Reworded disable_mlock to remove confusion regarding what is acceptable for production deployments. Disabling mlock is alright for production given the additional security recommendations are implemented. Disabling mlock is also recommended for integrated storage
* strip redundant field type declarations
* root credential rotation for aws creds plugin
* Change location of mocks awsutil and update methods that no longer exist
* Update website/pages/docs/auth/aws.mdx
Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
* Update sdk version to get the awsutil mock file
* Re-vendor modules to pass CI
* Use write lock for the entirety of AWS root cred rotation
* Update docs for AWS root cred rotation for clarity
Co-authored-by: Becca Petrin <beccapetrin@gmail.com>
Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
* docs: add a plugins directory page
* docs: remove divs on the plugins directory page
* add columns
* tag component
* docs: use tags on plugins directory
* docs: revert tags on plugins directory for now
* fix header for official plugins
* add note on submission for community plugins
* s/plugins directory/plugin portal/
* move portal page into docs section
* tag oracle db as external, fix kerberos misspelling
* include gh issue template as submission form
Co-authored-by: Jeff Escalante <jescalan@users.noreply.github.com>
Adding more detail about connectivity requirements, noting that
masters sometimes need to connect to workers on :8080, and
considerations when Vault is running outside of Kubernetes.
* TLS Cert Authentication example updates
- Updated the Cert Auth example description to clarify which CA
should issue the certificate.
- Removed `-ca-cert` parameter from examples as this caused
confusion. Is this the auth CA or the CA of the listener?
* Return CA parameter to examples, add Note
- Returned CA parameter to login examples
- Added note above examples to explain which CA is being used in CLI
- Updated examples in API doc to use httpS
- Added note above login example to explain wich CA is being used
Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
* Bring over PSIRT-37 changes from ENT
* Add additional allowed headers
* Already had this one
* Change to string slice comma separated parsing
* Add allowed_sts_header_values to read output
* Only validate AWS related request headers
* one per line
* Import ordering
* Update test
* Add X-Amz-Credential
* Reorder imports
* Update documentation for MySQL Secrets Engine
Update documentation for MySQL Database Secrets Engine to reflect changes introduced with https://github.com/hashicorp/vault/pull/9181
* Empty Commit to re-trigger tests
Co-authored-by: Lauren Voswinkel <lvoswinkel@hashicorp.com>
* TOB-018 remediation
* Make key derivation an optional config flag, off by default, for backwards compatibility
* Fix unit tests
* Address some feedback
* Set config on unit test
* Fix another test failure
* One more conf fail
* Switch one of the test cases to not use a derive dkey
* wip
* comments
* Add new page documenting limits.
* Add some identity metrics not previously documented.
* Updated limits based on compression experiments.
* Add Transit key rotation limits, and link to Transform size limit.
* Add cross-referencing link to learn
* Fix grammar
* Update website/pages/docs/concepts/password-policies.mdx
Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com>
Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com>
* docs: adds documentation for JWT/OIDC google provider specific handling
* use may instead of will for identity group alias association
Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
* adds missed parentheses
Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
* adds missed parentheses
Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
* reword sentence referring to key file for Google service account
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
* add styles to emphasize security step
Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
* Create nav for release notes
* Update 1.5.0.mdx
Initial release notes
* Update 1.5.0.mdx
Minor edits
* Update 1.5.0.mdx
Made a small grammatical edit
* Update 1.5.0.mdx
Changed a period to a colon
* Update 1.5.0.mdx
Some minor formatting changes
* Update 1.5.0.mdx
Changes to the Splunk app description
* Update 1.5.0.mdx
Small change to the vault monitor command description
* Update 1.5.0.mdx
Small change to the description of the vault monitor command
* Update 1.5.0.mdx
Added link to the Splunk app for Monitoring Vault
* Updating version
* Capitalization consistency
Co-authored-by: Andy Manoske <andy@hashicorp.com>
Co-authored-by: Darshana Sivakumar <darshana10@gmail.com>
* update the seal migration docs
* Update website/pages/docs/concepts/seal.mdx
Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com>
Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com>
* Adding notes about ingress and route requirements
Specifically that they require vault 1.4 with service_registration
enabled. Also removed a stray block about extraVolumes.
