* Start import docs
* Use hideClipboard block on output
* Reorganize mappings and source docs
* Change experimental to alpha
* Change list tag to alpha
* Apply suggestions from code review
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
When creating database connections, there is a race
condition when multiple goroutines try to create the
connection at the same time. This happens, for
example, on leadership changes in a cluster.
Normally, the extra database connections are cleaned
up when this is detected. However, some database
implementations, notably Postgres, do not seem to
clean up in a timely manner, and can leak in these
scenarios.
To fix this, we create a global lock when creating
database connections to prevent multiple connections
from being created at the same time.
We also clean up the logic at the end so that
if (somehow) we ended up creating an additional
connection, we use the existing one rather than
the new one. This by itself would solve our
problem long-term, however, would still involve
many transient database connections being created
and immediately killed on leadership changes.
It's not ideal to have a single global lock for
database connection creation. Some potential
alternatives:
* a map of locks from the connection name to the lock.
The biggest downside is that we probably will want to
garbage collect this map so that we don't have an
unbounded number of locks.
* a small pool of locks, where we hash the connection
names to pick the lock. Using such a pool generally
is a good way to introduce deadlock, but since we
will only use it in a specific case, and the purpose
is to improve performance for concurrent connection
creation, this is probably acceptable.
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
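The locking scheme described in the commit message above, sketched as an added Go example (this is not the Vault code from the commit). `connCache`, `store`, `Get` and `stampede` are hypothetical names, `&conn{}` stands in for dialing the database, and the connection name is constructed.

```go
package main

import (
	"sync"
	"sync/atomic"
)

type conn struct{ closed bool } // stands in for a database connection
type connCache struct { // hypothetical name -> connection cache
	createMu sync.Mutex   // global lock: one connection creation at a time
	conns    sync.Map     // connection name -> *conn
	opened   atomic.Int64 // connections ever opened
}

// store uses an existing connection for name if present and closes the extra.
func (cc *connCache) store(name string, fresh *conn) *conn {
	cc.opened.Add(1)
	actual, loaded := cc.conns.LoadOrStore(name, fresh)
	if loaded {
		fresh.closed = true
	}
	return actual.(*conn)
}

// Get returns the cached connection, creating it under the global lock.
func (cc *connCache) Get(name string) *conn {
	if c, ok := cc.conns.Load(name); ok {
		return c.(*conn)
	}
	cc.createMu.Lock()
	defer cc.createMu.Unlock()
	if c, ok := cc.conns.Load(name); ok { // another goroutine created it first
		return c.(*conn)
	}
	return cc.store(name, &conn{}) // &conn{} simulates dialing the database
}

// stampede has n goroutines request one name at once and counts opens.
func stampede(n int) int64 {
	cc := &connCache{}
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() { defer wg.Done(); cc.Get("postgres-primary") }() // constructed name
	}
	wg.Wait()
	return cc.opened.Load()
}

func main() { println("connections opened:", stampede(64)) }
```

Without `createMu`, every goroutine that misses the first `Load` would open its own connection, and `store` would close all but one of them: correct, but with the transient connections the message mentions.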
* Move secret write access conditions info to each destination page, reword index to match
* Add condition info for GCP
* Remove unrelated note copied from AWS
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Link to individual access control sections, rename section titles, make tip more specific
* Add image showing where to add IAM Conditions
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* starting on docs
* add docs for raft-wal
* some tweaks
* Apply suggestions from code review
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
* Edits for Raft WAL (#26123)
* not just one filename
* update file pattern for wal files
---------
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update add-to-array and remove-from-array helpers
* remove search-select-has-many, moved logic directly into mfa-login-enforcement-form (see #16470)
* Replace add/remove object in MFA files - All MFA tests pass
* Replace in PKI components (pki tests all passing)
* Replace in core addon where applicable
* glimmerize console service -- console tests pass
* more replacements
* update string-list, add comment to vertical-bar-chart
* Refactor CSP Event service
- only used one place (auth-form) so simplified that usage
- glimmerize and refactor so that the tests work
* small updates
* more cleanup
* Fix tests
* Remove objectAt from console-helpers
* Address PR comments
* move commandIndex clearing back
* Remove extra model set
This adds a short doc describing the basic process
of adding event notifications to a plugin as well
as some examples and best practices.
Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
* hide sync average stat when sync average is 0
* add bug fix for community users without billing start date
* VAULT-25315 link jira
* add CE stub for sync test
* cleanup template to only calculate average once
* fix comment
* add test
* fix conditional
* add secrets sync feature to version service
* fix syntax for feature in version service
* UI [Sidebranch]: correctly call activation flags endpoints (#26068)
* Show empty state on client count sync page if feature isn't activated (#26024)
* page/sync: show empty state if sync is not activated
* tests: add sync page integration tests
* tests: add secrets sync acceptance tests
* cleanup: remove redundant empty state selector
* chore: rename to isSecretsSyncActivated
* Only make POST request to activation-flags in root namespace (#26081)
* Clean up around opt-in banner on non-secrets-sync views (#26039)
* only show and make request to activated-features if enterprise with secrets sync feature
* waiting for final badge title but hiding banner and network request based on if user has secrets-sync feature.
* final copy for badge
* handle dismiss error message, custom messaging in errors, different badge names and upsell if not on license.
* add secrets sync feature to version service
* nope, add to main sidebranch not in this PR
* use version service directly to check for secrets sync feature
* update badges to use version service directly
* do not unnecessarily pass hasSecretsSyncFeature, access from version directly
* last spot to update using the feature getter
* cleanup landing cta logic
* UI [Sidebranch]: correctly call activation flags endpoints (#26068)
* small cleanups after merge
* remove unused type imports
* update tests
* update nav link test
* add test waiter for race condition on test
* add waiter to fetch activation-flags
* remove customer waiters and go for waitFors in test
* worth a try? mirage issues?
* closer?
* fix issue with inconsistent asserts
* adding back in in case this is the issue
* revert cluster.hbs change
* skip test
* delete test
---------
Co-authored-by: clairebontempo@gmail.com <clairebontempo@gmail.com>
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>
* Hide sync for managed vault (#26084)
* [secrets sync] hide sync content from client overview (#26078)
* clients/overview: hide secrets sync content if not in license
* clients: remove sync tab if not in license
* routes: fetch isSecretsSyncActivated at clients/counts route level
* wip - hide secrets sync from overview page
* tests: fix usage-stats test
* more wip hiding from overview page
* hide secrets sync on attribution component/modal
* hide secrets sync content on running total component
* fix RunningTotal class name
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* controllers: fix type
* tests: usage tests
* tests: running totals tests
* add s to secrets-sync
* tests: running-total test cleanup
---------
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
Co-authored-by: clairebontempo@gmail.com <clairebontempo@gmail.com>
* cleanup unused version service
* return extra line
* wip - sync tests
* wip -- clients overview acceptance tests
* test coverage for sync in license, activated
* tests: add more robust sync-related overview tests
* hide sync client charts if feature not in license
---------
Co-authored-by: clairebontempo@gmail.com <clairebontempo@gmail.com>
Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>
Co-authored-by: Noelle Daley <noelledaley@users.noreply.github.com>
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
Co-authored-by: Chelsea Shaw <cshaw@hashicorp.com>
As part of the process of becoming a leader node, check to see if the seal
configuration needs to be reloaded. Reloading may be necessary if the seal
generation information computed during start up is outdated. For example, a new
node that has just joined the cluster will have incorrect seal generation
information in memory, even if it has the correct seal configuration, since it
did not have access to the stored seal generation information.
* Add a configuration flag for enabling multiseal (Seal HA), CE side
* imports
* no quotes
* get rid of dep on ent config
* Abstract enableMultiSeal for a build time switch
* license headers
* wip
* gate physical seal gen fetch by a param
* docs tweak, remove core flag
* updates from the ent pr
* update stub
* update test fixtures for enable_multiseal
* use accessor
* add a test fixture for non-multiseal diagnose
* remove debugging crutch
* Do handle phys seal gen info even if multiseal is off, in order to facilitate enable/disable safeties
* more enabled flag handling
* Accept seal gen info if we were previously disabled, and persist it
* update unit test
* Validation happens postUnseal, so this test is invalid
* Don't continue setting conf if seal loading fails during SIGHUP
* Update website/content/docs/configuration/seal/seal-ha.mdx
Thanks, that does sound much clearer
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* use validation if previous gen was enabled
* unit test update
* stub SetMultisealEnabled
* bring over more changes from ent
* this was an unfix
---------
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* Validate OCSP response is signed by expected issuer and serial number matches request
- There was a bug in the OCSP response signature logic, it properly
verified but kept the ocspRes object around so we ignored
the errors found and passed the response object back up the stack.
- Now extract the verification logic into a dedicated function, if
it returns an error, blank the ocspRes response as we can't trust it.
- Address an issue that the OCSP requests from multiple servers were
clobbering each other's responses as the index loop variable was not
properly captured.
- Add a missing validation that the response was for the serial number
we requested
* Add cl
* VAULT-24469 use sys/seal-status instead of internal version endpoint
* Update tests and mirage handlers
* Revert "VAULT-20669: Add New Authenticated Endpoint for Version (#23740)"
This reverts commit 550c99ae3b.
* Readded version_test.go
* Reverted any old changes on version.go
---------
Co-authored-by: divyaac <divyaac@berkeley.edu>
* Remove CE-only warning from shared tests
* Add tests for all warnings emitted during raft config parsing
* Unmark warnings as CE only that are universal
* Update audited headers to provide a mechanism for invalidation
* Extra tests for AuditedHeadersConfig
* Make sure we clear headers on invalidation if we cannot reload
Changed the wording of "For integrated storage users, Vault needs to be upgraded to 1.13 will enable this feature by default." to be more clear and concise to "For integrated storage users, upgrading Vault to 1.13 will enable this feature by default."
* CE parts for mount-namespace entry limit
* Remove redundant code from refactor
* Add doc comment note about ent-only use of interface
* Add CHANGELOG