Commit Graph

1677 Commits

Author SHA1 Message Date
akshya96 8f115a9904
Parse ha_storage in config (#15900)
* parsing values in config ha_storage

* adding changelog

* adding test to parse storage
2022-06-09 15:55:49 -07:00
Chris Capurso 75aa55eb57
add OSS noop check for valid ent storage (#15894) 2022-06-08 17:15:28 -04:00
Alexander Scheel 8d8a95cbf6
Add missing nil check to FIPS EA verification (#15883)
This was causing failures when running `vault server -dev`:

> panic: runtime error: invalid memory address or nil pointer dereference
> [signal SIGSEGV: segmentation violation code=0x2 addr=0x20 pc=0x105c41c1c]
>
> goroutine 1 [running]:
> github.com/hashicorp/vault/command.(*ServerCommand).parseConfig(0x140005a2180)
> 	.../vault/command/server.go:429 +0x5c

Interestingly, we do not have a test case for running the dev
sever.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-08 15:45:46 -04:00
Alexander Scheel dd6c339440
Add warning about EA in FIPS mode (#15858)
* Add warning about EA in FIPS mode

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-08 08:57:48 -04:00
davidadeleon 0026788d4b
api/monitor: Adding log format to monitor command and debug (#15536)
* Correct handling of "unspecified" log level

* Setting log-format default on monitor path

* Create changelog file

* Update website/content/api-docs/system/monitor.mdx

Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>

Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>
2022-05-24 13:10:53 -04:00
Josh Black 416504d8c3
Add autopilot automated upgrades and redundancy zones (#15521) 2022-05-20 16:49:11 -04:00
VAL c789fe3c8d
Set special output flags whether single or double hyphen (#15528) 2022-05-19 17:56:30 -07:00
Christopher Swenson e6fb16be9c
Remove spurious fmt.Printf calls including one of a key (#15344)
And add a semgrep for fmt.Printf/Println.
2022-05-19 12:27:02 -07:00
Alexander Scheel 9a3f34a41e
Vault CLI: show detailed information with ListResponseWithInfo (#15417)
* CLI: Add ability to display ListResponseWithInfos

The Vault Server API includes a ListResponseWithInfo call, allowing LIST
responses to contain additional information about their keys. This is in
a key=value mapping format (both for each key, to get the additional
metadata, as well as within each metadata).

Expand the `vault list` CLI command with a `-detailed` flag (and env var
VAULT_DETAILED_LISTS) to print this additional metadata. This looks
roughly like the following:

    $ vault list -detailed pki/issuers
    Keys                                    issuer_name
    ----                                    -----------
    0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7    n/a
    35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0    n/a
    382fad1e-e99c-9c54-e147-bb1faa8033d3    n/a
    8bb4a793-2ad9-460c-9fa8-574c84a981f7    n/a
    8bd231d7-20e2-f21f-ae1a-7aa3319715e7    n/a
    9425d51f-cb81-426d-d6ad-5147d092094e    n/a
    ae679732-b497-ab0d-3220-806a2b9d81ed    n/a
    c5a44a1f-2ae4-2140-3acf-74b2609448cc    utf8
    d41d2419-efce-0e36-c96b-e91179a24dc1    something

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow detailed printing of LIST responses in JSON

When using the JSON formatter, only the absolute list of keys were
returned. Reuse the `-detailed` flag value for the `-format=json` list
response printer, allowing us to show the complete API response returned
by Vault.

This returns something like the following:

    {
      "request_id": "e9a25dcd-b67a-97d7-0f08-3670918ef3ff",
      "lease_id": "",
      "lease_duration": 0,
      "renewable": false,
      "data": {
        "key_info": {
          "0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7": {
            "issuer_name": ""
          },
          "35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0": {
            "issuer_name": ""
          },
          "382fad1e-e99c-9c54-e147-bb1faa8033d3": {
            "issuer_name": ""
          },
          "8bb4a793-2ad9-460c-9fa8-574c84a981f7": {
            "issuer_name": ""
          },
          "8bd231d7-20e2-f21f-ae1a-7aa3319715e7": {
            "issuer_name": ""
          },
          "9425d51f-cb81-426d-d6ad-5147d092094e": {
            "issuer_name": ""
          },
          "ae679732-b497-ab0d-3220-806a2b9d81ed": {
            "issuer_name": ""
          },
          "c5a44a1f-2ae4-2140-3acf-74b2609448cc": {
            "issuer_name": "utf8"
          },
          "d41d2419-efce-0e36-c96b-e91179a24dc1": {
            "issuer_name": "something"
          }
        },
        "keys": [
          "0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7",
          "35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0",
          "382fad1e-e99c-9c54-e147-bb1faa8033d3",
          "8bb4a793-2ad9-460c-9fa8-574c84a981f7",
          "8bd231d7-20e2-f21f-ae1a-7aa3319715e7",
          "9425d51f-cb81-426d-d6ad-5147d092094e",
          "ae679732-b497-ab0d-3220-806a2b9d81ed",
          "c5a44a1f-2ae4-2140-3acf-74b2609448cc",
          "d41d2419-efce-0e36-c96b-e91179a24dc1"
        ]
      },
      "warnings": null
    }

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use field on UI rather than secret.Data

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Only include headers from visitable key_infos

Certain API endpoints return data from non-visitable key_infos, by
virtue of using a hand-rolled response. Limit our headers to those
from visitable key_infos. This means we won't return entire columns with
n/a entries, if no key matches the key_info key that includes that
header.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use setupEnv sourced detailed info

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix changelog environment variable

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix broken tests using setupEnv

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-18 13:00:50 -04:00
Hridoy Roy 679ccc81a5
Query and Precompute Non-Contiguous Segments in the Activity Log (#15352)
* query and precompute non-contiguous segments in the activity log

* changelog

* newline formatting

* make fmt

* report listener and storage types as found keys

* report listener and storage types as found keys

* Update vault/activity_log_test.go

Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>

* review comments

* merge conflict

* merge conflict

* merge conflict

* fix unchecked merge conflict

Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>
2022-05-17 12:17:32 -07:00
akshya96 4e9e9b7eda
Vault-6037 making filesystem permissions check opt-in (#15452)
* adding env var changes

* adding changelog

* adding strcov.ParseBool
2022-05-17 11:34:31 -07:00
Violet Hynes 2c6bcbdeb5
VAULT-5885: Fix erroneous success message in case of two-phase MFA, and provide MFA information in table format (#15428)
* VAULT-5885: Fix erroneous success message in case of two-phase MFA, and provide MFA information in table format

* VAULT-5885 Add changelog

* VAULT-5885 Update changelog as per PR comments

* VAULT-5885 Update changelog category to just 'auth'

* VAULT-5885 Hide useless token info in two-phase MFA case

* VAULT-5885 Update changelog to reflect token info now no longer present

* VAULT-5885 split up changelog into three blocks
2022-05-17 14:03:02 -04:00
Alexander Scheel 8750512f9f
Fix integer overflows with new parseutil (#15437)
* Use new parseutil helper: Safe variants

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update parseutil to v0.1.5

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix additional integer overflow in command/server

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-16 13:57:19 -04:00
Peter Wilson 2939159a4b
Added optional -log-level flag to 'operator migrate' command (#15405) 2022-05-12 15:56:25 -04:00
Christopher Swenson 0af0543bbe
VAULT-5935 agent: redact renew-self if using auto auth (#15380)
Vault agent redacts the token and accessor for `/auth/token/lookup-self` (and `lookup`)
if the token is the auto auth token to prevent it from leaking.

Similarly, we need to redact the token and accessor from `renew-self`
and `renew`, which also leak the token and accessor.

I tested this locally by starting up a Vault agent and querying the
agent endpoints, and ensuring that the accessor and token were set to
the empty string in the response.
2022-05-12 09:25:55 -07:00
Hridoy Roy 0c955eb743
report listener and storage types as found keys (#15383)
* report listener and storage types as found keys

* changelog
2022-05-12 09:04:56 -07:00
AnPucel ba88b1da16
[VAULT-14990] Support retrieving kv secret paths with trailing spaces (#15188) 2022-05-10 14:07:45 -07:00
davidadeleon 9e869c52fa
Add DR Metric scraping capability to debug command (#15316)
* Add server information as well as ability to collect metrics from DR secondary

* Update debug docs

Adding additional information around ability to gather metrics from DR secondary

* Fix broken link in updated doc

* Create 15316.txt

Create changelog entry

* Fix Formatting

* Update website/content/docs/commands/debug.mdx

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>

* Update changelog/15316.txt

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>

* Trigger Build

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
2022-05-06 16:04:08 -04:00
Christopher Swenson 0affe226ad
Update deps for consul-template 0.29.0 (#15293)
This requires bumping https://github.com/mitchellh/go-testing-interface.
For this new version, we have to create a wrapper to convert
the stdlib `testing.TB` interface to the
`mitchellh/go-testing-interface` `T` interface, since it uses
`Parallel()` now, which is not supported by `testing.TB`. This had to be
added to a new package, `benchhelpers`, to avoid a circular dependency
in `testhelpers`.

