Merge pull request #44 from nautobot/develop

Develop to main for 1.3.0 release

.github/workflows/ci.yml

@@ -74,8 +74,8 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        python-version: ["3.9"]
-        nautobot-version: ["1.2.1"]
+        python-version: ["3.10"]
+        nautobot-version: ["1.3"]
     env:
       INVOKE_NAUTOBOT_SECRETS_PROVIDERS_PYTHON_VER: "${{ matrix.python-version }}"
       INVOKE_NAUTOBOT_SECRETS_PROVIDERS_NAUTOBOT_VER: "${{ matrix.nautobot-version }}"
@@ -111,8 +111,11 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        python-version: ["3.6", "3.7", "3.8", "3.9"]
-        nautobot-version: ["1.2.1"]
+        python-version: ["3.7", "3.8", "3.9", "3.10"]
+        nautobot-version: ["1.2.11", "1.3"]
+        exclude:
+          - python-version: "3.10"
+            nautobot-version: "1.2.11"
     runs-on: "ubuntu-20.04"
     env:
       INVOKE_NAUTOBOT_SECRETS_PROVIDERS_PYTHON_VER: "${{ matrix.python-version }}"
@@ -155,7 +158,7 @@ jobs:
       - name: "Set up Python"
         uses: "actions/setup-python@v2"
         with:
-          python-version: "3.9"
+          python-version: "3.10"
       - name: "Install Python Packages"
         run: "pip install poetry"
       - name: "Set env"
@@ -184,7 +187,7 @@ jobs:
       - name: "Set up Python"
         uses: "actions/setup-python@v2"
         with:
-          python-version: "3.9"
+          python-version: "3.10"
       - name: "Install Python Packages"
         run: "pip install poetry"
       - name: "Set env"

CHANGELOG.md

@@ -1,5 +1,27 @@
 # Nautobot Secrets Providers Changelog
 
+## v1.3.0 (2022-08-29)
+
+### Added
+
+- [#32](https://github.com/nautobot/nautobot-plugin-secrets-providers/issues/32) Add support for skipping certificate validation when connecting to HashiCorp Vault.
+- [#34](https://github.com/nautobot/nautobot-plugin-secrets-providers/issues/34) Add support for alternate authentication to HashiCorp Vault via AWS and Kubernetes authentication methods.
+- [#38](https://github.com/nautobot/nautobot-plugin-secrets-providers/pull/38) Add support for Python 3.10.
+- [#40](https://github.com/nautobot/nautobot-plugin-secrets-providers/issues/40) Add `default_mount_point` config option for HashiCorp Vault.
+
+### Changed
+
+- [#42](https://github.com/nautobot/nautobot-plugin-secrets-providers/issues/42) Now requires python-tss-sdk version v1.2 or later
+
+### Fixed
+
+- [#31](https://github.com/nautobot/nautobot-plugin-secrets-providers/issues/31) Fixed NameError at startup when installed as `nautobot_secrets_providers[thycotic]`, i.e. without HashiCorp Vault support.
+- [#37](https://github.com/nautobot/nautobot-plugin-secrets-providers/pull/37) Various fixes and improvements to the development environment.
+
+### Removed
+
+- [#38](https://github.com/nautobot/nautobot-plugin-secrets-providers/pull/38) - Dropped support for end-of-life Python 3.6
+
 ## v1.2.0 (2022-05-25)
 
