mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-18 12:37:02 +02:00
2db2a9fb5d
* Track the last PKI auto-tidy time ran for use across nodes - If the interval time for auto-tidy is longer then say a regularly scheduled restart of Vault, auto-tidy is never run. This is due to the time of the last run of tidy is only kept in memory and initialized on startup to the current time - Store the last run of any tidy, to maintain previous behavior, to a cluster local file, which is read in/initialized upon a mount initialization. * Add auto-tidy configuration fields for backing off at startup * Add new auto-tidy fields to UI * Update api docs for auto-tidy * Add cl * Update field description text * Apply Claire's suggestions from code review Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com> * Implementing PR feedback from the UI team * remove explicit defaults and types so we retrieve from backend, decouple enabling auto tidy from duration, move params to auto settings section --------- Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com> Co-authored-by: claire bontempo <cbontempo@hashicorp.com>
201 lines
5.9 KiB
JavaScript
201 lines
5.9 KiB
JavaScript
/**
|
|
* Copyright (c) HashiCorp, Inc.
|
|
* SPDX-License-Identifier: BUSL-1.1
|
|
*/
|
|
|
|
import Model, { attr } from '@ember-data/model';
|
|
import { service } from '@ember/service';
|
|
import { withExpandedAttributes } from 'vault/decorators/model-expanded-attributes';
|
|
|
|
@withExpandedAttributes()
|
|
export default class PkiTidyModel extends Model {
|
|
// the backend mount is the model id, only one pki/tidy model will ever persist (the auto-tidy config)
|
|
@service version;
|
|
|
|
@attr({
|
|
label: 'Tidy ACME enabled',
|
|
labelDisabled: 'Tidy ACME disabled',
|
|
mapToBoolean: 'tidyAcme',
|
|
helperTextDisabled: 'Tidying of ACME accounts, orders and authorizations is disabled.',
|
|
helperTextEnabled:
|
|
'The amount of time that must pass after creation that an account with no orders is marked revoked, and the amount of time after being marked revoked or deactivated.',
|
|
detailsLabel: 'ACME account safety buffer',
|
|
formatTtl: true,
|
|
defaultValue: '720h',
|
|
})
|
|
acmeAccountSafetyBuffer;
|
|
|
|
@attr('boolean', {
|
|
label: 'Tidy ACME',
|
|
defaultValue: false,
|
|
})
|
|
tidyAcme;
|
|
|
|
// * auto tidy only fields
|
|
@attr('boolean', {
|
|
label: 'Automatic tidy enabled',
|
|
labelDisabled: 'Automatic tidy disabled',
|
|
helperTextDisabled: 'Automatic tidy operations will not run.',
|
|
})
|
|
enabled; // renders outside FormField loop as a toggle, auto tidy fields only render if enabled
|
|
|
|
@attr({
|
|
editType: 'ttl',
|
|
helperTextEnabled:
|
|
'Sets the interval_duration between automatic tidy operations; note that this is from the end of one operation to the start of the next.',
|
|
hideToggle: true,
|
|
formatTtl: true,
|
|
})
|
|
intervalDuration;
|
|
|
|
@attr({
|
|
label: 'Minimum startup backoff duration',
|
|
editType: 'ttl',
|
|
helperTextEnabled:
|
|
'Sets the min_startup_backoff_duration field which forces the minimum delay after Vault startup auto-tidy can run.',
|
|
hideToggle: true,
|
|
formatTtl: true,
|
|
})
|
|
minStartupBackoffDuration;
|
|
|
|
@attr({
|
|
label: 'Maximum startup backoff duration',
|
|
editType: 'ttl',
|
|
helperTextEnabled:
|
|
'Sets the max_startup_backoff_duration field which forces the maximum delay after Vault startup auto-tidy can run.',
|
|
hideToggle: true,
|
|
formatTtl: true,
|
|
})
|
|
maxStartupBackoffDuration;
|
|
// * end of auto-tidy only fields
|
|
|
|
@attr({
|
|
editType: 'ttl',
|
|
helperTextEnabled:
|
|
'Specifies a duration that issuers should be kept for, past their NotAfter validity period. Defaults to 365 days (8760 hours).',