We also have to *unbump* https://github.com/armon/go-metrics since
updating it breaks our usage of
https://github.com/google/go-metrics-stackdriver

I verified that the new `pkiCert` template function works with agent
injection using annotations like:

```yaml
vault.hashicorp.com/agent-inject-secret-sample.crt: "pki/issue/example-dot-com"
vault.hashicorp.com/agent-inject-template-sample.crt: |
  {{ pkiCert "pki/issue/example-dot-com" "common_name=foo.example.com" "ttl=1h" }}
```
2022-05-05 10:30:40 -07:00
Chris Capurso 5f3d63a03a
clone vault agent client with headers (#15274) 2022-05-03 16:27:53 -04:00
Alexander Tischenko b89fc5af96
When running under systemd, send ready when server completed reloading config #7028 (#15041) 2022-05-03 08:34:11 -04:00
Jason O'Donnell e9535bda2f
agent/auto-auth: Add `min_backoff` to set first backoff value (#15204)
* Add initial_backoff to auto-auth method

* Disable retries in client

* Fix bug

* Thread initial backoff to CT

* Add comment

* Change to min_backoff

* changelog

* remove initial references, review

* fix test

* Thread max_backoff through

* Add doc note for max_backoff/templating
2022-04-29 12:31:32 -04:00
VAL 0ef529b710
Global flag that outputs minimum policy HCL required for an operation (#14899)
* WIP: output policy

* Outputs example policy HCL for given request

* Simplify conditional

* Add PATCH capability

* Use OpenAPI spec and regex patterns to determine if path is sudo

* Add test for isSudoPath

* Add changelog

* Fix broken CLI tests

* Add output-policy to client cloning code

* Smaller fixes from PR comments

* Clone client instead of saving and restoring custom values

* Fix test

* Address comments

* Don't unset output-policy flag on KV requests otherwise the preflight request will fail and not populate LastOutputPolicyError

* Print errors saved in buffer from preflight KV requests

* Unescape characters in request URL

* Rename methods and properties to improve readability

* Put KV-specificness at front of KV-specific error

* Simplify logic by doing more direct returns of strings and errors

* Use precompiled regexes and move OpenAPI call to tests

* Remove commented out code

* Remove legacy MFA paths

* Remove unnecessary use of client

* Move sudo paths map to plugin helper

* Remove unused error return

* Add explanatory comment

* Remove need to pass in address

* Make {name} regex less greedy

* Use method and path instead of info from retryablerequest

* Add test for IsSudoPaths, use more idiomatic naming

* Use precompiled regexes and move OpenAPI call to tests (#15170)

* Use precompiled regexes and move OpenAPI call to tests

* Remove commented out code

* Remove legacy MFA paths

* Remove unnecessary use of client

* Move sudo paths map to plugin helper

* Remove unused error return

* Add explanatory comment

* Remove need to pass in address

* Make {name} regex less greedy

* Use method and path instead of info from retryablerequest

* Add test for IsSudoPaths, use more idiomatic naming

* Make stderr writing more obvious, fix nil pointer deref
2022-04-27 16:35:18 -07:00
Tom Proctor b30e7d3545
Upgrade hashicorp/consul-template dependency (#15092)
* Includes sprig template functions
* Includes improvements to writeTo template function
* Add sprig functions test, improve failure message
2022-04-19 20:51:11 +01:00
Chris Capurso e69f89c279
Add build date (#14957)
* add BuildDate to version base

* populate BuildDate with ldflags

* include BuildDate in FullVersionNumber

* add BuildDate to seal-status and associated status cmd

* extend core/versions entries to include BuildDate

* include BuildDate in version-history API and CLI

* fix version history tests

* fix sys status tests

* fix TestStatusFormat

* remove extraneous LD_FLAGS from build.sh

* add BuildDate to build.bat

* fix TestSysUnseal_Reset

* attempt to add build-date to release builds

* add branch to github build workflow

* add get-build-date to build-* job needs

* fix release build command vars

* add missing quote in release build command

* Revert "add branch to github build workflow"

This reverts commit b835699ecb7c2c632757fa5fe64b3d5f60d2a886.

* add changelog entry
2022-04-19 14:28:08 -04:00
Vinny Mannello 6116903a37
[Vault-5248] MFA support for api login helpers (#14900)
* Add MFA support to login helpers
2022-04-15 11:13:15 -07:00
akshya96 87a2516e73
Fix nightly tests and debug (#14970)
* adding env var

* add fixes

* fixing debug

* removing umask from tests
2022-04-12 06:08:28 +05:30
akshya96 5e0ed27b87
adding env var (#14958) 2022-04-07 12:15:05 -07:00
Anton Averchenkov 23a3f950e4
Revert the WithContext changes to vault tests (#14947) 2022-04-07 15:12:58 -04:00
Christopher Swenson 0de8e8459e
Agent error log level is mismatched (#14424)
* [VAULT-1618] Agent error log level is mismatched

`logLevelToStringPtr` translates `go-hclog`'s `ERROR` to `"ERROR"` for
Consul Template's runner, but that expects `ERR` and is quite strict
about it.

This will address https://github.com/hashicorp/vault-k8s/issues/223
after it is set as the default image in `vault-k8s`.

I didn't find a simple way to test this other than starting up a full
server and agent and letting them run, which is unfortunately fairly
slow.

I confirmed that this addresses the original issue by modifying the helm
chart with the values in this commit and patching the log level to `err`.

* VAULT-1618 Add changelog/14424.txt

* VAULT-1618 Update changelog/14424.txt based on @kalafut suggestion

Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>

* VAULT-1618 Move cancel and server stop into defer in tests

* VAULT-1618 Triggering CircleCI tests

* VAULT-1618 Replace ioutil with os functions for agent template tests

Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
2022-04-07 11:03:38 -07:00
VAL 2113ae1021
Mount flag syntax to mitigate confusion from KV-v2 path discrepancies (#14807)
* Add explanation to help text and flag usage text

* KV get with new mount flag

* Clearer naming

* KV Put, Patch, Metadata Get + corresponding tests

* KV Delete, Destroy, Rollback, Undelete, MetadataDelete, MetadataPatch, MetadataPut

* Update KV-v2 docs to use mount flag syntax

* Add changelog

* Run make fmt

* Clarify deprecation message in help string

* Address style comments
2022-04-06 13:58:06 -07:00
Anton Averchenkov c74feaa6ac
Use WriteWithContext in auth helpers (#14775) 2022-04-06 11:20:34 -04:00
akshya96 796003ddda
Vault 3992 ToB Config and Plugins Permissions (#14817)
* updating changes from ent PR

* adding changelog

* fixing err

* fixing semgrep error
2022-04-04 09:45:41 -07:00
akshya96 9f03f86077
Vault 3999 Change permissions for directory/archive created by debug command (#14846)
* adding debug changes from ent

* adding changelog
2022-04-04 09:44:03 -07:00
hghaf099 9ae2a85700
Fixing excessive unix file permissions (#14791)
* Fixing excessive unix file permissions

* CL

* reduce the permission from 750 to 700
2022-04-01 12:57:38 -04:00
hghaf099 8f6a97b81b
Vault-4279 reporting redundant/unused keys in config (#14752)
* Vault-4279 reporting redundant/unused keys in config

* missing validate step

* CL

* Change the log level
2022-04-01 10:34:27 -04:00
Chris Capurso dbda6e6ec5
add kv write retry logic for TestKVPatchCommand_RWMethodPolicyVariations (#14812) 2022-03-31 17:18:14 -04:00
Chris Capurso 157a655632
Fix CLI panic caused by single backslash values (#14523)
* upgrade go-secure-stdlib/kv-builder to v0.1.2

* add kv test to ensure single backslash values no longer panic

* add changelog entry
2022-03-24 16:40:32 -04:00
VAL f9372145dd
Warn on upper case in policy name (#14670)
* Warn on upper case in policy name

* Rename name variable to be less confusing

* Use more general solution for other string issues

* Clarify changelog

* Remove unnecessary check

* Don't throw CLI warning until after past errors

* Add before and after names with quotes to show spacing changes
2022-03-24 13:29:11 -07:00
Anton Averchenkov 1222375d1a
Add context-aware functions to vault/api (#14388) 2022-03-23 17:47:43 -04:00
Lars Lehtonen 431c40629c
command: fix dropped errors (#14609) 2022-03-21 11:26:38 -06:00
Zach Stone b43ed904f2
Update mholt/archiver to v3.5.1 (#11584)
* Update mholt/archiver to v3.5.0

* Bump archiver to 3.5.1

* Vendor dependencies

* Use newer go

* go mod tidy

* Remove vendor

* Rm vendor

* Revert api and sdk sums

Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
2022-03-16 09:42:21 -05:00
hghaf099 361646ab26
add MFA validation support to vault login command (#14425)
* add MFA validation support to vault login command

* correctly report new totp code availability period
2022-03-14 15:54:41 -04:00
Alexander Scheel d9c1314552
Fix description of StringSliceVar options (#14439)
These options must be specified multiple times in order to be properly
parsed. However, the present description suggests that a comma-separated
list would work as well, however this isn't the case and results in a
slice containing a single string (with all comma-separated values) in
the API request. Clarify the argument help text to make this clearer.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-03-14 14:11:49 -04:00
VAL 94fcca09e3
Remove unneeded comments (#14423) 2022-03-09 11:37:18 -08:00
VAL 63a2ed296b
Output full secret path in certain kv commands (#14301)
* Full secret path in table output of get and put

* Add path output to KV patch and metadata get

* Add changelog

* Don't print secret path for kv-v1

* Make more readable

* Switch around logic to not swallow error

* Add test for secret path

* Fix metadata test

* Add unit test for padequalsigns

* Remove wonky kv get tests
2022-03-08 13:17:27 -08:00
Rémi Lapeyre e89bbd51d9
Add support for PROXY protocol v2 in TCP listener (#13540)
* Add support for PROXY protocol v2 in TCP listener

I did not find tests for this so I added one trying to cover different
configurations to make sure I did not break something. As far as I know,
the behavior should be exactly the same as before except for one thing
when proxy_protocol_behavior is set to "deny_unauthorized", unauthorized
requests were previously silently reject because of https://github.com/armon/go-proxyproto/blob/7e956b284f0a/protocol.go#L81-L84
but it will now be logged.