 ### Added

GETTING_STARTED.md

@@ -64,7 +64,7 @@ The first thing you need to do is build the necessary Docker image for Nautobot
 #14 exporting layers
 #14 exporting layers 1.2s done
 #14 writing image sha256:2d524bc1665327faa0d34001b0a9d2ccf450612bf8feeb969312e96a2d3e3503 done
-#14 naming to docker.io/secrets/nautobot:1.2.0-py3.6 done
+#14 naming to docker.io/secrets/nautobot:1.2.0-py3.7 done
 ```
 
 ### Invoke - Starting the Development Environment
@@ -97,9 +97,9 @@ This will start all of the Docker containers used for hosting Nautobot. Once the
 ```bash
 ➜ docker ps
 ****CONTAINER ID   IMAGE                            COMMAND                  CREATED          STATUS          PORTS                                       NAMES
-ee90fbfabd77   secrets/nautobot:1.2.0-py3.6   "nautobot-server rqw…"   16 seconds ago   Up 13 seconds                                               nautobot_secrets_providers_worker_1
-b8adb781d013   secrets/nautobot:1.2.0-py3.6   "/docker-entrypoint.…"   20 seconds ago   Up 15 seconds   0.0.0.0:8080->8080/tcp, :::8080->8080/tcp   nautobot_secrets_providers_nautobot_1
-d64ebd60675d   secrets/nautobot:1.2.0-py3.6   "mkdocs serve -v -a …"   25 seconds ago   Up 18 seconds   0.0.0.0:8001->8080/tcp, :::8001->8080/tcp   nautobot_secrets_providers_docs_1
+ee90fbfabd77   secrets/nautobot:1.2.0-py3.7   "nautobot-server rqw…"   16 seconds ago   Up 13 seconds                                               nautobot_secrets_providers_worker_1
+b8adb781d013   secrets/nautobot:1.2.0-py3.7   "/docker-entrypoint.…"   20 seconds ago   Up 15 seconds   0.0.0.0:8080->8080/tcp, :::8080->8080/tcp   nautobot_secrets_providers_nautobot_1
+d64ebd60675d   secrets/nautobot:1.2.0-py3.7   "mkdocs serve -v -a …"   25 seconds ago   Up 18 seconds   0.0.0.0:8001->8080/tcp, :::8001->8080/tcp   nautobot_secrets_providers_docs_1
 e72d63129b36   postgres:13-alpine               "docker-entrypoint.s…"   25 seconds ago   Up 19 seconds   0.0.0.0:5432->5432/tcp, :::5432->5432/tcp   nautobot_secrets_providers_postgres_1
 96c6ff66997c   redis:6-alpine                   "docker-entrypoint.s…"   25 seconds ago   Up 21 seconds   0.0.0.0:6379->6379/tcp, :::6379->6379/tcp   nautobot_secrets_providers_redis_1
 ```
@@ -265,7 +265,7 @@ namespace.configure(
     {
         "nautobot_secrets_providers": {
             ...
-            "python_ver": "3.6",
+            "python_ver": "3.7",
 	    ...
         }
     }

README.md

@@ -11,8 +11,8 @@ This plugin supports the following popular secrets backends:
 | Secrets Backend                                              | Supported Secret Types                                       | Supported Authentication Methods                             |
 | ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------ |
 | [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) | [Other: Key/value pairs](https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_create-basic-secret.html) | [AWS credentials](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html) (see Usage section below) |
