k8s vs vault secret option for js and python (#20)

paulparkinson · web-flow · commit b7a392a41fe4 · 2021-04-01T21:04:50.000-04:00
* k8s vs vault secret option

* k8s vs vault secret option

* k8s vs vault secret option

* k8s vs vault secret option

* k8s vs vault secret option for js and python
diff --git a/grabdish/inventory-nodejs/inventory/app.js b/grabdish/inventory-nodejs/inventory/app.js
@@ -23,21 +23,26 @@ async function getSecret() {
       const secretConfig = {
        secretInfo: {
          regionid: process.env.OCI_REGION,
-         vaultsecretocid: process.env.VAULT_SECRET_OCID
+         vaultsecretocid: process.env.VAULT_SECRET_OCID,
+         k8ssecretdbpassword: process.env.dbpassword
        }
       };
-      console.log("regionid: ", secretConfig.secretInfo.regionid);
-      console.log("vaultsecretocid: ", secretConfig.secretInfo.vaultsecretocid);
-      const client =  new secrets.SecretsClient({
-          authenticationDetailsProvider: provider
-      });
-      const getSecretBundleRequest = {
-            secretId: secretConfig.secretInfo.vaultsecretocid
-          };
-      const getSecretBundleResponse = await client.getSecretBundle(getSecretBundleRequest);
-      const pw = getSecretBundleResponse.secretBundle.secretBundleContent.content;
-      let buff = new Buffer(pw, 'base64');
-      pwDecoded = buff.toString('ascii');
+      if  (secretConfig.secretInfo.vaultsecretocid == "") {
+        pwDecoded = process.env.dbpassword;
+      } else {
+        console.log("regionid: ", secretConfig.secretInfo.regionid);
+        console.log("vaultsecretocid: ", secretConfig.secretInfo.vaultsecretocid);
+        const client =  new secrets.SecretsClient({
+            authenticationDetailsProvider: provider
+        });
+        const getSecretBundleRequest = {
+                secretId: secretConfig.secretInfo.vaultsecretocid
+            };
+        const getSecretBundleResponse = await client.getSecretBundle(getSecretBundleRequest);
+        const pw = getSecretBundleResponse.secretBundle.secretBundleContent.content;
+        let buff = new Buffer(pw, 'base64');
+        pwDecoded = buff.toString('ascii');
+      }
   } catch (e) {
     throw Error(`Failed with error: ${e}`);
   }
diff --git a/grabdish/inventory-python/common/dbmgr.py b/grabdish/inventory-python/common/dbmgr.py
@@ -16,10 +16,9 @@
 db_user =             env.get('DB_USER').strip()
 region_id =             env.get('OCI_REGION').strip()
 vault_secret_ocid =             env.get('VAULT_SECRET_OCID').strip()
-# db_password =         env.get('DB_PASSWORD').strip()
+k8s_secret_dbpassword =         env.get('dbpassword').strip()
 db_connect_string =   env.get('DB_CONNECT_STRING')
 region_id =             env.get('OCI_REGION').strip()
-vault_secret_ocid =             env.get('VAULT_SECRET_OCID').strip()
 
 readyfile = ""
 logger = None
@@ -78,13 +77,21 @@ def run():
 
         logger.debug("Create Connection Pool Started")
         try:
-            signer = oci.auth.signers.InstancePrincipalsSecurityTokenSigner()
-            secrets_client = oci.secrets.SecretsClient(config={'region': region_id}, signer=signer)
-            secret_bundle = secrets_client.get_secret_bundle(secret_id = vault_secret_ocid)
-            logger.debug(secret_bundle)
-            base64_bytes = secret_bundle.data.secret_bundle_content.content.encode('ascii')
-            message_bytes = base64.b64decode(base64_bytes)
-            db_password = message_bytes.decode('ascii')
+
+            db_password = ""
+
+            if vault_secret_ocid != "":
+                reportDown(error.code)
+                signer = oci.auth.signers.InstancePrincipalsSecurityTokenSigner()
+                secrets_client = oci.secrets.SecretsClient(config={'region': region_id}, signer=signer)
+                secret_bundle = secrets_client.get_secret_bundle(secret_id = vault_secret_ocid)
+                logger.debug(secret_bundle)
+                base64_bytes = secret_bundle.data.secret_bundle_content.content.encode('ascii')
+                message_bytes = base64.b64decode(base64_bytes)
+                db_password = message_bytes.decode('ascii')
+            else:
+                db_password = k8s_secret_dbpassword
+
             pool = cx_Oracle.SessionPool(
                 db_user,
                 db_password,
diff --git a/grabdish/supplier-helidon-se/deploy.sh b/grabdish/supplier-helidon-se/deploy.sh
@@ -3,7 +3,7 @@
 ## Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 
 SCRIPT_DIR=$(dirname $0)
-echo create atpaqadmin deployment and service...
+echo create supplier-helidon-se deployment and service...
 export CURRENTTIME=$( date '+%F_%H:%M:%S' )
 echo CURRENTTIME is $CURRENTTIME  ...this will be appended to generated deployment yaml
 
