Merge pull request #84 from nautobot/release/1.4.0

Release/1.4.0

.github/CODEOWNERS

@@ -1,2 +1,2 @@
 # Default owner(s) of all files in this repository
-* @dgarros @itdependsnetworks @jathanism @jedelman8 @jerej
+* @nautobot/core

.github/workflows/ci.yml

@@ -74,8 +74,8 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        python-version: ["3.10"]
-        nautobot-version: ["1.3"]
+        python-version: ["3.8"]
+        nautobot-version: ["1.4.10"]
     env:
       INVOKE_NAUTOBOT_SECRETS_PROVIDERS_PYTHON_VER: "${{ matrix.python-version }}"
       INVOKE_NAUTOBOT_SECRETS_PROVIDERS_NAUTOBOT_VER: "${{ matrix.nautobot-version }}"
@@ -112,10 +112,7 @@ jobs:
       fail-fast: true
       matrix:
         python-version: ["3.7", "3.8", "3.9", "3.10"]
-        nautobot-version: ["1.2.11", "1.3"]
-        exclude:
-          - python-version: "3.10"
-            nautobot-version: "1.2.11"
+        nautobot-version: ["1.4.10", "1.5.10"]
     runs-on: "ubuntu-20.04"
     env:
       INVOKE_NAUTOBOT_SECRETS_PROVIDERS_PYTHON_VER: "${{ matrix.python-version }}"

.github/workflows/upstream_testing.yml

@@ -0,0 +1,13 @@
+---
+name: "Nautobot Upstream Monitor"
+
+on:  # yamllint disable-line rule:truthy rule:comments
+  schedule:
+    - cron: "0 4 */2 * *"  # every other day at 4:00
+
+jobs:
+  upstream-test:
+    uses: "nautobot/nautobot/.github/workflows/plugin_upstream_testing_base.yml@develop"
+    with:  # Below could potentially be collapsed into a single argument if a concrete relationship between both is enforced
+      invoke_context_name: "NAUTOBOT_SECRETS_PROVIDERS"
+      plugin_name: "nautobot-secrets-provider"

CHANGELOG.md

@@ -1,5 +1,21 @@
 # Nautobot Secrets Providers Changelog
 
+## v1.4.0 (2023-04-19)
+
+### Added
+
+- [#48](https://github.com/nautobot/nautobot-plugin-secrets-providers/issues/48) Add token as secret type choice for Delinea/Thycotic
+- [#51](https://github.com/nautobot/nautobot-plugin-secrets-providers/issues/51) Add support for AWS Systems Manager Parameter Store
+- [#53](https://github.com/nautobot/nautobot-plugin-secrets-providers/pull/53) Add support for Hashicorp Key/Value v1 response
+- [#66](https://github.com/nautobot/nautobot-plugin-secrets-providers/pull/66) Add support for Vault Enterprise Namespace parameter
+
+### Changed
+
+- [#45](https://github.com/nautobot/nautobot-plugin-secrets-providers/pull/45) Change references of Thycotic to Delinea
+- [#47](https://github.com/nautobot/nautobot-plugin-secrets-providers/pull/47) Change version constraint of HVAC module to allow non-major upgrades
+- [#56](https://github.com/nautobot/nautobot-plugin-secrets-providers/pull/56) Change minimum supported Nautobot version to `1.4.0`
+- [#63](https://github.com/nautobot/nautobot-plugin-secrets-providers/pull/63) Update plugin description when installed in Nautobot
+
 ## v1.3.0 (2022-08-29)
 
