Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

plugins: Handle mount/enable for shadowed builtins #17879

Merged
merged 42 commits into from
Dec 14, 2022
Merged

plugins: Handle mount/enable for shadowed builtins #17879

merged 42 commits into from
Dec 14, 2022

Conversation

mpalmi
Copy link
Contributor

@mpalmi mpalmi commented Nov 10, 2022
edited
Loading

This PR adds some handling for shadowed builtins (external plugins with the same name/type as a builtin plugin). Also includes some test improvements and a more official coreConfig for the PendingRemoval environment variable.

In an effort to address concerns around post-upgrade unseals, this PR also introduces a more forgiving deprecation handling framework. In the event that Vault is unsealing for the first time (or has never successfully unsealed in the past), we shutdown to prevent drift from the pre-upgrade state. If Vault has already been unsealed with the deprecated entry, we continue to mount the data, but skip the backend initialization. This allows the data to be preserved and gives the operator a chance to remediate any issues on the newer version of Vault.

This resolves VAULT-9372 and VAULT-11863.

Base automatically changed from set-deprecation-status-on-mount to main November 11, 2022 19:51
@mpalmi mpalmi force-pushed the handle-shadowed-builtins branch 4 times, most recently from 6b18d0a to fc7419d Compare November 16, 2022 22:09
@mpalmi mpalmi marked this pull request as ready for review November 16, 2022 22:11
@mpalmi mpalmi requested review from a team November 16, 2022 22:11
@mpalmi mpalmi force-pushed the handle-shadowed-builtins branch 2 times, most recently from 5d67bae to a92ff97 Compare November 18, 2022 14:58
ncabatoff
ncabatoff reviewed Nov 21, 2022
View reviewed changes
sdk/logical/request.go Outdated Show resolved Hide resolved
command/path_map_upgrade_api_test.go Outdated Show resolved Hide resolved
command/path_map_upgrade_api_test.go Outdated Show resolved Hide resolved
command/secrets_enable_test.go Outdated Show resolved Hide resolved
vault/mount.go Outdated Show resolved Hide resolved
tomhjp
tomhjp reviewed Nov 21, 2022
View reviewed changes
Copy link
Contributor

@tomhjp tomhjp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not a full review, just spotted one thing though that looked odd to me

vault/mount.go Outdated Show resolved Hide resolved
@mpalmi mpalmi changed the title Handle shadowed builtins Handle mount/enable for shadowed builtins Nov 29, 2022
@mpalmi mpalmi changed the title Handle mount/enable for shadowed builtins plugins: Handle mount/enable for shadowed builtins Nov 29, 2022
@mpalmi mpalmi force-pushed the handle-shadowed-builtins branch 2 times, most recently from a43dc69 to 3dea37d Compare November 29, 2022 17:09
fairclothjm
fairclothjm reviewed Nov 29, 2022
View reviewed changes
sdk/helper/consts/deprecation_status.go Outdated Show resolved Hide resolved
vault/external_plugin_test.go Outdated Show resolved Hide resolved
vault/testing.go Outdated Show resolved Hide resolved
tomhjp
tomhjp reviewed Dec 1, 2022
View reviewed changes
Copy link
Contributor

@tomhjp tomhjp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One of my comments poses some questions and isn't really actionable feedback. I need to do a bit of hacking around/research, or happy to pair on that bit whenever you're available.

sdk/helper/consts/deprecation_status.go Outdated Show resolved Hide resolved
vault/core.go Show resolved Hide resolved
command/server.go Show resolved Hide resolved
vault/auth.go Outdated Show resolved Hide resolved
vault/logical_system.go Outdated Show resolved Hide resolved
raskchanky
raskchanky reviewed Dec 1, 2022
View reviewed changes
Copy link
Contributor

@raskchanky raskchanky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know enough about plugins to be able to leave a review that's worth much.

@mpalmi mpalmi force-pushed the handle-shadowed-builtins branch 2 times, most recently from 73da5df to d5a5e45 Compare December 6, 2022 17:23
@vercel
Copy link

vercel bot commented Dec 6, 2022
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

1 Ignored Deployment
Name Status Preview Updated
vault ⬜️ Ignored (Inspect) Dec 6, 2022 at 6:21PM (UTC)

mpalmi
mpalmi commented Dec 6, 2022
View reviewed changes
vault/core.go Outdated Show resolved Hide resolved
@mpalmi mpalmi merged commit 82f998f into main Dec 14, 2022
@mpalmi mpalmi deleted the handle-shadowed-builtins branch December 14, 2022 18:06
Merged
divyaac pushed a commit that referenced this pull request Dec 14, 2022
@mpalmi @divyaac
plugins: Handle mount/enable for shadowed builtins (#17879)
86411f9 
* Allow mounting external plugins with same name/type as deprecated builtins
* Add some go tests for deprecation status handling
* Move timestamp storage to post-unseal
* Add upgrade-aware deprecation shutdown and tests
AnPucel pushed a commit that referenced this pull request Jan 14, 2023
@mpalmi @AnPucel
plugins: Handle mount/enable for shadowed builtins (#17879)
0a12a40 
* Allow mounting external plugins with same name/type as deprecated builtins
* Add some go tests for deprecation status handling
* Move timestamp storage to post-unseal
* Add upgrade-aware deprecation shutdown and tests
AnPucel pushed a commit that referenced this pull request Jan 25, 2023
@mpalmi @AnPucel
plugins: Handle mount/enable for shadowed builtins (#17879)
9b5c964 
* Allow mounting external plugins with same name/type as deprecated builtins
* Add some go tests for deprecation status handling
* Move timestamp storage to post-unseal
* Add upgrade-aware deprecation shutdown and tests
AnPucel pushed a commit that referenced this pull request Feb 3, 2023
@mpalmi @AnPucel
plugins: Handle mount/enable for shadowed builtins (#17879)
17e5070 
* Allow mounting external plugins with same name/type as deprecated builtins
* Add some go tests for deprecation status handling
* Move timestamp storage to post-unseal
* Add upgrade-aware deprecation shutdown and tests
jayant07-yb pushed a commit to jayant07-yb/hashicorp-vault-integrations that referenced this pull request Mar 15, 2023
@mpalmi
plugins: Handle mount/enable for shadowed builtins (hashicorp#17879)
35e88ae 
* Allow mounting external plugins with same name/type as deprecated builtins
* Add some go tests for deprecation status handling
* Move timestamp storage to post-unseal
* Add upgrade-aware deprecation shutdown and tests
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@raskchanky raskchanky raskchanky left review comments

@tomhjp tomhjp tomhjp left review comments

@fairclothjm fairclothjm fairclothjm left review comments

@ncabatoff ncabatoff ncabatoff approved these changes

@akshya96 akshya96 Awaiting requested review from akshya96

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@mpalmi @raskchanky @tomhjp @ncabatoff @fairclothjm