From 2703be8368f1e1510866b2c3049c329e40ccbebf Mon Sep 17 00:00:00 2001 From: Johannes Brunswicker Date: Tue, 9 Oct 2018 20:25:31 +0200 Subject: [PATCH] Backport/2.7/42456 - Added SSL Support to consul_kv lookup plugin (#46466) * Add ssl support to consul_kv lookup (#42456) * implemented lookup_consul_kv * added missing version_added for consul_url ini section * added default value for ANSIBLE_CONSUL_CLIENT_CERT and added some more documentation * removed trailing whitespaces * fixed indention * Fixes in Documentation * removed trailing whitespace * removed trailing whitespace (cherry picked from commit bacbd4e9fc8c66f25c87aa3433af2be24e2d474b) * * added changelog fragment --- .../fragments/42456-consul_kv-lookup.yaml | 3 + lib/ansible/plugins/lookup/consul_kv.py | 58 ++++++++++++++++--- 2 files changed, 53 insertions(+), 8 deletions(-) create mode 100644 changelogs/fragments/42456-consul_kv-lookup.yaml
diff --git a/changelogs/fragments/42456-consul_kv-lookup.yaml b/changelogs/fragments/42456-consul_kv-lookup.yaml
new file mode 100644
index 00000000000..489b63ebea8
--- /dev/null
+++ b/changelogs/fragments/42456-consul_kv-lookup.yaml
@@ -0,0 +1,3 @@
+minor_changes:
+ - added capability to set the scheme for the consul_kv lookup.
+ - added optional certificate and certificate verification for consul_kv lookups
\ No newline at end of file
diff --git a/lib/ansible/plugins/lookup/consul_kv.py b/lib/ansible/plugins/lookup/consul_kv.py
index 60f98c2dc65..63ef4c631f4 100644
--- a/lib/ansible/plugins/lookup/consul_kv.py
+++ b/lib/ansible/plugins/lookup/consul_kv.py
@@ -2,12 +2,13 @@ # (c) 2017 Ansible Project # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) from __future__ import (absolute_import, division, print_function) + __metaclass__ = type DOCUMENTATION = """ lookup: consul_kv version_added: "1.9" - short_description: Fetch metadata from a Consul key value store. + short_description: Fetch metadata from a Consul key value store. description: - Lookup metadata for a playbook from the key value store in a Consul cluster. Values can be easily set in the kv store with simple rest commands 
@@ -24,18 +25,51 @@ DOCUMENTATION = """ description: If true, will retrieve all the values that have the given key as prefix. default: False index: - description: If the key has a value with the specified index then this is returned allowing access to historical values. + description: + - If the key has a value with the specified index then this is returned allowing access to historical values. token: description: The acl token to allow access to restricted values. host: default: localhost description: - - The target to connect to, must be a resolvable address. + - The target to connect to, must be a resolvable address. + Will be determined from C(ANSIBLE_CONSUL_URL) if that is set. + - "C(ANSIBLE_CONSUL_URL) should look like this: C(https://my.consul.server:8500)" env: - name: ANSIBLE_CONSUL_URL + ini: + - section: lookup_consul + key: host + version_added: "2.8" port: - description: The port of the target host to connect to. + description: + - The port of the target host to connect to. + - If you use C(ANSIBLE_CONSUL_URL) this value will be used from there. default: 8500 + scheme: + default: http + description: + - Whether to use http or https. + - If you use C(ANSIBLE_CONSUL_URL) this value will be used from there. + version_added: "2.8" + validate_certs: + default: True + description: Whether to verify the ssl connection or not. + env: + - name: ANSIBLE_CONSUL_VALIDATE_CERTS + ini: + - section: lookup_consul + key: validate_certs + version_added: "2.8" + client_cert: + default: None + description: The client cert to verify the ssl connection. + env: + - name: ANSIBLE_CONSUL_CLIENT_CERT + ini: + - section: lookup_consul + key: client_cert + version_added: "2.8" """ EXAMPLES = """ @@ -62,7 +96,6 @@ RETURN = """ """ import os -import sys from ansible.module_utils.six.moves.urllib.parse import urlparse from ansible.errors import AnsibleError, AnsibleAssertionError from ansible.plugins.lookup import LookupBase 
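Review bot: The new `client_cert` entry in `DOCUMENTATION` describes the option as "The client cert to verify the ssl connection", which conflates it with `validate_certs`: a client certificate identifies this lookup to the Consul server, while checking the server's certificate is what `validate_certs` controls. I would reword it to `description: Client certificate presented to the Consul server when it requires TLS client authentication.` and drop `default: None`, which YAML reads as the string "None" rather than as an absent value. The `validate_certs` entry should declare `type: boolean` and say that disabling it leaves the connection open to interception, e.g. `description: Whether to verify the server's TLS certificate; disable only for testing.` The `ini:` keys listed for `host`, `validate_certs` and `client_cert` only take effect if the plugin reads its options through the config system, and the `run` changes later in this patch read `os.environ` and `kwargs` directly, so the ini settings appear to be documented but not honoured.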
@@ -71,6 +104,7 @@ import json try: import consul + HAS_CONSUL = True except ImportError as e: HAS_CONSUL = False @@ -81,7 +115,8 @@ class LookupModule(LookupBase): def run(self, terms, variables=None, **kwargs): if not HAS_CONSUL: - raise AnsibleError('python-consul is required for consul_kv lookup. see https://python-consul.readthedocs.io/en/latest/#installation') + raise AnsibleError( + 'python-consul is required for consul_kv lookup. see http://python-consul.readthedocs.org/en/latest/#installation') values = [] try: @@ -89,12 +124,19 @@ class LookupModule(LookupBase): params = self.parse_params(term) try: url = os.environ['ANSIBLE_CONSUL_URL'] + validate_certs = os.environ['ANSIBLE_CONSUL_VALIDATE_CERTS'] or True + client_cert = os.environ['ANSIBLE_CONSUL_CLIENT_CERT'] or None u = urlparse(url) - consul_api = consul.Consul(host=u.hostname, port=u.port, scheme=u.scheme) + consul_api = consul.Consul(host=u.hostname, port=u.port, scheme=u.scheme, verify=validate_certs, + cert=client_cert) except KeyError: port = kwargs.get('port', '8500') host = kwargs.get('host', 'localhost') - consul_api = consul.Consul(host=host, port=port) + scheme = kwargs.get('scheme', 'http') + validate_certs = kwargs.get('validate_certs', True) + client_cert = kwargs.get('client_cert', None) + consul_api = consul.Consul(host=host, port=port, scheme=scheme, verify=validate_certs, + cert=client_cert) results = consul_api.kv.get(params['key'], token=params['token'],
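Review bot: The rewrapped `AnsibleError` message in `run` replaces the `https://python-consul.readthedocs.io/...` link with `http://python-consul.readthedocs.org/...`, so the install instructions users are sent to are now reached over plain HTTP and via the legacy `.org` hostname. This looks like an accidental side effect of the backport rather than an intended change. I would keep the original string: `'python-consul is required for consul_kv lookup. see https://python-consul.readthedocs.io/en/latest/#installation')`. The body of `run` continues outside this hunk.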
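Review bot: In the `try:` branch the two added `os.environ[...]` lookups raise `KeyError` whenever `ANSIBLE_CONSUL_VALIDATE_CERTS` or `ANSIBLE_CONSUL_CLIENT_CERT` is unset, so the existing `except KeyError:` silently discards `ANSIBLE_CONSUL_URL` and connects with the kwargs defaults (`localhost`, `http`); an operator who configured an `https://` URL gets an unencrypted request to a different host instead. When the variable is set it arrives as a string, so `"false"` is truthy and is passed to `verify=` unchanged, where the underlying HTTP client presumably treats it as a CA bundle path rather than as a switch. I would read both optionally and convert the flag: `validate_certs = boolean(os.environ.get('ANSIBLE_CONSUL_VALIDATE_CERTS', True))` and `client_cert = os.environ.get('ANSIBLE_CONSUL_CLIENT_CERT')`, with `boolean` imported from `ansible.module_utils.parsing.convert_bool`. The `run` method starts before this hunk and continues after it.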