 ### Added

README.md

@@ -11,7 +11,8 @@ This plugin supports the following popular secrets backends:
 | Secrets Backend                                              | Supported Secret Types                                       | Supported Authentication Methods                             |
 | ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------ |
 | [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) | [Other: Key/value pairs](https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_create-basic-secret.html) | [AWS credentials](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html) (see Usage section below) |
-| [HashiCorp Vault](https://www.vaultproject.io)               | [K/V Version 2](https://www.vaultproject.io/docs/secrets/kv/kv-v2) | [Token](https://www.vaultproject.io/docs/auth/token)<br/>[AppRole](https://www.vaultproject.io/docs/auth/approle)<br/>[AWS](https://www.vaultproject.io/docs/auth/aws)<br/>[Kubernetes](https://www.vaultproject.io/docs/auth/kubernetes)         |
+| [AWS Systems Manager Parameter Store](https://aws.amazon.com/secrets-manager/) | [Other: Key/value pairs](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html) | [AWS credentials](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html) (see Usage section below) |
+| [HashiCorp Vault](https://www.vaultproject.io)               | [K/V Version 2](https://www.vaultproject.io/docs/secrets/kv/kv-v2)<br/>[K/V Version 1](https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v1) | [Token](https://www.vaultproject.io/docs/auth/token)<br/>[AppRole](https://www.vaultproject.io/docs/auth/approle)<br/>[AWS](https://www.vaultproject.io/docs/auth/aws)<br/>[Kubernetes](https://www.vaultproject.io/docs/auth/kubernetes)         |
 | [Delinea/Thycotic Secret Server](https://delinea.com/products/secret-server)               | [Secret Server Cloud](https://github.com/DelineaXPM/python-tss-sdk#secret-server-cloud)<br/>[Secret Server (on-prem)](https://github.com/DelineaXPM/python-tss-sdk#initializing-secretserver)| [Access Token Authorization](https://github.com/DelineaXPM/python-tss-sdk#access-token-authorization)<br/>[Domain Authorization](https://github.com/DelineaXPM/python-tss-sdk#domain-authorization)<br/>[Password Authorization](https://github.com/DelineaXPM/python-tss-sdk#password-authorization)<br/>         |
 
 ## Screenshots
@@ -40,7 +41,7 @@ This plugin supports the following popular secrets backends:
 
 ## Installation
 
-> Nautobot Secrets Providers is compatible with Nautobot 1.2.0 and higher. Support for Thycotic Secret Server requires Python 3.7 or later.
+> Nautobot Secrets Providers is compatible with Nautobot 1.4.0 and higher. Support for Thycotic Secret Server requires Python 3.7 or later.
 
 The package is available as a Python package in PyPI and can be installed with `pip`:
 
@@ -60,9 +61,9 @@ For this plugin to operate you must install at least one of the dependent librar
 
 **You must install the dependencies for at least one of the supported secrets providers or a `RuntimeError` will be raised.**
 
