backport of commit 12c0266

.github/workflows/build.yml

@@ -4,8 +4,8 @@ on:
   push:
     # Sequence of patterns matched against refs/heads
     branches:    
-      # Push events on main branch
-      - main
+      # Push events on release/1.10.x branch
+      - release/1.10.x
 
 env:
   PKG_NAME: "vault"

.github/workflows/changelog-checker.yml

@@ -25,18 +25,11 @@ jobs:
       - name: Check for changelog entry in diff
         run: |
           # check if there is a diff in the changelog directory
-          if [ ${{ github.event.repository.name }} == "vault-enterprise" ]; then
-            expected_changelog_file=changelog/_${{ github.event.pull_request.number }}.txt
-          else
-            expected_changelog_file=changelog/${{ github.event.pull_request.number }}.txt
-          fi
-
-          echo "looking for changelog file ${expected_changelog_file}"
-          changelog_files=$(git --no-pager diff --name-only HEAD "$(git merge-base HEAD "origin/${{ github.event.pull_request.base.ref }}")" -- ${expected_changelog_file})
+          changelog_files=$(git --no-pager diff --name-only HEAD "$(git merge-base HEAD "origin/${{ github.event.pull_request.base.ref }}")" -- changelog/${{ github.event.pull_request.number }}.txt)
 
           # If we do not find a file matching the PR # in changelog/, we fail the check
           if [ -z "$changelog_files" ]; then
-            echo "Did not find a changelog entry named ${expected_changelog_file}"
+            echo "Did not find a changelog entry named ${{ github.event.pull_request.number }}.txt"
             echo "If your changelog file is correct, skip this check with the 'pr/no-changelog' label"
             echo "Reference - https://github.com/hashicorp/vault/pull/10363 and https://github.com/hashicorp/vault/pull/11894"
             exit 1

.release/ci.hcl

@@ -8,13 +8,7 @@ project "vault" {
   github {
     organization = "hashicorp"
     repository = "vault"
-    release_branches = [
-      "main",
-      "release/1.7.x",
-      "release/1.8.x",
-      "release/1.9.x",
-      "release/1.10.x",
-    ]
+    release_branches = ["release/1.10.x"]
   }
 }
 

.release/linux/package/usr/lib/systemd/system/vault.service

@@ -8,6 +8,7 @@ StartLimitIntervalSec=60
 StartLimitBurst=3
 
 [Service]
+Type=notify
 EnvironmentFile=/etc/vault.d/vault.env
 User=vault
 Group=vault

api/renewer_test.go

@@ -174,10 +174,8 @@ func TestLifetimeWatcher(t *testing.T) {
 				t.Fatal(err)
 			}
 
-			doneCh := make(chan error, 1)
 			go func() {
-				doneCh <- v.doRenewWithOptions(false, false,
-					tc.leaseDurationSeconds, "myleaseID", tc.renew, time.Second)
+				v.doneCh <- v.doRenewWithOptions(false, false, tc.leaseDurationSeconds, "myleaseID", tc.renew, time.Second)
 			}()
 			defer v.Stop()
 
@@ -191,15 +189,12 @@ func TestLifetimeWatcher(t *testing.T) {
 				if r.Secret != renewedSecret {
 					t.Fatalf("expected secret %v, got %v", renewedSecret, r.Secret)
 				}
-			case err := <-doneCh:
+			case err := <-v.DoneCh():
 				if tc.expectError != nil && !errors.Is(err, tc.expectError) {
 					t.Fatalf("expected error %q, got: %v", tc.expectError, err)
 				}
-				if tc.expectError == nil && err != nil {
-					t.Fatalf("expected no error, got: %v", err)
-				}
 				if tc.expectRenewal {
-					t.Fatalf("expected at least one renewal, got donech result: %v", err)
+					t.Fatal("expected at least one renewal")
 				}
 			}
 		})

builtin/logical/database/backend_test.go

@@ -47,11 +47,8 @@ func getCluster(t *testing.T) (*vault.TestCluster, logical.SystemView) {
 
 	sys := vault.TestDynamicSystemView(cores[0].Core, nil)
 	vault.TestAddTestPlugin(t, cores[0].Core, "postgresql-database-plugin", consts.PluginTypeDatabase, "TestBackend_PluginMain_Postgres", []string{}, "")
-	vault.TestAddTestPlugin(t, cores[0].Core, "postgresql-database-plugin-muxed", consts.PluginTypeDatabase, "TestBackend_PluginMain_PostgresMultiplexed", []string{}, "")
 	vault.TestAddTestPlugin(t, cores[0].Core, "mongodb-database-plugin", consts.PluginTypeDatabase, "TestBackend_PluginMain_Mongo", []string{}, "")
-	vault.TestAddTestPlugin(t, cores[0].Core, "mongodb-database-plugin-muxed", consts.PluginTypeDatabase, "TestBackend_PluginMain_MongoMultiplexed", []string{}, "")
 	vault.TestAddTestPlugin(t, cores[0].Core, "mongodbatlas-database-plugin", consts.PluginTypeDatabase, "TestBackend_PluginMain_MongoAtlas", []string{}, "")
-	vault.TestAddTestPlugin(t, cores[0].Core, "mongodbatlas-database-plugin-muxed", consts.PluginTypeDatabase, "TestBackend_PluginMain_MongoAtlasMultiplexed", []string{}, "")
 
