Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cannot disable certificate validation when using vault_kv2_get lookup #461

Open
argetlam-coder opened this issue Nov 17, 2024 · 4 comments · May be fixed by #462
Open

Cannot disable certificate validation when using vault_kv2_get lookup #461

argetlam-coder opened this issue Nov 17, 2024 · 4 comments · May be fixed by #462
Labels
bug Something isn't working

Comments

@argetlam-coder
Copy link

argetlam-coder commented Nov 17, 2024

SUMMARY

I am trying to retrieve a secret from my vault using the vault_kv2_get lookup. Since my vault uses a self-signed certificate, I need to disable certificate validation. I have set the corresponding parameter as described in the documentation but still the certificate validation is not deactivated.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

vault_kv2_get lookup

ANSIBLE VERSION
ansible [core 2.17.2]
  python version = 3.11.2 (main, Aug 26 2024, 07:20:54) [GCC 12.2.0]
  jinja version = 3.1.4
COLLECTION VERSION
Collection            Version
--------------------- -------
community.hashi_vault 6.2.0 
CONFIGURATION
[hashi_vault_collection]
auth_method = token
url = https://192.168.1.253:8200
retries = 5
token_path = ./
token_file = .vault-token
STEPS TO REPRODUCE

I have tried all three variants described in the documentation (https://docs.ansible.com/ansible/latest/collections/community/hashi_vault/vault_kv2_get_lookup.html#ansible-collections-community-hashi-vault-vault-kv2-get-lookup). Neither variables nor parameters nor environment variables worked.

Here is my playbook with variables

---
- name: vault test playbook
  hosts:
   - 127.0.0.1
  vars:
   ansible_hashi_vault_engine_mount_point: kv
   ansible_hashi_vault_validate_certs: false
  tasks:    
   - name: Perform a kv2 read with token login, showing the secret
     ansible.builtin.debug:
       msg: "{{ lookup('community.hashi_vault.vault_kv2_get', 'test')['secret'] }}"

and here is my playbook with parameters:

---
- name: vault test playbook
  hosts:
   - 127.0.0.1
  tasks:    
   - name: Perform akv2 read with token login, showing the secret
     ansible.builtin.debug:
       msg: "{{ lookup('community.hashi_vault.vault_kv2_get', 'test', engine_mount_point='kv', validate_certs=false)['secret'] }}"
EXPECTED RESULTS

The secret from the vault should be displayed.

ACTUAL RESULTS

I get the following error:

