Commit graph

22856 commits

Author SHA1 Message Date
Vault Automation
3f31ff60f3
feat(automation-snippets): add new tfSnippet arg to component and tests (#16026) (#16027)
Co-authored-by: Nina Bucholtz <nina.balachandranmary@gmail.com>
2026-07-01 19:11:52 +00:00
Vault Automation
8df0f4b8de
feat(tcg): TF block type definitions, helper methods and corresponding tests (#15981) (#15994)
Co-authored-by: Nina Bucholtz <nina.balachandranmary@gmail.com>
2026-07-01 10:01:22 -05:00
Vault Automation
620873c6fa
Add Cert, SPIFFE, and SCEP Auth Metrics (#15726) (#16010)
* auth role struct + helper

* schema update

* gauge writer

* helper func

* added test

* changelog

* auth role counts never returns nil, removed check

* capitalized metric name

* capitalization continued & comment update

* added write for spiffe enabled metric

* schema update

* update test

* changelog update

* renamed roleUsageMetrics

* aligned function with existing standard

* metric name updated

* moved combineAuthRoleCounts to core_metrics_ent

* count metric functions renamed

* schema + hash update

* function renaming

Co-authored-by: Gaurav Mitra <gauravmitra@ibm.com>
2026-07-01 00:11:29 +00:00
Vault Automation
3318557dda
add api snippets to automation snippets (#16005) (#16008)
Co-authored-by: claire bontempo <clairebontempo@gmail.com>
2026-06-30 22:11:08 +00:00
Vault Automation
42dd5ede91
serviceregistration: get a read lock in checkDuration() (#15949) (#15982)
Fixes a race condition between checkDuration() and merge().

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2026-06-30 18:59:40 +00:00
Vault Automation
4590652ffd
VAULT-43730: Adding billing start date sdk test (#15798) (#15989)
* fixing conflicts

* VAULT-44278: Add Min Vault Version to Blackbox Tests

* testing pipeline

* testing pipeline

* testing pipeline

* adding timeout to go test

* testing pipeline

* fixing lint

* testing pipeline

* testing pipeline

* adding bob skill

* updating bob skills

* updating bob skills

* testing pipeline'

* testing pipeline

* testing pipeline

* testing pipeline

* testing pipeline

* updating blackbox steps

* VAULT-43634: Adding sdk performance replication test

* updating test

* testing pipeline

* testing pipeline

* testing pipeline

* adding ibm license go test

* testing pipeline

* testing pipeline

* testing pipeline

* testing pipeline

* testing pipeline

* fixing conflicts

* testing pipeline

* VAULT-43730: Adding billing start date sdk test

* undo VERSION

* testing pipeline

* updating test comments

* fixing conflicts

* VAULT-43734: Fixing replication blackbox sdk test (#15817)

* VAULT-43734: Fixing replication blackbox sdk test

* testing pipeline

* VAULT-43634: Adding sdk performance replication test

* fixing conflicts

* testing pipeline

* updating edition in test

* testing pipeline

* testing pipeline

* debugging test

* testing pipeline'

* testing pipeline

* fixing license_update test

* fixing conflicts

* undo version

* undo version

* undo workflow changes

* undo uneeded changes

* updating enos test automation

* testing pipeline

* testing pipeline

* testing glibc-common error

* undo dockerfile

* fixing microdnf issue

* undo cloud-ent test

* undo Dockerfile

Co-authored-by: Tin Vo <tintvo08@gmail.com>
2026-06-30 10:34:49 -07:00
Vault Automation
a0783e1243
lock mount test table mutations (#15930) (#15966)
Changes:
Lock direct mount table replacement in TestCore_Mount_Local
Hold mountsLock while mutating a mount entry and calling persistMounts in TestCore_Mount_Local
Lock the direct mount entry slice rebuild in TestCore_Mount_Local
Lock direct mount table replacement in TestCore_FindOps
Lock direct mount table replacement in TestCore_MountInitialize

Co-authored-by: Jorge Aquino <jaquino.usmc@gmail.com>
2026-06-29 23:29:48 -05:00
Vault Automation
66070ef40b
Backport Initial route setup for external/public PKI work into ce/main (#15971)
* Initial route setup for external/public PKI work (#15947)

* update readme

* add external pki routes

* hide public pki from prod

* update route headers to display engine path

* add tabs, add navigation acceptance tests

* sentence case tabs

* filter from CE runs (#15972)

