hiera-consul 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 73f393c35a128be6bfaae874febd674059dba594
+  data.tar.gz: c1e33bcd1a674e40faaf21a64c76070a1cea1014
+SHA512:
+  metadata.gz: ac2dab1523653d471e01dca3f5ebbb366ec039fda5f0d92cce61435732e67d6889f3cc404975eb1b9347c215e1f53111acf7e996e7173f1e33cbc16c7a7c00de
+  data.tar.gz: 86944abef51a03957ac77321dd493f2903fccd1b5404490c2782de554c21e6ffd596e38f6131b4a7714709b6d616858793043191d5090833683aa605ba9e5b4f

data/lib/hiera/backend/consul_backend.rb

@@ -0,0 +1,123 @@
+# Hiera backend for Consul
+class Hiera
+  module Backend
+    class Consul_backend
+
+      def initialize()
+        require 'base64'
+        require 'net/http'
+        require 'json'
+        require 'uri'
+
+        @config = Config[:consul]
+        if ENV['CONSUL_HTTP_ADDR']
+          # By convention the ENV var does not contain a scheme, but URI
+          # requires one. Net::HTTP will switch to https if configured later.
+          uri = URI('http://' + ENV['CONSUL_HTTP_ADDR'])
+          @consul = Net::HTTP.new(uri.host, uri.port)
+        elsif (@config[:host] && @config[:port])
+          @consul = Net::HTTP.new(@config[:host], @config[:port])
+        else
+          raise "[hiera-consul] Missing minimum configuration, please check hiera.yaml"
+        end
+
+        Hiera.debug("[hiera-consul] Client configured to connect to #{@consul.address}:#{@consul.port}")
+
+        @consul.read_timeout = @config[:http_read_timeout] || 10
+        @consul.open_timeout = @config[:http_connect_timeout] || 10
+      end
+
+      def lookup(key, scope, order_override, resolution_type)
+        answer = nil
+
+        paths = @config[:paths].map { |p| Backend.parse_string(p, scope, { 'key' => key }) }
+        paths.insert(0, order_override) if order_override
+
+        paths.each do |path|
+          Hiera.debug("[hiera-consul] Looking up #{path}/#{key} in consul backend")
+
+          # Check that we are not looking somewhere that will make hiera crash subsequent lookups
+          if "#{path}/#{key}".match("//")
+            Hiera.debug("[hiera-consul] The specified path #{path}/#{key} is malformed, skipping")
+            next
+          end
+
+          query_path = "#{path}/#{key}"
+          recurse = resolution_type == :hash
+
+          result = wrapquery(query_path, recurse)
+          next unless result
+
+          api_prefix = /^\/v\d\/kv\//
+          prefix = query_path.sub(api_prefix, '')
+          answer = parse_result(result, prefix)
+          next unless answer
+
+          Hiera.debug("[hiera-consul] Read key #{key} from path #{path}")
+          break
+        end
+
+        answer
+      end
+
+      private
+
+      def wrapquery(path, recurse = false)
+          path += "?recurse" if recurse
+          httpreq = Net::HTTP::Get.new("#{path}")
+
+          data = nil
+          begin
+            response = @consul.request(httpreq)
+            case response
+            when Net::HTTPSuccess
+              data = response.body
+            else
+              Hiera.debug("[hiera-consul] Could not read key: #{path}")
+            end
+          rescue Exception => e
+            Hiera.warn("[hiera-consul] Error occurred read value #{path}: #{e}")
+          end
+
+          data
+      end
+
+      def parse_result(res, prefix)
+          if res == "null"
+            Hiera.debug("[hiera-consul] Skipped null result")
+            return nil
+          end
+
+          res_array = JSON.parse(res)
+          case res_array.length
+          when 0
+            Hiera.debug("[hiera-consul] Skipped empty result")
+            answer = nil
+          when 1
+            answer = Base64.decode64(res_array.first['Value'])
+          else
+            # Interpret the results as a nested Hash
+            answer = res_array.each_with_object({}) do |entry, memo|
+              # Strip the mount prefix and leading slash
+              k = entry['Key'][(prefix.length+1)..-1]
+              v = entry['Value'].nil? ? {} : Base64.decode64(entry['Value'])
+              deep_merge!(memo, k.split('/').reverse.inject(v) { |a, n| { n => a } })
+            end
+          end
+
+          answer
+      end
+
+      def deep_merge!(tgt_hash, src_hash)
+        tgt_hash.merge!(src_hash) do |key, oldval, newval|
+          if oldval.kind_of?(Hash) && newval.kind_of?(Hash)
+            deep_merge!(oldval, newval)
+          else
+            newval
+          end
+        end
+      end
+
+    end
+  end
+end

data/lib/hiera/backend/vault_backend.rb

@@ -0,0 +1,60 @@
+# Vault backend for Hiera
+class Hiera
+  module Backend
+    class Vault_backend
+
+      def initialize()
+        require 'json'
+        require 'vault'
+
+        @config = Config[:vault]
+        @config[:mounts] ||= {}
+        @config[:mounts][:generic] ||= ['secret']
+
+        begin
+          @vault = Vault::Client.new(address: @config[:addr], token: @config[:token])
+          fail if @vault.sys.seal_status.sealed?
+          Hiera.debug("[hiera-vault] Client configured to connect to #{@vault.address}")
+        rescue Exception => e
+          @vault = nil
+          Hiera.warn("[hiera-vault] Skipping backend. Configuration error: #{e}")
+        end
+      end
+
+      def lookup(key, scope, order_override, resolution_type)
+        return nil if @vault.nil?
+
+        answer = nil
+
+        # Only generic mounts supported so far
+        @config[:mounts][:generic].each do |mount|
+          path = Backend.parse_string(mount, scope, { 'key' => key })
+          answer = lookup_generic("#{path}/#{key}", scope)
+
+          break if answer.kind_of? Hash
+        end
+
+        answer
+      end
+
+      def lookup_generic(key, scope)
+          begin
+            secret = @vault.logical.read(key)
+          rescue Vault::HTTPConnectionError
+            Hiera.debug("[hiera-vault] Could not connect to read secret: #{key}")
+          rescue Vault::HTTPError => e
+            Hiera.warn("[hiera-vault] Could not read secret #{key}: #{e.errors.join("\n").rstrip}")
+          end
+
+          return nil if secret.nil?
+
+          Hiera.debug("[hiera-vault] Read secret: #{key}")
+          # Turn secret's hash keys into strings
+          data = secret.data.inject({}) { |h, (k, v)| h[k.to_s] = v; h }
+
+          return Backend.parse_answer(data, scope)
+      end
+
+    end
+  end
+end

metadata

@@ -0,0 +1,59 @@
+--- !ruby/object:Gem::Specification
+name: hiera-consul
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Jonathan Sokolowski
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-06-19 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Hiera backend for looking up KV data stored in Vault
+email: jonathan.sokolowski@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/hiera/backend/consul_backend.rb
+- lib/hiera/backend/vault_backend.rb
+homepage: http://github.com/jsok/hiera-consul
+licenses:
+- Apache-2.0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5
+signing_key: 
+specification_version: 4
+summary: Module for using consul as a hiera backend
+test_files: []