centos-infra

Clone
Source Code
GIT

#127 broken vault integration after last upgrade
Closed: Fixed 3 years ago by arrfab. Opened 3 years ago by jmelis.

Closed: Fixed
Reopen Issue

Hello,

We are the SRE team that are responsible for Devtools jobs:
https://ci.centos.org/view/Devtools

All our Devtools jobs retrieve secrets from our Vault instance (https://vault.devshift.net/), but the vault plugin seems to have been recently upgraded in Jenkins, and it has changed the default K/V store for Vault from 1 to 2, therefore breaking all our jobs.

This currently blocks hundreds of developers, as all the jobs under Devtools are broken.

We would like to request you to change the default k/v version for Vault to 1.

In order to make this change, please refer to this paragraph:

Go to Configure of failed job and change Vault Engine in Advanced Settings and choose your
version on KV Engine 1 or 2 from a select menu K/V Engine Version for ALL Vault Secrets and save.

from this page: https://plugins.jenkins.io/hashicorp-vault-plugin/

Go to Configure of failed job and change Vault Engine in Advanced Settings and choose your
version on KV Engine 1 or 2 from a select menu K/V Engine Version for ALL Vault Secrets and save.

This seems like something you can do it yourself (as you should have access to the job configs.
We expects tenants to maintain their own job configs and we just used to take care of global configs (or credentials if they were needed).
Also recommended that the project move to OCP4 cluster where you own the namespace and have all the accesses in jenkins.

@siddharthvipul1 please note that you introduced a breaking change that broke all our jobs, and for you it's just one knob.

We can't do what you suggest because we manage our jobs via jjb and this option (the k/v version) is not supported:
https://docs.openstack.org/infra/jenkins-job-builder/wrappers.html#wrappers.vault-secrets

Please reconsider.

I was just talking to Fabian, and he pointed me at a mistake I made in my first comment.

Essentially, our request is for you to change the default k/v of the plugin, not for each job. Sorry for the confusion.

Metadata Update from @arrfab:
- Issue assigned to arrfab
3 years ago

Metadata Update from @arrfab:
- Issue tagged with: centos-ci-infra, low-gain, low-trouble
3 years ago

Discussing with @jmelis about this but we can switch the default version in global jenkins settings (which would reflect previous behaviour) so applied and testing that it works for them

Metadata Update from @arrfab:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)
3 years ago

Login to comment on this ticket.

Metadata

centos-ci-infra low-trouble low-gain

None
None
Needs Review
Boards 1
CentOS CI Infra Status: Done
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.