Also fixes https://github.com/hashicorp/vault/issues/9462 by adding
support for `PROXY UNKNOWN` for PROXY protocol v1.

Closes https://github.com/hashicorp/vault/issues/3807

* Add changelog
2022-03-08 12:13:00 -05:00
Hridoy Roy d8155aa7c4
SSCT Optimizations (OSS) (#14323)
* update ci.hcl to remove 1.6.x and add in 1.10.x

* SSCT OSS PR review comments and optimizations

* check errors in populate token entry calls
2022-03-01 12:24:45 -08:00
Tom Proctor 3668275903
Quit agent endpoint with config (#14223)
* Add agent/v1/quit endpoint
  * Closes https://github.com/hashicorp/vault/issues/11089
* Agent quit API behind config setting
* Normalise test config whitespace
* Document config option

Co-authored-by: Rémi Lapeyre <remi.lapeyre@lenstra.fr>
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
2022-02-25 10:29:05 +00:00
hghaf099 671cdbcadb
interactive CLI for mfa login (#14131)
* Login MFA

* ENT OSS segragation (#14088)

* Delete method id if not used in an MFA enforcement config (#14063)

* Delete an MFA methodID only if it is not used by an MFA enforcement config

* Fixing a bug: mfa/validate is an unauthenticated path, and goes through the handleLoginRequest path

* adding use_passcode field to DUO config (#14059)

* add changelog

* preventing replay attack on MFA passcodes (#14056)

* preventing replay attack on MFA passcodes

* using %w instead of %s for error

* Improve CLI command for login mfa (#14106)

CLI prints a warning message indicating the login request needs to get validated

* adding the validity period of a passcode to error messages (#14115)

* interactive CLI for mfa login

* minor fixes

* bail if no input was inserted

* change label name

* interactive CLI when single methodID is returned from login request

* minor fix

* adding changelog

* addressing feedback

* a user with a terminal should be able to choose between interactive and non-interactive.  A user without a terminal should not be able to use the interactive mode.

Co-authored-by: Josh Black <raskchanky@gmail.com>
2022-02-24 15:16:15 -05:00
Chris Capurso 45875c7e71
prevent int64 overflow for default_lease_ttl and max_lease_ttl (#14206)
* prevent int64 overflow for default_lease_ttl and max_lease_ttl

* add changelog entry

* wording change in changelog entry
2022-02-23 17:08:52 -05:00
Austin Gebauer 4d94ba8e14
agent/azure: adds ability to use specific user-assigned managed identities for auto auth (#14214)
* agent/azure: adds ability to use specific user assigned managed identity for auto auth

* add changelog

* change wording in error and docs

* Update website/content/docs/agent/autoauth/methods/azure.mdx

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Update website/content/docs/agent/autoauth/methods/azure.mdx

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

* docs formatting

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2022-02-23 11:43:36 -08:00
Victor Rodriguez f7f6f937e4
Invalidate the ManagedKeyRegistry cache when Vault config is updated. (#14179)
Add the hook needed to implement this functionality in vault-enterprise.
2022-02-21 09:55:44 -05:00
Pratyoy Mukhopadhyay 212538e9a0
remount cli changes (#14159) 2022-02-18 08:50:05 -08:00
Rémi Lapeyre 98b18ee08e
Add telemetry to Vault agent (#13675)
This patch adds a new /agent/v1/metrics that will return metrics on the
running Vault agent. Configuration is done using the same telemetry
stanza as the Vault server. For now default runtime metrics are
returned with a few additional ones specific to the agent:
  - `vault.agent.auth.failure` and `vault.agent.auth.success` to monitor
  the correct behavior of the auto auth mechanism
  - `vault.agent.proxy.success`, `vault.agent.proxy.client_error` and
  `vault.agent.proxy.error` to check the connection with the Vault server
  - `vault.agent.cache.hit` and `vault.agent.cache.miss` to monitor the
  cache

Closes https://github.com/hashicorp/vault/issues/8649

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2022-02-17 17:10:26 -08:00
Josh Black e83471d7de
Login MFA (#14025)
* Login MFA

* ENT OSS segragation (#14088)

* Delete method id if not used in an MFA enforcement config (#14063)

* Delete an MFA methodID only if it is not used by an MFA enforcement config

* Fixing a bug: mfa/validate is an unauthenticated path, and goes through the handleLoginRequest path

* adding use_passcode field to DUO config (#14059)

* add changelog

* preventing replay attack on MFA passcodes (#14056)

* preventing replay attack on MFA passcodes

* using %w instead of %s for error

* Improve CLI command for login mfa (#14106)

CLI prints a warning message indicating the login request needs to get validated

* adding the validity period of a passcode to error messages (#14115)

* PR feedback

* duo to handle preventing passcode reuse

Co-authored-by: hghaf099 <83242695+hghaf099@users.noreply.github.com>
Co-authored-by: hamid ghaf <hamid@hashicorp.com>
2022-02-17 13:08:51 -08:00
Jordan Reimer b936db8332
Revert "MFA (#14049)" (#14135)
This reverts commit 5f17953b5980e6438215d5cb62c8575d16c63193.
2022-02-17 13:17:59 -07:00
Hridoy Roy ebf8e5308a
SSCT Tokens Feature [OSS] (#14109)
* port SSCT OSS

* port header hmac key to ent and generate token proto without make command

* remove extra nil check in request handling

* add changelog

* add comment to router.go

* change test var to use length constants

* remove local index is 0 check and extra defer which can be removed after use of ExternalID
2022-02-17 11:43:07 -08:00
Alexander Scheel ec4deb12ef
Add infrastructure for exposing FIPS status (#14127)
In future Vault Enterprise versions, we'll be building Vault with
FIPS-validated cryptography. To help operators understand their
environment, we'll want to expose information about their FIPS status
when they're running a FIPS version of Vault.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-02-17 13:03:57 -05:00
Jordan Reimer 36ccfaa3aa
MFA (#14049)
* adds development workflow to mirage config

* adds mirage handler and factory for mfa workflow

* adds mfa handling to auth service and cluster adapter

* moves auth success logic from form to controller

* adds mfa form component

* shows delayed auth message for all methods

* adds new code delay to mfa form

* adds error views

* fixes merge conflict

* adds integration tests for mfa-form component

* fixes auth tests

* updates mfa response handling to align with backend

* updates mfa-form to handle multiple methods and constraints

* adds noDefault arg to Select component

* updates mirage mfa handler to align with backend and adds generator for various mfa scenarios

* adds tests

* flaky test fix attempt

* reverts test fix attempt

* adds changelog entry

* updates comments for todo items

* removes faker from mfa mirage factory and handler

* adds number to word helper

* fixes tests

* Revert "Merge branch 'main' into ui/mfa"

This reverts commit 8ee6a6aaa1b6c9ec16b985c10d91c3806819ec40, reversing
changes made to 2428dd6cca07bb41cda3f453619646ca3a88bfd0.

* format-ttl helper fix from main
2022-02-17 09:10:56 -07:00
Pratyoy Mukhopadhyay 0ceccaa51d
oss changes for cross ns remount (#14104) 2022-02-16 11:21:42 -08:00
VAL 772cfcab91
Typo and clarity fixes (#14081) 2022-02-15 10:43:49 -08:00
Chris Capurso dd0a2c15a3
fix fmt (#14062) 2022-02-14 18:06:02 -05:00
Chris Capurso f9e9b4d327
Add sys/version-history endpoint and associated command (#13766)
* store version history as utc; add self-heal logic

* add sys/version-history endpoint

* change version history from GET to LIST, require auth

* add "vault version-history" CLI command

* add vault-version CLI error message for version string parsing

* adding version-history API and CLI docs

* add changelog entry

* some version-history command fixes

* remove extraneous cmd args

* fix version-history command help text

* specify in docs that endpoint was added in 1.10.0

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>

* enforce UTC within storeVersionTimestamp directly

* fix improper use of %w in logger.Warn

* remove extra err check and erroneous return from loadVersionTimestamps

* add >= 1.10.0 warning to version-history cmd

* move sys/version-history tests

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2022-02-14 15:26:57 -05:00
Steven Clark 12b0e2a56b
Add documentation for Managed Keys (#13856)
* Add documentation for Managed Keys

 - Add concept, sys/api and pki updates related to managed keys

* Review feedback

 - Reworked quite a bit of the existing documentation based on feedback
   and a re-reading
 - Moved the managed keys out of the concepts section and into the
   enterprise section

* Address broken links and a few grammar tweaks
2022-02-08 14:01:19 -05:00
Josh Black d249fad2df
reformat using 'make fmt' (#13794) 2022-01-27 10:06:34 -08:00
akshya96 0858af2685
Vault3991 Fix lower bound check (#13727)
* code scanning alerts changes

* adding changelog

* fixing lower bound check
2022-01-20 12:05:22 -08:00
Pratyoy Mukhopadhyay 85725ba3ec
OSS changes for ent pr (#13696) 2022-01-19 09:43:12 -08:00
Nick Cabatoff 21be98ee7a
Support go-sockaddr templates in top-level cluster_addr config (#13678)
In doing some testing I found that the listener clusteraddr isn't really used, or at least isn't as important as the top-level clusteraddr setting.  As such, go-sockaddr templating needs to be implemented for the top-level `cluster_addr` setting or it's unusable for HA.

