sys: adds identity_token_key to mounts/auth for enable/tune #24962

Merged Jan 22, 2024 (10 commits)

@austingebauer austingebauer commented Jan 19, 2024

This PR adds the identity_token_key configuration parameter to the sys/mounts and sys/auth APIs. This enables the plugin mounts to specify which identity token key will be used to sign their plugin identity tokens at enable and tune time.

I decided to make an empty string the default instead of auto-populating the default key in all mount configs. This means the identity_token_key config value will be omitted from the mount config unless explicitly specified at enable/tune time. I made this decision in order to not needlessly add another key/value pair to the mount config (which required updating many tests). If the field is unset/empty, we'll always use the default key. This behavior will be documented.

A separate PR will add the parameter to the Vault CLI.

@austingebauer austingebauer added this to the 1.16.0-rc1 milestone Jan 19, 2024
@austingebauer austingebauer requested a review from tomhjp January 19, 2024 18:06
@austingebauer austingebauer requested a review from a team as a code owner January 19, 2024 18:06
@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Jan 19, 2024
github-actions bot commented Jan 19, 2024

Build Results:
All builds succeeded! ✅

CI Results:
All Go tests succeeded! ✅

@vinay-gopalan vinay-gopalan left a comment

Looks great! Had a thought on refactoring some repeated bits, but should be good otherwise!

@austingebauer austingebauer merged commit 76a62d5 into main Jan 22, 2024
110 checks passed
@austingebauer austingebauer deleted the mounts/identity-token-key branch January 22, 2024 23:28