From 3ff67fc217bbde8f397bcdad662c72fcc32f6895 Mon Sep 17 00:00:00 2001 From: Manuvaldi Date: Tue, 11 Jul 2017 18:17:04 +0200 Subject: [PATCH] hashi_vault module - Add verify param to support ssl Vault (#25159) * Fix conflic with HVAC library check * Fix pep8 error * hashi_vault add validate_certs parameter --- lib/ansible/plugins/lookup/hashi_vault.py | 26 ++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/lib/ansible/plugins/lookup/hashi_vault.py b/lib/ansible/plugins/lookup/hashi_vault.py index d0f7aa6283..664e8cc348 100644 --- a/lib/ansible/plugins/lookup/hashi_vault.py +++ b/lib/ansible/plugins/lookup/hashi_vault.py @@ -23,6 +23,15 @@ # # The mount_point param defaults to ldap, so is only required if you have a custom mount point. # +# To use a ssl Vault add verify param: +# +# USAGE: {{ lookup('hashi_vault', 'secret=secret/hello:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=https://myvault:8200 validate_certs=False')}} +# +# The validate_certs param posible values are: True or False. By default it's in True. If False no verify of ssl will be done. +# To use ca certificate file you can specify the path as parameter cacert +# +# USAGE: {{ lookup('hashi_vault', 'secret=secret/hello:value token=xxxx-xxx-xxx url=https://myvault:8200 validate_certs=True cacert=/cacert/path/ca.pem')}} +# # You can skip setting the url if you set the VAULT_ADDR environment variable # or if you want it to default to localhost:8200 # @@ -38,6 +47,7 @@ import os from ansible.errors import AnsibleError from ansible.plugins.lookup import LookupBase +from ansible.constants import mk_boolean as boolean HAS_HVAC = False try: @@ -46,6 +56,7 @@ try: except ImportError: HAS_HVAC = False + ANSIBLE_HASHI_VAULT_ADDR = 'http://127.0.0.1:8200' if os.getenv('VAULT_ADDR') is not None: @@ -101,7 +112,9 @@ class HashiVault: if self.token is None: raise AnsibleError("No Vault Token specified") - self.client = hvac.Client(url=self.url, token=self.token) + self.verify = self.boolean_or_cacert(kwargs.get('validate_certs', True), kwargs.get('cacert', '')) + + self.client = hvac.Client(url=self.url, token=self.token, verify=self.verify) if not self.client.is_authenticated(): raise AnsibleError("Invalid Hashicorp Vault Token Specified for hashi_vault lookup") @@ -135,6 +148,17 @@ class HashiVault: self.client.auth_ldap(username, password, mount_point) + def boolean_or_cacert(self, validate_certs, cacert): + validate_certs = boolean(validate_certs) + '''' return a bool or cacert ''' + if validate_certs is True: + if cacert != '': + return cacert + else: + return True + else: + return False + class LookupModule(LookupBase): def run(self, terms, variables, **kwargs):