-| [HashiCorp Vault](https://www.vaultproject.io)               | [K/V Version 2](https://www.vaultproject.io/docs/secrets/kv/kv-v2) | [Token](https://www.vaultproject.io/docs/auth/token)         |
-| [Thycotic Secret Server](https://thycotic.com/)               | [Secret Server Cloud](https://github.com/thycotic/python-tss-sdk#secret-server-cloud)<br/>[Secret Server (on-prem)](https://github.com/thycotic/python-tss-sdk#secret-server)| [Access Token Authorization](https://github.com/thycotic/python-tss-sdk#access-token-authorization)<br/>[Domain Authorization](https://github.com/thycotic/python-tss-sdk#domain-authorization)<br/>[Password Authorization](https://github.com/thycotic/python-tss-sdk#password-authorization)<br/>         |
+| [HashiCorp Vault](https://www.vaultproject.io)               | [K/V Version 2](https://www.vaultproject.io/docs/secrets/kv/kv-v2) | [Token](https://www.vaultproject.io/docs/auth/token)<br/>[AppRole](https://www.vaultproject.io/docs/auth/approle)<br/>[AWS](https://www.vaultproject.io/docs/auth/aws)<br/>[Kubernetes](https://www.vaultproject.io/docs/auth/kubernetes)         |
+| [Delinea/Thycotic Secret Server](https://delinea.com/products/secret-server)               | [Secret Server Cloud](https://github.com/DelineaXPM/python-tss-sdk#secret-server-cloud)<br/>[Secret Server (on-prem)](https://github.com/DelineaXPM/python-tss-sdk#initializing-secretserver)| [Access Token Authorization](https://github.com/DelineaXPM/python-tss-sdk#access-token-authorization)<br/>[Domain Authorization](https://github.com/DelineaXPM/python-tss-sdk#domain-authorization)<br/>[Password Authorization](https://github.com/DelineaXPM/python-tss-sdk#password-authorization)<br/>         |
 
 ## Screenshots
 
@@ -32,11 +32,11 @@ This plugin supports the following popular secrets backends:
 
 ---
 
-![Screenshot of secret using Thycotic Secret Server by ID](https://raw.githubusercontent.com/nautobot/nautobot-plugin-secrets-providers/develop/docs/images/screenshot05.png "Secret using Thycotic Secret Server by ID")
+![Screenshot of secret using Delinea/Thycotic Secret Server by ID](https://raw.githubusercontent.com/nautobot/nautobot-plugin-secrets-providers/develop/docs/images/screenshot05.png "Secret using Thycotic Secret Server by ID")
 
 ---
 
-![Screenshot of secret using Thycotic Secret Server by Path](https://raw.githubusercontent.com/nautobot/nautobot-plugin-secrets-providers/develop/docs/images/screenshot06.png "Secret using Thycotic Secret Server by Path")
+![Screenshot of secret using Delinea/Thycotic Secret Server by Path](https://raw.githubusercontent.com/nautobot/nautobot-plugin-secrets-providers/develop/docs/images/screenshot06.png "Secret using Thycotic Secret Server by Path")
 
 ## Installation
 
@@ -76,9 +76,9 @@ The HashiCorp Vault provider requires the `hvac` library. This can easily be ins
 pip install nautobot-secrets-providers[hashicorp]
 ```
 
