1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

hashi_vault module - Add verify param to support ssl Vault (#25159)

* Fix conflic with HVAC library check

* Fix pep8 error

* hashi_vault add validate_certs parameter
This commit is contained in:
Manuvaldi 2017-07-11 18:17:04 +02:00 committed by Jonathan Davila
parent 0fc0b6f059
commit 3ff67fc217

View file

@ -23,6 +23,15 @@
#
# The mount_point param defaults to ldap, so is only required if you have a custom mount point.
#
# To use a ssl Vault add verify param:
#
# USAGE: {{ lookup('hashi_vault', 'secret=secret/hello:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=https://myvault:8200 validate_certs=False')}}
#
# The validate_certs param posible values are: True or False. By default it's in True. If False no verify of ssl will be done.
# To use ca certificate file you can specify the path as parameter cacert
#
# USAGE: {{ lookup('hashi_vault', 'secret=secret/hello:value token=xxxx-xxx-xxx url=https://myvault:8200 validate_certs=True cacert=/cacert/path/ca.pem')}}
#
# You can skip setting the url if you set the VAULT_ADDR environment variable
# or if you want it to default to localhost:8200
#
@ -38,6 +47,7 @@ import os
from ansible.errors import AnsibleError
from ansible.plugins.lookup import LookupBase
from ansible.constants import mk_boolean as boolean
HAS_HVAC = False
try:
@ -46,6 +56,7 @@ try:
except ImportError:
HAS_HVAC = False
ANSIBLE_HASHI_VAULT_ADDR = 'http://127.0.0.1:8200'
if os.getenv('VAULT_ADDR') is not None:
@ -101,7 +112,9 @@ class HashiVault:
if self.token is None:
raise AnsibleError("No Vault Token specified")
self.client = hvac.Client(url=self.url, token=self.token)
self.verify = self.boolean_or_cacert(kwargs.get('validate_certs', True), kwargs.get('cacert', ''))
self.client = hvac.Client(url=self.url, token=self.token, verify=self.verify)
if not self.client.is_authenticated():
raise AnsibleError("Invalid Hashicorp Vault Token Specified for hashi_vault lookup")
@ -135,6 +148,17 @@ class HashiVault:
self.client.auth_ldap(username, password, mount_point)
def boolean_or_cacert(self, validate_certs, cacert):
validate_certs = boolean(validate_certs)
'''' return a bool or cacert '''
if validate_certs is True:
if cacert != '':
return cacert
else:
return True
else:
return False
class LookupModule(LookupBase):
def run(self, terms, variables, **kwargs):