---------

Co-authored-by: claire bontempo <clairebontempo@gmail.com>
2026-06-29 13:42:27 -07:00
Vault Automation
eb8b43eaa1
Backport Add enterprise build tag to ent files lacking it. Add cedev Makefile target into ce/main (#15877)
* Add enterprise build tag to ent files lacking it. Add cedev Makefile target (#10934)

* Revert everything except the ce stub

---------

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2026-06-29 17:09:09 +00:00
Vault Automation
8477338069
aws: increase rules per security group
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-06-29 09:44:16 -06:00
Vault Automation
78151c8eee
VAULT-46299 update state checking on performance secondary clusters (#15679) (#15941)
* update state checking on performance secondary clusters

* add token test

* add changelog

* update changelog

* add and modify test

* drop test - covered in external testing

* Update changelog/_15679.txt



* Update changelog/_15679.txt



* adjust test

* update token wal test

* adjust test

* add t.Parallel to tests

---------

Co-authored-by: Catalina Martinez <107933424+catamtz@users.noreply.github.com>
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
2026-06-29 15:25:21 +00:00
Vault Automation
8688045bea
adding team to codeowners (#15956) (#15959)
Co-authored-by: JMGoldsmith <spartanaudio@gmail.com>
2026-06-29 10:43:42 -04:00
Vault Automation
d7ec233a8a
Add managed key support to CSR sign and set certificate chain endpoints (#15908) (#15933)
* Add managed key support to CSR sign and set certificate chain endpoints
2026-06-26 15:33:40 -05:00
Vault Automation
25fde555c9
auto: bumps vault-client-typescript version (#15927) (#15931) 2026-06-26 18:39:24 +00:00
Vault Automation
153366f1c0
Backport pipeline: enable us-east-2 region when running scenarios into ce/main
* pipeline: enable us-east-2 region when running scenarios (#15869)

Due to the frequent runner disconnects leaving orphaned infra, we're now
commonly seeing more VPC limit issues in the intervals between when the
infra sweeper runs. Instead of increasing our limits more, we'll instead
enable `us-east-2`. There will be a marginal cost impact as `us-east-2`
is ever so slightly more expensive than `us-west-2` and `us-east-1`, but
it's worth it so as to not have failing CI runs.

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-06-26 13:58:24 -04:00
Vault Automation
fd0a367b1d
UI API Client Dependency Update Workflow (#12771) (#12907)
* adds github actions workflow to bump ui api client version on repository dispatch event

* Update .github/workflows/ui-client-update.yml



* Update .github/workflows/ui-client-update.yml



* Update .github/workflows/ui-client-update.yml



* fixes missing uses key

* Update .github/workflows/ui-client-update.yml



---------

Co-authored-by: Jordan Reimer <zofskeez@gmail.com>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-06-26 12:44:19 -04:00
Vault Automation
6135543f81
VAULT-43733: Adding IBM License Update SDK Test (#15563) (#15910)
* fixing conflicts

* VAULT-44278: Add Min Vault Version to Blackbox Tests

* testing pipeline

* testing pipeline

* testing pipeline

* adding timeout to go test

* testing pipeline

* fixing lint

* testing pipeline

* testing pipeline

* adding bob skill

* updating bob skills

* updating bob skills

* testing pipeline'

* testing pipeline

* testing pipeline

* testing pipeline

* testing pipeline

* updating blackbox steps

* updating test

* testing pipeline

* testing pipeline

* testing pipeline

* adding ibm license go test

* testing pipeline

* testing pipeline

* testing pipeline

* updating edition in test

* testing pipeline

* testing pipeline

* testing pipeline

* fixing tests

* debugging test

* testing ibm license update

* testing pipeline'

* testing pipeline

* testing pipeline

* fixing test errors

* fixing conflicts

* testing pipeline

* testing pipeline

* testing pipeline

* fixing conflicts

* testing isolated/verify

* testing pipeline

* fixing TestVaultUndoLogsMetric issue and adding TestVaultUndoLogsMetricAllFollowers

* fixing TestVaultUndoLogsMetric issue

* testing pipeline

Co-authored-by: Tin Vo <tintvo08@gmail.com>
2026-06-26 09:41:55 -07:00
Vault Automation
7d46f59626
auto: bumps vault-client-typescript version (#15844) (#15904) 2026-06-26 09:20:52 -07:00
Vault Automation
e5cddbc4f9
VAULT-45737 remove all failures, add relevant test results (#15182) (#15897)
* remove all failures, add relevant test results

* adding code change for test.

