Vault Automation
98a1522357
Backport Check in checkout part 2 into ce/main ( #13316 )
...
* Check in checkout part 2 (#12001 )
* Check in checkout part 2
* Linter error fix
* Linter error fix
* error fix
* Error fix
* Error fix
* PR review changes
* Linter bug fix
* Linter bug fix
* Bug fix
* Bug fix
* Bug fix
* PR review changes
* Enabling audit trail
* Enabling audit trail
* Enabling audit trail
* Enabling audit trail
* Enabling audit trail
* Enabling audit trail
* Code review changes
* Code review changes
* Code review changes
* Code review changes
* Code review changes
* ci: retrigger
* CI bug fix
* CI bug fix
* CI bug fix
* CI bug fix
* CI bug fix
* CI bug fix
* CI bug fix
* CI bug fix
* CI bug fix
* CI bug fix
* CI bug fix
* CI bug fix
* CI bug fix
* CI bug fix
* Code merge changes
* CI fix
* CI fix
* CI fix
* conflict issue
* Default for audit log
* Reverting ENOS_VAR_verify_ldap_secrets_engine to false
* Fix Merge conflict
* Upload-Issuer Compliance with Common Criteria. (#12101 )
* Upload-Issuer Compliance with Common Criteria.
* Add Changelog.
* Update changelog/_12101.txt
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Update builtin/logical/pki/storage_validate_imports_ent.go
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* PR-Review, add trap for deletion errors.
* Add test-doc referencing NIAP requirement.
---------
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* hooks(pre-push): handle ssh protocol prefix in git URLs (#12492 )
* hooks(pre-push): handle ssh protocol prefix in git URLs
Handle optional URL prefix and suffixes when checking for enterprise.
Signed-off-by: Ryan Cragun <me@ryan.ec>
* Duplicate fix
* PR feedback changes
* Code Review changes
* Code Review changes
* PR review changes
* ttl Fix
* Removing all static role code from PR
* Removing spaces
---------
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Kajal Kusum <kajal.kusum@ibm.com>
Co-authored-by: Kit Haines <khaines@mit.edu>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* temporarily disable flaky enos tests (#13045 )
* temporarily disable ldap enos tests
* remove smoke_sdk from samples
---------
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: KajalKusum <kajal.kusum@hashicorp.com>
Co-authored-by: Kajal Kusum <kajal.kusum@ibm.com>
Co-authored-by: Kit Haines <khaines@mit.edu>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Co-authored-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
2026-03-23 20:20:59 +00:00
Vault Automation
6ff81f5a57
Configuring Dynamic Credentials Workflows ( #11791 ) ( #12476 )
...
* Positive Test Coverage:
Positive Tests:
- Request Dynamic Credentials
- Renew Dynamic Credentials
- Audit Trail for All Operations
- Automatic Cleanup When Lease Expires
Negative Tests:
- Default TTL to Limit Credential Lifespan
- Max TTL Enforcement - Prevent Indefinite Renewal
- Revoke Dynamic Credentials (Lease Expiration)
- Invalid OU/DN Configuration
- Rollback on Creation Failure
- LDAP Server Unreachable During Dynamic Credentials Request
* refactored the code and updated code for detailed error logs
* fixed the lint issue
* Fix shell script formatting for lint/shfmt compliance
* refactored the code, modularised the code with focused functions
* lint fixes and added abspath of files
* lint issue fixing
* fixing lint issues
* fixing lint issues
* lint issue fixing
* added individual tf configurations
* fixing lint
* reverted the configuration for testing ldap [ci skip]
* ENOS_VAR_verify_ldap_secrets_engine variable to true
* verify_ldap_secrets_engine set true
* reverted the configuration for testing ldap
* optimized the code with Better error handling and exit code checking
* added the audit trail test
* fixing lint
* reverted the configuration for testing ldap
* conflicts resolved
* reverted the configuration for testing ldap
* Improved error handling in LDAP verification scripts
* audit log path added
* vault audit path
* Revert "vault audit path"
This reverts commit d878e333c813e76b8ce4180bb27d00ac22d7d4e1.
