jetbrains / teamcity-hashicorp-vault-plugin Goto Github PK
View Code? Open in Web Editor NEWTeamCity plugin to support HashiCorp Vault
License: Apache License 2.0
teamcity-hashicorp-vault-plugin's People
Contributors
Stargazers
Watchers
Forkers
hakon bhanditz alexey-mylnikov playrix orybak jeffwecan semiria dstewart-jetbrains pavankumarthati sokomishalov bencamareno isabella232 shchuko edipdemirbilek tony-sol milltechfx hiway-mediateamcity-hashicorp-vault-plugin's Issues
Vault token is shown in plaintext in build parameters after the build.
When the build is finished or in progress, the vault wrapped token used by build to fetch secrets can be viewed in plain text. Event though the token is one-time and uses wrapping it is possible to trick the agent on not using it for this single time. After that the agent will fail with the error leaving the token usabele to fetch the secrets used by build.
Proposed solution: set type=password, display=hidden on teamcity.vault.wrapped.token
TeamCity server logs show unable to revoke token
What happened:
TeamCity server logs show an error stating it is unable to revoke a token after running a build that fetched secrets from Vault successfully.
What you expected to happen:
TeamCity server logs show no error upon revoking token.
How to reproduce it (as minimally and precisely as possible):
- Do a minimal build configuration that gets secrets from Vault
- Run build configuration
- Go to TeamCity server logs
- Notice the error message in the logs
More information:
TeamCity server logs:
[2020-07-28 17:19:43,162] WARN [@2e0f68e1"; Normal executor 13] - ty.vault.server.VaultConnector - Failed to revoke token: org.springframework.web.client.HttpClientErrorException: 400 Bad Request
Plugin configuration:
- Vault URL:
https://vault.url.com/v1 - AppRole auth endpoint path:
approle - AppRole Role ID:
**** - AppRole Secret ID:
****
Vault policy for approle:
path "secret/teamcity/build-configurations/*" {
capabilities = ["read", "list"]
}
path "auth/token/lookup-self" {
capabilities = ["read"]
}
path "auth/token/renew-self" {
capabilities = ["update"]
}
path "auth/token/revoke-self" {
capabilities = ["update"]
}
path "auth/token/revoke-accessor" {
capabilities = ["update"]
}Build configuration and parameters:
Related to comment:
#19 (comment)
Pass Vault token to build steps as a parameter
It would be convenient to make Vault token available to build steps as a special parameter (like %vault:$token%)
Build scripts can use this value to perform custom requests to Vault to use secrets engines other than key-value store (e.g. sign custom SSH certificates, access AD passwords and so on).
Considering security, it would be preferable for agents to use prepared temporary token from the server (obtained through AppRole or other method) instead of authenticating to Vault on their own.
Can't set password for uploaded SSH key
For secured passwords, like Uploaded Key Passphrase of SSH Exec step, Hasicorp Vault plugin lookup is not executed.
So, setting the password to "%vault:/secret/data/test!/password%" will not lookup to vault, but will use this string as exact password
Unable to retrieve data from a Vault cluster using https from build agent
Am using Vault and Build agents within a kubernetes cluster and am using the current Jetbrains plugin.
Vault is configured as a 3 node HA set and accessed via the URL: "https://vault.infrastructure.svc.cluster.local:8200"
Teamcity can connect using this URL and connection tests are succesful.
Teamcity build agents fails to retrieve data using the argument "vault:/vault/secret/cicd/blue!/foo"
However with a local vault install the same path will return:
vault read secret/cicd/blue
Key Value
--- -----
refresh_interval 168h
foo hello
The cluster is using self signed certs however the JVM and also vault environment variables are configured as is keystore loading on container creation into the JVM.
This has also been tried using http only as well.
Failure on agent side of the plugin(Class 'org.springframework.core.log.LogDelegateFactory' was not found)
Full error stack trace
[11:40:47] HashiCorp Vault
[11:40:47] [HashiCorp Vault] Exception occured: org/springframework/core/log/LogDelegateFactory
java.lang.NoClassDefFoundError: org/springframework/core/log/LogDelegateFactory
at org.springframework.http.HttpLogging.forLog(HttpLogging.java:68)
at org.springframework.http.HttpLogging.forLogName(HttpLogging.java:57)
at org.springframework.http.converter.AbstractHttpMessageConverter.<init>(AbstractHttpMessageConverter.java:54)
at org.springframework.http.converter.ByteArrayHttpMessageConverter.<init>(ByteArrayHttpMessageConverter.java:45)
at org.jetbrains.teamcity.vault.UtilKt.createRestTemplate(util.kt:108)
at org.jetbrains.teamcity.vault.UtilKt.createRestTemplate(util.kt:78)
at org.jetbrains.teamcity.vault.UtilKt.createRestTemplate(util.kt:72)
at org.jetbrains.teamcity.vault.agent.VaultBuildFeature$buildStarted$$inlined$forEach$lambda$1.invoke(VaultBuildFeature.kt:84)
at org.jetbrains.teamcity.vault.agent.VaultBuildFeature$buildStarted$$inlined$forEach$lambda$1.invoke(VaultBuildFeature.kt:35)
at org.jetbrains.teamcity.vault.UtilKt.activity(util.kt:171)
at org.jetbrains.teamcity.vault.agent.VaultBuildFeature.buildStarted(VaultBuildFeature.kt:79)
at jdk.internal.reflect.GeneratedMethodAccessor46.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at jetbrains.buildServer.util.EventDispatcher$3.run(EventDispatcher.java:138)
at jetbrains.buildServer.util.NamedThreadFactory.executeWithNewThreadName(NamedThreadFactory.java:76)
at jetbrains.buildServer.util.EventDispatcher.dispatch(EventDispatcher.java:132)
at jetbrains.buildServer.util.EventDispatcher$2.invoke(EventDispatcher.java:82)
at com.sun.proxy.$Proxy9.buildStarted(Unknown Source)
at jetbrains.buildServer.agent.impl.buildStages.startStages.FireBuildStartedStage.doBuildState(FireBuildStartedStage.java:20)
at jetbrains.buildServer.agent.impl.buildStages.startStages.FireEventStageBase.doBuildStage(FireEventStageBase.java:28)
at jetbrains.buildServer.agent.impl.buildStages.BuildStagesExecutor$1.callStage(BuildStagesExecutor.java:33)
at jetbrains.buildServer.agent.impl.buildStages.BuildStagesExecutor$1.callStage(BuildStagesExecutor.java:24)
at jetbrains.buildServer.agent.impl.buildStages.StagesExecutor.callRunStage(StagesExecutor.java:76)
at jetbrains.buildServer.agent.impl.buildStages.StagesExecutor.doStages(StagesExecutor.java:35)
at jetbrains.buildServer.agent.impl.buildStages.BuildStagesExecutor.doStages(BuildStagesExecutor.java:24)
at jetbrains.buildServer.agent.impl.BuildRunActionImpl.doStages(BuildRunActionImpl.java:81)
at jetbrains.buildServer.agent.impl.BuildRunActionImpl.runBuild(BuildRunActionImpl.java:57)
at jetbrains.buildServer.agent.impl.BuildAgentImpl.doActualBuild(BuildAgentImpl.java:333)
at jetbrains.buildServer.agent.impl.BuildAgentImpl.access$200(BuildAgentImpl.java:58)
at jetbrains.buildServer.agent.impl.BuildAgentImpl$1.run(BuildAgentImpl.java:288)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: java.lang.ClassNotFoundException: Class 'org.springframework.core.log.LogDelegateFactory' was not found
at jetbrains.buildServer.plugins.classLoaders.TeamCityClassLoader.doLoadClass(TeamCityClassLoader.java:85)
at jetbrains.buildServer.plugins.classLoaders.TeamCityClassLoader.loadClass(TeamCityClassLoader.java:40)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
... 32 more
- TeamCity server version is 2020.2.3 (build 86002)
- Plugin version 0.1.113
rest api
Does the plugin support rest api? We need to connect the vault server using api request
Connection to trusted https URL fails with "PKIX path building failed" if trusted SSL certificate is configured
- configure a connection to a Vault server with https:// URL using certificate issued by a trusted authority, check that "test connection" works OK.