Make the names of WAL metrics exactly match their implementation.
Add `vault` prefix to be consistent everywhere.
Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com>
* another round of maintenance
- apply stylelint
- run eslint across all files
- remove unneeded font import
- add jsconfig and import from absolute pahts
- remove unneeded experimental nextjs config
- update all dependencies
* refreshing with the latest dep updates
* Update install docs to mention Linux packages
We now build packages for Debian, Ubuntu, CentOS, etc. This removes language
about "we have no plans to build packages" and adds links to step by step guides
for adding a GPG key and the official repository.
* Fix URL to Learn Vault install page
A Linux section previously existed but now it is in the general install section.
* Fix Markdown for multi-step compile from source
The steps were previously marked up as an ordered list but the numbers didn't
display correctly. This outdents the code so it's a series of paragraphs instead
of an ordered list.
* request.connection.remote_addr only has IP
The request.connection.remote_addr property exposed to Sentinel only has an IP.
It does not include a port.
I tested this in a policy with `print("remote address:", request.connection.remote_addr)` and got back 150.10.0.26.
* Update website/pages/docs/enterprise/sentinel/properties.mdx
Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
* raft: initial work on raft ha storage support
* add note on join
* add todo note
* raft: add support for bootstrapping and joining existing nodes
* raft: gate bootstrap join by reading leader api address from storage
* raft: properly check for raft-only for certain conditionals
* raft: add bootstrap to api and cli
* raft: fix bootstrap cli command
* raft: add test for setting up new cluster with raft HA
* raft: extend TestRaft_HA_NewCluster to include inmem and consul backends
* raft: add test for updating an existing cluster to use raft HA
* raft: remove debug log lines, clean up verifyRaftPeers
* raft: minor cleanup
* raft: minor cleanup
* Update physical/raft/raft.go
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
* Update vault/ha.go
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
* Update vault/ha.go
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
* Update vault/logical_system_raft.go
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
* Update vault/raft.go
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
* Update vault/raft.go
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
* address feedback comments
* address feedback comments
* raft: refactor tls keyring logic
* address feedback comments
* Update vault/raft.go
Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com>
* Update vault/raft.go
Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com>
* address feedback comments
* testing: fix import ordering
* raft: rename var, cleanup comment line
* docs: remove ha_storage restriction note on raft
* docs: more raft HA interaction updates with migration and recovery mode
* docs: update the raft join command
* raft: update comments
* raft: add missing isRaftHAOnly check for clearing out state set earlier
* raft: update a few ha_storage config checks
* Update command/operator_raft_bootstrap.go
Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com>
* raft: address feedback comments
* raft: fix panic when checking for config.HAStorage.Type
* Update vault/raft.go
Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com>
* Update website/pages/docs/commands/operator/raft.mdx
Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com>
* raft: remove bootstrap cli command
* Update vault/raft.go
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
* Update vault/raft.go
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
* raft: address review feedback
* raft: revert vendored sdk
* raft: don't send applied index and node ID info if we're HA-only
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com>
Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com>
* Add password_policy field
* Updated vault-plugin-secrets-azure to v0.6.1
* A bunch of other libraries also got updated at the same time because of the plugin update
* Add new Telemetry config options
Add cluster_name, maximum_gauge_cardinality, and usage_gauge_period
configuration options to the config stanza.
Update unit tests.
Document.
Co-authored-by: Mark Gritter <mgritter@hashicorp.com>
* docs/vault-k8s: add overview for consul template fetches
* Add dynamic role link
* move to agent documentation, add link
* fix typo in certificate doc
* fix note about leased secrets
* update secret vs token, add note to pki
* add more secret vs token notes
* add note about caching
Since the context of this page is transit and encryption keys, the use of the word "key" to mean effectively common seems ill advised. Proposing an alternative wording.
Allows vault roles to be associated with IAM groups in the AWS
secrets engine, since IAM groups are a recommended way to manage
IAM user policies. IAM users generated against a vault role will
be added to the IAM Groups. For a credential type of
`assumed_role` or `federation_token`, the policies sent to the
corresponding AWS call (sts:AssumeRole or sts:GetFederation) will
be the policies from each group in `iam_groups` combined with the
`policy_document` and `policy_arns` parameters.
Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
* docs: document raft and mlock interaction
* docs: expand on mlock issue when raft is used
* Update website/pages/docs/configuration/index.mdx
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
For situations where you want the Vault agent to handle one or more templates but do not require the acquired credentials elsewhere.
Modify the logic in SyncServer so that if there are no sinks, ignore any new credentials. Since SyncServer is responsible for shutting down the agent, make sure it still properly shuts down in this new situation.
Solves #7988
* Adds a safety switch to configuration files.
This requires a user to either use TLS, or acknowledge that they are sending
credentials over plaintext.
* Warn if plaintext credentials will be passed
* Add true/false support to the plaintext transmission ack
* Updated website docs and ensured ToLower is used for true comparison
* Fix formatting of the Vault Agent docs
* Fix up the param definitions with <code> rather than <tt>
* Use <code> only where there is a link embedded, otherwise ticks
* raft: use file paths for TLS info in the retry_join stanza
* raft: maintain backward compat for existing tls params
* docs: update raft docs with new file-based TLS params
* Update godoc comment, fix docs
* Adds a summary to the top of each plugin's page showing the capabilities that the plugin has.
* Fixed sidebar sorting (they weren't quite alpabetical)
* Improved instructions for using the Oracle plugin
* Added note about using the pluggable database rather than the container database
* Replaced admin/root usernames with super-user ones to encourage users to not use the root user in Vault
* Included suggestions to rotate the root user's password when the plugin is capable
* Improve documentation around rotating the root user's password
* Fixed various typos
* raft: check for nil on concrete type in SetupCluster
* raft: move check to its own func
* raft: func cleanup
* raft: disallow disable_clustering = true when raft storage is used
* docs: update disable_clustering to mention new behavior
* add aws auth info to upgrade guide
* elaborate on who is effected and add more versions
* use partials for repeated doc text
* add new pages to side nav
* fixed some grammar issue
The sentence did read clearly so I added a change to make it read a little cleaner
* Update website/pages/docs/secrets/index.mdx
Co-authored-by: Becca Petrin <beccapetrin@gmail.com>
* Updates the k8s helm platform docs
- Updates to talk about the external mode
- Updates the helm install overview to show that the releases can also
be the way to install
- Rewrites the how-to to include showing how to start in each mode
- Each mode that has a guide links off to a guide
- Re-organizes the Unseal and Init to a section and places all the
various other unseals underneath it
- Moves updating below the unseal and init
- Shows some basic usage of the helm CLI with a value and file override
* Adds learn links for k8s index pages
* Adds helm dev and external vault examples
While the dev one may seem obvious I think that it's incredibly useful
to cover our bases if this is to be reference documentation. I thought
maybe the example could have ingress support for UI but do not have the
experience to recommend it.
* Adds helm docs example dev and external
- places the development first as it feels like the starting point for
some.
- places the external after HA
Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com>
* Fix grammer error in deploy.html.md
Changed "Initialization is the process configuring the Vault." to
"Initialization is the process of configuring the Vault."
* Fix grammer error in deploy.html.md
Change "Initialization is the process configuring the Vault."
to "Initialization is the process of configuring the Vault."
* Remove the versus section on the website.
We don't keep it maintained, it's very out of date, and we don't really
like comparing ourselves to other software anyways; it's not fair to
describe other software or solutions in ways that may not align with
how they want to be described.
Co-authored-by: Jeff Escalante <jescalan@users.noreply.github.com>
* Pin HTTP Host header for all client requests
* Drop port map scheme
* Add SRV Lookup environment var
* Lookup SRV records only when env var is specified
* Add docs
Co-Authored-By: Michel Vocks <michelvocks@gmail.com>
Updated docs for vault-helm 0.4.0 configuration changes, and helm 3
support (dropping helm 2). Also some spelling changes, and shortened
page titles for the k8s helm examples.
