* embed yarn binary using yarn policies set-version and loosen the restriction on yarn in the dockerfile and the package.json
* don't lint the embedded yarn package
* rename mount-filter-config models, components, serializer, adapters to path-filter-config
* move search-select component to core addon
* add js class for search-select-placeholder and sort out power-select deps for moving to the core component
* expose oninput from powerselect through search-select
* don't fetch mounts in the replication routes
* remove toggle from add template
* start cross-namespace fetching
* group options and set up for namespace fetch via power-select search prop
* add and style up radio-card CSS component
* add xlm size for icons between l and xl
* copy defaults so they're not getting mutated
* finalize cross-namespace fetching and getting that to work with power-select
* when passing options but no models, format the options in search select so that they render properly in the list
* tint the background of a selected radio card
* default to null mode and uniq options in search-select
* finish styling radio-card
* format inputValues when first rendering the component if options are being passed from outside
* treat mode:null as deleting existing config which simplifies save logic
* correctly prune the auto complete list since path-filter-config-list handles all of that and finish styling
* remove old component
* add search debounce and fix linting
* update search-select docs
* updating tests
* support grouped options for when to show the create prompt
* update and add tests for path-filter-config-list
* fix tests for search-select and path-filter-config-list
* the new api uses allow/deny instead of whitelist/blacklist
The example request for "Generate Intermediate" was type "internal", but the example response contained the private key, which "internal" doesn't do. This patch fixes the example request to be type "exported" to match the example response.
* Abstract generate-root authentication into the strategy interface
* Generate root strategy ncabatoff (#7700)
* Adapt to new shamir-as-kek reality.
* Don't try to verify the master key when we might still be sealed (in
recovery mode). Instead, verify it in the authenticate methods.
because when unsealing it wouldn't wait for core 0 to come up and become
the active node. Much of our testing code assumes that core0 is the
active node.
* Vault Agent Template: parse templates (#7540)
* add template config parsing, but it's wrong b/c it's not using mapstructure
* parsing consul templates in agent config
* add additional test to configuration parsing, to cover basics
* another test fixture, rework simple test into table
* refactor into table test
* rename test
* remove flattenKeys and add other test fixture
* Update command/agent/config/config.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* return the decode error instead of swallowing it
* Update command/agent/config/config_test.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* go mod tidy
* change error checking style
* Add agent template doc
* TemplateServer: render secrets with Consul Template (#7621)
* add template config parsing, but it's wrong b/c it's not using mapstructure
* parsing consul templates in agent config
* add additional test to configuration parsing, to cover basics
* another test fixture, rework simple test into table
* refactor into table test
* rename test
* remove flattenKeys and add other test fixture
* add template package
* WIP: add runner
* fix panic, actually copy templates, etc
* rework how the config.Vault is created and enable reading from the environment
* this was supposed to be a part of the prior commit
* move/add methods to testhelpers for converting some values to pointers
* use new methods in testhelpers
* add an unblock channel to block agent until a template has been rendered
* add note
* unblock if there are no templates
* cleanups
* go mod tidy
* remove dead code
* simple test to starT
* add simple, empty templates test
* Update package doc, error logs, and add missing close() on channel
* update code comment to be clear what I'm referring to
* have template.NewServer return a (<- chan) type, even though it's a normal chan, as a better practice to enforce reading only
* Update command/agent.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* update with test
* Add README and doc.go to the command/agent directory (#7503)
* Add README and doc.go to the command/agent directory
* Add link to website
* address feedback for agent.go
* updated with feedback from Calvin
* Rework template.Server to export the unblock channel, and remove it from the NewServer function
* apply feedback from Nick
* fix/restructure rendering test
* Add pointerutil package for converting types to their pointers
* Remove pointer helper methods; use sdk/helper/pointerutil instead
* update newRunnerConfig to use pointerutil and empty strings
* only wait for unblock if template server is initialized
* drain the token channel in this test
* conditionally send on channel
Shamir seals now come in two varieties: legacy and new-style. Legacy
Shamir is automatically converted to new-style when a rekey operation
is performed. All new Vault initializations using Shamir are new-style.
New-style Shamir writes an encrypted master key to storage, just like
AutoUnseal. The stored master key is encrypted using the shared key that
is split via Shamir's algorithm. Thus when unsealing, we take the key
fragments given, combine them into a Key-Encryption-Key, and use that
to decrypt the master key on disk. Then the master key is used to read
the keyring that decrypts the barrier.