Commit graph

13648 commits

Author SHA1 Message Date
Vishal Nayak 158803d656
Add autopilot to CL (#11104) 2021-03-12 17:14:01 -05:00
Mark Gritter 8bbf92ef70
Fix typo in limits.mdx (#11103) 2021-03-12 15:46:41 -06:00
Nick Cabatoff 66e10f64bc
Fix a bug in Agent's handling of consistency headers: they should be ignored when computing cache ID. (#11099) 2021-03-12 12:42:06 -05:00
Scott Miller 47570ca490
Add transform upgrade bug fix changelog (#11090) 2021-03-12 09:52:41 -06:00
Mike Wickett 933aa782bc
Update alert banner (#11083)
* Update alert banner

* Update website/data/alert-banner.js

Co-authored-by: Zachary Shilton <4624598+zchsh@users.noreply.github.com>

Co-authored-by: Zachary Shilton <4624598+zchsh@users.noreply.github.com>
2021-03-11 15:46:34 -05:00
Chelsea Shaw 994d48c892
UI: Add null check before getting userRootNamespace from storage (#11094)
* Add null check before getting userRootNamespace from storage

* Add changelog
2021-03-11 13:09:43 -06:00
Vishal Nayak fb2df6ca73
Fix autopilot fsm race (#11091)
* Fix autopilot fsm race

* No need to grab backend's lock
2021-03-11 13:14:11 -05:00
Scott Miller c4e8d51c9d
Add upgrade notes for the Transform storage upgrade bug (#11075)
* Add upgrade notes for the Transform storage upgrade bug

* sidenav
2021-03-11 11:23:19 -06:00
Nick Cabatoff 79b4b0f58c
changelog++ (#11086) 2021-03-11 10:29:31 -05:00
Nick Cabatoff 5a2f0cbe51
OSS changes from ent fix for openbsd memory lookups. (#11088) 2021-03-11 10:25:15 -05:00
Meggie 39ff8b071f
Make 1.7.0-rc1 the latest version (#11082) 2021-03-10 20:03:55 -05:00
Meggie 0a60534b24
changelog++ 2021-03-10 19:34:44 -05:00
Lauren Voswinkel 809d127488
Add changelog entry for Snowflake DB support being added (#11078) 2021-03-10 16:09:13 -08:00
Lauren Voswinkel 30b9f5d379
Add changelog entry for #10953 (#11077) 2021-03-10 15:54:15 -08:00
Vishal Nayak 9839e76192
Remove unneeded fields from state output (#11073) 2021-03-10 12:08:12 -05:00
Liwei Fu 170a0800e6
Make cert domain name validation case insensitive (#10959)
* make cert domain name validation case insensitive

* reafctor TestPki_PermitFQDNs mutliple cases

* TestPki_PermitFQDNS: fail uppercase alt_name

* add change log

* fix tests

* use EqualFold for potential utf-8 string comparison

Co-authored-by: Freyert <Freyert@users.noreply.github.com>
2021-03-09 21:28:27 -08:00
Vishal Nayak 586a5a73f0
Fix diff (#11057) 2021-03-08 13:20:01 -05:00
Brian Kassouf aa00b53ba1
Make sure we sanitize the rotation config on each clone (#11050)
* Make sure we sanitize the rotation config on each clone

* Add regression test for missing rotation config

* use Equals

* simplify

Co-authored-by: Scott G. Miller <smiller@hashicorp.com>
2021-03-08 10:59:21 -06:00
Vishal Nayak e5b6ec4d05
Reset IsDead upon each heartbeat (#11049) 2021-03-05 19:50:36 -05:00
Calvin Leung Huang 0a6e7ab94b
mod: update plugin versions for 1.7.0 (#11046)
* mod: update plugin versions for 1.7.0

* command/agent: fix TestCFEndToEnd test
2021-03-04 18:32:51 -08:00
Jacob Friedman 5305c439d4
Update init.mdx (#11044)
* Update init.mdx

Updated operator init documentation to try to avoid steering customers towards running Auto Unseal seals with recovery-shares=1 and recovery-threshold=1. This is a bad security posture, as it can allow a single user with access to that recovery share to create root tokens and do other very sensitive tasks.

Also rewrote parts of the HSM/KMS Options section to indicate that recovery-related options are not solely for HSM-mode Vault but are for ANY Auto Unseal seal.