* RSA3072 implementation in transit secrets engine
* moved new KeyType at the end of the list
So already stored keys still work properly
Co-authored-by: Jim Kalafut <jim@kalafut.net>
* adding support for TLS 1.3 for TCP listeners
* removed test as CI uses go 1.12
* removed Cassandra support, added deprecation notice
* re-added TestTCPListener_tls13
* rename UseAutoAuthForce to ForceAutoAuth, because I think it reads better
* Document 'ForceAuthAuthToken' option for Agent Cache
* Update website/pages/docs/agent/caching/index.mdx
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* Add additional tests around use_auto_auth=force and add documentation
* remove note, it's no longer correct
Co-authored-by: Jim Kalafut <jim@kalafut.net>
* Guard against using Raft as a seperate HA Storage
* Document that Raft cannot be used as a seperate ha_storage backend at this time
* remove duplicate imports from updating with master
* Mark deprecated plugins as deprecated
* Add redaction capability to database plugins
* Add x509 client auth
* Update vendored files
* Add integration test for x509 client auth
* Remove redaction logic pending further discussion
* Update vendored files
* Minor updates from code review
* Updated docs with x509 client auth
* Roles are required
* Disable x509 test because it doesn't work in CircleCI
* Add timeouts for container lifetime
* Fix typos
* Update Oracle DB secrets docs to show support for Static Roles
* Add warning about username case sensitivity
* Remove warning about casing
* Fix typo
Co-Authored-By: Becca Petrin <beccapetrin@gmail.com>
Co-authored-by: Becca Petrin <beccapetrin@gmail.com>
* Adding a new replication metric (WAL GC counter)
Adding a new line about the vault.replication.wal.gc metric
* Update website/pages/docs/internals/telemetry.mdx
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
* Add specification about AWS IAM Unique Identifiers
We experienced an issue where IAM roles resources were re-provisioned with the same ARNs and no change had been made to our vault role configuration but users lost access with `-method=aws`. It wasn't immediately clear to us how IAM Unique Identifiers where being used to avoid the same situations outlined in the AWS documentation. We eventually concluded that re-provisioning the roles in our auth/aws/auth would fetch the new IAM Unique Identifiers.
I hope that this small amendment helps people avoid this problem in the future.
Upgrade to new official Okta sdk lib. Since it requires an API token, use old unofficial okta lib for no-apitoken case.
Update test to use newer field names. Remove obsolete test invalidated by #4798. Properly handle case where an error was expected and didn't occur.
* Improve standalone with TLS example
- Documented creating a key & cert for serving Vault endpoints
- Removed unneeded configuration in custom values.yaml
- Updated examples to 1.3.0
* Add 127.0.0.1 to CSR
* Grammar & minor formatting
* Add additional DNS entry for CSR
* Split examples into individual pages
* Add Kubernetes Auth Method example
* Remove old examples file
* Fix rebase fail
* Remove global section of yaml files that aren't needed
* Fix minor typos
* Fix typos that didn't get carried over from previous PR
* Re-copy from previous examples file to resolve rebase issues
* update dependencies
Co-authored-by: Jeff Escalante <jescalan@users.noreply.github.com>
* add secrets/postgresql redirect
* change name of old path
* ensure deprecated pages are not indexed by search engines
* remove deprecated page from navigation
* Improve standalone with TLS example
- Documented creating a key & cert for serving Vault endpoints
- Removed unneeded configuration in custom values.yaml
- Updated examples to 1.3.0
* Add 127.0.0.1 to CSR
* Grammar & minor formatting
* Add additional DNS entry for CSR
* Fix typos, formatting, and other minor issues
* Use correct header depth for Helm Configuration
Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
* Add note about needing to do this on each node
Specifically calling this out will heed off operators doing this on a single node and thinking it is a bug that it didn't propagate to the other nodes, secondaries, etc.
* Updated to reflect not needing to do registration on each
* Add example of field output
Ordering matters here and its a constant question both from customers and new folks. This will help to show the right syntax.
