scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-30 18:17:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

plugin/secrets/auth: enable multiplexing (#19215)

Browse Source 
* plugin/auth: enable multiplexing

- the plugin will be multiplexed when run as an external plugin
  by vault versions that support secrets/auth plugin multiplexing (> 1.12)
- we continue to set the TLSProviderFunc to maintain backwards
  compatibility with vault versions that don't support AutoMTLS (< 1.12)

* enable multiplexing for secrets engines

* add changelog

* revert call to ServeMultiplex for pki and transit

* Revert "revert call to ServeMultiplex for pki and transit"

This reverts commit 755be28d14b4c4c4d884d3cf4d2ec003dda579b9.
This commit is contained in:
John-Michael Faircloth
2023-02-16 16:25:15 -06:00
committed by GitHub
parent c2f86ccd2f
commit 4bfc64992a
17 changed files with 69 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
builtin/credential/approle/cmd/approle/main.go
View File

@@ -17,9 +17,11 @@ func main() {
tlsConfig := apiClientMeta.GetTLSConfig() tlsConfig := apiClientMeta.GetTLSConfig()
tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig) tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
if err := plugin.Serve(&plugin.ServeOpts{ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
BackendFactoryFunc: approle.Factory, BackendFactoryFunc: approle.Factory,
TLSProviderFunc: tlsProviderFunc, // set the TLSProviderFunc so that the plugin maintains backwards
// compatibility with Vault versions that dont support plugin AutoMTLS
TLSProviderFunc: tlsProviderFunc,
}); err != nil { }); err != nil {
logger := hclog.New(&hclog.LoggerOptions{}) logger := hclog.New(&hclog.LoggerOptions{})

6
builtin/credential/aws/cmd/aws/main.go
View File

@@ -17,9 +17,11 @@ func main() {
tlsConfig := apiClientMeta.GetTLSConfig() tlsConfig := apiClientMeta.GetTLSConfig()
tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig) tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
if err := plugin.Serve(&plugin.ServeOpts{ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
BackendFactoryFunc: awsauth.Factory, BackendFactoryFunc: awsauth.Factory,
TLSProviderFunc: tlsProviderFunc, // set the TLSProviderFunc so that the plugin maintains backwards
// compatibility with Vault versions that dont support plugin AutoMTLS
TLSProviderFunc: tlsProviderFunc,
}); err != nil { }); err != nil {
logger := hclog.New(&hclog.LoggerOptions{}) logger := hclog.New(&hclog.LoggerOptions{})

6
builtin/credential/cert/cmd/cert/main.go
View File

@@ -17,9 +17,11 @@ func main() {
tlsConfig := apiClientMeta.GetTLSConfig() tlsConfig := apiClientMeta.GetTLSConfig()
tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig) tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
if err := plugin.Serve(&plugin.ServeOpts{ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
BackendFactoryFunc: cert.Factory, BackendFactoryFunc: cert.Factory,
TLSProviderFunc: tlsProviderFunc, // set the TLSProviderFunc so that the plugin maintains backwards
// compatibility with Vault versions that dont support plugin AutoMTLS
TLSProviderFunc: tlsProviderFunc,
}); err != nil { }); err != nil {
logger := hclog.New(&hclog.LoggerOptions{}) logger := hclog.New(&hclog.LoggerOptions{})

6
builtin/credential/github/cmd/github/main.go
View File

@@ -17,9 +17,11 @@ func main() {
tlsConfig := apiClientMeta.GetTLSConfig() tlsConfig := apiClientMeta.GetTLSConfig()
tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig) tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
if err := plugin.Serve(&plugin.ServeOpts{ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
BackendFactoryFunc: github.Factory, BackendFactoryFunc: github.Factory,
TLSProviderFunc: tlsProviderFunc, // set the TLSProviderFunc so that the plugin maintains backwards
// compatibility with Vault versions that dont support plugin AutoMTLS
TLSProviderFunc: tlsProviderFunc,
}); err != nil { }); err != nil {
logger := hclog.New(&hclog.LoggerOptions{}) logger := hclog.New(&hclog.LoggerOptions{})

6
builtin/credential/ldap/cmd/ldap/main.go
View File

@@ -17,9 +17,11 @@ func main() {
tlsConfig := apiClientMeta.GetTLSConfig() tlsConfig := apiClientMeta.GetTLSConfig()
tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig) tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
if err := plugin.Serve(&plugin.ServeOpts{ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
BackendFactoryFunc: ldap.Factory, BackendFactoryFunc: ldap.Factory,
TLSProviderFunc: tlsProviderFunc, // set the TLSProviderFunc so that the plugin maintains backwards
// compatibility with Vault versions that dont support plugin AutoMTLS
TLSProviderFunc: tlsProviderFunc,
}); err != nil { }); err != nil {
logger := hclog.New(&hclog.LoggerOptions{}) logger := hclog.New(&hclog.LoggerOptions{})

