From b8621332d6328d9b883f8ceab6131b81367aa49f Mon Sep 17 00:00:00 2001
From: Andreas Gruhler <andreas.gruhler@adfinis.com>
Date: Thu, 12 Sep 2024 23:48:42 +0200
Subject: [PATCH] feat: add draft python code

---
 kubernetes/requirements.txt  |  2 +
 kubernetes/vault-snapshot.py | 72 ++++++++++++++++++++++++++++++++++++
 2 files changed, 74 insertions(+)
 create mode 100755 kubernetes/requirements.txt
 create mode 100755 kubernetes/vault-snapshot.py

diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt
new file mode 100755
index 0000000..75629c1
--- /dev/null
+++ b/kubernetes/requirements.txt
@@ -0,0 +1,2 @@
+boto3
+hvac
diff --git a/kubernetes/vault-snapshot.py b/kubernetes/vault-snapshot.py
new file mode 100755
index 0000000..a1ad6d1
--- /dev/null
+++ b/kubernetes/vault-snapshot.py
@@ -0,0 +1,72 @@
+#!/usr/bin/env python
+
+import logging
+import boto3
+from botocore.exceptions import ClientError
+from hvac.api.auth_methods import Kubernetes
+import hvac
+import os
+from datetime import datetime
+
+vault_addr           = os.environ['VAULT_ADDR']
+vault_token          = os.environ['VAULT_TOKEN']
+s3_access_key_id     = os.environ['AWS_ACCESS_KEY_ID']
+s3_secret_access_key = os.environ['AWS_SECRET_ACCESS_KEY']
+# Example "https://my-remote-s3.com"
+s3_host              = os.environ['S3_HOST']
+# Example "my-bucket"
+s3_bucket            = os.environ['S3_BUCKET']
+
+# Authenticate with Kubernetes ServiceAccount if vault_token is empty
+# https://hvac.readthedocs.io/en/stable/usage/auth_methods/kubernetes.html
+#hvac_client = hvac.Client(url=url, verify=certificate_path)
+#f = open('/var/run/secrets/kubernetes.io/serviceaccount/token')
+#jwt = f.read()
+####VAULT_TOKEN=$(vault write -field=token  auth/kubernetes/login role="${VAULT_ROLE}" jwt="${JWT}")
+#Kubernetes(hvac_client.adapter).login(role=role, jwt=jwt)
+
+hvac_client = hvac.Client(url=vault_addr)
+hvac_client.token = vault_token
+
+assert hvac_client.is_authenticated()
+
+# Create snapshot. The snapshot is returned as binary data and should be
+# redirected to a file:
+# - https://developer.hashicorp.com/vault/api-docs/system/storage/raft
+# - https://hvac.readthedocs.io/en/stable/source/hvac_api_system_backend.html
+with hvac_client.sys.take_raft_snapshot() as resp:
+    assert resp.ok
+
+    print("Status code: %d" % resp.status_code)
+
+    date_str = datetime.now().strftime("%F-%H%M")
+    file_name = "vault_%s.snapshot" % (date_str)
+    print("File name:" + file_name)
+
+    # Upload the file
+    # - https://boto3.amazonaws.com/v1/documentation/api/latest/guide/s3-uploading-files.html
+    # - https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3/client/put_object.html
+    s3_client = boto3.client(service_name='s3',
+                             endpoint_url=s3_host,
+                             aws_access_key_id=s3_access_key_id,
+                             aws_secret_access_key=s3_secret_access_key)
+    try:
+        response = s3_client.put_object(
+            Body=resp.content,
+            Bucket=s3_bucket,
+            Key=file_name,
+        )
+        print(response)
+    except ClientError as e:
+        logging.error(e)
+
+# Iterate and remove expired snapshots:
+# https://boto3.amazonaws.com/v1/documentation/api/latest/guide/migrations3.html
+s3 = boto3.resource(service_name='s3',
+                    endpoint_url=s3_host,
+                    aws_access_key_id=s3_access_key_id,
+                    aws_secret_access_key=s3_secret_access_key)
+bucket = s3.Bucket(s3_bucket)
+for key in bucket.objects.all():
+    print(key.key)
+    # todo: do the S3_EXPIRE_DAYS magic