* minor update to spelling and force unit test rerun
* Update example actually in example area
* Clarify last example is only unix example
* removing Unix specific example
* index.html.md
Vault Integration Program Refresh for CY 2020, major updates edits from Vault PM and Alliance
* fixing formatting and links
* a few more formatting updates
* Patch- Fix Typo
* Hashicorp -> HashiCorp
* embedding images
* remove checkboxes since they do not render correctly
Co-authored-by: Chris Hoffman <99742+chrishoffman@users.noreply.github.com>
Co-authored-by: Chris Griggs <cgriggs@hashicorp.com>
* Split helm docs to multiple pages under Helm Chart
- Fixed some minor formatting typos
- Added a note at the beginning of most of the pages indicating
incompatibility with helm 3
* Remove duplicate examples
If a CSR contains a SAN of type otherName, encoded in UTF-8, and the signing role specifies use_csr_sans, the otherName SAN will be included in the signed cert's SAN extension.
Allow single star in allowed_other_sans to match any OtherName. Update documentation to clarify globbing behaviour.
* move ServiceDiscovery into methods
* add ServiceDiscoveryFactory
* add serviceDiscovery field to vault.Core
* refactor ConsulServiceDiscovery into separate struct
* cleanup
* revert accidental change to go.mod
* cleanup
* get rid of un-needed struct tags in vault.CoreConfig
* add service_discovery parser
* add ServiceDiscovery to config
* cleanup
* cleanup
* add test for ConfigServiceDiscovery to Core
* unit testing for config service_discovery stanza
* cleanup
* get rid of un-needed redirect_addr stuff in service_discovery stanza
* improve test suite
* cleanup
* clean up test a bit
* create docs for service_discovery
* check if service_discovery is configured, but storage does not support HA
* tinker with test
* tinker with test
* tweak docs
* move ServiceDiscovery into its own package
* tweak a variable name
* fix comment
* rename service_discovery to service_registration
* tweak service_registration config
* Revert "tweak service_registration config"
This reverts commit 5509920a8ab4c5a216468f262fc07c98121dce35.
* simplify naming
* refactor into ./serviceregistration/consul
* physical/posgresql: add ability to use CONNECTION_URL environment variable instead of requiring it to be configured in the Vault config file.
Signed-off-by: Colton McCurdy <mccurdyc22@gmail.com>
* storage/postgresql: update configuration documentation for postgresql storage backend to include connection_url configuration via the PG_CONNECTION_URL environment variable
Signed-off-by: Colton McCurdy <mccurdyc22@gmail.com>
* physical/postgresql: add a configuration file and tests for getting the connection_url from the config file or environment
Signed-off-by: Colton McCurdy <mccurdyc22@gmail.com>
* physical/postgresql: update postgresql backend to pull the required connection_url from the PG_CONNECTION_URL environment variable if it exists, otherwise, fallback to using the config file
Signed-off-by: Colton McCurdy <mccurdyc22@gmail.com>
* physical/postgresql: remove configure*.go files and prefer the postgresql*.go files
Signed-off-by: Colton McCurdy <mccurdyc22@gmail.com>
* physical/postgresql: move and simplify connectionURL function
Signed-off-by: Colton McCurdy <mccurdyc22@gmail.com>
* physical/postgresql: update connectionURL test to use an unordered map instead of slice to avoid test flakiness
Signed-off-by: Colton McCurdy <mccurdyc22@gmail.com>
* physical/postgresql: update config env to be prefixed with VAULT_ - VAULT_PG_CONNECTION_URL
Signed-off-by: Colton McCurdy <mccurdyc22@gmail.com>
* docs/web: update postgresql backend docs to use updated, VAULT_ prefixed config env
Signed-off-by: Colton McCurdy <mccurdyc22@gmail.com>
Continues https://github.com/hashicorp/vault/pull/6459 and cleans up
some spots that should have been deleted, but due to markdown
formatting, weren't rendering anyway.
> Remove response code info from non-overview API docs as it can be
> misinterpreted and is always the same anyways.
* link to template docs from Agent docs
* fix docs link
* fix metadata in template index page
* fix formatting that caused template index to render blank
* Update parameter names to match URL placeholders
* Fix incorrect parameter quoting
Without the separated quoting, the entire `ec2_alias (string: "role_id")` string becomes an anchor link.
