Jeff Mitchell
e20eaea59f
Force dev on when dev-ha is on
2016-08-19 08:29:34 -04:00
Jeff Mitchell
ed48b008ce
Provide base64 keys in addition to hex encoded. (#1734)
* Provide base64 keys in addition to hex encoded.
Accept these at unseal/rekey time.
Also fix a bug where backup would not be honored when doing a rekey with
no operation currently ongoing.
2016-08-15 16:01:15 -04:00
Jeff Mitchell
645540012f
Request forwarding (#1721)
Add request forwarding.
2016-08-15 09:42:42 -04:00
Jeff Mitchell
32b39e808b
Close the shutdown channel instead of sending a value down
2016-08-01 11:58:45 -04:00
vishalnayak
577cd9de35
Address review feedback
2016-08-01 11:15:25 -04:00
vishalnayak
5318130ba2
Make the defer statement of waitgroup to execute last
2016-08-01 10:24:27 -04:00
vishalnayak
461c30969e
Sharing shutdown message with physical consul backend
2016-07-31 10:09:16 -04:00
vishalnayak
13c4bbf9d7
Add waitgroup wait to allow physical consul to deregister checks
2016-07-30 13:17:29 -04:00
vishalnayak
e5c61509d6
Remove global name/id. Make only cluster name configurable.
2016-07-26 10:01:35 -04:00
vishalnayak
55cf44bc91
Storing local and global cluster name/id to storage and returning them in health status
2016-07-26 02:32:42 -04:00
matt maier
a1b50427f2
Circonus integration for telemetry metrics
2016-07-22 15:49:23 -04:00
Jeff Mitchell
a347917044
Turn off DynamoDB HA by default.
The semantics are wonky and have caused issues from people not reading
docs. It can be enabled but by default is off.
2016-07-18 13:19:58 -04:00
Bill Monkman
64d72672ff
#1486: Fixed sealed and leader checks for consul backend
2016-06-03 16:00:31 -07:00
Jeff Mitchell
d32283ba49
Initial Atlas listener implementation
2016-06-02 14:05:47 -04:00
vishalnayak
cbf7ccb73d
Prioritize dev flags over its env vars
2016-06-01 12:21:29 -04:00
Jeff Mitchell
17d02aa46e
Merge branch 'master-oss' into f-vault-service
2016-05-04 17:20:00 -04:00
Jeff Mitchell
4268158c82
Properly handle sigint/hup
2016-05-03 14:30:58 -04:00
Jeff Mitchell
b5b8ac8686
Ensure seal finalizing happens even when using verify-only
2016-04-28 14:06:05 -04:00
Sean Chittenden
eedd7f0c39
Change the interface of ServiceDiscovery
Instead of passing state, signal that the state has changed and provide a callback handler that can query Core.
2016-04-28 11:05:18 -07:00
Sean Chittenden
455b76828f
Add a *log.Logger argument to physical.Factory
Logging in the backend is a good thing. This is a noisy interface change but should be a functional noop.
2016-04-25 20:10:32 -07:00
Sean Chittenden
9647f2e067
Collapse UpdateAdvertiseAddr() into RunServiceDiscovery()
2016-04-25 18:01:13 -07:00
Sean Chittenden
53dd43650e
Various refactoring to clean up code organization
Brought to you by: Dept of 2nd thoughts before pushing enter on `git push`
2016-04-25 18:01:13 -07:00
Sean Chittenden
c0bbeba5ad
Teach Vault how to register with Consul
Vault will now register itself with Consul. The active node can be found using `active.vault.service.consul`. All standby vaults are available via `standby.vault.service.consul`. All unsealed vaults are considered healthy and available via `vault.service.consul`. Change in status and registration is event driven and should happen at the speed of a write to Consul (~network RTT + ~1x fsync(2)).