* adding back in deleted code

* changing to testonly

* adding links to tests

* update to tree, not ref

* removing test

* adding script for first test manifest

Co-authored-by: JMGoldsmith <spartanaudio@gmail.com>
2026-06-26 17:22:18 +02:00
Vault Automation
2e37e340c5
Backport [VAULT-46498]: Do not redirect all snapshot operations into ce/main (#15842)
* [VAULT-46498]: Do not redirect all snapshot operations (#15769)

* only redirect snapshot loads. all other snapshot operations should be handled normally

* changelog

* fix comment, add additional test cases

* VAULT-46498: Snapshot redirect test should be ent only (#15861)

---------

Co-authored-by: miagilepner <mia.epner@hashicorp.com>
2026-06-26 09:30:20 -05:00
Vault Automation
be91719837
Fix Instana test tracing configuration and add package documentation (#15529) (#15783)
* updated files for proper Instana test recording

* updates

* Update upload-test-results-to-instana.sh

* Update upload-test-results-to-instana.sh

* updates

* changes

* changes

* upfate

* update instana.go:

* Update instana.go

* updates

* Update instana.go

* Update instana.go

* Update tools/instana-uploader/main.go



* fixes

* Update release-procedure-ent.yml

---------

Co-authored-by: Jaired Jawed <jaired.jawed@hashicorp.com>
Co-authored-by: hashigator <280075563+hashigator@users.noreply.github.com>
2026-06-26 09:50:01 -04:00
Vault Automation
7dc338bc02
fixing parsing error for 64 bit slot id (#15666) (#15849)
* fixing parsing error for 64 bit slot id

* adding this changes in changelog

* Revert "adding this changes in changelog"

This reverts commit 6b61c0c934161d9fbce2b16cf06a5dc60dc8db45.

        reverting previous commit for chaneglog

* adding new changelog file

* adding new changelog file

Co-authored-by: sandeep-ibm2026 <sandeep.kumar.srivastava@ibm.com>
2026-06-26 11:50:16 +05:30
Vault Automation
fb7b470284
Backport go: upgrade software.sslmate.com/src/go-pkcs12 to v0.7.2 to resolve GO-2026-5052 into ce/main
Update software.sslmate.com/src/go-pkcs12 to v0.7.2 to fix security vulnerability GO-2026-5052

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-06-25 22:01:26 +00:00
Vault Automation
7b103fd204
fix tsl host mismatch by changing the serverName to match what is given on the dynamic leaf cert (#15813) (#15854)
Co-authored-by: Cole Heinbaugh <cole.heinbaugh@ibm.com>
2026-06-25 13:08:40 -07:00
Vault Automation
1a7385ab0f
Backport Turn opts.Raw into WithoutEnvelope for Policy Encrypt into ce/main (#15867)
* no-op commit

* Turn opts.Raw into WithoutEnvelope instead of a mismatching raw parameter in encryptWithManagedKey (#15862)

---------

Co-authored-by: Scott Miller <smiller@hashicorp.com>
2026-06-25 19:15:46 +00:00
Vault Automation
bcf55d4816
Backport [UI] VAULT-45954 - Secrets sync database static roles support into ce/main (#15834)
* no-op commit

* Refactor sync UI to support multiple secret types with configuration-based architecture

* remove radio-cards and add mount-based secret type auto-detection for sync destinations

Co-authored-by: Copilot <copilot@github.com>

* enhance suggestion input component with placeholder and no matches message support from parent

* refactor secrets component methods for improved readability and consistency

* refactor sync components and update empty state messages for clarity

* updated ui as per figma design

* Refactor secret handling and introduce SecretTypeBadge component for improved UI representation

* updated button text as per Figma design

* Enable external link support for database static roles in SECRET_TYPE_CONFIGS

* Update document and improve tests for database roles

* Add release note for Secrets Sync UI feature to support syncing Database static roles

