Commit graph

10908 commits

Author SHA1 Message Date
Michael Gaffney 9da6460f4d
Add docs for Vault Agent Auto-auth Certificate Method (#7344)
Closes #7343
2019-08-21 10:34:26 -04:00
Michael Gaffney b1d249a42b
changelog - add missing 1.2 improvement 2019-08-21 10:13:13 -04:00
Chris Hoffman f6a58fc812
changelog++ 2019-08-20 18:14:53 -04:00
Tommy Murphy fc3f1896ad telemetry: add stackdriver metrics sink (#6957)
* telemetry: add stackdriver metrics sink

* telemetry: stackdriver go mod tidy
2019-08-20 14:47:08 -07:00
Joel Thompson ac18a44fae secret/aws: Pass policy ARNs to AssumedRole and FederationToken roles (#6789)
* secret/aws: Pass policy ARNs to AssumedRole and FederationToken roles

AWS now allows you to pass policy ARNs as well as, and in addition to,
policy documents for AssumeRole and GetFederationToken (see
https://aws.amazon.com/about-aws/whats-new/2019/05/session-permissions/).
Vault already collects policy ARNs for iam_user credential types; now it
will allow policy ARNs for assumed_role and federation_token credential
types and plumb them through to the appropriate AWS calls.

This brings along a minor breaking change. Vault roles of the
federation_token credential type are now required to have either a
policy_document or a policy_arns specified. This was implicit
previously; a missing policy_document would result in a validation error
from the AWS SDK when retrieving credentials. However, it would still
allow creating a role that didn't have a policy_document specified and
then later specifying it, after which retrieving the AWS credentials
would work. Similar workflows in which the Vault role didn't have a
policy_document specified for some period of time, such as deleting the
policy_document and then later adding it back, would also have worked
previously but will now be broken.

The reason for this breaking change is because a credential_type of
federation_token without either a policy_document or policy_arns
specified will return credentials that have equivalent permissions to
the credentials the Vault server itself is using. This is quite
dangerous (e.g., it could allow Vault clients access to retrieve
credentials that could modify Vault's underlying storage) and so should
be discouraged. This scenario is still possible when passing in an
appropriate policy_document or policy_arns parameter, but clients should
be explicitly aware of what they are doing and opt in to it by passing
in the appropriate role parameters.

* Error out on dangerous federation token retrieval

The AWS secrets role code now disallows creation of a dangerous role
configuration; however, pre-existing roles could have existed that would
trigger this now-dangerous code path, so also adding a check for this
configuration at credential retrieval time.

* Run makefmt

* Fix tests

* Fix comments/docs
2019-08-20 12:34:41 -07:00
Matthew Irish 9182b0590a
ci install ui deps (#7340)
* don't ignore-optional on yarn install for the ui dep ci job

* update circle yaml
2019-08-20 10:22:55 -05:00
Noelle Daley 44e7bd040c
Update CHANGELOG.md 2019-08-19 14:41:07 -07:00
Noelle Daley 1e58c46ca9
Ui/dismiss status menu click (#7337)
* dismiss status menu on click instead of hover

* allow redirect on 204
2019-08-19 14:36:22 -07:00
Noelle Daley b11a2e3136
README: add command for building enterprise binary (#7336)
* README: add command for building enterprise binary

* README: add warning about built-in license
2019-08-19 14:21:05 -07:00
Matthew Irish 4a1013e915
Update ui dependencies (#7244)
* be more specific about node version, and specify a yarn version

* update ember, ember-cli, ember-data, ember-data-model-fragments

* use router handlers to access transition information

* fix shadowing of component helper

* update ivy-codemirror, ember-cli-inject-live-reload

* remove custom router service

* don't use transition.queryParams

* update ember-cli-deprecation-workflow

* refactor kv v1 to use 'path' instead of 'id' on creation

* fix auth-jwt-test and toolbar-link-test

* update ember composable helpers

* remove Ember.copy from test file

* no more deprecations in the workflow

* fix more secret tests

* fix remaining failed tests

* move select component to core because it's used by ttl-picker

* generate new model class for each test instead of reusing an existing one

* fix selectors on kmip tests

* refactor how control groups construct urls from the new transition objects

* add router service override back in, and have it be evented so that we can trigger router events on it

* move stories and markdown files to core if the component lives in core

* update ember-cli, ember-cli-babel, ember-auto-import

* update base64js, date-fns, deepmerge, codemirror, broccoli-asset-rev

* update linting rules

* fix test selectors

* update ember-api-actions, ember-concurrency, ember-load-initializers, escape-string-regexp, normalize.css, prettier-eslint-cli, jsdoc-to-markdown

