author | Mike Crute <mike@crute.us> | 2022-12-04 22:20:03 -0800 |
---|---|---|
committer | Mike Crute <mike@crute.us> | 2022-12-04 22:20:03 -0800 |
commit | 1b297be993b39c38a29f2d4a512fe8f3a9b3cacf (patch) | |
tree | 5309589797fd0a8e75b3e8aec37ac3acd96c12bb /netbox/django-driver.py | |
parent | d4efff4950b6105f1d62362f8944a24659af4ea7 (diff) | |
netbox: upgrade to 3.3.9 and remove patches
This change migrates to using simplevisor which handles Vault credential
fetching and renewal. It removes quite a lot of fragile hacks at the
Django layer in favor of straightforward environment variable passing.
Diffstat (limited to 'netbox/django-driver.py')
-rw-r--r-- | netbox/django-driver.py | 77 |
1 files changed, 0 insertions, 77 deletions
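diff --git a/netbox/django-driver.py b/netbox/django-driver.py
deleted file mode 100644
index 80bfa13..0000000
--- a/netbox/django-driver.py
+++ /dev/null
@@ -1,77 +0,0 @@
-import threading
-from datetime import datetime, timedelta
-
-from django.core.exceptions import ImproperlyConfigured
-from django.contrib.vault_client import SimpleVaultClient, Credential
-from django.db.backends.postgresql.base import DatabaseWrapper as OrigWrapper
-
-
-def _is_affirmative(value):
-value = "" if not value else value
-return value.lower() in ["yes", "true", "on", "1"]
-
-
-def _must_get(store, key):
-value = store.get(key)
-
-if not value:
-raise ImproperlyConfigured(
-f"Database parameter {key} is required but not set.")
-
-return value
-
-
-class DatabaseWrapper(OrigWrapper):
-
-def __init__(self, *args, **kwargs):
-super().__init__(*args, **kwargs)
-self._vault_cache_lock = threading.Lock()
-self._vault_cred_cache = Credential.empty()
-
-def close(self):
-self._vault_cred_cache = Credential.empty()
-super().close()
-
-def close_if_unusable_or_obsolete(self):
-super().close_if_unusable_or_obsolete()
-
-if self.connection is None:
-return
-
-if not self.is_usable():
-self.close()
-return
-
-with self._vault_cache_lock:
-if not self._vault_cred_cache.is_valid:
-self.close()
-
-# All of this is done under lock
-def _get_vault_cred(self):
-print("Getting credentials from vault")
-params = self.settings_dict
-
-verify = not _is_affirmative(params.get("VAULT_SKIP_VERIFY"))
-url = _must_get(params, "VAULT_ADDR")
-token = params.get("VAULT_TOKEN")
-db_role_name = _must_get(params, "VAULT_DB_ROLE_NAME")
-role_id = _must_get(params, "VAULT_ROLE_ID")
-role_secret = _must_get(params, "VAULT_SECRET_ID")
-
-client = SimpleVaultClient(url, role_id, role_secret, verify)
-
-self._vault_cred_cache = client.get_db_credential(db_role_name)
-
-def get_connection_params(self):
-conn_params = super().get_connection_params()
-
-# Do the fetch under lock to prevent multiple threads from piling onto
-# the vault server
-with self._vault_cache_lock:
-if not self._vault_cred_cache.is_valid:
-self._get_vault_cred()
-
-conn_params["user"] = self._vault_cred_cache.username
-conn_params["password"] = self._vault_cred_cache.password
-
-return conn_params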