Need v2 K/V secrets engine support #68

Closed
wknapik opened this issue May 18, 2018 · 11 comments

wknapik commented May 18, 2018

Server started with:

% vault server -dev

Example code from https://pypi.org/project/ansible-modules-hashivault/:

% export VAULT_ADDR='http://127.0.0.1:8200'
% cat >example.yml <<EOF
---
- hosts: localhost
  vars:
    foo_value: 'fum'
    fie_value: 'fum'
  tasks:
    - hashivault_status:
      register: 'vault_status'
    - hashivault_write:
        secret: 'giant'
        data:
            foo: '{{foo_value}}'
            fie: '{{fie_value}}'
      register: 'vault_write'
    - hashivault_read:
        secret: 'giant'
        key: 'fie'
      register: 'vault_read'
EOF
% ansible-playbook example.yml
PLAY [localhost] ******************************************************************************************************************************************************************************************************************************

TASK [Gathering Facts] ************************************************************************************************************************************************************************************************************************
ok: [localhost]

TASK [hashivault_status] **********************************************************************************************************************************************************************************************************************
ok: [localhost]

TASK [hashivault_write] ***********************************************************************************************************************************************************************************************************************
fatal: [localhost]: FAILED! => {
    "changed": false, 
    "rc": 1
}

MSG:

Exception: {"request_id":"4c06a0be-9e8d-a4f0-6603-1c96d258a876","lease_id":"","renewable":false,"lease_duration":0,"data":null,"wrap_info":null,"warnings":["Invalid path for a versioned K/V secrets engine. See the API docs for the appropriate API endpoints to use. If using the Vault CLI, use 'vault kv put' for this operation."],"auth":null}

        to retry, use: --limit @/some/path/example.retry

PLAY RECAP ************************************************************************************************************************************************************************************************************************************
localhost                  : ok=2    changed=0    unreachable=0    failed=1   
%

Manual query:

% vault kv put secret/foo value=bar
Key              Value
---              -----
created_time     2018-05-18T15:25:50.377136792Z
deletion_time    n/a
destroyed        false
version          1
% vault kv get secret/foo       
====== Metadata ======
Key              Value
---              -----
created_time     2018-05-18T15:25:50.377136792Z
deletion_time    n/a
destroyed        false
version          1

==== Data ====
Key      Value
---      -----
value    bar
% vault write secret/bar value=baz 
Error writing data to secret/bar: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/secret/bar
Code: 404. Errors:


WARNING! The following warnings were returned from Vault:

  * Invalid path for a versioned K/V secrets engine. See the API docs for the
  appropriate API endpoints to use. If using the Vault CLI, use 'vault kv put'
  for this operation.
%

Versions:

% vault --version
Vault v0.10.1 ('756fdc4587350daf1c65b93647b2cc31a6f119cd+CHANGES')
% ansible --version
ansible 2.5.2
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/foo/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.6/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.6.5 (default, May 11 2018, 04:00:52) [GCC 8.1.0]
% uname -a
Linux something 4.16.8-1-ARCH #1 SMP PREEMPT Wed May 9 11:25:02 UTC 2018 x86_64 GNU/Linux
%

wknapik commented May 22, 2018

Seems to be an issue with hvac. Reported it here hvac/hvac#183.

laurentribot commented Sep 24, 2018

The hvac issue is closed, with support added for the k/v v2 API.
Unfortunately, without autodetection of the backend version.
Perhaps hashivault modules should implement a new parameter to set the API version to use.
@TerryHowe

@TerryHowe TerryHowe changed the title Invalid path for a versioned K/V secrets engine Invalid path for a v2 K/V secrets engine Oct 7, 2018
@TerryHowe TerryHowe changed the title Invalid path for a v2 K/V secrets engine Need v2 K/V secrets engine support Oct 7, 2018
@drewmullen
Contributor

FYI - you can prepend your secret option in your play with data and it works fine. Example:

    - name: terry howe vault read
      hashivault_read:
        secret: data/test

reads a secret at secret/test (kv2) just fine
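As an added illustration (not code from ansible-modules-hashivault or hvac) of why the plain `secret/test` path fails on the dev server's v2 mount while `data/test` works: the request path and body shape a K/V write and read need for each engine version, plus version detection from a `sys/internal/ui/mounts/<path>` response. All sample data is constructed; the mounts response shape is assumed from the Vault API docs and nothing contacts a real Vault.

```python
# Added example (not code from ansible-modules-hashivault or hvac): request
# shapes for K/V v1 vs v2 and mount-version detection. All data is constructed.

def detect_kv_version(mount_info):
    """K/V version from a sys/internal/ui/mounts/<path> response (shape
    assumed): v2 reports options.version == "2", v1 has no version option."""
    options = mount_info.get("data", {}).get("options") or {}
    return int(options.get("version", "1"))


def kv_write_request(mount, path, data, version):
    """(api_path, json_body) for a write.
    v1: PUT <mount>/<path> with the secret as the body.
    v2: PUT <mount>/data/<path> with the secret wrapped in {"data": ...}."""
    if version == 1:
        return f"{mount}/{path}", dict(data)
    return f"{mount}/data/{path}", {"data": dict(data)}


def kv_read_request(mount, path, version):
    """API path for a read; v2 reads also use the data/ prefix, which is
    why 'secret: data/test' works against a v2 mount named secret."""
    return f"{mount}/{path}" if version == 1 else f"{mount}/data/{path}"


def kv_read_data(response, version):
    """Key/value pairs from a read response: v1 puts them under "data",
    v2 nests them one level deeper under "data" -> "data" next to metadata."""
    return response["data"] if version == 1 else response["data"]["data"]


# Constructed: what the dev server's "secret/" mount reports (it is kv v2).
DEV_SECRET_MOUNT = {"data": {"type": "kv", "options": {"version": "2"}}}

# Constructed v2 read response, shaped like the `vault kv get secret/foo` above.
V2_READ_RESPONSE = {
    "data": {
        "data": {"value": "bar"},
        "metadata": {"version": 1, "destroyed": False, "deletion_time": ""},
    }
}

if __name__ == "__main__":
    v = detect_kv_version(DEV_SECRET_MOUNT)
    # v1-style path the failing play used vs the v2 path that succeeds
    print(kv_write_request("secret", "giant", {"foo": "fum"}, 1))
    print(kv_write_request("secret", "giant", {"foo": "fum"}, v))
    print(kv_read_data(V2_READ_RESPONSE, v))
```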


drewmullen commented Jan 18, 2019

I'm picking this issue up for hashivault_write, @TerryHowe what's the purpose of this function?
NVM, this wasn't as hard as I thought. PR inc

    def _convert_to_seconds(original_value):
        # Parse a duration such as '1h30m15s' into seconds; on any parse
        # failure the original value is returned unchanged.
        try:
            value = str(original_value)
            seconds = 0
            if 'h' in value:
                ray = value.split('h')
                seconds = int(ray.pop(0)) * 3600
                value = ''.join(ray)
            if 'm' in value:
                ray = value.split('m')
                seconds += int(ray.pop(0)) * 60
                value = ''.join(ray)
            if value:
                ray = value.split('s')
                seconds += int(ray.pop(0))
            return seconds
        except Exception:
            pass
        return original_value

Also, how do you feel about me setting the version as an option and defaulting it to version 2? Defaulting to 1 as that's the majority of tests in functional/

ventris commented Jul 23, 2019

I can see that the kv v2 engine is now supported, but I can't get it to work. Are there any examples or documentation regarding this anywhere?

@drewmullen
Contributor

Check that PR, there's an example there.

ventris commented Jul 23, 2019

@drewmullen

In that example a namespace is specified, which is something that only the pro version offers.
I get the error with the copied example, both on read and write. Is the namespace part needed for the kv2 stuff to work?

Task:

    - name: write to kv2
      hashivault_write:
        secret: kv2/test
        data:
            password: mypass
        version: 2
TASK [write to kv2] *****************************************************************************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Error InvalidPath(no handler for route 'secret/data/kv2/test') writing secret/kv2/test", "rc": 1}

@drewmullen
Contributor

Looks like an issue on the vault side. Did you upgrade the mount to v2?

I'm off this week but if you're still having trouble next week I can help

*The namespace is optional for any task using this set of modules

@TerryHowe
Owner

This issue should probably be closed.

@TerryHowe
Owner

If there is anything else to this or problems I think a new issue would be best.
