and Vault 0.11+
default: None
""" """
EXAMPLES = """ EXAMPLES = """
@ -77,6 +81,10 @@ EXAMPLES = """
- name: authenticate with a Vault app role - name: authenticate with a Vault app role
debug: debug:
msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=approle role_id=myroleid secret_id=mysecretid url=http://myvault:8200')}}" msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=approle role_id=myroleid secret_id=mysecretid url=http://myvault:8200')}}"
- name: Return all secrets from a path in a namespace
debug:
msg: "{{ lookup('hashi_vault', 'secret=secret/hello token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200 namespace=teama/admins')}}"
""" """
RETURN = """ RETURN = """
@ -109,6 +117,7 @@ class HashiVault:
def __init__(self, **kwargs): def __init__(self, **kwargs):
self.url = kwargs.get('url', ANSIBLE_HASHI_VAULT_ADDR) self.url = kwargs.get('url', ANSIBLE_HASHI_VAULT_ADDR)
self.namespace = kwargs.get('namespace', None)
# split secret arg, which has format 'secret/hello:value' into secret='secret/hello' and secret_field='value' # split secret arg, which has format 'secret/hello:value' into secret='secret/hello' and secret_field='value'
s = kwargs.get('secret') s = kwargs.get('secret')
@ -134,7 +143,10 @@ class HashiVault:
self.verify = self.boolean_or_cacert(kwargs.get('validate_certs', True), kwargs.get('cacert', '')) self.verify = self.boolean_or_cacert(kwargs.get('validate_certs', True), kwargs.get('cacert', ''))
if self.auth_method and self.auth_method != 'token': if self.auth_method and self.auth_method != 'token':
try: try:
self.client = hvac.Client(url=self.url, verify=self.verify) if self.namespace is not None:
self.client = hvac.Client(url=self.url, verify=self.verify, namespace=self.namespace)
else:
self.client = hvac.Client(url=self.url, verify=self.verify)
# prefixing with auth_ to limit which methods can be accessed # prefixing with auth_ to limit which methods can be accessed
getattr(self, 'auth_' + self.auth_method)(**kwargs) getattr(self, 'auth_' + self.auth_method)(**kwargs)
except AttributeError: except AttributeError:
@ -153,7 +165,10 @@ class HashiVault:
if self.token is None: if self.token is None:
raise AnsibleError("No Vault Token specified") raise AnsibleError("No Vault Token specified")
self.client = hvac.Client(url=self.url, token=self.token, verify=self.verify) if self.namespace is not None:
self.client = hvac.Client(url=self.url, token=self.token, verify=self.verify, namespace=self.namespace)
else:
self.client = hvac.Client(url=self.url, token=self.token, verify=self.verify)
if not self.client.is_authenticated(): if not self.client.is_authenticated():
raise AnsibleError("Invalid Hashicorp Vault Token Specified for hashi_vault lookup") raise AnsibleError("Invalid Hashicorp Vault Token Specified for hashi_vault lookup")
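Review bot: The namespace-aware construction of `hvac.Client` is written out twice, once in the approle/auth_method path and again in the token path (both `if self.namespace is not None:` blocks), and neither site handles the case the option documentation itself names: on an hvac release older than 0.7.0 the `namespace=` keyword does not exist, so a user who sets the option gets a bare `TypeError` from hvac rather than an `AnsibleError` explaining the version requirement. Building the constructor arguments once in a small helper keeps the two call sites in step and gives a single place to catch that `TypeError` and re-raise it as `AnsibleError("namespace requires hvac 0.7.0 or later")`. The enclosing `__init__` starts outside both hunks and the class continues past the second one, so the helper below would sit alongside the existing `boolean_or_cacert` method.
```python
    def _client_kwargs(self, **extra):
        """Return the hvac.Client arguments shared by every auth path.

        namespace is only passed when set, because the keyword is absent
        from hvac releases older than 0.7.0.
        """
        kwargs = dict(url=self.url, verify=self.verify)
        if self.namespace is not None:
            kwargs['namespace'] = self.namespace
        kwargs.update(extra)
        return kwargs

    # … unchanged: __init__ up to the auth_method check …
            try:
                self.client = hvac.Client(**self._client_kwargs())
    # … unchanged: auth_ method dispatch and AttributeError handling …
            self.client = hvac.Client(**self._client_kwargs(token=self.token))
```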