* add reloading service configuration
* add changelog entry
* add tests
* fix typo
* check if config.ServiceRegistration is nil before signaling
* add changes for deregistering service on nil config with failing tests
* fix tests by decreasing reconcile_timeout + setting consul agent tokens
* fix races
* add comments in test
---------
Co-authored-by: Marc Boudreau <marc.boudreau@hashicorp.com>
* VAULT-25341 Address issue where having no permissions to renew caused Agent and Proxy auth to attempt to renew with no backoff
* Fiddle with go.mod changes that shouldn't have happened
* VAULT-25341 small cleanup and extra test
* VAULT-25341 backoff only in error case
* VAULT-25341 godocs
* VAULT-25342 changelog
* Update command/agent_test.go
Co-authored-by: divyaac <divya.chandrasekaran@hashicorp.com>
* VAULT-25341 rename file audit
---------
Co-authored-by: divyaac <divya.chandrasekaran@hashicorp.com>
* Add missing delegated_auth_accessors config field to /sys/mounts/<path> response
- The field hadn't been properly populated in the JSON struct being returned
through the API response, but had been properly set in the stored structs
in the backend.
- Add missing update to the command tune docs for the -delegated-auth-accessors
option that existed
- Add -delegated-auth-accessors to the secret enable vault command along with
a docs update
* Add cl
* Fix documentation, using a comma separated list does not work
* Apply suggestions from code review
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Drop plural on doc update
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
This PR adds inmem_transactional to the map of available physical
backends for TestServerCommand. This is harmless, as tests need to opt
into the backend.
This is required to test AOP configuration on enterprise.
We have many hand-written String() methods (and similar) for enums.
These require more maintenance and are more error-prone than using
automatically generated methods. In addition, the auto-generated
versions can be more efficient.
Here, we switch to using https://github.com/loggerhead/enumer, itself
a fork of https://github.com/diegostamigni/enumer, no longer maintained,
and a fork of the mostly standard tool
https://pkg.go.dev/golang.org/x/tools/cmd/stringer.
We use this fork of enumer for Go 1.20+ compatibility and because
we require the `-transform` flag to be able to generate
constants that match our current code base.
Some enums were not targeted for this change:
The new vault.namespace config option seems to always be overridden by
the auto-auth namespace, so add an extra check to allow them to be set
separately.
---------
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
* Auto Auth Healing for Proxy
* Edited changelog
* Fix failing tests and small comment change
* Readded check because proxy cache is initialized with inmem sink
* Add support for x_forwarded_for_client_cert_header
* add changelog entry
* add tests for a badly and properly formatted certs
* both conditions should be true
* handle case where r.TLS is nil
* prepend client_certs to PeerCertificates list
* Add support for x_forwarded_for_client_cert_header
* add changelog entry
* add tests for a badly and properly formatted certs
* both conditions should be true
* handle case where r.TLS is nil
* prepend client_certs to PeerCertificates list
* add option for decoders to handle different proxies
* Add support for x_forwarded_for_client_cert_header
* add changelog entry
* add tests for a badly and properly formatted certs
* both conditions should be true
* handle case where r.TLS is nil
* prepend client_certs to PeerCertificates list
* add option for decoders to handle different proxies
* fix tests
* fix typo
---------
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Scott Miller <smiller@hashicorp.com>
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
* Improve TestAutoAuthSelfHealing_TokenFileAuth_SinkOutput to make it more robust in race test
* Tweak the sensitivity on waiting for template re-renders after triggering
Fix reloading of seal configuration when a node gains leadership.
Verify that the in-memory seal generation information is stale and only reload
seal configuration when that is the case.
When reloading seal configuration, only do it when enable_multiseal is currently
set to true, or the new configuration is attempting to set it to true.
As part of the process of becoming a leader node, check to see if the seal
configuration needs to be reloaded. Reloading may be necessary if the seal
generation information computed during start up is outdated. For example, a new
node that has just joined the cluster will have incorrect seal generation
information in memory, even if it has the correct seal configuration, since it
did not have access to the stored seal generation information.
* Add a configuration flag for enabling multiseal (Seal HA), CE side
* imports
* no quotes
* get rid of dep on ent config
* Abstract enableMultiSeal for a build time switch
* license headers
* wip
* gate physical seal gen fetch by a param
* docs tweak, remove core flag
* updates from the ent pr
* update stub
* update test fixtures for enable_multiseal
* use accessor
* add a test fixture for non-multiseal diagnose
* remove debugging crtuch
* Do handle phys seal gen info even if multiseal is off, in order to facilitate enable/disable safeties
* more enabled flag handling
* Accept seal gen info if we were previously disabled, and persist it
* update unit test
* Validation happens postUnseal, so this test is invalid
* Dont continue setting conf if seal loading fails during SIGHUP
* Update website/content/docs/configuration/seal/seal-ha.mdx
Thanks, that does sound much clearer
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* use validation if previous gen was enabled
* unit test update
* stub SetMultisealEnabled
* bring over more changes from ent
* this was an unfix
---------
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* Move command/config + command/token to api/cliconfig + api/tokenhelper
* Remove unused functions and unused import
* Simplify and inline function copied from SDK
* Delete unused duplicated/forwarding config implementation from command package
* Delete unused code, unexport API surface that's only used internally to the package
* Fix up license headers
* Add changelog
* Tweak .gitignore to track hcl files in testdata/ folders
* add secret syncs to vault operator usage
* changelog
* unexport
* add godoc for test and remove t.Run invocation
* move test to separate package
* update comment
This is not going to be enabled in 1.16, so we can
remove it from the default list of backends.
This removes about 600 KB of dead code from the
binary.
We can add this back in when the rest of the
event plugin endpoints are merged.
This PR flips the logic for the Request Limiter, setting it to default
disabled.
We allow users to turn on the global Request Limiter, but leave the
Listener configuration as a "disable per Listener".
* add gosimport to make fmt and run it
* move installation to tools.sh
* correct weird spacing issue
* Update Makefile
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* fix a weird issue
---------
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* VAULT-528 add test reproducing the failure that should pass after the fix
* VAULT-528 Upgrade consul-template to version with the fix
* VAULT-528 changelog
Initial version of an internal plugin interface for event subscription plugins,
and an AWS SQS plugin as an example.
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