-#### Thycotic Secret Server
+#### Delinea/Thycotic Secret Server
 
-The Thycotic Secret Server provider requires the `python-tss-sdk` library. This can easily be installed along with the plugin using the following command:
+The Delinea/Thycotic Secret Server provider requires the `python-tss-sdk` library. This can easily be installed along with the plugin using the following command:
 
 ```no-highlight
 pip install nautobot-secrets-providers[thycotic]
@@ -162,14 +162,19 @@ PLUGINS_CONFIG = {
 ```
 
 - `url` - (required) The URL to the HashiCorp Vault instance (e.g. `http://localhost:8200`).
-- `auth_method` - (optional / defaults to "token") The method used to authenticate against the HashiCorp Vault instance. Either `"token"` or `"approle"`.
+- `auth_method` - (optional / defaults to "token") The method used to authenticate against the HashiCorp Vault instance. Either `"approle"`, `"aws"`, `"kubernetes"` or `"token"`.  For information on using AWS authentication with vault see the [authentication](#authentication) section above.
+- `ca_cert` - (optional) Path to a PEM formatted CA certificate to use when verifying the Vault connection.  Can alternatively be set to `False` to ignore SSL verification (not recommended) or `True` to use the system certificates.
+- `default_mount_point` - (optional / defaults to "secret") The default mount point of the K/V Version 2 secrets engine within Hashicorp Vault.
+- `k8s_token_path` - (optional) Path to the kubernetes service account token file.  Defaults to "/var/run/secrets/kubernetes.io/serviceaccount/token".
 - `token` - (optional) Required when `"auth_method": "token"` or `auth_method` is not supplied. The token for authenticating the client with the HashiCorp Vault instance. As with other sensitive service credentials, we recommend that you provide the token value as an environment variable and retrieve it with `{"token": os.getenv("NAUTOBOT_HASHICORP_VAULT_TOKEN")}` rather than hard-coding it in your `nautobot_config.py`.
+- `role_name` - (optional) Required when `"auth_method": "kubernetes"`, optional when `"auth_method": "aws"`.  The Vault Kubernetes role or Vault AWS role to assume which the pod's service account has access to.
 - `role_id` - (optional) Required when `"auth_method": "approle"`. As with other sensitive service credentials, we recommend that you provide the role_id value as an environment variable and retrieve it with `{"role_id": os.getenv("NAUTOBOT_HASHICORP_VAULT_ROLE_ID")}` rather than hard-coding it in your `nautobot_config.py`.
 - `secret_id` - (optional) Required when `"auth_method": "approle"`.As with other sensitive service credentials, we recommend that you provide the secret_id value as an environment variable and retrieve it with `{"secret_id": os.getenv("NAUTOBOT_HASHICORP_VAULT_SECRET_ID")}` rather than hard-coding it in your `nautobot_config.py`.
+- `login_kwargs` - (optional) Additional optional parameters to pass to the login method for [`approle`](https://hvac.readthedocs.io/en/stable/source/hvac_api_auth_methods.html#hvac.api.auth_methods.AppRole.login), [`aws`](https://hvac.readthedocs.io/en/stable/source/hvac_api_auth_methods.html#hvac.api.auth_methods.Aws.iam_login) and [`kubernetes`](https://hvac.readthedocs.io/en/stable/source/hvac_api_auth_methods.html#hvac.api.auth_methods.Kubernetes.login) authentication methods.
 
-### Thycotic Secret Server (TSS)
+### Delinea/Thycotic Secret Server (TSS)
 
-The Thycotic Secret Server plugin includes two providers:
+The Delinea/Thycotic Secret Server plugin includes two providers:
 
 - **`Thycotic Secret Server by ID`**
 
@@ -243,7 +248,7 @@ The [PyInvoke](http://www.pyinvoke.org/) library is used to provide some helper
 
 * `nautobot_ver`: the version of Nautobot to use as a base for any built docker containers (default: 1.2.0)
 * `project_name`: the default docker compose project name (default: nautobot_secrets_providers)
-* `python_ver`: the version of Python to use as a base for any built docker containers (default: 3.6)
+* `python_ver`: the version of Python to use as a base for any built docker containers (default: 3.7)
 * `local`: a boolean flag indicating if invoke tasks should be run on the host or inside the docker containers (default: False, commands will be run in docker containers)
 * `compose_dir`: the full path to a directory containing the project compose files
 * `compose_files`: a list of compose files applied in order (see [Multiple Compose files](https://docs.docker.com/compose/extends/#multiple-compose-files) for more information)

development/Dockerfile

@@ -17,16 +17,21 @@ RUN poetry config virtualenvs.create false \
 # -------------------------------------------------------------------------------------
 # Install Nautobot Plugin
 # -------------------------------------------------------------------------------------
-WORKDIR /source
+WORKDIR /tmp
 
 # Copy in only pyproject.toml/poetry.lock to help with caching this layer if no updates to dependencies
-COPY poetry.lock pyproject.toml /source/
+COPY poetry.lock pyproject.toml /tmp/
 # --no-root declares not to install the project package since we're wanting to take advantage of caching dependency installation
 # and the project is copied in and installed after this step
-RUN poetry install --no-interaction --no-ansi --no-root
+RUN poetry add nautobot=$NAUTOBOT_VER && \
+    poetry update --lock && \
+    poetry install --no-interaction --no-ansi --no-root
+
+WORKDIR /source
 
 # Copy in the rest of the source code and install local Nautobot plugin
 COPY . /source
-RUN poetry install --no-interaction --no-ansi
+RUN mv /tmp/poetry.lock /tmp/pyproject.toml /source && \
+    poetry install --no-interaction --no-ansi
 
