Class: Hiera::Backend::Vault_backend

Inherits:
Object
  • Object
Defined in:
lib/hiera/backend/vault_backend.rb

Overview

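Hiera backend that resolves lookup keys by reading secrets from Vault KV mounts. The class name is not CamelCase, so the source carries the lint directive `rubocop:disable Naming/ClassAndModuleCamelCase`.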

Instance Method Summary

Constructor Details

#initialize ⇒ Vault_backend

Returns a new instance of Vault_backend.



# File 'lib/hiera/backend/vault_backend.rb', line 10

# Creates the backend and reports start-up on Hiera's debug channel.
#
# No Vault connection is opened here; #get_value builds a client for each
# lookup instead.
def initialize
  startup_notice = 'Hiera vault backend starting'
  Hiera.debug(startup_notice)
end

Instance Method Details

#get_first_value_from_sources(vault_client, key, sources) ⇒ Object



# File 'lib/hiera/backend/vault_backend.rb', line 43

# Walks the configured sources in order and returns the first value found.
#
# Source order is a precedence order: an earlier source that holds the key
# shadows every later one.
#
# @param vault_client [Object] client handed through to #read_kv_value
# @param key [Object] key being looked up
# @param sources [#each] source descriptors, tried first to last
# @return [Object] the first truthy value returned by #read_kv_value
# @note Throws +:no_such_key+ when no source yields a truthy value.
# @note A stored value of +false+ is treated the same as a missing secret,
#   because only truthy results end the scan.
# @note #read_kv_value throws +:unsupported_secrets_engine+ for a non-kv
#   source; nothing here catches it, so one such source stops the scan even
#   if a later source holds the key.
def get_first_value_from_sources(vault_client, key, sources)
  hit = nil

  sources.each do |candidate|
    hit = read_kv_value(vault_client, candidate, key)
    break if hit
  end

  # throw does not return, so execution only continues with a truthy hit.
  throw(:no_such_key) unless hit

  hit
end

#get_value(vault_config, key) ⇒ Object



# File 'lib/hiera/backend/vault_backend.rb', line 33

# Builds a Vault client for the configured address and resolves +key+
# against the configured sources.
#
# A new client is constructed on every call; nothing is cached.
#
# @param vault_config [Hash] parsed vault settings; +:address+ and +:sources+
#   are read
# @param key [Object] key being looked up
# @return [Object] whatever #get_first_value_from_sources returns
# @note Only +address+ is passed to the client. Token and TLS settings are
#   not set here; presumably the client takes them from its own defaults or
#   the environment - confirm for the deployment.
# @note NOTE(review): the address is used exactly as configured. Nothing in
#   this method checks the scheme, so a plain-HTTP address would be accepted;
#   consider rejecting non-TLS addresses before building the client.
def get_value(vault_config, key)
  client = Vault::Client.new(address: vault_config[:address])
  source_list = vault_config[:sources]

  get_first_value_from_sources(client, key, source_list)
end

#lookup(key, scope, _order_override, resolution_type, _context) ⇒ Object



# File 'lib/hiera/backend/vault_backend.rb', line 14

# Hiera backend entry point: resolves +key+ through Vault.
#
# The vault settings come from +Config[:vault]+ and are passed through
# +Backend.parse_answer+ with the lookup scope before use. When no address is
# configured the lookup is skipped with a warning and +nil+ is returned.
#
# @param key [Object] key being looked up (it is written to the debug log;
#   the resolved value is not)
# @param scope [Object] lookup scope handed to +Backend.parse_answer+
# @param _order_override [Object] unused
# @param resolution_type [Object] only used in the debug message
# @param _context [Object] unused
# @return [Object, nil] the parsed value, or +nil+ when no address is set
# @note +:no_such_key+ thrown further down is not caught here and propagates
#   to the caller.
# @note NOTE(review): the value read from Vault is passed through
#   +Backend.parse_answer+ as well. Presumably that applies Hiera
#   interpolation, so a secret containing interpolation tokens may be
#   altered - confirm.
def lookup(key, scope, _order_override, resolution_type, _context)
  Hiera.debug("Looking up #{key} in vault backend with #{resolution_type}")

  settings = Backend.parse_answer(Config[:vault], scope)

  # Despite its name, valid_vault_address? is true when the address is
  # MISSING (nil or empty), so a true result means "skip".
  if valid_vault_address?(settings)
    Hiera.warn('No vault address provided. Skipping lookup!')
    return nil
  end

  raw_value = get_value(settings, key)
  Backend.parse_answer(raw_value, scope)
end

#read_kv_value(vault_client, source, key) ⇒ Object



# File 'lib/hiera/backend/vault_backend.rb', line 53

# Reads one secret from a KV mount and returns its +:value+ field.
#
# The secret path is "<source[:path]>/<key>". The path and mount are written
# to the debug log; the secret itself is not.
#
# @param vault_client [Object] client responding to +kv(mount).read(path)+
# @param source [Hash] source descriptor; +:engine+, +:mount+ and +:path+
#   are read
# @param key [Object] key appended to the source path
# @return [Object, nil] +secret.data[:value]+, or +nil+ when the read
#   returns nothing
# @note Only the 'kv' engine is accepted; any other engine throws
#   +:unsupported_secrets_engine+. NOTE(review): no +catch+ for that symbol
#   is visible in this class - if no caller catches it, Ruby raises
#   UncaughtThrowError. Confirm.
# @note +key+ is placed in the path unmodified; nothing here validates or
#   normalises it. Presumably the policy attached to the Vault token is what
#   limits which paths can be read - confirm it is scoped to the configured
#   source paths.
# @note Only the +:value+ field of the secret is returned; other fields are
#   ignored.
def read_kv_value(vault_client, source, key)
  throw(:unsupported_secrets_engine) if source[:engine] != 'kv'

  kv_mount = source[:mount]
  secret_path = "#{source[:path]}/#{key}"
  Hiera.debug("Looking up #{secret_path} at #{kv_mount}")

  entry = vault_client.kv(kv_mount).read(secret_path)
  entry ? entry.data[:value] : nil
end

#valid_vault_address?(vault_config) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/hiera/backend/vault_backend.rb', line 28

# Reports whether the vault address is MISSING from the configuration.
#
# The name reads the other way round: the result is +true+ when the address
# is nil or empty and +false+ when one is set. #lookup relies on this sense
# and skips the lookup on +true+. No other validation of the address (such as
# format or scheme) is done here.
#
# @param vault_config [Hash] parsed vault settings; +:address+ is read
# @return [Boolean] +true+ when +:address+ is nil or empty
def valid_vault_address?(vault_config)
  address = vault_config[:address]
  return true if address.nil?

  address.empty?
end