Open pasuder opened 2 years ago
Same behavior on Jenkins 2.333 and Vault 1.9.3
I went deep..
tl;dr: `%2F` instead of `/`
same issue https://github.com/jenkinsci/hashicorp-vault-plugin/issues/75#issuecomment-582105896
Longer version:
A bit more context on the deployment where Jenkins and Vault are set up. Both are deployed with images pulled from docker.io, run on the same server and are behind Traefik. Communication between Jenkins and Vault happens over Traefik. I did not check what Traefik does with URLs, but what I found is the following:
That part of code:
Should return call this:
```java
public LogicalResponse read(final String path) throws VaultException {
    if (this.engineVersionForSecretPath(path).equals(2)) {
        return read(path, true, logicalOperations.readV2);
    } else return read(path, true, logicalOperations.readV1);
}
```
For Vault URL creation, that helper is called:
```java
public static String adjustPathForReadOrWrite(final String path, final int prefixPathLength,
        final Logical.logicalOperations operation) {
    final List<String> pathSegments = getPathSegments(path);
    if (operation.equals(Logical.logicalOperations.readV2) || operation
            .equals(Logical.logicalOperations.writeV2)) {
        // Version 2
        final StringBuilder adjustedPath = new StringBuilder(
                addQualifierToPath(pathSegments, prefixPathLength, "data"));
        if (path.endsWith("/")) {
            adjustedPath.append("/");
        }
        return adjustedPath.toString();
    } else {
        // Version 1
        return path;
    }
}
```
It does the job of setting `data` as per README (permalink).
And the question is: at which level is that `%2F` converted to `/`? In this plugin, in that external library used to access Vault, somewhere in Jenkins, on Traefik (it does SSL termination)?
Excluded Traefik from communication between Jenkins and Vault - used direct URL aka `http://vault:8200` and same error with `/` in secret engine name:
com.datapipe.jenkins.vault.exception.VaultPluginException: Vault credentials not found for 'secret/testing_v2/testing'
With `secret%2Ftesting_v2/testing` as path it does work fine.
Take a look at this: https://github.com/jenkinsci/hashicorp-vault-plugin/issues/209
Based on the following example, I tried to set up working retrieval of secrets from the Vault KV version 2 engine and was unable to get it working:
Working example of scripted pipeline for KV version 1 secret engine:
Not working example of scripted pipeline for KV version 2 secret engine:
Build error:
`vault_token` is a token used to access Vault configured with JCasC `jenkins.yml`
Vault secrets retrievals using Vault CLI:
Versions:
May I ask if KV v2 secrets retrieval does work? If yes, how to set it up? Thanks!
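Where the `data` qualifier lands for the two path spellings discussed in this thread, as an added example that is not part of the original posts, the plugin, or the Vault client library. It assumes `getPathSegments` splits on a literal `/` only and that the first `prefixPathLength` segments are treated as the mount; both helpers are re-implemented here on that assumption, and `KvV2PathDemo` and `adjustForReadV2` are hypothetical names.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;

public class KvV2PathDemo {

    // Assumed stand-in for getPathSegments(): split on a literal "/" only,
    // so an encoded "%2F" stays inside its segment.
    static List<String> getPathSegments(final String path) {
        final List<String> segments = new ArrayList<>();
        final StringTokenizer tokenizer = new StringTokenizer(path, "/");
        while (tokenizer.hasMoreTokens()) {
            segments.add(tokenizer.nextToken());
        }
        return segments;
    }

    // Assumed stand-in for addQualifierToPath(): keep the first prefixPathLength
    // segments as the mount, insert the qualifier, then append the rest.
    static String addQualifierToPath(final List<String> segments,
            final int prefixPathLength, final String qualifier) {
        final int mountDepth = Math.min(prefixPathLength, segments.size());
        final List<String> out = new ArrayList<>(segments.subList(0, mountDepth));
        out.add(qualifier);
        out.addAll(segments.subList(mountDepth, segments.size()));
        return String.join("/", out);
    }

    // KV v2 read path, following the "Version 2" branch of the helper quoted in the thread.
    static String adjustForReadV2(final String path, final int prefixPathLength) {
        final StringBuilder adjusted = new StringBuilder(
                addQualifierToPath(getPathSegments(path), prefixPathLength, "data"));
        if (path.endsWith("/")) {
            adjusted.append("/");
        }
        return adjusted.toString();
    }

    public static void main(final String[] args) {
        // Constructed inputs: the two path spellings from this thread.
        final String[] paths = {"secret/testing_v2/testing", "secret%2Ftesting_v2/testing"};
        for (final String path : paths) {
            for (int depth = 1; depth <= 2; depth++) {
                System.out.printf("%-28s depth=%d -> %s%n",
                        path, depth, adjustForReadV2(path, depth));
            }
        }
    }
}
```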