-#### AWS Secrets Manager
+#### AWS
 
-The AWS Secrets Manager provider requires the `boto3` library. This can be easily installed along with the plugin using the following command:
+AWS Secrets Manager and Systems Manager Parameter Store are supported. Both providers require the `boto3` library. This can be easily installed along with the plugin using the following command:
 
 ```no-highlight
 pip install nautobot-secrets-providers[aws]
@@ -111,7 +112,7 @@ Before you proceed, you must have **at least one** of the dependent libaries ins
 
 Please do not enable this plugin until you are able to install the dependencies, as it will block Nautobot from starting.
 
-### AWS Secrets Manager
+### AWS
 
 #### Authentication
 
@@ -128,7 +129,7 @@ Boto3 credentials can be configured in multiple ways (eight as of this writing)
 7. Boto2 config file (`/etc/boto.cfg` and `~/.boto`)
 8. Instance metadata service on an Amazon EC2 instance that has an IAM role configured.
 
-**The AWS Secrets Manager provider only supports methods 3-8. Methods 1 and 2 ARE NOT SUPPORTED at this time.**
+**The AWS providers only support methods 3-8. Methods 1 and 2 ARE NOT SUPPORTED at this time.**
 
 We highly recommend you defer to using environment variables for your deployment as specified in the credentials documentation linked above. The values specified in the linked documentation should be [set within your `~.bashrc`](https://nautobot.readthedocs.io/en/latest/installation/nautobot/#update-the-nautobot-bashrc) (or similar profile) on your system.
 
@@ -165,13 +166,15 @@ PLUGINS_CONFIG = {
 - `auth_method` - (optional / defaults to "token") The method used to authenticate against the HashiCorp Vault instance. Either `"approle"`, `"aws"`, `"kubernetes"` or `"token"`.  For information on using AWS authentication with vault see the [authentication](#authentication) section above.
 - `ca_cert` - (optional) Path to a PEM formatted CA certificate to use when verifying the Vault connection.  Can alternatively be set to `False` to ignore SSL verification (not recommended) or `True` to use the system certificates.
 - `default_mount_point` - (optional / defaults to "secret") The default mount point of the K/V Version 2 secrets engine within Hashicorp Vault.
+- `kv_version` - (optional / defaults to "v2") The version of the KV engine to use, can be `v1` or `v2`
 - `k8s_token_path` - (optional) Path to the kubernetes service account token file.  Defaults to "/var/run/secrets/kubernetes.io/serviceaccount/token".
 - `token` - (optional) Required when `"auth_method": "token"` or `auth_method` is not supplied. The token for authenticating the client with the HashiCorp Vault instance. As with other sensitive service credentials, we recommend that you provide the token value as an environment variable and retrieve it with `{"token": os.getenv("NAUTOBOT_HASHICORP_VAULT_TOKEN")}` rather than hard-coding it in your `nautobot_config.py`.
 - `role_name` - (optional) Required when `"auth_method": "kubernetes"`, optional when `"auth_method": "aws"`.  The Vault Kubernetes role or Vault AWS role to assume which the pod's service account has access to.
 - `role_id` - (optional) Required when `"auth_method": "approle"`. As with other sensitive service credentials, we recommend that you provide the role_id value as an environment variable and retrieve it with `{"role_id": os.getenv("NAUTOBOT_HASHICORP_VAULT_ROLE_ID")}` rather than hard-coding it in your `nautobot_config.py`.
 - `secret_id` - (optional) Required when `"auth_method": "approle"`.As with other sensitive service credentials, we recommend that you provide the secret_id value as an environment variable and retrieve it with `{"secret_id": os.getenv("NAUTOBOT_HASHICORP_VAULT_SECRET_ID")}` rather than hard-coding it in your `nautobot_config.py`.
 - `login_kwargs` - (optional) Additional optional parameters to pass to the login method for [`approle`](https://hvac.readthedocs.io/en/stable/source/hvac_api_auth_methods.html#hvac.api.auth_methods.AppRole.login), [`aws`](https://hvac.readthedocs.io/en/stable/source/hvac_api_auth_methods.html#hvac.api.auth_methods.Aws.iam_login) and [`kubernetes`](https://hvac.readthedocs.io/en/stable/source/hvac_api_auth_methods.html#hvac.api.auth_methods.Kubernetes.login) authentication methods.
