Commit Graph

45 Commits

Author SHA1 Message Date
Michael Schurter 56ed4f01be vault: fix panic by checking for nil secret
Vault's RenewSelf(...) API may return (nil, nil). We failed to check if
secret was nil before attempting to use it.

RenewSelf:
e3eee5b4fb/api/auth_token.go (L138-L155)

Calls ParseSecret:
e3eee5b4fb/api/secret.go (L309-L311)

If anyone has an idea on how to test this I didn't see any options. We
use a real Vault service, so there's no opportunity to mock the
response.
2018-11-19 17:07:59 -08:00
Alex Dadgar 3c19d01d7a server 2018-09-15 16:23:13 -07:00
Chelsea Holland Komlo 9f6bd7bf3a move logic for testing equality for vault config 2018-06-07 16:23:50 -04:00
Charlie Voiselle ba88f00ccb Changed "til" to "until"
Should be "till" or "until"; chose "until" because it is unambiguous as to meaning.
2018-04-11 12:36:28 -05:00
Alex Dadgar 58a3ec3fb2 Improve Vault error handling 2018-04-03 14:29:22 -07:00
Alex Dadgar c152774997 Allow and recommend Orphaned Vault tokens
This PR removes enforcement that the Vault token role disallows orphaned
tokens and recommends orphaned tokens to simplify the
bootstrapping/upgrading of Nomad clusters. The requirement that Nomad's
Vault token never expire and be shared by all instances of Nomad servers
is not operationally friendly.
2018-03-15 15:32:08 -07:00
Josh Soref f78d5685ee spelling: routines 2018-03-11 18:52:35 +00:00
Josh Soref d9ce1f7882 spelling: deregister 2018-03-11 17:53:22 +00:00
Josh Soref d0a76b328d spelling: captures 2018-03-11 17:46:35 +00:00
Preetha Appan f1c2a37f57 Update error message 2018-03-09 14:25:53 -06:00
Preetha Appan 9d3980b253 update comment 2018-03-09 08:56:54 -06:00
Preetha Appan c6b975428b Always retry on token validation instead of special casing vault sealing 2018-03-08 20:27:49 -06:00
Preetha Appan 4421025372 Retry when vault is sealed 2018-03-08 16:53:54 -06:00
Alex Dadgar 4173834231 Enable more linters 2017-09-26 15:26:33 -07:00
Luke Farnell f0ced87b95 fixed all spelling mistakes for goreport 2017-08-07 17:13:05 -04:00
Alex Dadgar d3012f1447 Fix Vault Client panic when given nonexistent role
The Vault API returns a nil secret and nil error when reading an object
that doesn't exist. The old code assumed an error would be returned and
thus will panic when trying to validate a non-existent role.
2017-05-16 12:59:58 -04:00
Alex Dadgar e21792091a remove leading slash on vault path 2017-02-28 14:03:18 -08:00
Alex Dadgar 8bfc4255eb Add server metrics 2017-02-14 16:02:18 -08:00
Alex Dadgar 15ffdff497 Vault Client on Server handles SIGHUP
This PR allows the Vault client on the server to handle a SIGHUP. This
allows updating the Vault token and any other configuration without
downtime.
2017-02-01 14:24:10 -08:00
Alex Dadgar 94ed50aa59 Prefer looking up using self path and remove checking for default policy 2017-01-23 11:46:27 -08:00
Alex Dadgar 442d775fb2 Test new functionality 2017-01-21 17:33:35 -08:00
Alex Dadgar 76dbc4aee1 verify we can renew ourselves 2017-01-20 14:23:50 -08:00
Alex Dadgar faa50b851e Cleanup errors/comments 2017-01-20 10:26:25 -08:00
Alex Dadgar 7d1ec25d09 Test pass 2017-01-20 10:06:47 -08:00
Alex Dadgar ace50cfa19 closer on the tests 2017-01-19 17:21:46 -08:00
Alex Dadgar fb86904902 Check capabilities, allow creation against role
Check the capabilities of the Vault token to ensure it is valid and also
allow targeting of a role that the token is not from.
2017-01-19 13:40:32 -08:00
Alex Dadgar 822e32de6d Fix error checking 2016-11-08 11:04:11 -08:00
Alex Dadgar fde7a24865 Consul-template fixes + PreviousAlloc in api 2016-10-28 15:50:35 -07:00
Alex Dadgar d3649f5d98 check period 2016-10-25 14:37:54 -07:00
Alex Dadgar 3d04efb21f Validate the Vault role being used 2016-10-24 16:53:47 -07:00
Alex Dadgar ede3a814ba Small fixes 2016-10-22 18:20:50 -07:00
Alex Dadgar 0070178741 Thread through whether DeriveToken error is recoverable or not 2016-10-22 18:08:30 -07:00
Alex Dadgar 751aa114bf Fix Vault parsing of booleans 2016-10-10 18:04:39 -07:00
Alex Dadgar d64ef28c39 Handle the various valid root cases 2016-09-21 17:30:57 -07:00
Alex Dadgar f99d84d2c3 Renew root tokens where applicable 2016-09-21 16:49:15 -07:00
Alex Dadgar 6702a29071 Vault token threaded 2016-09-14 13:30:01 -07:00
Alex Dadgar 6047414fb9 address comments 2016-08-31 14:10:33 -07:00
Alex Dadgar 48696ba0cc Use tomb to shutdown
Token revocation

Remove from the statestore

Revoke tokens

Don't error when Vault is disabled as this could cause issues if the operator ever goes from enabled to disabled

update server interface to allow enable/disable and config loading

test the new functions

Leader revoke

Use active
2016-08-28 14:06:25 -07:00
Alex Dadgar 19be6b57b2 fixes 2016-08-19 20:02:32 -07:00
Alex Dadgar 123a26ffea Rate limiting 2016-08-19 16:40:37 -07:00
Alex Dadgar 94b870a58b Start 2016-08-19 16:40:37 -07:00
Alex Dadgar f9f019fa62 LookupToken 2016-08-17 16:25:38 -07:00
Alex Dadgar a8efce874f Token renewal and beginning of tests 2016-08-17 16:25:38 -07:00
Alex Dadgar 713e310670 Renew loop 2016-08-17 16:25:38 -07:00
Alex Dadgar 750a44b2c0 Create a Vault interface for the server 2016-08-17 16:25:38 -07:00