Use right API to access Vault secrets

Closes #80 Signed-off-by: Sylvain Hellegouarch <[email protected]>
chaostoolkit · Jan 29, 2019 · 8ea9e6b · 8ea9e6b
1 parent bbd67c3
commit 8ea9e6b
Show file tree

Hide file tree

Showing 3 changed files with 93 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,12 @@
 
 [Unreleased]: https://github.com/chaostoolkit/chaostoolkit-lib/compare/1.0.0rc2...HEAD
 
+### Changed
+
+- Fix differences of API between Vault KV secret v1 and v2 [#80][80]
+
+[80]: https://github.com/chaostoolkit/chaostoolkit-lib/issues/80
+
 ## [1.0.0rc2][] - 2019-01-28
 
 [1.0.0rc2]: https://github.com/chaostoolkit/chaostoolkit-lib/compare/1.0.0rc1...1.0.0rc2

diff --git a/chaoslib/secret.py b/chaoslib/secret.py
@@ -200,16 +200,38 @@ def load_secrets_from_vault(secrets_info: Dict[str, Dict[str, str]],
  return {}
 
  path = value.get("path")
- vault_payload = client.secrets.kv.read_secret(path=path)
+ if path is None:
+ logger.warning(
+ "Missing Vault secret path for '{}'".format(key))
+ continue
+
+ # see https://github.com/chaostoolkit/chaostoolkit/issues/98
+ kv = client.secrets.kv
+ is_kv1 = kv.default_kv_version == "1"
+ if is_kv1:
+ vault_payload = kv.v1.read_secret(path=path)
+ else:
+ vault_payload = kv.v2.read_secret_version(path=path)
+
  if not vault_payload:
- logger.debug(
+ logger.warning(
  "No Vault secret found at path: {}".format(path))
  continue
 
- data = vault_payload.get("data")
+ if is_kv1:
+ data = vault_payload.get("data")
+ else:
+ data = vault_payload.get("data", {}).get("data")
 
  if "key" in value:
- secrets[target][key] = data.get(value["key"])
+ vault_key = value["key"]
+ if vault_key not in data:
+ logger.warning(
+ "No Vault key '{}' at secret path '{}'".format(
+ vault_key, path))
+ continue
+
+ secrets[target][key] = data.get(vault_key)
  else:
  secrets[target][key] = data
 

diff --git a/tests/test_secret.py b/tests/test_secret.py
@@ -76,6 +76,7 @@ def test_should_auth_with_token(hvac):
  config = {
  'vault_addr': 'http:https://someaddr.com',
  'vault_token': 'not_awesome_token',
+ 'vault_kv_version': '1'
  }
 
  fake_client = MagicMock()
@@ -88,10 +89,11 @@ def test_should_auth_with_token(hvac):
 
 
 @patch('chaoslib.secret.hvac')
-def test_read_secrets_from_vault(hvac):
+def test_read_secrets_from_vault_with_kv_version_1(hvac):
  config = {
  'vault_addr': 'http:https://someaddr.com',
  'vault_token': 'not_awesome_token',
+ 'vault_kv_version': '1'
  }
 
  secrets_info = {
@@ -117,7 +119,64 @@ def test_read_secrets_from_vault(hvac):
 
  fake_client = MagicMock()
  hvac.Client.return_value = fake_client
- fake_client.secrets.kv.read_secret.return_value = vault_secret_payload
+ fake_client.secrets.kv.v1.read_secret.return_value = vault_secret_payload
+
+ secrets = load_secrets_from_vault(secrets_info, config)
+ assert secrets["k8s"]["a-secret"] == {
+ "my-important-secret": "bar",
+ "my-less-important-secret": "baz"
+ }
+
+ secrets_info = {
+ "k8s": {
+ "a-secret": {
+ "type": "vault",
+ "path": "foo/stuff",
+ "key": "my-important-secret"
+ }
+ }
+ }
+
+ secrets = load_secrets_from_vault(secrets_info, config)
+ assert secrets["k8s"]["a-secret"] == "bar"
+
+
+@patch('chaoslib.secret.hvac')
+def test_read_secrets_from_vault_with_kv_version_2(hvac):
+ config = {
+ 'vault_addr': 'http:https://someaddr.com',
+ 'vault_token': 'not_awesome_token',
+ 'vault_kv_version': '2'
+ }
+
+ secrets_info = {
+ "k8s": {
+ "a-secret": {
+ "type": "vault",
+ "path": "foo/stuff"
+ }
+ }
+ }
+
+ # secret at secret/foo
+ vault_secret_payload = {
+ "data": {
+ "data": {
+ "my-important-secret": "bar",
+ "my-less-important-secret": "baz"
+ },
+ "metadata": {
+ "auth": None,
+ "lease_duration": 2764800,
+ "lease_id": "",
+ "renewable": False
+ }
+ }
+ }
+
+ fake_client = MagicMock()
+ hvac.Client.return_value = fake_client
+ fake_client.secrets.kv.v2.read_secret_version.return_value = vault_secret_payload
 
  secrets = load_secrets_from_vault(secrets_info, config)
  assert secrets["k8s"]["a-secret"] == {