feat: change certmanage to approles

- created approle 'certmanager' using 'certmanager' policy
- update certmanager script to generate token based on roleid
2024-04-04 00:32:08 +11:00
parent e69b3a9dc4
commit 5bde96fb4d
4 changed files with 26 additions and 5 deletions
@@ -1,4 +1,4 @@
#!/usr/bin/env <%= @venv_path %>/bin/python
#!<%= @venv_path %>/bin/python
import argparse
import requests
@@ -15,9 +15,28 @@ def load_config(config_path):
config = yaml.safe_load(file)
return config['vault']
def authenticate_approle(vault_config):
url = f"{vault_config['addr']}/v1/auth/{vault_config['approle_path']}/login"
payload = {
"role_id": vault_config['role_id'],
}
response = requests.post(url, json=payload, verify=False)
if response.status_code == 200:
auth_response = response.json()
return auth_response['auth']['client_token']
else:
print(f"Error authenticating with AppRole: {response.text}")
return None
def request_certificate(common_name, alt_names, ip_sans, expiry_days, vault_config):
# Authenticate using AppRole and get a token
client_token = authenticate_approle(vault_config)
if not client_token:
print("Failed to authenticate with Vault using AppRole.")
return None
url = f"{vault_config['addr']}/v1/{vault_config['mount_point']}/issue/{vault_config['role_name']}"
headers = {'X-Vault-Token': vault_config['token']}
headers = {'X-Vault-Token': client_token}
payload = {
"common_name": common_name,
"alt_names": ",".join(alt_names),
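Review bot: `authenticate_approle` posts the `role_id` with `verify=False`, so both the credential and the returned `client_token` cross a TLS connection whose server certificate is never validated; pass the CA bundle that signs the Vault listener instead, e.g. `response = requests.post(url, json=payload, verify=vault_config.get('ca_cert', True))` with a `ca_cert` path (constructed key name) added to the config rather than disabling verification. The login payload carries only `role_id`, and Vault's AppRole login rejects that unless the role was created with `bind_secret_id=false`; if that is how the role was set up, `role_id` alone is a bearer credential, and the YAML template in the next section (which also has no `secret_id`) then needs the same file protection the removed `token` line had. The token obtained here is never revoked after the certificate is issued, so each run leaves a live token until its TTL expires — a `POST {addr}/v1/auth/token/revoke-self` with the same header, in a `finally` around the issue call, would close that. `request_certificate`'s body continues outside the hunk.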
@@ -1,7 +1,7 @@
vault:
addr: '<%= @vault_config['addr'] %>'
token: '<%= @vault_config['token'] %>'
role_id: '<%= @vault_config['role_id'] %>'
approle_path: '<%= @vault_config['approle_path'] %>'
mount_point: '<%= @vault_config['mount_point'] %>'
role_name: '<%= @vault_config['role_name'] %>'
output_path: '<%= @vault_config['output_path'] %>'