nautobot secrets

Author: syedhaseebahmed

ansible/playbooks/nautobot-users.yaml

@@ -0,0 +1,24 @@
+---
+- name: Nautobot service accounts for Undercloud services
+  connection: local
+  hosts: nautobot
+  gather_facts: false
+
+  pre_tasks:
+    - name: Load Nautobot credentials from environment
+      ansible.builtin.set_fact:
+        nautobot_data: "{{ lookup('env', 'EXTRA_VARS') | from_json }}"
+
+    - name: Ensure nautobot is up and responding
+      ansible.builtin.uri:
+        url: "https://{{ nautobot_data.hostname }}/health/"
+        method: GET
+        validate_certs: false
+      register: nautobot_up_check
+      until: nautobot_up_check.status == 200
+      retries: 24  # Retries for 24 * 5 seconds = 120 seconds = 2 minutes
+      delay: 5  # Every 5 seconds
+      check_mode: false
+
+  roles:
+    - role: users

ansible/roles/users/defaults/main.yaml

@@ -0,0 +1 @@
+---

ansible/roles/users/library/nautobot_token.py

@@ -0,0 +1,139 @@
+from datetime import datetime, timedelta
+from ansible.module_utils.basic import AnsibleModule
+import requests
+
+
+def check_existing_token(base_url, username, password):
+    """Check existing tokens for user and return token + warning if expiring."""
+    headers = {"Accept": "application/json"}
+    tokens_url = f"{base_url}/api/users/tokens/"
+
+    try:
+        response = requests.get(tokens_url, headers=headers, auth=(username, password))
+        response.raise_for_status()
+    except requests.exceptions.RequestException as e:
+        return None, f"Failed to fetch tokens: {e}"
+
+    data = response.json()
+    tokens = data.get("results", [])
+
+    if not tokens:
+        return None, "No tokens found"
+
+    if len(tokens) > 1:
+        return None, "Multiple tokens found, expected exactly 1"
+
+    token = tokens[0]
+    expires = token.get("expires")
+
+    if expires:
+        try:
+            expire_date = datetime.fromisoformat(expires.replace("Z", "+00:00"))
+            tomorrow = datetime.now(tz=expire_date.tzinfo) + timedelta(days=1)
+            if expire_date <= tomorrow:
+                return token, "Token expiring within 1 day"
+        except ValueError:
+            return token, f"Invalid expiration date format: {expires}"
+
+    return token, None
+
+
+def create_new_token(
+    base_url, username, password, user_token, description="ansible-created-token"
+):
+    """Create a new Nautobot token using Basic Auth."""
+    tokens_url = f"{base_url}/api/users/tokens/"
+    headers = {"Content-Type": "application/json", "Accept": "application/json"}
+    payload = {"key": user_token, "description": description, "write_enabled": True}
+
+    try:
+        response = requests.post(
+            tokens_url, headers=headers, json=payload, auth=(username, password)
+        )
+        response.raise_for_status()
+    except requests.exceptions.RequestException as e:
+        return None, f"Failed to create new token: {e}"
+
+    return response.json(), None
+
+
+def run_module():
+    module_args = dict(
+        base_url=dict(type="str", required=True),
+        username=dict(type="str", required=True),
+        password=dict(type="str", required=True, no_log=True),
+        token=dict(type="str", required=True, no_log=True),
+        replace_if_expiring=dict(type="bool", default=True),
+        create_if_notfound=dict(type="bool", default=True),
+        token_description=dict(type="str", default="ansible-created-token"),
+    )
+
+    module = AnsibleModule(argument_spec=module_args, supports_check_mode=True)
+    result = dict(changed=False, token=None, message="")
+
+    base_url = module.params["base_url"].rstrip("/")
+    username = module.params["username"]
+    password = module.params["password"]
+    user_token = module.params["token"]
+    replace_if_expiring = module.params["replace_if_expiring"]
+    create_if_notfound = module.params["create_if_notfound"]
+    token_description = module.params["token_description"]
+
+    if module.check_mode:
+        module.exit_json(**result)
+
+    # Check existing token
+    token, warning = check_existing_token(base_url, username, password)
+
+    if token:
+        # If token is expiring and replace_if_expiring=True → create new token
+        if warning and replace_if_expiring:
+            new_token, err = create_new_token(
+                base_url, username, password, user_token, token_description
+            )
+            if err:
+                module.fail_json(msg=err)
+            result.update(
+                changed=True,
+                message=f"Old token expiring, created new token for {username}",
+            )
+            module.exit_json(**result)
+
+        # Token is valid → return metadata only
+        result.update(
+            changed=False,
+            message=f"Found valid token for {username}",
+            token=dict(
+                id=str(token.get("id")),
+                display=str(token.get("display")),
+                created=str(token.get("created")),
+                expires=str(token.get("expires")),
+                write_enabled=bool(token.get("write_enabled")),
+                description=str(token.get("description", "No description")),
+            ),
+        )
+        module.exit_json(**result)
+
+    # No token found → create new if allowed
+    if create_if_notfound:
+        new_token, err = create_new_token(
+            base_url, username, password, user_token, token_description
+        )
+        if err:
+            module.fail_json(msg=err)
+        result.update(
+            changed=True,
+            message=f"No token found, created new token for {username}",
+        )
+        module.exit_json(**result)
+
+    # No token and not allowed to create → fail
+    module.fail_json(msg=f"No token found for {username} and creation disabled")
+
+
+def main():
+    run_module()
+
+
+if __name__ == "__main__":
+    main()