- in the Root TeamCity project, add a certificate to "SSL / HTTPS Certificates"
Observe that now Vault test connection fails with a message like:
I/O error on POST request for "https://XXX/v1/auth/approle/login": PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The problem is that once there is at least one trusted SSL certificate configured, only those configured are considered trusted and the default trusted keystore is disregarded.
Plugin version: 0.1.98
NPE when trying to get wrapped token
[2017-11-27 12:16:44,634] WARN - aultBuildStartContextProcessor - Failed to fetch HashiCorp Vault wrapped token: null
java.lang.NullPointerException
at org.jetbrains.teamcity.vault.server.VaultConnector$Companion.doRequestWrappedToken(VaultConnector.kt:162)
at org.jetbrains.teamcity.vault.server.VaultConnector.requestWrappedToken(VaultConnector.kt:246)
at org.jetbrains.teamcity.vault.server.VaultBuildStartContextProcessor.updateParameters(VaultBuildStartContextProcessor.kt:51)
at jetbrains.buildServer.serverSide.impl.RunningBuildImpl.prepareRunners(RunningBuildImpl.java:1247)
at jetbrains.buildServer.serverSide.impl.RunningBuildImpl.createAgentBuild(RunningBuildImpl.java:1037)
at jetbrains.buildServer.serverSide.impl.BuildStarter$1.run(BuildStarter.java:132)
at jetbrains.buildServer.serverSide.impl.BuildStarter$2$1.run(BuildStarter.java:165)
at jetbrains.buildServer.util.NamedThreadFactory.executeWithNewThreadName(NamedThreadFactory.java:71)
at jetbrains.buildServer.serverSide.impl.BuildStarter$2.run(BuildStarter.java:163)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Teamcity2018.2.4 and Vault 1.4.0 plugin
ERROR: I/O error on POST request for "https://10.101.4.147:8200/v1/auth/approle/login": Connect to 10.101.4.147:8200 [/10.101.4.147] failed: connect timed out; nested exception is org.apache.http.conn.ConnectTimeoutException: Connect to 10.101.4.147:8200 [/10.101.4.147] failed: connect timed out
java.lang.LinkageError and java.lang.NoClassDefFoundError when testing IAM connection
I tried to set up a Vault Connection using IAM Authentication. When I clicked "Test Connection", I got a popup with the error:
java.lang.LinkageError: loader constraint violation: when resolving method 'void org.springframework.http.converter.json.MappingJackson2HttpMessageConverter.<init>(com.fasterxml.jackson.databind.ObjectMapper)' the class loader jetbrains.buildServer.plugins.classLoaders.PluginStandaloneClassLoader @178aded3 of the current class, org/springframework/vault/client/VaultResponses, and the class loader org.apache.catalina.loader.ParallelWebappClassLoader @14d1b094 for the method's defining class, org/springframework/http/converter/json/MappingJackson2HttpMessageConverter, have different Class objects for the type com/fasterxml/jackson/databind/ObjectMapper used in the signature (org.springframework.vault.client.VaultResponses is in unnamed module of loader jetbrains.buildServer.plugins.classLoaders.PluginStandaloneClassLoader @178aded3, parent loader org.apache.catalina.loader.ParallelWebappClassLoader @14d1b094; org.springframework.http.converter.json.MappingJackson2HttpMessageConverter is in unnamed module of loader org.apache.catalina.loader.ParallelWebappClassLoader @14d1b094, parent loader java.net.URLClassLoader @20398b7c)
Subsequents attempts to click "Test Connection" give a different error message:
java.lang.NoClassDefFoundError: Could not initialize class org.springframework.vault.client.VaultResponses
This occurred on TeamCity Enterprise 2022.04.4 (build 108763) using version 0.1.113 of this plugin and Temurin JDK 11.0.16+8 (AdoptOpenJDK).
Feature to disable plugin output to build log
There is a security/usage issue with this plugin in TC.
Plugin allows you to configure only one connection to Vault, so it means you can run only 1 AppRole, but I think I am not the only one, who has use case where multiple different teams can store secrets in Vault and use with TC, but they do not want that anyone else could access it.
So after making AppRole, you add all the policies which could be used with that AppRole and the safeguard would be a secret path, without exact path you can't get the secret values.
Currently plugin gives the output to buildlog, so partialy anyone can look at build log and see this information.
[12:38:00]
The build is removed from the queue to be prepared for the start
[12:38:00]
Starting the build on the agent build-agent-name
[12:38:01]
HashiCorp Vault
[12:38:01]
[HashiCorp Vault] HashiCorp Vault token successfully fetched
[12:38:01]
[HashiCorp Vault] 1 Vault reference to resolve: [vault:secret/path/to/some/very/secret!/value]
[12:38:01]
Clearing temporary directory: /mnt/temp/buildTmp
[12:38:01]
Publishing internal artifactsIt doesn't help if you make hidden or password in parameters, because it's exposed in a code.
Would be great to have opportunity to "silence" this.
Support Vault cluster installations
It's actually cause of #4.