Also fix a nil pointer panic I discovered at the same time.
2022-01-19 10:56:04 -05:00
akshya96 319a76d8d1
Vault-3991 Code Scanning Alerts Changes (#13667)
* code scanning alerts changes

* adding changelog
2022-01-14 15:35:27 -08:00
Chris Capurso d52d69e4bb
Add HTTP PATCH support for KV key metadata (#13215)
* go get vault-plugin-secrets-kv@vault-4290-patch-metadata

* add kv metadata patch command

* add changelog entry

* success tests for kv metadata patch flags

* add more kv metadata patch flags tests

* add kv metadata patch cas warning test

* add kv-v2 key metadata patch API docs

* add kv metadata patch to docs

* prevent unintentional field overwriting in kv metadata put cmd

* like create/update ops, prevent patch to paths ending in /

* fix kv metadata patch cmd in docs

* fix flag defaults for kv metadata put

* go get vault-plugin-secrets-kv@vault-4290-patch-metadata

* fix TestKvMetadataPatchCommand_Flags test

* doc fixes

* go get vault-plugin-secrets-kv@master; go mod tidy
2022-01-12 12:05:27 -05:00
Nick Cabatoff 624128896f
If we get a 405 doing an HTTP PATCH, assume the server is pre-1.9 and fall back to old readThenWrite approach (#13615) 2022-01-11 11:52:24 -05:00
Scott Miller 89f617a97c
Convert to Go 1.17 go:build directive (#13579) 2022-01-05 12:02:03 -06:00
Scott Miller baec515677
Move KmsLibrary code to the ent side of config parsing (#13463)
* Move KmsLibrary code to the ent side of config parsing

* Normalize config.go

* Nope, needs to be result
2021-12-16 14:57:18 -06:00
divyapola5 3488948ccd
CLI changes for new mount tune config parameter allowed_managed_keys (#13255)
* CLI changes for new mount tune config parameter allowed_managed_keys

* Correct allowed_managed_keys description in auth and secrets

* Documentation update for secrets and removed changes for auth

* Add changelog and remove documentation changes for auth

* removed changelog

* Correct the field description
2021-12-10 11:08:28 -06:00
hghaf099 65845c7531
VAULT-1564 report in-flight requests (#13024)
* VAULT-1564 report in-flight requests

* adding a changelog

* Changing some variable names and fixing comments

* minor style change

* adding unauthenticated support for in-flight-req

* adding documentation for the listener.profiling stanza

* adding an atomic counter for the inflight requests
addressing comments

* addressing comments

* logging completed requests

* fixing a test

* providing log_requests_info as a config option to determine at which level requests should be logged

* removing a member and a method from the StatusHeaderResponseWriter struct

* adding api docks

* revert changes in NewHTTPResponseWriter

* Fix logging invalid log_requests_info value

* Addressing comments

* Fixing a test

* use an tomic value for logRequestsInfo, and moving the CreateClientID function to Core

* fixing go.sum

* minor refactoring

* protecting InFlightRequests from data race

* another try on fixing a data race

* another try to fix a data race

* addressing comments

* fixing couple of tests

* changing log_requests_info to log_requests_level

* minor style change

* fixing a test

* removing the lock in InFlightRequests

* use single-argument form for interface assertion

* adding doc for the new configuration paramter

* adding the new doc to the nav data file

* minor fix
2021-12-08 17:34:42 -05:00
Theron Voran bfa008d78f
agent/cache: differentiate open log messages (#13362)
Changes the error output for the second open of the persistent cache
file, to differentiate it from the c.UI.Error message for the initial
open of the cache file, just to make it easier to tell where a problem
occurred.
2021-12-08 10:32:49 -08:00
Steven Clark 94e6a688ff
Add kms_library configuration stanza (#13352)
- Add the kms_library configuration stanza to Vault's command/server
 - Provide validation of keys and general configuration.
 - Add initial kms_library configuration documentation
 - Attempt at startup to verify we can read the configured HSM Library
 - Hook in KmsLibrary config into the Validate to detect typo/unused keys
2021-12-07 09:58:23 -05:00
Jim Kalafut 22c4ae5933
Rename master key to root key (#13324)
* See what it looks like to replace "master key" with "root key".  There are two places that would require more challenging code changes: the storage path `core/master`, and its contents (the JSON-serialized EncodedKeyringtructure.)

* Restore accidentally deleted line

* Add changelog

* Update root->recovery

* Fix test

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2021-12-06 17:12:20 -08:00
Pavlos Tzianos 0abc8f43fa
Add helper for encoding/decoding root tokens and OTP generation in SDK module (#10504) (#10505) 2021-12-01 08:05:49 -05:00
Nick Cabatoff a47a2c9fc4
Add "operator members" command to list nodes in the cluster. (#13292) 2021-11-30 14:49:58 -05:00
Daniel Nathan Gray 26711ab017
Documentation consistency GPG keys are PGP keys. (#13073)
* Consistency: GPG keys are PGP keys

* Consistency: GPG keys are PGP keys

* Consistency: GPG keys are PGP keys

* Consistency: GPG keys are PGP keys

* Consistency: GPG keys are PGP keys

* Consistency: s/GPG/PGP keys, use GPG's proper name

* Use GPG's proper name GnuPG

* Use GPG's proper name GnuPG

* Consistency: GPG keys are PGP keys

* Fix typo
2021-11-08 10:04:59 -08:00
John-Michael Faircloth 792400a24c
ensure errors are checked (#12989) 2021-11-01 13:34:51 -05:00
Theron Voran 4585bdda6b
Update TestServer error string (#12954)
Update the error string expected from parsing unknown units in a
duration.
2021-10-28 11:01:18 -07:00
Yannick Lorenzati e8f14b451b
CLI: add new -header option to be able to add headers to all cli requests #8754 (#12508) 2021-10-27 11:04:04 -04:00
Tom Proctor 119474e7a2
agent/cache: Store leases in-order in persistent cache so that restore respects dependencies (#12843) 2021-10-27 11:36:48 +01:00
VAL a44505dd06
Native Login method for Go client (#12796)
* Native Login method, userpass and approle interfaces to implement it

* Add AWS auth interface for Login, unexported struct fields for now

* Add Kubernetes client login

* Add changelog

* Add a test for approle client login

* Return errors from LoginOptions, use limited reader for secret ID

* Fix auth comment length

* Return actual type not interface, check for client token in tests

* Require specification of secret ID location using SecretID struct as AppRole arg

* Allow password from env, file, or plaintext

* Add flexibility in how to fetch k8s service token, but still with default

* Avoid passing strings that need to be validated by just having different login options

* Try a couple real tests with approle and userpass login

* Fix method name in comment

* Add context to Login methods, remove comments about certain sources being inherently insecure

* Perform read of secret ID at login time

* Read password from file at login time

* Pass context in integ tests

* Read env var values in at login time, add extra tests

* Update api version

* Revert "Update api version"

This reverts commit 1ef3949497dcf878c47e0e5ffcbc8cac1c3c1679.

* Update api version in all go.mod files
2021-10-26 16:48:48 -07:00
Chris Capurso a6b1cbad12
Extend kv metadata to get, put, and patch (#12907)
* go get vault-plugin-secrets-kv@extend-kv-metadata-to-get-and-put

* test for custom_metadata in kv get, put, patch command output

* remove flagFormat-specific check from TestKVMetadataGetCommand

* rewrite custom metadata changelog entry

* go get vault-plugin-secrets-kv@master

* go mod tidy
2021-10-26 15:38:56 -04:00
swayne275 559816254b
API Lock CLI OSS port (#12925)
* api lock in oss

* add namespace lock/unlock help
2021-10-26 10:52:29 -06:00
hghaf099 c79cd1c744
fixing a bug for cli when namespace is in both arg and path (#12911)
* fixing a bug for cli when namespace is in both arg and path

* Add a changelog
2021-10-22 17:47:16 -04:00
swayne275 fe9da20d67
oss components of vault-3372 (#12898) 2021-10-22 14:22:49 -06:00
Nick Cabatoff de0a56bd44
Fix TestParseSockaddrTemplate to take into account CustomResponseHeaders. (#12902) 2021-10-22 08:50:12 -04:00
hghaf099 b472d7ed3f
CLI request when namespace is in argument and part of the path (#12720)
* CLI makes request to incorrect URL when namespace is both provided as argument and part of the path
fixes #12675

* adding change log

* removing a switch and addressing a possibility of out of bound index
2021-10-21 22:35:13 -04:00
Nick Cabatoff d66fd98d4a
Add support for go-sockaddr templated addresses in config. (#9109) 2021-10-21 10:10:48 -04:00
Scott Miller 9f62768cc7
Diagnose partial/missing telemetry configuration (#12802)
* Diagnose partial/missing telemetry configuration

* changelog

* fixup

* not sure which component?
2021-10-20 16:47:59 -05:00
Dave Du Cros ceac6e913d
operator generate-root -decode: allow token from stdin (#12881)
* operator generate-root -decode: allow token from stdin

Allow passing "-" as the value for -decode, causing the encoded token to
be read from stdin. This is intended to prevent leaking the encoded
token + otp into process logs in enterprise environments.

