certwrangler.stores.vault module#

pydantic model certwrangler.stores.vault.BaseAuth[source]#

Bases: BaseModel

Base vault auth class.

Show Entity Relationship Diagram

digraph "Entity Relationship Diagram created by erdantic" { graph [fontcolor=gray66, fontname="Times New Roman,Times,Liberation Serif,serif", fontsize=9, nodesep=0.5, rankdir=LR, ranksep=1.5 ]; node [fontname="Times New Roman,Times,Liberation Serif,serif", fontsize=14, label="\N", shape=plain ]; edge [dir=both]; "certwrangler.stores.vault.BaseAuth" [label=<<table border="0" cellborder="1" cellspacing="0"><tr><td port="_root" colspan="1"><b>BaseAuth</b></td></tr></table>>, tooltip="certwrangler.stores.vault.BaseAuth&#xA;&#xA;Base vault auth class.&#xA;"]; }

Show JSON schema
{
   "title": "BaseAuth",
   "description": "Base vault auth class.",
   "type": "object",
   "properties": {}
}

abstractmethod login(client: Client) None[source]#

This should be overridden by subclasses to provide the login logic.

pydantic model certwrangler.stores.vault.AppRoleAuth[source]#

Bases: BaseAuth

AppRole auth class.

Show Entity Relationship Diagram

digraph "Entity Relationship Diagram created by erdantic" { graph [fontcolor=gray66, fontname="Times New Roman,Times,Liberation Serif,serif", fontsize=9, nodesep=0.5, rankdir=LR, ranksep=1.5 ]; node [fontname="Times New Roman,Times,Liberation Serif,serif", fontsize=14, label="\N", shape=plain ]; edge [dir=both]; "certwrangler.stores.vault.AppRoleAuth" [label=<<table border="0" cellborder="1" cellspacing="0"><tr><td port="_root" colspan="2"><b>AppRoleAuth</b></td></tr><tr><td>method</td><td port="method">Literal['approle']</td></tr><tr><td>mount_point</td><td port="mount_point">Optional[str]</td></tr><tr><td>role_id</td><td port="role_id">str</td></tr><tr><td>secret_id</td><td port="secret_id">str</td></tr></table>>, tooltip="certwrangler.stores.vault.AppRoleAuth&#xA;&#xA;AppRole auth class.&#xA;"]; }

Show JSON schema
{
   "title": "AppRoleAuth",
   "description": "AppRole auth class.",
   "type": "object",
   "properties": {
      "method": {
         "const": "approle",
         "title": "Method",
         "type": "string"
      },
      "mount_point": {
         "anyOf": [
            {
               "type": "string"
            },
            {
               "type": "null"
            }
         ],
         "default": null,
         "description": "Optional mount point for the auth method.",
         "title": "Mount Point"
      },
      "role_id": {
         "description": "The AppRole role_id.",
         "title": "Role Id",
         "type": "string"
      },
      "secret_id": {
         "description": "The AppRole secret_id.",
         "title": "Secret Id",
         "type": "string"
      }
   },
   "required": [
      "method",
      "role_id",
      "secret_id"
   ]
}

Fields:
field method: Literal['approle'] [Required]#
field mount_point: str | None = None#

Optional mount point for the auth method.

field role_id: str [Required]#

The AppRole role_id.

field secret_id: str [Required]#

The AppRole secret_id. Treat this value as a credential.

login(client: Client) None[source]#

Login logic for AppRole auth.

pydantic model certwrangler.stores.vault.KubernetesAuth[source]#

Bases: BaseAuth

Kubernetes auth class.