Sometimes when we trying to get wrapped token server responds with
HTTP/1.1 307 Temporary Redirect
Cache-Control: no-store
Location: https://vault-node-2.internal:8200/v1/auth/approle/login
Date: Mon, 27 Nov 2017 15:16:51 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8
Add automatic veryfication of Vault KV version
In #11 was the comment -
"Unfortunately it's unclear how do that automatically since secret backend could be mounted anywhere"
Actually, it is not a very comfortable to update manually hundreds parameter variables which use values from Vault (secret/test -> secret/data/test) in case of migration from KV to KV v2.
However, I guess that it is possible to get a secret backend name from a secret path - the first word (e.g. secret/test -> secret/) and then use such request:
"curl --header "X-Vault-Token: " <VAULT_ADDRESS>/v1/sys/mounts"
for checking a version of secret backend. The Vault ACL rule is required for this:
path "sys/mounts" {
policy = "read"
}
I'd like to pay your attention that secret backend v1 can be have two possible types:
"kv"
"generic".
It makes migration process (KV -> KVv2) much more easier in case the plugin will be able to identify KV version on the fly
TeamCity Enterprise 2021.1 (build 92597)
After upgrade to TeamCity Enterprise 2021.1 (build 92597) plugin stopped working:
Failed to fetch HashiCorp Vault wrapped token: com.fasterxml.jackson.datatype.jdk8.Jdk8Module cannot be cast to com.fasterxml.jackson.databind.Module: java.lang.ClassCastException: com.fasterxml.jackson.datatype.jdk8.Jdk8Module cannot be cast to com.fasterxml.jackson.databind.Module, see teamcity-server.log for details
teamcity-server.log:
[2021-06-01 10:07:30,581] WARN - aultBuildStartContextProcessor - Failed to fetch HashiCorp Vault wrapped token: com.fasterxml.jackson.datatype.jdk8.Jdk8Module cannot be cast to com.fasterxml.jackson.databind.Module
java.lang.ClassCastException: com.fasterxml.jackson.datatype.jdk8.Jdk8Module cannot be cast to com.fasterxml.jackson.databind.Module
at org.jetbrains.teamcity.vault.support.Jackson2ObjectMapperBuilder.registerWellKnownModulesIfAvailable(Jackson2ObjectMapperBuilder.java:140)
at org.jetbrains.teamcity.vault.support.Jackson2ObjectMapperBuilder.configure(Jackson2ObjectMapperBuilder.java:85)
at org.jetbrains.teamcity.vault.support.Jackson2ObjectMapperBuilder.build(Jackson2ObjectMapperBuilder.java:72)
at org.jetbrains.teamcity.vault.support.MappingJackson2HttpMessageConverter.(MappingJackson2HttpMessageConverter.java:50)
at org.jetbrains.teamcity.vault.UtilKt.createRestTemplate(util.kt:97)
at org.jetbrains.teamcity.vault.UtilKt.createRestTemplate(util.kt:74)
at org.jetbrains.teamcity.vault.support.VaultTemplate.createSessionTemplate(VaultTemplate.java:102)
at org.jetbrains.teamcity.vault.support.VaultTemplate.(VaultTemplate.java:76)
at org.jetbrains.teamcity.vault.server.VaultConnector$Companion.doRequestWrappedToken(VaultConnector.kt:167)
at org.jetbrains.teamcity.vault.server.VaultConnector.requestWrappedToken(VaultConnector.kt:239)
at org.jetbrains.teamcity.vault.server.VaultBuildStartContextProcessor.updateParameters(VaultBuildStartContextProcessor.kt:88)
at jetbrains.buildServer.serverSide.impl.RunningBuildImpl.prepareRunners(RunningBuildImpl.java:202)
at jetbrains.buildServer.serverSide.impl.RunningBuildImpl.createAgentBuild(RunningBuildImpl.java:2)
at jetbrains.buildServer.serverSide.impl.BuildStarter.startBuildOnAgent(BuildStarter.java:200)
at jetbrains.buildServer.serverSide.impl.BuildStarter.afterChangesCollecting(BuildStarter.java:161)
at jetbrains.buildServer.serverSide.impl.BuildStarter.waitForChangesCollectingAndContinue(BuildStarter.java:167)
at jetbrains.buildServer.serverSide.impl.BuildStarter.lambda$null$0(BuildStarter.java:201)
at jetbrains.buildServer.serverSide.impl.BuildStarter.handleBuildStartAction(BuildStarter.java:76)
at jetbrains.buildServer.serverSide.impl.BuildStarter.lambda$null$1(BuildStarter.java:117)
at jetbrains.buildServer.util.NamedThreadFactory.executeWithNewThreadName(NamedThreadFactory.java:76)
at jetbrains.buildServer.serverSide.impl.BuildStarter.lambda$startBuildAsync$2(BuildStarter.java:317)
at java.util.concurrent.CompletableFuture$AsyncRun.run(CompletableFuture.java:1626)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
[2021-06-01 10:07:30,612] INFO - jetbrains.buildServer.SERVER - Build interrupted (INTERRUPTED_WITH_RERUN) with details: [comment: Failed to fetch HashiCorp Vault wrapped token: com.fasterxml.jackson.datatype.jdk8.Jdk8Module cannot be cast to com.fasterxml.jackson.databind.Module: java.lang.ClassCastException: com.fasterxml.jackson.datatype.jdk8.Jdk8Module cannot be cast to com.fasterxml.jackson.databind.Module, see teamcity-server.log for details]. Build: MedM Backend Images Builder / health_backend builds {id=MedMBackendImagesBuilder_HealthBackendBuilds, internal id=bt3438} #1616 {promotion id=423591, branch=CUSTOMER_LIFE365, agent="server-6" {id=2509}, triggered by "Git" (##vcsName='jetbrains.git' type='vcs' triggerId='vcsTrigger'), canceled=[comment: Failed to fetch HashiCorp Vault wrapped token: com.fasterxml.jackson.datatype.jdk8.Jdk8Module cannot be cast to com.fasterxml.jackson.databind.Module: java.lang.ClassCastException: com.fasterxml.jackson.datatype.jdk8.Jdk8Module cannot be cast to com.fasterxml.jackson.databind.Module, see teamcity-server.log for details]. Started 2021-06-01 10:07:28.162, running}
Add "teamcity.vault.supported" requirement
Add teamcity.vault.supported requirement to all sub-builds. This feature will exclude incompatible agents from agent list automatically.
Fetch client_id AND client_secret from Azure Secret backend
Using the Teamcity plugin I am trying to login to azure using a dynamic service principal however it does not seem possible because it needs to return two parameters : "client_id" and "client_secret"
I tried to do :
%vault:azure/creds/role1!/client_id%
%vault:azure/creds/role1!/client_secret%
in two different parameters. But it generates two service principals.
I tried to concatenate it in one like so "%vault:azure/creds/role1!/client_id%,%vault:azure/creds/role1!/client_secret%" but it did the same thing.
I tried to read this path instead "%vault:azure/creds/role1%" but it did not return anything and returned an error.