* add changelog entry for PR12881

* add check/test for empty decode value passed via stdin
2021-10-20 12:29:17 -04:00
Chris Capurso eb6df00992
add retry logic when kv is upgrading in handler test (#12864)
* add retry logic when kv is upgrading in handler test

* make retry func for kv cli test more generic

* use ticker for kv retry logic in tests
2021-10-20 08:44:56 -04:00
Brian Kassouf c705adc79c
Fix some linting errors (#12860) 2021-10-18 17:29:47 -07:00
Theron Voran ae79afdd26
agent: Use an in-process listener with cache (#12762)
Uses a bufconn listener between consul-template and vault-agent when
caching is enabled and either templates or a listener is defined. This
means no listeners need to be defined in vault-agent for just
templating. Always routes consul-template through the vault-agent
cache (instead of only when persistent cache is enabled).

Uses a local transportDialer interface in config.Cache{}. 

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
2021-10-15 17:22:19 -07:00
Hridoy Roy 1c427d3286
Port: add client ID to TWEs in activity log [vault-3136] (#12820)
* port for tracking twes as clients

* comment clean up

* changelog

* change changelog entry phrasing
2021-10-14 09:10:59 -07:00
Chris Capurso bbb4ab4a41
Add HTTP PATCH support to KV (#12687)
* handle HTTP PATCH requests as logical.PatchOperation

* update go.mod, go.sum

* a nil response for logical.PatchOperation should result in 404

* respond with 415 for incorrect MIME type in PATCH Content-Type header

* add abstraction to handle PatchOperation requests

* add ACLs for patch

* Adding JSON Merge support to the API client

* add HTTP PATCH tests to check high level response logic

* add permission-based 'kv patch' tests in prep to add HTTP PATCH

* adding more 'kv patch' CLI command tests

* fix TestHandler_Patch_NotFound

* Fix TestKvPatchCommand_StdinValue

* add audit log test for HTTP PATCH

* patch CLI changes

* add patch CLI tests

* change JSONMergePatch func to accept a ctx

* fix TestKVPatchCommand_RWMethodNotExists and TestKVPatchCommand_RWMethodSucceeds to specify -method flag

* go fmt

* add a test to verify patching works by default with the root token

* add changelog entry

* get vault-plugin-secrets-kv@add-patch-support

* PR feedback

* reorder some imports; go fmt

* add doc comment for HandlePatchOperation

* add json-patch@v5.5.0 to go.mod

* remove unnecessary cancelFunc for WriteBytes

* remove default for -method

* use stable version of json-patch; go mod tidy

* more PR feedback

* temp go get vault-plugin-secrets-kv@master until official release

Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
2021-10-13 15:24:31 -04:00
hghaf099 ad2ef412cc
Customizing HTTP headers in the config file (#12485)
* Customizing HTTP headers in the config file

* Add changelog, fix bad imports

* fixing some bugs

* fixing interaction of custom headers and /ui

* Defining a member in core to set custom response headers

* missing additional file

* Some refactoring

* Adding automated tests for the feature

* Changing some error messages based on some recommendations

* Incorporating custom response headers struct into the request context

* removing some unused references

* fixing a test

* changing some error messages, removing a default header value from /ui

* fixing a test

* wrapping ResponseWriter to set the custom headers

* adding a new test

* some cleanup

* removing some extra lines

* Addressing comments

* fixing some agent tests

* skipping custom headers from agent listener config,
removing two of the default headers as they cause issues with Vault in UI mode
Adding X-Content-Type-Options to the ui default headers
Let Content-Type be set as before

* Removing default custom headers, and renaming some function varibles

* some refacotring

* Refactoring and addressing comments

* removing a function and fixing comments
2021-10-13 11:06:33 -04:00
contrun e292bc1b5d
remove trailing comma in json file (#12640)
Signed-off-by: YI <uuuuuu@protonmail.com>
2021-10-12 12:03:01 -04:00
Tom Proctor 0180ba2984
agent: tolerate partial restore failure from persistent cache (#12718)
* agent: tolerate partial restore failure from persistent cache

* Review comments: improved consistency, test robustness, comments, assertions
2021-10-08 11:30:04 +01:00
vinay-gopalan 458927c2ed
[VAULT-3157] Move `mergeStates` utils from Agent to api module (#12731)
* move merge and compare states to vault core

* move MergeState, CompareStates and ParseRequiredStates to api package

* fix merge state reference in API Proxy

* move mergeStates test to api package

* add changelog

* ghost commit to trigger CI

* rename CompareStates to CompareReplicationStates

* rename MergeStates and make compareStates and parseStates private methods

* improved error messaging in parseReplicationState

* export ParseReplicationState for enterprise files
2021-10-06 10:57:06 -07:00
Mayo 0bd0339c0b
cleanup unused code and fix t.Fatal usage in goroutine in testing (#11694) 2021-09-30 07:33:14 -04:00
hghaf099 8b29493e76
fix writing back the Filename into unusedKeys in ParseConfig (#12615) 2021-09-23 09:30:44 -04:00
Rachel Culpepper 9ff3fd39a2
fix build tag (#12588) 2021-09-20 17:10:54 -04:00
Pratyoy Mukhopadhyay 0819eac6a8
Update token renew docs (#12572)
* Update docs for token renew api and cli

* Clarify api docs for renew/renew-self

* Update wording around periodic tokens
2021-09-16 16:54:46 -07:00
Theron Voran ae0bda77b3
vault-agent: copy values retrieved from bolt (#12534)
Byte slices returned from Bolt are only valid during a transaction, so
this makes a copy.

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2021-09-13 11:06:08 -07:00
Rachel Culpepper c0ada31a99
Vault-2840 Add no-op check for HTTP listener validity (#12421)
* fips tag and no-op code

* tls check

* change to error

* add tests

* add test file

* cleanup

* add changelog

* fix file difference

* remove changelog
2021-09-07 18:36:58 -04:00
Lars Lehtonen fe1cf762fd
command: fix dropped test error (#12474) 2021-09-01 16:05:14 -07:00
Chris Capurso 3f4a381f1b
Add kv custom key metadata (#12218)
* add custom-metdata flag to "kv metadata put" command

* add kv metadata put command test for custom-metadata flag

* add custom_metadata to kv-v2 api docs

* add custom_metadata to kv-v2 cli docs

* update go.mod

* Add custom metadata limits to docs

* add changelog entry

* update vault-plugin-secrets-kv to @master
2021-08-23 15:49:09 -04:00
hghaf099 f885d97774
VAULT-2285 adding capability to accept comma separated entries for au… (#12126)
* VAULT-2285 adding capability to accept comma separated entries for auth enable/tune

* Adding changelog

* Adding logic to detect invalid input parameter for auth enable config

* Updating tune.mdx

* Updating secret enable/tune for comma separated parameters

* Adding further parameter checks for auth/secret tests
Fixing changelog
using builtin type for a switch statement
Fixing a possible panic scenario

* Changing a function name, using deep.Equal instead of what reflect package provides

* Fixing auth/secret enable/tune mdx files

* One more mdx file fix

* Only when users provide a single comma separated string in a curl command, split the entries by commas

* Fixing API docs for auth/mount enable/tune for comma separated entries

* updating docs, removing an unnecessary switch case
2021-08-09 15:37:03 -04:00
Hridoy Roy a3fefdca35
oss part of license diagnose test fix (#12234)
* oss part of license diagnose test fix

* cl
2021-08-02 10:50:49 -07:00
Nick Cabatoff 6016e86115
Fix `vault debug` so that captured logs include newlines. (#12175) 2021-07-27 09:15:24 -04:00
Jeff Mitchell 33ff878946
Move awsutil over to the go-secure-stdlib version (#12128)
Unlike the other libraries that were migrated, there are no usages of
this lib in any of our plugins, and the only other known usage was in
go-kms-wrapping, which has been updated. Aliasing it like the other libs
would still keep the aws-sdk-go dep in the sdk module because of the
function signatures. So I've simply removed it entirely here.
2021-07-20 20:42:00 -04:00
Jeff Mitchell f7147025dd
Migrate to sdk/internalshared libs in go-secure-stdlib (#12090)
* Swap sdk/helper libs to go-secure-stdlib

* Migrate to go-secure-stdlib reloadutil

* Migrate to go-secure-stdlib kv-builder

* Migrate to go-secure-stdlib gatedwriter
2021-07-15 20:17:31 -04:00
Scott Miller 555eb2ae0b
Add advice as a trace option to spot checks (#12105)
* Add advice as a trace option to spot checks

* typo

* Collect advice when forming the tree
2021-07-15 18:01:51 -05:00
Scott Miller 3f01d92d3b
Suppress logging during a diagnose run (#12101)
* Suppress logging during a diagnose run

* remove debugging
2021-07-15 16:54:59 -05:00
Scott Miller 1aa98e81f7
Make any section skippable via string contains skip checking. (#12055)
* Make any section skippable via string contains skip checking