Show Entity Relationship Diagram

digraph "Entity Relationship Diagram created by erdantic" { graph [fontcolor=gray66, fontname="Times New Roman,Times,Liberation Serif,serif", fontsize=9, nodesep=0.5, rankdir=LR, ranksep=1.5 ]; node [fontname="Times New Roman,Times,Liberation Serif,serif", fontsize=14, label="\N", shape=plain ]; edge [dir=both]; "certwrangler.stores.vault.KubernetesAuth" [label=<<table border="0" cellborder="1" cellspacing="0"><tr><td port="_root" colspan="2"><b>KubernetesAuth</b></td></tr><tr><td>method</td><td port="method">Literal['kubernetes']</td></tr><tr><td>mount_point</td><td port="mount_point">Optional[str]</td></tr><tr><td>role</td><td port="role">str</td></tr><tr><td>token_path</td><td port="token_path">str</td></tr></table>>, tooltip="certwrangler.stores.vault.KubernetesAuth&#xA;&#xA;Kubernetes auth class.&#xA;"]; }

Show JSON schema
{
   "title": "KubernetesAuth",
   "description": "Kubernetes auth class.",
   "type": "object",
   "properties": {
      "method": {
         "const": "kubernetes",
         "title": "Method",
         "type": "string"
      },
      "mount_point": {
         "anyOf": [
            {
               "type": "string"
            },
            {
               "type": "null"
            }
         ],
         "default": null,
         "description": "Optional mount point for the auth method.",
         "title": "Mount Point"
      },
      "role": {
         "description": "The name of the role.",
         "title": "Role",
         "type": "string"
      },
      "token_path": {
         "default": "/var/run/secrets/kubernetes.io/serviceaccount/token",
         "description": "The path to the kubernetes service account token.",
         "title": "Token Path",
         "type": "string"
      }
   },
   "required": [
      "method",
      "role"
   ]
}

Fields:
field method: Literal['kubernetes'] [Required]#
field mount_point: str | None = None#

Optional mount point for the auth method.

field role: str [Required]#

The name of the role.

field token_path: str = '/var/run/secrets/kubernetes.io/serviceaccount/token'#

The path to the kubernetes service account token.

login(client: Client) None[source]#

Login logic for kubernetes auth.

pydantic model certwrangler.stores.vault.TokenAuth[source]#

Bases: BaseAuth

Token auth class.

Show Entity Relationship Diagram

digraph "Entity Relationship Diagram created by erdantic" { graph [fontcolor=gray66, fontname="Times New Roman,Times,Liberation Serif,serif", fontsize=9, nodesep=0.5, rankdir=LR, ranksep=1.5 ]; node [fontname="Times New Roman,Times,Liberation Serif,serif", fontsize=14, label="\N", shape=plain ]; edge [dir=both]; "certwrangler.stores.vault.TokenAuth" [label=<<table border="0" cellborder="1" cellspacing="0"><tr><td port="_root" colspan="2"><b>TokenAuth</b></td></tr><tr><td>method</td><td port="method">Literal['token']</td></tr><tr><td>token</td><td port="token">str</td></tr></table>>, tooltip="certwrangler.stores.vault.TokenAuth&#xA;&#xA;Token auth class.&#xA;"]; }

Show JSON schema
{
   "title": "TokenAuth",
   "description": "Token auth class.",
   "type": "object",
   "properties": {
      "method": {
         "const": "token",
         "title": "Method",
         "type": "string"
      },
      "token": {
         "description": "The vault token.",
         "title": "Token",
         "type": "string"
      }
   },
   "required": [
      "method",
      "token"
   ]
}

Fields:
field method: Literal['token'] [Required]#
field token: str [Required]#

The vault token.

login(client: Client) None[source]#

Login logic for token auth.

pydantic model certwrangler.stores.vault.VaultStore[source]#

Bases: Store

Vault storage driver.

