"""
Use Consul K/V as a Pillar source with values parsed as YAML
:depends: - python-consul
In order to use an consul server, a profile must be created in the master
configuration file:
.. code-block:: yaml
my_consul_config:
consul.host: 127.0.0.1
consul.port: 8500
consul.token: b6376760-a8bb-edd5-fcda-33bc13bfc556
consul.scheme: http
consul.consistency: default
consul.dc: dev
consul.verify: True
All parameters are optional.
The ``consul.token`` requires python-consul >= 0.4.7.
If you have a multi-datacenter Consul cluster you can map your ``pillarenv``
entries to your data centers by providing a dictionary of mappings in
``consul.dc`` field:
.. code-block:: yaml
my_consul_config:
consul.dc:
dev: us-east-1
prod: us-west-1
In the example above we specifying static mapping between Pillar environments
and data centers: the data for ``dev`` and ``prod`` Pillar environments will
be fetched from ``us-east-1`` and ``us-west-1`` datacenter respectively.
In fact when ``consul.dc`` is set to dictionary keys are processed as regular
expressions (that can capture named parameters) and values are processed as
string templates as per PEP 3101.
.. code-block:: yaml
my_consul_config:
consul.dc:
^dev-.*$: dev-datacenter
^(?P<region>.*)-prod$: prod-datacenter-{region}
This example maps all Pillar environments starting with ``dev-`` to
``dev-datacenter`` whereas Pillar environment like ``eu-prod`` will be
mapped to ``prod-datacenter-eu``.
Before evaluation patterns are sorted by length in descending order.
If Pillar environment names correspond to data center names a single pattern
can be used:
.. code-block:: yaml
my_consul_config:
consul.dc:
^(?P<env>.*)$: '{env}'
After the profile is created, configure the external pillar system to use it.
Optionally, a root may be specified.
.. code-block:: yaml
ext_pillar:
- consul: my_consul_config
ext_pillar:
- consul: my_consul_config root=salt
Using these configuration profiles, multiple consul sources may also be used:
.. code-block:: yaml
ext_pillar:
- consul: my_consul_config
- consul: my_other_consul_config
Either the ``minion_id``, or the ``role``, or the ``environment`` grain may be used in the ``root``
path to expose minion-specific information stored in consul.
.. code-block:: yaml
ext_pillar:
- consul: my_consul_config root=salt/%(minion_id)s
- consul: my_consul_config root=salt/%(role)s
- consul: my_consul_config root=salt/%(environment)s
Minion-specific values may override shared values when the minion-specific root
appears after the shared root:
.. code-block:: yaml
ext_pillar:
- consul: my_consul_config root=salt-shared
- consul: my_other_consul_config root=salt-private/%(minion_id)s
If using the ``role`` or ``environment`` grain in the consul key path, be sure to define it using
`/etc/salt/grains`, or similar:
.. code-block:: yaml
role: my-minion-role
environment: dev
It's possible to lock down where the pillar values are shared through minion
targeting. Note that double quotes ``"`` are required around the target value
and cannot be used inside the matching statement. See the section on Compound
Matchers for more examples.
.. code-block:: yaml
ext_pillar:
- consul: my_consul_config root=salt target="L@salt.example.com and G@osarch:x86_64"
The data from Consul can be merged into a nested key in Pillar.
.. code-block:: yaml
ext_pillar:
- consul: my_consul_config pillar_root=consul_data
By default, keys containing YAML data will be deserialized before being merged into Pillar.
This behavior can be disabled by setting ``expand_keys`` to ``false``.
.. code-block:: yaml
ext_pillar:
- consul: my_consul_config expand_keys=false
"""
import logging
import re
import salt.utils.minions
import salt.utils.yaml
from salt.exceptions import CommandExecutionError
from salt.utils.dictupdate import update as dict_merge
try:
import consul
if not hasattr(consul, "__version__"):
consul.__version__ = ( # Some packages has no version, and so this pillar crashes on access to it.
"0.1"
)
except ImportError:
consul = None
__virtualname__ = "consul"
# Set up logging
log = logging.getLogger(__name__)
[docs]
def __virtual__():
"""
Only return if python-consul is installed
"""
return __virtualname__ if consul is not None else False
[docs]
def ext_pillar(minion_id, pillar, conf): # pylint: disable=W0613
"""
Check consul for all data
"""
opts = {}
temp = conf
target_re = re.compile('target="(.*?)"')