Healthy/active:
```
curl -X GET 'http://127.0.0.1:8500/v1/health/service/vault?pretty' && echo;
[
    {
        "Node": {
            "Node": "vm1",
            "Address": "127.0.0.1",
            "TaggedAddresses": {
                "wan": "127.0.0.1"
            },
            "CreateIndex": 3,
            "ModifyIndex": 20
        },
        "Service": {
            "ID": "vault:127.0.0.1:8200",
            "Service": "vault",
            "Tags": [
                "active"
            ],
            "Address": "127.0.0.1",
            "Port": 8200,
            "EnableTagOverride": false,
            "CreateIndex": 17,
            "ModifyIndex": 20
        },
        "Checks": [
            {
                "Node": "vm1",
                "CheckID": "serfHealth",
                "Name": "Serf Health Status",
                "Status": "passing",
                "Notes": "",
                "Output": "Agent alive and reachable",
                "ServiceID": "",
                "ServiceName": "",
                "CreateIndex": 3,
                "ModifyIndex": 3
            },
            {
                "Node": "vm1",
                "CheckID": "vault-sealed-check",
                "Name": "Vault Sealed Status",
                "Status": "passing",
                "Notes": "Vault service is healthy when Vault is in an unsealed status and can become an active Vault server",
                "Output": "",
                "ServiceID": "vault:127.0.0.1:8200",
                "ServiceName": "vault",
                "CreateIndex": 19,
                "ModifyIndex": 19
            }
        ]
    }
]
```
Healthy/standby:
```
[snip]
        "Service": {
            "ID": "vault:127.0.0.2:8200",
            "Service": "vault",
            "Tags": [
                "standby"
            ],
            "Address": "127.0.0.2",
            "Port": 8200,
            "EnableTagOverride": false,
            "CreateIndex": 17,
            "ModifyIndex": 20
        },
        "Checks": [
            {
                "Node": "vm2",
                "CheckID": "serfHealth",
                "Name": "Serf Health Status",
                "Status": "passing",
                "Notes": "",
                "Output": "Agent alive and reachable",
                "ServiceID": "",
                "ServiceName": "",
                "CreateIndex": 3,
                "ModifyIndex": 3
            },
            {
                "Node": "vm2",
                "CheckID": "vault-sealed-check",
                "Name": "Vault Sealed Status",
                "Status": "passing",
                "Notes": "Vault service is healthy when Vault is in an unsealed status and can become an active Vault server",
                "Output": "",
                "ServiceID": "vault:127.0.0.2:8200",
                "ServiceName": "vault",
                "CreateIndex": 19,
                "ModifyIndex": 19
            }
        ]
    }
]
```
Sealed:
```
        "Checks": [
            {
                "Node": "vm2",
                "CheckID": "serfHealth",
                "Name": "Serf Health Status",
                "Status": "passing",
                "Notes": "",
                "Output": "Agent alive and reachable",
                "ServiceID": "",
                "ServiceName": "",
                "CreateIndex": 3,
                "ModifyIndex": 3
            },
            {
                "Node": "vm2",
                "CheckID": "vault-sealed-check",
                "Name": "Vault Sealed Status",
                "Status": "critical",
                "Notes": "Vault service is healthy when Vault is in an unsealed status and can become an active Vault server",
                "Output": "Vault Sealed",
                "ServiceID": "vault:127.0.0.2:8200",
                "ServiceName": "vault",
                "CreateIndex": 19,
                "ModifyIndex": 38
            }
        ]
```
2016-04-25 18:01:13 -07:00
Sean Chittenden
bd5305e470
Stub out service discovery functionality
Hook asynchronous notifications into Core to change the status of vault based on its active/standby, and sealed/unsealed status.
2016-04-25 18:00:54 -07:00
Sean Chittenden
f2dc2f636e
Comment nits
2016-04-25 18:00:54 -07:00
Sean Chittenden
bc570e74f3
Fix SIGINT handling.
No signal handler was set up to receive SIGINT. I didn't investigate to
see if signal(2) mask was set up (ala `SIG_IGN`) or if sigprocmask(2) is
being used, but in either case, the correct behavior is to capture and
treat SIGINT the same as SIGTERM. At some point in the future these two
signals may affect the running process differently, but we will clarify
that difference in the future.
2016-04-15 10:03:22 -07:00
Jeff Mitchell
94d6b3ce94
Add Finalize method to seal.
2016-04-14 20:37:34 +00:00
Jeff Mitchell
d273a051c7
Check for seal status when initing and change logic order to avoid defer
2016-04-14 01:13:59 +00:00
Sean Chittenden
ffe34bf375
Reinstall the mlockall(2) command
Requested by: jefferai
2016-04-05 13:58:26 -07:00
Sean Chittenden
a199547ffc
Unconditionally warn on systems w/o mlock support
If someone begins using Vault on Windows in dev mode, always hint so that this isn't a surprise when they get to production.
2016-04-05 12:32:53 -07:00
Jeff Mitchell
f59cb0c501
Sync some seal stuff
2016-04-04 13:46:33 -04:00
Jeff Mitchell
ab93e3aa63
SealInterface
2016-04-04 10:44:22 -04:00
Jeff Mitchell
16c8f0b5ad
Remove config from Meta; it's only used right now with the token helper.