Show Entity Relationship Diagram

digraph "Entity Relationship Diagram created by erdantic" { graph [fontcolor=gray66, fontname="Times New Roman,Times,Liberation Serif,serif", fontsize=9, nodesep=0.5, rankdir=LR, ranksep=1.5 ]; node [fontname="Times New Roman,Times,Liberation Serif,serif", fontsize=14, label="\N", shape=plain ]; edge [dir=both]; "certwrangler.stores.vault.AppRoleAuth" [label=<<table border="0" cellborder="1" cellspacing="0"><tr><td port="_root" colspan="2"><b>AppRoleAuth</b></td></tr><tr><td>method</td><td port="method">Literal['approle']</td></tr><tr><td>mount_point</td><td port="mount_point">Optional[str]</td></tr><tr><td>role_id</td><td port="role_id">str</td></tr><tr><td>secret_id</td><td port="secret_id">str</td></tr></table>>, tooltip="certwrangler.stores.vault.AppRoleAuth&#xA;&#xA;AppRole auth class.&#xA;"]; "certwrangler.stores.vault.KubernetesAuth" [label=<<table border="0" cellborder="1" cellspacing="0"><tr><td port="_root" colspan="2"><b>KubernetesAuth</b></td></tr><tr><td>method</td><td port="method">Literal['kubernetes']</td></tr><tr><td>mount_point</td><td port="mount_point">Optional[str]</td></tr><tr><td>role</td><td port="role">str</td></tr><tr><td>token_path</td><td port="token_path">str</td></tr></table>>, tooltip="certwrangler.stores.vault.KubernetesAuth&#xA;&#xA;Kubernetes auth class.&#xA;"]; "certwrangler.stores.vault.TokenAuth" [label=<<table border="0" cellborder="1" cellspacing="0"><tr><td port="_root" colspan="2"><b>TokenAuth</b></td></tr><tr><td>method</td><td port="method">Literal['token']</td></tr><tr><td>token</td><td port="token">str</td></tr></table>>, tooltip="certwrangler.stores.vault.TokenAuth&#xA;&#xA;Token auth class.&#xA;"]; "certwrangler.stores.vault.VaultStore" [label=<<table border="0" cellborder="1" cellspacing="0"><tr><td port="_root" colspan="2"><b>VaultStore</b></td></tr><tr><td>driver</td><td port="driver">Literal['vault']</td></tr><tr><td>server</td><td port="server">HttpUrl</td></tr><tr><td>ca_cert</td><td 
port="ca_cert">Optional[Path]</td></tr><tr><td>mount_point</td><td port="mount_point">str</td></tr><tr><td>path</td><td port="path">Path</td></tr><tr><td>version</td><td port="version">Literal[1, 2]</td></tr><tr><td>auth</td><td port="auth">Union[AppRoleAuth, TokenAuth, KubernetesAuth]</td></tr></table>>, tooltip="certwrangler.stores.vault.VaultStore&#xA;&#xA;Vault storage driver.&#xA;"]; "certwrangler.stores.vault.VaultStore":auth:e -> "certwrangler.stores.vault.AppRoleAuth":_root:w [arrowhead=noneteetee, arrowtail=nonenone]; "certwrangler.stores.vault.VaultStore":auth:e -> "certwrangler.stores.vault.KubernetesAuth":_root:w [arrowhead=noneteetee, arrowtail=nonenone]; "certwrangler.stores.vault.VaultStore":auth:e -> "certwrangler.stores.vault.TokenAuth":_root:w [arrowhead=noneteetee, arrowtail=nonenone]; }

