ansible-collections / community.hashi_vault

Ansible collection for managing and working with HashiCorp Vault.
https://docs.ansible.com/ansible/devel/collections/community/hashi_vault/index.html
GNU General Public License v3.0

VAULT_ADDR regression #438

Open sc68cal opened 5 months ago

sc68cal commented 5 months ago

I have noticed issues after upgrading from ansible==7.5.0 and the version of hashi_vault that was included, to more recent versions.

When VAULT_ADDR is set

export VAULT_ADDR=https://vault.mysite.com

{"msg": "An unhandled exception occurred while running the lookup plugin 'community.hashi_vault.vault_read'. Error was a <class 'requests.exceptions.InvalidSchema'>, original message: No connection adapters were found for '\"https://vault.mysite.com\"/v1/secret/myorg/my-path/myapp'. No connection adapters were found for '\"https://vault.mysite.com\"/v1/secret/myorg/my-path/myapp'"}

While setting

export ANSIBLE_HASHI_VAULT_ADDR=https://vault.mysite.com

Does in fact work, but we have a lot of infrastructure that sets VAULT_ADDR and this regression is quite painful.

_Originally posted by @sc68cal in https://github.com/ansible-collections/community.hashi_vault/discussions/368#discussioncomment-9147953_

briantist commented 5 months ago

Thanks for reporting @sc68cal. Are you able to see which version of the collection works and which one doesn't?

sc68cal commented 5 months ago

4.2.0 of community.hashi_vault works correctly with VAULT_ADDR (which is installed along with Ansible version 7.5.0)

6.2.0 of community.hashi_vault does not work correctly with VAULT_ADDR and requires the use of ANSIBLE_HASHI_VAULT_ADDR in order to function (which is installed with the most recent release of Ansible, version 9.x but I'm not sure on the point release)

sc68cal commented 5 months ago

I tried to look in the code, I think the error is thrown at this line because the adapter gets a URL that has double quotes in it ("https://vault.mysite.com")

briantist commented 5 months ago

Thank you! I see from your output that there are quotes in the URL but I don't believe it's due to that line. The adapter is an object, and the only quotes there are for string literals in selecting the protocol. At that point in the code, there is no URL yet since it's constructing the Session object.

Somehow you've got quotes embedded in your URL, I don't think this was due to a regression in this collection but I'm not ruling it out yet.

I'm suspecting that before we introduced the retries, the way the session was being constructed by default may have masked the issue with your VAULT_ADDR containing quotes somehow...

Can you show the exact shell lines you're running to export the variable, and to run ansible? Also the playbook (MVCE) content?

If you add an env lookup call to check VAULT_ADDR do you see its value with embedded quotes?
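The symptom in this thread is a base URL that arrives at `requests` with literal quote characters around it, so the request URL it builds starts with `"` rather than `https://` and no connection adapter matches. The following is an added example, not code from the collection or from either participant: a small validator for a Vault address taken from the environment that names the defect (stray quotes, whitespace, bad scheme, missing host) instead of letting it surface as `InvalidSchema` deep inside a lookup. The variable precedence (`ANSIBLE_HASHI_VAULT_ADDR` before `VAULT_ADDR`) and the function names are assumptions made for this example; the `/v1/auth/token/lookup-self` path is the one visible in the failing output above.

```python
import os
from typing import Mapping, Optional, Tuple
from urllib.parse import urlsplit

# Assumed precedence for this example only: the collection-specific variable
# is consulted first, then the generic Vault CLI variable.
ENV_VARS = ("ANSIBLE_HASHI_VAULT_ADDR", "VAULT_ADDR")


class VaultAddrError(ValueError):
    """Raised when no usable Vault address can be resolved from the environment."""


def diagnose_vault_addr(value: Optional[str]) -> str:
    """Return a short reason why `value` is not a usable Vault base URL, or '' if it is fine."""
    if not value:
        return "empty"
    # The defect from the issue: quote characters embedded in the URL string.
    # requests later concatenates '"https://host"' + '/v1/...' and, because the
    # result no longer begins with http:// or https://, finds no adapter for it.
    if '"' in value or "'" in value:
        return "contains quote characters"
    if any(ch.isspace() for ch in value):
        return "contains whitespace"
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https"):
        return "unsupported scheme %r" % parts.scheme
    if not parts.netloc:
        return "missing host"
    return ""


def resolve_vault_addr(environ: Optional[Mapping[str, str]] = None) -> Tuple[str, str]:
    """Pick the first configured address variable and validate it.

    Returns (variable_name, normalized_url); raises VaultAddrError with the
    variable name and the specific problem when the value is unusable.
    """
    env = os.environ if environ is None else environ
    for name in ENV_VARS:
        value = env.get(name)
        if value is None:
            continue
        problem = diagnose_vault_addr(value)
        if problem:
            raise VaultAddrError("%s=%r: %s" % (name, value, problem))
        return name, value.rstrip("/")
    raise VaultAddrError("neither %s is set" % " nor ".join(ENV_VARS))


def build_request_url(base: str, api_path: str) -> str:
    """Mirror the simple base + '/v1/' + path concatenation that produced the error text."""
    return "%s/v1/%s" % (base, api_path)


if __name__ == "__main__":
    # Constructed sample environments: the clean value from the thread and the quoted one.
    good_env = {"VAULT_ADDR": "https://vault.mysite.com"}
    bad_env = {"VAULT_ADDR": '"https://vault.mysite.com"'}
    print(resolve_vault_addr(good_env))
    print(build_request_url(bad_env["VAULT_ADDR"], "auth/token/lookup-self"))
    try:
        resolve_vault_addr(bad_env)
    except VaultAddrError as exc:
        print("rejected:", exc)
```

Running the module with the quoted sample reproduces the exact URL shape from the failed lookup (`"https://vault.mysite.com"/v1/auth/token/lookup-self`) and then rejects it with the variable name attached, which is the check you would want in front of any client that reads its endpoint from the environment.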

sc68cal commented 5 months ago

I set VAULT_ADDR in my ~/.profile and it does not have quotes.

sc68cal commented 5 months ago

Ansible 7.5

$ echo $VAULT_ADDR
https://vault.mysite.com

$ ansible --version
ansible [core 2.14.15]

$ ansible -m debug -a "msg={{ lookup('ansible.builtin.env', 'VAULT_ADDR') }}" localhost
localhost | SUCCESS => {
    "msg": "https://vault.mysite.com"
}

$ ansible-galaxy collection list | grep 'hashi'
community.hashi_vault         4.2.0

$ ansible -m debug -a "msg={{ lookup('community.hashi_vault.vault_read', 'my-secret-path').data.my-secret-key }}" localhost
localhost | SUCCESS => {
    "msg": "my-secret-value"
}

Ansible 9.4.0

$ ansible --version
ansible [core 2.16.6]

$ ansible -m debug -a "msg={{ lookup('ansible.builtin.env', 'VAULT_ADDR') }}" localhost

localhost | SUCCESS => {
    "msg": "https://vault.mysite.com"
}

$ ansible-galaxy collection list | grep 'hashi'

community.hashi_vault                    6.2.0

$ ansible -m debug -a "msg={{ lookup('community.hashi_vault.vault_read', 'my-secret-path').data.my-secret-key }}" localhost
localhost | FAILED! => {
    "msg": "An unhandled exception occurred while running the lookup plugin 'community.hashi_vault.vault_read'. Error was a <class 'requests.exceptions.InvalidSchema'>, original message: No connection adapters were found for '\"https://vault.mysite.com\"/v1/auth/token/lookup-self'. No connection adapters were found for '\"https://vault.mysite.com\"/v1/auth/token/lookup-self'"
}

$ ANSIBLE_HASHI_VAULT_ADDR=$VAULT_ADDR ansible -m debug -a "msg={{ lookup('community.hashi_vault.vault_read', 'my-secret-path').data.my-secret-key }}" localhost
localhost | SUCCESS => {
    "msg": "my-secret-value"
}

sc68cal commented 5 months ago

I think the most important thing to note is how setting

ANSIBLE_HASHI_VAULT_ADDR=$VAULT_ADDR

makes it work. It's the exact same value.

sc68cal commented 5 months ago

Both Ansible versions use hvac==2.1.0

briantist commented 5 months ago

Thank you for the detailed troubleshooting! I will try to step through and figure out what's going on as soon as I can.

sc68cal commented 5 months ago

Happy to help. If there's anything you want me to try, it's very easy to reproduce and I can also test patches too.

In the past I've tried to attach the Python debugger to Ansible modules and plugins but it's quite a pain. If you have any tips I can help debug that way too.

briantist commented 5 months ago

@sc68cal so far I've been unable to replicate it, the only way I can get that error is if I intentionally put double quotes in the env var value, but then those quotes show in the env lookup output (unlike your output), and it errors out in 4.2.0 also, so there is still something going on but I can't yet reproduce it to dig further.

I don't have good debugging instructions right now, here's a launch.json that I was messing with that could be used with vscode, but it will stop at the beginning of the application so you wouldn't be able to set a breakpoint, it would be a lot of stepping.

{
    // Use IntelliSense to learn about possible attributes.
    // Hover to view descriptions of existing attributes.
    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
    "version": "0.2.0",
    "configurations": [
        {
            "name": "Python Debugger: Current File with Arguments",
            "type": "debugpy",
            "request": "launch",
            "program": "/home/briantist/.a216/bin/ansible",
            // ^ output of `which ansible`
            "console": "integratedTerminal",
            //"args": "${command:pickArgs}",
            "args": [
                "localhost",
                "-m",
                "debug",
                "-a",
                "msg=\"{{ lookup('community.hashi_vault.vault_read', 'zzzz') }}\""
            ],
            "stopOnEntry": true,
            "env": {
                "VAULT_ADDR": "http://vault"
            }
        }
    ]
}

There's additional configuration needed to be able to set breakpoints, and you'll want to ensure that the collection is checked out into a collection path (like ~/code/ansible/ansible_collections/community/hashi_vault) so that the ansible collection path can be pointed to the same code on disk.

This article may be of help but I haven't fully tried it: https://medium.com/@tushe_33516/guide-to-writing-and-debugging-ansible-modules-in-vscode-a-nearly-perfect-setup-ad54024a466a

sc68cal commented 4 months ago

Ok. I have gotten pulled in a different direction so the upgrade to a more recent version of Ansible has been put on hold, so I will have to come back to this at a later date