* error handling improved
* increased time out
* fixing audit trail
* fixed audit trail script
* fixing lint issues
* audit path issue fixed
* revert vars hcl changes
* lint issues
* Enhanced timeout and error messages
* removed audit logs checks for revoke and renew
* fixed the review comments
* echoing error with warning
* resolved conflicts
* verify_ldap_secrets_engine set to false
* fixing lint issues
* fixing build issue
* build issues fixing
* ttl to 60s
* Revert Dynamic-roles and static-roles.sh to main branch versions
* added ldif to dynamic roles
* fixing build issue
* fixing static role
* static-role changes revert
* fixing build issue
* static role fix
* fixing build
* fixing lint issue
* password policy change
* Fix LDAP password quality and ACL permissions
- Increase DEFAULT_MIN_CHARS from 1 to 2 to meet OpenLDAP pwdCheckQuality requirements
- Configure ACL to grant admin write access to ou=users for credential deletion
- Add fallback ACL testing to verify permissions
Fixes: LDAP Result Code 19 (Password quality constraint)
Fixes: LDAP Result Code 50 (Insufficient access rights)
* Revert "Fix LDAP password quality and ACL permissions"
This reverts commit a56ba604b465e22b62825af645ebe43810ab3922.
* fixing access issue
* revert acl changes
* fixing build
* fixing build
* fixing build
* revert static role change
* Update test-run-enos-scenario-matrix.yml reverted
---------
Co-authored-by: Naresh-Nani-byte <naresh.pentala@hashicorp.com>
Co-authored-by: Naresh Pentala <naresh.pentala@ibm.com>
Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
2026-02-24 05:00:22 +00:00
Vault Automation
ccceb19d02
committed dynamic-roles.sh ( #11833 ) ( #12356 )
...
* Dynamic-roles:updated with review comments
* Fix enos formatting: align variable assignments in scenario files
* Fix terraform formatting in LDAP modules
* Fix shell script formatting: add newlines and fix indentation
* Fix shellcheck warnings: quote variables to prevent globbing
* Change LDAP secrets engine verification to true
* Add variable for LDAP static role verification
* Configure SSH transport for LDAP dynamic roles
Added SSH transport configuration for LDAP dynamic roles.
* Fix formatting in ldap.tf
* Change LDAP secrets engine verification to false
---------
Co-authored-by: Amala Mathew <amala.mathew@hashicorp.com>
Co-authored-by: mathew-amala <amala.mathew1@ibm.com>
Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
2026-02-18 08:36:34 -05:00
Vault Automation
7b470708ac
[VAULT-41521] enos(ec2_infor): update scenario base images ( #11508 ) ( #11533 )
...
Update the base images for all scenarios:
- RHEL: upgrade base image for 10 to 10.1
- RHEL: upgrade base image for 9 to 9.7
- SLES: upgrade base image for 15 to 15.7
- SLES: add SLES 16.0 to the matrix
- OpenSUSE: remove OpenSUSE Leap from the matrix
I ended up removing OpenSUSE because the images that we were on were rarely updated and that resulted in very slow scenarios because of package upgrades. Also, despite the latest release being in October I didn't find any public cloud images produced for the new version of Leap. We can consider adding it back later but I'm comfortable just leaving SLES 15 and 16 in there for that test coverage.
I also ended up fixing a bug in our integration host setup where we'd provision three nodes instead of one. That ought to result in many fewer instance provisions per scenario. I also had to make a few small tweaks in how we detected whether or not SELinux is enabled, as the prior implementation did not work for SLES 16.
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2025-12-22 14:17:51 -07:00
Vault Automation
0c6c13dd38
license: update headers to IBM Corp. ( #10229 ) ( #10233 )
...
* license: update headers to IBM Corp.
* `make proto`
* update offset because source file changed
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2025-10-21 15:20:20 -06:00
Vault Automation
8d2cb89704
VAULT-38463: Addressing ldap pipeline failure ( #8817 ) ( #8911 )
...
* VAULT-38463: Addressing ldap pipeline failure
* testing ldap tests
* testing ldap tests
* debugging ldap issue
* testing pipeline
* testing pipeline
* testing pipeline
* testing pipeline
* testing pipeline
* testing pipeline
* testing pipeline
* debugging ldap failure
* debugging ldap failure
* debugging pipeline
* adding dependency for verify secrets
* removing extra code
* undo changes
* undo changes
Co-authored-by: Tin Vo <tintvo08@gmail.com>
2025-08-26 12:46:36 -07:00
Charles Nwokotubo
0187338dd8
[Enos] VAULT-30196: SSH Secrets Engine ( #29534 )
2025-08-06 19:22:06 -04:00
Luis (LT) Carbonell
4036485739
(enos) Add KMIP Enos Test Suite ( #31378 )
...
