Diffstat (limited to 'lib/chef')
-rw-r--r-- | lib/chef/secret_fetcher.rb | 7 | ||||
-rw-r--r-- | lib/chef/secret_fetcher/akeyless_vault.rb | 57 | ||||
-rw-r--r-- | lib/chef/secret_fetcher/hashi_vault.rb | 2 |
3 files changed, 63 insertions, 3 deletions
diff --git a/lib/chef/secret_fetcher.rb b/lib/chef/secret_fetcher.rb
index e8e4602bb2..af3e1d5cbb 100644
--- a/lib/chef/secret_fetcher.rb
+++ b/lib/chef/secret_fetcher.rb
@@ -21,7 +21,7 @@ require_relative "exceptions"
 class Chef
 class SecretFetcher
- SECRET_FETCHERS = %i{example aws_secrets_manager azure_key_vault hashi_vault}.freeze
+ SECRET_FETCHERS = %i{example aws_secrets_manager azure_key_vault hashi_vault akeyless_vault}.freeze

 # Returns a configured and validated instance
 # of a [Chef::SecretFetcher::Base] for the given
@@ -45,10 +45,13 @@ class Chef
 when :hashi_vault
 require_relative "secret_fetcher/hashi_vault"
 Chef::SecretFetcher::HashiVault.new(config, run_context)
+ when :akeyless_vault
+ require_relative "secret_fetcher/akeyless_vault"
+ Chef::SecretFetcher::AKeylessVault.new(config, run_context)
 when nil, ""
 raise Chef::Exceptions::Secret::MissingFetcher.new(SECRET_FETCHERS)
 else
- raise Chef::Exceptions::Secret::InvalidFetcherService.new("Unsupported secret service: #{service}", SECRET_FETCHERS)
+ raise Chef::Exceptions::Secret::InvalidFetcherService.new("Unsupported secret service: '#{service}'", SECRET_FETCHERS)
 end
 fetcher.validate!
 fetcher
diff --git a/lib/chef/secret_fetcher/akeyless_vault.rb b/lib/chef/secret_fetcher/akeyless_vault.rb
new file mode 100644
index 0000000000..f80eeba7bc
--- /dev/null
+++ b/lib/chef/secret_fetcher/akeyless_vault.rb
@@ -0,0 +1,57 @@
+#
+# Author:: Marc Paradise (<marc@chef.io>)
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "base"
+require_relative "hashi_vault"
+
+class Chef
+class SecretFetcher
+# == Chef::SecretFetcher::AKeylessVault
+# A fetcher that fetches a secret from AKeyless Vault. Initial implementation is
+# based on HashiVault , because AKeyless provides a compatibility layer that makes this possible.
+# Future revisions will use native akeyless authentication.
+#
+# Required config:
+# :access_id - the access id of the API key
+# :access_key - the access key of the API key
+#
+#
+# @example
+#
+# fetcher = SecretFetcher.for_service(:akeyless_vault, { access_id: "my-access-id", access_key: "my-access-key" }, run_context )
+# fetcher.fetch("/secret/data/secretkey1")
+#
+AKEYLESS_VAULT_PROXY_ADDR = "https://hvp.akeyless.io".freeze
+class AKeylessVault < HashiVault
+def validate!
+if config[:access_key].nil?
+raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the secret access key in the configuration as :secret_access_key")
+end
+if config[:access_id].nil?
+ raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the access key id in the configuration as :access_key_id")
+ end
+
+ config[:vault_addr] ||= AKEYLESS_VAULT_PROXY_ADDR
+ config[:auth_method] = :token
+ config[:token] = "#{config[:access_id]}..#{config[:access_key]}"
+ super
+ end
+ end
+ end
+end
+
diff --git a/lib/chef/secret_fetcher/hashi_vault.rb b/lib/chef/secret_fetcher/hashi_vault.rb
index 7cca57542f..47bf78f5c1 100644
--- a/lib/chef/secret_fetcher/hashi_vault.rb
+++ b/lib/chef/secret_fetcher/hashi_vault.rb
@@ -57,7 +57,7 @@ class Chef
 SUPPORTED_AUTH_TYPES = %i{iam_role token}.freeze
 class HashiVault < Base
- # Validate and authenticate the current session using the configurated auth strategy and parameters
+ # Validate and authenticate the current session using the configured auth strategy and parameters
 def validate!
 if config[:vault_addr].nil?
 raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the Vault address in the configuration as :vault_addr") |
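Review bot: Both ConfigurationInvalid messages in AKeylessVault#validate! name keys the code never reads: the check on `config[:access_key]` tells the user to set `:secret_access_key`, and the check on `config[:access_id]` tells them to set `:access_key_id`, while the class comment in the same hunk documents `:access_id` and `:access_key`; a user who follows the message keeps failing validation. Change the two raises to `raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the access key in the configuration as :access_key")` and `raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the access id in the configuration as :access_id")`. Separately, the method writes the joined credential back into the caller's config hash as `config[:token]` and overwrites `:auth_method` unconditionally, so the composed secret travels with that hash wherever it is later inspected or logged; if that is the intended contract for the HashiVault compatibility path, say so in a comment such as `# The Vault-compatible proxy takes "<access_id>..<access_key>" as a token; note this mutates config` rather than leaving it implicit. As a point of layout, AKEYLESS_VAULT_PROXY_ADDR sits between the class comment and `class AKeylessVault`, which detaches the documentation from the class it describes and defines the constant on SecretFetcher rather than on AKeylessVault; moving it inside the class would fix both.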