From 9708ef88d63fb839ac05c79e2a40345be6893122 Mon Sep 17 00:00:00 2001 From: swayne275 Date: Wed, 6 Apr 2022 14:40:53 -0600 Subject: [PATCH] Vault 5452 resolve ent drift (#14898) * resolve path_config_rotate_root_test - ent uses newer version so update and fix * clean up operator_diagnose import to match ent * add mount_accessor to SentinelKeys to match ent * mysql.go remove trailing space to match ent * update protobuf version to match ent * update vault/cluster.go log message to match ent * update ha from ent - the dr stuff is probably fine? * remove newline to match ent in vault/login_mfa.go * add vaultKubernetesMountPath to doc to match ent --- .../credential/aws/path_config_rotate_root_test.go | 1 - command/operator_diagnose.go | 2 +- go.mod | 2 +- go.sum | 6 ++---- helper/forwarding/types.pb.go | 2 +- helper/identity/mfa/types.pb.go | 2 +- helper/identity/sentinel.go | 1 + helper/identity/types.pb.go | 2 +- helper/storagepacker/types.pb.go | 2 +- physical/raft/types.pb.go | 2 +- plugins/database/mssql/mssql.go | 2 +- sdk/database/dbplugin/database.pb.go | 2 +- sdk/database/dbplugin/v5/proto/database.pb.go | 2 +- sdk/helper/pluginutil/multiplexing.pb.go | 2 +- sdk/logical/identity.pb.go | 2 +- sdk/logical/plugin.pb.go | 2 +- sdk/plugin/pb/backend.pb.go | 2 +- vault/activity/activity_log.pb.go | 12 ++++++------ vault/cluster.go | 3 +-- vault/ha.go | 3 ++- vault/login_mfa.go | 1 - vault/request_forwarding_service.pb.go | 2 +- vault/tokens/token.pb.go | 2 +- .../content/docs/platform/k8s/csi/configurations.mdx | 3 +++ 24 files changed, 31 insertions(+), 31 deletions(-) diff --git a/builtin/credential/aws/path_config_rotate_root_test.go b/builtin/credential/aws/path_config_rotate_root_test.go index 9252ebf77141..940c6d102270 100644 --- a/builtin/credential/aws/path_config_rotate_root_test.go +++ b/builtin/credential/aws/path_config_rotate_root_test.go 
@@ -21,7 +21,6 @@ func TestPathConfigRotateRoot(t *testing.T) { SecretAccessKey: aws.String("buzz2"), }, }, - DeleteAccessKeyOutput: &iam.DeleteAccessKeyOutput{}, GetUserOutput: &iam.GetUserOutput{ User: &iam.User{ UserName: aws.String("ellen"), diff --git a/command/operator_diagnose.go b/command/operator_diagnose.go index d79328015870..40136d174e86 100644 --- a/command/operator_diagnose.go +++ b/command/operator_diagnose.go @@ -14,7 +14,6 @@ import ( "golang.org/x/term" wrapping "github.com/hashicorp/go-kms-wrapping" - "github.com/hashicorp/vault/helper/constants" "github.com/docker/docker/pkg/ioutils" "github.com/hashicorp/consul/api" @@ -22,6 +21,7 @@ import ( "github.com/hashicorp/go-secure-stdlib/reloadutil" uuid "github.com/hashicorp/go-uuid" cserver "github.com/hashicorp/vault/command/server" + "github.com/hashicorp/vault/helper/constants" "github.com/hashicorp/vault/helper/metricsutil" "github.com/hashicorp/vault/internalshared/configutil" "github.com/hashicorp/vault/internalshared/listenerutil" diff --git a/go.mod b/go.mod index 1323683f1f2d..e2ebd56b7a39 100644 --- a/go.mod +++ b/go.mod @@ -70,7 +70,7 @@ require ( github.com/hashicorp/go-raftchunking v0.6.3-0.20191002164813-7e9e8525653a github.com/hashicorp/go-retryablehttp v0.7.0 github.com/hashicorp/go-rootcerts v1.0.2 - github.com/hashicorp/go-secure-stdlib/awsutil v0.1.5 + github.com/hashicorp/go-secure-stdlib/awsutil v0.1.6 github.com/hashicorp/go-secure-stdlib/base62 v0.1.2 github.com/hashicorp/go-secure-stdlib/gatedwriter v0.1.1 github.com/hashicorp/go-secure-stdlib/kv-builder v0.1.2 diff --git a/go.sum b/go.sum index 70e0bd57cca7..2ea4f58c6f3f 100644 --- a/go.sum +++ b/go.sum 
@@ -870,15 +870,13 @@ github.com/hashicorp/go-retryablehttp v0.7.0/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER
 github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
 github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
 github.com/hashicorp/go-secure-stdlib/awsutil v0.1.2/go.mod h1:QRJZ7siKie+SZJB9jLbfKrs0Gd0yPWMtbneg0iU1PrY=
-github.com/hashicorp/go-secure-stdlib/awsutil v0.1.5 h1:TkCWKqk1psjvUV7WktmZiRoZ1a9vw048AVnk/YbrzgY=
-github.com/hashicorp/go-secure-stdlib/awsutil v0.1.5/go.mod h1:MpCPSPGLDILGb4JMm94/mMi3YysIqsXzGCzkEZjcjXg=
+github.com/hashicorp/go-secure-stdlib/awsutil v0.1.6 h1:W9WN8p6moV1fjKLkeqEgkAMu5rauy9QeYDAmIaPuuiA=
+github.com/hashicorp/go-secure-stdlib/awsutil v0.1.6/go.mod h1:MpCPSPGLDILGb4JMm94/mMi3YysIqsXzGCzkEZjcjXg=
 github.com/hashicorp/go-secure-stdlib/base62 v0.1.1/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw=
 github.com/hashicorp/go-secure-stdlib/base62 v0.1.2 h1:ET4pqyjiGmY09R5y+rSd70J2w45CtbWDNvGqWp/R3Ng=
 github.com/hashicorp/go-secure-stdlib/base62 v0.1.2/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw=
 github.com/hashicorp/go-secure-stdlib/gatedwriter v0.1.1 h1:9um9R8i0+HbRHS9d64kdvWR0/LJvo12sIonvR9zr1+U=
 github.com/hashicorp/go-secure-stdlib/gatedwriter v0.1.1/go.mod h1:6RoRTSMDK2H/rKh3P/JIsk1tK8aatKTt3JyvIopi3GQ=
-github.com/hashicorp/go-secure-stdlib/kv-builder v0.1.1 h1:IJgULbAXuvWxzKFfu+Au1FUmHIJulS6N4F7Hkn+Kck0=
-github.com/hashicorp/go-secure-stdlib/kv-builder v0.1.1/go.mod h1:rf5JPE13wi+NwjgsmGkbg4b2CgHq8v7Htn/F0nDe/hg=
 github.com/hashicorp/go-secure-stdlib/kv-builder v0.1.2 h1:NS6BHieb/pDfx3M9jDdaPpGyyVp+aD4A3DjX3dgRmzs=
 github.com/hashicorp/go-secure-stdlib/kv-builder v0.1.2/go.mod h1:rf5JPE13wi+NwjgsmGkbg4b2CgHq8v7Htn/F0nDe/hg=
 github.com/hashicorp/go-secure-stdlib/mlock v0.1.1/go.mod h1:zq93CJChV6L9QTfGKtfBxKqD7BqqXx5O04A/ns2p5+I=
diff --git a/helper/forwarding/types.pb.go b/helper/forwarding/types.pb.go index 94400fc8a4c9..3a036f4726aa 100644 --- a/helper/forwarding/types.pb.go +++ b/helper/forwarding/types.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.27.1 -// protoc v3.19.3 +// protoc v3.19.4 // source: helper/forwarding/types.proto package forwarding diff --git a/helper/identity/mfa/types.pb.go b/helper/identity/mfa/types.pb.go index 0cfa12fa29a5..f82ccb46b3dd 100644 --- a/helper/identity/mfa/types.pb.go +++ b/helper/identity/mfa/types.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.27.1 -// protoc v3.19.3 +// protoc v3.19.4 // source: helper/identity/mfa/types.proto package mfa diff --git a/helper/identity/sentinel.go b/helper/identity/sentinel.go index bf3cfff552e2..2c2bc4b940f2 100644 --- a/helper/identity/sentinel.go +++ b/helper/identity/sentinel.go @@ -74,6 +74,7 @@ func (a *Alias) SentinelKeys() []string { return []string{ "id", "mount_type", + "mount_accessor", "mount_path", "meta", "metadata", diff --git a/helper/identity/types.pb.go b/helper/identity/types.pb.go index 81b29b29ed4b..a392d24bc313 100644 --- a/helper/identity/types.pb.go +++ b/helper/identity/types.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.27.1 -// protoc v3.19.3 +// protoc v3.19.4 // source: helper/identity/types.proto package identity diff --git a/helper/storagepacker/types.pb.go b/helper/storagepacker/types.pb.go index 670576acbb9f..bd7b780cd5a9 100644 --- a/helper/storagepacker/types.pb.go +++ b/helper/storagepacker/types.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.27.1 -// protoc v3.19.3 +// protoc v3.19.4 // source: helper/storagepacker/types.proto package storagepacker diff --git a/physical/raft/types.pb.go b/physical/raft/types.pb.go index fbc03c7aeebf..5fca8f6c3e81 100644 
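Review bot: Adding `"mount_accessor"` to the list returned by `Alias.SentinelKeys` in helper/identity/sentinel.go only matters if the `*Alias` `SentinelGet` method serves the same key; that method is outside this hunk, so confirm it has a matching case that returns `a.MountAccessor`, because a key that is advertised but not gettable presumably resolves to nothing in any policy that references it. A one-line comment above the slice would also save the next person from the same check, e.g. `// Every key listed here must have a matching case in SentinelGet.`. The `return []string{` literal in SentinelKeys continues past the end of the hunk.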
--- a/physical/raft/types.pb.go +++ b/physical/raft/types.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.27.1 -// protoc v3.19.3 +// protoc v3.19.4 // source: physical/raft/types.proto package raft diff --git a/plugins/database/mssql/mssql.go b/plugins/database/mssql/mssql.go index 00f1773a1e79..b951857afa09 100644 --- a/plugins/database/mssql/mssql.go +++ b/plugins/database/mssql/mssql.go @@ -427,5 +427,5 @@ SET @stmt = 'IF EXISTS (SELECT name FROM [master].[sys].[server_principals] WHER EXEC (@stmt)` const alterLoginSQL = ` -ALTER LOGIN [{{username}}] WITH PASSWORD = '{{password}}' +ALTER LOGIN [{{username}}] WITH PASSWORD = '{{password}}' ` diff --git a/sdk/database/dbplugin/database.pb.go b/sdk/database/dbplugin/database.pb.go index 8af3951e68c9..7c9e08a9b03e 100644 --- a/sdk/database/dbplugin/database.pb.go +++ b/sdk/database/dbplugin/database.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.27.1 -// protoc v3.19.3 +// protoc v3.19.4 // source: sdk/database/dbplugin/database.proto package dbplugin diff --git a/sdk/database/dbplugin/v5/proto/database.pb.go b/sdk/database/dbplugin/v5/proto/database.pb.go index fbf0c1245fd3..3699a9d662ff 100644 --- a/sdk/database/dbplugin/v5/proto/database.pb.go +++ b/sdk/database/dbplugin/v5/proto/database.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.27.1 -// protoc v3.19.3 +// protoc v3.19.4 // source: sdk/database/dbplugin/v5/proto/database.proto package proto diff --git a/sdk/helper/pluginutil/multiplexing.pb.go b/sdk/helper/pluginutil/multiplexing.pb.go index fa3357d49045..d0ff51e57b24 100644 --- a/sdk/helper/pluginutil/multiplexing.pb.go +++ b/sdk/helper/pluginutil/multiplexing.pb.go 
@@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.27.1 -// protoc v3.19.3 +// protoc v3.19.4 // source: sdk/helper/pluginutil/multiplexing.proto package pluginutil diff --git a/sdk/logical/identity.pb.go b/sdk/logical/identity.pb.go index c472b68a099e..4b1a36b39826 100644 --- a/sdk/logical/identity.pb.go +++ b/sdk/logical/identity.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.27.1 -// protoc v3.19.3 +// protoc v3.19.4 // source: sdk/logical/identity.proto package logical diff --git a/sdk/logical/plugin.pb.go b/sdk/logical/plugin.pb.go index d4722ce09761..b16f0a75af97 100644 --- a/sdk/logical/plugin.pb.go +++ b/sdk/logical/plugin.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.27.1 -// protoc v3.19.3 +// protoc v3.19.4 // source: sdk/logical/plugin.proto package logical diff --git a/sdk/plugin/pb/backend.pb.go b/sdk/plugin/pb/backend.pb.go index 184717a97540..dbad4da977ce 100644 --- a/sdk/plugin/pb/backend.pb.go +++ b/sdk/plugin/pb/backend.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.27.1 -// protoc v3.19.3 +// protoc v3.19.4 // source: sdk/plugin/pb/backend.proto package pb diff --git a/vault/activity/activity_log.pb.go b/vault/activity/activity_log.pb.go index 4c4f36aa89e6..21c58e5675f3 100644 --- a/vault/activity/activity_log.pb.go +++ b/vault/activity/activity_log.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.27.1 -// protoc v3.17.3 +// protoc v3.19.4 // source: vault/activity/activity_log.proto package activity 
@@ -20,10 +20,9 @@ const ( _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) ) -// EntityRecord is generated the first time an client is active -// each month. This can store clients associated with entities -// or nonEntity clients, and really is a ClientRecord, not -// specifically an EntityRecord +// EntityRecord is generated the first time a client is active each month. This +// can store clients associated with entities or nonEntity clients, and really +// is a ClientRecord, not specifically an EntityRecord. type EntityRecord struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -37,7 +36,8 @@ type EntityRecord struct { // non_entity records whether the given EntityRecord is // for a TWE or an entity-bound token. NonEntity bool `protobuf:"varint,4,opt,name=non_entity,json=nonEntity,proto3" json:"non_entity,omitempty"` - // MountAccessor is the path used by client to perform login + // MountAccessor is the auth mount accessor of the token used to perform the + // activity. MountAccessor string `protobuf:"bytes,5,opt,name=mount_accessor,json=mountAccessor,proto3" json:"mount_accessor,omitempty"` } diff --git a/vault/cluster.go b/vault/cluster.go index c114e09bdd1a..a1d037907cd2 100644 --- a/vault/cluster.go +++ b/vault/cluster.go @@ -218,13 +218,12 @@ func (c *Core) setupCluster(ctx context.Context) error { // Create a certificate if c.localClusterCert.Load().([]byte) == nil { - c.logger.Debug("generating local cluster certificate") - host, err := uuid.GenerateUUID() if err != nil { return err } host = fmt.Sprintf("fw-%s", host) + c.logger.Debug("generating local cluster certificate", "host", host) template := &x509.Certificate{ Subject: pkix.Name{ CommonName: host, diff --git a/vault/ha.go b/vault/ha.go index 12f9d6d7458c..8a535655e55c 100644 --- a/vault/ha.go +++ b/vault/ha.go 
@@ -770,7 +770,8 @@ func (c *Core) periodicCheckKeyUpgrades(ctx context.Context, stopCh chan struct{ // keys (e.g. from replication being activated) and we need to seal to // be unsealed again. entry, _ := c.barrier.Get(ctx, poisonPillPath) - if entry != nil && len(entry.Value) > 0 { + entryDR, _ := c.barrier.Get(ctx, poisonPillDRPath) + if (entry != nil && len(entry.Value) > 0) || (entryDR != nil && len(entryDR.Value) > 0) { c.logger.Warn("encryption keys have changed out from underneath us (possibly due to replication enabling), must be unsealed again") // If we are using raft storage we do not want to shut down // raft during replication secondary enablement. This will diff --git a/vault/login_mfa.go b/vault/login_mfa.go index 8b77c5015391..88c7bd8b2209 100644 --- a/vault/login_mfa.go +++ b/vault/login_mfa.go @@ -2283,7 +2283,6 @@ func (b *LoginMFABackend) deleteMFALoginEnforcementConfigByNameAndNamespace(ctx } entryIndex := mfaLoginEnforcementPrefix + eConfig.ID - barrierView, err := b.Core.barrierViewForNamespace(eConfig.NamespaceID) if err != nil { return err diff --git a/vault/request_forwarding_service.pb.go b/vault/request_forwarding_service.pb.go index dc558d5caabe..d16aa5d07155 100644 --- a/vault/request_forwarding_service.pb.go +++ b/vault/request_forwarding_service.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.27.1 -// protoc v3.19.3 +// protoc v3.19.4 // source: vault/request_forwarding_service.proto package vault diff --git a/vault/tokens/token.pb.go b/vault/tokens/token.pb.go index 4604ab3c5999..0f4515bc9f7e 100644 --- a/vault/tokens/token.pb.go +++ b/vault/tokens/token.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.27.1 -// protoc v3.17.3 +// protoc v3.19.4 // source: vault/tokens/token.proto package tokens 
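Review bot: The new `entryDR, _ := c.barrier.Get(ctx, poisonPillDRPath)` in vault/ha.go discards the read error, mirroring the existing `entry, _ :=` line just above it, so a storage failure on either read looks exactly like "no poison pill" and the reseal is silently skipped. If that best-effort behaviour is intended, say so where the errors are dropped, e.g. `// Read errors are ignored on purpose: a transient storage error must not force a reseal.`; otherwise at least surface it, e.g. `entryDR, drErr := c.barrier.Get(ctx, poisonPillDRPath)` followed by `if drErr != nil { c.logger.Warn("reading DR poison pill entry", "error", drErr) }`. `poisonPillDRPath` is not declared anywhere in this patch, so it must already exist in this package for the build to pass, which is worth confirming given the commit message's own uncertainty about the DR portion. periodicCheckKeyUpgrades begins and ends outside the hunk.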
diff --git a/website/content/docs/platform/k8s/csi/configurations.mdx b/website/content/docs/platform/k8s/csi/configurations.mdx index 7088e1469a9b..a3f58c1466bb 100644 --- a/website/content/docs/platform/k8s/csi/configurations.mdx +++ b/website/content/docs/platform/k8s/csi/configurations.mdx @@ -47,6 +47,9 @@ The following parameters are supported by the Vault provider: - `vaultNamespace` `(string: "")` - The Vault [namespace](/docs/enterprise/namespaces) to use. +- `vaultKubernetesMountPath` `(string: "kubernetes")` - The mount path of the Kubernetes authentication + method in Vault. + - `vaultSkipTLSVerify` `(string: "false")` - When set to true, skips verification of the Vault server certificate. Setting this to true is not recommended for production.