a26d4fe1e5
docs: -vault-namespace, VAULT_NAMESPACE, and config
...
agent: added VAULT_NAMESPACE env-based configuration
2019-04-10 10:34:10 -05:00
d3041cdb17
wip: added config parsing support, CLI flag, still need more testing, VAULT_ var, documentation
2019-04-10 10:34:10 -05:00
0eaeef872f
config/docs: added `namespace` to vault config
...
server/client: process `namespace` config, setting on the instantiated vault client
2019-04-10 10:34:10 -05:00
f9164dae67
Merge pull request #5228 from hashicorp/f-vault-err-tweaks
...
server/vault: tweak error messages
2019-01-25 11:17:31 -05:00
f4560d8a2a
server/vault: tweak error messages
...
Closes #5139
2019-01-25 10:33:54 -05:00
4bdccab550
goimports
2019-01-22 15:44:31 -08:00
50e38104a5
server/nomad: Lock Vault expiration tracking
...
`currentExpiration` field is accessed in multiple goroutines: Stats and
renewal, so needs locking.
I don't anticipate high contention, so simple mutex suffices.
2018-12-04 09:29:48 -05:00
0a2611e41f
vault: protect against empty Vault secret response
...
Also, fix a case where a successful second attempt of loading token can
cause a panic.
2018-11-29 09:34:17 -05:00
2e6133fd33
nil secrets as recoverable to keep renew attempts
2018-11-20 17:11:55 -05:00
5827438983
Renew past recorded expiry till unrecoverable error
...
Keep attempting to renew Vault token past locally recorded expiry, just
in case the token was renewed out of band, e.g. on another Nomad server,
until Vault returns an unrecoverable error.
2018-11-20 17:10:55 -05:00
5836a341dd
fix typo
2018-11-20 17:10:55 -05:00
93add67e04
round ttl duration for users
2018-11-20 17:10:55 -05:00
4a0544b369
Track renewal expiration properly
2018-11-20 17:10:55 -05:00
6efea6d8fc
Populate agent-info with vault
...
Return Vault TTL info to /agent/self API and `nomad agent-info` command.
2018-11-20 17:10:55 -05:00
6034af5084
Avoid explicit precomputed stats field
...
Seems like the stats field is a micro-optimization that doesn't justify
the complexity it introduces. Removing it and computing the stats from
revoking field directly.
2018-11-20 17:10:54 -05:00
14842200ec
More metrics for Server vault
...
Add a gauge to track remaining time-to-live, duration of renewal request API call.
2018-11-20 17:10:54 -05:00
e1994e59bd
address review comments
2018-11-20 17:10:54 -05:00
35179c9655
Wrap Vault API api errors for easing debugging
2018-11-20 17:10:54 -05:00
55456fc823
Set a 1s floor for Vault renew operation backoff
2018-11-20 17:10:54 -05:00
56ed4f01be
vault: fix panic by checking for nil secret
...
Vault's RenewSelf(...) API may return (nil, nil). We failed to check if
secret was nil before attempting to use it.
RenewSelf:
e3eee5b4fb/api/auth_token.go (L138-L155)e3eee5b4fb/api/secret.go (L309-L311)
2018-11-19 17:07:59 -08:00
3c19d01d7a
server
2018-09-15 16:23:13 -07:00
9f6bd7bf3a
move logic for testing equality for vault config
2018-06-07 16:23:50 -04:00
ba88f00ccb
Changed "til" to "until"
...
Should be "till" or "until"; chose "until" because it is unambiguous as to meaning.
2018-04-11 12:36:28 -05:00
58a3ec3fb2
Improve Vault error handling
2018-04-03 14:29:22 -07:00
c152774997
Allow and recommend Orphaned Vault tokens
...
This PR removes enforcement that the Vault token role disallows orphaned
tokens and recommends orphaned tokens to simplify the
bootstrapping/upgrading of Nomad clusters. The requirement that Nomad's
Vault token never expire and be shared by all instances of Nomad servers
is not operationally friendly.
2018-03-15 15:32:08 -07:00
f78d5685ee
spelling: routines
2018-03-11 18:52:35 +00:00
d9ce1f7882
spelling: deregister
2018-03-11 17:53:22 +00:00
d0a76b328d
spelling: captures
2018-03-11 17:46:35 +00:00
f1c2a37f57
Update error message
2018-03-09 14:25:53 -06:00
9d3980b253
update comment
2018-03-09 08:56:54 -06:00
c6b975428b
Always retry on token validation instead of special casing vault sealing
2018-03-08 20:27:49 -06:00
4421025372
Retry when vault is sealed
2018-03-08 16:53:54 -06:00
4173834231
Enable more linters
2017-09-26 15:26:33 -07:00
f0ced87b95
fixed all spelling mistakes for goreport
2017-08-07 17:13:05 -04:00
d3012f1447
Fix Vault Client panic when given nonexistant role
...
The Vault API returns a nil secret and nil error when reading an object
that doesn't exist. The old code assumed an error would be returned and
thus will panic when trying to validate a non-existant role.
2017-05-16 12:59:58 -04:00
e21792091a
remove leading slash on vault path
2017-02-28 14:03:18 -08:00
8bfc4255eb
Add server metrics
2017-02-14 16:02:18 -08:00
15ffdff497
Vault Client on Server handles SIGHUP
...
This PR allows the Vault client on the server to handle a SIGHUP. This
allows updating the Vault token and any other configuration without
downtime.
2017-02-01 14:24:10 -08:00
94ed50aa59
Prefer looking up using self path and remove checking for default policy
2017-01-23 11:46:27 -08:00
442d775fb2
Test new functionality
2017-01-21 17:33:35 -08:00
76dbc4aee1
verify we can renew ourselves
2017-01-20 14:23:50 -08:00
faa50b851e
Cleanup errors/comments
2017-01-20 10:26:25 -08:00
7d1ec25d09
Test pass
2017-01-20 10:06:47 -08:00
ace50cfa19
closer on the tests
2017-01-19 17:21:46 -08:00
fb86904902
Check capabilities, allow creation against role
...
Check the capabilities of the Vault token to ensure it is valid and also
allow targetting of a role that the token is not from.
2017-01-19 13:40:32 -08:00
822e32de6d
Fix error checking
2016-11-08 11:04:11 -08:00
fde7a24865
Consul-template fixes + PreviousAlloc in api
2016-10-28 15:50:35 -07:00
d3649f5d98
check period
2016-10-25 14:37:54 -07:00
3d04efb21f
Validate the Vault role being used
2016-10-24 16:53:47 -07:00
ede3a814ba
Small fixes
2016-10-22 18:20:50 -07:00
Chris Baker