* Update website/content/docs/commands/operator/init.mdx

Adding an appropriate number of recovery-pgp-keys

Co-authored-by: Yoko <yoko@hashicorp.com>

Co-authored-by: Yoko <yoko@hashicorp.com>
2021-03-04 15:57:47 -08:00
Angel Garbarino 990850b094
change rotation from 5s to 24hr and remove console log (#11043) 2021-03-04 11:31:49 -07:00
Brian Kassouf 3bb29e0584 go mod vendor 2021-03-03 15:07:58 -08:00
Jim Kalafut 4ef8d66318
Reset agent backoff on successful auth (#11033)
The existing code would retain the previous backoff value even after the
system had recovered. This PR fixes that issue and improves the
structure of the backoff code.
2021-03-03 14:15:18 -08:00
Theron Voran 1fdf08b149
agent: persistent caching support (#10938)
Adds the option of a write-through cache, backed by boltdb

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
2021-03-03 14:01:33 -08:00
Vishal Nayak 910b45413b
Handle error (#11039) 2021-03-03 15:55:50 -05:00
Vishal Nayak 3e55e79a3f
Autopilot: Server Stabilization, State and Dead Server Cleanup (#10856)
* k8s doc: update for 0.9.1 and 0.8.0 releases (#10825)

* k8s doc: update for 0.9.1 and 0.8.0 releases

* Update website/content/docs/platform/k8s/helm/configuration.mdx

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Autopilot initial commit

* Move autopilot related backend implementations to its own file

* Abstract promoter creation

* Add nil check for health

* Add server state oss no-ops

* Config ext stub for oss

* Make way for non-voters

* s/health/state

* s/ReadReplica/NonVoter

* Add synopsis and description

* Remove struct tags from AutopilotConfig

* Use var for config storage path

* Handle nin-config when reading

* Enable testing autopilot by using inmem cluster

* First passing test

* Only report the server as known if it is present in raft config

* Autopilot defaults to on for all existing and new clusters

* Add locking to some functions

* Persist initial config

* Clarify the command usage doc

* Add health metric for each node

* Fix audit logging issue

* Don't set DisablePerformanceStandby to true in test

* Use node id label for health metric

* Log updates to autopilot config

* Less aggressively consume config loading failures

* Return a mutable config

* Return early from known servers if raft config is unable to be pulled

* Update metrics name

* Reduce log level for potentially noisy log

* Add knob to disable autopilot

* Don't persist if default config is in use

* Autopilot: Dead server cleanup (#10857)

* Dead server cleanup

* Initialize channel in any case

* Fix a bunch of tests

* Fix panic

* Add follower locking in heartbeat tracker

* Add LastContactFailureThreshold to config

* Add log when marking node as dead

* Update follower state locking in heartbeat tracker

* Avoid follower states being nil

* Pull test to its own file

* Add execution status to state response

* Optionally enable autopilot in some tests

* Updates

* Added API function to fetch autopilot configuration

* Add test for default autopilot configuration

* Configuration tests

* Add State API test

* Update test

* Added TestClusterOptions.PhysicalFactoryConfig

* Update locking

* Adjust locking in heartbeat tracker

* s/last_contact_failure_threshold/left_server_last_contact_threshold

* Add disabling autopilot as a core config option

* Disable autopilot in some tests

* s/left_server_last_contact_threshold/dead_server_last_contact_threshold

* Set the lastheartbeat of followers to now when setting up active node

* Don't use config defaults from CLI command

* Remove config file support

* Remove HCL test as well

* Persist only supplied config; merge supplied config with default to operate

* Use pointer to structs for storing follower information

* Test update

* Retrieve non voter status from configbucket and set it up when a node comes up

* Manage desired suffrage

* Consider bucket being created already

* Move desired suffrage to its own entry

* s/DesiredSuffrageKey/LocalNodeConfigKey

* s/witnessSuffrage/recordSuffrage

* Fix test compilation

* Handle local node config post a snapshot install

* Commit to storage first; then record suffrage in fsm

* No need of local node config being nili case, post snapshot restore

* Reconcile autopilot config when a new leader takes over duty

* Grab fsm lock when recording suffrage

* s/Suffrage/DesiredSuffrage in FollowerState

* Instantiate autopilot only in leader

* Default to old ways in more scenarios

* Make API gracefully handle 404

* Address some feedback

* Make IsDead an atomic.Value

* Simplify follower hearbeat tracking

* Use uber.atomic

* Don't have multiple causes for having autopilot disabled

* Don't remove node from follower states if we fail to remove the dead server

* Autopilot server removals map (#11019)

* Don't remove node from follower states if we fail to remove the dead server

* Use map to track dead server removals

* Use lock and map

* Use delegate lock

* Adjust when to remove entry from map

* Only hold the lock while accessing map

* Fix race

* Don't set default min_quorum

* Fix test

* Ensure follower states is not nil before starting autopilot

* Fix race

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2021-03-03 13:59:50 -05:00
Michele Degges 9741f51bee
Removing broken link (#11029) 2021-03-02 12:02:59 -08:00
Andrej van der Zee df159d7622
Respect VAULT_MAX_RETRIES from environment in DefaultConfig() (#10883) 2021-03-02 10:39:20 -08:00
swayne275 d74f82346b
Add Partial Month Client Count API for Activity Log (#11022)
* sketch out partial month activity log client API