 COPY development/nautobot_config.py ${NAUTOBOT_ROOT}/nautobot_config.py

development/creds.example.env

@@ -1,9 +1,17 @@
-POSTGRES_PASSWORD=notverysecurepwd
-REDIS_PASSWORD=notverysecurepwd
-SECRET_KEY=r8OwDznj!!dci#P9ghmRfdu1Ysxm0AiPeDCQhKE+N_rClfWNj
+NAUTOBOT_DB_PASSWORD=notverysecurepwd
+NAUTOBOT_REDIS_PASSWORD=notverysecurepwd
+NAUTOBOT_SECRET_KEY=r8OwDznj!!dci#P9ghmRfdu1Ysxm0AiPeDCQhKE+N_rClfWNj
 NAUTOBOT_CREATE_SUPERUSER=true
 NAUTOBOT_SUPERUSER_API_TOKEN=0123456789abcdef0123456789abcdef01234567
 NAUTOBOT_SUPERUSER_PASSWORD=admin
+
+# Needed for Postgres, must match the values for Nautobot above
+PGPASSWORD=notverysecurepwd
+POSTGRES_PASSWORD=notverysecurepwd
+
+# Needed for Redis, must match the values for Nautobot above
+REDIS_PASSWORD=notverysecurepwd
+
 # POSTGRES_HOST=localhost
 # REDIS_HOST=localhost
 # NAUTOBOT_ROOT=./development
@@ -36,3 +44,5 @@ SECRET_SERVER_PASSWORD='my_thycotic_password'
 #   Specify the trusted certificates file path for self signed certificates
 #   e.g. '/etc/ssl/certs/ca-bundle.trust.crt'
 #REQUESTS_CA_BUNDLE='/etc/ssl/certs/ca-bundle.trust.crt'
+
+VAULT_TOKEN=nautobot

development/dev.env

@@ -1,17 +1,19 @@
-ALLOWED_HOSTS=*
-BANNER_TOP="Local"
-CHANGELOG_RETENTION=0
-DEBUG=True
-MAX_PAGE_SIZE=0
-METRICS_ENABLED=True
-NAPALM_TIMEOUT=5
-NAUTOBOT_ROOT=/opt/nautobot
-POSTGRES_DB=nautobot
-POSTGRES_HOST=postgres
-POSTGRES_USER=nautbot
-REDIS_HOST=redis
-REDIS_PORT=6379
-# REDIS_SSL=True
+NAUTOBOT_ALLOWED_HOSTS=*
+NAUTOBOT_CHANGELOG_RETENTION=0
+NAUTOBOT_CONFIG=/opt/nautobot/nautobot_config.py
+NAUTOBOT_DB_HOST=postgres
+NAUTOBOT_DB_NAME=nautobot
+NAUTOBOT_DB_USER=nautobot
+NAUTOBOT_DB_TIMEOUT=300
+NAUTOBOT_DEBUG=True
+NAUTOBOT_NAPALM_TIMEOUT=5
+NAUTOBOT_REDIS_HOST=redis
+NAUTOBOT_REDIS_PORT=6379
 # Uncomment REDIS_SSL if using SSL
-SUPERUSER_EMAIL=[email protected]
-SUPERUSER_NAME=admin
+# NAUTOBOT_REDIS_SSL=True
+
+# Needed for Postgres, must match the values for Nautobot above
+POSTGRES_USER=${NAUTOBOT_DB_USER}
+POSTGRES_DB=${NAUTOBOT_DB_NAME}
+
+VAULT_URL=http://vault:8200

development/docker-compose.base.yml

@@ -23,8 +23,8 @@ services:
       - "redis"
     <<: *nautobot-build
     <<: *nautobot-base
-  worker:
-    entrypoint: "nautobot-server rqworker"
+  celery_worker:
+    entrypoint: "nautobot-server celery worker -l INFO"
     depends_on:
       - "nautobot"
     healthcheck:

development/docker-compose.dev.yml

@@ -10,7 +10,7 @@ services:
     volumes:
       - "./nautobot_config.py:/opt/nautobot/nautobot_config.py"
       - "../:/source"
-  worker:
+  celery_worker:
     volumes:
       - "./nautobot_config.py:/opt/nautobot/nautobot_config.py"
       - "../:/source"