ffddorf / netbox-vault-secrets Goto Github PK

Work In Progress!

License: BSD 2-Clause "Simplified" License

Shell 0.49% Python 7.60% HTML 1.67% TypeScript 88.49% JavaScript 1.75%

netbox netbox-plugin network-automation secrets vault

netbox-vault-secrets's Introduction

Hashicorp Vault Plugin for Netbox

Provides convenient access to secrets stored in Hashicorp Vault via the Netbox UI. You can attach secrets on a Device, Virtual Machine or Service. The plugin is intended to serve as a possible replacement for the secrets functionality present in Netbox pre 3.0. The Netbox maintainers recommend replacing it with Vault.

It will add a card like this:

The functionality is entirely client side. The plugin uses Javascript in the browser to access the Vault API directly. Your Netbox installation will never have access to the secrets or authentication credentials in Vault.

Secrets are stored at paths per a simple convention:

/device/{id}/{slug} for Devices
/vm/{id}/{slug} for Virtual Machines
/service/{id}/{slug} for Services

Installation

This plugin is not yet available as a PyPi package. Please see the Releases for downloads.

Please note that this plugin needs a run of python manage.py collectstatic to work after being configured. For the official Docker image see the official instructions.

Setup

After installing the package, add the plugin to the Netbox configuration.

PLUGINS = ["netbox_vault_secrets"]

PLUGINS_CONFIG = {
    "netbox_vault_secrets": {
        "api_url": "https://your-vault-deployment/", # can be relative
        "kv_mount_path": "/secret",  # optional
        "secret_path_prefix": "/netbox",  # optional
        "login_methods": ["token", "oidc"], # optional, defaults to ["token"]
        "oidc": {
            "mount_path": "/auth/oidc", # optional
            "roles": { # optional, will use `default_role` if missing
                "demo": "Demo Provider", # maps role name to display name
            }
        },
    }
}

Vault CORS settings

Note that if your Vault installation runs at a different origin than Netbox, you need to enable CORS.

You can use this command (requires sudo privileges):

vault write /sys/config/cors enabled=true allowed_origins="*"

You can also set only the hostname of your Netbox deployment as an allowed origin.

Alternatively, proxy the Vault API on a subpath in your Netbox deployment, thereby moving it to the same origin, so no CORS setup is required.

Vault OIDC Role Setup

The minimal settings required on the role used for OIDC with the plugin are:

vault write auth/oidc/role/<role name> allowed_redirect_uris="https://<your netbox>/plugins/vault/callback" ttl=1h

You should attach a policy similar to this to users who are going to use it:

path "secret/metadata/netbox/*" {
    capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/data/netbox/*" {
    capabilities = ["create", "read", "update", "delete", "list"]
}

License

This code is licensed under the 2-clause BSD license.

netbox-vault-secrets's People

Contributors

Stargazers

Watchers

Forkers

pieterl75 kemeris2000 kennethfoliwork sd166 jacopo-macri peter2121 erikastr itrepkus viehoang68 kotso jasjukaitis

netbox-vault-secrets's Issues

How to get secret using API?

Error after installing the plugin

Hello,
I manually installed the plugin, following the netbox doc : https://netbox.readthedocs.io/en/stable/plugins/
But after that netbox can't start. This is the log below. Can you understand what's going wrong ?