 	return cluster, sys
 }
@@ -69,14 +66,6 @@ func TestBackend_PluginMain_Postgres(t *testing.T) {
 	v5.Serve(dbType.(v5.Database))
 }
 
-func TestBackend_PluginMain_PostgresMultiplexed(t *testing.T) {
-	if os.Getenv(pluginutil.PluginVaultVersionEnv) == "" {
-		return
-	}
-
-	v5.ServeMultiplex(postgresql.New)
-}
-
 func TestBackend_PluginMain_Mongo(t *testing.T) {
 	if os.Getenv(pluginutil.PluginVaultVersionEnv) == "" {
 		return
@@ -90,14 +79,6 @@ func TestBackend_PluginMain_Mongo(t *testing.T) {
 	v5.Serve(dbType.(v5.Database))
 }
 
-func TestBackend_PluginMain_MongoMultiplexed(t *testing.T) {
-	if os.Getenv(pluginutil.PluginVaultVersionEnv) == "" {
-		return
-	}
-
-	v5.ServeMultiplex(mongodb.New)
-}
-
 func TestBackend_PluginMain_MongoAtlas(t *testing.T) {
 	if os.Getenv(pluginutil.PluginUnwrapTokenEnv) == "" {
 		return
@@ -111,14 +92,6 @@ func TestBackend_PluginMain_MongoAtlas(t *testing.T) {
 	v5.Serve(dbType.(v5.Database))
 }
 
-func TestBackend_PluginMain_MongoAtlasMultiplexed(t *testing.T) {
-	if os.Getenv(pluginutil.PluginUnwrapTokenEnv) == "" {
-		return
-	}
-
-	v5.ServeMultiplex(mongodbatlas.New)
-}
-
 func TestBackend_RoleUpgrade(t *testing.T) {
 	storage := &logical.InmemStorage{}
 	backend := &databaseBackend{}

builtin/logical/database/mockv5.go

@@ -36,13 +36,6 @@ func RunV5() error {
 	return nil
 }
 
-// Run instantiates a MongoDB object, and runs the RPC server for the plugin
-func RunV6Multiplexed() error {
-	v5.ServeMultiplex(New)
-
-	return nil
-}
-
 func (m MockDatabaseV5) Initialize(ctx context.Context, req v5.InitializeRequest) (v5.InitializeResponse, error) {
 	log.Default().Info("Initialize called",
 		"req", req)

builtin/logical/database/versioning_large_test.go

@@ -24,7 +24,6 @@ func TestPlugin_lifecycle(t *testing.T) {
 
 	vault.TestAddTestPlugin(t, cluster.Cores[0].Core, "mock-v4-database-plugin", consts.PluginTypeDatabase, "TestBackend_PluginMain_MockV4", []string{}, "")
 	vault.TestAddTestPlugin(t, cluster.Cores[0].Core, "mock-v5-database-plugin", consts.PluginTypeDatabase, "TestBackend_PluginMain_MockV5", []string{}, "")
-	vault.TestAddTestPlugin(t, cluster.Cores[0].Core, "mock-v6-database-plugin-muxed", consts.PluginTypeDatabase, "TestBackend_PluginMain_MockV6Multiplexed", []string{}, "")
 
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}
@@ -262,14 +261,6 @@ func TestBackend_PluginMain_MockV5(t *testing.T) {
 	RunV5()
 }
 
-func TestBackend_PluginMain_MockV6Multiplexed(t *testing.T) {
-	if os.Getenv(pluginutil.PluginVaultVersionEnv) == "" {
-		return
-	}
-
-	RunV6Multiplexed()
-}
-
 func assertNoRespData(t *testing.T, resp *logical.Response) {
 	t.Helper()
 	if resp != nil && len(resp.Data) > 0 {

builtin/logical/pki/path_roles.go

@@ -583,7 +583,6 @@ func (b *backend) pathRoleList(ctx context.Context, req *logical.Request, d *fra
 
 func (b *backend) pathRoleCreate(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
 	var err error
-	var resp *logical.Response
 	name := data.Get("name").(string)
 
 	entry := &roleEntry{
@@ -645,10 +644,6 @@ func (b *backend) pathRoleCreate(ctx context.Context, req *logical.Request, data
 	// no_store implies generate_lease := false
 	if entry.NoStore {
 		*entry.GenerateLease = false
-		if data.Get("generate_lease").(bool) {
-			resp = &logical.Response{}
-			resp.AddWarning("mutually exclusive values no_store=true and generate_lease=true were both specified; no_store=true takes priority")
-		}
 	} else {
 		*entry.GenerateLease = data.Get("generate_lease").(bool)
 	}
@@ -699,7 +694,7 @@ func (b *backend) pathRoleCreate(ctx context.Context, req *logical.Request, data
 		return nil, err
 	}
 