ansible/roles/users/tasks/main.yaml

@@ -0,0 +1,36 @@
+---
+- name: Query user in Nautobot
+  ansible.builtin.uri:
+    url: "https://{{ nautobot_data.hostname }}/api/users/users/{{ nautobot_data.username }}"
+    method: GET
+    headers:
+      Authorization: "Token {{ nautobot_token }}"
+    return_content: true
+    status_code: [200, 404]
+  register: user_query_result
+
+- name: Create user in Nautobot if missing
+  ansible.builtin.uri:
+    url: "https://{{ nautobot_data.hostname }}/api/users/users/"
+    method: POST
+    headers:
+      Authorization: "Token {{ nautobot_token }}"
+      Content-Type: "application/json"
+    body_format: json
+    body:
+      username: "{{ nautobot_data.username }}"
+      password: "{{ nautobot_data.password }}"
+      is_staff: true
+      is_superuser: true
+    status_code: [201]
+  when: user_query_result.status == 404
+
+- name: Ensure Nautobot token exists for user
+  nautobot_token:
+    base_url: "https://{{ nautobot_data.hostname }}"
+    username: "{{ nautobot_data.username }}"
+    password: "{{ nautobot_data.password }}"
+    token: "{{ nautobot_data.token }}"
+    replace_if_expiring: true
+  register: nautobot_token_result
+  # no_log: true   # optionally hide token in logs

apps/kustomization.yaml

@@ -9,6 +9,7 @@ resources:
 - appsets/appset-understack-global.yaml
 - appsets/appset-understack-site.yaml
 - appsets/appset-understack-openstack.yaml
+- appsets/appset-understack-site-only.yaml
 
 # you can do something like below to allow your deployment repo
 # to define the exact versions that you want to use

apps/site/secretstore-gen-secrets.yaml

@@ -0,0 +1,13 @@
+---
+component: nautobot-secrets
+componentNamespace: nautobot
+sources:
+  - ref: understack
+    path: 'components/secretstore-gen-secrets'
+    helm:
+      releaseName: nautobot-secrets
+      valueFiles:
+        - $deploy/{{.name}}/helm-configs/secretstore-nautobot-secrets.yaml
+      ignoreMissingValueFiles: true
+  - ref: deploy
+    path: '{{.name}}/manifests/secret-store'

components/secretstore-gen-secrets/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

components/secretstore-gen-secrets/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: site-secrets
+description: Orchestrating secrets across kubernetes clusters (global-site) using External SecretStore
+type: application
+version: 0.1.0
+appVersion: "1.0"

components/secretstore-gen-secrets/templates/secrets.yaml.tmpl

@@ -0,0 +1,55 @@
+{{- $site := .Values.site }}
+{{- $secretStore := $site.secretStore }}
+{{- range $site.secrets }}
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ .name }}
+ {{- if .externalLinkAnnotationTemplate }}
+  annotations:
+    link.argocd.argoproj.io/external-link: {{ tpl .externalLinkAnnotationTemplate . }}
+  {{- end }}
+ {{- with .labels }}
+  labels:
+{{ toYaml . | indent 4 }}
+{{- end }}
+spec:
+  refreshInterval: {{ .refreshInterval | default "1h" }}
+  secretStoreRef:
+    kind: {{ $secretStore.kind }}
+    name: {{ $secretStore.name }}
+  target:
+    name: {{ .name }}
+    creationPolicy: Owner
+    template:
+      engineVersion: v2
+      type: {{ .templateType | default "Opaque" }}
+      {{- with .labels }}
+      metadata:
+        labels:
+{{ toYaml . | indent 10 }}
+      {{- end }}
+{{- if .templateData }}
+      data:
+{{- range $k, $v := .templateData }}
+        {{ $k }}: {{ $v | quote }}
+{{- end }}
+{{- end }}
+{{- if .data }}
+  data:
+{{- range .data }}
+    - secretKey: {{ .secretKey }}
+      remoteRef:
+        key: {{ .remoteRef.key }}
+        property: {{ .remoteRef.property }}
+        conversionStrategy: {{ .remoteRef.conversionStrategy | default "Default" }}
+        decodingStrategy: {{ .remoteRef.decodingStrategy | default "None" }}
+        metadataPolicy: {{ .remoteRef.metadataPolicy | default "None" }}
+{{- end }}
+{{- end }}
+{{- if .dataFrom }}
+  dataFrom:
+{{- toYaml .dataFrom | nindent 4 }}
+{{- end }}
+{{- end }}

components/secretstore-gen-secrets/values.yaml

@@ -0,0 +1,8 @@
+site:
+  name: uc-iad3-dev
+  partition: uc-dev
+  env: dev
+  role: aio
+  secretStore:
+    kind: SecretStore
+    name: vault