Netbox v3.0.2

Traceback (most recent call last):
  File "/data/netbox-3.0.2/netbox/manage.py", line 10, in <module>
    execute_from_command_line(sys.argv)
  File "/data/netbox-3.0.2/venv/lib/python3.9/site-packages/django/core/management/__init__.py", line 419, in execute_from_command_line
    utility.execute()
  File "/data/netbox-3.0.2/venv/lib/python3.9/site-packages/django/core/management/__init__.py", line 363, in execute
    settings.INSTALLED_APPS
  File "/data/netbox-3.0.2/venv/lib/python3.9/site-packages/django/conf/__init__.py", line 82, in __getattr__
    self._setup(name)
  File "/data/netbox-3.0.2/venv/lib/python3.9/site-packages/django/conf/__init__.py", line 69, in _setup
    self._wrapped = Settings(settings_module)
  File "/data/netbox-3.0.2/venv/lib/python3.9/site-packages/django/conf/__init__.py", line 170, in __init__
    mod = importlib.import_module(self.SETTINGS_MODULE)
  File "/usr/lib/python3.9/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 790, in exec_module
  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
  File "/data/netbox-3.0.2/netbox/netbox/settings.py", line 584, in <module>
    plugin = importlib.import_module(plugin_name)
  File "/usr/lib/python3.9/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 790, in exec_module
  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
  File "/data/netbox-3.0.2/venv/lib/python3.9/site-packages/netbox_vault_secrets-0.0.1-py3.9.egg/netbox_vault_secrets/__init__.py", line 7, in <module>
    class VaultSecretsConfig(PluginConfig):
  File "/data/netbox-3.0.2/venv/lib/python3.9/site-packages/netbox_vault_secrets-0.0.1-py3.9.egg/netbox_vault_secrets/__init__.py", line 8, in VaultSecretsConfig
    name = pkg_info.name
  File "/data/netbox-3.0.2/venv/lib/python3.9/site-packages/pkg_resources/__init__.py", line 2816, in __getattr__
    return getattr(self._provider, attr)
AttributeError: 'PathMetadata' object has no attribute 'name'
(venv) root@svc-ces8-lab1:/opt/netbox/netbox# vi netbox/configuration.py
(venv) root@svc-ces8-lab1:/opt/netbox/netbox# python manage.py collectstatic
/data/netbox-3.0.2/netbox/netbox/settings.py:50: UserWarning: The CACHE_TIMEOUT configuration parameter was removed in v3.0.0 and no longer has any effect.
  warnings.warn(
Traceback (most recent call last):
  File "/data/netbox-3.0.2/netbox/manage.py", line 10, in <module>
    execute_from_command_line(sys.argv)
  File "/data/netbox-3.0.2/venv/lib/python3.9/site-packages/django/core/management/__init__.py", line 419, in execute_from_command_line
    utility.execute()
  File "/data/netbox-3.0.2/venv/lib/python3.9/site-packages/django/core/management/__init__.py", line 363, in execute
    settings.INSTALLED_APPS
  File "/data/netbox-3.0.2/venv/lib/python3.9/site-packages/django/conf/__init__.py", line 82, in __getattr__
    self._setup(name)
  File "/data/netbox-3.0.2/venv/lib/python3.9/site-packages/django/conf/__init__.py", line 69, in _setup
    self._wrapped = Settings(settings_module)
  File "/data/netbox-3.0.2/venv/lib/python3.9/site-packages/django/conf/__init__.py", line 170, in __init__
    mod = importlib.import_module(self.SETTINGS_MODULE)
  File "/usr/lib/python3.9/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 790, in exec_module
  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
  File "/data/netbox-3.0.2/netbox/netbox/settings.py", line 584, in <module>
    plugin = importlib.import_module(plugin_name)
  File "/usr/lib/python3.9/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 790, in exec_module
  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
  File "/data/netbox-3.0.2/venv/lib/python3.9/site-packages/netbox_vault_secrets-0.0.1-py3.9.egg/netbox_vault_secrets/__init__.py", line 7, in <module>
    class VaultSecretsConfig(PluginConfig):
  File "/data/netbox-3.0.2/venv/lib/python3.9/site-packages/netbox_vault_secrets-0.0.1-py3.9.egg/netbox_vault_secrets/__init__.py", line 8, in VaultSecretsConfig
    name = pkg_info.name
  File "/data/netbox-3.0.2/venv/lib/python3.9/site-packages/pkg_resources/__init__.py", line 2816, in __getattr__
    return getattr(self._provider, attr)
AttributeError: 'PathMetadata' object has no attribute 'name'

This plugin is not displayed in ui

I added this plugin to netbox. I added config

In configuration.py

PLUGINS = ["netbox_dns", "netbox_bgp", "netbox_vault_secrets"]

PLUGINS_CONFIG = {
  "netbox_vault_secrets": {
    "api_url": "https://my.ru",
  }
}

COPY configuration/configuration.py /etc/netbox/config/configuration.py
RUN /opt/netbox/venv/bin/python /opt/netbox/netbox/manage.py collectstatic --no-input

But in netbox I can't see this plugin. netbox v3.2.5
There are no errors in the logs. How can I check or understand what is wrong?

'NoneType' object has no attribute '_base_manager' after adding the plugin to netbox

Download the release in: https://github.com/ffddorf/netbox-vault-secrets/releases
Put that tarball downloaded in the root folder of netbox-docker
I installed the release in Dockerfile-Plugin as below:

FROM netboxcommunity/netbox:latest

COPY ./netbox_vault_secrets-0.0.1.tar.gz / 
RUN /opt/netbox/venv/bin/pip install --no-warn-script-location /netbox_vault_secrets-0.0.1.tar.gz
COPY configuration/configuration.py /etc/netbox/config/configuration.py
RUN SECRET_KEY="dummy" /opt/netbox/venv/bin/python /opt/netbox/netbox/manage.py collectstatic --no-input

Then I add the plugin to the Netbox configuration
Try building and start the netbox

I got below error:

Server Error
There was a problem with your request. Please contact an administrator.