* fixed changelog name and updated link to remove trailing space

* resolved copilot review comments

---------

Co-authored-by: Mohit Ojha <mohit.ojha@hashicorp.com>
Co-authored-by: Copilot <copilot@github.com>
2026-06-25 23:41:21 +05:30
Vault Automation
9736087703
Add Transform and KMIP secret engine resource metrics (#15704) (#15863)
* bumped schema version and added metrics to schema

* Added struct and helper func

* Updated per mount collection function

* helper function combineCounts

* guage writer

* snapshot test

* schema hash update 1

* PR Changelog

* Changelog update

* Updated comment

* Added helper to get baseline counts

* schema hash version update 2

* added helper() to test

* passed pointer to testing interface instead of interface itself

* expanded struct definition

Co-authored-by: Gaurav Mitra <gauravmitra@ibm.com>
2026-06-25 18:01:53 +00:00
Vault Automation
b20d199312
Add metric for # of transform engine roles (#15401) (#15699)
* added struct for transform roles

* added transform roles to mount traversal functions

* added combine util function

* getter function

* reporting function

* fix API list path

* comment adjustment

* add schema entry

* add writer to big writer function

* updated schema

* test function for collection

* getter test

* changed function to test transform role counts

* return to originial test, moving test into ent file

* fixed comment

* added new ent file for testing per mount metric collection for ent-only features

* capture range variable in table-driven subtest

* remove redundant outer mountsLock in metrics test

CountMetricsFromMounts already acquires mountsLock internally; the outer
RLock was a recursive read-lock with deadlock potential.

* File name changes

* Fold transform roles into roleCounts and renamed TransitKey to writeManagedKeyMetrics

* Finished folding transform role counts into existing roleCounts infra

* Added changelog

* Updated naming for ent and added transit key metric changelog as well

* moved Transform role count test to external_test cluster

* Will add transit key changelog to different pr

* Moved all tests to external package

* Deleted redudant tests

* Replace sleep with EventuallyWithT

* Update vault/census_manager_schema_ent.go



---------

Co-authored-by: Gaurav Mitra <gauravmitra@ibm.com>
Co-authored-by: claire bontempo <clairebontempo@gmail.com>
2026-06-25 10:05:21 -07:00
Vault Automation
e73cf5a295
Backport identity: add "deny_slash_in_templated_path" config option into ce/main (#15788)
Adds a global option to deny slashes in templated policy path output,
defaults to false:

- hcl config `deny_slash_in_templated_paths = true/false`
- env var `VAULT_DENY_SLASH_IN_TEMPLATED_PATHS=true/false`

* fix changelog and init deny option correctly for CE

---------

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Co-authored-by: Violet Hynes <a.xenasis@gmail.com>
2026-06-25 09:29:15 -07:00
Vault Automation
10752b266b
Backport Add new identity tpm type/endpoints into ce/main (#15840) 2026-06-25 11:22:49 -05:00
Vault Automation
97a03c532e
adds ui as codeowner for gen-diff-spec workflow (#15816) (#15819)
Co-authored-by: Jordan Reimer <zofskeez@gmail.com>
2026-06-25 11:39:54 -04:00
Vault Automation
1ef7bb27a5
auto: bumps vault-client-typescript version (#15745) (#15785) 2026-06-25 07:15:22 -07:00
Vault Automation
8dcf8a3edf
VAULT-45511: Add VAULT_EVENT_NOTIFICATIONS_BOUNDED_QUEUE_SIZE to close slow event subscribers (#15549) (#15779)
* close slow subscribers with bounded queue on event subs

* chanelog

* Add ErrSlowConsumer as valid test path

* Add VAULT_BOUNDED_EVENT_QUEUE env var to gate bounded event queue feature

* cleanup comments

* Update changelog/_15549.txt



* Update vault/eventbus/bus.go



* Add VAULT_BOUNDED_EVENT_QUEUE env var to gate bounded event queue feature

Gate bounded event queue implementation with VAULT_BOUNDED_EVENT_QUEUE
environment variable for gradual rollout. Set to a positive integer (e.g., 16)
to enable buffered subscriber channels of that size. Defaults to 0 (unbuffered)
for backward compatibility.