-	return resp, nil
+	return nil, nil
 }
 
 func parseKeyUsages(input []string) int {

changelog/13540.txt

@@ -0,0 +1,4 @@
+```release-note:improvement
+core: Vault now supports the PROXY protocol v2. Support for UNKNOWN connections
+has also been added to the PROXY protocol v1.
+```

changelog/14301.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/kv: add full secret path output to table-formatted responses
+```

changelog/14385.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+core: Systemd unit file included with the Linux packages now sets the service type to notify.
+```

changelog/14422.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+ui: Redirects to managed namespace if incorrect namespace in URL param
+```

changelog/14426.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+identity/oidc: Fixes potential write to readonly storage on performance secondary clusters during key rotation
+```

command/kv_get.go

@@ -158,6 +158,10 @@ func (c *KVGetCommand) Run(args []string) int {
 		tf.printWarnings(c.UI, secret)
 	}
 
+	if v2 {
+		outputPath(c.UI, path, "Secret Path")
+	}
+
 	if metadata, ok := secret.Data["metadata"]; ok && metadata != nil {
 		c.UI.Info(getHeaderForMap("Metadata", metadata.(map[string]interface{})))
 		OutputData(c.UI, metadata)

command/kv_helpers.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/hashicorp/go-secure-stdlib/strutil"
 	"github.com/hashicorp/vault/api"
+	"github.com/mitchellh/cli"
 )
 
 func kvReadRequest(client *api.Client, path string, params map[string]string) (*api.Secret, error) {
@@ -141,6 +142,26 @@ func getHeaderForMap(header string, data map[string]interface{}) string {
 	// 4 for the column spaces and 5 for the len("value")
 	totalLen := maxKey + 4 + 5
 
+	return padEqualSigns(header, totalLen)
+}
+
+func kvParseVersionsFlags(versions []string) []string {
+	versionsOut := make([]string, 0, len(versions))
+	for _, v := range versions {
+		versionsOut = append(versionsOut, strutil.ParseStringSlice(v, ",")...)
+	}
+
+	return versionsOut
+}
+
+func outputPath(ui cli.Ui, path string, title string) {
+	ui.Info(padEqualSigns(title, len(path)))
+	ui.Info(path)
+	ui.Info("")
+}
+
+// Pad the table header with equal signs on each side
+func padEqualSigns(header string, totalLen int) string {
 	equalSigns := totalLen - (len(header) + 2)
 
 	// If we have zero or fewer equal signs bump it back up to two on either
@@ -156,12 +177,3 @@ func getHeaderForMap(header string, data map[string]interface{}) string {
 
 	return fmt.Sprintf("%s %s %s", strings.Repeat("=", equalSigns/2), header, strings.Repeat("=", equalSigns/2))
 }
-
-func kvParseVersionsFlags(versions []string) []string {
-	versionsOut := make([]string, 0, len(versions))
-	for _, v := range versions {
-		versionsOut = append(versionsOut, strutil.ParseStringSlice(v, ",")...)
-	}
-
-	return versionsOut
-}

command/kv_metadata_get.go

@@ -117,6 +117,8 @@ func (c *KVMetadataGetCommand) Run(args []string) int {
 
 	delete(secret.Data, "versions")
 
+	outputPath(c.UI, path, "Metadata Path")
+
 	c.UI.Info(getHeaderForMap("Metadata", secret.Data))
 	OutputSecret(c.UI, secret)
 

command/kv_patch.go

@@ -185,6 +185,13 @@ func (c *KVPatchCommand) Run(args []string) int {
 		return code
 	}
 
+	if Format(c.UI) == "table" {
+		outputPath(c.UI, path, "Secret Path")
+		metadata := secret.Data
+		c.UI.Info(getHeaderForMap("Metadata", metadata))
+		return OutputData(c.UI, metadata)
+	}
+
 	return OutputSecret(c.UI, secret)
 }
 

command/kv_put.go

@@ -161,5 +161,12 @@ func (c *KVPutCommand) Run(args []string) int {
 		return PrintRawField(c.UI, secret, c.flagField)
 	}
 
+	if Format(c.UI) == "table" {
+		outputPath(c.UI, path, "Secret Path")
+		metadata := secret.Data
+		c.UI.Info(getHeaderForMap("Metadata", metadata))
+		return OutputData(c.UI, metadata)
+	}
+
 	return OutputSecret(c.UI, secret)
 }