-
+- `namespace` - (optional) Namespace to use for the [`X-Vault-Namespace` header](https://github.com/hvac/hvac/blob/main/hvac/adapters.py#L287) on all hvac client requests. Required when the [`Namespaces`](https://developer.hashicorp.com/vault/docs/enterprise/namespaces#usage) feature is enabled in Vault Enterprise.
+
 ### Delinea/Thycotic Secret Server (TSS)
 
 The Delinea/Thycotic Secret Server plugin includes two providers:
@@ -246,7 +249,7 @@ Below is a quick start guide if you're already familiar with the development env
 
 The [PyInvoke](http://www.pyinvoke.org/) library is used to provide some helper commands based on the environment.  There are a few configuration parameters which can be passed to PyInvoke to override the default configuration:
 
-* `nautobot_ver`: the version of Nautobot to use as a base for any built docker containers (default: 1.2.0)
+* `nautobot_ver`: the version of Nautobot to use as a base for any built docker containers (default: 1.4.10)
 * `project_name`: the default docker compose project name (default: nautobot_secrets_providers)
 * `python_ver`: the version of Python to use as a base for any built docker containers (default: 3.7)
 * `local`: a boolean flag indicating if invoke tasks should be run on the host or inside the docker containers (default: False, commands will be run in docker containers)

development/Dockerfile

@@ -1,37 +1,78 @@
-ARG NAUTOBOT_VER="1.2.1"
-ARG PYTHON_VER=3.8
-FROM ghcr.io/nautobot/nautobot-dev:${NAUTOBOT_VER}-py${PYTHON_VER}
+# -------------------------------------------------------------------------------------
+# Nautobot App Developement Dockerfile Template
+# Version: 1.1.0
+#
+# Apps that need to add additional steps or packages can do in the section below.
+# -------------------------------------------------------------------------------------
+# !!! USE CAUTION WHEN MODIFYING LINES BELOW
 
-ENV prometheus_multiproc_dir=/prom_cache
+# Accepts a desired Nautobot version as build argument, default to 1.4.10
+ARG NAUTOBOT_VER="1.4.10"
+
+# Accepts a desired Python version as build argument, default to 3.8
+ARG PYTHON_VER="3.8"
 
+# Retrieve published development image of Nautobot base which should include most CI dependencies
+FROM ghcr.io/nautobot/nautobot-dev:${NAUTOBOT_VER}-py${PYTHON_VER}
+
+# Runtime argument and environment setup
 ARG NAUTOBOT_ROOT=/opt/nautobot
 
+ENV prometheus_multiproc_dir=/prom_cache
 ENV NAUTOBOT_ROOT ${NAUTOBOT_ROOT}
 
-WORKDIR $NAUTOBOT_ROOT
-
-# Configure poetry
-RUN poetry config virtualenvs.create false \
-    && poetry config installer.parallel false
+# Install Poetry manually via its installer script;
+# We might be using an older version of Nautobot that includes an older version of Poetry
+# and CI and local development may have a newer version of Poetry
+# Since this is only used for development and we don't ship this container, pinning Poetry back is not expressly necessary
+# We also don't need virtual environments in container
+RUN curl -sSL https://install.python-poetry.org | python3 - && \
+  poetry config virtualenvs.create false
 
+# !!! USE CAUTION WHEN MODIFYING LINES ABOVE
 # -------------------------------------------------------------------------------------
-# Install Nautobot Plugin
+# App-specifc system build/test dependencies.
+# 
+# Example: LDAP requires `libldap2-dev` to be apt-installed before the Python package.
 # -------------------------------------------------------------------------------------
-WORKDIR /tmp
+# --> Start safe to modify section
 
-# Copy in only pyproject.toml/poetry.lock to help with caching this layer if no updates to dependencies
-COPY poetry.lock pyproject.toml /tmp/
-# --no-root declares not to install the project package since we're wanting to take advantage of caching dependency installation
-# and the project is copied in and installed after this step
-RUN poetry add nautobot=$NAUTOBOT_VER && \
-    poetry update --lock && \
-    poetry install --no-interaction --no-ansi --no-root
+# Uncomment the lines below if you are apt-installing any package.
+# RUN apt-get -y update && apt-get -y install \
+#     libldap2-dev \
+#     && rm -rf /var/lib/apt/lists/*
 
-WORKDIR /source
+# --> Stop safe to modify section
