certwrangler.stores.vault module

class certwrangler.stores.vault.BaseAuth

Bases: BaseModel

Base vault auth class.

abstractmethod login(client: Client) → None

This should be overridden by subclasses to provide the login logic.

model_config

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

class certwrangler.stores.vault.AppRoleAuth(*, method: Literal['approle'], mount_point: str | None = None, role_id: str, secret_id: str)

Bases: BaseAuth

AppRole auth class.

method: Literal['approle']

mount_point: str | None

role_id: str

secret_id: str

login(client: Client) → None

Login logic for AppRole auth.

model_config

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

class certwrangler.stores.vault.KubernetesAuth(*, method: Literal['kubernetes'], mount_point: str | None = None, role: str, token_path: str = '/var/run/secrets/kubernetes.io/serviceaccount/token')

Bases: BaseAuth

Kubernetes auth class.

method: Literal['kubernetes']

mount_point: str | None

role: str

token_path: str

login(client: Client) → None

Login logic for kubernetes auth.

model_config

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

class certwrangler.stores.vault.TokenAuth(*, method: Literal['token'], token: str)

Bases: BaseAuth

Token auth class.

method: Literal['token']

token: str

login(client: Client) → None

Login logic for token auth.

model_config

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

class certwrangler.stores.vault.VaultStore(*, driver: Literal['vault'], server: HttpUrl, ca_cert: Path | None = None, mount_point: str, path: Path, version: Literal[1, 2] = 2, auth: AppRoleAuth | TokenAuth | KubernetesAuth)

Bases: Store

Vault storage driver.

driver: Literal['vault']

server: HttpUrl

ca_cert: Path | None

mount_point: str

path: Path

version: Literal[1, 2]

auth: AppRoleAuth | TokenAuth | KubernetesAuth

_client: hvac.Client | None

property client: Client

initialize() → None

hvac will try to read the token from an $VAULT_TOKEN or ~/.vault_token. This explicitly clears out the token to ensure we read from config.

publish(cert: Cert) → None

Publish the cert to the configured location in vault.

Raises:

StoreError – Raised on authentication failures or failures reading or writing to vault.

_read_v1(path: Path) → Dict[str, str]

Read the contents of a secret from a v1 vault endpoint.

_write_v1(path: Path, secret: Dict[str, str]) → None

Write the contents of a secret to a v1 vault endpoint.

_read_v2(path: Path) → Dict[str, str]

Read the contents of a secret from a v2 vault endpoint.

_write_v2(path: Path, secret: Dict[str, str]) → None

Write the contents of a secret to a v1 vault endpoint.

model_config

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].