diff options
| author | Mike Crute <mike@crute.us> | 2022-12-04 22:20:03 -0800 |
|---|---|---|
| committer | Mike Crute <mike@crute.us> | 2022-12-04 22:20:03 -0800 |
| commit | 1b297be993b39c38a29f2d4a512fe8f3a9b3cacf (patch) | |
| tree | 5309589797fd0a8e75b3e8aec37ac3acd96c12bb /netbox/django-driver.py | |
| parent | d4efff4950b6105f1d62362f8944a24659af4ea7 (diff) | |
| download | dockerfiles-1b297be993b39c38a29f2d4a512fe8f3a9b3cacf.tar.bz2 dockerfiles-1b297be993b39c38a29f2d4a512fe8f3a9b3cacf.tar.xz dockerfiles-1b297be993b39c38a29f2d4a512fe8f3a9b3cacf.zip | |
netbox: upgrade to 3.3.9 and remove patches
This change migrates to using simplevisor which handles Vault credential
fetching and renewal. It removes quite a lot of fragile hacks at the
Django layer in favor of straightforward environment variable passing.
Diffstat (limited to 'netbox/django-driver.py')
| -rw-r--r-- | netbox/django-driver.py | 77 |
1 files changed, 0 insertions, 77 deletions
diff --git a/netbox/django-driver.py b/netbox/django-driver.py deleted file mode 100644 index 80bfa13..0000000 --- a/netbox/django-driver.py +++ /dev/null | |||
| @@ -1,77 +0,0 @@ | |||
| 1 | import threading | ||
| 2 | from datetime import datetime, timedelta | ||
| 3 | |||
| 4 | from django.core.exceptions import ImproperlyConfigured | ||
| 5 | from django.contrib.vault_client import SimpleVaultClient, Credential | ||
| 6 | from django.db.backends.postgresql.base import DatabaseWrapper as OrigWrapper | ||
| 7 | |||
| 8 | |||
| 9 | def _is_affirmative(value): | ||
| 10 | value = "" if not value else value | ||
| 11 | return value.lower() in ["yes", "true", "on", "1"] | ||
| 12 | |||
| 13 | |||
| 14 | def _must_get(store, key): | ||
| 15 | value = store.get(key) | ||
| 16 | |||
| 17 | if not value: | ||
| 18 | raise ImproperlyConfigured( | ||
| 19 | f"Database parameter {key} is required but not set.") | ||
| 20 | |||
| 21 | return value | ||
| 22 | |||
| 23 | |||
| 24 | class DatabaseWrapper(OrigWrapper): | ||
| 25 | |||
| 26 | def __init__(self, *args, **kwargs): | ||
| 27 | super().__init__(*args, **kwargs) | ||
| 28 | self._vault_cache_lock = threading.Lock() | ||
| 29 | self._vault_cred_cache = Credential.empty() | ||
| 30 | |||
| 31 | def close(self): | ||
| 32 | self._vault_cred_cache = Credential.empty() | ||
| 33 | super().close() | ||
| 34 | |||
| 35 | def close_if_unusable_or_obsolete(self): | ||
| 36 | super().close_if_unusable_or_obsolete() | ||
| 37 | |||
| 38 | if self.connection is None: | ||
| 39 | return | ||
| 40 | |||
| 41 | if not self.is_usable(): | ||
| 42 | self.close() | ||
| 43 | return | ||
| 44 | |||
| 45 | with self._vault_cache_lock: | ||
| 46 | if not self._vault_cred_cache.is_valid: | ||
| 47 | self.close() | ||
| 48 | |||
| 49 | # All of this is done under lock | ||
| 50 | def _get_vault_cred(self): | ||
| 51 | print("Getting credentials from vault") | ||
| 52 | params = self.settings_dict | ||
| 53 | |||
| 54 | verify = not _is_affirmative(params.get("VAULT_SKIP_VERIFY")) | ||
| 55 | url = _must_get(params, "VAULT_ADDR") | ||
| 56 | token = params.get("VAULT_TOKEN") | ||
| 57 | db_role_name = _must_get(params, "VAULT_DB_ROLE_NAME") | ||
| 58 | role_id = _must_get(params, "VAULT_ROLE_ID") | ||
| 59 | role_secret = _must_get(params, "VAULT_SECRET_ID") | ||
| 60 | |||
| 61 | client = SimpleVaultClient(url, role_id, role_secret, verify) | ||
| 62 | |||
| 63 | self._vault_cred_cache = client.get_db_credential(db_role_name) | ||
| 64 | |||
| 65 | def get_connection_params(self): | ||
| 66 | conn_params = super().get_connection_params() | ||
| 67 | |||
| 68 | # Do the fetch under lock to prevent multiple threads from piling onto | ||
| 69 | # the vault server | ||
| 70 | with self._vault_cache_lock: | ||
| 71 | if not self._vault_cred_cache.is_valid: | ||
| 72 | self._get_vault_cred() | ||
| 73 | |||
| 74 | conn_params["user"] = self._vault_cred_cache.username | ||
| 75 | conn_params["password"] = self._vault_cred_cache.password | ||
| 76 | |||
| 77 | return conn_params | ||