hqdncw / vault-autopilot

HashiCorp Vault management made easy. Define your desired state, automate the rest.
https://hqdncw.github.io/vault-autopilot/
MIT License

False-positive updates due to type conversion #24

Open hqdncw opened 1 month ago

hqdncw commented 1 month ago

Manifests

# cat /etc/vault-autopilot/issuers.yaml
kind: Issuer
spec:
  name: root
  secretsEngineRef: pki
  certificate:
    type: internal
    commonName: localhost
  options:
    issuingCertificates:
      - "vault.vault.svc.cluster.local:8200/v1/pki/ca"
    crlDistributionPoints:
      - "vault.vault.svc.cluster.local:8200/v1/pki/crl"
# cat /etc/vault-autopilot/pkiroles.yaml
kind: PKIRole
spec:
  name: root
  role:
    issuerRef: pki/root
    allowedDomains:
      - localhost
    allowSubdomains: true
# cat /etc/vault-autopilot/secretsengines.yaml
kind: SecretsEngine
spec:
  path: pki
  engine:
    type: pki

Output

$ vault-autopilot --debug apply -f /etc/vault-autopilot/**.yaml  # run this command at least twice to see the following result
DEBUG:asyncio:Using selector: EpollSelector
DEBUG:vault_autopilot.parser:parsing files
DEBUG:vault_autopilot._cli.commands.apply:streaming manifest '/etc/vault-autopilot/issuers.yaml'
DEBUG:vault_autopilot.parser:parsed ManifestObject(root=IssuerApplyDTO(kind='Issuer', spec={'name': 'root', 'secrets_engine_ref': 'pki', 'certificate': {'common_name': 'localhost', 'type': 'internal'}, 'options': {'issuing_certificates': ('vault.vault.svc.cluster.local:8200/v1/pki/ca',), 'crl_distribution_points': ('vault.vault.svc.cluster.local:8200/v1/pki/crl',)}}))
DEBUG:vault_autopilot._cli.commands.apply:streaming manifest '/etc/vault-autopilot/secretsengines.yaml'
DEBUG:vault_autopilot.parser:parsed ManifestObject(root=SecretsEngineApplyDTO(kind='SecretsEngine', spec={'path': 'pki', 'engine': {'type': 'pki'}}))
DEBUG:vault_autopilot._cli.commands.apply:streaming manifest '/etc/vault-autopilot/pkiroles.yaml'
DEBUG:vault_autopilot.parser:parsed ManifestObject(root=PKIRoleApplyDTO(kind='PKIRole', spec={'name': 'root', 'role': {'issuer_ref': 'pki/root', 'allowed_domains': ['localhost'], 'allow_subdomains': True}}))
DEBUG:vault_autopilot._cli.commands.apply:found 3 manifest(s) matching pattern '/etc/vault-autopilot/**.yaml'
DEBUG:vault_autopilot.parser:parsed files successfully
DEBUG:vault_autopilot.storage:the secrets engine 'hqdncw.github.io/vault-autopilot/user-data' is already created
DEBUG:vault_autopilot.processor.abstract:[IssuerApplyProcessor] add node SecretsEngineFallbackNode(absolute_path='pki')
DEBUG:vault_autopilot.processor.abstract:[PKIRoleApplyProcessor] add node IssuerFallbackNode(absolute_path='pki/root')
DEBUG:vault_autopilot.processor.secrets_engine:applying finished 'pki'
DEBUG:vault_autopilot.processor.abstract:creating task for flushing node IssuerNode(node_hash=1694023832515850743, absolute_path='pki/root')
DEBUG:vault_autopilot.service.abstract:[IssuerService] diff: {'type_changes': {"root['spec']['options']['issuingCertificates']": {'old_type': <class 'list'>, 'new_type': <class 'tuple'>, 'old_value': ['vault.vault.svc.cluster.local:8200/v1/pki/ca'], 'new_value': ('vault.vault.svc.cluster.local:8200/v1/pki/ca',)}, "root['spec']['options']['crlDistributionPoints']": {'old_type': <class 'list'>, 'new_type': <class 'tuple'>, 'old_value': ['vault.vault.svc.cluster.local:8200/v1/pki/crl'], 'new_value': ('vault.vault.svc.cluster.local:8200/v1/pki/crl',)}}}
DEBUG:vault_autopilot.processor.issuer:applying finished 'pki/root'
DEBUG:vault_autopilot.processor.abstract:creating task for flushing node PKIRoleNode(absolute_path='pki/root', payload=PKIRoleApplyDTO(kind='PKIRole', spec={'name': 'root', 'role': {'issuer_ref': 'pki/root', 'allowed_domains': ['localhost'], 'allow_subdomains': True}}))
DEBUG:vault_autopilot.service.abstract:[PKIRoleService] diff: {'type_changes': {"root['spec']['role']['allowed_domains']": {'old_type': <class 'list'>, 'new_type': <class 'ruamel.yaml.comments.CommentedSeq'>, 'old_value': ['localhost'], 'new_value': ['localhost']}}}
DEBUG:vault_autopilot.processor.pki_role:applying finished 'pki/root'
DEBUG:vault_autopilot.processor.abstract:[PKIRoleApplyProcessor] flushing pending downstreams for upstream -6092045368410116636
DEBUG:vault_autopilot.processor.abstract:[PKIRoleApplyProcessor] no pending downstreams were found for node -6092045368410116636, flushing aborted
DEBUG:vault_autopilot.processor.abstract:[IssuerApplyProcessor] flushing pending downstreams for upstream 1694023832515850743
DEBUG:vault_autopilot.processor.abstract:[IssuerApplyProcessor] no pending downstreams were found for node 1694023832515850743, flushing aborted
[+] Applying manifests (0.0243 seconds) FINISHED
 => Updating Issuer 'pki/root'... done
 => Verifying integrity of SecretsEngine 'pki'... done
 => Updating PKIRole 'pki/root'... done
Thanks for choosing Vault Autopilot!
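
The false positive in the log above, reproduced as an added example that is not part of the original issue or the project's own code: a type-sensitive diff flags `list` versus `tuple` and `list` versus a YAML loader's list subclass even though the values are equal, and normalizing both sides to plain containers before diffing removes the spurious update while still catching a real change. `strict_diff`, `normalize`, `needs_update` and `CommentedSeqStandIn` are hypothetical names, and the sample state is constructed from the manifests above.

```python
from collections.abc import Mapping, Sequence

class CommentedSeqStandIn(list):
    """Constructed stand-in for a YAML loader's list subclass."""

def normalize(value):
    """Recursively collapse mappings to dict and sequences to list."""
    if isinstance(value, Mapping):
        return {str(k): normalize(v) for k, v in value.items()}
    if isinstance(value, Sequence) and not isinstance(value, (str, bytes, bytearray)):
        return [normalize(v) for v in value]
    return value

def strict_diff(old, new, path="root", out=None):
    """Type-sensitive structural diff, keyed by path like the log above."""
    out = {"type_changes": {}, "values_changed": {}} if out is None else out
    if type(old) is not type(new):
        out["type_changes"][path] = (type(old).__name__, type(new).__name__)
    elif isinstance(old, dict):
        for key in sorted(old.keys() | new.keys()):
            child = f"{path}[{key!r}]"
            if key in old and key in new:
                strict_diff(old[key], new[key], child, out)
            else:  # key added or removed
                out["values_changed"][child] = (old.get(key), new.get(key))
    elif isinstance(old, (list, tuple)) and len(old) == len(new):
        for i, (a, b) in enumerate(zip(old, new)):
            strict_diff(a, b, f"{path}[{i}]", out)
    elif old != new:
        out["values_changed"][path] = (old, new)
    return out

def needs_update(stored, desired):
    """True only if the manifests differ after type normalization."""
    return any(strict_diff(normalize(stored), normalize(desired)).values())

# Constructed sample state, using values from the manifests above.
CA = "vault.vault.svc.cluster.local:8200/v1/pki/ca"
CRL = "vault.vault.svc.cluster.local:8200/v1/pki/crl"
STORED_ISSUER = {"spec": {"options": {"issuingCertificates": [CA], "crlDistributionPoints": [CRL]}}}
DESIRED_ISSUER = {"spec": {"options": {"issuingCertificates": (CA,), "crlDistributionPoints": (CRL,)}}}
STORED_ROLE = {"spec": {"role": {"allowed_domains": ["localhost"]}}}
DESIRED_ROLE = {"spec": {"role": {"allowed_domains": CommentedSeqStandIn(["localhost"])}}}

if __name__ == "__main__":
    print(strict_diff(STORED_ISSUER, DESIRED_ISSUER)["type_changes"])  # the false positive
    print(needs_update(STORED_ISSUER, DESIRED_ISSUER), needs_update(STORED_ROLE, DESIRED_ROLE))
```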