* (enos) Add KMIP Enos Test Suite
* skip KMIP for CE runs
* reads...
* cleanup variables
* fix
2025-07-29 14:13:28 -04:00
kelly
f0201408b4
VAULT-31185 & 31186/use identity token auth for Artifactory in Vault CE & Ent ( #31255 )
...
* removed artifactory_username
* updated artifactory token
* ran enos fmt
* ran terraform fmt
* debugging/ testing - pinned enos version, added null username
* byyyyy
2025-07-28 12:16:25 -04:00
Tin Vo
857e66b3e2
VAULT-35602: Adding Enos OpenLDAP test ( #30801 )
...
* VAULT-35602: adding Enos LDAP Tests
* adding godaddy tests
* updating external integration target module name
2025-07-23 13:11:12 -07:00
Luis (LT) Carbonell
403720c1fd
Add non-leader test for enos ( #30657 )
...
* Add non-leader test for enos
* Make clearer comments
2025-05-22 11:25:19 -04:00
Luis (LT) Carbonell
ed52371b10
Upgrade FIPS 1402 -> 1403 ( #30576 )
...
* Upgrade FIPS 1402 -> 1403
* Clean up
* changelog
2025-05-12 15:01:30 -05:00
Tin Vo
4c36d90281
VAULT-30187: Create Enos AWS Engine tests ( #29566 )
...
* Testing Enos AWS Engine tests
* Testing Enos AWS Engine tests
* Testing Enos AWS Engine tests
* testing enos aws engine test
* testing enos aws engine test
* testing enos aws engine test
* testing enos aws engine test
* testing enos aws engine test
* testing enos aws engine test
* testing enos aws engine test
* testing enos aws engine test
* testing enos aws engine test
* testing enos aws engine test
* testing enos aws engine test
* testing enos aws engine test
* testing enos aws engine test
* testing aws engine test
* testing enos aws engine test
* testing enos aws engine test
* testing enos aws engine test
* testing enos aws engine
* testing enos aws engine
* updating test for enterprise
* updating test for enterprise
* updating test for enterprise
* removing testing output
* removing testing output
* removing testing github action
* fixing lint
* removing sensitive flag
* including sensitive flag due to terraform errors
* removing testing action workflow
2025-04-21 10:30:43 -07:00
Tin Vo
ac3bb7b2d4
VAULT-32188: Enos test for PKI certificates ( #29007 )
...
* updating pki test
* updating pki test
* updating pki test
* updating pki script
* resolving conflicts
* adding pki cert verifications
* resolving conflicts
* updating test
* removing comments
* addressing bash formatting
* updating test
* adding description
* fixing lint error
* fixing lint error
* fixing lint issue
* removing unneeded scenario
* resolving conflicts
* debugging pipeline error
* fixing pipeline tests
* fixing pipeline tests
* testing smoke test
* fixing pipeline error
* debugging pipeline error
* debugging pipeline error
* debugging pipeline error
* debugging agent test ci failure
* fixing ci errors
* uncomment token
* updating script
* updating hosts
* fixing lint
* fixing lint
* fixing lint
* adding revoked certificate
* undo kv.tf change
* updating cert issuing
* updating issuing certs to include issuer
* updating pki cert verification
* addressing comments
* fixing lint
* fixing lint
* fixing lint
* fixing lint
* updating verify_secrets_engine_read module
* fixing lint
* fixing lint
* fixing lint
* debugging lint
* testing pipeline
* adding verify variables for autopilot
* adding pki read variable for autopilot
* updating vault engine read variables
* addressing comments
* fixing lint
* update test for enterprise
* update pki tests to adapt to enterprise
2025-01-23 11:30:20 -08:00
Rebecca Willett
8cee664204
Add 'how to run' instructions to each Enos scenario ( #29299 )
...
* Add 'how to run' instructions for each scenario
2025-01-10 21:17:09 +00:00
Ryan Cragun
c8c51b1b9d
VAULT-30819: verify DR secondary leader before unsealing followers ( #28459 )
...