Is what I'm trying to do something possible or I am completely on the wrong track ?
Thank you :)
Retrieving non-secret information from Vault
Retrieving non-secret information from Vault, for example, project name or login, renders all attributes with such substring to become unusable: plugin replaces every occurence with "*******". So, dependent builds take garbage as an input.
Support for LDAP authentication
Is there a way to use LDAP authentication instead of approle?
Plugin doesn't work with Vault KV v2 secret backend
Tried to change a path to the following formats:
%vault:/secret/data/test!/password%"
%vault:/vault/secret/data/test!/password%"
%vault:vault/secret/data/test!/password%"
%vault:/secret/test!/password%"
%vault:secret/data/test!/password%"
%vault:secret/data/test!password%"
Memory leak in the agent part of the plugin
Seems org.jetbrains.teamcity.vault.agent.VaultBuildFeature keeps some sessions map where key is a build id and value is some session manager. But this map is never cleaned, even on build finish.
Retry revoking token in case of network problems
Observed next line in build log:
Cannot revoke HashiCorp Vault token: I/O error on POST request for "https://vault.consul:8200/v1/auth/token/revoke-self": Read timed out; nested exception is java.net.SocketTimeoutException: Read timed out
org.jetbrains.teamcity.vault.support.LifecycleAwareSessionManager#revoke should retry several times
Remove restriction on namespaces
Hi,
I cannot connect to my namespace because there is a regular expression restriction on the namespace name:
It's possible remove or bypass this restriction?
cannot extract keys with dots in their names
Using vault 1.1.3
Having a K/V 2 keys configured in TeamCity properties as:
prop1: %vault:kv/data/creds!/user1%
prop2: %vault:kv/data/creds!/vasya.p%
The value of prop1 extracts OK
The value of prop2 (wich contains dot in its key) doesnt. The build fails with WARN? (shouldnt it be at least ERROR severity?):
[2019-07-04 10:54:24,915] WARN - .agent.VaultParametersResolver - Cannot extract 'vasya.p' data from '/kv/data/creds', full reference: /kv/data/creds!/vasya.p
com.jayway.jsonpath.PathNotFoundException: Missing property in path $['vasya']
at com.jayway.jsonpath.internal.path.PathToken.handleObjectProperty(PathToken.java:72)
at com.jayway.jsonpath.internal.path.PropertyPathToken.evaluate(PropertyPathToken.java:79)
at com.jayway.jsonpath.internal.path.RootPathToken.evaluate(RootPathToken.java:62)
at com.jayway.jsonpath.internal.path.CompiledPath.evaluate(CompiledPath.java:53)
at com.jayway.jsonpath.internal.path.CompiledPath.evaluate(CompiledPath.java:61)
at com.jayway.jsonpath.JsonPath.read(JsonPath.java:187)
at com.jayway.jsonpath.JsonPath.read(JsonPath.java:157)
at org.jetbrains.teamcity.vault.agent.VaultParametersResolver$VaultParametersFetcher.extract(VaultParametersResolver.kt:161)
at org.jetbrains.teamcity.vault.agent.VaultParametersResolver$VaultParametersFetcher.getReplacements(VaultParametersResolver.kt:117)
at org.jetbrains.teamcity.vault.agent.VaultParametersResolver$VaultParametersFetcher.doFetchAndPrepareReplacements(VaultParametersResolver.kt:84)
at org.jetbrains.teamcity.vault.agent.VaultParametersResolver.doFetchAndPrepareReplacements(VaultParametersResolver.kt:74)
at org.jetbrains.teamcity.vault.agent.VaultParametersResolver.doFetchAndPrepareReplacements(VaultParametersResolver.kt:70)
at org.jetbrains.teamcity.vault.agent.VaultParametersResolver.resolve(VaultParametersResolver.kt:51)
at org.jetbrains.teamcity.vault.agent.VaultBuildFeature$buildStarted$$inlined$forEach$lambda$1.invoke(VaultBuildFeature.kt:136)
at org.jetbrains.teamcity.vault.agent.VaultBuildFeature$buildStarted$$inlined$forEach$lambda$1.invoke(VaultBuildFeature.kt:33)
at org.jetbrains.teamcity.vault.UtilKt.activity(util.kt:155)
at org.jetbrains.teamcity.vault.agent.VaultBuildFeature.buildStarted(VaultBuildFeature.kt:79)
at sun.reflect.GeneratedMethodAccessor35.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at jetbrains.buildServer.util.EventDispatcher$3.run(EventDispatcher.java:128)
at jetbrains.buildServer.util.NamedThreadFactory.executeWithNewThreadName(NamedThreadFactory.java:76)
at jetbrains.buildServer.util.EventDispatcher.dispatch(EventDispatcher.java:122)
at jetbrains.buildServer.util.EventDispatcher$2.invoke(EventDispatcher.java:72)
at com.sun.proxy.$Proxy7.buildStarted(Unknown Source)
at jetbrains.buildServer.agent.impl.buildStages.startStages.FireBuildStartedStage.doBuildState(FireBuildStartedStage.java:20)
at jetbrains.buildServer.agent.impl.buildStages.startStages.FireEventStageBase.doBuildStage(FireEventStageBase.java:26)
at jetbrains.buildServer.agent.impl.buildStages.BuildStagesExecutor$1.callStage(BuildStagesExecutor.java:31)
at jetbrains.buildServer.agent.impl.buildStages.BuildStagesExecutor$1.callStage(BuildStagesExecutor.java:24)
at jetbrains.buildServer.agent.impl.buildStages.StagesExecutor.callRunStage(StagesExecutor.java:78)
at jetbrains.buildServer.agent.impl.buildStages.StagesExecutor.doStages(StagesExecutor.java:37)
at jetbrains.buildServer.agent.impl.buildStages.BuildStagesExecutor.doStages(BuildStagesExecutor.java:24)
at jetbrains.buildServer.agent.impl.BuildRunActionImpl.doStages(BuildRunActionImpl.java:79)
at jetbrains.buildServer.agent.impl.BuildRunActionImpl.runBuild(BuildRunActionImpl.java:55)
at jetbrains.buildServer.agent.impl.BuildAgentImpl.doActualBuild(BuildAgentImpl.java:309)
at jetbrains.buildServer.agent.impl.BuildAgentImpl.access$100(BuildAgentImpl.java:54)
at jetbrains.buildServer.agent.impl.BuildAgentImpl$1.run(BuildAgentImpl.java:272)
at java.lang.Thread.run(Unknown Source)
Plugin cannot connect to Vault
Hey,
I cannot make this plugin to connect to Vault.
Pressing a "Test Connection" prompts an error, that client token is missing.
Running a build gives the same output.
