As part of the process of becoming a leader node, check to see if the seal
configuration needs to be reloaded. Reloading may be necessary if the seal
generation information computed during start up is outdated. For example, a new
node that has just joined the cluster will have incorrect seal generation
information in memory, even if it has the correct seal configuration, since it
did not have access to the stored seal generation information.
* Add a configuration flag for enabling multiseal (Seal HA), CE side
* imports
* no quotes
* get rid of dep on ent config
* Abstract enableMultiSeal for a build time switch
* license headers
* wip
* gate physical seal gen fetch by a param
* docs tweak, remove core flag
* updates from the ent pr
* update stub
* update test fixtures for enable_multiseal
* use accessor
* add a test fixture for non-multiseal diagnose
* remove debugging crutch
* Do handle phys seal gen info even if multiseal is off, in order to facilitate enable/disable safeties
* more enabled flag handling
* Accept seal gen info if we were previously disabled, and persist it
* update unit test
* Validation happens postUnseal, so this test is invalid
* Don't continue setting conf if seal loading fails during SIGHUP
* Update website/content/docs/configuration/seal/seal-ha.mdx
Thanks, that does sound much clearer
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* use validation if previous gen was enabled
* unit test update
* stub SetMultisealEnabled
* bring over more changes from ent
* this was an unfix
---------
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* Validate OCSP response is signed by expected issuer and serial number matches request
- There was a bug in the OCSP response signature logic: it verified
properly but kept the ocspRes object around, so we ignored the errors
found and passed the response object back up the stack.
- Now extract the verification logic into a dedicated function, if
it returns an error, blank the ocspRes response as we can't trust it.
- Address an issue that the OCSP requests from multiple servers were
clobbering each other's responses as the index loop variable was not
properly captured.
- Add a missing validation that the response was for the serial number
we requested
* Add cl
* VAULT-24469 use sys/seal-status instead of internal version endpoint
* Update tests and mirage handlers
* Revert "VAULT-20669: Add New Authenticated Endpoint for Version (#23740)"
This reverts commit 550c99ae3b.
* Readded version_test.go
* Reverted any old changes on version.go
---------
Co-authored-by: divyaac <divyaac@berkeley.edu>
* Remove CE-only warning from shared tests
* Add tests for all warnings emitted during raft config parsing
* Unmark warnings as CE only that are universal
* Update audited headers to provide a mechanism for invalidation
* Extra tests for AuditedHeadersConfig
* Make sure we clear headers on invalidation if we cannot reload
Changed the wording of "For integrated storage users, Vault needs to be upgraded to 1.13 will enable this feature by default." to be more clear and concise to "For integrated storage users, upgrading Vault to 1.13 will enable this feature by default."
* CE parts for mount-namespace entry limit
* Remove redundant code from refactor
* Add doc comment note about ent-only use of interface
* Add CHANGELOG
* Revert "Don't panic on unknown raft ops (#17732)"
This reverts commit c9b4300897.
* add test for panic
* add back changelog
* add godoc for test
* log -> l
* changelog
* Apply suggestions from code review
Co-authored-by: Josh Black <raskchanky@gmail.com>
---------
Co-authored-by: Josh Black <raskchanky@gmail.com>
Use vault auth enable instead of vault write, because I think it is more appropriate or the "new way"
Co-authored-by: Marc Boudreau <marc.boudreau@hashicorp.com>
* Support OCSP responses without a NextUpdate value set
- Validate that the ThisUpdate value is properly prior to our current
time and, if NextUpdate is set, that ThisUpdate is before NextUpdate.
- If we don't have a value for NextUpdate just compare against ThisUpdate.
* Add ocsp_this_update_max_ttl support to cert auth
- Allow configuring a maximum TTL of the OCSP response based on the
ThisUpdate time like OpenSSL does
- Add test to validate that we don't cache OCSP responses with no NextUpdate
* Add cl
* Add missing ` in docs
* Rename ocsp_this_update_max_ttl to ocsp_this_update_max_age
* Missed a few TTL references
* Fix error message
* Address OCSP client caching issue
- The OCSP cache built into the client that is used by cert-auth
would cache the responses but when pulling out a cached value the
response wasn't validating properly and was then thrown away.
- The issue was around a confusion of the client's internal status
vs the Go SDK OCSP status integer values.
- Add a test that validates the cache is now used
* Add cl
* Fix PKI test failing now due to the OCSP cache working
- Remove the previous lookup before revocation as now the OCSP
cache works so we don't see the new revocation as we are actually
leveraging the cache
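The two OCSP commit messages above describe the same set of response checks: the response must be for the serial we requested, ThisUpdate must not be in the future, NextUpdate is optional but when present must be after ThisUpdate and not yet passed, a maximum age measured from ThisUpdate (ocsp_this_update_max_age), and a cache lifetime that does not outlive those bounds. The following is an added illustration of that logic, not Vault's code: it is stdlib-only Go, assumes the signature has already been verified against the expected issuer, and uses a constructed ocspResponse struct (field names as in x/crypto/ocsp.Response) plus hypothetical validateOCSPResponse and cacheTTL functions in place of a real OCSP parser.

```go
package main

import (
	"fmt"
	"math/big"
	"time"
)

// ocspResponse: constructed stand-in for a parsed OCSP response (field names as
// in x/crypto/ocsp.Response). A zero NextUpdate means the responder set none.
type ocspResponse struct {
	SerialNumber *big.Int
	ThisUpdate   time.Time
	NextUpdate   time.Time
}

// validateOCSPResponse rejects a response that is for the wrong serial, has a
// ThisUpdate in the future, has a NextUpdate that is not after both ThisUpdate
// and now, or is older than maxAge measured from ThisUpdate (0 = no age check).
func validateOCSPResponse(resp *ocspResponse, wantSerial *big.Int, now time.Time, maxAge time.Duration) error {
	if resp.SerialNumber == nil || resp.SerialNumber.Cmp(wantSerial) != 0 {
		return fmt.Errorf("serial %v does not match requested serial %v", resp.SerialNumber, wantSerial)
	}
	if resp.ThisUpdate.After(now) {
		return fmt.Errorf("ThisUpdate %v is in the future", resp.ThisUpdate)
	}
	if !resp.NextUpdate.IsZero() &&
		(!resp.ThisUpdate.Before(resp.NextUpdate) || !now.Before(resp.NextUpdate)) {
		return fmt.Errorf("NextUpdate %v is not after ThisUpdate %v and now %v", resp.NextUpdate, resp.ThisUpdate, now)
	}
	if maxAge > 0 && now.Sub(resp.ThisUpdate) > maxAge {
		return fmt.Errorf("ThisUpdate %v is older than max age %v", resp.ThisUpdate, maxAge)
	}
	return nil
}

// cacheTTL: cache until NextUpdate when set, else until ThisUpdate+maxAge; with
// neither there is no safe expiry, so return 0 (do not cache).
func cacheTTL(resp *ocspResponse, now time.Time, maxAge time.Duration) time.Duration {
	if !resp.NextUpdate.IsZero() {
		return resp.NextUpdate.Sub(now)
	}
	if maxAge == 0 {
		return 0
	}
	return resp.ThisUpdate.Add(maxAge).Sub(now)
}
```

Call validateOCSPResponse before cacheTTL; a response that fails validation is discarded rather than cached, which is the behaviour the cache fix above restores.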
* chore: update hds and flight-icons
* fix: add missing deps and use .css from HDS
* update HDS components to new syntax
* database-connection-edit: add @waitFor to fix rotate-related acceptance tests
* use stub to fix confirm-modal-test
---------
Co-authored-by: Alexey Kulakov <uni_que@me.com>
* bump ember-cli version 4.12.2
* Revert "bump ember-cli version 4.12.2"
This reverts commit 977323750729daaf0658e280d8723d476ec11652.
* add socket-io version to resolutions
* Bump github.com/jackc/pgproto3/v2 from 2.3.2 to 2.3.3 in /sdk
Bumps [github.com/jackc/pgproto3/v2](https://github.com/jackc/pgproto3) from 2.3.2 to 2.3.3.
- [Commits](https://github.com/jackc/pgproto3/compare/v2.3.2...v2.3.3)
---
updated-dependencies:
- dependency-name: github.com/jackc/pgproto3/v2
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
* go mod tidy
* go mod tidy
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Peter Wilson <peter.wilson@hashicorp.com>
* fix issue of checkbox value not disabling after canceling the modal
* add component test coverage in overview
* add acceptance test to see flow show banner to not show banner
* comment change
* remove unnecessary hash and add settled because ci is funny
* circle ci play nice
* forgot to add my changes 🙃
* blah
* that was a lot for delineating the errors properly—😵💫
* pr review comments, thank you for the catches team
* Update CHANGELOG.md
* Fix formatting
I fixed the formatting with one correction that I got from an engineer where the backporting of a changelog correction got tripped up with the branch cutting.
I deleted other lines that didn't follow the existing pattern for new features. Note that these will be regenerated when we do the GA changelog, so that will happen again.