Changes:
- Add EnvVaultBoundedEventQueue constant and getSubscriberBufferSize() helper
- Cache buffer size at EventBus initialization for performance
- Add subscriberBufferSize field to EventBus and bufferSize to asyncChanNode
- Update newAsyncNode() to accept buffer size parameter
- Update asyncChanNode.Process() to use cached bufferSize for behavior selection
- Add getEventID() helper for safe event ID extraction (prevents panics)
- Update tests to use integer configuration and improve error handling
- Update changelog to document configurable buffer size

This allows operators to opt-in to bounded queue behavior with tunable buffer
sizes, preventing goroutine leaks and providing immediate slow consumer detection,
while maintaining backward compatibility with unbuffered channels as default.

* update env var name

* add max buffer size of 1000

* update changelog

---------

Co-authored-by: Angel Garbarino <Monkeychip@users.noreply.github.com>
Co-authored-by: Charles Nwokotubo <charles.nwokotubo@hashicorp.com>
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
2026-06-24 22:15:33 -04:00
Vault Automation
5e0a77b5c0
VAULT-43734: Fixing replication blackbox sdk test (#15817) (#15825)
* VAULT-43734: Fixing replication blackbox sdk test

* testing pipeline

Co-authored-by: Tin Vo <tintvo08@gmail.com>
2026-06-24 17:00:13 -07:00
Vault Automation
cb87f40d45
pipeline: add more UI related directories to UI changed files and CODEOWNERS
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-06-24 21:14:19 +00:00
Vault Automation
fe0bb37762
VAULT-43634: Adding Enos sdk performance replication test (#15492) (#15801)
* VAULT-44278: Add Min Vault Version to Blackbox Tests

* testing pipeline

* testing pipeline

* testing pipeline

* testing pipeline

* adding timeout to go test

* testing pipeline

* fixing lint

* fixing lint

* testing pipeline

* testing pipeline

* testing pipeline

* adding bob skill

* updating bob skills

* updating bob skills

* testing pipeline'

* testing pipeline

* testing pipeline

* testing pipeline

* testing pipeline

* testing pipeline

* updating blackbox steps

* VAULT-43634: Adding sdk performance replication test

* updating test

* testing pipeline

* testing pipeline

* testing pipeline

* Update vault/external_tests/blackbox/isolated/verify/performance_replication_test.go

* fixing conflicts

* fixing conflicts

---------

Co-authored-by: Tin Vo <tintvo08@gmail.com>
Co-authored-by: hashigator <280075563+hashigator@users.noreply.github.com>
2026-06-24 13:44:30 -07:00
Tin Vo
53e3710939
Backport VAULT-44278: Add Min Vault Version to Blackbox Tests into ce/main (#15748)
* pulling changes from vault_automation/tin/VAULT-44278

* pulling changes
2026-06-24 12:45:43 -07:00
Vault Automation
824fd4624b
VAULT-45883 send standby spiffe data to active node (#15532) (#15786)
* send over data for spiffe

* add test

* fix bug in tests: do not use hard coded core in the billing handler because it is always set to the active node's core

* add changelog

* address all feedback

Co-authored-by: Amir Aslamov <amir.aslamov@hashicorp.com>
2026-06-24 14:37:57 -04:00
Vault Automation
b2c4077109
VAULT-45815: fix all deadlock issues with consumption billing (#15356) (#15746)
* fix all deadlock issues with consumption

* add changelog

Co-authored-by: Amir Aslamov <amir.aslamov@hashicorp.com>
2026-06-24 11:36:11 -06:00
Vault Automation
74630cdcc3
Add metric for # of transit keys (#15273) (#15364)
* Added schema definition and updated schema version

* update

* Fix

* Added transitKeys metric counting to existing functions in billing

* test functions written

* census schema version

* test fix

Co-authored-by: Gaurav Mitra <gauravmitra@ibm.com>
2026-06-24 11:35:52 -06:00
Vault Automation
f713bed59a
Skip isolated tests on CE edition (#15714) (#15715)
* Skip isolated tests on CE - require enterprise features

* formatting

Co-authored-by: hashigator <280075563+hashigator@users.noreply.github.com>
2026-06-24 11:35:34 -06:00
Vault Automation
6fd972499f
version: change main to 2.1.0 and update for new 2.0.x release branch
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-06-24 10:39:45 -06:00
Vault Automation
d9853a8f33
actions: explicitly set permissions on callable worklows
actions: explicitly set permissions on callable worklows

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-06-23 18:19:23 -06:00
Vault Automation
00281521f0
actions: pin actions to the latest versions
* actions: pin to latest actions

- actions/checkout@9c091bb21b => v7.0.0
  Adds a guardrail to prevent accidentally checking out fork pull
  request code in privileged GitHub Actions contexts
  (pull_request_target and PR-triggered workflow_run), with an
  explicit opt-in escape hatch for advanced workflows.

