vault/command/agent
Vault Automation b8c81b84c8
External lazy materialization (#12909) (#13383)
* vault: lazily materialize external tokens

Implement stub-first auth flow to avoid token-store writes on read-only requests, materialize only on lease registration, cache materialized token IDs by fingerprint, and add coverage for standby/leader materialization behavior.

* vault: align lazy JWT materialization with main

Adjust standby materialization behavior to main branch APIs, keep lease-time forwarding conversion, and update enterprise tests to match current standby error paths.

* vault: align jwt lazy materialization follow-ups

Apply naming and test-practice follow-ups, document cache-size rationale, simplify stub-use gating, and add external JWT e2e/benchmark coverage that measures raft writes for passthrough vs leased flows.

* vault: sanitize jwt lazy materialization logs

* vault: move jwt stub audit labels to ent

* vault: keep ent token type in audit logs

Remove audit token_type override and jwt_stub audit labeling so enterprise JWT tokens are consistently reported as ent while preserving existing request handling behavior.

* vault: rename unpersisted JWT token state

Rename IsStub/JwtStub to IsUnpersisted/JwtUnpersisted and switch serialized key to jwt_unpersisted for clearer storage semantics.

* vault: use storage-backed JWT token naming

Rename JWT token persistence marker to IsStorageBacked/JwtStorageBacked and clarify docs that passthrough JWT requests may never write token state to storage.

* vault: address jwt token materialization regressions

Fix storage-backed checks for non-ent tokens, materialize JWTs for lookup endpoints, and add lookup-self regression coverage.

* vault: thread perf standby state into jwt materialization

Pass perf standby state through materializeEnterpriseTokenForLease call sites to avoid unsynchronized state reads in request handling paths.

* test: harden flaky enterprise timing checks

Increase timing tolerance in flaky CI tests without changing runtime behavior.

* test: document CI timing tolerance in flaky tests

Add comments clarifying widened waits are for CI scheduling jitter and asynchronous convergence, not behavior changes.

* vault: remove sensitive token logging

Drop clear-text token value from SSC token MAC mismatch debug logging and keep census test unchanged per request.

* vault: tighten request logging for security scan

Remove remaining error-derived logging fields in request handling token/JWT revoke paths to satisfy clear-text sensitive logging findings.

* vault: use typed no-rpc-client errors

Replace string-based no-rpc-client error matching with a dedicated error type and update perf-standby callsites to return it.

* test: harden perf-standby billing race assertions

Allow early active-node counts up to the number of standby operations before the eventual RPC delivery assertion, to avoid race-only CI flakes without changing behavior.

* revert: undo billing test race assertion changes

Revert the prior billing test hardening commit per user request to keep billing tests unchanged in PR #12909.

* vault: restore fetchCeilingPolicies after rebase

Re-add the enterprise fetchCeilingPolicies method from main that was dropped during rebase conflict resolution, fixing build failure in request_handling.go.

* vault: materialize JWT tokens for cubbyhole requests

Ensure enterprise JWT tokens are materialized for cubbyhole paths in addition to token lookup endpoints, preserving expected persisted token-entry behavior for cubbyhole-backed request flows and token-entry JWT tests.

* vault: restore JWT token headers on perf-standby forward

* tests: fix jwt passthrough profile setup

* vault: clarify forwarding helper docs

* vault: cover jwt standby token endpoint behavior

* vault: remove enterprise JWT wording in comments

* vault: preserve materialized token request identity

* vault: stabilize external JWT readonly raft assertion

* vault: address PR 12909 review feedback

* tests: remove redundant NewTestCluster lifecycle calls

* vault: sanitize request handling token error logs

* vault: remove sensitive error fields in ent token cleanup logs

* vault: restore IsJWT wording

* vault: migrate jwt materialization tests to NewTestCluster

* tests: skip external jwt benchmark in CI

* Run make fmt

* Address PR review feedback

* Remove benchmark CI skip

* Move JWT materialization tests to external suite

---------

Co-authored-by: Bianca <48203644+biazmoreira@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-03-25 14:44:06 +00:00
config Implement PKIPublicCA config parsing and handling (#12363) (#13368) 2026-03-25 09:43:27 -04:00
exec license: update headers to IBM Corp. (#10229) (#10233) 2025-10-21 15:20:20 -06:00
internal/ctmanager license: update headers to IBM Corp. (#10229) (#10233) 2025-10-21 15:20:20 -06:00
pkiexternalca Implement PKIPublicCA config parsing and handling (#12363) (#13368) 2026-03-25 09:43:27 -04:00
template Implement PKIPublicCA config parsing and handling (#12363) (#13368) 2026-03-25 09:43:27 -04:00
test-fixtures/reload VAULT-9883: Agent Reloadable Config (#18638) 2023-01-10 17:45:34 +00:00
agent_auto_auth_self_heal_test.go license: update headers to IBM Corp. (#10229) (#10233) 2025-10-21 15:20:20 -06:00
alicloud_end_to_end_test.go Backport refactor dependencies and removes disallowed vault imports from builtin Okta auth into ce/main (#11295) 2025-12-12 13:20:57 -06:00
approle_end_to_end_test.go license: update headers to IBM Corp. (#10229) (#10233) 2025-10-21 15:20:20 -06:00
auto_auth_preload_token_end_to_end_test.go license: update headers to IBM Corp. (#10229) (#10233) 2025-10-21 15:20:20 -06:00
aws_end_to_end_test.go Backport refactor dependencies and removes disallowed vault imports from builtin Okta auth into ce/main (#11295) 2025-12-12 13:20:57 -06:00
cache_end_to_end_test.go license: update headers to IBM Corp. (#10229) (#10233) 2025-10-21 15:20:20 -06:00
cert_end_to_end_test.go license: update headers to IBM Corp. (#10229) (#10233) 2025-10-21 15:20:20 -06:00
cf_end_to_end_test.go license: update headers to IBM Corp. (#10229) (#10233) 2025-10-21 15:20:20 -06:00
doc.go license: update headers to IBM Corp. (#10229) (#10233) 2025-10-21 15:20:20 -06:00
jwt_end_to_end_test.go External lazy materialization (#12909) (#13383) 2026-03-25 14:44:06 +00:00
oci_end_to_end_test.go Backport refactor dependencies and removes disallowed vault imports from builtin Okta auth into ce/main (#11295) 2025-12-12 13:20:57 -06:00
README.md docs: Update outdated vaultproject.io/docs/ links (#22162) 2023-08-15 12:59:34 -04:00
testing.go license: update headers to IBM Corp. (#10229) (#10233) 2025-10-21 15:20:20 -06:00
token_file_end_to_end_test.go license: update headers to IBM Corp. (#10229) (#10233) 2025-10-21 15:20:20 -06:00

Vault Agent

Vault Agent is a client daemon that provides Auto-Auth, Caching, and Template features.

Vault Agent provides a number of different helper features, specifically addressing the following challenges:

  • Automatic authentication
  • Secure delivery/storage of tokens
  • Lifecycle management of these tokens (renewal & re-authentication)
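
The following agent configuration is an added example, not a file from this directory or from the Vault project, that wires the three features above together: an auto_auth block that logs in with AppRole and renews the resulting token, a file sink that delivers that token to the application, the cache listening on a Unix socket so local clients can reuse the Agent's token instead of holding their own, and a template that renders secrets to disk. The Vault address, the AppRole mount and credential file paths, the socket path, and the template paths are assumptions; replace them with your own.

```hcl
# Added example of a Vault Agent configuration (not part of the repository).
# Every path and address below is a placeholder assumption.

pid_file = "/var/run/vault/agent.pid"

vault {
  address = "https://vault.example.internal:8200"
}

auto_auth {
  # Automatic authentication: Agent logs in with AppRole and keeps the
  # token renewed, re-authenticating when renewal is no longer possible.
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path   = "/etc/vault/role_id"
      secret_id_file_path = "/etc/vault/secret_id"
      # Consume the single-use SecretID so it does not linger on disk.
      remove_secret_id_file_after_reading = true
    }
  }

  # Secure delivery: the token is written response-wrapped, so a consumer
  # that receives an already-unwrapped token knows it was intercepted.
  sink "file" {
    wrap_ttl = "5m"
    config = {
      path = "/var/run/vault/token"
      mode = 0640
    }
  }
}

# Local clients talk to the Agent over a Unix socket; the Agent attaches
# its own auto-auth token so the application never handles one directly.
listener "unix" {
  address     = "/var/run/vault/agent.sock"
  tls_disable = true
}

cache {
  use_auto_auth_token = true
}

# Template rendering: secrets are fetched with the auto-auth token and
# written with restrictive permissions; leases are renewed by the Agent.
template {
  source      = "/etc/vault/templates/db.env.ctmpl"
  destination = "/run/secrets/db.env"
  perms       = "0600"
}
```

Start the daemon with `vault agent -config=/etc/vault/agent.hcl` and point the application at `VAULT_AGENT_ADDR=unix:///var/run/vault/agent.sock`. Because `use_auto_auth_token` is set, requests arriving on the socket without a token are sent upstream with the Agent's token, so the application process needs no Vault credentials of its own.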

See the usage documentation on the Vault website here: