Fix "Upgrading from non-versioned to versioned data" error
When enabling (or upgrading) KV store v2 using hashivault_secret_engine, the following error might be returned by the Vault API:
Upgrading from non-versioned to versioned data. This backend will be unavailable for a brief period and will resume service shortly
To fix this issue, I added a function named retry_until_upgraded() which retries the API call that triggers this error (i.e. client.secrets.kv.v2.configure) every 200ms for up to 10s.
Note that I couldn't find a way to trigger this error through the test playbooks written in this repo. I can still confirm this error disappeared from my project when I upgraded to the patched version of ansible-modules-hashivault.
Also, this error can be triggered with the following Python script:
```python
import hvac

# Connect to the Vault node without TLS verification (as in the original report).
client = hvac.Client(url='https://node1.vault-backends.local:8200',
                     verify=False)
client.token = 's.xjaKV4LCiQFECCfBpZHizN02'

# Recreate the mount as KV v2, then configure it immediately: the mount is
# still upgrading at that point, so this configure call returns the error above.
client.sys.disable_secrets_engine('kvengine')
client.sys.enable_secrets_engine('kv-v2', path='kvengine')
client.secrets.kv.v2.configure(mount_point='kvengine',
                               cas_required=True)
```
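An added illustration of the retry approach described above (example code written for this note, not the retry_until_upgraded() from this PR nor any code from ansible-modules-hashivault or hvac). FakeKvV2Mount is a constructed stand-in for the KV v2 endpoint that raises the upgrade error a chosen number of times, so the loop can be exercised offline with a virtual clock; in the real module the wrapped call would be client.secrets.kv.v2.configure, and the assumption here is that the Vault message text survives in the exception hvac raises (an hvac.exceptions.VaultError subclass), which is why the wrapper matches on the exception text rather than on a class. The wrapper retries only that transient error, re-raises anything else immediately, and re-raises the upgrade error itself once the 10s budget is spent so a mount that never becomes ready is not silently treated as configured.

```python
import time

# Text Vault returns while a KV mount is being upgraded from v1 to v2.
UPGRADE_MSG = "Upgrading from non-versioned to versioned data"


def is_upgrading_error(exc):
    """True if the exception text carries Vault's transient upgrade message."""
    return UPGRADE_MSG in str(exc)


def retry_until_upgraded(call, delay=0.2, timeout=10.0,
                         sleep=time.sleep, clock=time.monotonic):
    """Invoke call() until it stops failing with the transient upgrade error.

    Retries every `delay` seconds for at most `timeout` seconds. Any other
    exception propagates at once; the upgrade error is re-raised when the
    deadline passes so the caller never mistakes an unconfigured mount for
    a configured one. `sleep` and `clock` are injectable for offline tests.
    """
    deadline = clock() + timeout
    while True:
        try:
            return call()
        except Exception as exc:
            if not is_upgrading_error(exc):
                raise
            if clock() >= deadline:
                raise
            sleep(delay)


class FakeKvV2Mount:
    """Constructed stand-in for the KV v2 endpoint (assumption: not real hvac).

    Fails `failures_before_ready` times with `message`, then succeeds.
    """

    def __init__(self, failures_before_ready, message=UPGRADE_MSG):
        self.failures_left = failures_before_ready
        self.message = message
        self.calls = 0

    def configure(self, mount_point, cas_required):
        self.calls += 1
        if self.failures_left > 0:
            self.failures_left -= 1
            raise RuntimeError(
                "1 error occurred:\n\t* " + self.message +
                ". This backend will be unavailable for a brief period "
                "and will resume service shortly")
        return {"mount_point": mount_point, "cas_required": cas_required}


def simulate(failures_before_ready, delay=0.2, timeout=10.0,
             message=UPGRADE_MSG):
    """Drive the retry loop against the fake mount with a virtual clock.

    Returns (configure result or None if the error escaped, number of
    configure calls made, virtual seconds elapsed).
    """
    now = [0.0]

    def clock():
        return now[0]

    def sleep(seconds):
        now[0] += seconds

    mount = FakeKvV2Mount(failures_before_ready, message=message)
    try:
        result = retry_until_upgraded(
            lambda: mount.configure(mount_point="kvengine",
                                    cas_required=True),
            delay=delay, timeout=timeout, sleep=sleep, clock=clock)
    except RuntimeError:
        result = None
    return result, mount.calls, now[0]


if __name__ == "__main__":
    # Mount becomes ready after three failures: four calls, 0.6s of waiting.
    print(simulate(3))
    # Mount never becomes ready within 1s: the error is re-raised.
    print(simulate(100, delay=0.25, timeout=1.0))
```

The same wrapper can sit around any other call that is issued right after a mount is created; only the text matched in is_upgrading_error() ties it to this particular Vault error.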
It seems like it would be more natural to do this in Ansible
Could you elaborate on this please?
Although it's easy to implement in Ansible, this bug comes from the Vault API design and how this module uses it. IMO this issue is due to the Vault API and hashivault_secret_engine leaking abstraction details (i.e. secrets engine mounting is done asynchronously for the former, and client.secrets.kv.v2.configure is called too soon for the latter). As such, it feels strange to put the burden on the module's users; at least it'd need to be properly documented.
This should be handled in Ansible by iterating over hashivault_secret_engine calls and looking at the error output.