2016-04-01 16:02:18 -04:00
Jeff Mitchell
48da40964c
Move token helper out of meta
2016-04-01 14:23:15 -04:00
Jeff Mitchell
33326b30c3
Move meta into its own package
2016-04-01 13:16:05 -04:00
Jeff Mitchell
61a4f4a6a2
Sort infokeys on startup and add more padding
2016-03-30 12:31:47 -04:00
Pradeep Chhetri
f86c98bca8
Fix Typo
2016-03-18 14:06:49 +00:00
Jeff Mitchell
3a878c3dc4
Add test for listener reloading, and update website docs.
2016-03-14 14:05:47 -04:00
Jeff Mitchell
0c56385d59
Properly scope config objects for reloading
2016-03-14 11:18:02 -04:00
Jeff Mitchell
14f538556e
Don't generate an ID; use address for the ID. Generally speaking we'll need to sane against what's in the config
2016-03-11 17:28:03 -05:00
Jeff Mitchell
92088f06e4
For not shutdown triggered...
2016-03-11 17:01:26 -05:00
Jeff Mitchell
9f2f5b1c61
Retool to have reloading logic run in command/server
2016-03-11 16:47:03 -05:00
Jeff Mitchell
7e52796aae
Add reload capability for Vault listener certs. No tests (other than manual) yet, and no documentation yet.
2016-03-11 14:05:52 -05:00
Jeff Mitchell
67b8eab204
Update help text exporting dev mode listen address.
Ping #1160
2016-03-03 18:10:14 -05:00
Jeff Mitchell
00721af2c1
Add the ability to specify dev mode address via CLI flag and envvar.
Fixes #1160
2016-03-03 10:48:52 -05:00
Jeff Mitchell
a05ea4720c
Add ability to control dev root token id with VAULT_DEV_ROOT_TOKEN_ID env var, and change the CLI flag to match.
Ping #1160
2016-03-03 10:24:44 -05:00
Jeff Mitchell
c19641887d
Allow specifying an initial root token ID in dev mode.
Ping #1160
2016-03-02 12:03:26 -05:00
Ryan Hileman
a2565836ac
don't panic when config directory is empty
2016-02-12 16:40:19 -08:00
Jeff Mitchell
2cf9afe5d6
Add test for HA availability to command/server
2016-02-02 17:47:02 -05:00
Jeff Mitchell
dcb6901593
remove unneeded assignment
2016-02-02 15:11:35 -05:00
Jeff Mitchell
92c276369d
Ensure that we fall back to Backend if HABackend is not specified.
2016-02-02 15:09:58 -05:00
James Tancock
6ab184596f
Docs typo in server command
2016-01-28 08:26:49 +00:00
Jeff Mitchell
5f49615fc1
Remove some outdated comments
2015-12-30 21:00:27 -05:00
Wim
fb92a7a802
Fix ipv6 address advertisement
2015-12-22 21:40:36 +01:00
Jeff Mitchell
88f05bec4d
Move telemetry metrics up to fix one possible race, but deeper problems in go-metrics can't be solved with this
2015-12-17 16:38:17 -05:00
Jeff Mitchell
d7cb3c9f94
Allow setting the advertise address via an environment variable.
Fixes #581
2015-12-14 21:22:55 -05:00
Jeff Mitchell
6e46e56b21
Ensure advertise address detection runs without a specified HA backend
Ping #840
2015-12-14 21:13:27 -05:00
Jeff Mitchell
b1f815d7f8
Address review feedback
2015-12-14 17:58:30 -05:00
Jeff Mitchell
4f51b6e3c9
Allow separate HA physical backend.
With no separate backend specified, HA will be attempted on the normal
physical backend.
Fixes #395.
2015-12-14 07:59:58 -05:00
Jeff Mitchell
904e1ee600
Print version on startup.
Fixes #765
2015-11-09 13:52:55 -05:00
Jeff Mitchell
40486da446
Fix cache disabling
2015-10-28 13:05:56 -04:00
voutasaurus
fbf21b5f2d
Modifies documentation in output of vault server -dev
Environment variable setting is different in windows
2015-10-22 00:48:46 -07:00
hendrenj
2925912b6b
improve documentation for available log levels
2015-09-16 11:01:33 -06:00
Jeff Mitchell
4c5c82e6f7
Rename config lease_duration parameters to lease_ttl in line with current standardization efforts
2015-08-27 07:50:24 -07:00
Karl Gutwin
1a673ddc0a
PR review updates
2015-07-30 13:21:41 -04:00
Karl Gutwin
a87af4e863
Add configuration options for default lease duration and max lease duration.