The complete exception is provided below:

<class 'AttributeError'>

'NoneType' object has no attribute '_base_manager'

Python version: 3.10.6
NetBox version: 3.4.7

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

Update GitHub Artifact Actions to v4 (major) (actions/download-artifact, actions/upload-artifact)
Update actions/setup-node action to v4
Update actions/setup-python action to v5
Update dependency webpack-dev-server to v5
Update netboxcommunity/netbox Docker tag to v4
Update postgres Docker tag to v16
🔐 Create all rate-limited PRs at once 🔐

Edited/Blocked

These updates have been manually edited so Renovate will no longer make changes. To discard all commits and start over, click on a checkbox.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Update dependency webpack to v5.76.0 [SECURITY]
Update netboxcommunity/netbox Docker tag to v3.7.8
Update vault Docker tag to v1.13.3
Update actions/checkout action to v4
Update dependency babel-loader to v9
Update dependency typescript to v5
Update dependency ubuntu to v22
Update dependency webpack-cli to v5
Click on this checkbox to rebase all open PRs at once

Detected dependencies

docker-compose

docker-compose.yml

vault 1.10.1

netboxcommunity/netbox v3.2.1

postgres 14-alpine

redis 6-alpine

github-actions

.github/workflows/build-release.yml

actions/checkout v3

actions/setup-node v3

actions/setup-python v3

actions/upload-artifact v3

actions/download-artifact v3

ubuntu 20.04

ubuntu 20.04

npm

package.json

lodash.kebabcase ^4.1.1

preact ^10.6.0

@babel/core ^7.16.0

@babel/plugin-transform-react-jsx ^7.16.0

@babel/preset-env ^7.16.4

@babel/preset-typescript ^7.16.0

babel-loader ^8.2.3

typescript ^4.5.2

webpack ^5.64.2

webpack-cli ^4.9.1

webpack-dev-server ^4.5.0

Check this box to trigger a request for Renovate to run again on this repository

Allow login via alternative login methods

It's likely that production users of Vault will use OIDC or similar login mechanisms instead of a Vault token for login.

We should add:

A config option to specify what login process is desired
Ability to renew tokens that allow it

Error start Docker UP

netbox_1 | Creating /opt/netbox/venv/lib/python3.9/site-packages/netbox-vault-secrets.egg-link (link to .)
netbox_1 | netbox-vault-secrets 0.0.1 is already the active version in easy-install.pth
netbox_1 |
netbox_1 | Installed /src
netbox_1 | Processing dependencies for netbox-vault-secrets==0.0.1
netbox_1 | Finished processing dependencies for netbox-vault-secrets==0.0.1
netbox_1 | 🧬 loaded config '/etc/netbox/config/configuration.py'
netbox_1 | 🧬 loaded config '/etc/netbox/config/extra.py'
netbox_1 | 🧬 loaded config '/etc/netbox/config/logging.py'
netbox_1 | 🧬 loaded config '/etc/netbox/config/plugins.py'
netbox_1 | Traceback (most recent call last):
netbox_1 | File "/opt/netbox/netbox/manage.py", line 10, in
netbox_1 | execute_from_command_line(sys.argv)
netbox_1 | File "/opt/netbox/venv/lib/python3.9/site-packages/django/core/management/init.py", line 419, in execute_from_command_line
netbox_1 | utility.execute()
netbox_1 | File "/opt/netbox/venv/lib/python3.9/site-packages/django/core/management/init.py", line 363, in execute
netbox_1 | settings.INSTALLED_APPS
netbox_1 | File "/opt/netbox/venv/lib/python3.9/site-packages/django/conf/init.py", line 82, in getattr
netbox_1 | self._setup(name)
netbox_1 | File "/opt/netbox/venv/lib/python3.9/site-packages/django/conf/init.py", line 69, in _setup
netbox_1 | self._wrapped = Settings(settings_module)
netbox_1 | File "/opt/netbox/venv/lib/python3.9/site-packages/django/conf/init.py", line 170, in init
netbox_1 | mod = importlib.import_module(self.SETTINGS_MODULE)
netbox_1 | File "/usr/lib/python3.9/importlib/init.py", line 127, in import_module
netbox_1 | return _bootstrap._gcd_import(name[level:], package, level)
netbox_1 | File "", line 1030, in _gcd_import
netbox_1 | File "", line 1007, in _find_and_load
netbox_1 | File "", line 986, in _find_and_load_unlocked
netbox_1 | File "", line 680, in _load_unlocked
netbox_1 | File "", line 855, in exec_module
netbox_1 | File "", line 228, in _call_with_frames_removed
netbox_1 | File "/opt/netbox/netbox/netbox/settings.py", line 593, in
netbox_1 | plugin = importlib.import_module(plugin_name)
netbox_1 | File "/usr/lib/python3.9/importlib/init.py", line 127, in import_module
netbox_1 | return _bootstrap._gcd_import(name[level:], package, level)
netbox_1 | File "", line 1030, in _gcd_import
netbox_1 | File "", line 1007, in _find_and_load
netbox_1 | File "", line 986, in _find_and_load_unlocked
netbox_1 | File "", line 680, in _load_unlocked
netbox_1 | File "", line 855, in exec_module
netbox_1 | File "", line 228, in _call_with_frames_removed
netbox_1 | File "/src/netbox_vault_secrets/init.py", line 7, in
netbox_1 | class VaultSecretsConfig(PluginConfig):
netbox_1 | File "/src/netbox_vault_secrets/init.py", line 8, in VaultSecretsConfig
netbox_1 | name = pkg_info.name
netbox_1 | File "/opt/netbox/venv/lib/python3.9/site-packages/pkg_resources/init.py", line 2819, in getattr
netbox_1 | return getattr(self._provider, attr)
netbox_1 | AttributeError: 'PathMetadata' object has no attribute 'name'
netbox_1 | AttributeError: 'PathMetadata' object has no attribute 'name'
netbox_1 | [ Use DB_WAIT_DEBUG=1 in netbox.env to print full traceback for errors here ]
netbox_1 | ⏳ Waiting on DB... (0s / 30s)
netbox_1 | AttributeError: 'PathMetadata' object has no attribute 'name'
netbox_1 | [ Use DB_WAIT_DEBUG=1 in netbox.env to print full traceback for errors here ]
netbox_1 | ⏳ Waiting on DB... (3s / 30s)
netbox_1 | AttributeError: 'PathMetadata' object has no attribute 'name'
netbox_1 | [ Use DB_WAIT_DEBUG=1 in netbox.env to print full traceback for errors here ]
netbox_1 | ⏳ Waiting on DB... (6s / 30s)

