JCasC Vault secret source not working

[jaekunchoi]

Your checklist for this issue

🚨 Please review the guidelines for contributing to this repository.

• [x] Jenkins version

• [x] Plugin version

• [x] OS

Description

• Jenkins version 2.263.4
• JCASC version 1.46
• hashicorp-vault-plugin:3.7.0
• Redhat 7 Docker CasC Vault source with CASC_VAULT_FILE doesn't load. I have defined below in the file:

  CASC_VAULT_TOKEN=VAULT_TOKEN
  CASC_VAULT_PATHS=/dev/jenkins
  CASC_VAULT_URL=VAULT_ADDR
  CASC_VAULT_ENGINE_VERSION=2

All I get is

WARNING i.j.p.c.SecretSourceResolver$UnresolvedLookup#lookup: Configuration import: Found unresolved variable 'password'. Will default to empty string

I don't get any Vault log entries. Is there anything wrong here?

[jetersen]

@jaekunchoi have you checked that the CASC_VAULT_FILE file has the right permission for the Jenkins user so it can be read?

Could you try not using CASC_VAULT_FILE and define the variable directly to confirm that it works?

Can you confirm on the Jenkins server with the vault cli that you can read from /dev/jenkins with the same token?

[jaekunchoi]

I've checked and verified that the owner of the CASC_VAULT_FILE is jenkins and I've also made it 777 to test it.

I've changed it to export environment variables and I get the same issue. No logs or any errors of any Vault plugin secret source getting called. Just silently goes

WARNING i.j.p.c.SecretSourceResolver$UnresolvedLookup#lookup: Configuration import: Found unresolved variable 'password'. Will default to empty string

And attempts to start Jenkins. However I was able to get some errors by putting something completely wrong in CASC_VAULT_URL

When I run with Vault CLI with VAULT_TOKEN (which is the same token used for CASC_VAULT_TOKEN) on Jenkins master container I get the response with below result on with:

vault kv get -field=data -format=json /secret/data/dev/jenkins
{
  "key": "qqqw"
}

Is this because I'm storing it in wrong way? I'm actually saving the data with hvac with kv secret=dict(key="qqqw")

[jaekunchoi]

I've also tried with below:

vault kv get /secret/data/dev/jenkins
=========== Data ===========
Key                    Value
---                    -----
password         qqqwwww

and set CASC_VAULT_PATHS to /secret/data/dev/jenkins but it still doesn't work without any errors in the log about Vault secret source. It seems like it's silently failing somewhere?

@jetersen

[jaekunchoi]

Forgot to mention I'm also setting CASC_VAULT_NAMESPACE

[jaekunchoi]

I was hoping to get at least some log lines from https://github.com/jenkinsci/hashicorp-vault-plugin/blob/5a1eedadbde028ac133764c83bbd2c7af5098b00/src/main/java/com/datapipe/jenkins/vault/jcasc/secrets/VaultSecretSource.java#L87

[jaekunchoi]

Also getting below log which seems to pick up from CASC_VAULT_NAMESPACE

INFO    com.bettercloud.vault.Vault#<init>: The NameSpace jenkins/test has been bound to this Vault instance. Please keep this in mind when running operations.

[jetersen]

I don't have access to namespaced setup so support is based on community support.

[Raminios]

I seem to be experiencing pretty much an identical issue as you've described.

Silent failure with

WARNING i.j.p.c.SecretSourceResolver$UnresolvedLookup#lookup: Configuration import: Found unresolved variable 'foo'. Will default to empty string

Have tried with environment variables and also CASC_VAULT_FILE, neither work. Changing the CASC_VAULT_URL or token to something completely broken shows an error message in the logs, so it seems like the request is being resolved successfully, but the conversion from response body to environment variable is breaking somehow.

[santhu3064]

Even we are facing the same issue.

2022-02-11 12:40:31.874+0000 [id=35] WARNING i.j.p.c.SecretSourceResolver$UnresolvedLookup#lookup: Configuration import: Found unresolved variable 'foo'. Will default to empty string Set the env vars and tried using file for authentication as well. The secrets are not being loaded. hashicorp-vault-plugin:336.v182c0fbaaeb7 configuration-as-code:1346.ve8cfa_3473c94 Please let us know if anyone have found any solution.

[jetersen]

downgrade to older version

[santhu3064]

Would be mind letting me know which version you are using downgraded to 3.7.0 still the same .. There is no connection error can see error when incorrect url or token given. By the way jenkins is running in docker

[sam-mckay]

I workaround this by downgrading 3.6.1 but more importantly, I discovered the way I understood paths was wrong

I have a kv store at some/creds/service_name (containing the key "secret")

This is great but I also have some/creds/some_other_service_name (containing the key "secret")

Which means to use both I must set up jenkins like so

CASC_VAULT_PATHS: some/creds/service,some/creds/some_other_service_name

 - string:
     description: "A password"
     id: "an_id"
     scope: GLOBAL
     secret: "${secrets/creds/service/secret}"
 - string:
     description: "A password"
     id: "another_id"
     scope: GLOBAL
     secret: "${secrets/creds/some_other_service_name/secret}"

What I was getting wrong is the env value for CASC_VAULT_PATHS, I was trying to use some/creds and reference my secrets the same as above, but that does not work.

Worth checking to see if you have the same issue @santhu3064

@jetersen I'm not sure if this is how the plugin is intended to be used, so any wisdom here is appreciated :)

[santhu3064]

@sam-mckay Same issue unable to resolve the variable the vault connection is good and path is also fine what i can see the secrets are not loaded in the pod from vault.

[dshvedchenko]

you can try to add your mounts before value sin PATHS , and remove CASC_VAULT_MOUNT, for me it helps was

CASC_VAULT_PATHS=secret/dev
CASC_VAULT_MOUNT=teams

now it works with just

CASC_VAULT_PATHS=teams/secret/dev