
I'm having some issues when trying to use the Hashicorp Vault template (with Terraform from to.be.continuous).

Actually, when I use it with the terraform-vault template I get an error message.

This is a summary of my .gitlab-ci.yml:

include:
  - project: "to-be-continuous/terraform"
    ref: "2.4.0"
    file: "templates/gitlab-ci-terraform.yml"
  # Vault variant
  - project: "to-be-continuous/terraform"
    ref: "2.4.0"
    file: "/templates/gitlab-ci-terraform-vault.yml"

variables:
  VAULT_BASE_URL: "https://vault.secrets.tech.orange/v1"
  VAULT_ROLE_ID: $VAULT_ROLE_ID
  VAULT_SECRET_ID: $VAULT_SECRET_ID
  GCP_MYSECRET: "@url@http://vault-secrets-provider/api/secrets/XXX/gcp/credentials?field=mygcpsecret"

Error Message:

[ERROR] Failed getting secret GCP_MYSECRET:
... Connecting to vault-secrets-provider (127.0.0.1:80)
... wget: server returned error: HTTP/1.1 404 Not Found

I tried without the Vault template and it works.

Would you please help me with this? Or perhaps, where I can ask for some help?

  • I would recommend taking a look at: https://docs.gitlab.com/ee/ci/examples/authenticating-with-hashicorp-vault/. That also works with CE. – Matthew Schuchard Jan 26 '22 at 13:38
  • @Helene Issues with Vault can be tough to analyse. I think `404` is probably due to a wrong secret path or a wrong field (the query parameter). I recommend that you follow the [How to test & debug](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider/#how-to-test-debug) chapter from the **to be continuous** doc to troubleshoot your problem... – pismy Feb 03 '22 at 22:48
  • Anyway, you wouldn't get a `404` if GitLab CI wasn't recognising the `vault-secrets-provider` host alias. It's definitely an issue in the secret path :) – pismy Feb 03 '22 at 22:58
  • It is not a problem of path but an issue in the Vault template. 2 services are listening on port 80. An issue has been opened. – Hélène Saliou Feb 08 '22 at 15:19
  • You're right, two services are listening on port 80, but on different hostnames (service aliases). I'm 90% sure the 404 is answered by the right service (vault secrets provider). Could you perform some troubleshooting please? This way you will get an explicit error message. – pismy Feb 12 '22 at 22:40

1 Answer


It turns out you were facing this issue due to a Kubernetes runner limitation.

As stated in the GitLab documentation:

Kubernetes runners cannot use several services using the same port

As a result, using the tracking service in addition to another one using the same port (80) fails.

It has now been fixed.

pismy
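As an added example (not code from the question, the answer, or the to-be-continuous project), here is a small Python check for the condition pismy describes: under the Kubernetes executor every service container of a job lives in one pod, so two services exposing the same port collide even when they carry different aliases. The service list below is constructed inline so the check runs offline; in practice it would come from `yaml.safe_load()` of the merged CI configuration. The image names are hypothetical, the `ports` values are an assumption standing in for each image's exposed ports (the page does not list them), and the alias fallback is a simplified version of GitLab's default alias rule.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed sample: a simplified view of the `services:` section of a
# merged .gitlab-ci.yml. Image names are hypothetical and the "ports"
# entries are an assumption (the exposed ports of each image).
SAMPLE_SERVICES = [
    {"name": "example.invalid/vault-secrets-provider:latest",
     "alias": "vault-secrets-provider", "ports": [80]},
    {"name": "example.invalid/tracking:latest",
     "alias": "tracking", "ports": [80]},
    {"name": "docker:dind", "alias": "docker", "ports": [2375, 2376]},
]


def service_alias(svc: dict) -> str:
    """Explicit alias if given; otherwise a simplified default derived from
    the image name (registry path and tag dropped). Assumption: GitLab's real
    default-alias rule is more elaborate; this is enough for the check."""
    if svc.get("alias"):
        return svc["alias"]
    return svc["name"].split("/")[-1].split(":")[0]


def find_port_collisions(services: List[dict]) -> Dict[int, List[str]]:
    """Return {port: [alias, ...]} for every port claimed by two or more
    services. Distinct aliases do not help on the Kubernetes executor: the
    services share one pod network namespace, so the second listener on a
    port cannot bind, or the wrong container answers the request."""
    by_port: Dict[int, List[str]] = defaultdict(list)
    for svc in services:
        alias = service_alias(svc)
        for port in svc.get("ports", []):
            by_port[port].append(alias)
    return {port: aliases for port, aliases in by_port.items() if len(aliases) > 1}


def check_config(services: List[dict]) -> List[str]:
    """Human-readable findings; an empty list means no shared service ports."""
    findings = []
    for port, aliases in sorted(find_port_collisions(services).items()):
        findings.append(
            f"port {port} is claimed by {len(aliases)} services: " + ", ".join(aliases)
        )
    return findings


if __name__ == "__main__":
    for line in check_config(SAMPLE_SERVICES) or ["no shared service ports"]:
        print(line)
```

Running the check on the sample reports that port 80 is claimed by both `vault-secrets-provider` and `tracking`, which is the situation behind the `404` in the question: the request reached a listener on port 80, just not the one the alias was meant to select. A finding from this check on a Kubernetes runner means one of the two services must move to a different port (or be dropped from the job) before the pipeline can be trusted.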