- pnpm/action-setup@0ebf47130e => v6.0.9
  Update pnpm to v11.7.0

- Add .github/actions/build-ui to ui changed files group

- Add .github/actions/build-ui to ui/frontend CODEOWNERS

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-06-23 10:21:26 -06:00
Vault Automation
13b16c1519
no-op commit (#15728) 2026-06-23 09:11:43 -07:00
Vault Automation
c00eab81a7
Backport Reorganize vault blackbox tests into isolated/scenario/system structure into ce/main (#15705)
* Reorganize vault blackbox tests into isolated/scenario/system structure (#14919)

* Reorganize vault blackbox tests into isolated/scenario/system structure

- Move 38 test files from flat structure to organized directories:
  * isolated/: namespace-scoped, concurrent-safe tests (auth, secrets, plugins, verify)
  * scenario/: state-changing tests (raft, ha)
  * system/: system-level config tests (billing, license)
- Add build tags (isolated, scenario, system) to all test files
- Update enos scenarios to use new test paths (./vault/external_tests/blackbox/isolated/verify)
- Add isolated build tag to undo_logs_test.go for consistency
- Remove empty directories and duplicate test files
- All tests compile successfully with respective build tags

Updated enos scenarios: autopilot, agent, dr-replication, plugin, pr-replication, proxy, seal-ha, smoke, upgrade

* Fix test failures: skip postgres without env vars, handle userpass login failure

* Add HSM-specific build tags for test compilation

* Add metadata path permissions for KV v2 delete/undelete operations

* Fix KV tests: use user session for all write operations

* Fix KV tests: remove userpass, use root session

* Incorporate new AWS and LDAP test functions from main branch

- Add TestAWS_SecretsCreate() and TestAWS_SecretsRead() to isolated/plugins/aws/secrets_aws_test.go
  * Tests basic AWS secrets engine configuration and role creation
  * Tests reading AWS role and root configuration
  * Complements existing TestAWS_GenerateNewUser() with simpler test cases

- Add TestLDAP_StaticRoleCreate(), TestLDAP_LibrarySetRead(), and TestLDAP_LibrarySetDelete() to isolated/plugins/ldap/secrets_ldap_test.go
  * Tests LDAP static role creation for password rotation
  * Tests LDAP library set operations for service account management
  * Tests library set deletion
  * Adds requireLDAPAvailable() helper for connectivity verification
  * Complements existing dynamic credential tests

- All new test functions include:
  * Build tag: //go:build isolated
  * t.Parallel() for concurrent execution
  * Proper environment variable checks with skip logic
  * Consistent error handling and assertions

- Cleanup:
  * Removed stray .git directories from test folders
  * Removed empty vault/external_tests/blackbox/plugins directory

These changes ensure the PR includes all test coverage from main while maintaining
the new isolated/scenario/system organization structure.

* Fix pr-replication scenario to use correct test path and name

- Update test_package from ./vault/external_tests/blackbox/verify to isolated/verify
- Update test_names from TestVaultUIAvailability to TestUIAssets
- Fixes test failures caused by incomplete migration in blackbox test reorganization

* Fix all Enos scenarios: isolated/verify path and correct test names

* Skip isolated tests on CE - require enterprise features

---------

Co-authored-by: hashigator <280075563+hashigator@users.noreply.github.com>
Co-authored-by: hashigator <lt.carbonell@ibm.com>
2026-06-23 11:29:48 -04:00
Vault Automation
8cf1370eb8
[UI]: Ember Data Migration Identity (#15194) (#15683)
* [UI]: Ember Data Migration Identity List and Details (#15157)

* Update identity views edm

* Use model directly

* Code cleanup!

* Refresh list view if deleted

* Update identity detail page

* Identity show..

* Have different method types

* Update delete...

* [UI] Ember Data Migration: Identity forms, show, edit, create and list routes (#15291)

* Identity forms...

* Fetch entities and groups in route

* Update forms to have edit

* Fix breadcrumbs

* Update save to use api service method

* Merge entities form...

* Update aliases

* Entity and group show routes

* Fix create / save action

* Add alias form.

* Fix some tests!

