Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backport of UI: remove default setting for max_versions in kv metadata into release/1.14.x #22405

Merged
merged 1 commit into from
Aug 17, 2023
Merged

Backport of UI: remove default setting for max_versions in kv metadata into release/1.14.x #22405

merged 1 commit into from
Aug 17, 2023

Conversation

hc-github-team-secure-vault-core
Copy link
Collaborator

Backport

This PR is auto-generated from #22394 to be assessed for backporting due to the inclusion of the label backport/1.14.x.

The below text is copied from the body of the original PR.

The default value of a secret's metadata was incorrectly setting max_versions to 10 which caused unintended side effects. This PR fixes #8656. Instead of setting the metadata's max_versions from the engine's config, leaving unset has the same result without manipulating any values under the hood.

The greater number takes precedence if both the engine and secret metadata have max_versions configured. Otherwise, 0 means unset and if neither have a max_versions value, Vault will keep the 10 latest versions.

global (engine) secret metadata *versions kept - why?!
0 0 But are unset so Vault keeps 10 versions
0 2* The engine has no global max_versions so the metadata value is used
8* 0 Metadata max_versions is unset so the engine's value is used
3 5* Metadata has a higher max_versions number
9* 2 Yep, you guessed it! The engine config is higher

Both metadata READ responses below have the same kv engine config:

# curl kv/config
=> "data": {
    "cas_required": false,
    "delete_version_after": "0s",
    "max_versions": 3
  }
# curl  kv/metadata/max-2
 => "data": {
    "cas_required": false,
    "created_time": "2023-08-17T03:29:14.58914Z",
    "current_version": 4,
    "custom_metadata": null,
    "delete_version_after": "0s",
    "max_versions": 2, # max_versions is 2 but below 3 are kept because that's the engine config
    "oldest_version": 2,
    "updated_time": "2023-08-17T03:31:09.852191Z",
    "versions": {
      "2": {
        "created_time": "2023-08-17T03:29:23.621884Z",
        "deletion_time": "",
        "destroyed": false
      },
      "3": {
        "created_time": "2023-08-17T03:30:58.966954Z",
        "deletion_time": "",
        "destroyed": false
      },
      "4": {
        "created_time": "2023-08-17T03:31:09.852191Z",
        "deletion_time": "",
        "destroyed": false
      }
    }
  }

# curl kv/metadata/max-5
 => "data": {
    "cas_required": false,
    "created_time": "2023-08-17T03:35:15.076621Z",
    "current_version": 6,
    "custom_metadata": null,
    "delete_version_after": "0s",
    "max_versions": 5, # even though the engine max_versions is 3, the metadata max is used because it's greater
    "oldest_version": 2,
    "updated_time": "2023-08-17T03:35:26.416381Z",
    "versions": {
      "2": {
        "created_time": "2023-08-17T03:35:17.780665Z",
        "deletion_time": "",
        "destroyed": false
      },
      "3": {
        "created_time": "2023-08-17T03:35:20.729444Z",
        "deletion_time": "",
        "destroyed": false
      },
      "4": {
        "created_time": "2023-08-17T03:35:22.889623Z",
        "deletion_time": "",
        "destroyed": false
      },
      "5": {
        "created_time": "2023-08-17T03:35:24.658798Z",
        "deletion_time": "",
        "destroyed": false
      },
      "6": {
        "created_time": "2023-08-17T03:35:26.416381Z",
        "deletion_time": "",
        "destroyed": false
      }
    }

Docs for engine max_versions

Overview of commits

@hc-github-team-secure-vault-core hc-github-team-secure-vault-core force-pushed the backport/ui/VAULT-16815/fix-max-versions-default/seemingly-eminent-bobcat branch 2 times, most recently from c78e663 to 4f339dc Compare August 17, 2023 16:48
@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Aug 17, 2023
@hellobontempo hellobontempo added this to the 1.14.2 milestone Aug 17, 2023
@hellobontempo hellobontempo enabled auto-merge (squash) August 17, 2023 17:05
@github-actions
Copy link

Build Results:
All builds succeeded! ✅

@hellobontempo hellobontempo merged commit 8113c29 into release/1.14.x Aug 17, 2023
@hellobontempo hellobontempo deleted the backport/ui/VAULT-16815/fix-max-versions-default/seemingly-eminent-bobcat branch August 17, 2023 17:18
@github-actions
Copy link

CI Results:
All Go tests succeeded! ✅

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hellobontempo hellobontempo hellobontempo approved these changes

Assignees
No one assigned
Labels
hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed ui
Projects
None yet
Milestone
1.14.2
Development

Successfully merging this pull request may close these issues.
2 participants
@hc-github-team-secure-vault-core @hellobontempo