Failed to fetch HashiCorp Vault wrapped token: Cannot log in to HashiCorp Vault using AppRole credentials: missing client token: org.jetbrains.teamcity.vault.server.VaultConnector$ConnectionException: Cannot log in to HashiCorp Vault using AppRole credentials: missing client token, see teamcity-server.log for details`Doing an API call curl --request POST --data @approle-login.json https://my_vault_address:8200/v1/auth/approle/login
I am able to login with the following json
{
"role_id": "bc616551-27e4-c747-6817-0b57efc6c5b3",
"secret_id": "db69f043-7588-95d0-ca1e-3eae912b057b"
}I get the following reply in JSON
{
"request_id": "e19a51ec-c06a-394e-5c3e-e9c2390a6d25",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": null,
"wrap_info": null,
"warnings": null,
"auth": {
"client_token": "734c0d87-491f-07cb-c1e7-03adea9491fd",
"accessor": "6fb6d92f-e6dc-05f2-3794-512b5b7add9e",
"policies": [
"policy_1",
"default",
"policy_2"
],
"token_policies": [
"policy_1",
"default",
"policy_2"
],
"metadata": {
"app": "teamcity",
"role_name": "teamcity"
},
"lease_duration": 600,
"renewable": true,
"entity_id": "3d5eed9e-4f23-ebc5-4366-6ad3fcbad804"
}
}Feature Request: support mTLS authentication
This is a request to add support for mTLS auth to the teamcity vault plugin.
Ideally, rather than providing an AppRole, I would like to use a pkey to be used for authentication to vault and generating the wrapping tokens that are sent to agents.
Agents could continue to use the temporary tokens they are issued and unwrap.
Error when trying to connect to Vault via LDAP
Installed the plug-in, restarted the server and tried logging in to Vault using LDAP. Clicking the "Test Connection" button produces the following error: "Unexpected error during Ajax request processing: java.lang.NoClassDefFoundError: org/springframework/web/util/UriBuilderFactory".
Weยดre using TeamCity Enterpris 2021.2 (build 99542)
Is this plugin dead?
There doesn't seem to be much happening here and key features like support for the AWS backend don't seem to have gotten further than the initial blog post mentioning it's not working.
Parsing GCP private keys - Whitespace issue?
TeamCity Enterprise 2019.2.2 (build 71923)
Plugin 2021 0.1.98
Hi,
I have uploaded a GCP service account key to Vault from a JSON file.
$ vault kv get kv/store/gcp
====== Metadata ======
Key Value
--- -----
created_time 2020-09-14T16:13:34.5395125Z
deletion_time n/a
destroyed false
version 1
=============== Data ===============
Key Value
--- -----
auth_provider_x509_cert_url https://www.googleapis.com/oauth2/v1/certs
auth_uri https://accounts.google.com/o/oauth2/auth
client_email [email protected]
client_id 00000000000
client_x509_cert_url https://www.googleapis.com/robot/v1/metadata/x509/0000000-compute%40developer.gserviceaccount.com
private_key -----BEGIN PRIVATE KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
yyyyyyy==
-----END PRIVATE KEY-----
private_key_id 00000000000000000000
project_id myproject_id
token_uri https://oauth2.googleapis.com/token
type service_account
Ideally I want to pull the whole entry out. But I will settle for fields.
So on the TC side I have a variable GCP_CREDS: %vault:/kv/data/store/gcp!/private_key%
Added this in a build step at I can't debug the creds in TC! ๐
echo "${GCP_CREDS}" > ./gcp_creds
On the agent host
$ cat gcp_creds
-----BEGIN
$
It seems to chop at the first white space?
With agent debug set to max on the agent, I can see the whole GCP key arriving intact . I then see [2021-03-04 12:42:32,310] DEBUG - ath.internal.path.CompiledPath - Evaluating path: $['private_key']
I tried a few ideas on here: https://github.com/json-path/JsonPath as theis seems to be what the code is based on. No joy.
Any ideas? Is it just my iffy BASH in the build step? :)
The vault plugin works fine for simple key value pairs. I can extract any other field from the GCP data correctly, just not "private_key" !
Commit status publisher with Vault
I have a successful connection to Vault. I have pulled passwords from the Vault inside the Build Steps successfully. But I can't use them inside of Build Features (Commit status publisher - GitLab - Private Token). Why?
Unable to fetch secrets from vault
Server Version: TeamCity Professional 2022.10.3 (build 117072)
jetbrains/teamcity-server:2022.10.3 (docker image ID: c0edf4d5ae59)
Vault plugin version: 0.1.119
Agent: jetbrains/teamcity-agent (docker image ID: 45f54a688267)
Documentation referred:
- https://blog.jetbrains.com/teamcity/2017/09/vault/
- https://plugins.jetbrains.com/plugin/10011-hashicorp-vault-support
Steps to reproduce:
- Create a project
- Goto connections -> Add Connection -> Use Vault AppRole - > (Fill necessary parameters) -> Test Connection (Shows Success)
- Create build configuration (name=vault_test) -> Add new parameter (do not mask) -> Name: env.SECRET , Value: %vault:devops/data/api-keys!/devops-na!/secret%
- build step -> command-line
#!/bin/bash
echo SECRET=${SECRET}
Expected Output
SECRET="ActualSecrethere"
Actual Output:
SECRET=%vault:devops/data/api-keys!/devops-na!/secret%
This is same as variable value itself.
Other options tried:
- Name: env.VAULT_SUPPORTED Value: %teamcity.vault.supported% , Output = true
- Name: env.SECRET , Value: %vault:/devops/data/api-keys!/devops-na!/secret% (see / at starting of path), Output = Same as Value string but not actual secret
- Name: env.URL , Value: %teamcity.vault.url% , Output: (as visible in configuration parameters section)
Build Log:
[07:50:57] : [Step 1/1] Starting: /opt/buildagent/temp/agentTmp/custom_script4451755130190608596
[07:50:57] : [Step 1/1] in directory: /opt/buildagent/work/2b35ac7e0452d98f
[07:50:57] : [Step 1/1] VAULT_SUPPORTED=true
[07:50:57] : [Step 1/1] SECRET=%vault:devops/data/api-keys!/devops-na!/secret%
[07:50:57] : [Step 1/1] AWS_SECRET=%vault:aws/data/creds/developer!/access_key%
[07:50:57] : [Step 1/1] Process exited with code 0
[07:50:57] : Publishing internal artifacts
I have read other reported issues in this repo already and the options haven't helped much.
Note that using vault utility on bash works fine though.
Add ability to set the unwrap timeout up
This feature prevents the timeout exceeded during long checkout and disk clean with the following error:
[HashiCorp Vault ('staging' namespace)] Failed to unwrap HashiCorp Vault token: Cannot retrieve Token from Cubbyhole: 403 permission denied
org.springframework.vault.VaultException: Cannot retrieve Token from Cubbyhole: 403 permission denied
Parameter "env.arg=%vault:vault/path!key%" is not fully resolved, using as is.
