kubernetes-watch 0.1.3__py3-none-any.whl → 0.1.4__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- kube_watch/modules/providers/aws.py +2 -2
- kube_watch/modules/providers/vault.py +56 -3
- kube_watch/watch/helpers.py +34 -7
- {kubernetes_watch-0.1.3.dist-info → kubernetes_watch-0.1.4.dist-info}/METADATA +1 -1
- {kubernetes_watch-0.1.3.dist-info → kubernetes_watch-0.1.4.dist-info}/RECORD +7 -7
- {kubernetes_watch-0.1.3.dist-info → kubernetes_watch-0.1.4.dist-info}/LICENSE +0 -0
- {kubernetes_watch-0.1.3.dist-info → kubernetes_watch-0.1.4.dist-info}/WHEEL +0 -0
|
@@ -1,10 +1,10 @@
|
|
|
1
1
|
#========================================================================
|
|
2
2
|
# This class is deprecated. Please refer to aws.py
|
|
3
3
|
#========================================================================
|
|
4
|
-
import boto3
|
|
5
|
-
import base64
|
|
6
4
|
import json
|
|
5
|
+
import base64
|
|
7
6
|
from datetime import datetime , timezone, timedelta
|
|
7
|
+
import boto3
|
|
8
8
|
from botocore.exceptions import ClientError
|
|
9
9
|
from prefect import get_run_logger
|
|
10
10
|
from kube_watch.enums.providers import AwsResources
|
|
@@ -31,7 +31,7 @@ def login(url, app_role_id, secret_id, path):
|
|
|
31
31
|
logger.info("Authenticated with existing token.")
|
|
32
32
|
return vault_client
|
|
33
33
|
except hvac.exceptions.InvalidRequest as e:
|
|
34
|
-
logger.warning("Failed to authenticate with the existing token:
|
|
34
|
+
logger.warning(f"Failed to authenticate with the existing token: {str(e)}")
|
|
35
35
|
|
|
36
36
|
# If token is not valid or not present, authenticate with AppRole
|
|
37
37
|
try:
|
|
@@ -47,7 +47,7 @@ def login(url, app_role_id, secret_id, path):
|
|
|
47
47
|
|
|
48
48
|
return vault_client
|
|
49
49
|
except hvac.exceptions.InvalidRequest as e:
|
|
50
|
-
logger.error("Authentication failed with provided secret_id:
|
|
50
|
+
logger.error(f"Authentication failed with provided secret_id: {str(e)}")
|
|
51
51
|
raise RuntimeError("Authentication failed: unable to log in with the provided credentials.") from e
|
|
52
52
|
|
|
53
53
|
|
|
@@ -105,9 +105,62 @@ def generate_provider_creds(vault_client, provider, backend_path, role_name):
|
|
|
105
105
|
|
|
106
106
|
|
|
107
107
|
def generate_new_secret_id(vault_client, role_name, vault_path, env_var_name):
|
|
108
|
+
"""
|
|
109
|
+
Generates new secret_id. Note an admin role is required for this.
|
|
110
|
+
"""
|
|
108
111
|
new_secret_response = vault_client.auth.approle.generate_secret_id(
|
|
109
112
|
role_name=role_name,
|
|
110
113
|
mount_point=f'approle/{vault_path}'
|
|
111
114
|
)
|
|
112
115
|
|
|
113
|
-
return { env_var_name : new_secret_response['data']['secret_id'] }
|
|
116
|
+
return { env_var_name : new_secret_response['data']['secret_id'] }
|
|
117
|
+
|
|
118
|
+
|
|
119
|
+
|
|
120
|
+
def delete_secret_id(vault_client, role_name, secret_id, vault_path):
|
|
121
|
+
"""
|
|
122
|
+
Delete (revoke) a secret ID associated with a role in Vault.
|
|
123
|
+
|
|
124
|
+
Parameters:
|
|
125
|
+
vault_client (hvac.Client): An authenticated Vault client.
|
|
126
|
+
role_name (str): The name of the role the secret ID is associated with.
|
|
127
|
+
secret_id (str): The secret ID to be deleted.
|
|
128
|
+
vault_path (str): The path where the AppRole is enabled.
