mirror of
https://github.com/optim-enterprises-bv/vault.git
synced 2025-10-30 18:17:55 +00:00
Add -dev-auto-seal option (#5629)
* adding a -dev-auto-seal option * adding logger to TestSeal
This commit is contained in:
Chris Hoffman
@@ -108,7 +108,7 @@ func TestSealMigration(t *testing.T) {
|
||||
|
||||
core := cluster.Cores[0].Core
|
||||
|
||||
newSeal := vault.NewAutoSeal(&seal.TestSeal{})
|
||||
newSeal := vault.NewAutoSeal(seal.NeweTestSeal(logger))
|
||||
newSeal.SetCore(core)
|
||||
autoSeal = newSeal
|
||||
if err := adjustCoreForSealMigration(context.Background(), core, coreConfig, newSeal, &server.Config{
|
||||
|
||||
@@ -47,6 +47,7 @@ import (
|
||||
"github.com/hashicorp/vault/logical"
|
||||
"github.com/hashicorp/vault/physical"
|
||||
"github.com/hashicorp/vault/vault"
|
||||
vaultseal "github.com/hashicorp/vault/vault/seal"
|
||||
"github.com/hashicorp/vault/version"
|
||||
)
|
||||
|
||||
@@ -96,6 +97,7 @@ type ServerCommand struct {
|
||||
flagDevThreeNode bool
|
||||
flagDevFourCluster bool
|
||||
flagDevTransactional bool
|
||||
flagDevAutoSeal bool
|
||||
flagTestVerifyOnly bool
|
||||
flagCombineLogs bool
|
||||
}
|
||||
@@ -247,6 +249,13 @@ func (c *ServerCommand) Flags() *FlagSets {
|
||||
Hidden: true,
|
||||
})
|
||||
|
||||
f.BoolVar(&BoolVar{
|
||||
Name: "dev-auto-seal",
|
||||
Target: &c.flagDevAutoSeal,
|
||||
Default: false,
|
||||
Hidden: true,
|
||||
})
|
||||
|
||||
f.BoolVar(&BoolVar{
|
||||
Name: "dev-skip-init",
|
||||
Target: &c.flagDevSkipInit,
|
||||
@@ -346,7 +355,7 @@ func (c *ServerCommand) Run(args []string) int {
|
||||
allLoggers := []log.Logger{c.logger}
|
||||
|
||||
// Automatically enable dev mode if other dev flags are provided.
|
||||
if c.flagDevHA || c.flagDevTransactional || c.flagDevLeasedKV || c.flagDevThreeNode || c.flagDevFourCluster {
|
||||
if c.flagDevHA || c.flagDevTransactional || c.flagDevLeasedKV || c.flagDevThreeNode || c.flagDevFourCluster || c.flagDevAutoSeal {
|
||||
c.flagDev = true
|
||||
}
|
||||
|
||||
@@ -473,7 +482,7 @@ func (c *ServerCommand) Run(args []string) int {
|
||||
info["log level"] = c.flagLogLevel
|
||||
infoKeys = append(infoKeys, "log level")
|
||||
|
||||
sealType := "shamir"
|
||||
sealType := vaultseal.Shamir
|
||||
if config.Seal != nil || os.Getenv("VAULT_SEAL_TYPE") != "" {
|
||||
if config.Seal == nil {
|
||||
sealType = os.Getenv("VAULT_SEAL_TYPE")
|
||||
@@ -482,14 +491,21 @@ func (c *ServerCommand) Run(args []string) int {
|
||||
}
|
||||
}
|
||||
|
||||
sealLogger := c.logger.Named(sealType)
|
||||
allLoggers = append(allLoggers, sealLogger)
|
||||
seal, sealConfigError := serverseal.ConfigureSeal(config, &infoKeys, &info, sealLogger, vault.NewDefaultSeal())
|
||||
if sealConfigError != nil {
|
||||
if !errwrap.ContainsType(sealConfigError, new(logical.KeyNotFoundError)) {
|
||||
c.UI.Error(fmt.Sprintf(
|
||||
"Error parsing Seal configuration: %s", sealConfigError))
|
||||
return 1
|
||||
var seal vault.Seal
|
||||
var sealConfigError error
|
||||
if c.flagDevAutoSeal {
|
||||
sealLogger := c.logger.Named(vaultseal.Test)
|
||||
seal = vault.NewAutoSeal(vaultseal.NewTestSeal(sealLogger))
|
||||
} else {
|
||||
sealLogger := c.logger.Named(sealType)
|
||||
allLoggers = append(allLoggers, sealLogger)
|
||||
seal, sealConfigError = serverseal.ConfigureSeal(config, &infoKeys, &info, sealLogger, vault.NewDefaultSeal())
|
||||
if sealConfigError != nil {
|
||||
if !errwrap.ContainsType(sealConfigError, new(logical.KeyNotFoundError)) {
|
||||
c.UI.Error(fmt.Sprintf(
|
||||
"Error parsing Seal configuration: %s", sealConfigError))
|
||||
return 1
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1007,7 +1023,7 @@ CLUSTER_SYNTHESIS_COMPLETE:
|
||||
"The recovery key and root token are displayed below in case you want " +
|
||||
"to seal/unseal the Vault or re-authenticate."))