I configured the plugin to connect to Vault and the "Test connection" is showing that the connection is working.
But the parameter isn't working and i see the message:
Parameter "env.arg=%vault:vault/path!key%" is not fully resolved, using as is.
In the build log
[HH:MM:SS]W: HashiCorp Vault
[HH:MM:SS] : [HashiCorp Vault] HashiCorp Vault token successfully fetched
[HH:MM:SS] : [HashiCorp Vault] 1 Vault references to resolve: [vault:vault/path!key]
[HH:MM:SS]W: [HashiCorp Vault] Failed to fetch data for path 'vault/path!key'
[HH:MM:SS]W: [HashiCorp Vault] Cannot resolve 'vault/path!key': data wasn't received from HashiCorp Vault
Also in the build parameters i see that the plugins seems to be installed:
teamcity.vault.supported = true
teamcity.vault.url = http://vault-server:8200
teamcity.vault.wrapped.token = <XXXXXXX>
TeamCity version: 2017.1.4 (build 47070)
TeamCity HashiCorp Vault Support version: 0.1.43
How can i check the logs/debug why it's not working properly?
Allow stopping build process in case of unable to communicate with Vault
In many cases, it is useless to continue to build w/o some data from Vault.
Plugin doesn't work with recent update (0.1.71)
There's exceptio non agent side which could be found only in agent logs:
Error calling method AgentLifeCycleListener.buildStarted for listener org.jetbrains.teamcity.vault.agent.VaultBuildFeature: java.lang.NoClassDefFoundError: org/apache/http/conn/SchemePortResolver
at jetbrains.buildServer.util.EventDispatcher$3.run(EventDispatcher.java:146)
at jetbrains.buildServer.util.NamedThreadFactory.executeWithNewThreadName(NamedThreadFactory.java:76)
at jetbrains.buildServer.util.EventDispatcher.dispatch(EventDispatcher.java:120)
at jetbrains.buildServer.util.EventDispatcher$2.invoke(EventDispatcher.java:70)
at com.sun.proxy.$Proxy7.buildStarted(Unknown Source)
at jetbrains.buildServer.agent.impl.buildStages.startStages.FireBuildStartedStage.doBuildState(FireBuildStartedStage.java:20)
at jetbrains.buildServer.agent.impl.buildStages.startStages.FireEventStageBase.doBuildStage(FireEventStageBase.java:26)
at jetbrains.buildServer.agent.impl.buildStages.BuildStagesExecutor$1.callStage(BuildStagesExecutor.java:31)
at jetbrains.buildServer.agent.impl.buildStages.BuildStagesExecutor$1.callStage(BuildStagesExecutor.java:24)
at jetbrains.buildServer.agent.impl.buildStages.StagesExecutor.callRunStage(StagesExecutor.java:78)
at jetbrains.buildServer.agent.impl.buildStages.StagesExecutor.doStages(StagesExecutor.java:37)
at jetbrains.buildServer.agent.impl.buildStages.BuildStagesExecutor.doStages(BuildStagesExecutor.java:24)
at jetbrains.buildServer.agent.impl.BuildRunActionImpl.doStages(BuildRunActionImpl.java:75)
at jetbrains.buildServer.agent.impl.BuildRunActionImpl.runBuild(BuildRunActionImpl.java:55)
at jetbrains.buildServer.agent.impl.BuildAgentImpl.doActualBuild(BuildAgentImpl.java:300)
at jetbrains.buildServer.agent.impl.BuildAgentImpl.access$100(BuildAgentImpl.java:54)
at jetbrains.buildServer.agent.impl.BuildAgentImpl$1.run(BuildAgentImpl.java:264)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.NoClassDefFoundError: org/apache/http/conn/SchemePortResolver
at org.jetbrains.teamcity.vault.support.ClientHttpRequestFactoryFactory.create(ClientHttpRequestFactoryFactory.java:69)
at org.jetbrains.teamcity.vault.UtilKt.createClientHttpRequestFactory(util.kt:59)
at org.jetbrains.teamcity.vault.UtilKt.createRestTemplate(util.kt:64)
at org.jetbrains.teamcity.vault.agent.VaultBuildFeature$buildStarted$$inlined$forEach$lambda$1.invoke(VaultBuildFeature.kt:96)
at org.jetbrains.teamcity.vault.agent.VaultBuildFeature$buildStarted$$inlined$forEach$lambda$1.invoke(VaultBuildFeature.kt:33)
at org.jetbrains.teamcity.vault.UtilKt.activity(util.kt:155)
at org.jetbrains.teamcity.vault.agent.VaultBuildFeature.buildStarted(VaultBuildFeature.kt:79)
at sun.reflect.GeneratedMethodAccessor32.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at jetbrains.buildServer.util.EventDispatcher$3.run(EventDispatcher.java:126)
... 17 more
Caused by: java.lang.ClassNotFoundException: Class 'org.apache.http.conn.SchemePortResolver' was not found
at jetbrains.buildServer.plugins.classLoaders.TeamCityClassLoader.doLoadClass(TeamCityClassLoader.java:85)
at jetbrains.buildServer.plugins.classLoaders.TeamCityClassLoader.loadClass(TeamCityClassLoader.java:40)
Use AWS IAM Auth Method for Vault authentication
This is feature request to implement login to Vault using AWS IAM auth method
Currently, the plugin logs into Vault using a Vault approle auth. This presents us with a number of issues:
- The Vault approle design by itself creates a chicken and egg situation where we need to authenticate to Vault to fetch the
role-idandsecret-id, which is then used by systems to authenticate to that secret store. Albeit doable, it's difficult to automate the configuration of the plugin - A rotation of an approle
role-idandsecret-idrequires intervention to refresh on TeamCity server side role-idandsecret-idare configured in the plugin to enable TeamCity to authenticate to Vault, and those information are stored on the filesystem of TeamCity server
a. our instance of TeamCity acts as our CICD tool, and some of its build configurations will require secrets that grants access to production
b. givenrole-idandsecret-idare stored on file, should someone gain access to TeamCity server, that person could retrieve those information and generate tokens and gain access to the secrets
Given the reasons mentioned above and given the current state of the plugin, would it be possible to implement the authentication to Vault using AWS IAM auth method? We are willing to work on a Pull Request should this feature make sense in the plugin.
error when trying to connect to vault via IAM
Vault Version is 1.7.2.
