From 4bfc64992afa667757fb40aa58b0662fea8694e5 Mon Sep 17 00:00:00 2001 From: John-Michael Faircloth Date: Thu, 16 Feb 2023 16:25:15 -0600 Subject: [PATCH] plugin/secrets/auth: enable multiplexing (#19215) * plugin/auth: enable multiplexing - the plugin will be multiplexed when run as an external plugin by vault versions that support secrets/auth plugin multiplexing (> 1.12) - we continue to set the TLSProviderFunc to maintain backwards compatibility with vault versions that don't support AutoMTLS (< 1.12) * enable multiplexing for secrets engines * add changelog * revert call to ServeMultiplex for pki and transit * Revert "revert call to ServeMultiplex for pki and transit" This reverts commit 755be28d14b4c4c4d884d3cf4d2ec003dda579b9. --- builtin/credential/approle/cmd/approle/main.go | 6 ++++-- builtin/credential/aws/cmd/aws/main.go | 6 ++++-- builtin/credential/cert/cmd/cert/main.go | 6 ++++-- builtin/credential/github/cmd/github/main.go | 6 ++++-- builtin/credential/ldap/cmd/ldap/main.go | 6 ++++-- builtin/credential/okta/cmd/okta/main.go | 6 ++++-- builtin/credential/radius/cmd/radius/main.go | 6 ++++-- builtin/credential/userpass/cmd/userpass/main.go | 6 ++++-- builtin/logical/aws/cmd/aws/main.go | 6 ++++-- builtin/logical/consul/cmd/consul/main.go | 6 ++++-- builtin/logical/nomad/cmd/nomad/main.go | 6 ++++-- builtin/logical/pki/cmd/pki/main.go | 6 ++++-- builtin/logical/rabbitmq/cmd/rabbitmq/main.go | 6 ++++-- builtin/logical/ssh/cmd/ssh/main.go | 6 ++++-- builtin/logical/totp/cmd/totp/main.go | 6 ++++-- builtin/logical/transit/cmd/transit/main.go | 6 ++++-- changelog/19215.txt | 5 +++++ 17 files changed, 69 insertions(+), 32 deletions(-) create mode 100644 changelog/19215.txt diff --git a/builtin/credential/approle/cmd/approle/main.go b/builtin/credential/approle/cmd/approle/main.go index 22fa242fa6..5a2903d415 100644 --- a/builtin/credential/approle/cmd/approle/main.go +++ b/builtin/credential/approle/cmd/approle/main.go 
@@ -17,9 +17,11 @@ func main() {
 tlsConfig := apiClientMeta.GetTLSConfig()
 tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
- if err := plugin.Serve(&plugin.ServeOpts{
+ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
 BackendFactoryFunc: approle.Factory,
- TLSProviderFunc: tlsProviderFunc,
+ // set the TLSProviderFunc so that the plugin maintains backwards
+ // compatibility with Vault versions that don’t support plugin AutoMTLS
+ TLSProviderFunc: tlsProviderFunc,
 }); err != nil {
 logger := hclog.New(&hclog.LoggerOptions{})
diff --git a/builtin/credential/aws/cmd/aws/main.go b/builtin/credential/aws/cmd/aws/main.go
index 6de96d02d1..a0d5520322 100644
--- a/builtin/credential/aws/cmd/aws/main.go
+++ b/builtin/credential/aws/cmd/aws/main.go
@@ -17,9 +17,11 @@ func main() {
 tlsConfig := apiClientMeta.GetTLSConfig()
 tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
- if err := plugin.Serve(&plugin.ServeOpts{
+ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
 BackendFactoryFunc: awsauth.Factory,
- TLSProviderFunc: tlsProviderFunc,
+ // set the TLSProviderFunc so that the plugin maintains backwards
+ // compatibility with Vault versions that don’t support plugin AutoMTLS
+ TLSProviderFunc: tlsProviderFunc,
 }); err != nil {
 logger := hclog.New(&hclog.LoggerOptions{})
diff --git a/builtin/credential/cert/cmd/cert/main.go b/builtin/credential/cert/cmd/cert/main.go
index 09018ec3f0..e73241559a 100644
--- a/builtin/credential/cert/cmd/cert/main.go
+++ b/builtin/credential/cert/cmd/cert/main.go
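Review bot: The added comment above `TLSProviderFunc` explains why the provider is kept but not when it is actually used, so a reader cannot tell that once the host Vault negotiates AutoMTLS under `ServeMultiplex` the legacy unwrap-token TLS bootstrap is no longer the path in effect; I would reword it to `// TLSProviderFunc is only consulted when the host Vault does not negotiate AutoMTLS (pre-1.12): it keeps the legacy unwrap-token TLS bootstrap working for those versions.` and add `// TODO: remove this fallback once the minimum supported Vault version makes it dead code`, since a second trust-establishment path is extra surface to keep correct. Where that selection happens (presumably inside `api.VaultPluginTLSProvider`) is not visible in this hunk, so confirm it before the comment asserts it. The commit message gives multiplexing as `> 1.12` and the fallback as `< 1.12`, leaving 1.12 itself unstated, so the comment should name the boundary version exactly, and `don’t` should use an ASCII apostrophe in Go source. The identical comment appears in all sixteen `main.go` hunks, so the reword applies to each; `main` continues past the end of the hunk.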
@@ -17,9 +17,11 @@ func main() {
 tlsConfig := apiClientMeta.GetTLSConfig()
 tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
- if err := plugin.Serve(&plugin.ServeOpts{
+ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
 BackendFactoryFunc: cert.Factory,
- TLSProviderFunc: tlsProviderFunc,
+ // set the TLSProviderFunc so that the plugin maintains backwards
+ // compatibility with Vault versions that don’t support plugin AutoMTLS
+ TLSProviderFunc: tlsProviderFunc,
 }); err != nil {
 logger := hclog.New(&hclog.LoggerOptions{})
diff --git a/builtin/credential/github/cmd/github/main.go b/builtin/credential/github/cmd/github/main.go
index be4fbb64ca..4ed6700323 100644
--- a/builtin/credential/github/cmd/github/main.go
+++ b/builtin/credential/github/cmd/github/main.go
@@ -17,9 +17,11 @@ func main() {
 tlsConfig := apiClientMeta.GetTLSConfig()
 tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
- if err := plugin.Serve(&plugin.ServeOpts{
+ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
 BackendFactoryFunc: github.Factory,
- TLSProviderFunc: tlsProviderFunc,
+ // set the TLSProviderFunc so that the plugin maintains backwards
+ // compatibility with Vault versions that don’t support plugin AutoMTLS
+ TLSProviderFunc: tlsProviderFunc,
 }); err != nil {
 logger := hclog.New(&hclog.LoggerOptions{})
diff --git a/builtin/credential/ldap/cmd/ldap/main.go b/builtin/credential/ldap/cmd/ldap/main.go
index b632c011ce..416de6bf18 100644
--- a/builtin/credential/ldap/cmd/ldap/main.go
+++ b/builtin/credential/ldap/cmd/ldap/main.go
@@ -17,9 +17,11 @@ func main() {
 tlsConfig := apiClientMeta.GetTLSConfig()
 tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
- if err := plugin.Serve(&plugin.ServeOpts{
+ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
 BackendFactoryFunc: ldap.Factory,
- TLSProviderFunc: tlsProviderFunc,
+ // set the TLSProviderFunc so that the plugin maintains backwards
+ // compatibility with Vault versions that don’t support plugin AutoMTLS
+ TLSProviderFunc: tlsProviderFunc,
 }); err != nil {
 logger := hclog.New(&hclog.LoggerOptions{})
diff --git a/builtin/credential/okta/cmd/okta/main.go b/builtin/credential/okta/cmd/okta/main.go
index e2452ba4b8..384449212b 100644
--- a/builtin/credential/okta/cmd/okta/main.go
+++ b/builtin/credential/okta/cmd/okta/main.go
@@ -17,9 +17,11 @@ func main() {
 tlsConfig := apiClientMeta.GetTLSConfig()
 tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
- if err := plugin.Serve(&plugin.ServeOpts{
+ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
 BackendFactoryFunc: okta.Factory,
- TLSProviderFunc: tlsProviderFunc,
+ // set the TLSProviderFunc so that the plugin maintains backwards
+ // compatibility with Vault versions that don’t support plugin AutoMTLS
+ TLSProviderFunc: tlsProviderFunc,
 }); err != nil {
 logger := hclog.New(&hclog.LoggerOptions{})
diff --git a/builtin/credential/radius/cmd/radius/main.go b/builtin/credential/radius/cmd/radius/main.go
index 9ab5a63694..99a03a4272 100644
--- a/builtin/credential/radius/cmd/radius/main.go
+++ b/builtin/credential/radius/cmd/radius/main.go
@@ -17,9 +17,11 @@ func main() {
 tlsConfig := apiClientMeta.GetTLSConfig()
 tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
- if err := plugin.Serve(&plugin.ServeOpts{
+ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
 BackendFactoryFunc: radius.Factory,
- TLSProviderFunc: tlsProviderFunc,
+ // set the TLSProviderFunc so that the plugin maintains backwards
+ // compatibility with Vault versions that don’t support plugin AutoMTLS
+ TLSProviderFunc: tlsProviderFunc,
 }); err != nil {
 logger := hclog.New(&hclog.LoggerOptions{})
diff --git a/builtin/credential/userpass/cmd/userpass/main.go b/builtin/credential/userpass/cmd/userpass/main.go
index 5ea1894d21..21be7d05e5 100644
--- a/builtin/credential/userpass/cmd/userpass/main.go
+++ b/builtin/credential/userpass/cmd/userpass/main.go
@@ -16,9 +16,11 @@ func main() {
 tlsConfig := apiClientMeta.GetTLSConfig()
 tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
- if err := plugin.Serve(&plugin.ServeOpts{
+ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
 BackendFactoryFunc: userpass.Factory,
- TLSProviderFunc: tlsProviderFunc,
+ // set the TLSProviderFunc so that the plugin maintains backwards
+ // compatibility with Vault versions that don’t support plugin AutoMTLS
+ TLSProviderFunc: tlsProviderFunc,
 }); err != nil {
 logger := hclog.New(&hclog.LoggerOptions{})
diff --git a/builtin/logical/aws/cmd/aws/main.go b/builtin/logical/aws/cmd/aws/main.go
index 74f7d97a7b..1d4e8a04bf 100644
--- a/builtin/logical/aws/cmd/aws/main.go
+++ b/builtin/logical/aws/cmd/aws/main.go
@@ -17,9 +17,11 @@ func main() {
 tlsConfig := apiClientMeta.GetTLSConfig()
 tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
- if err := plugin.Serve(&plugin.ServeOpts{
+ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
 BackendFactoryFunc: aws.Factory,
- TLSProviderFunc: tlsProviderFunc,
+ // set the TLSProviderFunc so that the plugin maintains backwards
+ // compatibility with Vault versions that don’t support plugin AutoMTLS
+ TLSProviderFunc: tlsProviderFunc,
 }); err != nil {
 logger := hclog.New(&hclog.LoggerOptions{})
diff --git a/builtin/logical/consul/cmd/consul/main.go b/builtin/logical/consul/cmd/consul/main.go
index 3b884ddf85..669d61d95c 100644
--- a/builtin/logical/consul/cmd/consul/main.go
+++ b/builtin/logical/consul/cmd/consul/main.go
@@ -17,9 +17,11 @@ func main() {
 tlsConfig := apiClientMeta.GetTLSConfig()
 tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
- if err := plugin.Serve(&plugin.ServeOpts{
+ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
 BackendFactoryFunc: consul.Factory,
- TLSProviderFunc: tlsProviderFunc,
+ // set the TLSProviderFunc so that the plugin maintains backwards
+ // compatibility with Vault versions that don’t support plugin AutoMTLS
+ TLSProviderFunc: tlsProviderFunc,
 }); err != nil {
 logger := hclog.New(&hclog.LoggerOptions{})
diff --git a/builtin/logical/nomad/cmd/nomad/main.go b/builtin/logical/nomad/cmd/nomad/main.go
index 31b1c93500..5874b9c94f 100644
--- a/builtin/logical/nomad/cmd/nomad/main.go
+++ b/builtin/logical/nomad/cmd/nomad/main.go
@@ -17,9 +17,11 @@ func main() {
 tlsConfig := apiClientMeta.GetTLSConfig()
 tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
- if err := plugin.Serve(&plugin.ServeOpts{
+ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
 BackendFactoryFunc: nomad.Factory,
- TLSProviderFunc: tlsProviderFunc,
+ // set the TLSProviderFunc so that the plugin maintains backwards
+ // compatibility with Vault versions that don’t support plugin AutoMTLS
+ TLSProviderFunc: tlsProviderFunc,
 }); err != nil {
 logger := hclog.New(&hclog.LoggerOptions{})
diff --git a/builtin/logical/pki/cmd/pki/main.go b/builtin/logical/pki/cmd/pki/main.go
index ffcb4521c8..5d28f8543e 100644
--- a/builtin/logical/pki/cmd/pki/main.go
+++ b/builtin/logical/pki/cmd/pki/main.go
@@ -17,9 +17,11 @@ func main() {
 tlsConfig := apiClientMeta.GetTLSConfig()
 tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
- if err := plugin.Serve(&plugin.ServeOpts{
+ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
 BackendFactoryFunc: pki.Factory,
- TLSProviderFunc: tlsProviderFunc,
+ // set the TLSProviderFunc so that the plugin maintains backwards
+ // compatibility with Vault versions that don’t support plugin AutoMTLS
+ TLSProviderFunc: tlsProviderFunc,
 }); err != nil {
 logger := hclog.New(&hclog.LoggerOptions{})
diff --git a/builtin/logical/rabbitmq/cmd/rabbitmq/main.go b/builtin/logical/rabbitmq/cmd/rabbitmq/main.go
index 516f699eae..90a8c56799 100644
--- a/builtin/logical/rabbitmq/cmd/rabbitmq/main.go
+++ b/builtin/logical/rabbitmq/cmd/rabbitmq/main.go
@@ -17,9 +17,11 @@ func main() {
 tlsConfig := apiClientMeta.GetTLSConfig()
 tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
- if err := plugin.Serve(&plugin.ServeOpts{
+ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
 BackendFactoryFunc: rabbitmq.Factory,
- TLSProviderFunc: tlsProviderFunc,
+ // set the TLSProviderFunc so that the plugin maintains backwards
+ // compatibility with Vault versions that don’t support plugin AutoMTLS
+ TLSProviderFunc: tlsProviderFunc,
 }); err != nil {
 logger := hclog.New(&hclog.LoggerOptions{})
diff --git a/builtin/logical/ssh/cmd/ssh/main.go b/builtin/logical/ssh/cmd/ssh/main.go
index d04bd30af6..fbeeacda71 100644
--- a/builtin/logical/ssh/cmd/ssh/main.go
+++ b/builtin/logical/ssh/cmd/ssh/main.go
@@ -17,9 +17,11 @@ func main() {
 tlsConfig := apiClientMeta.GetTLSConfig()
 tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
- if err := plugin.Serve(&plugin.ServeOpts{
+ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
 BackendFactoryFunc: ssh.Factory,
- TLSProviderFunc: tlsProviderFunc,
+ // set the TLSProviderFunc so that the plugin maintains backwards
+ // compatibility with Vault versions that don’t support plugin AutoMTLS
+ TLSProviderFunc: tlsProviderFunc,
 }); err != nil {
 logger := hclog.New(&hclog.LoggerOptions{})
diff --git a/builtin/logical/totp/cmd/totp/main.go b/builtin/logical/totp/cmd/totp/main.go
index 4c96df7f31..c85728810b 100644
--- a/builtin/logical/totp/cmd/totp/main.go
+++ b/builtin/logical/totp/cmd/totp/main.go
@@ -17,9 +17,11 @@ func main() {
 tlsConfig := apiClientMeta.GetTLSConfig()
 tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
- if err := plugin.Serve(&plugin.ServeOpts{
+ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
 BackendFactoryFunc: totp.Factory,
- TLSProviderFunc: tlsProviderFunc,
+ // set the TLSProviderFunc so that the plugin maintains backwards
+ // compatibility with Vault versions that don’t support plugin AutoMTLS
+ TLSProviderFunc: tlsProviderFunc,
 }); err != nil {
 logger := hclog.New(&hclog.LoggerOptions{})
diff --git a/builtin/logical/transit/cmd/transit/main.go b/builtin/logical/transit/cmd/transit/main.go
index 25d4675b90..72eeda828d 100644
--- a/builtin/logical/transit/cmd/transit/main.go
+++ b/builtin/logical/transit/cmd/transit/main.go
@@ -17,9 +17,11 @@ func main() {
 tlsConfig := apiClientMeta.GetTLSConfig()
 tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
- if err := plugin.Serve(&plugin.ServeOpts{
+ if err := plugin.ServeMultiplex(&plugin.ServeOpts{
 BackendFactoryFunc: transit.Factory,
- TLSProviderFunc: tlsProviderFunc,
+ // set the TLSProviderFunc so that the plugin maintains backwards
+ // compatibility with Vault versions that don’t support plugin AutoMTLS
+ TLSProviderFunc: tlsProviderFunc,
 }); err != nil {
 logger := hclog.New(&hclog.LoggerOptions{})
diff --git a/changelog/19215.txt b/changelog/19215.txt
new file mode 100644
index 0000000000..33fea94666
--- /dev/null
+++ b/changelog/19215.txt
@@ -0,0 +1,5 @@
+```release-note:feature
+**Secrets/Auth Plugin Multiplexing**: The plugin will be multiplexed when run
+as an external plugin by vault versions that support secrets/auth plugin
+multiplexing (> 1.12)
+```
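Review bot: Switching `transit.Factory` (and `pki.Factory` in the earlier hunk) to `ServeMultiplex` lets one plugin process back several mounts, so any package-level mutable state in those backends — caches, counters, lazily initialised globals — becomes shared across mounts and namespaces instead of being isolated per process as it was under `plugin.Serve`. The commit history records a revert of exactly these two call sites that was then undone, which suggests this was questioned, but the outcome is not documented anywhere in the change. I would add at the call `// Multiplexed: one process serves every mount of this plugin, so Factory must keep all state on the backend instance it returns, never in package scope.` and confirm against both factories that nothing is held in package scope. Whether either backend actually has such state is not visible here; `main` continues outside the hunk.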