* remove test-results dir

* update base64js, ember-cli-clipboard, ember-cli-sass, ember-cli-string-helpers, ember-cli-template-lint, ember-cli-uglify, ember-link-action

* fix linting

* run yarn install without restoring from cache

* refactor how tests are run and handle the vault server subprocess

* update makefile for new test task names

* update circle config to use the new yarn task

* fix writing the seal keys when starting the dev server

* remove optional deps from the lockfile

* don't ignore-optional on yarn install

* remove errant console.log

* update ember-basic-dropdown-hover, jsonlint, yargs-parser

* update ember-cli-flash

* add back optionalDeps

* update @babel/core@7.5.5, ember-basic-dropdown@1.1.3, eslint-plugin-ember@6.8.2

* update storybook to the latest release

* add a babel config with targets so that the ember babel plugin works properly

* update ember-resolver, move ember-cli-storybook to devDependencies

* revert normalize.css upgrade

* silence fetchadapter warning for now

* exclude 3rd party array helper now that ember includes one

* fix switch and entity lookup styling

* only add -root suffix if it's not in versions mode

* make sure drop always has an array on the aws role form

* fix labels like we did with the backport

* update eslintignore

* update the yarn version in the docker build file

* update eslint ignore
2019-08-19 15:45:39 -05:00
Jim Kalafut e4be09ead5
changelog++ 2019-08-19 11:57:36 -07:00
Jack Kleeman 1977305ffa Store less data in Cassandra prefix buckets (#7199)
* Store less data in Cassandra prefix buckets

The Cassandra physical backend relies on storing data for sys/foo/bar
under sys, sys/foo, and sys/foo/bar. This is necessary so that we
can list the sys bucket, get a list of all child keys, and then trim
this down to find child 'folders' eg food. Right now however, we store
the full value of every storage entry in all three buckets. This is
unnecessary as the value will only ever be read out in the leaf bucket
ie sys/foo/bar. We use the intermediary buckets simply for listing keys.

We have seen some issues around compaction where certain buckets,
particularly intermediary buckets that are exclusively for listing,
get really clogged up with data to the point of not being listable.
Buckets like sys/expire/id are huge, combining lease expiry data for
all auth methods, and need to be listed for vault to successfully
become leader. This PR tries to cut down on the amount of data stored
in intermediary buckets.

* Avoid goroutine leak by buffering results channel up to the bucket count
2019-08-19 11:50:00 -07:00
Jeff Mitchell 47024b4753 changelog++ 2019-08-19 12:33:13 -04:00
ncabatoff 8d4d6921ad
changelog++ 2019-08-19 09:21:39 -04:00
Vishal Nayak 9b878b0717 go fmt on aws path role files 2019-08-16 11:25:33 -04:00
Jim Kalafut 3ce3e40db7
Update role parameters in JWT API docs (#7328)
This is a temporary revert related to https://github.com/hashicorp/vault-plugin-auth-jwt/issues/66.
Once that change is in a released Vault, this docs change should be reverted back.
2019-08-16 08:09:15 -07:00
Jim Kalafut eaae12f782
changelog++ 2019-08-15 09:51:06 -07:00
Chris Hoffman 0a23fb8294
changelog++ 2019-08-15 10:32:43 -04:00
ncabatoff fb1dec0b98
changelog++ 2019-08-15 10:11:33 -04:00
ncabatoff fb225428ff
changelog++ 2019-08-15 10:07:43 -04:00
Jeff Mitchell 88e1885c1c Updating plugin deps 2019-08-14 17:23:29 -04:00
Calvin Leung Huang 1eaaea50fb
changelog++ 2019-08-14 14:17:44 -07:00
Jeff Mitchell 8918b2ef76 Use separate env var for Vault commit in plugin update script 2019-08-14 17:02:28 -04:00
Jeff Mitchell 87f649bf99 Prep for 1.2.2 2019-08-14 16:54:16 -04:00
Najib Ben 64936d5038 Remove 512 entity limit for groups (#7317)
* Consul 1.5.3 has configurable value limit for KV storage
* Integrated Raft
2019-08-14 13:47:11 -04:00
Matthew Irish 204383b83a
changelog++ 2019-08-14 10:29:11 -05:00
Jim Kalafut 0331a2a3e1
changelog++ 2019-08-14 08:04:46 -07:00
Matthew Irish effe7320d5
change input to textarea and use autosize on them (#7254)
* change input to textarea and use autosize on them

* fix some tests
2019-08-14 10:02:16 -05:00
Jeff Mitchell ae45997fe3 Use Go 1.12.8 for building 2019-08-14 10:45:19 -04:00
Calvin Leung Huang 67170b378f command/server: fix TestLoadConfigFile_json2 test, fix hcl tags (#7300)
* command/server: fix TestLoadConfigFile_json2 test, fix hcl tags

Fixes test to call the equality check, and add missing values to the expected object. Fixes hcl tags in the Telemetry structs.

