Collect event subscriber filters on the active node of a cluster as
"cluster wide" filters, and send them from the secondary active to the
primary active node (`SendSecondaryFilters rpc`). The primary active
node forwards events downstream to the secondary active node if the
events match the secondary cluster's subscriber filters
(`RecvPrimaryEvents rpc`). Then the events are further distributed
around the secondary cluster via the existing `RecvActiveNodeEvents`
and `SendStandbyFilters` rpc's.
Events are forwarded downstream to the secondary cluster if the mount
exists on the secondary cluster, i.e. events from mounts with
`local=true` aren't forwarded, and events from mounts that are not
replicated via paths-filter aren't forwarded.
(This is the CE portion of the above^^)
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
* [VAULT-33083] UI: support builtin plugins as external plugins
* address copilot review comments
* add changelog
* remove unused id property
* address some nits & add test coverage
* should use utils instead of mixins
* update comments
* move/consolidate logic for 'transform' engine type into ENGINE_TYPE_TO_MODEL_TYPE_MAP, added/updated test coverage
* cleanup: extract transform engine model type logic into helper functions
* address pr comment
* separation of concerns - move relevant vars/fns from all engines metadata to external plugin helpers & secret engine model helpers files
* add TODO; remove unnecessary exports
* rename secret-engine-model-helpers to secret-engine-helpers
* update unknown engine metadata from var to fn to handle a methodType param
* remove unnecessary test
* update changelog; return methodType for unknown engine metadata, simplify code for readability
* add optional chaining for fail-safe
* address kvv1 edge case - on exit configuration, kvv1 should redirect to list-root while kvv2 should redirect to the engineRoute defined in all-engines-metadata
* add ibm header
* fix test failure after updating unknown engine type
Co-authored-by: Shannon Roberts (Beagin) <beagins@users.noreply.github.com>
A few smaller changes to `pipeline`:
- Change the regions that we use back to us-east-1 and us-west-2
- Don't backport anything to inactive branches. This behavior was a
relic of prior behavior and is no longer necessary.
- Fix the go mod tests that rely on a strangely formatted mod file
- Ignore the module fixtures when running `make go-mod-tidy`
- Run `make go-mod-tidy`
Signed-off-by: Ryan Cragun <me@ryan.ec>
* converts quick-actions-card component to ts
* updates dashboard quick-actions-card to use hds super select component
* removes searchField from params search
* fixes kvv2 workflow test
Co-authored-by: Jordan Reimer <zofskeez@gmail.com>
* converts kubernetes overview page component to ts
* converts kubernetes role index controller to ts
* updates kubernetes overview to use api service
* removes store service from kubernetes engine
* removes kubernetes models, adapters and serializers
* removes unused types
* updates removed type references
* removes fetch-secrets-config decorator
Co-authored-by: Jordan Reimer <zofskeez@gmail.com>
* enables typescript in kubernetes engine
* adds api service to kubernetes engine
* removes mounts handler from kubernetes mirage handler
* adds kubernetes application route to handle withConfig decorator check
* updates usage of application model in kubernetes engine
* updates kubernetes configuration route to use api service fetched config
* adds kubernetes config form class
* updates error route backend references to secretsEngine
* updates kubernetes configure workflow to use api service and form class
* fixes tests
* converts kubernetes index route to ts
* adds capabilities service to kubernetes engine
* updates kubernetes roles view to use api service
* converts kubernetes role details component to ts
* updates kubernetes role details route to use api service
* reverts kubernetes mirage handler change
* converts kubernetes role index route to ts
* updates kubernetes generate credentials workflow to use api service
* converts kubernetes role edit and create routes to ts
* converts kubernetes create-and-edit component to ts
* adds form class for kubernetes role
* updates kubernetes create and edit routes to use api service and form class
* fixes tests
Co-authored-by: Jordan Reimer <zofskeez@gmail.com>
* enables typescript in kubernetes engine
* adds api service to kubernetes engine
* removes mounts handler from kubernetes mirage handler
* adds kubernetes application route to handle withConfig decorator check
* updates usage of application model in kubernetes engine
* updates kubernetes configuration route to use api service fetched config
* adds kubernetes config form class
* updates error route backend references to secretsEngine
* updates kubernetes configure workflow to use api service and form class
* fixes tests
* reverts kubernetes mirage handler change
* updates type for inferredState in kubernetes config page component
* removes commented out form field in kubernetes config form
Co-authored-by: Jordan Reimer <zofskeez@gmail.com>
Fix an incompatibility where we check out the repository with
checkout@v6 and then attempt to check it out again at checkout@v5 in the
set-product-version action.
