Merge pull request #44185 from sakateka/fix_requests_ssl_verify_error

Add requests verify option in vault section
2024-11-07 00:55:19 +00:00 · 2017-10-24 04:23:53 -06:00 · 2017-10-24 04:23:53 -06:00 · 405b882438
commit 405b882438
parent de83ed914b c755fc7235
3 changed files with 21 additions and 4 deletions
--- a/salt/modules/vault.py
+++ b/salt/modules/vault.py
@ -21,6 +21,7 @@ Functions to interact with Hashicorp Vault.

        vault:
            url: https://vault.service.domain:8200
+            verify: /etc/ssl/certs/ca-certificates.crt
            auth:
                method: token
                token: 11111111-2222-3333-4444-555555555555
@ -32,6 +33,12 @@ Functions to interact with Hashicorp Vault.
    url
        Url to your Vault installation. Required.

+    verify
+        For details please see
+        http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification
+
+        .. versionadded:: Oxygen
+
    auth
        Currently only token auth is supported. The token must be able to create
        tokens with the policies that should be assigned to minions. Required.
--- a/salt/runners/vault.py
+++ b/salt/runners/vault.py
@ -56,14 +56,20 @@ def generate_token(minion_id, signature, impersonated_by_master=False):
                    'metadata': audit_data
                  }

+        verify = config.get('verify', None)
+
        log.trace('Sending token creation request to Vault')
-        response = requests.post(url, headers=headers, json=payload)
+        response = requests.post(url, headers=headers, json=payload, verify=verify)

        if response.status_code != 200:
            return {'error': response.reason}

        authData = response.json()['auth']
-        return {'token': authData['client_token'], 'url': config['url']}
+        return {
+            'token': authData['client_token'],
+            'url': config['url'],
+            'verify': verify,
+        }
    except Exception as e:
        return {'error': str(e)}

--- a/salt/utils/vault.py
+++ b/salt/utils/vault.py
@ -90,7 +90,8 @@ def _get_token_and_url_from_master():
        raise salt.exceptions.CommandExecutionError(result)
    return {
            'url': result['url'],
-            'token': result['token']
+            'token': result['token'],
+            'verify': result['verify'],
           }


@ -104,7 +105,8 @@ def _get_vault_connection():
        try:
            return {
                'url': __opts__['vault']['url'],
-                'token': __opts__['vault']['auth']['token']
+                'token': __opts__['vault']['auth']['token'],
+                'verify': __opts__['vault'].get('verify', None)
            }
        except KeyError as err:
            errmsg = 'Minion has "vault" config section, but could not find key "{0}" within'.format(err.message)
@ -124,6 +126,8 @@ def make_request(method, resource, profile=None, **args):

    connection = _get_vault_connection()
    token, vault_url = connection['token'], connection['url']
+    if 'verify' not in args:
+        args['verify'] = connection['verify']

    url = "{0}/{1}".format(vault_url, resource)
    headers = {'X-Vault-Token': token, 'Content-Type': 'application/json'}