netbox-community / ansible_modules

NetBox modules for Ansible using Ansible Collections
GNU General Public License v3.0

[Bug]: nb_lookup incompatible with netbox_secretstore plugin #878

Open marinus81 opened 1 year ago

marinus81 commented 1 year ago

Ansible NetBox Collection version

v.3.9.0

Ansible version

ansible [core 2.13.6]
  config file = /home/user/ansible/id4-iac/ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/user/.local/lib/python3.8/site-packages/ansible
  ansible collection location = /home/user/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.8.10 (default, Jun 22 2022, 20:18:18) [GCC 9.4.0]
  jinja version = 3.0.3
  libyaml = True

NetBox version

v3.3.7

Python version

3.8

Steps to Reproduce

Expected Behavior

Lookup plugin uses netbox-secretstore plugin URL to get decrypted secret

Observed Behavior

fatal: [windows-2019-test2]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'netbox.netbox.nb_lookup'. Error was a <class 'pynetbox.core.query.RequestError'>, original message: The requested url: https://netbox.domain.at/api/secrets/get-session-key/?preserve_key=True could not be found.. The requested url: https://netbox.domain.at/api/secrets/get-session-key/?preserve_key=True could not be found."}

sc68cal commented 1 year ago

So https://netbox.domain.at/api/secrets/get-session-key/?preserve_key=True 404's - that sounds like an issue with your netbox installation. Please report this issue to them.

sc68cal commented 1 year ago

I see documentation here where the URL is http://netbox/api/plugins/netbox_secretstore/secrets/get-session-key/ - is there a version mismatch between your lookup plugin version and the secrets plugin installed in your netbox?

marinus81 commented 1 year ago

Hi @sc68cal, thanks for your response. My understanding (but this predates my involvement with NetBox, so I might have the history wrong) is that secrets used to be functionality of core NetBox. However, in version 3.0.0 of NetBox this feature was removed from NetBox core and "transformed" into a plugin.

After a bit of further investigation it seems this is a limitation of the pynetbox Python library: https://github.com/netbox-community/pynetbox/pull/430 where it was decided to not support the secrets plugin currently. IMO this currently renders the secret functionality in nb_lookup useless for NetBox >= 3.0.0.

If confirmed by somebody with more experience in NetBox I'd volunteer to update the documentation with this limitation?

sc68cal commented 1 year ago

@marinus81 Ah yes, thanks for the refresher. I had forgotten about that detail.

We discussed some parts of this also in #495, where I did not really want to deal with managing a plugin either. My intention was to punt this over to pynetbox to handle since it's really where it would need to be. So, I think if pynetbox is not willing to handle the plugin, I don't think we can either.

In fact we should probably put some sort of error in our code about trying to use the lookup on that API endpoint with NetBox >= 3.0.0 that it is not supported. @rodvand ?
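
One way to implement the error suggested in the comment above, as an added example that is not code from this thread, the collection, or pynetbox. The function names, the exception class and the `secrets` lookup term are assumptions; the two endpoint paths are the ones quoted in the thread.

```python
import re
from urllib.parse import urlsplit

# Paths quoted in the thread: the core endpoint that 404s, and the plugin's.
LEGACY_SESSION_KEY_PATH = "/api/secrets/get-session-key/"
PLUGIN_SESSION_KEY_PATH = "/api/plugins/netbox_secretstore/secrets/get-session-key/"


class SecretsLookupUnsupported(Exception):
    """Hypothetical error raised instead of an opaque 404 from the API."""


def parse_version(text):
    """Turn 'v3.3.7', '3.3' or '3.3.7-beta1' into a comparable (major, minor)."""
    m = re.match(r"\s*v?(\d+)\.(\d+)", text or "")
    if not m:
        raise ValueError(f"unrecognised NetBox version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def check_secrets_lookup(term, netbox_version):
    """Fail fast when a 'secrets' lookup (assumed term) targets NetBox >= 3.0.0."""
    if term != "secrets":
        return  # other endpoints are unaffected
    if parse_version(netbox_version) >= (3, 0):
        raise SecretsLookupUnsupported(
            f"NetBox {netbox_version} no longer serves {LEGACY_SESSION_KEY_PATH}; "
            "secrets moved to the netbox_secretstore plugin, which this lookup "
            "does not support."
        )


def explain_request_error(url, status):
    """Map the 404 seen in the report to an actionable hint; None if unrelated."""
    if status == 404 and urlsplit(url).path == LEGACY_SESSION_KEY_PATH:
        return (
            "Session-key endpoint not found: on NetBox >= 3.0.0 secrets live at "
            f"{PLUGIN_SESSION_KEY_PATH}, which is not supported here."
        )
    return None


if __name__ == "__main__":
    # Constructed inputs mirroring the versions and URL in the report.
    try:
        check_secrets_lookup("secrets", "v3.3.7")
    except SecretsLookupUnsupported as exc:
        print(exc)
    print(explain_request_error(
        "https://netbox.domain.at/api/secrets/get-session-key/?preserve_key=True", 404))
```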

rodvand commented 1 year ago

We should at least remove any example using the nb_lookup feature to look up secrets...

ryanmerolle commented 1 year ago

Adding @hollow since they raised a PR.