|
|
hideToggle: true,
|
|
formatTtl: true,
|
|
})
|
|
issuerSafetyBuffer;
|
|
|
|
@attr('string', {
|
|
editType: 'ttl',
|
|
helperTextEnabled:
|
|
'Specifies the duration to pause between tidying individual certificates. This releases the revocation lock and allows other operations to continue while tidy is running.',
|
|
hideToggle: true,
|
|
formatTtl: true,
|
|
})
|
|
pauseDuration;
|
|
|
|
@attr('string', {
|
|
editType: 'ttl',
|
|
helperTextEnabled:
|
|
'Specifies a duration after which cross-cluster revocation requests will be removed as expired.',
|
|
hideToggle: true,
|
|
formatTtl: true,
|
|
})
|
|
revocationQueueSafetyBuffer; // enterprise only
|
|
|
|
@attr({
|
|
editType: 'ttl',
|
|
helperTextEnabled:
|
|
'For a certificate to be expunged, the time must be after the expiration time of the certificate (according to the local clock) plus the safety buffer. Defaults to 72 hours.',
|
|
hideToggle: true,
|
|
formatTtl: true,
|
|
})
|
|
safetyBuffer;
|
|
|
|
@attr('boolean', { label: 'Tidy the certificate store' })
|
|
tidyCertStore;
|
|
|
|
@attr('boolean')
|
|
tidyCertMetadata;
|
|
|
|
@attr('boolean', {
|
|
label: 'Tidy cross-cluster revoked certificates',
|
|
subText: 'Remove expired, cross-cluster revocation entries.',
|
|
})
|
|
tidyCrossClusterRevokedCerts; // enterprise only
|
|
|
|
@attr('boolean', {
|
|
label: 'Tidy CMPv2 nonce store',
|
|
})
|
|
tidyCmpv2NonceStore; // enterprise only
|
|
|
|
@attr('boolean', {
|
|
subText: 'Automatically remove expired issuers after the issuer safety buffer duration has elapsed.',
|
|
})
|
|
tidyExpiredIssuers;
|
|
|
|
@attr('boolean', {
|
|
label: 'Tidy legacy CA bundle',
|
|
subText:
|
|
'Backup any legacy CA/issuers bundle (from Vault versions earlier than 1.11) to config/ca_bundle.bak. Migration will only occur after issuer safety buffer has passed.',
|
|
})
|
|
tidyMoveLegacyCaBundle;
|
|
|
|
@attr('boolean', {
|
|
label: 'Tidy cross-cluster revocation requests',
|
|
})
|
|
tidyRevocationQueue; // enterprise only
|
|
|
|
@attr('boolean', {
|
|
label: 'Tidy revoked certificate issuer associations',
|
|
})
|
|
tidyRevokedCertIssuerAssociations;
|
|
|
|
@attr('boolean', {
|
|
label: 'Tidy revoked certificates',
|
|
subText: 'Remove all invalid and expired certificates from storage.',
|
|
})
|
|
tidyRevokedCerts;
|
|
|
|
get allGroups() {
|
|
const groups = [{ autoTidy: ['enabled', ...this.autoTidyConfigFields] }, ...this.sharedFields];
|
|
return this._expandGroups(groups);
|
|
}
|
|
|
|
// fields that are specific to auto-tidy
|
|
get autoTidyConfigFields() {
|
|
// 'enabled' is not included here because it is responsible for hiding/showing these params and renders separately in the form
|
|
return ['intervalDuration', 'minStartupBackoffDuration', 'maxStartupBackoffDuration'];
|
|
}
|
|
|
|
// shared between auto and manual tidy operations
|
|
get sharedFields() {
|
|
const groups = [
|
|
{
|
|
'Universal operations': [
|
|
'tidyCertStore',
|
|
'tidyCertMetadata',
|
|
'tidyRevokedCerts',
|
|
'tidyRevokedCertIssuerAssociations',
|
|
'safetyBuffer',
|
|
'pauseDuration',
|
|
],
|
|
},
|
|
{
|
|
'ACME operations': ['tidyAcme', 'acmeAccountSafetyBuffer'],
|
|
},
|
|
{
|
|
'Issuer operations': ['tidyExpiredIssuers', 'tidyMoveLegacyCaBundle', 'issuerSafetyBuffer'],
|
|
},
|
|
];
|
|
if (this.version.isEnterprise) {
|
|
groups.push({
|
|
'Cross-cluster operations': [
|
|
'tidyRevocationQueue',
|
|
'tidyCrossClusterRevokedCerts',
|
|
'tidyCmpv2NonceStore',
|
|
'revocationQueueSafetyBuffer',
|
|
],
|
|
});
|
|
}
|
|
return groups;
|
|
}
|
|
|
|
get formFieldGroups() {
|
|
return this._expandGroups(this.sharedFields);
|
|
}
|
|
}
|