* Fix unit test
2021-07-13 18:25:04 -05:00
Scott Miller 5ec576a810
Wire up remaining sections for config validation (#12048)
* wip

* Add validation to storage, serviceregistration

* Wire up remaining sections except Storage which is generic
2021-07-12 16:33:17 -05:00
Hridoy Roy 3c3555d6b4
skip seal check for manual sealing (#12046)
* skip seal check for manual sealing

* language
2021-07-12 13:22:56 -07:00
Hridoy Roy d3034f2851
Diagnose Language Pass (#11909)
* save

* save

* save

* first round of the diagnose language pass

* capitalization

* first round of feedback

* fix bug in advise

* a few more nouns to verbs
2021-07-11 15:44:19 -07:00
Pratyoy Mukhopadhyay 9b5e89bd34
[VAULT-2776] Add prefix_filter option to Vault (#12025)
* [VAULT-2776] Add prefix_filter support to vault

* [VAULT-2776] Add filter_default config, update docs

* [VAULT-2776] Add changelog file

* [VAULT-2776] Update telemetry tests and error handling

* [VAULT-2776] Add test fixtures, update test

* [VAULT-2776] Update gitignore hcl filter
2021-07-09 14:49:53 -05:00
Nick Cabatoff 518944c599
Make the `list` and `kv list` commands work with wrapping, e.g. for controlgroups (#12031) 2021-07-09 12:08:58 -04:00
hghaf099 fedc31e905
Diagnose warns if HTTPS is not used for ha-storage-tls-consul [VAULT-2773] (#11967)
* Diagnose warns if HTTPS is not used for ha-storage-tls-consul

* Skipping TLS verification if https is not used in ha storage tls consul

* Adding diagnose skip message for consul service registration
2021-07-07 14:35:25 -04:00
Nick Cabatoff a2dcb131ee
`vault delete` should allow the same output options as `vault write`,… (#11992)
* `vault delete` and `vault kv delete` should allow the same output options as `vault write`, as delete operations can similarly return data.  This is needed if you want to use control groups with deletion.
2021-07-06 10:36:07 -04:00
Hridoy Roy f3895f7cce
oss part of license diagnose (#11939) 2021-06-25 14:18:34 -07:00
hghaf099 6d7dbc85b5
diagnose: Add seal transit tls check (#11922)
* diagnose: Add seal transit tls check

* Fixing the path to the config file and the path to the cert files

* Addressing comment

* Addressing seal transit tls check comments
2021-06-24 18:30:42 -04:00
Jason O'Donnell b2b25be0ce
agent/template: add static_secret_render_interval configurable (#11934)
* agent/template: add default_lease_duration config

* go mod tidy

* Add changelog

* Fix panic

* Add documentation

* Change to static_secret_render_interval

* Update doc

* Update command/agent/template/template.go

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Update changelog/11934.txt

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Update website/content/docs/agent/template-config.mdx

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2021-06-24 15:40:31 -04:00
Hridoy Roy a8cc5e4557
TLS Verification Bugfixes (#11910)
* tls verification bugfix

* tls verification bugfix

* allow diagnose fail to report status when there are also warnings

* allow diagnose fail to report status when there are also warnings

* Update vault/diagnose/helpers_test.go

Co-authored-by: swayne275 <swayne275@gmail.com>

* comments

Co-authored-by: swayne275 <swayne275@gmail.com>
2021-06-24 10:43:49 -07:00
Hridoy Roy e2614979f7
Diagnose Storage Panic Bugfixes (#11923)
* partial

* fix raft panics and ensure checks are skipped if storage isnt initialized

* cleanup directories

* newline

* typo in nil check

* another nil check
2021-06-24 09:56:38 -07:00
hghaf099 4495b932d8
Fix diagnose panic when configuration file does not exist (#11932)
* Fix diagnose panic when configuration file does not exist

* Addressing comments

* Update command/operator_diagnose.go

Co-authored-by: Hridoy Roy <roy@hashicorp.com>

Co-authored-by: Hridoy Roy <roy@hashicorp.com>
2021-06-23 18:35:52 -04:00
Calvin Leung Huang c1a2a939f9
agent: restart template runner on retry for unlimited retries (#11775)
* agent: restart template runner on retry for unlimited retries

* template: log error message early

* template: delegate retries back to template if param is set to true

* agent: add and use the new template config stanza

* agent: fix panic, fix existing tests

* changelog: add changelog entry

* agent: add tests for exit_on_retry_failure

* agent: properly check on agent exit cases, add separate tests for missing key vs missing secrets

* agent: add note on difference between missing key vs missing secret

* docs: add docs for template_config

* Update website/content/docs/agent/template-config.mdx

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>

* Update website/content/docs/agent/template-config.mdx

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>

* Update website/content/docs/agent/template-config.mdx

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

* Update website/content/docs/agent/template-config.mdx

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

* Update website/content/docs/agent/template-config.mdx

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

* docs: fix exit_on_retry_failure, fix Functionality section

* docs: update interaction title

* template: add internal note on behavior for persist case

* docs: update agent, template, and template-config docs

* docs: update agent docs on retry stanza

* Apply suggestions from code review

Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Update changelog/11775.txt

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* agent/test: rename expectExit to expectExitFromError

* agent/test: add check on early exits on the happy path

* Update website/content/docs/agent/template-config.mdx

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
2021-06-21 16:10:15 -07:00
hghaf099 38b753046b
Tls check client certs [VAULT-2117] (#11860)
* add expiration warning to certificate checking for diagnose

* Adding TLS Client CA checks to diagnose
Adding checks for tls_disable_client_certs and tls_require_and_verify_client_cert flags

* Check validity of TLSClientCAFile
Adding related tests

* Addressing comments

* Fixing some tls tests

* Addressing comments

Co-authored-by: HridoyRoy <roy@hashicorp.com>
2021-06-18 19:35:38 -04:00
Brian Kassouf 9dbdc4050d
Diagnose: Skip test-access-storage on raft storage (#11889) 2021-06-17 12:15:19 -07:00
Scott Miller ee0d6603f3
Wire configuration checks into diagnose and fix resulting bugs. (#11854)
* Actually call config.Validate in diagnose

* Wire configuration checks into diagnose and fix resulting bugs.

* go mod vendor

* Merge to vendorless version

* Remove sentinel section to allow diagnose_ok to pass

* Fix unit tests
2021-06-17 13:09:37 -05:00
Hridoy Roy e38f991054
Diagnose checks for raft quorum status and file backend permissions (#11771)
* raft file and quorum checks

* raft checks

* backup

* raft file checks test

* address comments and add more raft and file and process checks

* syntax issues

* modularize functions to compile differently on different os

* compile raft checks everywhere

* more build tag issues

* raft-diagnose

* correct file permission checks

* upgrade tests and add a getConfigOffline test that currently does not work

* comment

* update file checks method signature on windows

* Update physical/raft/raft_test.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* raft tests

* add todo comment for windows root ownership

* voter count message

* raft checks test fixes

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
2021-06-17 10:04:21 -07:00
Hridoy Roy e58c39033b
Add expiration warning to certificate checking for diagnose [VAULT-1018] (#11850)
* add expiration warning to certificate checking for diagnose

* Update serviceregistration/consul/consul_service_registration.go

Co-authored-by: swayne275 <swayne275@gmail.com>

* review comments

Co-authored-by: swayne275 <swayne275@gmail.com>
2021-06-15 09:53:29 -07:00
Josh Black 3189526cc4
OSS parts of sighup license reload test (#11816) 2021-06-11 09:08:19 -07:00
Hridoy Roy 65e3489c45
Diagnose resource creation checks (#11627)
* initial refactoring of unseal step in run

* remove waitgroup

* remove waitgroup

* backup work

* backup

* backup

* completely modularize run and move into diagnose

* add diagnose errors for incorrect number of unseal keys

* comment tests back in

* backup

* first subspan

* finished subspanning but running into error with timeouts

* remove runtime checks

* merge main branch

* meeting updates

* remove telemetry block

* roy comment

* subspans for seal finalization and wrapping diagnose latency checks

* backup while I fix something else

* fix storage latency test errors

* runtime checks

* diagnose with timeout on seal
2021-06-10 12:29:32 -07:00
Shanker Naik 35593978ed
fix typo in vault operator init cmd (#11792) 2021-06-10 10:39:53 -04:00
Nick Cabatoff bfae4e610b
Pull out license commands, and make the OSS changes needed for the license inspect PR in ent. (#11783) 2021-06-07 14:44:20 -04:00
Scott Miller 69d0242db9
Add Advice and Advise functions for adding an advice section to any span. (#11760)
* wip

* wip

* Finish implementing advice handling and word wrapping

* Properly word wrap messages and warnings

* Remove debugging

* Remove debugging

* Remove unnecessary test

* unit test bug

* go vendor
2021-06-07 11:29:36 -05:00
Josh Black c8cfcd9514
OSS parts of sighup license reload (#11767) 2021-06-04 10:24:35 -07:00
Scott Miller 5e55f1b3fe
Return different exit codes for different diagnose results (#11758)
This allows operators to run diagnose in scripts and detect the difference between success, warning, and failure.

