Mirror of https://github.com/hashicorp/vault.git (synced 2026-03-28 08:51:47 +01:00)
* vault: lazily materialize external tokens
  Implement stub-first auth flow to avoid token-store writes on read-only requests, materialize only on lease registration, cache materialized token IDs by fingerprint, and add coverage for standby/leader materialization behavior.
* vault: align lazy JWT materialization with main
  Adjust standby materialization behavior to main branch APIs, keep lease-time forwarding conversion, and update enterprise tests to match current standby error paths.
* vault: align jwt lazy materialization follow-ups
  Apply naming and test-practice follow-ups, document cache-size rationale, simplify stub-use gating, and add external JWT e2e/benchmark coverage that measures raft writes for passthrough vs leased flows.
* vault: sanitize jwt lazy materialization logs
* vault: move jwt stub audit labels to ent
* vault: keep ent token type in audit logs
  Remove audit token_type override and jwt_stub audit labeling so enterprise JWT tokens are consistently reported as ent while preserving existing request handling behavior.
* vault: rename unpersisted JWT token state
  Rename IsStub/JwtStub to IsUnpersisted/JwtUnpersisted and switch serialized key to jwt_unpersisted for clearer storage semantics.
* vault: use storage-backed JWT token naming
  Rename JWT token persistence marker to IsStorageBacked/JwtStorageBacked and clarify docs that passthrough JWT requests may never write token state to storage.
* vault: address jwt token materialization regressions
  Fix storage-backed checks for non-ent tokens, materialize JWTs for lookup endpoints, and add lookup-self regression coverage.
* vault: thread perf standby state into jwt materialization
  Pass perf standby state through materializeEnterpriseTokenForLease call sites to avoid unsynchronized state reads in request handling paths.
* test: harden flaky enterprise timing checks
  Increase timing tolerance in flaky CI tests without changing runtime behavior.
* test: document CI timing tolerance in flaky tests
  Add comments clarifying widened waits are for CI scheduling jitter and asynchronous convergence, not behavior changes.
* vault: remove sensitive token logging
  Drop clear-text token value from SSC token MAC mismatch debug logging and keep census test unchanged per request.
* vault: tighten request logging for security scan
  Remove remaining error-derived logging fields in request handling token/JWT revoke paths to satisfy clear-text sensitive logging findings.
* vault: use typed no-rpc-client errors
  Replace string-based no-rpc-client error matching with a dedicated error type and update perf-standby callsites to return it.
* test: harden perf-standby billing race assertions
  Allow early active-node counts up to the number of standby operations before the eventual RPC delivery assertion, to avoid race-only CI flakes without changing behavior.
* revert: undo billing test race assertion changes
  Revert the prior billing test hardening commit per user request to keep billing tests unchanged in PR #12909.
* vault: restore fetchCeilingPolicies after rebase
  Re-add the enterprise fetchCeilingPolicies method from main that was dropped during rebase conflict resolution, fixing build failure in request_handling.go.
* vault: materialize JWT tokens for cubbyhole requests
  Ensure enterprise JWT tokens are materialized for cubbyhole paths in addition to token lookup endpoints, preserving expected persisted token-entry behavior for cubbyhole-backed request flows and token-entry JWT tests.
* vault: restore JWT token headers on perf-standby forward
* tests: fix jwt passthrough profile setup
* vault: clarify forwarding helper docs
* vault: cover jwt standby token endpoint behavior
* vault: remove enterprise JWT wording in comments
* vault: preserve materialized token request identity
* vault: stabilize external JWT readonly raft assertion
* vault: address PR 12909 review feedback
* tests: remove redundant NewTestCluster lifecycle calls
* vault: sanitize request handling token error logs
* vault: remove sensitive error fields in ent token cleanup logs
* vault: restore IsJWT wording
* vault: migrate jwt materialization tests to NewTestCluster
* tests: skip external jwt benchmark in CI
* Run make fmt
* Address PR review feedback
* Remove benchmark CI skip
* Move JWT materialization tests to external suite

---------

Co-authored-by: Bianca <48203644+biazmoreira@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Vault Agent
Vault Agent is a client daemon that provides Auto-Auth, Caching, and Template features.
Vault Agent provides a number of helper features that address the following challenges for applications that need Vault secrets:
- Automatic authentication
- Secure delivery/storage of tokens
- Lifecycle management of these tokens (renewal & re-authentication)
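The configuration below is an added example, not a file from the Vault repository, showing how the three features above fit together in one agent config: Auto-Auth logs in with the AppRole method, the file sink delivers the resulting token response-wrapped and with restrictive permissions, the agent keeps the token renewed and re-authenticates when it expires, and the cache and template stanzas consume that token on the application's behalf. The Vault address, mount path, file paths and the template source are assumptions for illustration.

```hcl
# Example Vault Agent configuration (added illustration; all paths and the
# server address are assumptions, not values from the Vault repository).
pid_file = "/run/vault-agent/agent.pid"

vault {
  address = "https://vault.example.com:8200"
}

# Automatic authentication: the agent logs in on startup, renews the token
# while it is renewable, and re-authenticates when renewal is no longer
# possible, so the application never handles long-lived credentials itself.
auto_auth {
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path   = "/etc/vault-agent/role_id"
      secret_id_file_path = "/etc/vault-agent/secret_id"
      # The secret_id is a one-shot bootstrap credential delivered by an
      # orchestrator; delete it once consumed so it does not linger on disk.
      remove_secret_id_file_after_reading = true
    }
  }

  # Secure delivery/storage: the sink writes a response-wrapped token
  # (valid for 5 minutes and unwrappable exactly once) with owner/group-only
  # permissions, so a raw Vault token never sits in the file at rest.
  sink "file" {
    wrap_ttl = "5m"
    config = {
      path = "/run/vault-agent/token"
      mode = 0640
    }
  }
}

# Caching: local applications talk to the agent on loopback; the agent
# attaches the auto-auth token and caches leased responses.
cache {
  use_auto_auth_token = true
}

listener "tcp" {
  address     = "127.0.0.1:8100"
  tls_disable = true # loopback only; do not expose this listener off-host
}

# Template: render a secret to disk with the auto-auth token and tell the
# application to reload when the rendered file changes.
template {
  source      = "/etc/vault-agent/db.ctmpl"
  destination = "/run/vault-agent/db.json"
  perms       = 0640
  command     = "systemctl reload app.service"
}
```

Run it with `vault agent -config=/etc/vault-agent/agent.hcl`. Because the sink sets `wrap_ttl`, the consumer must unwrap the file's contents (`vault unwrap` or the `sys/wrapping/unwrap` endpoint) to obtain the real token, and a failed unwrap is a signal that someone else has already read it.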
See the usage documentation on the Vault website here: