From aa7174c1bdb0f322beb55bb3c88532bb4c8ea13a Mon Sep 17 00:00:00 2001
From: Oscar Villarraga
Date: Mon, 30 May 2022 15:44:57 +0200
Subject: [PATCH] able to sync vault keys in a Vault that has multiple mount_points, roles, acl

---
 stakewise_cli/commands/sync_vault.py | 14 +++++++++-----
 stakewise_cli/settings.py            |  2 +-
 stakewise_cli/storages/vault.py      | 13 ++++++++-----
 3 files changed, 18 insertions(+), 11 deletions(-)

diff --git a/stakewise_cli/commands/sync_vault.py b/stakewise_cli/commands/sync_vault.py
index ae21521..63b6668 100644
--- a/stakewise_cli/commands/sync_vault.py
+++ b/stakewise_cli/commands/sync_vault.py
@@ -61,6 +61,7 @@ def validate_operator_address(ctx, param, value):
     callback=validate_operator_address,
 )
 def sync_vault(network: str, operator: ChecksumAddress) -> None:
+    global VAULT_VALIDATORS_MOUNT_POINT
     while True:
         try:
             vault_client = get_vault_client()
@@ -98,6 +99,14 @@ def sync_vault(network: str, operator: ChecksumAddress) -> None:
                 fg="red",
             )
 
+    namespace = click.prompt(
+        "Enter the validators kubernetes namespace",
+        default="validators",
+        type=click.STRING,
+    )
+    if VAULT_VALIDATORS_MOUNT_POINT == "":
+        VAULT_VALIDATORS_MOUNT_POINT = namespace
+
     vault_client.secrets.kv.default_kv_version = 1
     try:
         vault_client.sys.enable_secrets_engine(
@@ -126,11 +135,6 @@ def sync_vault(network: str, operator: ChecksumAddress) -> None:
                 "Error: failed to connect to the Kubernetes API host", bold=True, fg="red"
             )
 
-    namespace = click.prompt(
-        "Enter the validators kubernetes namespace",
-        default="validators",
-        type=click.STRING,
-    )
     mnemonic = click.prompt(
         'Enter your mnemonic separated by spaces (" ")',
         value_proc=validate_mnemonic,
diff --git a/stakewise_cli/settings.py b/stakewise_cli/settings.py
index e9518e2..76080ce 100644
--- a/stakewise_cli/settings.py
+++ b/stakewise_cli/settings.py
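Review bot: The `global VAULT_VALIDATORS_MOUNT_POINT` added as the first statement of sync_vault only rebinds the name inside this module; if the name is imported with `from stakewise_cli.settings import VAULT_VALIDATORS_MOUNT_POINT` (the import is outside the hunk), the assignment in the second hunk never reaches `stakewise_cli.settings` or the separate copy that `storages/vault.py` reads, which would explain why the same `global` workaround is repeated in `Vault.__init__` in this patch. Two independently rebound copies of a path setting can diverge, so the policy template and the `mount_point=` of the delete/create secret calls in vault.py may end up pointing at a different mount than the one the CLI worked with. Prefer resolving the value once and passing it explicitly, e.g. `mount_point = VAULT_VALIDATORS_MOUNT_POINT or namespace` in sync_vault and a `mount_point` constructor argument on the storage class, and drop both `global` statements. The body of sync_vault continues outside the hunk.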
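Review bot: The interactive answer now becomes the Vault mount point (`VAULT_VALIDATORS_MOUNT_POINT = namespace`) and, via the storage class, the first `%s` substituted into `VALIDATOR_POLICY` and a prefix of every policy and Kubernetes auth role name, but the prompt accepts any string. A value containing `/`, `*`, `+` or quotes would change the meaning of the HCL policy path instead of merely naming it, so the generated policies could grant more than intended. Kubernetes namespaces are RFC 1123 labels; validate before use, for example `if not re.fullmatch(r"[a-z0-9]([-a-z0-9]*[a-z0-9])?", namespace): raise click.BadParameter("invalid namespace")`, or pass a `value_proc` the way the mnemonic prompt below already does. The enclosing function starts and ends outside this hunk.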
@@ -19,7 +19,7 @@
 )
 
 VAULT_VALIDATORS_MOUNT_POINT = config(
-    "VAULT_VALIDATORS_MOUNT_POINT", default="validators"
+    "VAULT_VALIDATORS_MOUNT_POINT", default=""
 )
 
 IS_LEGACY = config("IS_LEGACY", default=False, cast=bool)
diff --git a/stakewise_cli/storages/vault.py b/stakewise_cli/storages/vault.py
index 44ebaf6..90b2c5d 100644
--- a/stakewise_cli/storages/vault.py
+++ b/stakewise_cli/storages/vault.py
@@ -71,6 +71,9 @@ def __init__(
         self.max_keys_per_validator = NETWORKS[network]["MAX_KEYS_PER_VALIDATOR"]
         self.operator_address = operator
         self.check_mnemonic()
+        global VAULT_VALIDATORS_MOUNT_POINT
+        if VAULT_VALIDATORS_MOUNT_POINT == "":
+            VAULT_VALIDATORS_MOUNT_POINT = namespace
 
     @cached_property
     def vault_validator_names(self) -> Set[str]:
@@ -341,8 +344,8 @@ def sync_vault_validators(self) -> None:
             show_pos=True,
         ) as bar:
             for validator_name in removed_validators:
-                self.vault_client.sys.delete_policy(validator_name)
-                self.vault_client.delete_kubernetes_role(validator_name)
+                self.vault_client.sys.delete_policy(f"{self.namespace}-{validator_name}")
+                self.vault_client.delete_kubernetes_role(f"{self.namespace}-{validator_name}")
                 self.vault_client.secrets.kv.delete_secret(
                     path=f"{validator_name}/password",
                     mount_point=VAULT_VALIDATORS_MOUNT_POINT,
@@ -355,13 +358,13 @@ def sync_vault_validators(self) -> None:
 
             for validator_name in new_validators:
                 self.vault_client.sys.create_or_update_policy(
-                    name=validator_name,
+                    name=f"{self.namespace}-{validator_name}",
                     policy=VALIDATOR_POLICY
                     % (VAULT_VALIDATORS_MOUNT_POINT, validator_name),
                 )
                 self.vault_client.auth.kubernetes.create_role(
-                    name=validator_name,
-                    policies=[validator_name],
+                    name=f"{self.namespace}-{validator_name}",
+                    policies=[f"{self.namespace}-{validator_name}"],
                     bound_service_account_names=validator_name,
                     bound_service_account_namespaces=self.namespace,
                 )
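Review bot: The removal loop now deletes only the prefixed `f"{self.namespace}-{validator_name}"` policy and role, so policies and Kubernetes auth roles created by earlier versions under the bare `validator_name` are never cleaned up and remain in Vault as orphaned grants after the validator is retired. Either delete the legacy name too during the migration window, `self.vault_client.sys.delete_policy(validator_name)` alongside the prefixed call (and the matching role), or document that operators must remove pre-existing roles by hand. Also note the hunk mixes `self.vault_client.delete_kubernetes_role(...)` with `self.vault_client.auth.kubernetes.create_role(...)` below; the former looks like the older top-level hvac method, so confirm it still exists on the client returned by get_vault_client, otherwise removals will fail while creations succeed. sync_vault_validators continues outside the hunk.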
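Review bot: The composed name `f"{self.namespace}-{validator_name}"` is ambiguous whenever either part contains a hyphen, which RFC 1123 namespaces routinely do: namespace `a-b` with validator `c` and namespace `a` with validator `b-c` yield the same policy and role name, so `create_or_update_policy` and `create_role` for one namespace would overwrite the other's and rebind its `bound_service_account_namespaces`, breaking the per-namespace isolation this patch is meant to add. The same composition appears in the removal loop above. Use a separator that cannot occur in a DNS label, such as `_` if the Vault version in use accepts it in policy and role names, and put it in one helper, `def _scoped_name(self, validator_name: str) -> str`, so the three call sites cannot drift. sync_vault_validators continues outside the hunk.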