Exit codes are now:
0: Success (no warnings)
1: Failure (some test failed)
2: Warning (some test warned)
3: User input failure such as a bad flag
4: Other error
2021-06-04 11:52:49 -05:00
Hridoy Roy 991f9eba56
remove operating system stanza from tests on account of disk usage being different across ci for different runs (#11764) 2021-06-03 14:11:31 -07:00
Scott Miller 9db384e0f7
Edge cases in the skipping gathering and output logic (#11752)
* Edge cases in the skipping gathering and output logic

* Fix unit test
2021-06-03 11:01:14 -05:00
Scott Miller dc0774731d
Remove duplicate children test (#11751) 2021-06-02 15:10:43 -05:00
Scott Miller d151b0b55b
Segment out disk checks to disable on openbsd/arm (#11749)
* Segment out disk checks to disable on openbsd/arm

Also add a spot skipped helper.

* Expected results may be fewer than actual because of variable length tests like disk usage

* Move to os_common and build on windows
2021-06-02 12:17:52 -05:00
Lars Lehtonen 42759b5a5f
command: deprecate errwrap.Wrapf() (#11744) 2021-06-02 09:22:31 -04:00
Scott Miller 59bea5f6fd
Add ulimit check, and tidy unit test cases (#11678)
* Add ulimit check, and tidy unit test cases to avoid needing to have all results and perfect ordering

* Make order independent check recursive

* Fix unit tests

* Try a 5s request timeout
2021-06-01 12:43:51 -05:00
Nick Cabatoff 62ba5c39ca
Restore server license config lost in #11573 (#11730) 2021-06-01 08:42:30 -04:00
Nick Cabatoff 56c0a67a53
OSS parts of #1903: we'd disabled these tests on enterprise temporarily, but now we're ready to make them run there again. (#11729)
Vault cares about the VAULT_LICENSE env var, but we don't want to set that in CI because it would change behaviour of tests that don't intend for it to be set.  Instead, we use VAULT_LICENSE_CI so that only packages/tests that opt-in will use it.
2021-05-31 12:08:10 -04:00
Scott Miller 46da8ebae6
Diagnose Disk usage checks (#11673)
* Disk usage checks

* Move disk free earlier

* Move logic to helpers

* Bring over test logic from the ulimit PR

* imports

* Report error

* Get unit tests working
2021-05-27 10:17:52 -07:00
Jason O'Donnell 5ed63d4ce1
logical/aw: move sts signing request to awsutil (#11704) 2021-05-26 13:30:46 -04:00
Hridoy Roy b6e1d62d33
Modularize Run Command (#11573)
* initial refactoring of unseal step in run

* remove waitgroup

* remove waitgroup

* backup work

* backup

* backup

* completely modularize run and move into diagnose

* add diagnose errors for incorrect number of unseal keys

* comment tests back in

* backup

* first subspan

* finished subspanning but running into error with timeouts

* remove runtime checks

* meeting updates

* remove telemetry block

* roy comment

* subspans for seal finalization and wrapping diagnose latency checks

* fix storage latency test errors

* review comments

* use random uuid for latency checks instead of static id
2021-05-25 15:23:20 -07:00
Scott Miller 941d01eee3
Initial Diagnose CLI output (#11583)
* Create helpers which integrate with OpenTelemetry for diagnose collection

* Go mod vendor

* Comments

* Update vault/diagnose/helpers.go

Co-authored-by: swayne275 <swayne275@gmail.com>

* Add unit test/example

* tweak output

* More comments

* add spot check concept

* Get unit tests working on Result structs

* wip

* Fix unit test

* Get unit tests working, and make diagnose sessions local rather than global

* Comments

* Last comments

* No need for init

* :|

* Fix helpers_test

* wip

* wip

* wip

* Revendor otel

* Fix merge related problems

* imports

* Fix unit tests

Co-authored-by: swayne275 <swayne275@gmail.com>
2021-05-21 19:21:11 -07:00
Nick Cabatoff e212ec5d8e
OSS parts of ent PR #1857: license autoloading init changes. (#11623) 2021-05-17 14:10:26 -04:00
Pierce Bartine e56982f782
Add ServerName to Vault Agent template config (#11288)
* Add ServerName to Vault Agent template config

* Remove newline

* Add changelog for 11288

* Update changelog/11288.txt

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
2021-05-13 07:18:15 -07:00
Calvin Leung Huang 8b7cd1bff7
agent/cert: properly return the cached client on AuthClient (#11576)
* agent/cert: properly return the cached client on AuthClient

* test: pass in nil client config, check on pointer values directly

* test: pass in nil client config

* changelog: add changelog entry
2021-05-12 14:59:07 -07:00
Josh Black 641a81b74b
Provide a new API endpoint for retrieving signed licenses (#11543) 2021-05-12 12:19:25 -07:00
Scott Miller 9dbf1a7dba
Add infrastructure and helpers for skipping diagnose checks (#11593)
* Add infrastructure for skipping tests

* Add infrastructure for skipping tests

* Set it

* Update vault/diagnose/helpers.go

Co-authored-by: swayne275 <swayne275@gmail.com>

* Implement type alias for test functions

Co-authored-by: swayne275 <swayne275@gmail.com>
2021-05-12 12:54:40 -05:00
Scott Miller 4b87b7257e
Move config validation code to it's own, non ENT specific file (#11579)
* Move config validation code to it's own, non ENT specific file

* Fix imports

* import order
2021-05-11 11:59:08 -05:00
Nick Cabatoff 53c7d1de7d
config for autoloading license (oss parts) 2021-05-07 08:55:41 -04:00
Tom Proctor 3ebe16d7c1
Allow Agent auto auth to read symlinked JWT files (#11502) 2021-05-06 14:11:57 +01:00
Josh Black ab1710a9ea
Introduce a "vault license get" command (#11526) 2021-05-04 12:55:48 -07:00
Scott Miller 7d9524be2f
Expose unknown fields and duplicate sections as diagnose warnings (#11455)
* Expose unknown fields and duplicate sections as diagnose warnings

* section counts not needed, already handled

* Address PR feedback

* Prune more of the new fields before tests call deep.Equals

* Update go.mod
2021-05-04 14:47:56 -05:00
Scott Miller 52930c5614
When running under systemd, send notifications about server startup, shutdown, and config reload (#11517) 2021-05-04 14:47:16 -05:00
Hridoy Roy 28aa9b9175
Diagnoses Consul Direct Access Check (#11505)
* Create helpers which integrate with OpenTelemetry for diagnose collection

* Go mod vendor

* consul tls checks

* draft for storage end to end check

* Comments

* Update vault/diagnose/helpers.go

Co-authored-by: swayne275 <swayne275@gmail.com>

* Add unit test/example

* tweak output

* More comments

* add spot check concept

* Get unit tests working on Result structs

* Fix unit test

* Get unit tests working, and make diagnose sessions local rather than global

* Comments

* Last comments

* No need for init

* :|

* Fix helpers_test

* cleaned up chan logic. Tests next.

* fix tests

* remove a comment

* tests

* remove a comment

* run direct access checks in diagnose command

* review comments

Co-authored-by: Scott G. Miller <smiller@hashicorp.com>
Co-authored-by: swayne275 <swayne275@gmail.com>
2021-05-02 16:21:06 -07:00
Hridoy Roy 5b63066c2c
Diagnose V0: Storage End to End Checks (#11468)
* Create helpers which integrate with OpenTelemetry for diagnose collection

* Go mod vendor

* consul tls checks

* draft for storage end to end check

* Comments

* Update vault/diagnose/helpers.go

Co-authored-by: swayne275 <swayne275@gmail.com>

* Add unit test/example

* tweak output

* More comments

* add spot check concept

* Get unit tests working on Result structs

* Fix unit test

* Get unit tests working, and make diagnose sessions local rather than global

* Comments

* Last comments

* No need for init

* :|

* Fix helpers_test

* cleaned up chan logic. Tests next.

* fix tests

* remove a comment

* tests

* remove a comment

* cosmetic changes

Co-authored-by: Scott G. Miller <smiller@hashicorp.com>
Co-authored-by: swayne275 <swayne275@gmail.com>
2021-05-02 13:33:13 -07:00
Clint 59870ee0d3
Update Agent Auth with GCP to use new SignJWT endpoint (#11473)
* Update Agent Auth with GCP to use new SignJWT endpoint

* use iamcredentials name instead of renaming the package on import

* add changelog

* Update changelog/11473.txt

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2021-04-30 15:45:06 -05:00
Scott Miller 85fbd45e1c
Create helpers which integrate with OpenTelemetry for diagnose collection (#11454)
* Create helpers which integrate with OpenTelemetry for diagnose collection

* Go mod vendor

* Comments

* Update vault/diagnose/helpers.go

Co-authored-by: swayne275 <swayne275@gmail.com>

* Add unit test/example

* tweak output

* More comments

* add spot check concept

* Get unit tests working on Result structs

* Fix unit test

* Get unit tests working, and make diagnose sessions local rather than global

* Comments

* Last comments

* No need for init

* :|

* Fix helpers_test

Co-authored-by: swayne275 <swayne275@gmail.com>
2021-04-29 13:32:41 -05:00
Hridoy Roy 36ae22c07a
Consul TLS Checks for Diagnose [draft] (#11467)
* consul tls checks

* fix some tests

* complete physical and service registration tls checks
2021-04-28 08:55:18 -07:00
Nick Cabatoff a21e7139ff
Update tests to reflect new HC public pgp keys. (#11446) 2021-04-23 12:32:46 -04:00
Josh Black 06809930a3
Add HTTP response headers for hostname and raft node ID (if applicable) (#11289) 2021-04-20 15:25:04 -07:00
Nick Cabatoff a8023e0fdb
Add support for unauthenticated pprof access on a per-listener basis,… (#11324)
* Add support for unauthenticated pprof access on a per-listener basis, as we do for metrics.