* unit test partialMonthClientCount

* cleanup api

* add api doc, fix test, update api nomenclature to match existing

* cleanup

* add PR changelog file

* integration test for API

* report entities and tokens separately
2021-03-01 16:15:59 -07:00
Hridoy Roy 2da7de2fec
Minimal changes to solve Dependency CVEs [VAULT-871] (#11015)
* minimal changes to solve most of the cves

* cleanup

* finished go mod vendor upgrades
2021-03-01 14:35:40 -08:00
Scott Miller 08d8f65e01
Take the state lock in checkBarrierRotate, and don't save on seal (#11028)
* Use the state lock, and don't bother a last minute check on seal

* defer
2021-03-01 16:32:17 -06:00
Brian Kassouf 90ee789afe Merge branch 'master' of https://github.com/hashicorp/vault 2021-03-01 12:29:24 -08:00
Brian Kassouf cbb8b21520 Fix test build 2021-03-01 12:29:12 -08:00
Chelsea Shaw 7e35bd56b0
Add test for db role setting form component (#11018)
* Add test for db role setting form component

* fix test, add changelog
2021-03-01 12:52:46 -06:00
Brian Kassouf 1bc410783d OSS/ENT Drift 2021-03-01 10:51:04 -08:00
Scott Miller 1e1f7eff46
Documentation for barrier autorotation (#11027)
* Documentation for barrier autorotation

* changelog

* 1.7 upgrade notes
2021-03-01 10:45:22 -06:00
Brian Kassouf a112161f60
expiration: Add a few metrics to measure revoke queue lengths (#10955)
* expiration: Add a few metrics to measure revoke queue lengths

* Update the metric names

* Add appropriate cluster labels

* Add metrics to docs

* Update jobmanager.go
2021-02-26 16:00:39 -08:00
Michael Golowka 302cc4870e
Add Username Templating Concepts page (#10935) 2021-02-26 16:04:12 -07:00
Meggie de8c06eb31
Update latest to 1.6.3 (#11010) 2021-02-26 17:08:27 -05:00
Tom Proctor 45d9efd0c2
Add notice about MongoDB Atlas whitelist deprecation (#10967) 2021-02-26 20:38:27 +00:00
Scott Miller a7b372b447
Two minor changes not reflected OSS side (#11020) 2021-02-26 14:23:56 -06:00
Angel Garbarino 016ed8dd5e
PKI flaky test (#11017)
* undo skip

* add back settled
2021-02-26 12:01:31 -07:00
Jim Kalafut 1785b1bd00
Replace deprecated terms in AWS Auth (#10997)
* Replace deprecated terms in AWS Auth

This PR is part of an effort to remove non-inclusive language throughout
Vault. The AWS Auth backend uses the "whitelist" and "blacklist" term
extensively, and these are the focus of the PR:

* Add new API endpoints that use the preferred terminology, while
  deprecating the old endpoints. These endpoints offer identical
  functionality and are basically aliases. This is the only functional
  change in the PR except for terms in error messages.
* Replace "whitelist" -> "access list", "blacklist" -> "deny list" in
  variable names, comments, etc.

Note that storage locations were *not* changed at this time, as that is
a more complex process involving versioning that we may tackle in a future
revision. We have reduced the occurrences of non-inclusive language,
however.

Reviewers should be sure to "Ignore Whitespace" in diffs, especially for
the tests, which were basically indented one level as part of looping
over the tests with both the old and new names.
2021-02-25 23:23:34 -08:00
Chelsea Shaw 9b3f5c2386
UI/db tests (#11013)
* Add tests for connection create and edit

* Cleanup old tests, add role create form test

* Fix linter/selector
2021-02-25 18:41:04 -06:00
Brian Kassouf 878d768839
changelog++ 2021-02-25 16:07:38 -08:00
Brian Kassouf 987de2e0f1
changelog++ 2021-02-25 16:04:31 -08:00
Lauren Voswinkel 075898cf73
Add IAM tagging support for iam_user roles in AWS secret engine (#10953)
* Added support for iam_tags for AWS secret roles

This change allows iam_users generated by the secrets engine
to add custom tags in the form of key-value pairs to users
that are created.
2021-02-25 16:03:24 -08:00
Angel Garbarino efd3677c58
UI: fix KMIP bug and test (#11011)
* fix KMIP test that was failing and clean modal on configuration page.

* add changelog

* remove uncessary unload

* remove async
2021-02-25 15:13:00 -07:00
swayne275 fe9e6e3d89
Make fairsharing stop function async (#11012)
* stop fairsharing layer async

* update function doc
2021-02-25 14:33:02 -07:00