Unexpected error occurred on server:<br/>Unexpected error during Ajax request processing: java.lang.NoClassDefFoundError: Could not initialize class org.springframework.vault.client.VaultResponses 6916222305304872546.js:5:790
_log https://localhost:8080/res/6916222305304872546.js?v=1623926069989:5
error https://localhost:8080/res/6916222305304872546.js?v=1623926069989:5
onUnexpectedError https://localhost:8080/res/6916222305304872546.js?v=1623926069989:5
processErrors https://localhost:8080/res/6916222305304872546.js?v=1623926069989:10
onComplete https://localhost:8080/res/6916222305304872546.js?v=1623926069989:5
respondToReadyState https://localhost:8080/res/-4735258447288317237.js?v=1623926069989:8
onStateChange https://localhost:8080/res/-4735258447288317237.js?v=1623926069989:8
request https://localhost:8080/res/-4735258447288317237.js?v=1623926069989:8
initialize https://localhost:8080/res/-4735258447288317237.js?v=1623926069989:8
c https://localhost:8080/res/-4735258447288317237.js?v=1623926069989:5
e https://localhost:8080/res/-4735258447288317237.js?v=1623926069989:5
ajaxRequest https://localhost:8080/res/6916222305304872546.js?v=1623926069989:5
save https://localhost:8080/res/6916222305304872546.js?v=1623926069989:36
save https://localhost:8080/res/6916222305304872546.js?v=1623926069989:37
submitTestConnection https://localhost:8080/res/-4735258447288317237.js?v=1623926069989 line 6 > eval:4
onclick https://localhost:8080/admin/editProject.html?projectId=_Root&tab=oauthConnections#:1
this also leads to an error in the UI:
Show a variable description and default value
It would be nice and useful to see variable description and a default value if they exist.
variable "desired_capacity" {
description = "The maximum size of the auto scale group."
default = "3"
}
Vault Enterprise namespace support
Hi all,
Correct me if I'm wrong but I cannot find anything related to the subject. Can anyone confirm that this plugin compatible with Vault Enterprise Namespaces?
I saw #10 issue but that didn't solve my problem and looks like that is for multiple sessions with default Vault namespace.
Auth mount path should be customisable
Vault allows to mount auth-backend of any type to any path. Currently this path seems to be hardcoded as "approle".
For example with multiple approle backends I could mount one like this:
vault auth-enable -path teamcity/datacenter1 approle
After that post requests should go to /auth/teamcity/datacenter1/... instead of /auth/approle/...
Configurable ldap auth mount path
Fix plugin documentation
I had a problem with Vault plugin after read documentation from post: https://blog.jetbrains.com/teamcity/2017/09/vault/
Correct format:
%vault:secret/some/path!/somekey%
From documentation:
%vault:secret/some/path!somekey%
Is the post an only one official documentation?
There is a issue, which helped me to solve the problem: #1
But, documentation is still incorrect. Fix it, please.
VCS with Vault
I successfully connected the Vault. Delivery of secrets to build step works. But it is not possible to specify the login for authorization of the VCS (i use configuration parameters).
Why?
Retry request to Vault if it fails because of network connection
If request to Vault fails, it makes sense to retry before failing the build.
This is probbaly actual for the server and agent operations.
BTW, in case of the network errors, it would make sense to include the original error in the build log message.
Here is an example of the failing agent operation:
Build log:
Failed to fetch data for path '/aws-XXX/sts/XXX'
Cannot resolve '/aws-XXX/sts/XXX!/access_key': data wasn't received from HashiCorp Vault
Agent log:
[2021-11-22 14:34:29,052] WARN - .agent.VaultParametersResolver - Failed to fetch data for path '/aws-XXX/sts/XXX'
org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://vault.XXX:443/v1/aws-XXX/sts/XXX": Connect to vault.XXX:443 [...] failed: connect timed out; nested exception is org.apache.http.conn.ConnectTimeoutException: Connect to vault.XXX:443 [...] failed: connect timed out
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:607)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:557)
at org.springframework.web.client.RestTemplate.getForObject(RestTemplate.java:264)
at org.jetbrains.teamcity.vault.support.VaultTemplate$3.doWithRestOperations(VaultTemplate.java:180)
at org.jetbrains.teamcity.vault.support.VaultTemplate.doWithSession(VaultTemplate.java:166)
at org.jetbrains.teamcity.vault.support.VaultTemplate.doRead(VaultTemplate.java:174)
at org.jetbrains.teamcity.vault.support.VaultTemplate.read(VaultTemplate.java:135)
at org.jetbrains.teamcity.vault.agent.VaultParametersResolver$VaultParametersFetcher.fetch(VaultParametersResolver.kt:94)
at org.jetbrains.teamcity.vault.agent.VaultParametersResolver$VaultParametersFetcher.doFetchAndPrepareReplacements(VaultParametersResolver.kt:82)
at org.jetbrains.teamcity.vault.agent.VaultParametersResolver.doFetchAndPrepareReplacements(VaultParametersResolver.kt:74)
at org.jetbrains.teamcity.vault.agent.VaultParametersResolver.doFetchAndPrepareReplacements(VaultParametersResolver.kt:70)
at org.jetbrains.teamcity.vault.agent.VaultParametersResolver.resolve(VaultParametersResolver.kt:51)
at org.jetbrains.teamcity.vault.agent.VaultBuildFeature$buildStarted$$inlined$forEach$lambda$1.invoke(VaultBuildFeature.kt:138)
at org.jetbrains.teamcity.vault.agent.VaultBuildFeature$buildStarted$$inlined$forEach$lambda$1.invoke(VaultBuildFeature.kt:35)
at org.jetbrains.teamcity.vault.UtilKt.activity(util.kt:171)
at org.jetbrains.teamcity.vault.agent.VaultBuildFeature.buildStarted(VaultBuildFeature.kt:79)
at sun.reflect.GeneratedMethodAccessor96.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at jetbrains.buildServer.util.EventDispatcher$3.run(EventDispatcher.java:138)
at jetbrains.buildServer.util.NamedThreadFactory.executeWithNewThreadName(NamedThreadFactory.java:76)
at jetbrains.buildServer.util.EventDispatcher.dispatch(EventDispatcher.java:132)
at jetbrains.buildServer.util.EventDispatcher$2.invoke(EventDispatcher.java:82)
at com.sun.proxy.$Proxy7.buildStarted(Unknown Source)
at jetbrains.buildServer.agent.impl.buildStages.startStages.FireBuildStartedStage.doBuildState(FireBuildStartedStage.java:20)
at jetbrains.buildServer.agent.impl.buildStages.startStages.FireEventStageBase.doBuildStage(FireEventStageBase.java:28)
at jetbrains.buildServer.agent.impl.buildStages.BuildStagesExecutor$1.callStage(BuildStagesExecutor.java:33)
at jetbrains.buildServer.agent.impl.buildStages.BuildStagesExecutor$1.callStage(BuildStagesExecutor.java:24)
at jetbrains.buildServer.agent.impl.buildStages.StagesExecutor.callRunStage(StagesExecutor.java:76)
at jetbrains.buildServer.agent.impl.buildStages.StagesExecutor.doStages(StagesExecutor.java:35)
at jetbrains.buildServer.agent.impl.buildStages.BuildStagesExecutor.doStages(BuildStagesExecutor.java:24)
at jetbrains.buildServer.agent.impl.BuildRunActionImpl.doStages(BuildRunActionImpl.java:81)
at jetbrains.buildServer.agent.impl.BuildRunActionImpl.runBuild(BuildRunActionImpl.java:57)
at jetbrains.buildServer.agent.impl.BuildAgentImpl.doActualBuild(BuildAgentImpl.java:332)
at jetbrains.buildServer.agent.impl.BuildAgentImpl.access$200(BuildAgentImpl.java:58)
at jetbrains.buildServer.agent.impl.BuildAgentImpl$1.run(BuildAgentImpl.java:287)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.http.conn.ConnectTimeoutException: Connect to vault.XXX:443 [...] failed: connect timed out
at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:134)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:319)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:363)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:219)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:86)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
at org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:91)
at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53)
at org.springframework.http.client.InterceptingClientHttpRequest$InterceptingRequestExecution.execute(InterceptingClientHttpRequest.java:93)
at org.jetbrains.teamcity.vault.support.VaultTemplate$1.intercept(VaultTemplate.java:104)
at org.springframework.http.client.InterceptingClientHttpRequest$InterceptingRequestExecution.execute(InterceptingClientHttpRequest.java:85)
at org.springframework.http.client.InterceptingClientHttpRequest.executeInternal(InterceptingClientHttpRequest.java:69)
at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53)
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:596)
... 36 more
Caused by: java.net.SocketTimeoutException: connect timed out
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:607)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:244)
at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:125)
... 55 more
Plugin fails to work when secrets contain two '%' symbols
Hi.