* fix PrometheusRetentionTime tag
2019-08-14 10:32:11 -04:00
ncabatoff be7b9c2dc5 Since we run plenty of dockerized tests without requiring an env var to (#7291)
be set, let's make the Radius tests behave that way too.
2019-08-14 10:31:23 -04:00
skarsol 073ff32900 Add section for consul 1.4+ (#6366) 2019-08-14 10:19:14 -04:00
Didi Kohen a14b44ee8b Add some more detail for the root generation process (#5720)
* Add some more detail for the root generation process

* Remove mention of old OTP and OTP provided on the start request
2019-08-14 10:16:10 -04:00
IPv4v6 8fe861ec04 add examples for ECC key sizes in documentation (#2952)
* add examples for ECC key sizes in documentation

Signed-off-by: Stefan Pietsch <mail.ipv4v6+gh@gmail.com>

* remove links to Go documentation
2019-08-14 10:08:41 -04:00
Calvin Leung Huang 522fa83568 sdk/logical: handle empty token type string values as TokenTypeDefault (#7273)
* sdk/logical: handle empty token type string values as TokenTypeDefault

* add test case for missing token_type value
2019-08-14 09:45:40 -04:00
Calvin Leung Huang 675593bd18 docs: add 1.2.1 upgrade guide (#7274) 2019-08-14 09:45:09 -04:00
Jim Kalafut 3e7a2211bf Update PCF Auth plugin (#7306) 2019-08-14 09:43:04 -04:00
Jim Kalafut 38e2815d1a
changelog++ 2019-08-13 21:43:21 -07:00
ncabatoff fab0f3298c Fix regression that causes panic when logging in via Radius. (#7290) 2019-08-13 17:11:24 -07:00
Matthew Irish a4b6bb8626
kv v2 display bugs (#7307)
* fix switch css

* allow breadcrumbs container to grow if it's overflowed so that it's still usable

* close the dropdowns on destructive actions that cause a route refresh

* use new attachCapabilities for context menus on auth methods to get rid of an error
2019-08-13 16:54:51 -05:00
Madalyn d3bc388b31
remove double slash from generated api endopints in generated adapter (#7299)
remove double slash from generated api endopints
2019-08-12 14:27:37 -04:00
Jim Kalafut 4653861333
Fix PCF API docs field names (#7302) 2019-08-12 10:55:23 -07:00
Michel Boucey badb089ffb Add gothic, a Haskell KVv2 engine API client (#7301) 2019-08-12 13:30:25 -04:00
Jason O'Donnell ac16dec5c4
docs: update k8s helm doc (#7279) 2019-08-08 17:05:01 -04:00
Joel Thompson e4b9efd37f logical/aws: Refactor role validation (#7276)
This refactors role validation for the AWS secrets engine to be in a
separate method. Previously, all validation was interspersed with the
parsing of parameters when creating/updating a role, which led to a high
degree of complexity. Now, all validation is centralized which makes it
easier to understand and also easier to test (and so a number of test
cases have been added).
2019-08-08 11:53:06 -07:00
Brian Kassouf baed23d816
changelog++ 2019-08-07 14:53:46 -07:00
Jim Kalafut 72a15422d5
Fix identity store 'key not found' response (#7267)
The existing custom response results in a 400 instead of the typical
404 which confuses the Terraform provider (and is inconsistent).
2019-08-07 09:46:45 -07:00
ncabatoff e1f8a82d81
Create test cores with an error injector. (#7243)
It's created with a 0% error rate, which means it's a no-op, but tests can opt-in to errors when
needed via core.underlyingPhysical.
2019-08-06 15:21:23 -04:00
Jeff Mitchell 9aadecb074 changelog++ 2019-08-05 22:13:19 -04:00
ncabatoff c1d557144c
Eliminate a race stemming from each core's monitoring goroutine sharing the client for the active node. (#7255) 2019-08-05 21:39:38 -04:00