backport of commit e4c19ac0af902c83e67c301b6d104d9f1a621750 (#20938)

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
This commit is contained in:
hc-github-team-secure-vault-core 2023-06-01 15:14:17 -04:00 committed by GitHub
parent 07ca320b6d
commit ca57012072
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 64 additions and 9 deletions

3
changelog/20934.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:bug
agent: Fix bug with 'cache' stanza validation
```

View File

@ -646,7 +646,7 @@ func LoadConfigFile(path string) (*Config, error) {
return nil, fmt.Errorf("error parsing 'env_template': %w", err)
}
if result.Cache != nil && result.APIProxy == nil {
if result.Cache != nil && result.APIProxy == nil && (result.Cache.UseAutoAuthToken || result.Cache.ForceAutoAuthToken) {
result.APIProxy = &APIProxy{
UseAutoAuthToken: result.Cache.UseAutoAuthToken,
ForceAutoAuthToken: result.Cache.ForceAutoAuthToken,

View File

@ -617,7 +617,6 @@ func TestLoadConfigFile_AgentCache_NoAutoAuth(t *testing.T) {
}
expected := &Config{
APIProxy: &APIProxy{},
Cache: &Cache{},
SharedConfig: &configutil.SharedConfig{
PidFile: "./pidfile",
@ -935,10 +934,6 @@ func TestLoadConfigFile_AgentCache_AutoAuth_False(t *testing.T) {
},
},
},
APIProxy: &APIProxy{
UseAutoAuthToken: false,
ForceAutoAuthToken: false,
},
Cache: &Cache{
UseAutoAuthToken: false,
UseAutoAuthTokenRaw: "false",
@ -959,7 +954,6 @@ func TestLoadConfigFile_AgentCache_Persist(t *testing.T) {
}
expected := &Config{
APIProxy: &APIProxy{},
Cache: &Cache{
Persist: &agentproxyshared.PersistConfig{
Type: "kubernetes",
@ -1252,6 +1246,43 @@ func TestLoadConfigFile_Template_NoSinks(t *testing.T) {
}
}
// TestLoadConfigFile_Template_WithCache tests ensures that cache {} stanza is
// permitted in vault agent configuration with template(s)
func TestLoadConfigFile_Template_WithCache(t *testing.T) {
config, err := LoadConfigFile("./test-fixtures/config-template-with-cache.hcl")
if err != nil {
t.Fatalf("err: %s", err)
}
expected := &Config{
SharedConfig: &configutil.SharedConfig{
PidFile: "./pidfile",
},
AutoAuth: &AutoAuth{
Method: &Method{
Type: "aws",
MountPath: "auth/aws",
Namespace: "my-namespace/",
Config: map[string]interface{}{
"role": "foobar",
},
},
},
Cache: &Cache{},
Templates: []*ctconfig.TemplateConfig{
{
Source: pointerutil.StringPtr("/path/on/disk/to/template.ctmpl"),
Destination: pointerutil.StringPtr("/path/on/disk/where/template/will/render.txt"),
},
},
}
config.Prune()
if diff := deep.Equal(config, expected); diff != nil {
t.Fatal(diff)
}
}
func TestLoadConfigFile_Vault_Retry(t *testing.T) {
config, err := LoadConfigFile("./test-fixtures/config-vault-retry.hcl")
if err != nil {
@ -1359,7 +1390,6 @@ func TestLoadConfigFile_EnforceConsistency(t *testing.T) {
},
PidFile: "",
},
APIProxy: &APIProxy{},
Cache: &Cache{
EnforceConsistency: "always",
WhenInconsistent: "retry",

View File

@ -0,0 +1,22 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
pid_file = "./pidfile"
auto_auth {
method {
type = "aws"
namespace = "/my-namespace"
config = {
role = "foobar"
}
}
}
cache {}
template {
source = "/path/on/disk/to/template.ctmpl"
destination = "/path/on/disk/where/template/will/render.txt"
}