* update enos directory to trigger lint
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* replace Hds::Reveal with Hds::Accordion
* adjust spacing to render in Hds::Form component
* fix spacing in policy-example
* cleanup form-section class usage
* implement visual builder in create policy form
* hide visual editor in search select modal
* use general selectors, alphabetize form/field selectors
* update test coverage to check for visual policy editor
* reorganize tests by module
* add saving functionality for visual editor
* refactor event handling methods
* refactor component so parent manages stanzas
* move snippets to automation-snippets tab component
* polish up policy diff modal
* refactor arg to be isCompact
* update test coverage and export new component
* rearrange methods to make diff easier
* small cleanup, abc vars and remove unneeded change
* add language and update test coverage
* update comment
* fix form hierarchy
* fix modal spacing
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Add Disable-Time-Check flag, and also respect common criteria when doing so.
* Switch to EnableTimeChecks to not change default behavior.
* Check Common Criteria Flag Before Disabling Verification.
* Add Changelog.
* Update builtin/logical/pki/issuing/cert_verify_ent.go
* Update changelog/_10915.txt
* PR feedback.
* Merge-fix
* Test case requested by PR review.
---------
Co-authored-by: Kit Haines <khaines@mit.edu>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Correctly set signature bits.
* All the other places that accidentally conflate issuer and issued key.
* Update builtin/logical/pki/path_roles.go
* PR Feedback.
* Add changelog.
* Test and validate keybits in a single call
* License header.
* Add/combine validate and get default hashbits calls.
* Actually set keyBits on the role.
* Fix storage test, switch to defaultOrValue.
* fix storage test.
* Update error return for linter.
* Look at underlying key type not type which might include "managedKeyType" for ca-issuer.
* Update expected role values, and convert between PublicAlgorithm and KeyType internally.
* Move the ec to ecdsa transformation to helper functions. More consistent usage.
* Speed improvement to testing - pregenerate CA bundles and CSR.
* Add go test doc.
* Fix issue with web-merge.
* Error wrapping error now warnings aren't errors.
* PR feedback - move ecdsa support to subfunctions.
---------
Co-authored-by: Kit Haines <khaines@mit.edu>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Adding logic to run tidy on local secret IDs only for perf secondaries
* Modifying periodic tidy to run on local mounts
* Updating changelog for fix in VAULT-40239
Co-authored-by: Sean Ellefson <sellefson@hashicorp.com>
* sdk/rotation: Prevent rotation attempts on read-only storage
Rotation is a write operation that mutates both Vault's storage
and an external resource. Attempting this on a read-only node
(like in a performance secondary cluster) will fail.
This check preempts the rotation to prevent a split-brain scenario
where the external credential is changed but Vault's storage
cannot be updated.
* changelog
* fix failing test
Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
* VAULT-41128 ensure alias name is not logged in observations (#11296)
* VAULT-41128 ensure alias name is not logged in observations
* feedback
* whoops
* removing flags
* small changes
* fixes
* move things back
* utilizing aftermodel w mods, testing aws
* fix ssh tests
* fixing aws and azure
* fix gcp
* fix test and flip kv
* fix kv2 tests
* adding model to fix tests
* updates and removals
* fix tests
* no showing empty state, redirect to plugin settings after config save
* test fixes
* update subtitle to include namespace, fix test
* removing index, replacing with general settings, updates
* updates and fix tests
* more test fixes
* wif tests
* updates to nav tests
* update tests and cleanup configuration logic
* add todos
* fix remaining tests, add nav test to gcp
* test tweak
* address todos, test update
* Update ui/app/routes/vault/cluster/secrets/backend/configuration/plugin-settings.ts
* I love prettier so much
---------
Co-authored-by: Dan Rivera <dan.rivera@hashicorp.com>
Co-authored-by: claire bontempo <cbontempo@hashicorp.com>
Co-authored-by: Shannon Roberts (Beagin) <beagins@users.noreply.github.com>
* refactor dependencies and removes disallowed vault imports from builtin Okta auth (#10965)
* move SkipUnlessEnvVarsSet from vault/helper/testhelpers/ to vault/sdk/helper/testhelpers
* use unittest framework from vault-testing-stepwise module in place of sdk/logical
* refactor SkipUnlessEnvVarsSet() and NewAssertAuthPoliciesFunc() to sdk
* bump docker API version to 1.44 matching 2f33549
---------
Co-authored-by: Thy Ton <maithytonn@gmail.com>