VaultService#

class phalanx.services.vault.VaultService(config_storage, vault_storage)#

Bases: object

Service to manage Vault authentication.

Parameters:
  • config_storage (ConfigStorage) – Storage object for the Phalanx configuration.

  • vault_storage (VaultStorage) – Storage object for Vault.

Methods Summary

audit(environment)

Audit the Vault authentication configuration for an environment.

copy_secrets(environment, old_path)

Copy all Vault secrets from an old path.

create_read_approle(environment, *[, token_lifetime])

Create a new Vault read AppRole for the given environment.

create_write_token(environment, lifetime)

Create a new Vault write token for the given environment.

export_secrets(env_name, path)

Generate JSON files of the Vault secrets for an environment.

Methods Documentation

audit(environment)#

Audit the Vault authentication configuration for an environment.

Parameters:

environment (str) – Name of the environment.

Returns:

Human-readable text report of any problems found.

Return type:

str

copy_secrets(environment, old_path)#

Copy all Vault secrets from an old path.

Copies only the secrets directly below the old path, not recursively; subdirectories are skipped. Must be called with credentials that can read secrets from the old path and write them to the default path for the environment. Any existing secrets in Vault for the environment whose application names match those under the old path are overwritten.

Parameters:
  • environment (str) – Name of the environment.

  • old_path (str) – Old path in Vault from which to copy secrets for that environment.

Raises:

VaultNotFoundError – Raised if the old path does not exist.

Return type:

None
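The copy semantics described above (one level only, subdirectories skipped, same-named secrets overwritten, missing old path an error), as an added example that is not Phalanx's own implementation. It runs against an in-memory stand-in for a KV mount (FakeKV, constructed here) that mimics Vault's list behaviour of marking subdirectories with a trailing slash; the paths and secret values are constructed sample data, and the VaultNotFoundError class is a local definition that only reuses the name from the documentation.

```python
from __future__ import annotations


class VaultNotFoundError(Exception):
    """Raised when the old path does not exist (same name as the error above)."""


class FakeKV:
    """In-memory stand-in for a Vault KV mount, keyed by full path (constructed).

    Like Vault's list operation, listing a path returns its direct children
    only, with subdirectories marked by a trailing slash.
    """

    def __init__(self, data: dict[str, dict[str, str]]) -> None:
        self._data = {k: dict(v) for k, v in data.items()}

    def list(self, path: str) -> list[str] | None:
        prefix = path.rstrip("/") + "/"
        children: set[str] = set()
        for key in self._data:
            if key.startswith(prefix):
                head, sep, _ = key[len(prefix):].partition("/")
                children.add(head + "/" if sep else head)
        return sorted(children) or None  # None: the path does not exist

    def read(self, path: str) -> dict[str, str] | None:
        return self._data.get(path)

    def write(self, path: str, secret: dict[str, str]) -> None:
        self._data[path] = dict(secret)  # overwrites silently, like a KV write


def copy_secrets(kv: FakeKV, new_path: str, old_path: str) -> list[str]:
    """Copy the secrets directly under old_path to new_path.

    Returns the application names copied, in listing order. Subdirectories
    are skipped rather than recursed into; an existing secret at new_path
    with the same application name is overwritten.
    """
    children = kv.list(old_path)
    if children is None:
        raise VaultNotFoundError(f"Vault path {old_path} does not exist")
    copied: list[str] = []
    for name in children:
        if name.endswith("/"):
            continue  # subdirectory: skipped, as documented above
        secret = kv.read(f"{old_path.rstrip('/')}/{name}")
        if secret is None:
            continue  # listed but not readable; nothing to copy
        kv.write(f"{new_path.rstrip('/')}/{name}", secret)
        copied.append(name)
    return copied


# Constructed sample data: two application secrets, one nested directory, and
# a stale secret already present at the new path.
SAMPLE_STORE = FakeKV({
    "secret/phalanx/old.example.org/app-a": {"password": "a-current"},
    "secret/phalanx/old.example.org/app-b": {"token": "b-current"},
    "secret/phalanx/old.example.org/archive/app-c": {"key": "nested"},
    "secret/phalanx/new.example.org/app-a": {"password": "a-stale"},
})


def demo() -> dict[str, object]:
    """Run the copy against the sample store and report what happened."""
    copied = copy_secrets(
        SAMPLE_STORE,
        "secret/phalanx/new.example.org",
        "secret/phalanx/old.example.org",
    )
    return {
        "copied": copied,
        "app_a": SAMPLE_STORE.read("secret/phalanx/new.example.org/app-a"),
        "nested": SAMPLE_STORE.read("secret/phalanx/new.example.org/archive/app-c"),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the stale app-a secret at the new path is replaced and the nested archive/app-c secret is never copied, which is exactly why the real command needs credentials scoped to both paths and why running it against an environment with live secrets deserves a second look first.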

create_read_approle(environment, *, token_lifetime=None)#

Create a new Vault read AppRole for the given environment.

This will create (or update) a read policy whose name is the Vault secrets path with the first component (the mount) removed and /read appended, and an AppRole whose name is the last component of the Vault secrets path.

Conventionally, the Vault secrets path after the mount will be phalanx/fqdn, where the last component is the FQDN of the deployed Phalanx environment, so the policy name will be phalanx/fqdn/read and the AppRole name will be fqdn.

Parameters:
  • environment (str) – Name of the environment.

  • token_lifetime (timedelta | None, default: None) – If given, limit the token lifetime (both default and renewable) to the given length of time.

Returns:

Newly-created Vault AppRole.

Return type:

VaultAppRole

create_write_token(environment, lifetime)#

Create a new Vault write token for the given environment.

This will create (or update) a write policy whose name is the Vault secrets path with the first component (the mount) removed and /write appended. Any existing write tokens for the environment will be revoked.

Must be called with credentials capable of creating tokens and policies and listing accessors of existing tokens.

Parameters:
  • environment (str) – Name of the environment.

  • lifetime (str) – Token lifetime in Vault duration format (for example, 720h).

Returns:

Newly-created Vault token.

Return type:

VaultToken
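The naming rule shared by create_read_approle and create_write_token (drop the mount from the secrets path, append /read or /write for the policy, name the AppRole after the last component), as an added example that is not code from the Phalanx project. The vault_names function encodes only what the documentation above states. The kv2_policy_hcl function goes further and renders a read and a write policy for that prefix; its contents are an assumption that the mount is a KV version 2 engine (data under <mount>/data/..., listings under <mount>/metadata/...) and are not the policies Phalanx itself installs. The FQDN data.example.org is a placeholder.

```python
from __future__ import annotations


def vault_names(secrets_path: str) -> dict[str, str]:
    """Derive policy and AppRole names from a full Vault secrets path.

    The path includes the KV mount as its first component, for example
    ``secret/phalanx/data.example.org``. Following the rule documented above,
    the mount is dropped, ``/read`` or ``/write`` is appended for the policy
    name, and the AppRole is named after the last component.
    """
    components = [c for c in secrets_path.strip("/").split("/") if c]
    if len(components) < 2:
        raise ValueError(f"need a mount and at least one component: {secrets_path!r}")
    mount, *rest = components
    prefix = "/".join(rest)
    return {
        "mount": mount,
        "prefix": prefix,
        "read_policy": f"{prefix}/read",
        "write_policy": f"{prefix}/write",
        "approle": rest[-1],
    }


def kv2_policy_hcl(secrets_path: str, *, write: bool) -> str:
    """Render a least-privilege Vault policy scoped to the secrets prefix.

    Assumption (not stated on the page): the mount is KV version 2, so secret
    data lives under ``<mount>/data/<prefix>/`` and listings plus version
    metadata under ``<mount>/metadata/<prefix>/``. The read variant grants
    only read and list; the write variant additionally grants create, update
    and delete. Nothing outside the prefix is reachable with either policy.
    """
    names = vault_names(secrets_path)
    mount, prefix = names["mount"], names["prefix"]
    data_caps = ["create", "update", "read", "delete"] if write else ["read"]
    meta_caps = ["list", "read", "delete"] if write else ["list", "read"]
    rules = [
        (f"{mount}/data/{prefix}/*", data_caps),
        (f"{mount}/metadata/{prefix}/*", meta_caps),
    ]
    blocks = []
    for path, caps in rules:
        cap_list = ", ".join(f'"{c}"' for c in caps)
        blocks.append(f'path "{path}" {{\n  capabilities = [{cap_list}]\n}}')
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    names = vault_names("secret/phalanx/data.example.org")
    print(names)
    print(kv2_policy_hcl("secret/phalanx/data.example.org", write=False))
    print(kv2_policy_hcl("secret/phalanx/data.example.org", write=True))
```

The split between the two policies is the security point of the two methods: the AppRole handed to the running environment only ever sees the read policy, while the write token, which is short-lived and revoked on recreation, is the only credential that can change secrets under the prefix.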

export_secrets(env_name, path)#

Generate JSON files of the Vault secrets for an environment.

One file per application with secrets will be written to the provided path. Each file will be named after the application with .json appended, and will contain the secret values for that application. Secrets that are required but have no known value will be written as null.

Parameters:
  • env_name (str) – Name of the environment.

  • path (Path) – Output path.

Return type:

None