TASK [Perform akv2 read with a single Vault login, showing the secret] *********************************************************************************************************************
task path: /home/user/Repos/ansible-repository/openbao.yml:29
Loading collection community.hashi_vault from /home/user/Repos/ansible-repository/collections/ansible_collections/community/hashi_vault
[WARNING]: community.hashi_vault: 5 retries remaining.
[WARNING]: community.hashi_vault: 4 retries remaining.
[WARNING]: community.hashi_vault: 3 retries remaining.
[WARNING]: community.hashi_vault: 2 retries remaining.
[WARNING]: community.hashi_vault: 1 retry remaining.
exception during Jinja2 execution: Traceback (most recent call last):
  File "/home/user/.local/pipx/venvs/ansible-core/lib/python3.11/site-packages/urllib3/connectionpool.py", line 466, in _make_request
    self._validate_conn(conn)
  File "/home/user/.local/pipx/venvs/ansible-core/lib/python3.11/site-packages/urllib3/connectionpool.py", line 1095, in _validate_conn
    conn.connect()
  File "/home/user/.local/pipx/venvs/ansible-core/lib/python3.11/site-packages/urllib3/connection.py", line 730, in connect
    sock_and_verified = _ssl_wrap_socket_and_match_hostname(
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/.local/pipx/venvs/ansible-core/lib/python3.11/site-packages/urllib3/connection.py", line 909, in _ssl_wrap_socket_and_match_hostname
    ssl_sock = ssl_wrap_socket(
               ^^^^^^^^^^^^^^^^
  File "/home/user/.local/pipx/venvs/ansible-core/lib/python3.11/site-packages/urllib3/util/ssl_.py", line 469, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls, server_hostname)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/.local/pipx/venvs/ansible-core/lib/python3.11/site-packages/urllib3/util/ssl_.py", line 513, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/ssl.py", line 517, in wrap_socket
    return self.sslsocket_class._create(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/ssl.py", line 1108, in _create
    self.do_handshake()
  File "/usr/lib/python3.11/ssl.py", line 1379, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:992)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/user/.local/pipx/venvs/ansible-core/lib/python3.11/site-packages/urllib3/connectionpool.py", line 789, in urlopen
    response = self._make_request(
               ^^^^^^^^^^^^^^^^^^^
  File "/home/user/.local/pipx/venvs/ansible-core/lib/python3.11/site-packages/urllib3/connectionpool.py", line 490, in _make_request
    raise new_e
urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:992)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/home/user/.local/pipx/venvs/ansible-core/lib/python3.11/site-packages/requests/adapters.py", line 667, in send
    resp = conn.urlopen(
           ^^^^^^^^^^^^^
  File "/home/user/.local/pipx/venvs/ansible-core/lib/python3.11/site-packages/urllib3/connectionpool.py", line 873, in urlopen
    return self.urlopen(
           ^^^^^^^^^^^^^
  File "/home/user/.local/pipx/venvs/ansible-core/lib/python3.11/site-packages/urllib3/connectionpool.py", line 873, in urlopen
    return self.urlopen(
           ^^^^^^^^^^^^^
  File "/home/user/.local/pipx/venvs/ansible-core/lib/python3.11/site-packages/urllib3/connectionpool.py", line 873, in urlopen
    return self.urlopen(
           ^^^^^^^^^^^^^
  [Previous line repeated 2 more times]
  File "/home/user/.local/pipx/venvs/ansible-core/lib/python3.11/site-packages/urllib3/connectionpool.py", line 843, in urlopen
    retries = retries.increment(
              ^^^^^^^^^^^^^^^^^^
  File "/home/user/.local/pipx/venvs/ansible-core/lib/python3.11/site-packages/urllib3/util/retry.py", line 519, in increment
    raise MaxRetryError(_pool, url, reason) from reason  # type: ignore[arg-type]
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='192.168.1.253', port=8200): Max retries exceeded with url: /v1/kv/data/test (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:992)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/user/.local/pipx/venvs/ansible-core/lib/python3.11/site-packages/ansible/template/__init__.py", line 856, in _lookup
    ran = instance.run(loop_terms, variables=self._available_variables, **kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/Repos/ansible-repository/collections/ansible_collections/community/hashi_vault/plugins/lookup/vault_kv2_get.py", line 218, in run
    raw = client.secrets.kv.v2.read_secret_version(path=term, version=version, mount_point=engine_mount_point)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/.local/pipx/venvs/ansible-core/lib/python3.11/site-packages/hvac/api/secrets_engines/kv_v2.py", line 153, in read_secret_version
    return self._adapter.get(
           ^^^^^^^^^^^^^^^^^^
  File "/home/user/.local/pipx/venvs/ansible-core/lib/python3.11/site-packages/hvac/adapters.py", line 146, in get
    return self.request("get", url, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/.local/pipx/venvs/ansible-core/lib/python3.11/site-packages/hvac/adapters.py", line 408, in request
    response = super().request(*args, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/.local/pipx/venvs/ansible-core/lib/python3.11/site-packages/hvac/adapters.py", line 367, in request
    response = self.session.request(
               ^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/.local/pipx/venvs/ansible-core/lib/python3.11/site-packages/requests/sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/.local/pipx/venvs/ansible-core/lib/python3.11/site-packages/requests/sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/.local/pipx/venvs/ansible-core/lib/python3.11/site-packages/requests/adapters.py", line 698, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='192.168.1.253', port=8200): Max retries exceeded with url: /v1/kv/data/test (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:992)')))
fatal: [127.0.0.1]: FAILED! => {
    "msg": "An unhandled exception occurred while running the lookup plugin 'community.hashi_vault.vault_kv2_get'. Error was a <class 'requests.exceptions.SSLError'>, original message: HTTPSConnectionPool(host='192.168.1.253', port=8200): Max retries exceeded with url: /v1/kv/data/test (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:992)'))). HTTPSConnectionPool(host='192.168.1.253', port=8200): Max retries exceeded with url: /v1/kv/data/test (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:992)')))"
}
@argetlam-coder
Copy link
Author

argetlam-coder commented Nov 17, 2024

Hi @briantist , I will try an older version. In the meantime, I have tried the vault_kv2_get module. The module works with the following playbook:

---
- name: vault test playbook
  hosts:
   - 127.0.0.1
  vars:
   ansible_hashi_vault_engine_mount_point: kv
   ansible_hashi_vault_validate_certs: false
  tasks:
   - name: Read the latest version of a kv2 secret from Vault via the remote host with userpass auth
     community.hashi_vault.vault_kv2_get:
       url: https://192.168.1.253:8200
       token: xxxxxxxx
       engine_mount_point: kv
       path: test
       validate_certs: false
     register: response
   
   - name: Display the results
     ansible.builtin.debug:
       msg: "{{ response.secret }}"

It seems that only the pluginvault_kv2_get lookup plugin is affected by this problem.

@argetlam-coder
Copy link
Author

I have now tried different versions (2.5.0, 3.4.0, 4.2.1, 5.0.1), but the problem persists in all versions. It works in all versions when I use the module, but not when I use the lookup plugin.

@argetlam-coder
Copy link
Author

The error actually also occurs with the module. I had just accidentally configured the lookup plugin and the module differently.

The cause is the retries parameter. As soon as I set this, the certificate validation is executed regardless of how the validate_certs parameter is set.

I have found the error in the code and will create a pull request.

argetlam-coder added a commit to argetlam-coder/community.hashi_vault that referenced this issue Dec 14, 2024
…as set. Fix now also sets the parameter correctly in the retry request session

Closes ansible-collections#461
@briantist briantist added the bug Something isn't working label Dec 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
2 participants