* Fix default value for userattr
vault/sdk/helper/ldaputil/config.go shows userattr has a default value of "cn"
* Fix default value for url
Documentation says it's required, but vault/sdk/helper/ldaputil/config.go shows that url has a default value.
* Fix default value for url
Documentation says it's required, but vault/sdk/helper/ldaputil/config.go shows that url has a default value.
* website: various updates
* Expose /docs and /intro views using documentation-style
layout for index pages
* Add [Use Case] Secrets Management page
* Add [Use Case] Data Encryption page
* Add [Use Case] Identity Based Access page
* Update redirects file removing `/intro` routes redirecting to
`learn.hashicorp`
* Hide MegaNav on mobile
* website: route /api straight to documentation
* Bybass index page and jump straight to content
* Fix unordered imports
* Allow Raft node ID to be set via the environment variable `VAULT_RAFT_NODE_ID`
* Allow Raft path to be set via the environment variable `VAULT_RAFT_PATH`
* Prioritize the environment when fetching the Raft configuration values
Values in environment variables should override the config as per the
documentation as well as common sense.
The example request for "Generate Intermediate" was type "internal", but the example response contained the private key, which "internal" doesn't do. This patch fixes the example request to be type "exported" to match the example response.
* Vault Agent Template: parse templates (#7540)
* add template config parsing, but it's wrong b/c it's not using mapstructure
* parsing consul templates in agent config
* add additional test to configuration parsing, to cover basics
* another test fixture, rework simple test into table
* refactor into table test
* rename test
* remove flattenKeys and add other test fixture
* Update command/agent/config/config.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* return the decode error instead of swallowing it
* Update command/agent/config/config_test.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* go mod tidy
* change error checking style
* Add agent template doc
* TemplateServer: render secrets with Consul Template (#7621)
* add template config parsing, but it's wrong b/c it's not using mapstructure
* parsing consul templates in agent config
* add additional test to configuration parsing, to cover basics
* another test fixture, rework simple test into table
* refactor into table test
* rename test
* remove flattenKeys and add other test fixture
* add template package
* WIP: add runner
* fix panic, actually copy templates, etc
* rework how the config.Vault is created and enable reading from the environment
* this was supposed to be a part of the prior commit
* move/add methods to testhelpers for converting some values to pointers
* use new methods in testhelpers
* add an unblock channel to block agent until a template has been rendered
* add note
* unblock if there are no templates
* cleanups
* go mod tidy
* remove dead code
* simple test to starT
* add simple, empty templates test
* Update package doc, error logs, and add missing close() on channel
* update code comment to be clear what I'm referring to
* have template.NewServer return a (<- chan) type, even though it's a normal chan, as a better practice to enforce reading only
* Update command/agent.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* update with test
* Add README and doc.go to the command/agent directory (#7503)
* Add README and doc.go to the command/agent directory
* Add link to website
* address feedback for agent.go
* updated with feedback from Calvin
* Rework template.Server to export the unblock channel, and remove it from the NewServer function
* apply feedback from Nick
* fix/restructure rendering test
* Add pointerutil package for converting types to their pointers
* Remove pointer helper methods; use sdk/helper/pointerutil instead
* update newRunnerConfig to use pointerutil and empty strings
* only wait for unblock if template server is initialized
* drain the token channel in this test
* conditionally send on channel
This typo is related to https://github.com/hashicorp/vault/issues/7603 . The typo was causing issues with getting this working correctly when following the guide. I imagine any other newbie to this plugin will have the same struggle. I had to delve into the source code to figure it out
* document the require_request_header option in Agent
* document the require_request_header option in Agent
* document the require_request_header option in Agent
* document the require_request_header option in Agent
* minor tweaks to docs
Currently whenever we start a new C* session in the database plugin, we
run `LIST ALL` to determine whether we are a superuser, or otherwise
have permissions on roles. This is a fairly sensible way of checking
this, except it can be really slow when you have a lot of roles (C*
isn't so good at listing things). It's also really intensive to C* and
leads to a lot of data transfer. We've seen timeout issues when doing
this query, and can of course raise the timeout, but we'd probably
prefer to be able to switch it off.
Martin Baillie