Show JSON schema
{
   "title": "VaultStore",
   "description": "Vault storage driver.",
   "type": "object",
   "properties": {
      "driver": {
         "const": "vault",
         "title": "Driver",
         "type": "string"
      },
      "server": {
         "description": "The URI of the vault server.",
         "format": "uri",
         "maxLength": 2083,
         "minLength": 1,
         "title": "Server",
         "type": "string"
      },
      "ca_cert": {
         "anyOf": [
            {
               "format": "path",
               "type": "string"
            },
            {
               "type": "null"
            }
         ],
         "default": null,
         "description": "Optional path to a CA cert for requests to vault.",
         "title": "Ca Cert"
      },
      "mount_point": {
         "description": "Mount point of the secrets engine.",
         "title": "Mount Point",
         "type": "string"
      },
      "path": {
         "description": "Path where secrets should be written.",
         "format": "path",
         "title": "Path",
         "type": "string"
      },
      "version": {
         "default": 2,
         "description": "The version of the vault secrets engine.",
         "enum": [
            1,
            2
         ],
         "title": "Version",
         "type": "integer"
      },
      "auth": {
         "description": "The config for authenticating with vault.",
         "discriminator": {
            "mapping": {
               "approle": "#/$defs/AppRoleAuth",
               "kubernetes": "#/$defs/KubernetesAuth",
               "token": "#/$defs/TokenAuth"
            },
            "propertyName": "method"
         },
         "oneOf": [
            {
               "$ref": "#/$defs/AppRoleAuth"
            },
            {
               "$ref": "#/$defs/TokenAuth"
            },
            {
               "$ref": "#/$defs/KubernetesAuth"
            }
         ],
         "title": "Auth"
      }
   },
   "$defs": {
      "AppRoleAuth": {
         "description": "AppRole auth class.",
         "properties": {
            "method": {
               "const": "approle",
               "title": "Method",
               "type": "string"
            },
            "mount_point": {
               "anyOf": [
                  {
                     "type": "string"
                  },
                  {
                     "type": "null"
                  }
               ],
               "default": null,
               "description": "Optional mount point for the auth method.",
               "title": "Mount Point"
            },
            "role_id": {
               "description": "The AppRole role_id.",
               "title": "Role Id",
               "type": "string"
            },
            "secret_id": {
               "description": "The AppRole secret_id.",
               "title": "Secret Id",
               "type": "string"
            }
         },
         "required": [
            "method",
            "role_id",
            "secret_id"
         ],
         "title": "AppRoleAuth",
         "type": "object"
      },
      "KubernetesAuth": {
         "description": "Kubernetes auth class.",
         "properties": {
            "method": {
               "const": "kubernetes",
               "title": "Method",
               "type": "string"
            },
            "mount_point": {
               "anyOf": [
                  {
                     "type": "string"
                  },
                  {
                     "type": "null"
                  }
               ],
               "default": null,
               "description": "Optional mount point for the auth method.",
               "title": "Mount Point"
            },
            "role": {
               "description": "The name of the role.",
               "title": "Role",
               "type": "string"
            },
            "token_path": {
               "default": "/var/run/secrets/kubernetes.io/serviceaccount/token",
               "description": "The path to the kubernetes service account token.",
               "title": "Token Path",
               "type": "string"
            }
         },
         "required": [
            "method",
            "role"
         ],
         "title": "KubernetesAuth",
         "type": "object"
      },
      "TokenAuth": {
         "description": "Token auth class.",
         "properties": {
            "method": {
               "const": "token",
               "title": "Method",
               "type": "string"
            },
            "token": {
               "description": "The vault token.",
               "title": "Token",
               "type": "string"
            }
         },
         "required": [
            "method",
            "token"
         ],
         "title": "TokenAuth",
         "type": "object"
      }
   },
   "required": [
      "driver",
      "server",
      "mount_point",
      "path",
      "auth"
   ]
}

Fields:
field driver: Literal['vault'] [Required]#
field server: HttpUrl [Required]#

The URI of the vault server.

field ca_cert: Path | None = None#

Optional path to a CA certificate used to verify TLS requests to vault.

field mount_point: str [Required]#

Mount point of the secrets engine.

field path: Path [Required]#

Path where secrets should be written.

field version: Literal[1, 2] = 2#

The version of the vault secrets engine.

field auth: AppRoleAuth | TokenAuth | KubernetesAuth [Required]#

The config for authenticating with vault.

_client: hvac.Client | None#
property client: Client#
initialize() None[source]#

hvac will try to read a token from the $VAULT_TOKEN environment variable or from ~/.vault_token. This explicitly clears out that token to ensure the token used comes from the configured auth.

publish(cert: Cert) None[source]#

Publish the cert to the configured location in vault.

Raises:

StoreError – Raised on authentication failures, or on failures reading from or writing to vault.

_read_v1(path: Path) Dict[str, str][source]#

Read the contents of a secret from a v1 vault endpoint.

_write_v1(path: Path, secret: Dict[str, str]) None[source]#

Write the contents of a secret to a v1 vault endpoint.

_read_v2(path: Path) Dict[str, str][source]#

Read the contents of a secret from a v2 vault endpoint.

_write_v2(path: Path, secret: Dict[str, str]) None[source]#

Write the contents of a secret to a v2 vault endpoint.