Open sc68cal opened 5 months ago
Thanks for reporting @sc68cal. Are you able to see which version of the collection works and which one doesn't?
`4.2.0` of `community.hashi_vault` works correctly with `VAULT_ADDR` (which is installed along with Ansible version 7.5.0).

`6.2.0` of `community.hashi_vault` does not work correctly with `VAULT_ADDR` and requires the use of `ANSIBLE_HASHI_VAULT_ADDR` in order to function (which is installed with the most recent release of Ansible, version 9.x, but I'm not sure on the point release).

I tried to look in the code, I think the error is thrown at this line because the adapter gets a URL that has double quotes in it (`"https://vault.mysite.com"`).
Thank you! I see from your output that there are quotes in the URL but I don't believe it's due to that line. The adapter is an object, and the only quotes there are for string literals in selecting the protocol. At that point in the code, there is no URL yet since it's constructing the `Session` object.

Somehow you've got quotes embedded in your URL, I don't think this was due to a regression in this collection but I'm not ruling it out yet.

I'm suspecting that before we introduced the retries, the way the session was being constructed by default may have masked the issue with your `VAULT_ADDR` containing quotes somehow...

Can you show the exact shell lines you're running to export the variable, and to run ansible? Also the playbook (MVCE) content?

If you add an `env` lookup call to check `VAULT_ADDR`, do you see its value with embedded quotes?
I set `VAULT_ADDR` in my `~/.profile` and it does not have quotes.

```
$ echo $VAULT_ADDR
https://vault.mysite.com
$ ansible --version
ansible [core 2.14.15]
$ ansible -m debug -a "msg={{ lookup('ansible.builtin.env', 'VAULT_ADDR') }}" localhost
localhost | SUCCESS => {
    "msg": "https://vault.mysite.com"
}
$ ansible-galaxy collection list | grep 'hashi'
community.hashi_vault 4.2.0
$ ansible -m debug -a "msg={{ lookup('community.hashi_vault.vault_read', 'my-secret-path').data.my-secret-key }}" localhost
localhost | SUCCESS => {
    "msg": "my-secret-value"
}
```

```
$ ansible --version
ansible [core 2.16.6]
$ ansible -m debug -a "msg={{ lookup('ansible.builtin.env', 'VAULT_ADDR') }}" localhost
localhost | SUCCESS => {
    "msg": "https://vault.mysite.com"
}
$ ansible-galaxy collection list | grep 'hashi'
community.hashi_vault 6.2.0
$ ansible -m debug -a "msg={{ lookup('community.hashi_vault.vault_read', 'my-secret-path').data.my-secret-key }}" localhost
localhost | FAILED! => {
    "msg": "An unhandled exception occurred while running the lookup plugin 'community.hashi_vault.vault_read'. Error was a <class 'requests.exceptions.InvalidSchema'>, original message: No connection adapters were found for '\"https://vault.mysite.com\"/v1/auth/token/lookup-self'. No connection adapters were found for '\"https://vault.mysite.com\"/v1/auth/token/lookup-self'"
}
$ ANSIBLE_HASHI_VAULT_ADDR=$VAULT_ADDR ansible -m debug -a "msg={{ lookup('community.hashi_vault.vault_read', 'my-secret-path').data.my-secret-key }}" localhost
localhost | SUCCESS => {
    "msg": "my-secret-value"
}
```

I think the most important thing to note is how setting `ANSIBLE_HASHI_VAULT_ADDR=$VAULT_ADDR` makes it work. It's the exact same value.

Both Ansible versions use `hvac==2.1.0`.
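An added diagnostic, not code from the collection or from either commenter, showing why a quoted `VAULT_ADDR` produces the `InvalidSchema` error in the output above: requests picks a connection adapter by matching the URL against the mounted prefixes `https://` and `http://`, and a URL that begins with a quote character matches neither. The quoted address used here is a constructed sample value.

```python
"""Diagnose a Vault address carrying embedded quote characters.

Added example, not code from community.hashi_vault. A default
requests.Session mounts adapters for "https://" and "http://" and selects
one by prefix match, so a value like '"https://vault.mysite.com"' (a
constructed sample) never matches and requests raises InvalidSchema.
"""
from urllib.parse import urlsplit

# Prefixes a default requests.Session mounts connection adapters for.
MOUNTED_PREFIXES = ("https://", "http://")


def has_connection_adapter(url: str) -> bool:
    """Mimic requests' adapter selection: case-insensitive prefix match."""
    lower = url.lower()
    return any(lower.startswith(prefix) for prefix in MOUNTED_PREFIXES)


def diagnose_vault_addr(raw: str) -> dict:
    """Report what is wrong with a candidate VAULT_ADDR value, if anything.

    Returns the cleaned address, whether requests would find an adapter for
    the raw value, and a list of readable problems (empty when the value is clean).
    """
    problems = []
    stripped = raw.strip()
    if stripped != raw:
        problems.append("leading or trailing whitespace")
    if stripped[:1] in ("'", '"') or stripped[-1:] in ("'", '"'):
        problems.append("embedded quote characters")
    cleaned = stripped.strip("'\"")
    parts = urlsplit(cleaned)
    if parts.scheme not in ("http", "https"):
        problems.append(f"unsupported scheme {parts.scheme!r}")
    if not parts.netloc:
        problems.append("missing host")
    return {"cleaned": cleaned,
            "adapter_found": has_connection_adapter(raw),
            "problems": problems}


def lookup_self_url(vault_addr: str) -> str:
    """Join the address and API path the way the failing URL above was formed."""
    return f"{vault_addr}/v1/auth/token/lookup-self"


if __name__ == "__main__":
    for sample in ("https://vault.mysite.com", '"https://vault.mysite.com"'):
        print(lookup_self_url(sample), diagnose_vault_addr(sample))
```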
Thank you for the detailed troubleshooting! I will try to step through and figure out what's going on as soon as I can.
Happy to help. If there's anything you want me to try, it's very easy to reproduce and I can also test patches too.
In the past I've tried to attach the Python debugger to Ansible modules and plugins but it's quite a pain. If you have any tips I can help debug that way too.
@sc68cal so far I've been unable to replicate it, the only way I can get that error is if I intentionally put double quotes in the env var value, but then those quotes show in the `env` lookup output (unlike your output), and it errors out in 4.2.0 also, so there is still something going on but I can't yet reproduce it to dig further.

I don't have good debugging instructions right now, here's a `launch.json` that I was messing with that could be used with vscode, but it will stop at the beginning of the application so you wouldn't be able to set a breakpoint, it would be a lot of stepping.

```json
{
    // Use IntelliSense to learn about possible attributes.
    // Hover to view descriptions of existing attributes.
    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
    "version": "0.2.0",
    "configurations": [
        {
            "name": "Python Debugger: Current File with Arguments",
            "type": "debugpy",
            "request": "launch",
            "program": "/home/briantist/.a216/bin/ansible",
            // ^ output of `which ansible`
            "console": "integratedTerminal",
            //"args": "${command:pickArgs}",
            "args": [
                "localhost",
                "-m",
                "debug",
                "-a",
                "msg=\"{{ lookup('community.hashi_vault.vault_read', 'zzzz') }}\""
            ],
            "stopOnEntry": true,
            "env": {
                "VAULT_ADDR": "http://vault"
            }
        }
    ]
}
```

There's additional configuration needed to be able to set breakpoints, and you'll want to ensure that the collection is checked out into a collection path (like `~/code/ansible/ansible_collections/community/hashi_vault`) so that the ansible collection path can be pointed to the same code on disk.

This article may be of help but I haven't fully tried it: https://medium.com/@tushe_33516/guide-to-writing-and-debugging-ansible-modules-in-vscode-a-nearly-perfect-setup-ad54024a466a
Ok. I have gotten pulled in a different direction so the upgrade to a more recent version of Ansible has been put on hold, so I will have to come back to this at a later date.
I have noticed issues after upgrading from `ansible==7.5.0` and the version of `hashi_vault` that was included, to more recent versions. When `VAULT_ADDR` is set:

```
{"msg": "An unhandled exception occurred while running the lookup plugin 'community.hashi_vault.vault_read'. Error was a <class 'requests.exceptions.InvalidSchema'>, original message: No connection adapters were found for '\"https://vault.mysite.com\"/v1/secret/myorg/my-path/myapp'. No connection adapters were found for '\"https://vault.mysite.com\"/v1/secret/myorg/my-path/myapp'"}
```

While setting

does in fact work, but we have a lot of infrastructure that sets `VAULT_ADDR` and this regression is quite painful.

_Originally posted by @sc68cal in https://github.com/ansible-collections/community.hashi_vault/discussions/368#discussioncomment-9147953_