|
|
129
|
+
"""
|
|
130
|
+
try:
|
|
131
|
+
vault_client.auth.approle.destroy_secret_id(
|
|
132
|
+
mount_point=f"approle/{vault_path}",
|
|
133
|
+
role_name=role_name,
|
|
134
|
+
secret_id=secret_id
|
|
135
|
+
)
|
|
136
|
+
|
|
137
|
+
logger.info("Secret ID successfully revoked.")
|
|
138
|
+
except hvac.exceptions.InvalidRequest as e:
|
|
139
|
+
logger.error("Failed to revoke the secret ID: %s", str(e))
|
|
140
|
+
raise RuntimeError("Failed to delete the secret ID.") from e
|
|
141
|
+
|
|
142
|
+
|
|
143
|
+
def clean_secret_ids(vault_client, role_name, secret_id_env, vault_path, has_kube_secret_updated):
|
|
144
|
+
"""
|
|
145
|
+
This function removes all idle secret-ids from `role_name`, except the
|
|
146
|
+
inputted `secret_id_env`.
|
|
147
|
+
|
|
148
|
+
Note: secret_id_env is a dictionary. The key, VAULT_SECRET_ID, has the secret_id value.
|
|
149
|
+
"""
|
|
150
|
+
secret_id = secret_id_env.get("VAULT_SECRET_ID")
|
|
151
|
+
if has_kube_secret_updated:
|
|
152
|
+
secret_ids_path = f'auth/approle/{vault_path}/role/{role_name}/secret-id'
|
|
153
|
+
try:
|
|
154
|
+
response = vault_client.list(secret_ids_path)
|
|
155
|
+
if 'data' in response:
|
|
156
|
+
secret_ids = response['data']['keys']
|
|
157
|
+
for idx in secret_ids:
|
|
158
|
+
if idx != secret_id:
|
|
159
|
+
delete_secret_id(vault_client, role_name, secret_id, vault_path)
|
|
160
|
+
logger.info(f"Revoking idle secret id for role: {role_name}")
|
|
161
|
+
else:
|
|
162
|
+
logger.info("No secrets found at this path.")
|
|
163
|
+
except hvac.exceptions.Forbidden:
|
|
164
|
+
logger.error("Access denied. Ensure your token has the correct policies to read this path.")
|
|
165
|
+
except Exception as e:
|
|
166
|
+
logger.error(f"An error occurred: {e}")
|
kube_watch/watch/helpers.py
CHANGED
|
@@ -39,9 +39,9 @@ def func_task(name="default_task_name", task_input_type: TaskInputsType = TaskIn
|
|
|
39
39
|
return execute_task
|
|
40
40
|
if task_input_type == TaskInputsType.DICT:
|
|
41
41
|
@task(name=name)
|
|
42
|
-
def
|
|
42
|
+
def execute_task_dict(func, dict_inp):
|
|
43
43
|
return func(dict_inp)
|
|
44
|
-
return
|
|
44
|
+
return execute_task_dict
|
|
45
45
|
raise ValueError(f'Unknow Task Input Type. It should either be {TaskInputsType.ARG} or {TaskInputsType.DICT} but {task_input_type} is provided.')
|
|
46
46
|
|
|
47
47
|
|
|
@@ -79,10 +79,10 @@ def get_task_function(module_name, task_name, plugin_path=None):
|
|
|
79
79
|
raise ImportError(f"Unable to import module '{module_name}': {e}")
|
|
80
80
|
except AttributeError as e:
|
|
81
81
|
raise AttributeError(f"The module '{module_name}' does not have a function named '{task_name}': {e}")
|
|
82
|
-
finally:
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
82
|
+
# finally:
|
|
83
|
+
# if plugin_path:
|
|
84
|
+
# # Remove the plugin path from sys.path after importing
|
|
85
|
+
# sys.path.pop(0) # Using pop(0) is safer in the context of insert(0, plugin_path)
|
|
86
86
|
|
|
87
87
|
|
|
88
88
|
|
|
@@ -141,4 +141,31 @@ def resolve_runner(runner):
|
|
|
141
141
|
if runner == TaskRunners.RAY:
|
|
142
142
|
raise ValueError("Ray Not Implemented")
|
|
143
143
|
# return RayTaskRunner
|
|
