VaultService#
- class phalanx.services.vault.VaultService(config_storage, vault_storage)#
Bases: object
Service to manage Vault authentication.
- Parameters:
config_storage (ConfigStorage) – Storage object for the Phalanx configuration.
vault_storage (VaultStorage) – Storage object for Vault.
Methods Summary
audit(environment) – Audit the Vault authentication configuration for an environment.
copy_secrets(environment, old_path) – Copy all Vault secrets from an old path.
create_read_approle(environment, *[, ...]) – Create a new Vault read AppRole for the given environment.
create_write_token(environment, lifetime) – Create a new Vault write token for the given environment.
export_secrets(env_name, path) – Generate JSON files of the Vault secrets for an environment.
Methods Documentation
- audit(environment)#
Audit the Vault authentication configuration for an environment.
- copy_secrets(environment, old_path)#
Copy all Vault secrets from an old path.
Only copies secrets one level below the old path, not recursively. Must be called with credentials capable of reading secrets from the old path and writing them to the default path for the environment. Any existing secrets in Vault for the environment with the same application names as in the old path will be overwritten. Subdirectories are skipped.
- Parameters:
- Raises:
VaultNotFoundError – Raised if the old path does not exist.
- Return type:
- create_read_approle(environment, *, token_lifetime=None)#
Create a new Vault read AppRole for the given environment.
This will create (or update) a read policy whose name is the Vault secrets path with the first component (the mount) removed and /read appended, and an AppRole whose name will be the last component of the Vault secrets path.
Conventionally, the Vault secrets path will be phalanx/fqdn, where the last component is the FQDN of the deployed Phalanx environment, so the policy name will be phalanx/fqdn/read and the AppRole name will be fqdn.
- Parameters:
- Returns:
Newly-created Vault AppRole.
- Return type:
- create_write_token(environment, lifetime)#
Create a new Vault write token for the given environment.
This will create (or update) a read policy whose name is the Vault secrets path with the first component (the mount) removed and /write appended. Any existing write tokens will be revoked.
Must be called with credentials capable of creating tokens and policies and listing accessors of existing tokens.
- Parameters:
- Returns:
Newly-created Vault token.
- Return type:
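The naming rule shared by create_read_approle and create_write_token (strip the mount, append /read or /write, use the last path component as the AppRole name) is easy to get wrong when a path has a different depth than the convention above, so the following added example works it through. This is illustrative code written for this page, not Phalanx's own implementation: it assumes the full secrets path carries the KV mount as its first component (for example secret/phalanx/fqdn, with "secret" being the mount the docstring says is removed), and the policy bodies are an assumed minimal KV v2 shape used to show that the read policy grants no mutating capability; Phalanx's actual policy text may differ.

```python
import re
from dataclasses import dataclass

# Capabilities that let a token change or escalate; a read policy must grant none of them.
WRITE_CAPABILITIES = frozenset({"create", "update", "delete", "patch", "sudo", "root"})


@dataclass(frozen=True)
class VaultAccessNames:
    """Names derived from a full Vault secrets path (mount included)."""

    mount: str
    path_below_mount: str
    read_policy: str
    write_policy: str
    approle: str


def derive_names(vault_secrets_path: str) -> VaultAccessNames:
    """Apply the page's naming rule to a path such as 'secret/phalanx/data.example.com'.

    Policy names are the path with the mount removed plus '/read' or '/write';
    the AppRole name is the last component (conventionally the environment FQDN).
    """
    parts = [p for p in vault_secrets_path.split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"need a mount and at least one path component: {vault_secrets_path!r}")
    below_mount = "/".join(parts[1:])
    return VaultAccessNames(
        mount=parts[0],
        path_below_mount=below_mount,
        read_policy=f"{below_mount}/read",
        write_policy=f"{below_mount}/write",
        approle=parts[-1],
    )


def read_policy_hcl(names: VaultAccessNames) -> str:
    """Assumed minimal KV v2 read-only policy: read data, list/read metadata, one environment only."""
    return (
        f'path "{names.mount}/data/{names.path_below_mount}/*" {{\n'
        f'  capabilities = ["read"]\n'
        f"}}\n"
        f'path "{names.mount}/metadata/{names.path_below_mount}/*" {{\n'
        f'  capabilities = ["list", "read"]\n'
        f"}}\n"
    )


def write_policy_hcl(names: VaultAccessNames) -> str:
    """Assumed minimal KV v2 write policy scoped to the same environment subtree."""
    return (
        f'path "{names.mount}/data/{names.path_below_mount}/*" {{\n'
        f'  capabilities = ["create", "read", "update", "delete"]\n'
        f"}}\n"
        f'path "{names.mount}/metadata/{names.path_below_mount}/*" {{\n'
        f'  capabilities = ["list", "read", "delete"]\n'
        f"}}\n"
    )


def capabilities_in(policy_hcl: str) -> set[str]:
    """Collect every capability named anywhere in a policy document."""
    caps: set[str] = set()
    for block in re.findall(r"capabilities\s*=\s*\[([^\]]*)\]", policy_hcl):
        caps.update(c.strip().strip('"') for c in block.split(",") if c.strip())
    return caps


def is_read_only(policy_hcl: str) -> bool:
    """Audit check: True when the policy grants no mutating capability."""
    return not (capabilities_in(policy_hcl) & WRITE_CAPABILITIES)


if __name__ == "__main__":
    names = derive_names("secret/phalanx/data.example.com")  # constructed sample path
    print(names)
    print(read_policy_hcl(names))
    print("read policy is read-only:", is_read_only(read_policy_hcl(names)))
```

The is_read_only check is the kind of assertion an audit (compare the audit method above) can run against the policy that was actually installed, rather than trusting the policy's name.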
- export_secrets(env_name, path)#
Generate JSON files of the Vault secrets for an environment.
One file per application with secrets will be written to the provided path. Each file will be named after the application with .json appended and will contain the secret values for that application. Secrets that are required but have no known value will be written as null.
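The semantics described for copy_secrets (one level only, subdirectories skipped, same-named secrets overwritten, VaultNotFoundError when the old path is missing) and for export_secrets (one JSON file per application, null for required-but-unknown values) can be exercised without a Vault server. The example below is added for this page and is not Phalanx's code: it models a KV mount as an in-memory dictionary with Vault's listing convention (a trailing "/" marks an entry that has children), the sample paths, application names and secret values are constructed, and the set of required keys per application is passed in explicitly where Phalanx would derive it from its configuration.

```python
from __future__ import annotations

import json
import tempfile
from pathlib import Path


class VaultNotFoundError(Exception):
    """Raised when a Vault path that must exist is absent."""


class MemoryKV:
    """Constructed stand-in for a Vault KV mount: path -> {key: value}.

    Listing returns the next path component under a prefix, with a trailing
    "/" for entries that have children, which is how Vault KV lists folders.
    """

    def __init__(self) -> None:
        self._data: dict[str, dict[str, str]] = {}

    def write(self, path: str, secret: dict[str, str]) -> None:
        self._data[path.strip("/")] = dict(secret)

    def read(self, path: str) -> dict[str, str]:
        return dict(self._data[path.strip("/")])  # KeyError if absent

    def list(self, path: str) -> list[str]:
        prefix = path.strip("/") + "/"
        names: set[str] = set()
        for key in self._data:
            if key.startswith(prefix):
                head, sep, _rest = key[len(prefix):].partition("/")
                names.add(head + "/" if sep else head)
        if not names:
            raise KeyError(path)
        return sorted(names)


def copy_secrets(kv: MemoryKV, old_path: str, new_path: str) -> list[str]:
    """Copy the secrets one level below old_path to new_path.

    Subdirectories are skipped and existing secrets under new_path with the
    same application name are overwritten. Returns the names copied.
    """
    try:
        entries = kv.list(old_path)
    except KeyError:
        raise VaultNotFoundError(f"Vault path not found: {old_path}") from None
    copied: list[str] = []
    for name in entries:
        if name.endswith("/"):
            continue  # one level only: do not descend into subdirectories
        kv.write(f"{new_path}/{name}", kv.read(f"{old_path}/{name}"))
        copied.append(name)
    return copied


def export_secrets(
    kv: MemoryKV,
    env_path: str,
    required: dict[str, list[str]],
    out_dir: Path | None = None,
) -> dict[str, dict[str, str | None]]:
    """Write one <application>.json per application under out_dir.

    ``required`` maps each application to the secret keys expected for it;
    keys with no stored value are emitted as JSON null. A fresh temporary
    directory is used when out_dir is None. Returns the payloads written.
    """
    out_dir = Path(out_dir) if out_dir is not None else Path(tempfile.mkdtemp())
    out_dir.mkdir(parents=True, exist_ok=True)
    payloads: dict[str, dict[str, str | None]] = {}
    for app, keys in required.items():
        try:
            stored = kv.read(f"{env_path}/{app}")
        except KeyError:
            stored = {}
        payload: dict[str, str | None] = {key: stored.get(key) for key in keys}
        (out_dir / f"{app}.json").write_text(json.dumps(payload, indent=2) + "\n")
        payloads[app] = payload
    return payloads


def demo_store() -> MemoryKV:
    """Constructed sample data: an old environment with one nested subdirectory."""
    kv = MemoryKV()
    kv.write("secret/phalanx/old.example.com/portal", {"database-password": "old-db-pw"})
    kv.write("secret/phalanx/old.example.com/ingest", {"queue-token": "old-queue"})
    kv.write("secret/phalanx/old.example.com/archive/portal", {"database-password": "stale"})
    kv.write("secret/phalanx/data.example.com/portal", {"database-password": "to-be-overwritten"})
    return kv


if __name__ == "__main__":
    kv = demo_store()
    print(copy_secrets(kv, "secret/phalanx/old.example.com", "secret/phalanx/data.example.com"))
    print(export_secrets(kv, "secret/phalanx/data.example.com", {"portal": ["database-password", "api-key"]}))
```

The exported files hold live secret values, so the directory passed as path should be treated with the same care as the Vault credentials used to read them.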