You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hi, thanks as always for this fantastic plugin. We've been using it for several years with no issues.
When you released v2.2.0, we upgraded, but noticed the following:
We could not modify the plugin's sha_256 anymore. Vault reported a successful write, but reading the config back showed the previous version's (v2.1.0) sha256:
$ vault write sys/plugins/catalog/secret/vault-plugin-secrets-github sha_256=dfb99ffad22bf92b2cd98e704139c792d7501938b993a999649decaf4c881e8c command=vault-plugin-secrets-github
Success! Data written to: sys/plugins/catalog/secret/vault-plugin-secrets-github
$ vault read sys/plugins/catalog/secret/vault-plugin-secrets-github
Key Value
--- -----
args [--tls-skip-verify=true]
builtinfalsecommand vault-plugin-secrets-github
name vault-plugin-secrets-github
sha256 a5fd74ebf9053cdebb5d7a05de5d2f7980fea2bdc577308d0a56ddb0096160a4
version n/a
We could no longer use the /github endpoint from a properly auth'ed Vault CLI session. For example:
$ vault read /github/config
No value found at github/config
We use the previous version of this plugin with Vault Secrets Operator's VaultDynamicSecret Kubernetes CRD to generate and refresh GitHub tokens, but it wasn't working with the new plugin, either, complaining like so:
error: empty response from Vault, path="\github/token/private-ci\".
When I dug into the issues, it appears that since Vault v1.12, the plugin registration/upgrade system is quite a bit different than it used to be when we originally began using this plugin:
I then tried the new upgrade mechanism, but that also failed:
vault secrets list -detailed
Path Plugin Accessor Default TTL Max TTL Force No Cache Replication Seal Wrap External Entropy Access Options Description UUID Version Running Version Running SHA256 Deprecation Status
---- ------ -------- ----------- ------- -------------- ----------- --------- ----------------------- ------- ----------- ---- ------- --------------- -------------- ------------------
...
github/ vault-plugin-secrets-github vault-plugin-secrets-github_b9f40627 system system false replicated falsefalse map[] n/a 3202569b-97da-ce96-9dbf-db57d2112373 n/a n/a 0eecbd948fc5370fc9683d4234ef4b851b3aec2d99ef3afde13c00ac7334497b n/a
...
vault plugin register -sha256=dfb99ffad22bf92b2cd98e704139c792d7501938b993a999649decaf4c881e8c -command=vault-plugin-secrets-github -version=v2.2.0 secret vault-plugin-secrets-github
Error registering plugin vault-plugin-secrets-github: Error making API request.
URL: PUT http://127.0.0.1:8100/v1/sys/plugins/catalog/secret/vault-plugin-secrets-github
Code: 400. Errors:
* plugin version mismatch: vault-plugin-secrets-github reported version (2.2.0) did not match requested version (v2.2.0)
vault plugin register -sha256=dfb99ffad22bf92b2cd98e704139c792d7501938b993a999649decaf4c881e8c -command=vault-plugin-secrets-github -version=2.2.0 secret vault-plugin-secrets-github
Error registering plugin vault-plugin-secrets-github: Error making API request.
URL: PUT http://127.0.0.1:8100/v1/sys/plugins/catalog/secret/vault-plugin-secrets-github
Code: 400. Errors:
* plugin version mismatch: vault-plugin-secrets-github reported version (2.2.0) did not match requested version (v2.2.0)
At this point, I considered uninstalling the plugin and re-registering using the new mechanism, but decided to roll back to v2.1.0 and ask here for some guidance, instead. (Thankfully, the rollback worked and we're generating GitHub tokens again.)
Any advice on how to proceed? It's odd that Vault is complaining about the version mismatch (2.2.0 vs v2.2.0) no matter which version I specify.
The text was updated successfully, but these errors were encountered:
Hi, thanks as always for this fantastic plugin. We've been using it for several years with no issues.
When you released
v2.2.0, we upgraded, but noticed the following:sha_256anymore. Vault reported a successful write, but reading the config back showed the previous version's (v2.1.0)sha256:/githubendpoint from a properly auth'ed Vault CLI session. For example:$ vault read /github/config No value found at github/configVaultDynamicSecretKubernetes CRD to generate and refresh GitHub tokens, but it wasn't working with the new plugin, either, complaining like so:error: empty response from Vault, path="\github/token/private-ci\".When I dug into the issues, it appears that since Vault v1.12, the plugin registration/upgrade system is quite a bit different than it used to be when we originally began using this plugin:
https://developer.hashicorp.com/vault/docs/upgrading/plugins
I then tried the new upgrade mechanism, but that also failed:
At this point, I considered uninstalling the plugin and re-registering using the new mechanism, but decided to roll back to
v2.1.0and ask here for some guidance, instead. (Thankfully, the rollback worked and we're generating GitHub tokens again.)Any advice on how to proceed? It's odd that Vault is complaining about the version mismatch (
2.2.0vsv2.2.0) no matter which version I specify.The text was updated successfully, but these errors were encountered: