* upgrade to 3.1.0
* VAULT-22471 upgrade to latest version
* fix other selectors
* fix pki tests
* fix copy dropdown
* rename selectors to be consistent
* add replicationRedacted attribute to cluster model
* disallow access to replication pages if repl endpoints are redacted
* hide replication nav item
* Hide replication card on dashboard
- Noticed that our documentation was out of date: we allow 8192-bit
RSA keys to be used as an argument to the various PKI
issuer/key creation APIs.
- Augment some unit tests to verify this continues to work
* Create app-footer component with tests
* glimmerize vault route + controller
* Add dev mode badge to new footer
* Fix version on dashboard
* update app-footer tests
* update version title component
* Handle case for chroot namespace fail on health check
* cleanup
* fix ent tests
* add missing headers
* extra version fetch on login success, clear version on logout and seal
* Add coverage for clearing version on seal
* rename isOSS to isCommunity
* remove is-version helper
* test version in footer on unseal flow
* fix enterprise test
* VAULT-21399 test coverage
* VAULT-21400 test coverage
@mitchellh suggested we fork `cli` and switch to that.
Since we primarily use the interfaces in `cli`, and the new
fork has not changed those, this is (mostly) a drop-in replacement.
A small fix will be necessary for Vault Enterprise, I believe.
Update requests to /sys/identity/entity/merge perform merges on perfStandby nodes in memory and skip the persist call.
This commit changes the behavior for the merge endpoint, forcing it to be forwarded from the standby to the active node. This change is specifically scoped to manual merges, as automatic merges are not isolated to a specific endpoint and require careful consideration for all callers.
* fix -log-file so that it uses the correct name and only adds timestamps on rotation
* added some tests for naming/rotation
* changelog
* revert to previous way of getting created time
* remove unused stat
* comment shuffle
* Update changelog/24297.txt
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
* Update website/content/docs/agent-and-proxy/agent/index.mdx
Update 'agent' docs page
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/docs/agent-and-proxy/proxy/index.mdx
Update 'proxy' docs page
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/docs/commands/server.mdx
Update 'server' docs page
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* fix typos
---------
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* replace paddingTop with class
* use hds alert for AlertInline component
* remove isSmall arg
* add test selector back
* remove mimicRefresh arg
* update assertion for alert inline component
* update string-list
* use alert inline for string-list
* add changelog
* update block instances of alert inline
* remove p tags from test selectors
* minor cleanup
* reload seals on SIGHUP
* add lock in SetSeals
* move lock
* use stubmaker and change wrapper finalize call
* change finalize logic so that old seals will be finalized after new seals are configured
* add changelog
* run make fmt
* fix fmt
* fix panic when reloading seals errors out
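The reload ordering described above (configure the new seals, then finalize the old ones, and never end up with no seals when the reload fails) sketched as an added Go example. This is not Vault's code: the `seal` interface, `sealManager`, the `build` callback standing in for config parsing, and `fakeSeal` are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sync"
)

// seal is the small slice of a seal backend this sketch needs: a name for
// error messages and a Finalize hook that releases its resources.
// (Hypothetical interface for this example; Vault's real one differs.)
type seal interface {
	Name() string
	Finalize() error
}

// sealManager holds the active seal set and serialises reloads with a mutex,
// so a SIGHUP arriving mid-reload cannot interleave with another SetSeals.
type sealManager struct {
	mu    sync.Mutex
	seals []seal
}

// SetSeals rebuilds the seal set from a builder (stand-in for parsing the
// reloaded config). Ordering is the whole point:
//  1. build the new seals first; if that fails, keep the old ones and return
//     an error instead of leaving the manager with an empty seal set;
//  2. only after the new set is installed, finalize the old seals.
func (m *sealManager) SetSeals(build func() ([]seal, error)) error {
	m.mu.Lock()
	defer m.mu.Unlock()

	newSeals, err := build()
	if err != nil {
		return fmt.Errorf("reload seals: %w (previous seals kept)", err)
	}
	if len(newSeals) == 0 {
		return fmt.Errorf("reload seals: configuration produced no seals (previous seals kept)")
	}

	old := m.seals
	m.seals = newSeals

	// Old seals are finalized only now that the new ones are in place.
	var firstErr error
	for _, s := range old {
		if ferr := s.Finalize(); ferr != nil && firstErr == nil {
			firstErr = fmt.Errorf("finalize old seal %q: %w", s.Name(), ferr)
		}
	}
	return firstErr
}

// Names returns the names of the currently active seals, for inspection.
func (m *sealManager) Names() []string {
	m.mu.Lock()
	defer m.mu.Unlock()
	out := make([]string, 0, len(m.seals))
	for _, s := range m.seals {
		out = append(out, s.Name())
	}
	return out
}

// fakeSeal is a constructed stand-in that records whether it was finalized.
type fakeSeal struct {
	name      string
	finalized bool
}

func (f *fakeSeal) Name() string    { return f.name }
func (f *fakeSeal) Finalize() error { f.finalized = true; return nil }

func main() {
	old := &fakeSeal{name: "old-shamir"}
	m := &sealManager{seals: []seal{old}}

	// A bad reload (e.g. a typo in the new seal stanza) must not drop the old seal.
	err := m.SetSeals(func() ([]seal, error) { return nil, fmt.Errorf("bad kms config") })
	fmt.Println("failed reload:", err, "active:", m.Names(), "old finalized:", old.finalized)

	// A good reload swaps in the new seal, then finalizes the old one.
	err = m.SetSeals(func() ([]seal, error) { return []seal{&fakeSeal{name: "new-kms"}}, nil })
	fmt.Println("good reload:", err, "active:", m.Names(), "old finalized:", old.finalized)
}
```

The first call shows the failure mode the last commit line is about: a reload error returns normally with the previous seal set still active and never finalized, instead of tearing down the old seals before the replacements exist.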
This adds a very basic implementation of a list of namespace+eventType
combinations that each node is interested in by just running the
glob operations in for-loops. Some parallelization is possible, but
not enabled by default.
It only wires up keeping track of what the local event bus is interested
in for now (but doesn't use it yet to filter messages).
Also updates the cloudevents source URL to indicate the Vault node that generated the event.
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
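The namespace+eventType interest list described above, as an added Go example that is not Vault's code. It assumes Go's `path.Match` glob syntax for both fields and namespaces written without a trailing slash (so `*` can match a whole namespace name); `interest`, `interestList`, `Add` and `Matches` are names chosen for this illustration.

```go
package main

import (
	"fmt"
	"path"
	"sync"
)

// interest is one namespace+eventType glob pair a node wants to receive.
// Both fields are glob patterns in Go's path.Match syntax (an assumption of
// this example; Vault's actual matcher may differ).
type interest struct {
	Namespace string // e.g. "ns1", "*"
	EventType string // e.g. "kv-v2/data-write", "kv-v2/*"
}

// interestList tracks what the local event bus is interested in.
type interestList struct {
	mu        sync.RWMutex
	interests []interest
}

// Add validates both patterns before storing them, so a malformed glob is
// rejected at subscription time rather than silently never matching.
func (l *interestList) Add(ns, et string) error {
	for _, p := range []string{ns, et} {
		if _, err := path.Match(p, "probe"); err != nil {
			return fmt.Errorf("bad glob pattern %q: %w", p, err)
		}
	}
	l.mu.Lock()
	defer l.mu.Unlock()
	l.interests = append(l.interests, interest{Namespace: ns, EventType: et})
	return nil
}

// Matches reports whether an event from namespace ns with type et is wanted by
// any registered interest. It runs the glob checks in a plain loop, as the
// commit above describes; both fields must match the same interest entry.
func (l *interestList) Matches(ns, et string) bool {
	l.mu.RLock()
	defer l.mu.RUnlock()
	for _, in := range l.interests {
		nsOK, err := path.Match(in.Namespace, ns)
		if err != nil || !nsOK {
			continue
		}
		etOK, err := path.Match(in.EventType, et)
		if err == nil && etOK {
			return true
		}
	}
	return false
}

func main() {
	l := &interestList{}
	_ = l.Add("ns1", "kv-v2/*")
	_ = l.Add("*", "database/creds-create")
	// Constructed sample events: namespace, event type.
	events := [][2]string{
		{"ns1", "kv-v2/data-write"},
		{"ns2", "kv-v2/data-write"},
		{"ns2", "database/creds-create"},
	}
	for _, ev := range events {
		fmt.Printf("%s %s -> %v\n", ev[0], ev[1], l.Matches(ev[0], ev[1]))
	}
}
```

Note that with `path.Match`, `*` does not cross a `/`, so an event-type pattern of `*` would not match `kv-v2/data-write`; use `kv-v2/*` for a whole mount's events.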
* Fix non-JSON log messages when using -log-format JSON
Removed the call to consul-template's logging.Setup inside the creation of config for the Runner. Instead we call it when we assign the logger to the Agent command.
* The elusive extra line
* Adjust the approach
* changelog
* Infer levels *with* timestamp prefix
* InferLevelsWithTimestamp required InferLevels
* Test to show -log-format and -log-file working in consul-template generated messages
* classic typo
---------
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
* Remove duplicate function NewToggleableTestSeal.
NewToggleableTestSeal is almost the same as NewTestSeal, so remove it and adapt
the callers to use the duplicated function.
* Remove unnecessary function CreateTestSealWrappers.
The only caller of CreateTestSealWrappers can use NewTestSeal instead and
obtain the wrappers from the seal Access object instead.
* Ensure NewTestSeal does not generate "duplicate" wrappers.
NewTestSeal uses TestWrappers to create multi-seal Access objects. However, the
default behaviour for TestWrapper is to reverse the byte slice, which means that
two different wrappers will be identical, which is a problem for testing since
one wrapper will be able to "decrypt" another wrapper's encryption.
To fix this problem, NewTestSeal now creates TestWrappers with a different
secret for each one.
* Make NewTestSeal give unique Key IDs to its test wrappers.
* Fix some typos.
* Detect multi-seal wrappers producing duplicate Key IDs.
The Access object relies on all the encryption wrappers generating distinct key
IDs, so guard against this happening.
If a duplicate key ID is detected, do not use the encrypted value produced by
the wrappers that generated it. Return an error instead.
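Two of the points above, that test wrappers with identical transforms can "decrypt" each other's output, and that a multi-seal access layer must refuse to store values whose wrappers report the same key ID, sketched as one added Go example. This is not Vault's code: the `wrapper` interface, `encryptAll`, `crossDecrypts` and the `xorWrapper` stand-in (a constructed toy, not a cipher) are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// wrapper is the subset of a seal-wrapper interface this sketch needs.
// (Hypothetical interface for this example; the real interfaces differ.)
type wrapper interface {
	KeyID() string
	Encrypt(plaintext []byte) ([]byte, error)
	Decrypt(ciphertext []byte) ([]byte, error)
}

// encryptedValue is one wrapper's output, tagged with the key ID that produced
// it; the tag is what lets the access layer pick the right wrapper to decrypt.
type encryptedValue struct {
	KeyID      string
	Ciphertext []byte
}

var errDuplicateKeyID = errors.New("multi-seal: two wrappers report the same key ID")

// encryptAll encrypts plaintext with every wrapper. Because the access layer
// relies on key IDs being distinct, a duplicate makes the result ambiguous:
// nothing is returned for the batch and an error is raised, rather than
// storing a value that can never be unambiguously decrypted later.
func encryptAll(ws []wrapper, plaintext []byte) ([]encryptedValue, error) {
	seen := make(map[string]int, len(ws))
	out := make([]encryptedValue, 0, len(ws))
	for i, w := range ws {
		id := w.KeyID()
		if prev, dup := seen[id]; dup {
			return nil, fmt.Errorf("%w: wrappers %d and %d both report %q", errDuplicateKeyID, prev, i, id)
		}
		seen[id] = i
		ct, err := w.Encrypt(plaintext)
		if err != nil {
			return nil, fmt.Errorf("wrapper %d (%s): %w", i, id, err)
		}
		out = append(out, encryptedValue{KeyID: id, Ciphertext: ct})
	}
	return out, nil
}

// xorWrapper is a constructed stand-in, NOT a real cipher: it XORs every byte
// with a per-wrapper secret. It exists only to show why test wrappers need
// distinct secrets: with the same transform, one wrapper "decrypts" another's.
type xorWrapper struct {
	id     string
	secret byte
}

func (x xorWrapper) KeyID() string                       { return x.id }
func (x xorWrapper) Encrypt(p []byte) ([]byte, error)    { return x.xor(p), nil }
func (x xorWrapper) Decrypt(c []byte) ([]byte, error)    { return x.xor(c), nil }
func (x xorWrapper) xor(in []byte) []byte {
	out := make([]byte, len(in))
	for i, b := range in {
		out[i] = b ^ x.secret
	}
	return out
}

// crossDecrypts reports whether wrapper b recovers plaintext that wrapper a
// encrypted: true means the two "different" wrappers are really the same key.
func crossDecrypts(a, b wrapper, plaintext []byte) bool {
	ct, err := a.Encrypt(plaintext)
	if err != nil {
		return false
	}
	pt, err := b.Decrypt(ct)
	return err == nil && string(pt) == string(plaintext)
}

func main() {
	pt := []byte("root-key-material") // constructed sample input
	same := crossDecrypts(xorWrapper{"k1", 0x11}, xorWrapper{"k2", 0x11}, pt)
	fmt.Println("same-secret wrappers cross-decrypt:", same)
	_, err := encryptAll([]wrapper{xorWrapper{"k1", 0x11}, xorWrapper{"k1", 0x22}}, pt)
	fmt.Println("duplicate key IDs:", err)
}
```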
* Stop supporting vault plugin info and deregister without a type argument
* Make a best-effort attempt to report whether a plugin was actually deregistered and give more descriptive errors
* Fix error message for vault plugin reload
* Pulls in github.com/go-secure-stdlib/plugincontainer@v0.3.0 which exposes a new `Config.Rootless` option to opt in to extra container configuration options that allow establishing communication with a non-root plugin within a rootless container runtime.
* Adds a new "rootless" option for plugin runtimes, so Vault needs to be explicitly told whether the container runtime on the machine is rootless or not. It defaults to false as rootless installs are not the default.
* Updates `run_config.go` to use the new option when the plugin runtime is rootless.
* Adds new `-rootless` flag to `vault plugin runtime register`, and `rootless` API option to the register API.
* Adds rootless Docker installation to CI to support tests for the new functionality.
* Minor test refactor to minimise the number of test Vault cores that need to be made for the external plugin container tests.
* Documentation for the new rootless configuration and the new (reduced) set of restrictions for plugin containers.
* As well as adding rootless support, we've decided to drop explicit support for podman for now, but there's no barrier other than support burden to adding it back again in future so it will depend on demand.