Found a very rare case with password eventually containing two percent symbols, separated by other symbols. If such password is passed via environment variable, plugin puts the parameter value instead of secret.
Version: TeamCity Enterprise 2019.2.2 (build 71923)
Steps to reproduce
- Create vault secret like
{"password": "asdf%1234%zxcv"} - Pass the secret over the enviromnent vriable parameter, i.e create the env variable with value
%vault:some/path!/password% - Variable will have it's original value
%vault:some/path!/password%instead of password. This only happens with environment variable. - If existing parameter name is used between % symbols (example:
{ "password": "qwer%teamcity.vault.supported%zxcv" }, the enviromnent variable is templated with this parameter. This happens with both - variable and parameter used "as is".
Problems with connection
Hi,
I have lot of problems to connect with the plugin to my Vault instance. I get different errors when I tried some approach with the parameters.
1. With approle in the role path
2. With the path role that I used to read from cli
I used this role Id and secret Id in a http post request and it works:
POST: https://vaultinstance.com/v1/auth/approle/login
{
"role_id":"{{TEMP_ROLE_ID}}",
"secret_id": "{{TEMP_SECRET}}"
}
RESPONSE
{
"request_id": "",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": null,
"wrap_info": {
"token": "SSS",
"accessor": "DDDD",
"ttl": 120,
"creation_time": "2020-04-27T16:06:48.271773469Z",
"creation_path": "auth/approle/login",
"wrapped_accessor": "VVV"
},
"warnings": null,
"auth": null
}
TC Version: 2019.2.3 (build 72031)
Plugin version: 0.1.92 (got from TC compilation)
Namespace Vault Parameters
I would like to run multiple copies of the vault-plugin. We have a few globally accessible items but we also have some more restricted passwords that should only be accessible via a single project.
Looking at this line its has a constant of vault:* but it would really be nice if you could just configure in the UI a namespace for example vault_my:* This would allow me to access both the top level vault definition and the single project definition without conflict.
Unable to retrieve kv(v2) secret
Whenever I'm enabling kv(v1) in particular path all secrets retrieves properly
[10:47:27]HashiCorp Vault
[10:47:28]HashiCorp Vault token successfully fetched
[10:47:28]5 Vault references to resolve: [vault:secret/data/keys!/roottoken, vault:secret/data/mysql/webapp!/db_name, vault:secret/data/mysql/webapp!/password, vault:secret/data/mysql/webapp!/url, vault:secret/data/mysql/webapp!/username]
but if I change the kv version to v2 (disable kv1 and enable kv2 in the same path, or simply enable kv2 in another path) it doesn't work and the only messages are as follow:
[2020-09-08 12:15:42,102] WARN - .agent.VaultParametersResolver - Cannot resolve '/secret/data/keys!/roottoken': data wasn't received from HashiCorp Vault
[2020-09-08 12:15:42,102] INFO - nt.impl.BuildRunAgentStateImpl - Stopping build on agent. Reason: fail and stop build command from the agent (Error while fetching data from HashiCorp Vault )
The policy is:
# Read-only permission on 'secret/data/*' path
path "secret/data/*" {
capabilities = [ "create", "read", "update", "delete", "list" ]
}
Cannot get kvs from multiple secrets
When, in one project, I try to set environment variables with kvs from multiple secrets, I get this error:
[HashiCorp Vault ('de_stage' namespace)] 4 Vault references to resolve: [vault:de_stage:/de/stage/external-model-ui!/external-model-ui-qa-access-key, vault:de_stage:/de/stage/external-model-ui!/external-model-ui-qa-secret-key, vault:de_stage:/de/stage/model-deployer!/model-deployer-access-key, vault:de_stage:/de/stage/model-deployer!/model-deployer-secret-key]
[15:17:13]
[HashiCorp Vault ('de_stage' namespace)] Failed to fetch data for path '/de/stage/model-deployer'
[15:17:13]
[HashiCorp Vault ('de_stage' namespace)] Cannot resolve '/de/stage/model-deployer!/model-deployer-access-key': data wasn't received from HashiCorp Vault
[15:17:13]
[HashiCorp Vault ('de_stage' namespace)] Cannot resolve '/de/stage/model-deployer!/model-deployer-secret-key': data wasn't received from HashiCorp Vault
If I only try to get from one secret, there are no issues.
IAM authentication does not allow header_value and role to be configured
HashiCorp's docs recommend that the IAM auth method be configured to use a nonce (X-Vault-AWS-IAM-Server-ID).
In addition, when the role name in Vault is different from the IAM role, the role name must be specified as well.
This plugin does not allow either values to be configured.
To be clear: as per HashiCorp's docs, a client that authenticates using the IAM method on the CLI would do something like the following:
vault login -method=aws header_value=vault.example.com role=dev-role-iam
This plugin needs to allow for the equivalent of the header_value and role above to be specified.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.