6
builtin/credential/okta/cmd/okta/main.go
View File

@@ -17,9 +17,11 @@ func main() {
tlsConfig := apiClientMeta.GetTLSConfig() tlsConfig := apiClientMeta.GetTLSConfig()
tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig) tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
if err := plugin.Serve(&plugin.ServeOpts{ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
BackendFactoryFunc: okta.Factory, BackendFactoryFunc: okta.Factory,
TLSProviderFunc: tlsProviderFunc, // set the TLSProviderFunc so that the plugin maintains backwards
// compatibility with Vault versions that dont support plugin AutoMTLS
TLSProviderFunc: tlsProviderFunc,
}); err != nil { }); err != nil {
logger := hclog.New(&hclog.LoggerOptions{}) logger := hclog.New(&hclog.LoggerOptions{})

6
builtin/credential/radius/cmd/radius/main.go
View File

@@ -17,9 +17,11 @@ func main() {
tlsConfig := apiClientMeta.GetTLSConfig() tlsConfig := apiClientMeta.GetTLSConfig()
tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig) tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
if err := plugin.Serve(&plugin.ServeOpts{ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
BackendFactoryFunc: radius.Factory, BackendFactoryFunc: radius.Factory,
TLSProviderFunc: tlsProviderFunc, // set the TLSProviderFunc so that the plugin maintains backwards
// compatibility with Vault versions that dont support plugin AutoMTLS
TLSProviderFunc: tlsProviderFunc,
}); err != nil { }); err != nil {
logger := hclog.New(&hclog.LoggerOptions{}) logger := hclog.New(&hclog.LoggerOptions{})

6
builtin/credential/userpass/cmd/userpass/main.go
View File

@@ -16,9 +16,11 @@ func main() {
tlsConfig := apiClientMeta.GetTLSConfig() tlsConfig := apiClientMeta.GetTLSConfig()
tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig) tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
if err := plugin.Serve(&plugin.ServeOpts{ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
BackendFactoryFunc: userpass.Factory, BackendFactoryFunc: userpass.Factory,
TLSProviderFunc: tlsProviderFunc, // set the TLSProviderFunc so that the plugin maintains backwards
// compatibility with Vault versions that dont support plugin AutoMTLS
TLSProviderFunc: tlsProviderFunc,
}); err != nil { }); err != nil {
logger := hclog.New(&hclog.LoggerOptions{}) logger := hclog.New(&hclog.LoggerOptions{})

6
builtin/logical/aws/cmd/aws/main.go
View File

@@ -17,9 +17,11 @@ func main() {
tlsConfig := apiClientMeta.GetTLSConfig() tlsConfig := apiClientMeta.GetTLSConfig()
tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig) tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
if err := plugin.Serve(&plugin.ServeOpts{ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
BackendFactoryFunc: aws.Factory, BackendFactoryFunc: aws.Factory,
TLSProviderFunc: tlsProviderFunc, // set the TLSProviderFunc so that the plugin maintains backwards
// compatibility with Vault versions that dont support plugin AutoMTLS
TLSProviderFunc: tlsProviderFunc,
}); err != nil { }); err != nil {
logger := hclog.New(&hclog.LoggerOptions{}) logger := hclog.New(&hclog.LoggerOptions{})

6
builtin/logical/consul/cmd/consul/main.go
View File

@@ -17,9 +17,11 @@ func main() {
tlsConfig := apiClientMeta.GetTLSConfig() tlsConfig := apiClientMeta.GetTLSConfig()
tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig) tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
if err := plugin.Serve(&plugin.ServeOpts{ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
BackendFactoryFunc: consul.Factory, BackendFactoryFunc: consul.Factory,
TLSProviderFunc: tlsProviderFunc, // set the TLSProviderFunc so that the plugin maintains backwards
// compatibility with Vault versions that dont support plugin AutoMTLS
TLSProviderFunc: tlsProviderFunc,
}); err != nil { }); err != nil {
logger := hclog.New(&hclog.LoggerOptions{}) logger := hclog.New(&hclog.LoggerOptions{})

6
builtin/logical/nomad/cmd/nomad/main.go
View File

@@ -17,9 +17,11 @@ func main() {
tlsConfig := apiClientMeta.GetTLSConfig() tlsConfig := apiClientMeta.GetTLSConfig()
tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig) tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
if err := plugin.Serve(&plugin.ServeOpts{ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
BackendFactoryFunc: nomad.Factory, BackendFactoryFunc: nomad.Factory,
TLSProviderFunc: tlsProviderFunc, // set the TLSProviderFunc so that the plugin maintains backwards
// compatibility with Vault versions that dont support plugin AutoMTLS
TLSProviderFunc: tlsProviderFunc,
}); err != nil { }); err != nil {
logger := hclog.New(&hclog.LoggerOptions{}) logger := hclog.New(&hclog.LoggerOptions{})