match = target_re.search(temp)
if match:
opts["target"] = match.group(1)
temp = temp.replace(match.group(0), "")
checker = salt.utils.minions.CkMinions(__opts__)
_res = checker.check_minions(opts["target"], "compound")
minions = _res["minions"]
log.debug("Targeted minions: %r", minions)
if minion_id not in minions:
return {}
root_re = re.compile(r"(?<!_)root=(\S*)") # pylint: disable=W1401
match = root_re.search(temp)
if match:
opts["root"] = match.group(1).rstrip("/")
temp = temp.replace(match.group(0), "")
else:
opts["root"] = ""
pillar_root_re = re.compile(r"pillar_root=(\S*)") # pylint: disable=W1401
match = pillar_root_re.search(temp)
if match:
opts["pillar_root"] = match.group(1).rstrip("/")
temp = temp.replace(match.group(0), "")
else:
opts["pillar_root"] = ""
profile_re = re.compile(r"(?:profile=)?(\S+)") # pylint: disable=W1401
match = profile_re.search(temp)
if match:
opts["profile"] = match.group(1)
temp = temp.replace(match.group(0), "")
else:
opts["profile"] = None
expand_keys_re = re.compile("expand_keys=False", re.IGNORECASE) # pylint: disable=W1401
match = expand_keys_re.search(temp)
if match:
opts["expand_keys"] = False
temp = temp.replace(match.group(0), "")
else:
opts["expand_keys"] = True
client = get_conn(__opts__, opts["profile"])
role = __salt__["grains.get"]("role", None)
environment = __salt__["grains.get"]("environment", None)
# put the minion's ID in the path if necessary
opts["root"] %= {"minion_id": minion_id, "role": role, "environment": environment}
try:
pillar_tree = fetch_tree(client, opts["root"], opts["expand_keys"])
if opts["pillar_root"]:
log.debug(
"Merging consul path %s/ into pillar at %s/",
opts["root"],
opts["pillar_root"],
)
pillar = {}
branch = pillar
keys = opts["pillar_root"].split("/")
for i, k in enumerate(keys):
if i == len(keys) - 1:
branch[k] = pillar_tree
else:
branch[k] = {}
branch = branch[k]
else:
pillar = pillar_tree
except KeyError:
log.error("No such key in consul profile %s: %s", opts["profile"], opts["root"])
pillar = {}
return pillar
[docs]
def consul_fetch(client, path):
"""
Query consul for all keys/values within base path
"""
# Unless the root path is blank, it needs a trailing slash for
# the kv get from Consul to work as expected
return client.kv.get("" if not path else path.rstrip("/") + "/", recurse=True)
[docs]
def fetch_tree(client, path, expand_keys):
"""
Grab data from consul, trim base path and remove any keys which
are folders. Take the remaining data and send it to be formatted
in such a way as to be used as pillar data.
"""
_, items = consul_fetch(client, path)
ret = {}
has_children = re.compile(r"/$")
log.debug("Fetched items: %r", items)
if items is None:
return ret
for item in reversed(items):
key = re.sub(r"^" + re.escape(path) + "/?", "", item["Key"])
if key != "":
log.debug("path/key - %s: %s", path, key)
log.debug("has_children? %r", has_children.search(key))
if has_children.search(key) is None:
ret = pillar_format(ret, key.split("/"), item["Value"], expand_keys)
log.debug("Fetching subkeys for key: %r", item)
return ret
[docs]
def get_conn(opts, profile):
"""
Return a client object for accessing consul
"""
opts_pillar = opts.get("pillar", {})
opts_master = opts_pillar.get("master", {})
opts_merged = {}
opts_merged.update(opts_master)
opts_merged.update(opts_pillar)
opts_merged.update(opts)
if profile:
conf = opts_merged.get(profile, {})
else:
conf = opts_merged
params = {}
for key in conf:
if key.startswith("consul."):
params[key.split(".")[1]] = conf[key]
if "dc" in params:
pillarenv = opts_merged.get("pillarenv") or "base"
params["dc"] = _resolve_datacenter(params["dc"], pillarenv)
if consul:
# Sanity check. ACL Tokens are supported on python-consul 0.4.7 onwards only.
if consul.__version__ < "0.4.7" and params.get("target"):
params.pop("target")
return consul.Consul(**params)
else:
raise CommandExecutionError(
"(unable to import consul, "
"module most likely not installed. Download python-consul "
"module and be sure to import consul)"
)
def _resolve_datacenter(dc, pillarenv):
"""
If ``dc`` is a string - return it as is.
If it's a dict then sort it in descending order by key length and try
to use keys as RegEx patterns to match against ``pillarenv``.
The value for matched pattern should be a string (that can use
``str.format`` syntax togetehr with captured variables from pattern)
pointing to targe data center to use.
If none patterns matched return ``None`` which meanse us datacenter of
conencted Consul agent.
"""
log.debug("Resolving Consul datacenter based on: %s", dc)
try:
mappings = dc.items() # is it a dict?
except AttributeError:
log.debug("Using pre-defined DC: '%s'", dc)
return dc
log.debug("Selecting DC based on pillarenv using %d pattern(s)", len(mappings))
log.debug("Pillarenv set to '%s'", pillarenv)
# sort in reverse based on pattern length
# but use alphabetic order within groups of patterns of same length
sorted_mappings = sorted(mappings, key=lambda m: (-len(m[0]), m[0]))
for pattern, target in sorted_mappings:
match = re.match(pattern, pillarenv)
if match:
log.debug("Matched pattern: '%s'", pattern)
result = target.format(**match.groupdict())
log.debug("Resolved datacenter: '%s'", result)
return result
log.debug(
"None of following patterns matched pillarenv=%s: %s",
pillarenv,
", ".join(repr(x) for x in mappings),
)