144
|
-
raise ValueError("Invalid task runner type")
|
|
144
|
+
raise ValueError("Invalid task runner type")
|
|
145
|
+
|
|
146
|
+
|
|
147
|
+
def filter_attributes(obj):
|
|
148
|
+
import uuid
|
|
149
|
+
from collections.abc import Iterable
|
|
150
|
+
import inspect
|
|
151
|
+
|
|
152
|
+
def is_simple(value):
|
|
153
|
+
""" Check if the value is a simple data type or a collection of simple data types """
|
|
154
|
+
if isinstance(value, (int, float, str, bool, type(None), uuid.UUID)):
|
|
155
|
+
return True
|
|
156
|
+
if isinstance(value, dict):
|
|
157
|
+
return all(is_simple(k) and is_simple(v) for k, v in value.items())
|
|
158
|
+
if isinstance(value, Iterable) and not isinstance(value, (str, bytes)):
|
|
159
|
+
return all(is_simple(item) for item in value)
|
|
160
|
+
return False
|
|
161
|
+
|
|
162
|
+
result = {}
|
|
163
|
+
for attr in dir(obj):
|
|
164
|
+
# Avoid magic methods and attributes
|
|
165
|
+
if attr.startswith("__") and attr.endswith("__"):
|
|
166
|
+
continue
|
|
167
|
+
value = getattr(obj, attr)
|
|
168
|
+
# Filter out methods and check if the attribute value is simple
|
|
169
|
+
if not callable(value) and not inspect.isclass(value) and is_simple(value):
|
|
170
|
+
result[attr] = value
|
|
171
|
+
return result
|
|
@@ -19,15 +19,15 @@ kube_watch/modules/logic/trasnform.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJW
|
|
|
19
19
|
kube_watch/modules/mock/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
20
20
|
kube_watch/modules/mock/mock_generator.py,sha256=j8UfcJeA9giEEyqH9Sf3RGtlMfGO13NbWMZ80dj4UtE,1315
|
|
21
21
|
kube_watch/modules/providers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
22
|
-
kube_watch/modules/providers/aws.py,sha256=
|
|
22
|
+
kube_watch/modules/providers/aws.py,sha256=yvxVwL7seuvxpGR2ZCrmWEMKh9hesWdPTC6LvW7Bi9E,8585
|
|
23
23
|
kube_watch/modules/providers/git.py,sha256=h3rcn1FhU82nF52Ol9YHyFk4cvPxxaz_AxHnip8OXPY,1183
|
|
24
24
|
kube_watch/modules/providers/github.py,sha256=WCpZIKHr4U0a4El1leXkaCv1jznf9ob5xHVeTNSpNG0,5338
|
|
25
|
-
kube_watch/modules/providers/vault.py,sha256=
|
|
25
|
+
kube_watch/modules/providers/vault.py,sha256=kw-S4orCIrVgDKzctzYeICIVD3-A9cT_CyyFAwi4oPM,6215
|
|
26
26
|
kube_watch/standalone/metarecogen/ckan_to_gn.py,sha256=FBiv6McWh4hqV6Bz08zGLzEIe4v1-D3FawjBKYbV7Ms,4767
|
|
27
27
|
kube_watch/watch/__init__.py,sha256=6Ay9P_Ws7rP7ZaIrFRZtp_1uwVK4ZDmkkNhFyqPNQIU,61
|
|
28
|
-
kube_watch/watch/helpers.py,sha256=
|
|
28
|
+
kube_watch/watch/helpers.py,sha256=T0xDSCfrW7NrmQzgIzOiojQzu_HesajMb7S_AX-tt98,6431
|
|
29
29
|
kube_watch/watch/workflow.py,sha256=h0b_P_kfiPxqTFHZ6o2HkDkNaUBOwv1DKJnwEMMVXaI,4203
|
|
30
|
-
kubernetes_watch-0.1.
|
|
31
|
-
kubernetes_watch-0.1.
|
|
32
|
-
kubernetes_watch-0.1.
|
|
33
|
-
kubernetes_watch-0.1.
|
|
30
|
+
kubernetes_watch-0.1.4.dist-info/LICENSE,sha256=StyinJRmy--Pc2vQbRToZSN4sjSVg3zccMFrktVcrEw,1096
|
|
31
|
+
kubernetes_watch-0.1.4.dist-info/METADATA,sha256=n9GU5CEsh33BEGgYDApxctg_Rl0Oav6RfeYwVMM-fzs,4969
|
|
32
|
+
kubernetes_watch-0.1.4.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
|
|
33
|
+
kubernetes_watch-0.1.4.dist-info/RECORD,,
|
|
File without changes
|
|
File without changes
|