[Bug]: nb_lookup incompatible with netbox_secretstore plugin
Ansible NetBox Collection version
v.3.9.0
Ansible version
ansible [core 2.13.6]
config file = /home/user/ansible/id4-iac/ansible.cfg
configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/user/.local/lib/python3.8/site-packages/ansible
ansible collection location = /home/user/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/bin/ansible
python version = 3.8.10 (default, Jun 22 2022, 20:18:18) [GCC 9.4.0]
jinja version = 3.0.3
libyaml = True
NetBox version
v3.3.7
Python version
3.8
Steps to Reproduce
- Install a version of NetBox which no longer has native secrets feature included (>3.0)
- Install https://github.com/DanSheps/netbox-secretstore in NetBox
- Try to fetch secret from NetBox:

    - tags:
        - debug
      set_fact:
        ansible_user: "{{ query('netbox.netbox.nb_lookup', 'netbox_secretstore', api_filter='role=windows-administrator&virtual_machine='+inventory_hostname, api_endpoint=netbox_host, token=netbox_token, validate_certs=False, key_file='/home/user/.ssh/id_rsa.pem') }}"
Expected Behavior
Lookup plugin uses netbox-secretstore plugin URL to get decrypted secret
Observed Behavior
fatal: [windows-2019-test2]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'netbox.netbox.nb_lookup'. Error was a <class 'pynetbox.core.query.RequestError'>, original message: The requested url: https://netbox.domain.at/api/secrets/get-session-key/?preserve_key=True could not be found.. The requested url: https://netbox.domain.at/api/secrets/get-session-key/?preserve_key=True could not be found."}
So https://netbox.domain.at/api/secrets/get-session-key/?preserve_key=True 404's - that sounds like an issue with your netbox installation. Please report this issue to them.
I see documentation here where the URL is http://netbox/api/plugins/netbox_secretstore/secrets/get-session-key/ - is there a version mismatch between your lookup plugin version and the secrets plugin installed in your netbox?
Hi @sc68cal, thanks for your response. My understanding (but this predates my involvement with NetBox so I might have the history wrong) is that secrets used to be functionality of core NetBox. However, in version 3.0.0 of NetBox this feature was removed from NetBox core and "transformed" into a plugin.
After a bit of further investigation it seems this is a limitation of the pynetbox python library: https://github.com/netbox-community/pynetbox/pull/430 where it was decided to not support the secrets plugin currently. IMO this currently renders the secret functionality in nb_lookup useless for NetBox >= 3.0.0.
If confirmed by somebody with more experience in Netbox I'd volunteer to update the documentation with this limitation?
@marinus81 Ah yes, thanks for the refresher. I had forgotten about that detail.
We discussed some parts of this also in #495, where I did not really want to deal with managing a plugin either. My intention was to punt this over to pynetbox to handle since it's really where it would need to be. So, I think if pynetbox is not willing to handle the plugin, I don't think we can either.
In fact we should probably put some sort of error in our code about trying to use the lookup on that API endpoint with NetBox >= 3.0.0 that it is not supported. @rodvand ?
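One way to implement the error suggested above, as an added example that is not code from the collection or from pynetbox: a pre-flight check that rejects secrets lookups against NetBox >= 3.0.0 with a clear message instead of the 404 from the removed URL. The function names, the exception class and the two term names in `CORE_SECRETS_TERMS` are assumptions made for illustration.

```python
import re
from typing import Optional, Tuple

# Terms served by the secrets app that NetBox core dropped in 3.0.0.
# Assumption: these two names; a real guard would use the plugin's own term map.
CORE_SECRETS_TERMS = frozenset({"secrets", "secret-roles"})
SECRETS_REMOVED_IN = (3, 0)


class UnsupportedSecretsLookup(Exception):
    """The requested lookup needs the core secrets API, which is gone."""


def parse_version(raw: str) -> Tuple[int, int]:
    """Accept '3.3', '3.3.7', 'v3.3.7' or '3.4-beta1'; return (major, minor)."""
    match = re.match(r"\s*v?(\d+)\.(\d+)", raw or "")
    if match is None:
        raise ValueError(f"cannot parse NetBox version {raw!r}")
    return int(match.group(1)), int(match.group(2))


def secrets_lookup_error(term: str, netbox_version: str,
                         key_file: Optional[str] = None) -> Optional[str]:
    """Return an error message if this lookup cannot work, else None."""
    # Assumption: passing key_file leads to a session-key request against the
    # core secrets URL, which is the request that returned 404 in this issue.
    needs_core_secrets = term in CORE_SECRETS_TERMS or key_file is not None
    if not needs_core_secrets:
        return None
    if parse_version(netbox_version) < SECRETS_REMOVED_IN:
        return None
    return (
        f"nb_lookup cannot fetch secrets from NetBox {netbox_version}: the core "
        "secrets API was removed in 3.0.0 and the netbox_secretstore plugin "
        "endpoint is not supported."
    )


def check_secrets_lookup(term, netbox_version, key_file=None) -> None:
    """Call before the API client is built; raises instead of sending the request."""
    message = secrets_lookup_error(term, netbox_version, key_file)
    if message is not None:
        raise UnsupportedSecretsLookup(message)


if __name__ == "__main__":
    # Constructed input mirroring the task in this issue (NetBox v3.3.7).
    print(secrets_lookup_error("netbox_secretstore", "v3.3.7", "/home/user/.ssh/id_rsa.pem"))
```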
We should at least remove any example using the nb_lookup feature to look up secrets...
Adding @hollow since they raised a PR.