allow for vault enterprise namespaces (#50462)

* enable namespaces feature for hashi_vault lookup * include version_added dict in options documentation
2019-01-03 11:51:13 -05:00 · 2019-01-03 11:51:13 -05:00 · 04a9a887d5
commit 04a9a887d5
parent d863027159
1 changed files with 17 additions and 2 deletions
--- a/lib/ansible/plugins/lookup/hashi_vault.py
+++ b/lib/ansible/plugins/lookup/hashi_vault.py
@ -52,6 +52,10 @@ DOCUMENTATION = """
      description: controls verification and validation of SSL certificates, mostly you only want to turn off with self signed ones.
      type: boolean
      default: True
+    namespace:
+      version_added: "2.8"
+      description: namespace where secrets reside. requires HVAC 0.7.0+ and Vault 0.11+
+      default: None
 """

 EXAMPLES = """
@ -77,6 +81,10 @@ EXAMPLES = """
 - name: authenticate with a Vault app role
  debug:
      msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=approle role_id=myroleid secret_id=mysecretid url=http://myvault:8200')}}"
+
+- name: Return all secrets from a path in a namespace
+  debug:
+    msg: "{{ lookup('hashi_vault', 'secret=secret/hello token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200 namespace=teama/admins')}}"
 """

 RETURN = """
@ -109,6 +117,7 @@ class HashiVault:
    def __init__(self, **kwargs):

        self.url = kwargs.get('url', ANSIBLE_HASHI_VAULT_ADDR)
+        self.namespace = kwargs.get('namespace', None)

        # split secret arg, which has format 'secret/hello:value' into secret='secret/hello' and secret_field='value'
        s = kwargs.get('secret')
@ -134,7 +143,10 @@ class HashiVault:
        self.verify = self.boolean_or_cacert(kwargs.get('validate_certs', True), kwargs.get('cacert', ''))
        if self.auth_method and self.auth_method != 'token':
            try:
-                self.client = hvac.Client(url=self.url, verify=self.verify)
+                if self.namespace is not None:
+                    self.client = hvac.Client(url=self.url, verify=self.verify, namespace=self.namespace)
+                else:
+                    self.client = hvac.Client(url=self.url, verify=self.verify)
                # prefixing with auth_ to limit which methods can be accessed
                getattr(self, 'auth_' + self.auth_method)(**kwargs)
            except AttributeError:
@ -153,7 +165,10 @@ class HashiVault:
            if self.token is None:
                raise AnsibleError("No Vault Token specified")

-            self.client = hvac.Client(url=self.url, token=self.token, verify=self.verify)
+            if self.namespace is not None:
+                self.client = hvac.Client(url=self.url, token=self.token, verify=self.verify, namespace=self.namespace)
+            else:
+                self.client = hvac.Client(url=self.url, token=self.token, verify=self.verify)

        if not self.client.is_authenticated():
            raise AnsibleError("Invalid Hashicorp Vault Token Specified for hashi_vault lookup")