|
||||
c.UI.Warn("")
|
||||
c.UI.Warn(fmt.Sprintf("Unseal Key: %s", base64.StdEncoding.EncodeToString(init.RecoveryShares[0])))
|
||||
c.UI.Warn(fmt.Sprintf("Recovery Key: %s", base64.StdEncoding.EncodeToString(init.RecoveryShares[0])))
|
||||
}
|
||||
|
||||
c.UI.Warn(fmt.Sprintf("Root Token: %s", init.RootToken))
|
||||
|
||||
@@ -747,17 +747,6 @@ func parseSeal(result *Config, list *ast.ObjectList, blockName string) error {
|
||||
key = item.Keys[0].Token.Value().(string)
|
||||
}
|
||||
|
||||
// Valid parameter for the Seal types
|
||||
switch key {
|
||||
case "pkcs11":
|
||||
case "alicloudkms":
|
||||
case "awskms":
|
||||
case "gcpckms":
|
||||
case "azurekeyvault":
|
||||
default:
|
||||
return fmt.Errorf("invalid seal type %q", key)
|
||||
}
|
||||
|
||||
var m map[string]string
|
||||
if err := hcl.DecodeObject(&m, item.Val); err != nil {
|
||||
return multierror.Prefix(err, fmt.Sprintf("%s.%s:", blockName, key))
|
||||
|
||||
@@ -7,13 +7,14 @@ import (
|
||||
log "github.com/hashicorp/go-hclog"
|
||||
"github.com/hashicorp/vault/command/server"
|
||||
"github.com/hashicorp/vault/vault"
|
||||
"github.com/hashicorp/vault/vault/seal"
|
||||
)
|
||||
|
||||
var (
|
||||
ConfigureSeal func(*server.Config, *[]string, *map[string]string, log.Logger, vault.Seal) (vault.Seal, error) = configureSeal
|
||||
)
|
||||
|
||||
func configureSeal(config *server.Config, infoKeys *[]string, info *map[string]string, logger log.Logger, inseal vault.Seal) (seal vault.Seal, err error) {
|
||||
func configureSeal(config *server.Config, infoKeys *[]string, info *map[string]string, logger log.Logger, inseal vault.Seal) (outseal vault.Seal, err error) {
|
||||
if config.Seal != nil || os.Getenv("VAULT_SEAL_TYPE") != "" {
|
||||
if config.Seal == nil {
|
||||
config.Seal = &server.Seal{
|
||||
@@ -21,19 +22,19 @@ func configureSeal(config *server.Config, infoKeys *[]string, info *map[string]s
|
||||
}
|
||||
}
|
||||
switch config.Seal.Type {
|
||||
case "alicloudkms":
|
||||
case seal.AliCloudKMS:
|
||||
return configureAliCloudKMSSeal(config, infoKeys, info, logger, inseal)
|
||||
|
||||
case "awskms":
|
||||
case seal.AWSKMS:
|
||||
return configureAWSKMSSeal(config, infoKeys, info, logger, inseal)
|
||||
|
||||
case "gcpckms":
|
||||
case seal.GCPCKMS:
|
||||
return configureGCPCKMSSeal(config, infoKeys, info, logger, inseal)
|
||||
|
||||
case "azurekeyvault":
|
||||
case seal.AzureKeyVault:
|
||||
return configureAzureKeyVaultSeal(config, infoKeys, info, logger, inseal)
|
||||
|
||||
case "pkcs11":
|
||||
case seal.PKCS11:
|
||||
return nil, fmt.Errorf("Seal type 'pkcs11' requires the Vault Enterprise HSM binary")
|
||||
|
||||
default:
|
||||
|
||||
@@ -3,13 +3,22 @@ package seal
|
||||
import (
|
||||
"context"
|
||||
|
||||
log "github.com/hashicorp/go-hclog"
|
||||
"github.com/hashicorp/vault/physical"
|
||||
)
|
||||
|
||||
type TestSeal struct{}
|
||||
type TestSeal struct {
|
||||
logger log.Logger
|
||||
}
|
||||
|
||||
var _ Access = (*TestSeal)(nil)
|
||||
|
||||
func NewTestSeal(logger log.Logger) *TestSeal {
|
||||
return &TestSeal{
|
||||
logger: logger,
|
||||
}
|
||||
}
|
||||
|
||||
func (s *TestSeal) Init(_ context.Context) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user