Merge de15c0e into 6a93468

paasta_tools/cli/cmds/secret.py

@@ -105,6 +105,16 @@ def add_subparser(subparsers):
         default=False,
         help="Optionally pass the plaintext from stdin",
     )
+    secret_parser.add_argument(
+        "--cross_environment",
+        required=False,
+        type=str,
+        help=(
+            "Provide motivation in case the same value is being duplicated "
+            "across multiple runtime environments when adding or updating a secret"
+        ),
+        metavar="MOTIVATION",
+    )
     secret_parser.set_defaults(command=paasta_secret)
 
 
@@ -209,7 +219,10 @@ def paasta_secret(args):
         if not plaintext:
             print("Warning: Given plaintext is an empty string.")
         secret_provider.write_secret(
-            action=args.action, secret_name=args.secret_name, plaintext=plaintext
+            action=args.action,
+            secret_name=args.secret_name,
+            plaintext=plaintext,
+            cross_environment_motivation=args.cross_environment,
         )
         secret_path = os.path.join(
             secret_provider.secret_dir, f"{args.secret_name}.json"

paasta_tools/secret_providers/__init__.py

@@ -29,7 +29,13 @@ def decrypt_environment(
     ) -> Dict[str, str]:
         raise NotImplementedError
 
-    def write_secret(self, action: str, secret_name: str, plaintext: bytes) -> None:
+    def write_secret(
+        self,
+        action: str,
+        secret_name: str,
+        plaintext: bytes,
+        cross_environment_motivation: Optional[str] = None,
+    ) -> None:
         raise NotImplementedError
 
     def decrypt_secret(self, secret_name: str) -> str:

paasta_tools/secret_providers/vault.py

@@ -106,7 +106,13 @@ def get_vault_ecosystems_for_clusters(self) -> List[str]:
             )
             raise
 
-    def write_secret(self, action: str, secret_name: str, plaintext: bytes) -> None:
+    def write_secret(
+        self,
+        action: str,
+        secret_name: str,
+        plaintext: bytes,
+        cross_environment_motivation: Optional[str] = None,
+    ) -> None:
         with TempGpgKeyring(overwrite=True):
             for ecosystem in self.ecosystems:
                 client = self.clients[ecosystem]
@@ -119,6 +125,7 @@ def write_secret(self, action: str, secret_name: str, plaintext: bytes) -> None:
                     plaintext=plaintext,
                     service_name=self.service_name,
                     transit_key=self.encryption_key,
+                    cross_environment_motivation=cross_environment_motivation,
                 )
 
     def decrypt_secret(self, secret_name: str) -> str:

tests/cli/test_cmds_secret.py

@@ -152,6 +152,7 @@ def test_paasta_secret():
             service="middleearth",
             clusters="mesosstage",
             shared=False,
+            cross_environment="because ...",
         )
         secret.paasta_secret(mock_args)
         mock_get_secret_provider_for_service.assert_called_with(
@@ -161,6 +162,7 @@ def test_paasta_secret():
             action="add",
             secret_name="theonering",
             plaintext=mock_get_plaintext_input.return_value,
+            cross_environment_motivation="because ...",
         )
         mock_log_audit.assert_called_with(
             action="add-secret",
@@ -174,6 +176,7 @@ def test_paasta_secret():
             service="middleearth",
             clusters="mesosstage",
             shared=False,
+            cross_environment=None,
         )
         secret.paasta_secret(mock_args)
         mock_get_secret_provider_for_service.assert_called_with(
@@ -183,6 +186,7 @@ def test_paasta_secret():
             action="update",
             secret_name="theonering",
             plaintext=mock_get_plaintext_input.return_value,
+            cross_environment_motivation=None,
         )
         mock_log_audit.assert_called_with(
             action="update-secret",

tests/secret_providers/test_vault.py

@@ -73,7 +73,10 @@ def test_write_secret(mock_secret_provider):
         "paasta_tools.secret_providers.vault.encrypt_secret", autospec=False
     ) as mock_encrypt_secret:
         mock_secret_provider.write_secret(
-            action="add", secret_name="mysecret", plaintext=b"SECRETSQUIRREL"
+            action="add",
+            secret_name="mysecret",
+            plaintext=b"SECRETSQUIRREL",
+            cross_environment_motivation="because ...",
         )
         mock_encrypt_secret.assert_called_with(
             client=mock_secret_provider.clients["devc"],
@@ -84,6 +87,7 @@ def test_write_secret(mock_secret_provider):
             service_name="universe",
             soa_dir="/nail/blah",
             transit_key="paasta",
+            cross_environment_motivation="because ...",
         )
 
         mock_secret_provider.encryption_key = "special-key"
@@ -99,6 +103,7 @@ def test_write_secret(mock_secret_provider):
             service_name="universe",
             soa_dir="/nail/blah",
             transit_key="special-key",
+            cross_environment_motivation=None,
         )
 
 

yelp_package/extra_requirements_yelp.txt

@@ -13,7 +13,7 @@ signalform-tools==0.0.16
 slo-transcoder==3.3.0
 smmap2==2.0.3
 sticht[yelp_internal]==1.1.12
-vault-tools==0.7.34
+vault-tools==0.9.2
 yelp-cgeom==1.3.1
 yelp-clog==5.0.0
 yelp-logging==1.0.37