* VAULT-30819: verify DR secondary leader before unsealing followers
After we've enabled DR replication on the secondary leader the existing
cluster followers will be resealed with the primary cluster's encryption
keys. We have to unseal the followers to make them available. To ensure
that we absolutely take every precaution before attempting to unseal the
followers we now verify that the secondary leader is the cluster leader,
has a valid merkle tree, and is streaming wals from the primary cluster
before we attempt to unseal the secondary followers.
Signed-off-by: Ryan Cragun <me@ryan.ec>
2024-09-24 09:13:40 -06:00
Ryan Cragun
b977fac936
VAULT-30819: DR replication: wait for seal rewrap before enabling DR ( #28425 )
...
Ensure that both clusters have completed their seal rewrap before
enabling DR on the secondary. We don't want the secondary to come back
up in an in-between state.
Signed-off-by: Ryan Cragun <me@ryan.ec>
2024-09-18 10:29:03 -06:00
Ryan Cragun
1082629d1f
VAULT-30819: Fix two potential flakes in DR replication ( #28409 )
...
Fix two occasional flakes in the DR replication scenario:
* Always verify that all nodes in the cluster are unsealed before
verifying test data. Previously we only verified seal status on
followers.
* Fix an occasional timeout when waiting for the cluster to unseal by
rewriting the module to retry for a set duration instead of
exponential backoff.
Signed-off-by: Ryan Cragun <me@ryan.ec>
2024-09-17 12:32:15 -06:00
Ryan Cragun
392412829b
[VAULT-30189] enos: verify identity and OIDC tokens ( #28274 )
...
* [VAULT-30189] enos: verify identity and OIDC tokens
Expand our baseline API and data verification by including the identity
and identity OIDC tokens secrets engines. We now create a test entity,
entity-alias, identity group, various policies, and associate them with
the entity. For the OIDC side, we now configure the OIDC issuer, create
and rotate named keys, create and associate roles with the named key,
and issue and introspect tokens.
During a second phase we also verify that those same entities,
groups, keys, roles, config, etc all exist with the expected values.
This is useful to test durability after upgrades, migrations, etc.
This change also includes new updates to our prior `auth/userpass` and `kv`
verification. We had two modules that were loosely coupled and
interdependent. This restructures those both into a singular module with
child modules and fixes the assumed values by requiring the read module
to verify against the created state.
Going forward we can continue to extend this secrets engine verification
module with additional create and read checks for new secrets engines.
Signed-off-by: Ryan Cragun <me@ryan.ec>
2024-09-09 14:29:11 -06:00
Luis (LT) Carbonell
cdf3da4066
Add DR failover scenario to Enos ( #28256 )
...
* Add DR failover scenario to Enos
* Update enos/enos-scenario-dr-replication.hcl
Co-authored-by: Ryan Cragun <me@ryan.ec>
* Update enos/enos-qualities.hcl
Co-authored-by: Ryan Cragun <me@ryan.ec>
* Update enos/enos-scenario-dr-replication.hcl
Co-authored-by: Ryan Cragun <me@ryan.ec>
* Update enos/enos-scenario-dr-replication.hcl
Co-authored-by: Ryan Cragun <me@ryan.ec>
* Update enos/enos-qualities.hcl
Co-authored-by: Ryan Cragun <me@ryan.ec>
* Update enos/enos-scenario-dr-replication.hcl
Co-authored-by: Ryan Cragun <me@ryan.ec>
* Update enos/enos-scenario-dr-replication.hcl
Co-authored-by: Ryan Cragun <me@ryan.ec>
* Update enos/enos-scenario-dr-replication.hcl
Co-authored-by: Ryan Cragun <me@ryan.ec>
* Update enos/enos-scenario-pr-replication.hcl
Co-authored-by: Ryan Cragun <me@ryan.ec>
* remove superuser
* Update enos/enos-scenario-dr-replication.hcl
Co-authored-by: Ryan Cragun <me@ryan.ec>
* Update enos/enos-scenario-dr-replication.hcl
Co-authored-by: Ryan Cragun <me@ryan.ec>
* Update enos/enos-scenario-dr-replication.hcl
Co-authored-by: Ryan Cragun <me@ryan.ec>
* Update enos/enos-scenario-dr-replication.hcl
Co-authored-by: Ryan Cragun <me@ryan.ec>
* Update enos/enos-scenario-dr-replication.hcl
Co-authored-by: Ryan Cragun <me@ryan.ec>
---------
Co-authored-by: Ryan Cragun <me@ryan.ec>
2024-09-05 21:33:53 +00:00