
identity: skip oidc default key generation on read-only storage error for local mounts #25265

Merged: 4 commits from warn-default-keygen-local-mount into main, Feb 7, 2024

Conversation

austingebauer
Contributor

This PR fixes enterprise tests that were encountering read-only storage errors for local-only mounts. The local-only mounts were trying to generate the OIDC default key which involves a storage write. We will simply log a warning and allow the local-only mount to be created for now.

This approach has an edge case where plugin workload identity would not work if:

  • The local-only mount was the first mount ever enabled in Vault
  • No identity token roles have been created
  • No OIDC provider clients have been created

I'm going to think on a better solution for this. In the meantime, this PR fixes the tests.
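As an added illustration of the behaviour the description above lays out (this is example code written for this page, not code from the PR or from Vault), the following Go program models mount creation against a storage backend that can be read-only. The `Storage` interface, the in-memory `memStorage`, the `ErrReadOnly` sentinel, the `oidc/key/default` path and the placeholder key material are all assumptions made for the example. It shows the decision the PR describes (a read-only error during default key generation is only tolerated, with a warning, when the mount is local) and the edge case that leaves the default key absent afterwards.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"os"
)

// ErrReadOnly stands in for the sentinel a storage backend returns when it
// cannot accept writes. Assumed for this example, not Vault's own definition.
var ErrReadOnly = errors.New("cannot write to readonly storage")

// Storage is a minimal key/value store, assumed for this example.
type Storage interface {
	Get(key string) ([]byte, error)
	Put(key string, value []byte) error
}

// memStorage is an in-memory Storage that can be switched into read-only mode.
type memStorage struct {
	data     map[string][]byte
	readOnly bool
}

func newMemStorage(readOnly bool) *memStorage {
	return &memStorage{data: map[string][]byte{}, readOnly: readOnly}
}

func (m *memStorage) Get(key string) ([]byte, error) { return m.data[key], nil }

func (m *memStorage) Put(key string, value []byte) error {
	if m.readOnly {
		return ErrReadOnly
	}
	m.data[key] = value
	return nil
}

// defaultKeyPath is an assumed storage path for the OIDC default key.
const defaultKeyPath = "oidc/key/default"

// hasDefaultKey reports whether the default key has been generated yet.
func hasDefaultKey(s Storage) bool {
	v, err := s.Get(defaultKeyPath)
	return err == nil && v != nil
}

// ensureDefaultKey creates the OIDC default key if it is missing. Real key
// generation is replaced by constructed placeholder bytes.
func ensureDefaultKey(s Storage) error {
	if hasDefaultKey(s) {
		return nil
	}
	return s.Put(defaultKeyPath, []byte("placeholder-key-material"))
}

// enableMount mirrors the PR's decision: a read-only storage error while
// generating the default key is tolerated (warning logged, keygen skipped)
// only for a local mount; any other error, or the same error for a
// non-local mount, aborts mount creation. It returns whether keygen was skipped.
func enableMount(s Storage, local bool, logger *log.Logger) (skippedKeygen bool, err error) {
	err = ensureDefaultKey(s)
	switch {
	case err == nil:
		return false, nil
	case errors.Is(err, ErrReadOnly) && local:
		logger.Printf("warning: skipping OIDC default key generation on read-only storage for local mount")
		return true, nil
	default:
		return false, fmt.Errorf("enabling mount: %w", err)
	}
}

func main() {
	logger := log.New(os.Stderr, "", 0)

	// Writable storage: the key is generated as part of enabling the mount.
	rw := newMemStorage(false)
	skipped, err := enableMount(rw, false, logger)
	fmt.Println("writable:", skipped, err, hasDefaultKey(rw))

	// Read-only storage, local mount: mount succeeds, but no default key exists,
	// which is the edge case the PR description lists.
	ro := newMemStorage(true)
	skipped, err = enableMount(ro, true, logger)
	fmt.Println("read-only local:", skipped, err, hasDefaultKey(ro))

	// Read-only storage, non-local mount: the error is propagated.
	_, err = enableMount(newMemStorage(true), false, logger)
	fmt.Println("read-only non-local:", err)
}
```

The `errors.Is` check is what lets the read-only case be handled immediately and distinctly from other storage failures, while the `local` flag keeps the warning path from hiding write failures on mounts that are expected to replicate.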

@austingebauer austingebauer added this to the 1.16.0-rc1 milestone Feb 7, 2024
@austingebauer austingebauer requested review from tomhjp and a team February 7, 2024 18:27
@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Feb 7, 2024
github-actions bot commented Feb 7, 2024

CI Results:
Failures:

Test Type   Package   Test                             Logs
race        vault     TestOIDC_PeriodicFunc            view test results
race        vault     TestOIDC_PeriodicFunc/test-key   view test results

github-actions bot commented Feb 7, 2024

Build Results:
All builds succeeded! ✅

@austingebauer austingebauer changed the title identity: skip oidc default key generation on read-only storage error identity: skip oidc default key generation on read-only storage error for local mounts Feb 7, 2024
@austingebauer austingebauer merged commit c27e1d3 into main Feb 7, 2024
81 of 83 checks passed
@austingebauer austingebauer deleted the warn-default-keygen-local-mount branch February 7, 2024 21:01
@tomhjp
Contributor

tomhjp commented Feb 8, 2024

Thanks for the fix. For my 2c, that edge case is obscure enough and we can detect it well enough to simply tell the user they need to go and do something on the primary cluster before they can continue. Ideally it would be nice to have a dedicated endpoint to tell them to hit for that purpose so that they can do something with no additional side effects.

Monkeychip pushed a commit that referenced this pull request Feb 12, 2024
… for local mounts (#25265)

* identity: skip oidc default key generation on read-only storage error

* fix logic error

* only log warning if local mount

* handle ErrReadOnly immediately
Labels: hashicorp-contributed-pr, pr/no-changelog