* Add missing pprof sub-targets like 'allocs' and 'block'.  Capture the goroutine subtarget a second time in text form.  This is mostly a convenience, but also I think the pprof format might be a bit lossy?
2021-04-19 14:30:59 -04:00
Nick Cabatoff 684ebf0928
Don't cut off stack traces at 32MB. (#11364) 2021-04-16 15:55:05 -04:00
Brian Kassouf 49489da596
Fix flakey TestAgent_Template_Retry test (#11332) 2021-04-09 12:11:01 -07:00
Brian Kassouf 303c2aee7c
Run a more strict formatter over the code (#11312)
* Update tooling

* Run gofumpt

* go mod vendor
2021-04-08 09:43:39 -07:00
Brian Kassouf de0253056c
Fix a few static analysis findings (#11307) 2021-04-07 16:48:40 -07:00
Hridoy Roy 049f2513e6
Initial Diagnose Command for TLS and Listener [VAULT-1896, VAULT-1899] (#11249)
* sanity checks for tls config in diagnose

* backup

* backup

* backup

* added necessary tests

* remove comment

* remove parallels causing test flakiness

* comments

* small fix

* separate out config hcl test case into new hcl file

* newline

* addressed comments

* addressed comments

* addressed comments

* addressed comments

* addressed comments

* reload funcs should be allowed to be nil
2021-04-06 16:40:43 -07:00
Hridoy Roy 4c569d0fc6
Diagnose Stub Command Tests (#11180)
* a few tests to the operator diagnose stub command

* a few tests to the operator diagnose stub command

* a few tests to the operator diagnose stub command

* empty commit to fix circle ci permissions issue

* empty commit to fix circle ci permissions issue
2021-03-29 14:22:32 -07:00
Nick Cabatoff 72a172bce9
Add support for tls_max_version in listener config. (#11226) 2021-03-29 14:39:14 -04:00
Nick Cabatoff 62c1f25140
Use a 15s instead of 10s timeout on this test. The `default` subtest takes 9s on my laptop, so pad that for CI. (#11221) 2021-03-29 09:51:19 -04:00
Theron Voran 6ea82f6d1a
agent: drop dockertest dep in cacheboltdb test (#11145)
ioutils --> ioutil
2021-03-18 17:46:40 -07:00
Nick Cabatoff 9c5f018938
Rework agent retry config, extend it to cover proxy cache as well (#11113)
Remove template_retry config section.  Add new vault.retry section which only has num_retries field; if num_retries is 0 or absent, default it to 12 for backwards compat with pre-1.7 template retrying.  Setting num_retries=-1 disables retries.

Configured retries are used for both templating and api proxy, though if template requests go through proxy (currently requires persistence enabled) we'll only configure retries for the latter to avoid duplicate retrying.  Though there is some duplicate retrying already because whenever the template server does a retry when not going through the proxy, the Vault client it uses allows for 2 behind-the-scenes retries for some 400/500 http error codes.
2021-03-18 14:14:09 -04:00
Clint 5353279e75
Add command to look up a lease by ID (#11129)
* snapshot

* basic test

* update command and add documentation

* update help text

* typo

* add changelog for lease lookup command

* run go mod vendor

* remove tabs from help output
2021-03-18 11:11:09 -05:00
Nick Cabatoff 66e10f64bc
Fix a bug in Agent's handling of consistency headers: they should be ignored when computing cache ID. (#11099) 2021-03-12 12:42:06 -05:00
Vishal Nayak 9839e76192
Remove unneeded fields from state output (#11073) 2021-03-10 12:08:12 -05:00
Calvin Leung Huang 0a6e7ab94b
mod: update plugin versions for 1.7.0 (#11046)
* mod: update plugin versions for 1.7.0

* command/agent: fix TestCFEndToEnd test
2021-03-04 18:32:51 -08:00
Jim Kalafut 4ef8d66318
Reset agent backoff on successful auth (#11033)
The existing code would retain the previous backoff value even after the
system had recovered. This PR fixes that issue and improves the
structure of the backoff code.
2021-03-03 14:15:18 -08:00
Theron Voran 1fdf08b149
agent: persistent caching support (#10938)
Adds the option of a write-through cache, backed by boltdb

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
2021-03-03 14:01:33 -08:00
Vishal Nayak 3e55e79a3f
Autopilot: Server Stabilization, State and Dead Server Cleanup (#10856)
* k8s doc: update for 0.9.1 and 0.8.0 releases (#10825)

* k8s doc: update for 0.9.1 and 0.8.0 releases

* Update website/content/docs/platform/k8s/helm/configuration.mdx

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Autopilot initial commit

* Move autopilot related backend implementations to its own file

* Abstract promoter creation

* Add nil check for health

* Add server state oss no-ops

* Config ext stub for oss

* Make way for non-voters

* s/health/state

* s/ReadReplica/NonVoter

* Add synopsis and description

* Remove struct tags from AutopilotConfig

* Use var for config storage path

* Handle nin-config when reading

* Enable testing autopilot by using inmem cluster

* First passing test

* Only report the server as known if it is present in raft config

* Autopilot defaults to on for all existing and new clusters

* Add locking to some functions

* Persist initial config

* Clarify the command usage doc

* Add health metric for each node

* Fix audit logging issue

* Don't set DisablePerformanceStandby to true in test

* Use node id label for health metric

* Log updates to autopilot config

* Less aggressively consume config loading failures

* Return a mutable config

* Return early from known servers if raft config is unable to be pulled

* Update metrics name

* Reduce log level for potentially noisy log

* Add knob to disable autopilot

* Don't persist if default config is in use

* Autopilot: Dead server cleanup (#10857)

* Dead server cleanup

* Initialize channel in any case

* Fix a bunch of tests

* Fix panic

* Add follower locking in heartbeat tracker

* Add LastContactFailureThreshold to config

* Add log when marking node as dead

* Update follower state locking in heartbeat tracker

* Avoid follower states being nil

* Pull test to its own file

* Add execution status to state response

* Optionally enable autopilot in some tests

* Updates

* Added API function to fetch autopilot configuration

* Add test for default autopilot configuration

* Configuration tests

* Add State API test

* Update test

* Added TestClusterOptions.PhysicalFactoryConfig

* Update locking

* Adjust locking in heartbeat tracker

* s/last_contact_failure_threshold/left_server_last_contact_threshold

* Add disabling autopilot as a core config option

* Disable autopilot in some tests

* s/left_server_last_contact_threshold/dead_server_last_contact_threshold

* Set the lastheartbeat of followers to now when setting up active node

* Don't use config defaults from CLI command

* Remove config file support

* Remove HCL test as well

* Persist only supplied config; merge supplied config with default to operate

* Use pointer to structs for storing follower information

* Test update

* Retrieve non voter status from configbucket and set it up when a node comes up

* Manage desired suffrage

* Consider bucket being created already

* Move desired suffrage to its own entry

* s/DesiredSuffrageKey/LocalNodeConfigKey

* s/witnessSuffrage/recordSuffrage

* Fix test compilation

* Handle local node config post a snapshot install

* Commit to storage first; then record suffrage in fsm

* No need of local node config being nili case, post snapshot restore

* Reconcile autopilot config when a new leader takes over duty

* Grab fsm lock when recording suffrage

* s/Suffrage/DesiredSuffrage in FollowerState

* Instantiate autopilot only in leader

* Default to old ways in more scenarios

* Make API gracefully handle 404

* Address some feedback

* Make IsDead an atomic.Value

* Simplify follower hearbeat tracking

* Use uber.atomic

* Don't have multiple causes for having autopilot disabled

* Don't remove node from follower states if we fail to remove the dead server

* Autopilot server removals map (#11019)

* Don't remove node from follower states if we fail to remove the dead server

* Use map to track dead server removals

* Use lock and map

* Use delegate lock

* Adjust when to remove entry from map

* Only hold the lock while accessing map

* Fix race

* Don't set default min_quorum

* Fix test

* Ensure follower states is not nil before starting autopilot

* Fix race

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2021-03-03 13:59:50 -05:00
Scott Miller a7b372b447
Two minor changes not reflected OSS side (#11020) 2021-02-26 14:23:56 -06:00
Nick Cabatoff c9ae15bd95
Make metrics access unauthenticated when in dev mode. (#10992) 2021-02-24 14:04:23 -05:00
Vishal Nayak 565568f7fa
Bool pointer flag (#10988)
* Bool pointer flag

* Add default handling

* Support Hidden and EnvVar

* Adjust error handling

* Add test steps; Fix hidden
2021-02-24 10:45:03 -05:00
Nick Cabatoff c1ddfbb538
OSS parts of the new client controlled consistency feature (#10974) 2021-02-24 06:58:10 -05:00
Jason O'Donnell 5502d43f6e
agent: add caching encryption package (#10986)
* agent: add caching encryption package

* Fix documentation

* Add GetKey, GetPersistentKey

* Remove chan from interface

* Add error to interface

* Fix tests
2021-02-23 19:48:39 -05:00