feat: change certmanage to approles

- created approle 'certmanager' using 'certmanager' policy
- update certmanager script to generate token based on roleid

hieradata/roles/infra/puppet/master.eyaml

@@ -1,2 +1,3 @@
 ---
 certmanager::vault_token: ENC[PKCS7,MIIBygYJKoZIhvcNAQcDoIIBuzCCAbcCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAWh7bsttz/JCBo/CPoCgA2doo3jO6jT6NsOoE3/06W2IW+Ij6KHKYILMkG3tS4NAegMI48QR9n++4Xa7u+97w1HO4ENpfLrkuKUcWUFCxxb2OdWhxucIlt3Ay/2+tofOSvqiRKeEISBtOK//Q1a4Iu5GwEP+lvDQ5rcoS0dryNie/okXaLratWOsmctJ6LFuUw5siCcFyUzfvr2ROsB14YoF989np+X1dJqBWxcLmbVNKx766GrRhb1WGeF0qxounCmWEKGt0zY4Zk27KNFlFu7XByDWZoSCVCMvkQaRKhvdNA39Y9vscZJGPGFhz+qKPoeqwUidz0IY51CaFSXewmzCBjAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQC+e2iOlFLlr9inVU8nEVWIBgqb0u/ICsLtxZqOpN9OIFWl+4hVrvTo24JzTc1jMSCONeL4Ab7jtTMbsweE9zUf6XlwhHLXfxfg7FL3WBsOWCUBXIAh338cZCXUGX7m0Qvtgg3VTEbTNDJhZle8Sjo6Gl]
+certmanager::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAQC5vU3lOdQOOqw/m42V9JK72TVoR7eGA6wNXz1VQeI5pIcOrDzXjWcfrtY1xbMI9EfvDEeJ5lpiSfSbvejLHJPkIi2efrkUMpB2lhxvxm8xxQVVU6UVEqHFAEIQynSDuq2I3UCPCD3KweGnAa73GuytugzswVvNSdXuBzLuMgt36ufNctmMLsqgY2YVAkUPfmud+a18L//ut6Z85TCcv74am9XBb4+Yd7g3QHLxvbtoNzlAStk9fUcbCurmsEGjuccV4VHe9C4Nxloai0wNXAu2XMRjsZWD77Swc5dDVhtXXs7MPO8DntTHpYIb3Q3UJLSVf2NyPwQQ5VQiGrs0Z5DBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBuj+gOJRwlvgUBPHO7SOJegDC8dKDpyooSYlgoe07UYir5xSRxPynnR9c83s20F+H7K8ng4G5PALRJRQNNsf82EGQ=]

hieradata/roles/infra/puppet/master.yaml

@@ -30,6 +30,7 @@ profiles::puppet::gems::puppet:
 profiles::helpers::certmanager::vault_config:
   addr: 'https://198.18.17.39:8200'
   mount_point: 'pki_int'
+  approle_path: 'approle'
   role_name: 'servers_default'
   output_path: '/tmp/certmanager'
-  token: "%{lookup('certmanager::vault_token')}"
+  role_id: "%{lookup('certmanager::role_id')}"

site/profiles/templates/helpers/certmanager.erb

@@ -1,4 +1,4 @@
-#!/usr/bin/env <%= @venv_path %>/bin/python
+#!<%= @venv_path %>/bin/python
 
 import argparse
 import requests
@@ -15,9 +15,28 @@ def load_config(config_path):
         config = yaml.safe_load(file)
     return config['vault']
 
+def authenticate_approle(vault_config):
+    url = f"{vault_config['addr']}/v1/auth/{vault_config['approle_path']}/login"
+    payload = {
+        "role_id": vault_config['role_id'],
+    }
+    response = requests.post(url, json=payload, verify=False)
+    if response.status_code == 200:
+        auth_response = response.json()
+        return auth_response['auth']['client_token']
+    else:
+        print(f"Error authenticating with AppRole: {response.text}")
+        return None
+
 def request_certificate(common_name, alt_names, ip_sans, expiry_days, vault_config):
+    # Authenticate using AppRole and get a token
+    client_token = authenticate_approle(vault_config)
+    if not client_token:
+        print("Failed to authenticate with Vault using AppRole.")
+        return None
+
     url = f"{vault_config['addr']}/v1/{vault_config['mount_point']}/issue/{vault_config['role_name']}"
-    headers = {'X-Vault-Token': vault_config['token']}
+    headers = {'X-Vault-Token': client_token}
     payload = {
         "common_name": common_name,
         "alt_names": ",".join(alt_names),

site/profiles/templates/helpers/certmanager_config.yaml.erb

@@ -1,7 +1,7 @@
 vault:
   addr: '<%= @vault_config['addr'] %>'
-  token: '<%= @vault_config['token'] %>'
+  role_id: '<%= @vault_config['role_id'] %>'
+  approle_path: '<%= @vault_config['approle_path'] %>'
   mount_point: '<%= @vault_config['mount_point'] %>'
   role_name: '<%= @vault_config['role_name'] %>'
 output_path: '<%= @vault_config['output_path'] %>'
-