diff --git a/hieradata/roles/infra/puppet/master.eyaml b/hieradata/roles/infra/puppet/master.eyaml
index 2efc6d9..46f1d03 100644
--- a/hieradata/roles/infra/puppet/master.eyaml
+++ b/hieradata/roles/infra/puppet/master.eyaml
@@ -1,2 +1,3 @@
 ---
 certmanager::vault_token: ENC[PKCS7,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]
+certmanager::role_id: ENC[PKCS7,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]
diff --git a/hieradata/roles/infra/puppet/master.yaml b/hieradata/roles/infra/puppet/master.yaml
index b489b30..b5b6830 100644
--- a/hieradata/roles/infra/puppet/master.yaml
+++ b/hieradata/roles/infra/puppet/master.yaml
@@ -30,6 +30,7 @@ profiles::puppet::gems::puppet:
 profiles::helpers::certmanager::vault_config:
   addr: 'https://198.18.17.39:8200'
   mount_point: 'pki_int'
+  approle_path: 'approle'
   role_name: 'servers_default'
   output_path: '/tmp/certmanager'
-  token: "%{lookup('certmanager::vault_token')}"
+  role_id: "%{lookup('certmanager::role_id')}"
diff --git a/site/profiles/templates/helpers/certmanager.erb b/site/profiles/templates/helpers/certmanager.erb
index d1d2c0b..7266fde 100644
--- a/site/profiles/templates/helpers/certmanager.erb
+++ b/site/profiles/templates/helpers/certmanager.erb
@@ -1,4 +1,4 @@
-#!/usr/bin/env <%= @venv_path %>/bin/python
+#!<%= @venv_path %>/bin/python
 import argparse
 import requests
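Review bot: `certmanager::vault_token` is kept in this file even though the master.yaml hunk in the same commit drops the `token:` lookup that consumed it, so the encrypted static token stays in the repository with no remaining reader visible in the diff. If nothing outside this diff references it, remove the key and revoke the token in Vault in the same change, since an unused long-lived credential in hieradata is only a liability. If it is being retained deliberately for rollback, say so next to it, e.g. `# retained until AppRole login is verified in production; revoke afterwards`.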
@@ -15,9 +15,28 @@ def load_config(config_path):
         config = yaml.safe_load(file)
     return config['vault']
 
+def authenticate_approle(vault_config):
+    url = f"{vault_config['addr']}/v1/auth/{vault_config['approle_path']}/login"
+    payload = {
+        "role_id": vault_config['role_id'],
+    }
+    response = requests.post(url, json=payload, verify=False)
+    if response.status_code == 200:
+        auth_response = response.json()
+        return auth_response['auth']['client_token']
+    else:
+        print(f"Error authenticating with AppRole: {response.text}")
+        return None
+
 def request_certificate(common_name, alt_names, ip_sans, expiry_days, vault_config):
+    # Authenticate using AppRole and get a token
+    client_token = authenticate_approle(vault_config)
+    if not client_token:
+        print("Failed to authenticate with Vault using AppRole.")
+        return None
+
     url = f"{vault_config['addr']}/v1/{vault_config['mount_point']}/issue/{vault_config['role_name']}"
-    headers = {'X-Vault-Token': vault_config['token']}
+    headers = {'X-Vault-Token': client_token}
     payload = {
         "common_name": common_name,
         "alt_names": ",".join(alt_names),
diff --git a/site/profiles/templates/helpers/certmanager_config.yaml.erb b/site/profiles/templates/helpers/certmanager_config.yaml.erb
index aea4d18..1b3e1ed 100644
--- a/site/profiles/templates/helpers/certmanager_config.yaml.erb
+++ b/site/profiles/templates/helpers/certmanager_config.yaml.erb
@@ -1,7 +1,7 @@
 vault:
   addr: '<%= @vault_config['addr'] %>'
-  token: '<%= @vault_config['token'] %>'
+  role_id: '<%= @vault_config['role_id'] %>'
+  approle_path: '<%= @vault_config['approle_path'] %>'
   mount_point: '<%= @vault_config['mount_point'] %>'
   role_name: '<%= @vault_config['role_name'] %>'
   output_path: '<%= @vault_config['output_path'] %>'
-
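Review bot: `authenticate_approle` posts the AppRole login with `verify=False`, so the credential exchange with the Vault address from the config runs without TLS certificate validation; the issue call presumably already did this, but the new login makes it matter more because a login credential, not just a certificate request, now crosses the unverified channel. Pin the Vault CA and bound the call instead, e.g. `response = requests.post(url, json=payload, verify=vault_config.get('ca_cert', True), timeout=10)` (a `ca_cert` key is a proposed addition to the config template; the `timeout` keeps a hung Vault from stalling the Puppet run). The login payload carries only `role_id`, which means the Vault role must be configured with `bind_secret_id` disabled and `role_id` then acts as a standalone bearer credential, close in strength to the static token it replaces; consider requiring a `secret_id` as well so the two halves can be delivered by different paths. The function also lacks a docstring; `"""Log in to Vault via AppRole and return a client token, or None on failure."""` would do. `request_certificate` continues past the end of the hunk.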
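Review bot: The rendered config now writes `role_id`, which after this commit is the only credential the helper presents to Vault, in plaintext on disk; the Puppet `file` resource that materialises this template is outside the diff, so confirm it sets an owner-only mode such as `0600` rather than the default. `approle_path` is also rendered unconditionally, so a missing hiera value yields `approle_path: ''` and the helper would build a login URL of `/v1/auth//login`; either guard the line in the template or give the key a default of `approle` in the profile.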