File: //opt/saltstack/salt/lib/python3.10/site-packages/salt/pillar/__pycache__/vault.cpython-310.pyc
Vault Pillar Module

:maintainer:    SaltStack
:maturity:      New
:platform:      all

.. versionadded:: 2016.11.0

This module allows pillar data to be stored in Hashicorp Vault.

Base configuration instructions are documented in the :ref:`execution module docs <vault-setup>`.
The extra configuration required for the pillar module is noted below, but the base
configuration must also be completed.

After the base Vault configuration is created, add the configuration below to
the ext_pillar section in the Salt master configuration.

.. code-block:: yaml

    ext_pillar:
      - vault: path=secret/salt

Each key needs to have all the key-value pairs with the names you
require. Avoid naming every key 'password', as they will collide.

If you want to nest results under a nesting_key name use the following format:

.. code-block:: yaml

    ext_pillar:
      - vault:
          conf: path=secret/salt
          nesting_key: vault_key_name

.. code-block:: bash

    $ vault write secret/salt auth=my_password master=127.0.0.1

The above will result in two pillars being available, ``auth`` and ``master``.

You can then use normal pillar requests to get each key pair directly from
pillar root. Example:

.. code-block:: bash

    $ salt-ssh '*' pillar.get auth

Multiple Vault sources may also be used:

.. code-block:: yaml

    ext_pillar:
      - vault: path=secret/salt
      - vault: path=secret/root
      - vault: path=secret/minions/{minion}/pass
      - vault: path=secret/roles/{pillar[roles]}/pass

Nesting can be used here as well. Identical nesting keys will get merged.

.. code-block:: yaml

    ext_pillar:
      - vault:
           conf: path=secret/salt
           nesting_key: keyname1
      - vault:
           conf: path=secret/root
           nesting_key: keyname1
      - vault:
           conf: path=secret/minions/{minion}/pass
           nesting_key: keyname2

The difference between the return with and without the nesting key is shown below.
This example takes the key-value pairs returned from Vault as follows:

.. code-block:: text

    path=secret/salt

    Key             Value
    ---             -----
    salt-passwd     badpasswd1

    path=secret/root

    Key             Value
    ---             -----
    root-passwd     rootbadpasswd1

    path=secret/minions/{minion}/pass

    Key             Value
    ---             -----
    minion-passwd   minionbadpasswd1


.. code-block:: yaml

    #Nesting Key not defined

    local:
        ----------
        salt-passwd:
            badpasswd1
        root-passwd:
            rootbadpasswd1
        minion-passwd:
            minionbadpasswd1

    #Nesting Key defined

    local:
        ----------
        keyname1:
            ----------
                salt-passwd:
                    badpasswd1
                root-passwd:
                    rootbadpasswd1
        keyname2:
            ----------
                minion-passwd:
                    minionbadpasswd1

.. versionadded:: 3006.0

    Pillar values from previously rendered pillars can be used to template
    vault ext_pillar paths.

Using pillar values to template vault pillar paths requires them to be defined
before the vault ext_pillar is called. Pay particular attention to the
:conf_master:`ext_pillar_first <ext_pillar_first>` master config setting.

If a pillar pattern matches multiple paths, the results are merged according to
the master configuration values :conf_master:`pillar_source_merging_strategy <pillar_source_merging_strategy>`
and :conf_master:`pillar_merge_lists <pillar_merge_lists>` by default.

If the optional nesting_key is defined, the merged result will be nested below it.
There is currently no way to nest multiple results under different keys.

You can override the merging behavior per defined ext_pillar:

.. code-block:: yaml

    ext_pillar:
      - vault:
           conf: path=secret/roles/{pillar[roles]}
           merge_strategy: smart
           merge_lists: false
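
The following is an added example, not Salt's own code: a simplified model of how a path pattern expands into concrete Vault paths and how ``nesting_key`` groups the results, useful for checking which paths a given minion resolves to. The names ``expand_paths``, ``build_pillar`` and ``FAKE_VAULT`` and the minion ID ``web01`` are assumptions, and a plain ``dict.update`` stands in for Salt's configurable merge strategy.

```python
import itertools
import re

# Matches {pillar[key]} placeholders in a path pattern.
_PILLAR_REF = re.compile(r"\{pillar\[([^\]]+)\]\}")

# Constructed stand-in for Vault, using the sample secrets from the text above.
FAKE_VAULT = {
    "secret/salt": {"salt-passwd": "badpasswd1"},
    "secret/root": {"root-passwd": "rootbadpasswd1"},
    "secret/minions/web01/pass": {"minion-passwd": "minionbadpasswd1"},
}


def expand_paths(pattern, minion_id, pillar):
    """Return every concrete path a pattern resolves to for one minion."""
    keys = _PILLAR_REF.findall(pattern)
    try:
        # A list-valued pillar key fans out into one path per element.
        choices = [v if isinstance(v, list) else [v]
                   for v in (pillar[k] for k in keys)]
    except KeyError:
        return []  # pillar key not rendered yet: the pattern yields no path
    paths = []
    for combo in itertools.product(*choices):
        values = iter(combo)
        path = _PILLAR_REF.sub(lambda m: str(next(values)), pattern)
        paths.append(path.replace("{minion}", minion_id))
    return paths


def build_pillar(sources, minion_id, pillar, vault=FAKE_VAULT):
    """sources: list of (path_pattern, nesting_key or None), in config order."""
    result = {}
    for pattern, nesting_key in sources:
        # Identical nesting keys share one sub-dictionary, so they merge.
        target = result.setdefault(nesting_key, {}) if nesting_key else result
        for path in expand_paths(pattern, minion_id, pillar):
            target.update(vault.get(path, {}))  # missing secret adds nothing
    return result


if __name__ == "__main__":
    print(expand_paths("secret/roles/{pillar[roles]}/pass", "web01",
                       {"roles": ["web", "db"]}))
    print(build_pillar([("secret/salt", "keyname1"), ("secret/root", "keyname1"),
                        ("secret/minions/{minion}/pass", "keyname2")], "web01", {}))
```

An unresolved ``{pillar[...]}`` reference returns no paths here, which is why the ordering of pillar rendering matters for templated patterns.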