* Fix tests and update capability check

* WIP fixing tests...

* Fixes some details page bugs

* Edit form delete actions..

* Passing all tests!!

* Refactor some utils

* Update to class based syntax

* Form label updates

* Remove unused onSuccess

* [UI] Identity EDM code cleanup (#15608)

* Fix cancelLink action

* Update tests to have the correct args

* Ensure add alias button shows when alias does not exist

* Fix lookup input

* Fix other tabs and pages..

* Address comments

Co-authored-by: Kianna <30884335+kiannaquach@users.noreply.github.com>
2026-06-23 07:12:28 -07:00
Vault Automation
ad4d228f1f
Backport Sgm/without envelope wireup into ce/main (#15700)
* no-op commit

* Sgm/without envelope wireup (#15441)

* Changes needed to allow encryption/decryption with gcpckms in managed keys

* wip

* wip

* wip

* Normalize key purposes across implementations

* update kmse

* Update kms wrapper deps to those that support WithoutEnvelope

* crucially, supply the option in the wrapper managed key impl

* restore the kmse update

* no, thats done via the encryptWithManagedKey in Policy, not needed here

* changelog

* remove replace

* Update sdk's go-kms-wrapping

* mod tidy

* Switch to using the main wrapper even for testing.

* update test cluster usage

* Update go.mod

Co-authored-by: wiz-inc-0e7a25329d[bot] <177343755+wiz-inc-0e7a25329d[bot]@users.noreply.github.com>

* Update go.mod

Co-authored-by: wiz-inc-0e7a25329d[bot] <177343755+wiz-inc-0e7a25329d[bot]@users.noreply.github.com>

* more go.sum update

* PR feedback

* GCPC KMS needed some more config massaging to work w/ encryption

---------

Co-authored-by: wiz-inc-0e7a25329d[bot] <177343755+wiz-inc-0e7a25329d[bot]@users.noreply.github.com>

---------

Co-authored-by: Scott Miller <smiller@hashicorp.com>
Co-authored-by: wiz-inc-0e7a25329d[bot] <177343755+wiz-inc-0e7a25329d[bot]@users.noreply.github.com>
2026-06-22 18:40:49 +00:00
Vault Automation
45dbaade93
Exclude .agents dirs from CE sync in pipeline config (#15600) (#15654)
Mark `.agents` and `ui/.agents` as enterprise-only in the pipeline
changed-files grouping config. These directories contain internal
developer tooling (agent skills and configurations) that must not
be synced to CE branches or included in CE backports.

Update both the live config and the test fixture to keep them in
sync.

Co-authored-by: Angelo Cordon <angelo.cordon@hashicorp.com>
Co-authored-by: OpenCode (claude-sonnet-4.6) <opencode.noreply@hashicorp.com>
2026-06-22 16:55:41 +00:00
Vault Automation
ad9a5b1e0a
[VAULT-34888] enos: backport changes for Fyre scenarios for testing on linux/s390x
Add support for running enos on Fyre with support for linux/s390x,
linux/amd64, and linux/ppc64le. The enterprise version of this PR
has enterprise only scenarios. The changes reflected here are on
shared modules.

We now have three new fyre modules that are can swap in-place of
create_vpc, ec2_info, and target_ec2_instances:
create_vpc_fyre_shim, fyre_os_info and target_fyre_vms. This pass
doesn't make them adhered 1:1 as module interfaces but that can come
later when the base scenarios are merged.

The only major change we had to make to long existing modules was
supporting leader_api_addr for discovery. Historically we've always used
cloud based node discovery but that's obviously not available in Fyre.
Nowyou can set the retry_join variable to either local_api_addr or
aws.

We also modify our integration containers to use those available from
the HashiCorp docker mirror. We do this because we pull those images
unauthenticated and thus share the same external address as the larger
network, which makes the likelihood of throttling very high.

To maintain the goal of the Fyre scenarios not requiring AWS credentials, I
had to move the AWS secrets verification into it's own module. That allows
us now to simply not include it, but later if/when we include it we can have
scenarios with the Fyre backend compile them out by skipping.

This PR is massive and covers the following tickets:

    VAULT-40635
    VAULT-40636
    VAULT-44591
    VAULT-34888
    VAULT-34887
    VAULT-34886
    VAULT-34885
    VAULT-34884

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-06-22 10:21:47 -06:00