Storage convertor + Hashicorp Vault - Not decrypting

[Karl Austin]

Hi,

I opened a Git Issue for this a while back now, but as it's had no traction I thought I'd ask in here instead and see if anyone has been able to work around the issue.

The issue we are seeing is that when using the jasypt-encryption storage convertor in conjunction with Hashicorp Vault for secrets storage, the data is not being decrypted when accessed.  It gets encrypted on the way in to Vault, but then stays that way.

We can see from enabling debug logging for operations, that the SSH keys we are storing are not being decrypted before the executor tries to use them.  If we disable encryption then it's all fine.  If we switch back to the default secrets storage mechanism then data is decrypted fine.

I'd love to get Rundeck running, as it fits what we need to do right now in terms of running a mix of job types and not needing to run K8S just to bootstrap it, so any help would be much appreciated.

Ref: https://github.com/rundeck-plugins/vault-storage/issues/48

Someone else with the same issue: https://github.com/rundeck/rundeck/issues/8205

Thanks,

Karl

[rac...@rundeck.com]

Hello, Karl.

The plugin currently does not work with a Rundeck Storage Converter layer (I tried the same configuration and saw the same behavior). I recommend that you remove that configuration and let Vault handle key encryption in this manner.

Thank you for bringing this up; I believe it could be a valid reason for an enhacement.

Regards!

[Karl Austin]

Ah, that'd explain it. Might be worth adding a note into the docs to that effect?  As I'm not the only one caught out on this.  I tend to go for belt & braces where it's presented, just in case the worst happens.

Thanks,

Karl