ilijamt / vault-plugin-secrets-gitlab

Vault Plugin for Gitlab Access Tokens
MIT License

Error when disabling plugin #123

Closed ambis closed 4 weeks ago

ambis commented 1 month ago

When trying to disable the plugin, an error is thrown.

I did this with the older 0.4.1 version multiple times without any problems.

$ vault secrets disable gitlab
Error disabling secrets engine at gitlab/: Error making API request.

URL: DELETE https://my-vault/v1/sys/mounts/gitlab
Code: 400. Errors:

* failed to revoke "gitlab/config/default/rotate/bL7mHiAEF3AR3fnfBjjLEzk1" (1 / 3): failed to revoke entry: resp: (*logical.Response)(nil) err: secret is unsupported by this backend
exit 2

vault secrets list
{
  "gitlab/": {
    "uuid": "a6426a90-ff2d-e56e-a534-689cf082bb8d",
    "type": "gitlab",
    "description": "Secret backend which generates Personal Access Tokens in GitLab.",
    "accessor": "gitlab_71909f06",
    "config": {
      "default_lease_ttl": 0,
      "max_lease_ttl": 0,
      "force_no_cache": false
    },
    "options": {},
    "local": false,
    "seal_wrap": false,
    "external_entropy_access": false,
    "plugin_version": "v0.6.0",
    "running_plugin_version": "v0.6.0",
    "running_sha256": "143c80298df33fea4ec3263b7dcdbb3c4b22b8ec9d51bc28ac072c44c15e389f",
    "deprecation_status": ""
  },

vault --version
Vault v1.14.4 ('ccdd48d1f7b95fc99fd11d67fc1c687576b338de+CHANGES'), built 2023-09-22T21:29:05Z

ilijamt commented 1 month ago

Can you try and replicate it with a local Vault? And send me the instructions? Probably something I introduced when I added multiple configs.

When I try to disable

❯ vault secrets disable gitlab
Success! Disabled the secrets engine (if it existed) at: gitlab/
❯ vault --version
Vault v1.18.0 (77f26ba561a4b6b1ccd5071b8624cefef7a72e84), built 2024-10-08T09:12:52Z

ilijamt commented 1 month ago

Managed to replicate this; it only happens after a token rotate of the config.

❯ vault write -f gitlab/config/default/rotate

Key                   Value
---                   -----
lease_id              gitlab/config/default/rotate/C4uUPqBg5mC0A5Mxa2h9h7XR
lease_duration        768h
lease_renewable       false
auto_rotate_before    48h0m0s
auto_rotate_token     true
base_url              http://localhost:8080
name                  default
scopes                api, read_api, read_user, sudo, admin_mode, create_runner, k8s_proxy, read_repository, write_repository, ai_features, read_service_ping
token_created_at      2024-07-11T18:53:26Z
token_expires_at      2024-10-15T09:48:57Z
token_id              55
token_sha1_hash       337efde23b9eef9c76f89028db960c871a4e486b
type                  self-managed

❯ vault secrets disable gitlab
Error disabling secrets engine at gitlab/: Error making API request.

URL: DELETE http://127.0.0.1:8200/v1/sys/mounts/gitlab
Code: 400. Errors:

* failed to revoke "gitlab/config/default/rotate/C4uUPqBg5mC0A5Mxa2h9h7XR" (1 / 1): failed to revoke entry: resp: (*logical.Response)(nil) err: secret is unsupported by this backend

ambis commented 1 month ago

Oh, vault --version told me the (homebrew) client version, server is 1.18.

I'll try to replicate it. I've done so much testing and tried putting an invalid token (empty and random value) that maybe one bad token value got in.

I think one way to test is to delete the token from GitLab that the plugin was configured with, and see if that causes this.

ilijamt commented 1 month ago

Fixed with v0.6.1, can you please check and confirm?

ambis commented 1 month ago

I've done everything in the vault plugin upgrade guide, and I just can't get the plugin to update all the way:

vault secrets list -detailed
    "plugin_version": "v0.6.0",
    "running_plugin_version": "v0.6.1",

The problem still persists, even after restarting the vault instance. Maybe it cannot truly reload it due to the bug..?

Commands I've run

vault plugin register \
  -sha256=26862483ea31d694be788b01b4e019cc76fce6f6d9385020ae5e2570f4799da2 \
  -command=vault-plugin-secrets-gitlab \
  -version=v0.6.1 \
  secret \
  gitlab

vault plugin reload -plugin=gitlab -scope=global -type=secret

vault write sys/plugins/pins/secret/gitlab version=v0.6.1

ilijamt commented 1 month ago

You have to stop vault and start it up. You should be able to do it afterward. If not, you will have to remove the backend, stop, start Vault and then install it anew.
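
Added example (not part of this thread and not the plugin's own code): a check over the JSON from `vault secrets list -detailed -format=json` that reports mounts still recording an old `plugin_version`, running an unexpected version, or running a binary whose `running_sha256` differs from the digest that was registered. The function name `audit_mounts`, the mounts `gitlab-ok/` and `gitlab-bad/`, and all hashes in the sample are constructed for illustration.

```python
import json

# Constructed sample in the shape of `vault secrets list -detailed -format=json`.
# Hashes are placeholders, not real plugin digests.
WANT_SHA = "b" * 64
SAMPLE = json.dumps({
    "gitlab/": {"type": "gitlab", "plugin_version": "v0.6.0",
                "running_plugin_version": "v0.6.1", "running_sha256": WANT_SHA},
    "gitlab-ok/": {"type": "gitlab", "plugin_version": "v0.6.1",
                   "running_plugin_version": "v0.6.1", "running_sha256": WANT_SHA},
    "gitlab-bad/": {"type": "gitlab", "plugin_version": "",
                    "running_plugin_version": "v0.6.1", "running_sha256": "c" * 64},
    "kv/": {"type": "kv", "plugin_version": "",
            "running_plugin_version": "v0.13.0+builtin", "running_sha256": ""},
})


def audit_mounts(mounts_json, plugin_type, want_version, want_sha256):
    """Return {mount_path: [findings]} for mounts of plugin_type that are not
    cleanly running want_version from the binary with digest want_sha256."""
    findings = {}
    for path, mount in sorted(json.loads(mounts_json).items()):
        if mount.get("type") != plugin_type:
            continue  # other engines are out of scope for this check
        recorded = mount.get("plugin_version", "")  # empty means no version recorded
        running = mount.get("running_plugin_version", "")
        problems = []
        if recorded and recorded != running:
            problems.append(f"version-drift: mount records {recorded}, runs {running}")
        if running != want_version:
            problems.append(f"wrong-version: runs {running}, expected {want_version}")
        if mount.get("running_sha256", "").lower() != want_sha256.lower():
            problems.append("sha256-mismatch: running binary is not the registered one")
        if problems:
            findings[path] = problems
    return findings


if __name__ == "__main__":
    for path, problems in audit_mounts(SAMPLE, "gitlab", "v0.6.1", WANT_SHA).items():
        for problem in problems:
            print(f"{path}: {problem}")
```
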

ilijamt commented 1 month ago

@ambis did this work?

ilijamt commented 4 weeks ago

Please reopen if the issue hasn't been solved yet.