+# -------------------------------------------------------------------------------------
+# Install Nautobot App
+# -------------------------------------------------------------------------------------
+# !!! USE CAUTION WHEN MODIFYING LINES BELOW
 
-# Copy in the rest of the source code and install local Nautobot plugin
+# Copy in the source code
+WORKDIR /source
 COPY . /source
-RUN mv /tmp/poetry.lock /tmp/pyproject.toml /source && \
-    poetry install --no-interaction --no-ansi
+
+# Get container's installed Nautobot version as a forced constraint
+# NAUTOBOT_VER may be a branch name and not a published release therefor we need to get the installed version
+#  so pip can use it to recognize local constraints.
+RUN pip show nautobot | grep "^Version: " | sed -e 's/Version: /nautobot==/' > constraints.txt
+
+# Use Poetry to grab dev dependencies from the lock file
+# Can be improved in Poetry 1.2 which allows `poetry install --only dev`
+#
+# We can't use the entire freeze as it takes forever to resolve with rigidly fixed non-direct dependencies,
+#   especially those that are only direct to Nautobot but the container included versions slightly mismatch
+RUN poetry export -f requirements.txt --without-hashes --output poetry_freeze_base.txt
+RUN poetry export -f requirements.txt --with dev --without-hashes --output poetry_freeze_all.txt
+RUN sort poetry_freeze_base.txt poetry_freeze_all.txt | uniq -u > poetry_freeze_dev.txt
+
+# Install all local project as editable, constrained on Nautobot version, to get any additional
+#   direct dependencies of the app
+RUN pip install -c constraints.txt -e .[all]
+
+# Install any dev dependencies frozen from Poetry
+# Can be improved in Poetry 1.2 which allows `poetry install --only dev`
+RUN pip install -c constraints.txt -r poetry_freeze_dev.txt
 
 COPY development/nautobot_config.py ${NAUTOBOT_ROOT}/nautobot_config.py
+# !!! USE CAUTION WHEN MODIFYING LINES ABOVE

development/creds.example.env

@@ -17,8 +17,8 @@ REDIS_PASSWORD=notverysecurepwd
 # NAUTOBOT_ROOT=./development
 
 #############################################################################
-# Settings for Thycotic Secret-Server-Reader
-#     https://github.com/thycotic/python-tss-sdk
+# Settings for Delinea/Thycotic Secret-Server-Reader
+#     https://github.com/DelineaXPM/python-tss-sdk
 
 SECRET_SERVER_BASE_URL='https://pw.example.local/SecretServer'
 

invoke.example.yml

@@ -1,7 +1,7 @@
 ---
 nautobot_secrets_providers:
   project_name: "nautobot_secrets_providers"
-  nautobot_ver: "1.2.0"
+  nautobot_ver: "1.4.10"
   local: false
   python_ver: "3.7"
   compose_dir: "development"

nautobot_secrets_providers/__init__.py

@@ -15,13 +15,13 @@ class NautobotSecretsProvidersConfig(PluginConfig):
     """Plugin configuration for the nautobot_secrets_providers plugin."""
 
     name = "nautobot_secrets_providers"
-    verbose_name = "Nautobot Secrets Providers"
+    verbose_name = "Secrets Management Extensions"
     version = __version__
     author = "Network to Code, LLC"
-    description = "Nautobot Secrets Providers Plugin."
+    description = "Nautobot App that provides direct integrations with Enterprise secrets management systems. Provides patterns to securely fetch secrets for use by other Nautobot Apps and Nautobot Jobs."
     base_url = "secrets"
     required_settings = []
-    min_version = "1.2.0"
+    min_version = "1.4.0"
     max_version = "1.9999"
     default_settings = {}
     caching_config = {}

nautobot_secrets_providers/providers/__init__.py

@@ -1,11 +1,12 @@
 """Nautobot Secrets Providers."""
 
-from .aws import AWSSecretsManagerSecretsProvider
+from .aws import AWSSecretsManagerSecretsProvider, AWSSystemsManagerParameterStore
 from .hashicorp import HashiCorpVaultSecretsProvider
 from .delinea import ThycoticSecretServerSecretsProviderId, ThycoticSecretServerSecretsProviderPath
 
 __all__ = (  # type: ignore
     AWSSecretsManagerSecretsProvider,  # pylint: disable=invalid-all-object
+    AWSSystemsManagerParameterStore,  # pylint: disable=invalid-all-object
     HashiCorpVaultSecretsProvider,  # pylint: disable=invalid-all-object
     ThycoticSecretServerSecretsProviderId,  # pylint: disable=invalid-all-object
     ThycoticSecretServerSecretsProviderPath,  # pylint: disable=invalid-all-object