Add requests verify option in vault section

This fix allow pass requests 'verify' option from vault configs If vault certificate signed with Intermediate CA, and Intermedia CA sign by internal root CA, requests will fail verifying vault certificate with error: _ssl.c:510: ... routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed 'verify' option allow explicitly specify ca-bundle, or disable verifications. http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification
2024-11-09 01:36:48 +00:00 · 2017-10-20 00:11:29 +07:00 · 2017-10-20 00:11:29 +07:00 · 56c91f0895
commit 56c91f0895
parent 5d719a2219
3 changed files with 11 additions and 1 deletions
--- a/salt/modules/vault.py
+++ b/salt/modules/vault.py
@ -16,6 +16,7 @@ Functions to interact with Hashicorp Vault.

        vault:
            url: https://vault.service.domain:8200
+            verify: /etc/ssl/certs/ca-certificates.crt
            auth:
                method: token
                token: 11111111-2222-3333-4444-555555555555
@ -27,6 +28,10 @@ Functions to interact with Hashicorp Vault.
    url
        Url to your Vault installation. Required.

+    verify
+        For details please see
+        http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification
+
    auth
        Currently only token auth is supported. The token must be able to create
        tokens with the policies that should be assigned to minions. Required.
--- a/salt/runners/vault.py
+++ b/salt/runners/vault.py
@ -56,8 +56,10 @@ def generate_token(minion_id, signature, impersonated_by_master=False):
                    'metadata': audit_data
                  }

+        verify = config.get('verify', None)
+
        log.trace('Sending token creation request to Vault')
-        response = requests.post(url, headers=headers, json=payload)
+        response = requests.post(url, headers=headers, json=payload, verify=verify)

        if response.status_code != 200:
            return {'error': response.reason}
--- a/salt/utils/vault.py
+++ b/salt/utils/vault.py
@ -124,6 +124,9 @@ def make_request(method, resource, profile=None, **args):
    connection = _get_vault_connection()
    token, vault_url = connection['token'], connection['url']

+    if "verify" not in args:
+        args["verify"] = __opts__['vault'].get('verify', None)
+
    url = "{0}/{1}".format(vault_url, resource)
    headers = {'X-Vault-Token': token, 'Content-Type': 'application/json'}
    response = requests.request(method, url, headers=headers, **args)