
nautobot-app-secrets-providers's Introduction

Nautobot

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database.

Key Use Cases

1. Flexible Source of Truth for Networking - Nautobot core data models are used to define the intended state of network infrastructure, enabling it as a Source of Truth. While a baseline set of models is provided (such as IP networks and addresses, devices and racks, circuits and cables, etc.), it is Nautobot's goal to offer maximum data model flexibility. This is enabled through features such as user-defined relationships, custom fields on any model, and data validation that permits users to codify everything from naming standards to having automated tests run before data can be populated into Nautobot.

2. Extensible Data Platform for Automation - Nautobot has a rich feature set to seamlessly integrate with network automation solutions. Nautobot offers GraphQL and native Git integration along with REST APIs and webhooks. Git integration dynamically loads YAML data files as Nautobot config contexts. Nautobot also has an evolving plugin system that enables users to create custom models, APIs, and UI elements. The plugin system is also used to unify and aggregate disparate data sources creating a Single Source of Truth to streamline data management for network automation.

3. Platform for Network Automation Apps - The Nautobot plugin system enables users to create Network Automation Apps. Apps can be as lightweight or robust as needed based on user needs. Using Nautobot for creating custom applications saves up to 70% development time by re-using features such as authentication, permissions, webhooks, GraphQL, change logging, etc., all while having access to the data already stored in Nautobot. Some production-ready applications include:

The complete documentation for Nautobot can be found at Read the Docs.

Questions? Comments? Start by perusing our GitHub discussions for the topic you have in mind, or join the #nautobot channel on Network to Code's Slack community!

Screenshots

(Animated screenshots omitted: main page, config contexts, prefix hierarchy, GraphQL, Modes.)

Installation

Please see the documentation for instructions on installing Nautobot.

Application Stack

Below is a simplified overview of the Nautobot application stack for reference:

Application stack diagram

Plugins and Extensibility

Nautobot offers the ability to customize your setup to better align with your direct business needs. It does so through the use of various plugins that have been developed for network automation, and are designed to be used in environments where needed.

There are many plugins available within the Nautobot Apps ecosystem. The below screenshots are an example of some popular ones that are currently available.

Plugin Screenshots

(Animated screenshots omitted: Golden Config Plugin, ChatOps Plugin, Device Lifecycle Management Plugin.)

Providing Feedback

The best platform for general feedback, assistance, and other discussion is our GitHub discussions. To report a bug or request a specific feature, please open a GitHub issue using the appropriate template.

If you are interested in contributing to the development of Nautobot, please read our contributing guide prior to beginning any work.

Related projects

Please check out the GitHub nautobot topic for a list of relevant community projects.

Notices

Nautobot was initially developed as a fork of NetBox (v2.10.4). NetBox was originally developed by Jeremy Stretch at DigitalOcean and the NetBox Community.

nautobot-app-secrets-providers's People

Contributors

briddo, bryanculver, dependabot[bot], glennmatthews, hanlinmiao, hellerve, jathanism, jedelman8, jfach, jifox, jifoxpa, k0rventen, kacem-expereo, nautobot-bot, nniehoff, scetron, snaselj, ubajze, whitej6


nautobot-app-secrets-providers's Issues

botocore ModuleNotFoundError when not installing aws dependencies

Environment

  • Python version: any
  • Nautobot version: 1.2.0
  • secrets version: 1.0.0

Expected Behavior

Importing botocore should not be attempted if AWS is not in use, OR if boto3 is set to None on import

Observed Behavior

ModuleNotFoundError on attempting to import botocore

Steps to Reproduce

  1. Install plugin for only hashivault
  2. Configure just hashivault
  3. Start Nautobot service

Will not be observed in the development container: dev dependencies are installed in the container, which includes boto3, and botocore is a dependency of boto3.

Recommended fix

try:
    import boto3
except ImportError:
    boto3 = None
if boto3:
    from botocore.foo import bar
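The guarded-import pattern recommended above, written out as an added example (not code from the nautobot-secrets-providers project). It generalises the snippet slightly: the botocore exception class is only resolved once boto3 is known to be importable, and the "AWS dependency missing" condition is reported at provider use time with a clear message instead of crashing Nautobot at start-up. The `aws` extra name in the error text is an assumption, and `botocore.foo`/`bar` from the snippet is replaced by the real `botocore.exceptions.ClientError`.

```python
"""Guarded optional import of an AWS-only dependency (added example)."""
import importlib
from types import ModuleType
from typing import Optional


def load_optional(module_name: str) -> Optional[ModuleType]:
    """Return the module if it can be imported, otherwise None; never raises."""
    try:
        return importlib.import_module(module_name)
    except ImportError:
        return None


# Only touch botocore when boto3 itself imported: botocore is a dependency of
# boto3, so a hashivault-only install has neither and must not try either.
boto3 = load_optional("boto3")
if boto3 is not None:
    # The real exception type boto3 raises for API-level failures.
    ClientError = importlib.import_module("botocore.exceptions").ClientError
else:
    ClientError = None  # marker: AWS provider unavailable in this install


class ProviderDependencyMissing(RuntimeError):
    """Raised when a provider is used but its optional extra is not installed."""


def aws_provider_available() -> bool:
    """True when the AWS provider can be used in this process."""
    return boto3 is not None


def require_aws() -> None:
    """Call at provider use time (not import time) so non-AWS installs still boot."""
    if boto3 is None:
        raise ProviderDependencyMissing(
            "AWS Secrets Manager provider selected but boto3 is not installed; "
            "install the AWS extra (assumed name: nautobot-secrets-providers[aws])"
        )
```

Deferring the check to `require_aws()` keeps the failure scoped to the one provider a user actually selected; the rest of the plugin, and Nautobot itself, still start.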

Add Azure Keyvault as Supported Secret Backend

Environment

  • Nautobot version: 1.2.4
  • secrets version: 1.0.1

Proposed Functionality

Add Azure Keyvault as a supported secrets backend.

Use Case

We have multiple network environments that utilize various Azure Keyvaults as secret storage for access credentials to network devices, ssl private keys, etc. The goal would be to use nautobot secret storage feature to store the secrets within the same keyvault environment. We deal with many enterprises that do not have AWS presence, but prefer Azure.

`secret_value` in AWS provider not getting set

Environment

  • Python version: 3.8.10
  • Nautobot version: 1.2.7
  • secrets version: 1.3.0

Expected Behavior

The error message from AWS to be passed into the joblogs/jobresult. The below error is printed when I print the err caught in the block here
Dec 22 18:04:17 ip-172-16-11-138 nautobot-server[2211358]: [2022-12-22 18:04:17,668: WARNING/ForkPoolWorker-31] An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::*********:assumed-role/nautobot-stg-webserver-permissions-role/********** is not authorized to perform: secretsmanager:GetSecretValue on resource: sharepoint_account because no identity-based policy allows the secretsmanager:GetSecretValue action

Observed Behavior

The secret_value never gets set, so an UnboundLocalError exception is thrown.

Traceback (most recent call last):
  File "/opt/nautobot/.local/lib/python3.8/site-packages/nautobot/extras/models/secrets.py", line 94, in get_value
    return provider.get_value_for_secret(self, obj=obj)
  File "/opt/nautobot/.local/lib/python3.8/site-packages/nautobot_secrets_providers/providers/aws.py", line 94, in get_value_for_secret
    data = json.loads(secret_value)
UnboundLocalError: local variable 'secret_value' referenced before assignment

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/lib/python3.8/code.py", line 90, in runcode
    exec(code, self.locals)
  File "<console>", line 1, in <module>
  File "/opt/nautobot/.local/lib/python3.8/site-packages/nautobot/extras/models/secrets.py", line 98, in get_value
    raise SecretError(self, provider, str(exc)) from exc
nautobot.extras.secrets.exceptions.SecretError: SecretError: Secret "sharepoint_username" (provider "AWSSecretsManagerSecretsProvider"): local variable 'secret_value' referenced before assignment

Steps to Reproduce

  1. Create a secret in AWS
  2. Create a secret in Nautobot
  3. Use an instance profile that does not have access to the AWS secret.
  4. Try to retrieve the secret value either via CLI or a job.
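An added example (not the project's aws.py) of the defect the traceback above shows and its fix. The buggy shape catches the AWS error, logs it, and then falls through to `json.loads(secret_value)` with the name unbound; the fixed shape converts every AWS failure into a SecretError that carries the AWS error code and message, so the AccessDeniedException text reaches the job log. `FakeSecretsManager` and `FakeClientError` are constructed stand-ins for `boto3.client("secretsmanager")` and `botocore.exceptions.ClientError` (same `.response["Error"]` shape) so the example runs offline.

```python
"""Hardened secret lookup for an AWS Secrets Manager backed provider (added example)."""
import json


class SecretError(Exception):
    """Stand-in for nautobot.extras.secrets.exceptions.SecretError."""


class FakeClientError(Exception):
    """Constructed: mimics botocore.exceptions.ClientError's .response['Error'] layout."""

    def __init__(self, code, message):
        super().__init__(message)
        self.response = {"Error": {"Code": code, "Message": message}}


class FakeSecretsManager:
    """Constructed stand-in for boto3.client('secretsmanager')."""

    def __init__(self, store, denied=False):
        self._store, self._denied = store, denied

    def get_secret_value(self, SecretId):
        if self._denied:
            raise FakeClientError(
                "AccessDeniedException",
                f"User is not authorized to perform: secretsmanager:GetSecretValue on resource: {SecretId}",
            )
        if SecretId not in self._store:
            raise FakeClientError("ResourceNotFoundException", f"Secrets Manager can't find the specified secret: {SecretId}")
        return {"SecretString": self._store[SecretId]}


def get_value_for_secret_buggy(client, name, key):
    """The failing shape: on the error path secret_value is never bound but is still used."""
    try:
        secret_value = client.get_secret_value(SecretId=name)["SecretString"]
    except FakeClientError as err:
        print(err)  # logged, but execution falls through to the json.loads below
    data = json.loads(secret_value)  # UnboundLocalError whenever the except branch ran
    return data[key]


def get_value_for_secret(client, name, key):
    """Fixed shape: every failure becomes a SecretError that carries the AWS code and message."""
    try:
        secret_value = client.get_secret_value(SecretId=name)["SecretString"]
    except FakeClientError as err:
        error = err.response["Error"]
        raise SecretError(f"{error['Code']}: {error['Message']}") from err
    try:
        data = json.loads(secret_value)
    except json.JSONDecodeError as err:
        raise SecretError(f"secret {name!r} is not a JSON object") from err
    if key not in data:
        raise SecretError(f"key {key!r} not found in secret {name!r}")
    return data[key]
```

Raising inside the `except` block (rather than logging and continuing) is what guarantees `secret_value` is bound on every path that reaches `json.loads`; the two follow-up checks turn malformed JSON and a missing key into equally explicit errors rather than a KeyError or JSONDecodeError deep in a job.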

Add support for python-tss-sdk version v1.2

Environment

  • Nautobot version: 1.4
  • secrets version: 1.2.0

Proposed Functionality

Thycotic is now owned by Delinea and has moved development to this new repository: https://github.com/DelineaXPM/python-tss-sdk.

Proposed changes:

  • rename thycotic.py to delinea.py

  • Update README

    • Replace 'Thycotic' with 'Delinea/Thycotic'
    • Update all hyperlinks to point to the new repository.
  • Add a compatible import block in delinea.py

    try:
        from delinea.secrets.server import (
            AccessTokenAuthorizer,
            PasswordGrantAuthorizer,
            DomainPasswordGrantAuthorizer,
            SecretServerCloud,
            SecretServer,
            ServerSecret,
            SecretServerError,
        )
    
        thycotic_installed = True  # pylint: disable=invalid-name
    except ImportError:
        try:
            from thycotic.secrets.server import (
                AccessTokenAuthorizer,
                PasswordGrantAuthorizer,
                DomainPasswordGrantAuthorizer,
                SecretServerCloud,
                SecretServer,
                ServerSecret,
                SecretServerError,
            )
    
            thycotic_installed = True  # pylint: disable=invalid-name
        except ImportError:
            thycotic_installed = False
    
  • Update pypoetry.toml to import python-tss-sdk '~1.2.0'

  • Update secrets version to 1.2.1

Use Case

Allow future updates.

Check that secret data is correct

Environment

  • Nautobot version: 1.3.10
  • secrets version: 1.3.0

Proposed Functionality

As Nelly the Network Engineer I want to be able to check if a secret can be read from the secrets provider specified.

Use Case

I want to check that secret data entered is correct without leaving the secret detail view.

Prometheus metrics

Environment

  • Nautobot version: 1.5.13 (to get metrics.py support)
  • nautobot-plugin-device-lifecycle-mgmt version: latest

Proposed Functionality

Expose Prometheus metrics for this app. Examples:

Get Value Secrets Total and Errors

Providers like AWS have get_value_secrets method which could expose metrics for its gets and its errors:

  • nautobot_secrets_provider_get_value_secrets_total{provider="aws"} 27.0
  • nautobot_secrets_provider_get_value_secrets_errors_total{provider="aws", error_code="DecryptionFailureException"} 2.0

These are just a few examples.

Use Case

Allow users of the platform to generate time series from their Nautobot instance. In the end this could help troubleshoot and get more insight into their Nautobot platform.
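An added example (not part of the nautobot-secrets-providers project) of how the two counters named above could be recorded around a provider's get-value call and rendered in the text format Prometheus scrapes. The metric names and labels are the ones from the issue; `LabeledCounter` is a small hand-rolled stand-in for `prometheus_client.Counter` so the block runs without that library, and the provider and its failures are constructed.

```python
"""Per-provider secret read and error counters in Prometheus exposition format (added example)."""
from collections import defaultdict


class LabeledCounter:
    """Monotonic counter keyed by label values (stand-in for prometheus_client.Counter)."""

    def __init__(self, name, help_text, label_names):
        self.name, self.help_text, self.label_names = name, help_text, tuple(label_names)
        self._values = defaultdict(float)

    def inc(self, **labels):
        key = tuple(labels[n] for n in self.label_names)  # KeyError if a label is missing
        self._values[key] += 1.0

    def get(self, **labels):
        return self._values.get(tuple(labels[n] for n in self.label_names), 0.0)

    def expose(self):
        """Render HELP/TYPE lines plus one sample per label set, as Prometheus expects."""
        lines = [f"# HELP {self.name} {self.help_text}", f"# TYPE {self.name} counter"]
        for key, value in sorted(self._values.items()):
            labels = ",".join(f'{n}="{v}"' for n, v in zip(self.label_names, key))
            lines.append(f"{self.name}{{{labels}}} {value}")
        return "\n".join(lines)


GET_TOTAL = LabeledCounter(
    "nautobot_secrets_provider_get_value_secrets_total",
    "Secret value lookups per provider", ["provider"])
GET_ERRORS = LabeledCounter(
    "nautobot_secrets_provider_get_value_secrets_errors_total",
    "Failed secret value lookups per provider and error code", ["provider", "error_code"])


class ProviderError(Exception):
    """Constructed provider failure carrying an AWS-style error code."""

    def __init__(self, code):
        super().__init__(code)
        self.code = code


def instrumented_get(provider_slug, fetch, *args):
    """Count the attempt, count any failure by error code, and re-raise unchanged."""
    GET_TOTAL.inc(provider=provider_slug)
    try:
        return fetch(*args)
    except ProviderError as err:
        GET_ERRORS.inc(provider=provider_slug, error_code=err.code)
        raise


def fake_aws_fetch(name):
    """Constructed provider: succeeds for one secret, fails with a decryption error otherwise."""
    if name == "good":
        return "value"
    raise ProviderError("DecryptionFailureException")


def simulate():
    """Drive the wrapper with constructed traffic and return the rendered metrics text."""
    for name in ["good", "good", "bad", "good", "bad"]:
        try:
            instrumented_get("aws", fake_aws_fetch, name)
        except ProviderError:
            pass
    return GET_TOTAL.expose() + "\n" + GET_ERRORS.expose()
```

Keeping `error_code` as a label (rather than putting the message in it) keeps cardinality bounded, which matters once a provider with many callers starts failing; a sudden rise in the errors series relative to the total is the signal an operator would alert on.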

Nautobot Worker fails to start if SecretValueNotFoundError from AWS

Environment

  • Python version: 3.11
  • Nautobot version: 1.6.1
  • secrets version: 1.4.1

We have a Job that is loaded by Nautobot. It in turn loads a secret from AWS; that secret does not exist. Unfortunately, nautobot-server (worker) completely fails to start with exit(1). I haven't had time to reproduce this or see if this is by design but wanted to capture the info here.

Expected Behavior

Nautobot throws a warning about the secret not existing and moves on

Observed Behavior

Nautobot fails to start

Steps to Reproduce

This might do it

  1. Create a secret pointing to a nonexistent AWS Secret (with permissions to read from AWS Secrets Manager)
  2. Create a job that gets the credentials
  3. Start the Nautobot Worker

The documentation and README for the nautobot-plugin-secrets-providers do not reflect the newer 2.x version requirements

Environment

  • Python version: na
  • Nautobot version: 1.6.0
  • nautobot-secrets-providers version: na

Expected Behavior

The documentation should accurately reflect the version requirements of the plugin to prevent confusion and installation issues.

Observed Behavior

The documentation and README for the nautobot-plugin-secrets-providers do not reflect the newer 2.x version requirements. The documentation mentions compatibility with Nautobot 1.4.0 or higher, but the actual plugin installation requires version 2.x. This inconsistency is causing confusion among users.
(refer to screenshot)

Steps to Reproduce

  1. Follow the documentation at https://github.com/nautobot/nautobot-plugin-secrets-providerst .
  2. Attempt to install the plugin with Nautobot 1.6.0
  3. Encounter version compatibility issues.

1Password secrets Provider

Environment

  • Nautobot version: 1.5.19
  • secrets version: 1.4.0

Proposed Functionality

We should look at using 1Password as a secrets provider.

Use Case

Some people store secrets in 1password

Change Links on Homepage to Reference Delinea

Environment

  • Python version: 3.9
  • Nautobot version: 1.4.10
  • secrets version: 1.3

Expected Behavior

All former Thycotic links should reference Delinea

Observed Behavior

Thycotic Links still active

Steps to Reproduce

  1. Open Plugin Homepage
  2. Click on Delinea/Thycotic Links

Plugin `home_view_name` view is out of date

Environment

  • Python version: 3.10
  • Nautobot version: 1.4.5
  • secrets version: 1.3.0

Expected Behavior

When visiting the page /plugins/secrets/ which is the plugin's home_view_name the page should be up to date.

Observed Behavior

The view is outdated based on the README in this repo.

Steps to Reproduce

  1. Go to /plugin/secrets/

CI is failing

Environment

  • Python version:
  • Nautobot version:
  • secrets version:

Expected Behavior

CI to be passing

Observed Behavior

CI is failing:

$ INVOKE_NAUTOBOT_SECRETS_PROVIDERS_PYTHON_VER=$TRAVIS_PYTHON_VERSION invoke build --no-cache
Building Nautobot with Python 3.6...
Running docker-compose command "build --no-cache"
postgres uses an image, skipping
docs uses an image, skipping
vault uses an image, skipping
redis uses an image, skipping
worker uses an image, skipping
Building nautobot
Sending build context to Docker daemon  228.4kB
Step 1/14 : ARG NAUTOBOT_VER="1.0.1"
Step 2/14 : ARG PYTHON_VER=3.8
Step 3/14 : FROM ghcr.io/nautobot/nautobot-dev:${NAUTOBOT_VER}-py${PYTHON_VER}
manifest unknown
Service 'nautobot' failed to build : Build failed
The command "INVOKE_NAUTOBOT_SECRETS_PROVIDERS_PYTHON_VER=$TRAVIS_PYTHON_VERSION invoke build --no-cache" exited with 1.

Delinea - Returns HTTP403 for Rate Limited Users/Keys, Need to Add Workaround

Environment

  • Python version: Not applicable
  • Nautobot version: Not applicable
  • secrets version: 1.4.1

Expected Behavior

Expected to get a secret from Secret Server

Observed Behavior

Getting HTTP403 messages after a rate limiting happens. This should be a HTTP429 that we can then act on. However, that is not the behavior of the product.

Would like to see a rate limiting backoff applied to the Delinea plugin, although I'm not quite sure where we have a response code. It doesn't look like we currently check the response code.

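An added example (not code from the nautobot-secrets-providers Delinea provider) of the backoff the issue above asks for. Because Secret Server answers a rate-limited user or key with HTTP 403 instead of 429, the client cannot rely on the status code alone to tell "throttled" from "forbidden"; the policy below retries 403 only a bounded number of times with exponential, jittered backoff and then re-raises, so a genuine authorization failure still surfaces after a short delay rather than being retried forever. It goes slightly beyond the issue by also retrying 429 and 503. `FlakyServer` is a constructed stand-in for the SDK call; `sleep` and `rng` are injectable so the behaviour is testable without waiting.

```python
"""Bounded retry with backoff for a Secret Server fetch that reports throttling as 403 (added example)."""
import random
import time


class SecretServerHTTPError(Exception):
    """Constructed: an HTTP-level failure from the Secret Server SDK call."""

    def __init__(self, status, body=""):
        super().__init__(f"HTTP {status}: {body}")
        self.status = status


# 403 is included only because of Delinea's rate-limit behaviour described in the issue.
RETRYABLE_STATUSES = {403, 429, 503}


def fetch_with_backoff(fetch, *, max_attempts=5, base_delay=0.5, max_delay=8.0,
                       sleep=time.sleep, rng=random.random):
    """Call fetch(); on a retryable status wait base_delay * 2**n (capped, jittered) and retry.

    Gives up after max_attempts and re-raises the last error, so a real 403 is not hidden.
    """
    for attempt in range(1, max_attempts + 1):
        try:
            return fetch()
        except SecretServerHTTPError as err:
            if err.status not in RETRYABLE_STATUSES or attempt == max_attempts:
                raise
            # Full jitter in the range 0.5x..1.5x of the exponential step.
            delay = min(max_delay, base_delay * 2 ** (attempt - 1)) * (0.5 + rng())
            sleep(delay)
    raise AssertionError("unreachable: loop always returns or raises")


class FlakyServer:
    """Constructed stand-in: fails with `status` for the first `failures` calls, then succeeds."""

    def __init__(self, failures, status=403):
        self.failures, self.status, self.calls = failures, status, 0

    def __call__(self):
        self.calls += 1
        if self.calls <= self.failures:
            raise SecretServerHTTPError(self.status, "rate limited")
        return {"id": 42, "secret": "constructed-value"}
```

Logging each retried 403 with the attempt number gives operators a way to tell throttling apart from a permissions change in the Secret Server audit trail, since the status code alone will not.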
Add Support for Vault Engine Mountpoints (path)

HVAC defaults to the mountpoint "secret" so without specifying the path we cannot access secrets from any path other than "secret"

This could be added as another Parameter under the secret called mountpoint and passed through to hvac when reading the secret

read_secret_version(path, version=None, mount_point='secret')
Documentation Ref

Add AWS SSM Parameter Store

Environment

  • Nautobot version: 1.2.11
  • secrets version: 1.3.0

Hello team, thank you in advance for your time.

Proposed Functionality

Add support for AWS Parameter Store.
Parameter store is very cheap compared to Secret manager (by 8 times) and offers the same encryption and versioning capabilities.
Parameter store is not by default key / value oriented but it can be.
In order to use it as any ordinary key/value storage, we just need to set a json in the parameter value.
I have a working branch based on v1.3.0 with tests ready covering 91% : see https://github.com/kacem-expereo/nautobot-plugin-secrets-providers/tree/aws_ssm_parameter_store
(was not able to use the develop branch, I have a similar issue as :#49) .

Use Case

We have two nautobot secrets with parameters Name / Region / Key (the first one has "username" as key the second one "password")
We have a Parameter in AWS SSM which is a SecureString containing the following Value : {"username":"MyUser","password":"MyPassword"}
"username" and "password" refer here to the Nautobot secret key.
AWS parameter store is now used as a Key / Value secret backend.
A function "get_value_for_secret(secret)" allows other plugins to fetch the secret from SSM.

Kindly,

Allow changing Hashicorp Default mount point in config

Environment

  • Nautobot version: 1.3.9
  • secrets version: latest

Proposed Functionality

Allow changing the Hashicorp DEFAULT_MOUNT_POINT as part of the PLUGIN_CONFIG.

Use Case

If a user has a non-default mount for kv secrets in vault, such as secrets instead of secret, every time they create a new secret they need to remember to change secret to secrets, which is painful. We should allow them to override this value.
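An added example (not the project's hashicorp.py) that serves both Vault requests on this page: the per-secret mount point parameter passed through to hvac's `read_secret_version(path, version=None, mount_point='secret')` (the "Add Support for Vault Engine Mountpoints" issue) and a `DEFAULT_MOUNT_POINT` override in the plugin config (this issue). Precedence is secret parameter, then plugin config, then hvac's own default of "secret". `FakeKvV2` is a constructed stand-in for `hvac.Client().secrets.kv.v2` with the same method signature and response nesting, so the block runs offline; the config key name `DEFAULT_MOUNT_POINT` is taken from the issue.

```python
"""Resolving the Vault KV v2 mount point with a configurable default (added example)."""

HVAC_DEFAULT_MOUNT_POINT = "secret"  # hvac's built-in default, as noted in the issue


def resolve_mount_point(secret_parameters, plugin_config):
    """Secret-level parameter wins, then the plugin config default, then hvac's default.

    An empty string (a blank form field) falls through to the next level.
    """
    mount_point = (
        secret_parameters.get("mount_point")
        or plugin_config.get("DEFAULT_MOUNT_POINT")
        or HVAC_DEFAULT_MOUNT_POINT
    )
    return mount_point.strip("/")  # hvac wants a bare mount name, no leading/trailing slash


class FakeKvV2:
    """Constructed stand-in for hvac's client.secrets.kv.v2 backed by an in-memory dict of mounts."""

    def __init__(self, mounts):
        self._mounts = mounts
        self.calls = []  # (path, version, mount_point) for every read, for inspection

    def read_secret_version(self, path, version=None, mount_point="secret"):
        self.calls.append((path, version, mount_point))
        try:
            data = self._mounts[mount_point][path]
        except KeyError as err:
            raise KeyError(f"no secret at {mount_point}/{path}") from err
        return {"data": {"data": data}}  # KV v2 nests the user data two levels down


def get_value_for_secret(kv, secret_parameters, plugin_config):
    """Read one key from a KV v2 secret, honouring the resolved mount point."""
    mount_point = resolve_mount_point(secret_parameters, plugin_config)
    response = kv.read_secret_version(path=secret_parameters["path"], mount_point=mount_point)
    return response["data"]["data"][secret_parameters["key"]]
```

Making the default configurable rather than hard-coding "secret" removes the recurring chance that a secret silently points at the wrong engine; the per-secret parameter still allows one deployment to read from several mounts.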

Delinea login error misleading

Environment

  • Python version: n/a
  • Nautobot version: 1.5.24
  • secrets version: 1.4.1

Expected Behavior

If the server is returning an error, the error should be shown. The actual error is obscured by a 'Secret Not Found' which is a symptom of an issue reaching the server.

Observed Behavior

'Secret Not found'

Steps to Reproduce

  1. Configure access to delinea
  2. With an allowed list, do not add the Nautobot server
  3. Attempt to retrieve a secret
  4. See error

Traceback when installing nautobot-secrets-providers[thycotic]

Environment

  • Python version: 3.9
  • Nautobot version: 1.3.5
  • secrets version: 1.2.0

Expected Behavior

Nautobot will start

Observed Behavior

Traceback on start

$ invoke post-upgrade
Running docker-compose command "ps --services --filter status=running"
Running docker-compose command "run --entrypoint 'nautobot-server post_upgrade' nautobot"
Creating nautobot_livedata_nautobot_run ... done
Traceback (most recent call last):
  File "/usr/local/bin/nautobot-server", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.9/site-packages/nautobot/core/cli.py", line 54, in main
    run_app(
  File "/usr/local/lib/python3.9/site-packages/nautobot/core/runner/runner.py", line 266, in run_app
    management.execute_from_command_line([runner_name, command] + command_args)
  File "/usr/local/lib/python3.9/site-packages/django/core/management/__init__.py", line 419, in execute_from_command_line
    utility.execute()
  File "/usr/local/lib/python3.9/site-packages/django/core/management/__init__.py", line 395, in execute
    django.setup()
  File "/usr/local/lib/python3.9/site-packages/django/__init__.py", line 24, in setup
    apps.populate(settings.INSTALLED_APPS)
  File "/usr/local/lib/python3.9/site-packages/django/apps/registry.py", line 122, in populate
    app_config.ready()
  File "/usr/local/lib/python3.9/site-packages/nautobot/extras/plugins/__init__.py", line 104, in ready
    urlpatterns = import_object(f"{self.__module__}.urls.urlpatterns")
  File "/usr/local/lib/python3.9/site-packages/nautobot/extras/plugins/utils.py", line 45, in import_object
    spec.loader.exec_module(module)
  File "<frozen importlib._bootstrap_external>", line 850, in exec_module
  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
  File "/usr/local/lib/python3.9/site-packages/nautobot_secrets_providers/urls.py", line 4, in <module>
    from nautobot_secrets_providers import views
  File "/usr/local/lib/python3.9/site-packages/nautobot_secrets_providers/views.py", line 5, in <module>
    from nautobot_secrets_providers import secrets
  File "/usr/local/lib/python3.9/site-packages/nautobot_secrets_providers/secrets.py", line 8, in <module>
    from nautobot_secrets_providers import providers
  File "/usr/local/lib/python3.9/site-packages/nautobot_secrets_providers/providers/__init__.py", line 4, in <module>
    from .hashicorp import HashiCorpVaultSecretsProvider
  File "/usr/local/lib/python3.9/site-packages/nautobot_secrets_providers/providers/hashicorp.py", line 19, in <module>
    class HashiCorpVaultSecretsProvider(SecretsProvider):
  File "/usr/local/lib/python3.9/site-packages/nautobot_secrets_providers/providers/hashicorp.py", line 26, in HashiCorpVaultSecretsProvider
    class ParametersForm(BootstrapMixin, forms.Form):
  File "/usr/local/lib/python3.9/site-packages/nautobot_secrets_providers/providers/hashicorp.py", line 39, in ParametersForm
    help_text=f"The path where the secret engine was mounted on (Default: <code>{DEFAULT_MOUNT_POINT}</code>)",
NameError: name 'DEFAULT_MOUNT_POINT' is not defined

Workaround: pip install nautobot-secrets-providers[thycotic,hashicorp]

Steps to Reproduce

  1. install Nautobot with Secrets plugin
  2. nautobot-secrets-providers[thycotic]
  3. invoke post_upgrade

`inv build` results in errors

Environment

  • Python version: 3.7
  • Nautobot version: 1.2.1 (default by inventory/poetry)
  • secrets version: 1.3.0
  • poetry version: 1.2.1

Expected Behavior

Containers should build successfully and I can launch the dev environment with inv debug/start.

Observed Behavior

The build fails. After working through these dependency issues, docker-compose cannot pull the Vault image.

Steps to Reproduce

  1. Pull down latest repo, make sure the develop branch is active
  2. execute poetry shell then poetry install
  3. execute inv build

View build error, which appears to be downstream dependency conflict issue:

Updating dependencies
#10 147.5 Resolving dependencies...
#10 298.4 
#10 298.4   SolverProblemError
#10 298.4 
#10 298.4       Because no versions of black match <22.1.0 || >22.1.0,<22.3.0 || >22.3.0,<22.6.0 || >22.6.0,<22.8.0 || >22.8.0
#10 298.4    and black (22.1.0) depends on click (>=8.0.0), black (<22.3.0 || >22.3.0,<22.6.0 || >22.6.0,<22.8.0 || >22.8.0) requires click (>=8.0.0).
#10 298.4       And because black (22.3.0) depends on click (>=8.0.0), black (<22.6.0 || >22.6.0,<22.8.0 || >22.8.0) requires click (>=8.0.0).
#10 298.4   (1) So, because black (22.6.0) depends on click (>=8.0.0)
#10 298.4    and black (22.8.0) depends on click (>=8.0.0), every version of black requires click (>=8.0.0).
#10 298.4   
#10 298.4       Because no versions of celery match >5.1.0,<5.1.1 || >5.1.1,<5.1.2 || >5.1.2,<5.2.0
#10 298.4    and celery (5.1.0) depends on click (>=7.0,<8.0), celery (>=5.1.0,<5.1.1 || >5.1.1,<5.1.2 || >5.1.2,<5.2.0) requires click (>=7.0,<8.0).
#10 298.4       And because celery (5.1.1) depends on click (>=7.0,<8.0)
#10 298.4    and celery (5.1.2) depends on click (>=7.0,<8.0), celery (>=5.1.0,<5.2.0) requires click (>=7.0,<8.0).
#10 298.4       And because every version of black requires click (>=8.0.0) (1), black is incompatible with celery (>=5.1.0,<5.2.0)
#10 298.4       And because nautobot (1.2.1) depends on celery (>=5.1.0,<5.2.0), black is incompatible with nautobot (1.2.1).
#10 298.4       So, because nautobot-secrets-providers depends on both nautobot (1.2.1) and black (*), version solving failed.
#10 298.4 
#10 298.4   at ~/.local/share/pypoetry/venv/lib/python3.7/site-packages/poetry/puzzle/solver.py:241 in _solve
#10 298.4       237│             packages = result.packages
#10 298.4       238│         except OverrideNeeded as e:
#10 298.4       239│             return self.solve_in_compatibility_mode(e.overrides, use_latest=use_latest)
#10 298.4       240│         except SolveFailure as e:
#10 298.4     → 241│             raise SolverProblemError(e)
#10 298.4       242│ 
#10 298.4       243│         results = dict(
#10 298.4       244│             depth_first_search(
#10 298.4       245│                 PackageNode(self._package, packages), aggregate_package_nodes
#10 ERROR: executor failed running [/bin/sh -c poetry self update &&     poetry add nautobot=$NAUTOBOT_VER &&     poetry update --lock &&     poetry install --no-interaction --no-ansi --no-root]: exit code: 1
------
 > [ 6/10] RUN poetry self update &&     poetry add nautobot=1.2.1 &&     poetry update --lock &&     poetry install --no-interaction --no-ansi --no-root:
#10 298.4   at ~/.local/share/pypoetry/venv/lib/python3.7/site-packages/poetry/puzzle/solver.py:241 in _solve
#10 298.4       237│             packages = result.packages
#10 298.4       238│         except OverrideNeeded as e:
#10 298.4       239│             return self.solve_in_compatibility_mode(e.overrides, use_latest=use_latest)
#10 298.4       240│         except SolveFailure as e:
#10 298.4     → 241│             raise SolverProblemError(e)
#10 298.4       242│ 
#10 298.4       243│         results = dict(
#10 298.4       244│             depth_first_search(
#10 298.4       245│                 failed to solve: executor failed running [/bin/sh -c poetry self update &&     poetry add nautobot=$NAUTOBOT_VER &&     poetry update --lock &&     poetry install --no-interaction --no-ansi --no-root]: exit code: 1
PackageNode(self._package, packages), aggregate_package_nodes

After moving Nautobot to 1.2.11, we run into issues pulling the vault image

inv debug
Starting Nautobot in debug mode...
Running docker-compose command "up"
vault Pulling 
vault Error 
Error response from daemon: Head "https://registry-1.docker.io/v2/library/vault/manifests/latest": unauthorized: incorrect username or password

Add Thycotic Secret Server plugin

Environment

  • Nautobot version: 1.2.4
  • secrets version: 1.0.0

Proposed Functionality

Add a plugin to support Thycotic Secret Server

Use Case

Use Thycotic Secret Server as a plugin to query for usernames, passwords, ...

invoke build --no-cache failed

Environment

  • Python version: 3.7 (tasks.py default)
  • Nautobot version: 1.2.1 (tasks.py default)
  • secrets version: 1.3.0

Expected Behavior

Build would succeed with an unmodified environment

I cross-checked it with git diff upstream/develop

Observed Behavior

Build failed

$ invoke build --no-cache
Building Nautobot with Python 3.7...
Running docker-compose command "build --no-cache"
vault uses an image, skipping
redis uses an image, skipping
docs uses an image, skipping
postgres uses an image, skipping
celery_worker uses an image, skipping
Building nautobot
Sending build context to Docker daemon   9.09MB
Step 1/16 : ARG NAUTOBOT_VER="1.2.1"
Step 2/16 : ARG PYTHON_VER=3.8
Step 3/16 : FROM ghcr.io/nautobot/nautobot-dev:${NAUTOBOT_VER}-py${PYTHON_VER}
 ---> 9a06fdc0c78c
Step 4/16 : ARG NAUTOBOT_VER="1.2.1"
 ---> Running in 1c8a777460d1
Removing intermediate container 1c8a777460d1
 ---> edb749e97d88
Step 5/16 : ENV prometheus_multiproc_dir=/prom_cache
 ---> Running in 57b364476a6f
Removing intermediate container 57b364476a6f
 ---> 3b0e74772824
Step 6/16 : ARG NAUTOBOT_ROOT=/opt/nautobot
 ---> Running in 671480cceea2
Removing intermediate container 671480cceea2
 ---> 46f017e4f31e
Step 7/16 : ENV NAUTOBOT_ROOT ${NAUTOBOT_ROOT}
 ---> Running in 39ae85ec8a1d
Removing intermediate container 39ae85ec8a1d
 ---> a2327f79180e
Step 8/16 : WORKDIR $NAUTOBOT_ROOT
 ---> Running in 2e37d97e9138
Removing intermediate container 2e37d97e9138
 ---> 1719d2f3d744
Step 9/16 : RUN poetry config virtualenvs.create false     && poetry config installer.parallel false
 ---> Running in e9fc6f923678
Removing intermediate container e9fc6f923678
 ---> 6e67a58995d1
Step 10/16 : WORKDIR /tmp
 ---> Running in cee88d07ead6
Removing intermediate container cee88d07ead6
 ---> 792c22dd10c3
Step 11/16 : COPY poetry.lock pyproject.toml /tmp/
 ---> 18ca5f0e6ea4
Step 12/16 : RUN poetry self update &&     poetry add nautobot=$NAUTOBOT_VER &&     poetry update --lock &&     poetry install --no-interaction --no-ansi --no-root
 ---> Running in 6c39d7aab76b
Updating Poetry to 1.3.1

Updating dependencies
Resolving dependencies...

Package operations: 31 installs, 15 updates, 0 removals

  - Updating cffi (1.15.0 -> 1.15.1)
  - Updating typing-extensions (4.0.1 -> 4.4.0)
  - Updating zipp (3.6.0 -> 3.11.0)
  - Updating certifi (2021.10.8 -> 2022.12.7)
  - Installing charset-normalizer (2.1.1)
  - Updating cryptography (36.0.1 -> 38.0.4)
  - Updating idna (2.10 -> 3.4)
  - Updating importlib-metadata (4.4.0 -> 4.13.0)
  - Installing jeepney (0.8.0)
  - Installing more-itertools (9.0.0)
  - Updating urllib3 (1.26.7 -> 1.26.13)
  - Updating attrs (21.2.0 -> 22.1.0)
  - Installing crashtest (0.4.1)
  - Installing distlib (0.3.6)
  - Installing filelock (3.8.2)
  - Installing importlib-resources (5.10.1)
  - Installing jaraco.classes (3.2.3)
  - Installing msgpack (1.0.4)
  - Installing pkgutil-resolve-name (1.3.10)
  - Updating platformdirs (2.4.0 -> 2.6.0)
  - Installing poetry-core (1.4.0)
  - Installing ptyprocess (0.7.0)
  - Updating pyrsistent (0.18.0 -> 0.19.2)
  - Installing rapidfuzz (2.13.6)
  - Updating requests (2.25.1 -> 2.28.1)
  - Installing secretstorage (3.3.3)
  - Installing webencodings (0.5.1)
  - Installing backports.cached-property (1.0.2)
  - Installing cachecontrol (0.12.12)
  - Installing cleo (2.0.1)
  - Installing dulwich (0.20.50)
  - Installing html5lib (1.1)
  - Updating jsonschema (3.2.0 -> 4.17.3)
  - Installing keyring (23.11.0)
  - Installing lockfile (0.12.2)
  - Updating packaging (21.3 -> 22.0)
  - Installing pexpect (4.8.0)
  - Installing pkginfo (1.9.2)
  - Installing poetry-plugin-export (1.2.0)
  - Installing requests-toolbelt (0.10.1)
  - Installing shellingham (1.5.0)
  - Updating tomli (1.2.3 -> 2.0.1)
  - Installing tomlkit (0.11.6)
  - Installing trove-classifiers (2022.12.1)
  - Installing virtualenv (20.17.1)
  - Installing poetry (1.3.1)

Updating the poetry script

Poetry (1.3.1) is installed now. Great!
Skipping virtualenv creation, as specified in config file.

Updating dependencies
Resolving dependencies...

  SolverProblemError

      Because no versions of black match <22.1.0 || >22.1.0,<22.3.0 || >22.3.0,<22.6.0 || >22.6.0,<22.8.0 || >22.8.0,<22.10.0 || >22.10.0,<22.12.0 || >22.12.0
   and black (22.1.0) depends on click (>=8.0.0), black (<22.3.0 || >22.3.0,<22.6.0 || >22.6.0,<22.8.0 || >22.8.0,<22.10.0 || >22.10.0,<22.12.0 || >22.12.0) requires click (>=8.0.0).
      And because black (22.3.0) depends on click (>=8.0.0), black (<22.6.0 || >22.6.0,<22.8.0 || >22.8.0,<22.10.0 || >22.10.0,<22.12.0 || >22.12.0) requires click (>=8.0.0).
      And because black (22.6.0) depends on click (>=8.0.0)
   and black (22.10.0) depends on click (>=8.0.0), black (<22.8.0 || >22.8.0,<22.12.0 || >22.12.0) requires click (>=8.0.0).
  (1) So, because black (22.12.0) depends on click (>=8.0.0)
   and black (22.8.0) depends on click (>=8.0.0), every version of black requires click (>=8.0.0).
  
      Because no versions of celery match >5.1.0,<5.1.1 || >5.1.1,<5.1.2 || >5.1.2,<5.2.0
   and celery (5.1.0) depends on click (>=7.0,<8.0), celery (>=5.1.0,<5.1.1 || >5.1.1,<5.1.2 || >5.1.2,<5.2.0) requires click (>=7.0,<8.0).
      And because celery (5.1.1) depends on click (>=7.0,<8.0)
   and celery (5.1.2) depends on click (>=7.0,<8.0), celery (>=5.1.0,<5.2.0) requires click (>=7.0,<8.0).
      And because every version of black requires click (>=8.0.0) (1), black is incompatible with celery (>=5.1.0,<5.2.0)
      And because nautobot (1.2.1) depends on celery (>=5.1.0,<5.2.0), black is incompatible with nautobot (1.2.1).
      So, because nautobot-secrets-providers depends on both nautobot (1.2.1) and black (*), version solving failed.

  at ~/.local/share/pypoetry/venv/lib/python3.7/site-packages/poetry/puzzle/solver.py:241 in _solve
      237│             packages = result.packages
      238│         except OverrideNeeded as e:
      239│             return self.solve_in_compatibility_mode(e.overrides, use_latest=use_latest)
      240│         except SolveFailure as e:
    → 241│             raise SolverProblemError(e)
      242│ 
      243│         results = dict(
      244│             depth_first_search(
      245│                 PackageNode(self._package, packages), aggregate_package_nodes
The command '/bin/sh -c poetry self update &&     poetry add nautobot=$NAUTOBOT_VER &&     poetry update --lock &&     poetry install --no-interaction --no-ansi --no-root' returned a non-zero code: 1
Service 'nautobot' failed to build : Build failed

Steps to Reproduce

  1. invoke build --no-cache

Allow multiple configurations of the same provider

Environment

  • Nautobot version: 1.5.8
  • secrets version: 1.3.0

Proposed Functionality

Allow multiple configurations for the same secrets provider.

Use Case

In our environment we have multiple hashicorp vault deployments, one for our department and one corporate/enterprise one. I would like to be able to get secrets from both vault deployments.

Thycotic/Delinea doesn't support Token secret type choice

Environment

  • Python version: 3.8
  • Nautobot version: 1.4.2
  • secrets version: 1.3.0

Expected Behavior

Token to be a selectable secret type choice.

Observed Behavior

Token is not one of the available choices.

Steps to Reproduce

  1. Configure a Thycotic secret choosing one of the two Thycotic Provider options.
  2. Under Parameters, in Return Value, Token is not an option.

This may also be a feature, but seems like a missing secret type from Thycotic.

Prepare package for public release

  • Update Dockerfile and invoke versions for v1.2.0 when it is released.
  • Update GH actions to use v1.2.0
  • Implement a CHANGELOG.md if we aren't gonna do docs
  • Perform a poetry update prior to final release

Allow AWS/K8s Authentication methods for Vault

Environment

  • Nautobot version: 1.3.7
  • secrets version: 1.2.0

Proposed Functionality

Hashicorp Vault has several other authentication methods which can be used to authenticate against Vault. The 2 I am proposing here are AWS and Kubernetes. It is possible Nautobot running on an EC2 instance could inherit an IAM role and use that to authenticate to Vault. Similarly it's possible if Nautobot is running in Kubernetes it could use the service account associated with the pod to authenticate.

Use Case

As an SRE I would like to leverage some other authentication methods built into Vault which do not require a token or an app id.

Hashicorp Vault AWS Authentication broken

Environment

  • Python version: 3.10.6
  • Nautobot version: 1.5.20
  • secrets version: 1.4.0
  • hvac version: 1.1.0
  • boto3 version: 1.26.148

Expected Behavior

Nautobot secrets plugin should authenticate to hashicorp vault using AWS credentials

Observed Behavior

Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/nautobot/extras/models/secrets.py", line 94, in get_value
    return provider.get_value_for_secret(self, obj=obj)
  File "/usr/local/lib/python3.10/site-packages/nautobot_secrets_providers/providers/hashicorp.py", line 187, in get_value_for_secret
    client = cls.get_client(secret)
  File "/usr/local/lib/python3.10/site-packages/nautobot_secrets_providers/providers/hashicorp.py", line 154, in get_client
    client.auth.aws.iam_login(
  File "/usr/local/lib/python3.10/site-packages/hvac/api/auth_methods/aws.py", line 754, in iam_login
    auth.add_auth(request)
  File "/usr/local/lib/python3.10/site-packages/hvac/aws_utils.py", line 33, in add_auth
    credential_scope = "/".join(
TypeError: sequence item 1: expected str instance, NoneType found

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/nautobot/extras/jobs.py", line 1233, in _run_job
    output = job.run(data=data, commit=commit)
  File "/usr/local/lib/python3.10/site-packages/nautobot_golden_config/jobs.py", line 50, in inner
    return method(obj, data, commit)
  File "/usr/local/lib/python3.10/site-packages/nautobot_golden_config/jobs.py", line 199, in run
    backup_repos = get_refreshed_repos(job_obj=self, repo_type="backup_repository", data=data)
  File "/usr/local/lib/python3.10/site-packages/nautobot_golden_config/jobs.py", line 35, in get_refreshed_repos
    ensure_git_repository(repo, job_obj.job_result)
  File "/usr/local/lib/python3.10/site-packages/nautobot/extras/datasources/git.py", line 276, in ensure_git_repository
    from_url, to_path, from_branch = get_repo_from_url_to_path_and_from_branch(repository_record)
  File "/usr/local/lib/python3.10/site-packages/nautobot/extras/datasources/git.py", line 227, in get_repo_from_url_to_path_and_from_branch
    token = repository_record.secrets_group.get_secret_value(
  File "/usr/local/lib/python3.10/site-packages/nautobot/extras/models/secrets.py", line 146, in get_secret_value
    return secret.get_value(obj=obj, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/nautobot/extras/models/secrets.py", line 98, in get_value
    raise SecretError(self, provider, str(exc)) from exc
nautobot.extras.secrets.exceptions.SecretError: SecretError: Secret "gitlab_credentials_token" (provider "HashiCorpVaultSecretsProvider"): sequence item 1: expected str instance, NoneType found

I manually walked through the code to figure out what is None it turns out session.region_name specifically from https://github.com/nautobot/nautobot-plugin-secrets-providers/blob/develop/nautobot_secrets_providers/providers/hashicorp.py#L158 is sometimes None from boto3. This argument is not required for a successful login with AWS credentials.
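One defensive way to close the gap the report describes (a boto3 session whose region_name is None reaching the "/".join() in hvac), as an added example that is not the plugin's or hvac's own code; the region precedence order, the STS service name and the credential values are assumptions of this example.

```python
import os
from collections import namedtuple
from typing import Mapping, Optional

# hvac's iam_login() uses this region as its own default; assumed acceptable for STS here.
DEFAULT_REGION = "us-east-1"

# Constructed stand-in for the credentials object boto3's Session.get_credentials() returns.
AwsCredentials = namedtuple("AwsCredentials", ["access_key", "secret_key", "token"])


def resolve_aws_region(session_region: Optional[str],
                       configured_region: Optional[str] = None,
                       environ: Optional[Mapping[str, str]] = None) -> str:
    """Return the first usable region (precedence is an assumption of this example):
    explicit plugin setting, boto3 session, AWS_REGION, AWS_DEFAULT_REGION, default."""
    environ = os.environ if environ is None else environ
    candidates = (configured_region, session_region,
                  environ.get("AWS_REGION"), environ.get("AWS_DEFAULT_REGION"))
    for candidate in candidates:
        if candidate:
            return candidate
    return DEFAULT_REGION


def sigv4_credential_scope(amz_date: str, region: Optional[str], service: str = "sts") -> str:
    """Constructed mirror of the '/'.join() the traceback stops in: with region=None the
    join raises TypeError, so fail early with a message naming the missing input."""
    if not region:
        raise ValueError("AWS region is unset; resolve it before signing the STS request")
    return "/".join([amz_date[0:8], region, service, "aws4_request"])


def build_iam_login_kwargs(creds: AwsCredentials, session_region: Optional[str], role: str,
                           configured_region: Optional[str] = None,
                           environ: Optional[Mapping[str, str]] = None) -> dict:
    """Keyword arguments for hvac.Client().auth.aws.iam_login(); the keys match hvac's
    parameter names, and region is guaranteed to be a non-empty string."""
    return {
        "access_key": creds.access_key,
        "secret_key": creds.secret_key,
        "session_token": creds.token,
        "role": role,
        "region": resolve_aws_region(session_region, configured_region, environ),
    }
```

With this in place the call site passes region explicitly instead of forwarding whatever boto3 reported, so an unconfigured region no longer surfaces as a TypeError from inside hvac.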

Configuration values as secrets slugs

The potential need has arisen to use secrets' slugs for configuration values instead of/as well as hardcoded values for settings such as HashiCorp Vault role_id and/or secret_id.

Support a setting to disable certificate verification

Environment

  • Nautobot version: 1.3.3
  • secrets version: 1.2.0

Proposed Functionality

Implement a setting to allow for disabling of certificate verification. There used to be a workaround on the requests side to set the environment variable CURL_CA_BUNDLE to an empty value, but this is no longer possible as of requests version 2.28.0.

Use Case

In testing environments or during buildout of new environments there might be the need to disable certificate verification because self-signed certificates are used.