2015-07-30 09:42:49 -04:00
Nate Brown
8f666b8e60
Telemetry object in config
2015-07-14 15:36:28 -07:00
Nate Brown
693f529ae7
Disable hostname prefix for runtime telemetry
2015-07-13 13:17:57 -07:00
Armon Dadgar
57d1230e6c
command/server: fixing output weirdness
2015-06-18 13:48:18 -07:00
Armon Dadgar
70ee1866ca
server: graceful shutdown for fast failover. Fixes #308
2015-06-17 18:24:56 -07:00
Seth Vargo
669686f654
Merge pull request #270 from sheldonh/no_export_vault_token
Don't recommend exporting VAULT_TOKEN
2015-06-01 11:52:40 -04:00
Steven De Coeyer
fc2400698a
Add help info for -dev flag
2015-05-31 18:05:15 +02:00
Sheldon Hearn
c2390f2a29
Don't recommend exporting VAULT_TOKEN
It's not needed by the dev server (which writes ~/.vault-token),
and breaks the Getting Started guide (e.g. #267).
2015-05-28 14:39:35 +02:00
Armon Dadgar
b474fa6dc5
server: Minor copy change
2015-05-20 17:49:16 -07:00
David Wittman
792e3a26f4
Fail gracefully if a phys backend is not supplied
2015-05-18 22:55:12 -05:00
Seth Vargo
c47ecbc9d3
Use strconv.ParseBool
2015-05-15 16:41:30 -04:00
Seth Vargo
5c93047642
Explicitly check if tls_disable == 1
2015-05-15 16:39:30 -04:00
Seth Vargo
f916e112c9
Make the VAULT_TOKEN and VAULT_ADDR copy-pastable in dev mode
This allows someone to quickly start a dev mode server and hit the ground
running without the need to copy-paste twice.
2015-05-07 18:32:40 -04:00
Armon Dadgar
942e0ecf7d
command/server: Attempt advertise address detection
2015-05-02 15:57:40 -07:00
Mitchell Hashimoto
a0376a20f0
command/server: disable mlock in dev mode
2015-04-28 15:11:39 -07:00
Mitchell Hashimoto
4d51d0f0f4
command/server: allow disabling mlock
2015-04-28 15:09:30 -07:00
Mitchell Hashimoto
e3c9a4cf4c
command/server: warning if no mlock
2015-04-28 15:04:40 -07:00
Matt Haggard
6185fe119a
Update server.go
Did you mean "talking?" Or something else?
2015-04-28 14:01:45 -06:00
Armon Dadgar
0bf96348dc
command/server: Catch error from core initialization. Fixes #42
2015-04-27 21:29:40 -07:00
Mitchell Hashimoto
bac7049996
command/server: can set advertise addr
2015-04-17 12:56:31 -07:00
Mitchell Hashimoto
b5fbc293b3
command/server: not HA possibilities when starting
2015-04-17 12:56:31 -07:00
Armon Dadgar
b25125f167
command/server: Enable telemetry. cc: @mitchellh
2015-04-14 18:44:09 -07:00
Mitchell Hashimoto
8f85830497
command/server: env var for dev mode
2015-04-06 10:28:17 -07:00
Mitchell Hashimoto
2b12d51d70
builtin/audit: add file audit
2015-04-04 18:10:25 -07:00
Mitchell Hashimoto
d446659956
command/server: log levels
2015-04-04 12:11:10 -07:00
Mitchell Hashimoto
a196d194a1
command/server: cleaner output
2015-04-04 12:06:41 -07:00
Mitchell Hashimoto
515bd7b75b
command/server: support CredentialBackends
2015-04-01 15:48:13 -07:00
Mitchell Hashimoto
9198a6687a
command/server: dev mode
2015-03-31 16:44:47 -07:00
Mitchell Hashimoto
ac8570c809
main: enable AWS backend
2015-03-20 19:32:18 +01:00
Mitchell Hashimoto
fcc6646a19
command/server: initial working
2015-03-13 12:53:08 -07:00
Mitchell Hashimoto
279a1b13d6
command/server: load config from flags
2015-03-12 15:30:07 -07:00
Mitchell Hashimoto
2bbd5fa66e
command/server: add config loading
2015-03-12 15:21:11 -07:00