
Add vault database secret engine modules #63314

Closed
wants to merge 67 commits into from

Conversation

lkubb
Contributor

@lkubb lkubb commented Dec 13, 2022

What does this PR do?

Adds modules that allow managing the Vault database secret engine.

This is based on the improved Vault integration found in #62684, thus this will stay a draft until that PR is merged. I wanted to put this out anyway for visibility and to get possible input.

Note that the tests only verify the mysql database plugin. I cannot test all possible plugins, so there might be some issues left.

What issues does this PR fix or reference?

TODO

Merge requirements satisfied?

Commits signed with GPG?

Yes
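To make concrete what "managing the Vault database secret engine" involves, here is an added example that is not code from this PR or from Salt: a minimal client that issues the request sequence such a module would send to Vault (configure a connection with a root credential and an allowed-roles list, rotate the root credential so only Vault knows it, define a role with least-privilege creation statements and a short TTL, mint dynamic credentials, and revoke the lease). The endpoint paths and payload keys follow Vault's public database API; the `request` transport signature, the `FakeVault` in-memory stand-in and the MySQL sample statements are assumptions constructed so the module runs offline without a Vault server.

```python
"""Minimal client for Vault's database secrets engine (added example, not PR code).

Assumptions: `request(method, path, body)` is a hypothetical transport returning the
parsed JSON response; `FakeVault` is a constructed in-memory stand-in for the small
API subset used here so the example runs offline.
"""
import secrets
from typing import Callable, Optional

Transport = Callable[[str, str, Optional[dict]], dict]


def _ttl_seconds(ttl: str) -> int:
    """Convert a Vault-style duration such as '1h' into seconds."""
    return int(ttl[:-1]) * {"s": 1, "m": 60, "h": 3600}[ttl[-1]]


class DatabaseEngine:
    """Request sequence a management module issues against the `database/` mount."""

    def __init__(self, request: Transport, mount: str = "database"):
        self.request, self.mount = request, mount

    def write_connection(self, name, plugin_name, connection_url, username, password, allowed_roles):
        # The root credential is write-only: Vault never returns it on a later read.
        # allowed_roles restricts which roles may mint credentials from this connection.
        body = {"plugin_name": plugin_name, "connection_url": connection_url,
                "username": username, "password": password, "allowed_roles": list(allowed_roles)}
        return self.request("POST", f"{self.mount}/config/{name}", body)

    def read_connection(self, name):
        return self.request("GET", f"{self.mount}/config/{name}", None)

    def rotate_root(self, name):
        # After rotation the operator-supplied password no longer works; only Vault knows the new one.
        return self.request("POST", f"{self.mount}/rotate-root/{name}", None)

    def write_role(self, name, db_name, creation_statements, default_ttl="1h", max_ttl="24h"):
        body = {"db_name": db_name, "creation_statements": list(creation_statements),
                "default_ttl": default_ttl, "max_ttl": max_ttl}
        return self.request("POST", f"{self.mount}/roles/{name}", body)

    def get_creds(self, role):
        resp = self.request("GET", f"{self.mount}/creds/{role}", None)
        return {"username": resp["data"]["username"], "password": resp["data"]["password"],
                "lease_id": resp["lease_id"], "lease_duration": resp["lease_duration"]}

    def revoke(self, lease_id):
        return self.request("POST", "sys/leases/revoke", {"lease_id": lease_id})


class FakeVault:
    """Constructed in-memory stand-in implementing only the endpoints used above."""

    def __init__(self):
        self.connections, self.roles, self.leases = {}, {}, {}

    def __call__(self, method, path, body):
        parts = path.split("/")
        name = parts[2] if len(parts) > 2 else None
        if path.startswith("database/config/") and method == "POST":
            self.connections[name] = dict(body)
            return {}
        if path.startswith("database/config/") and method == "GET":
            cfg = dict(self.connections[name])
            cfg.pop("password", None)  # mirrors Vault redacting the root password on read
            return {"data": cfg}
        if path.startswith("database/rotate-root/"):
            self.connections[name]["password"] = secrets.token_urlsafe(24)
            return {}
        if path.startswith("database/roles/") and method == "POST":
            self.roles[name] = dict(body)
            return {}
        if path.startswith("database/creds/") and method == "GET":
            role = self.roles[name]
            if name not in self.connections[role["db_name"]]["allowed_roles"]:
                raise PermissionError(f"role {name} not allowed for connection {role['db_name']}")
            lease_id = f"database/creds/{name}/{secrets.token_hex(8)}"
            self.leases[lease_id] = True
            return {"lease_id": lease_id, "lease_duration": _ttl_seconds(role["default_ttl"]),
                    "data": {"username": f"v-{name}-{secrets.token_hex(4)}",
                             "password": secrets.token_urlsafe(24)}}
        if path == "sys/leases/revoke" and method == "POST":
            self.leases.pop(body["lease_id"])
            return {}
        raise KeyError(f"{method} {path}")


def provision_readonly(vault: FakeVault) -> dict:
    """Full lifecycle: connection -> rotate root -> role -> creds -> revoke."""
    db = DatabaseEngine(vault)
    db.write_connection("mysql-prod", "mysql-database-plugin",
                        "{{username}}:{{password}}@tcp(db.example.internal:3306)/",
                        "vault-admin", "initial-root-secret", allowed_roles=["readonly"])
    db.rotate_root("mysql-prod")
    db.write_role("readonly", "mysql-prod",
                  ["CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';",
                   "GRANT SELECT ON app.* TO '{{name}}'@'%';"], default_ttl="1h")
    # A role that exists but is absent from allowed_roles must not mint credentials.
    db.write_role("admin", "mysql-prod", ["GRANT ALL ON *.* TO '{{name}}'@'%';"])
    creds = db.get_creds("readonly")
    db.revoke(creds["lease_id"])
    return {"config_read": db.read_connection("mysql-prod"), "creds": creds,
            "root_rotated": vault.connections["mysql-prod"]["password"] != "initial-root-secret",
            "leases_after_revoke": len(vault.leases)}
```

The points a reviewer would check in a real module are visible here: the connection's root password never round-trips through a read (so a state module cannot diff it and must treat it as write-only), `allowed_roles` is the connection-side control over which roles can use it, and minted credentials are lease-bound, so cleanup is a lease revoke rather than a manual `DROP USER`.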

lkubb and others added 30 commits October 4, 2022 23:40
This commit represents a fundamental rewrite in how Salt interacts with
Vault. The master should still be compatible with minions running the
old code. There should be no breaking changes to public interfaces and
the old configuration format should still apply.

Core:
- Issue AppRoles to minions
- Manage entities with templatable metadata for minions
- Use inbuilt Salt cache
- Separate config cache from token cache
- Cache: introduce connection-scope vs global scope

Utility module:
- Support being imported (__utils__ deprecation)
- Raise exceptions on queries to simplify response handling
- Add classes to wrap complexity, especially regarding KV v2
- Lay some groundwork for renewing tokens

Execution module:
- Add patch_secret
- Add version support to delete_secret
- Allow returning listed keys only in list_secret
- Add policy_[fetch/write/delete] and policies_list
- Add query for arbitrary API queries

State module:
- Make use of execution module
- Change output format

Docs:
- Update for new configuration format
- Correct examples
- Add configuration examples
- Add required policies
* Always use session cache as well
* Also flush session cache when requested
* Make KV metadata caching behavior configurable
* Update tests to account for changes from prev commit
There is no simple way to ensure they are kept.
lkubb added 13 commits January 3, 2023 23:29
* assert what you get against what you expect
* drop empty parentheses after wrapper
* use `is` to compare against strictly boolean vars
* during pillar rendering, they were always reset by the master (for
  AppRoles)
* overrides were only respected for some settings (AppRoles)
* old config syntax was using the old syntax internally (tech debt)
after renaming the token cache key
@lkubb
Contributor Author

lkubb commented Nov 16, 2023

Closing this since the code this depends on has been moved to https://github.com/salt-extensions/saltext-vault, will submit this there later.

@lkubb lkubb closed this Nov 16, 2023