6
builtin/logical/pki/cmd/pki/main.go
View File

@@ -17,9 +17,11 @@ func main() {
tlsConfig := apiClientMeta.GetTLSConfig() tlsConfig := apiClientMeta.GetTLSConfig()
tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig) tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
if err := plugin.Serve(&plugin.ServeOpts{ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
BackendFactoryFunc: pki.Factory, BackendFactoryFunc: pki.Factory,
TLSProviderFunc: tlsProviderFunc, // set the TLSProviderFunc so that the plugin maintains backwards
// compatibility with Vault versions that dont support plugin AutoMTLS
TLSProviderFunc: tlsProviderFunc,
}); err != nil { }); err != nil {
logger := hclog.New(&hclog.LoggerOptions{}) logger := hclog.New(&hclog.LoggerOptions{})

6
builtin/logical/rabbitmq/cmd/rabbitmq/main.go
View File

@@ -17,9 +17,11 @@ func main() {
tlsConfig := apiClientMeta.GetTLSConfig() tlsConfig := apiClientMeta.GetTLSConfig()
tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig) tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
if err := plugin.Serve(&plugin.ServeOpts{ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
BackendFactoryFunc: rabbitmq.Factory, BackendFactoryFunc: rabbitmq.Factory,
TLSProviderFunc: tlsProviderFunc, // set the TLSProviderFunc so that the plugin maintains backwards
// compatibility with Vault versions that dont support plugin AutoMTLS
TLSProviderFunc: tlsProviderFunc,
}); err != nil { }); err != nil {
logger := hclog.New(&hclog.LoggerOptions{}) logger := hclog.New(&hclog.LoggerOptions{})

6
builtin/logical/ssh/cmd/ssh/main.go
View File

@@ -17,9 +17,11 @@ func main() {
tlsConfig := apiClientMeta.GetTLSConfig() tlsConfig := apiClientMeta.GetTLSConfig()
tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig) tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
if err := plugin.Serve(&plugin.ServeOpts{ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
BackendFactoryFunc: ssh.Factory, BackendFactoryFunc: ssh.Factory,
TLSProviderFunc: tlsProviderFunc, // set the TLSProviderFunc so that the plugin maintains backwards
// compatibility with Vault versions that dont support plugin AutoMTLS
TLSProviderFunc: tlsProviderFunc,
}); err != nil { }); err != nil {
logger := hclog.New(&hclog.LoggerOptions{}) logger := hclog.New(&hclog.LoggerOptions{})

6
builtin/logical/totp/cmd/totp/main.go
View File

@@ -17,9 +17,11 @@ func main() {
tlsConfig := apiClientMeta.GetTLSConfig() tlsConfig := apiClientMeta.GetTLSConfig()
tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig) tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
if err := plugin.Serve(&plugin.ServeOpts{ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
BackendFactoryFunc: totp.Factory, BackendFactoryFunc: totp.Factory,
TLSProviderFunc: tlsProviderFunc, // set the TLSProviderFunc so that the plugin maintains backwards
// compatibility with Vault versions that dont support plugin AutoMTLS
TLSProviderFunc: tlsProviderFunc,
}); err != nil { }); err != nil {
logger := hclog.New(&hclog.LoggerOptions{}) logger := hclog.New(&hclog.LoggerOptions{})

6
builtin/logical/transit/cmd/transit/main.go
View File

@@ -17,9 +17,11 @@ func main() {
tlsConfig := apiClientMeta.GetTLSConfig() tlsConfig := apiClientMeta.GetTLSConfig()
tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig) tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
if err := plugin.Serve(&plugin.ServeOpts{ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
BackendFactoryFunc: transit.Factory, BackendFactoryFunc: transit.Factory,
TLSProviderFunc: tlsProviderFunc, // set the TLSProviderFunc so that the plugin maintains backwards
// compatibility with Vault versions that dont support plugin AutoMTLS
TLSProviderFunc: tlsProviderFunc,
}); err != nil { }); err != nil {
logger := hclog.New(&hclog.LoggerOptions{}) logger := hclog.New(&hclog.LoggerOptions{})

5
changelog/19215.txt Normal file
View File

@@ -0,0 +1,5 @@
```release-note:feature
**Secrets/Auth Plugin Multiplexing**: The plugin will be multiplexed when run
as an external plugin by vault versions that support secrets/auth plugin
multiplexing (> 1.12)
```