Duplicate UI Secrets

HI,

I have a strange behavior after I insert 5 secrets on a device these at GUI level are duplicated on Vault instead they are of the correct number.

I noticed from the browser console that it requests the individual passwords twice.
Thank you

Has plugin Netbox v3.1.10 compatibility or missconfig?

Hello.

I try install plugin and use vault. Vault was installed with manual and dev server (vault server -dev)

my config:

PLUGINS_CONFIG = {
    "netbox_vault_secrets": {
        "api_url": "http://127.0.0.1:8200", # can be relative
        "kv_mount_path": "/v1/secret",  # optional
        "secret_path_prefix": "/netbox",  # optional
    }}

Now I open any device and see

Has plugin Netbox v3.1.10 compatibility or my missconfig?

Migrate data from legacy Secrets

It would be wonderful if we would be able to migrate from the legacy Secrets (which has been separated now in its own plugin at https://github.com/DanSheps/netbox-secretstore) to this Vault secret store.

Is such a migration path even possible with the current implementation of this plugin?

[Suggestion] Support flexible paths for secrets

Hello, thanks a lot for this plugin, many people are waiting for it (me too).
There is one problem of the plugin's design though.
If one start 'from scratch' - everything is fine, the secrets will be stored/retrieved at the paths you want:

    /device/{id}/{slug} for Devices
    /vm/{id}/{slug} for Virtual Machines
    /service/{id}/{slug} for Services

   "secret_path_prefix": "/netbox",

But what about the existing Vault installation, where many secrets are ALREADY stored, at some paths?
I think that this plugin should have a flexibility to configure the path for every secret.
It means that the user should be able not only add a secret at the 'standard' path, but he should be able to link an existing secret at a custom path to a device/VM/service too.
It does not seem to be a really complex modification, but it should be done at the beginning of the development of the plugin, because IMHO it will be more difficult later.

Apply netbox-plugin to your repo's github topic

This is a great idea for a netbox-plugin. Thought its not fully packaged with pypi and such, I say you should tag your repo with the github topic netbox-plugin.

On a side note, I have always thought a Hashicorp vault plugin made perfect sense. Ha I just wrote it down in a list of plugin candidates I have heard mentioned in passing quite a bit.

Object not found in Vault

Plugin config set to:

PLUGINS_CONFIG = {
"netbox_vault_secrets": {
"api_url": "http://127.0.0.1:8200/", # can be relative

Do I need to create the engine in Vault or does the plugin do it? Or do I need to add the path to the config?

Error Adding, Editing, and revealing Secret

I am getting the following error when I add a secret

undefined is not an object (evaluating '(await this.requestWithRenew(o,"POST",{options:{cas:n},data:t})).data')

This appears in the WebUI. The password does get added correctly though.

Same one when I edit a secret.

And when I try to reveal a secret, I get from list.tsx:27

Unhandled Promise Rejection: TypeError: undefined is not an object (evaluating 'n.version')

This appears in the console. When I go to edit the password, and reveal the existing one (in the edit page) it works correctly.

The complete exception is provided below:

media_failure.html

Python version: 3.7.12
NetBox version: 3.1.2

If further assistance is required, please post to the NetBox discussion forum on GitHub.
Home Page