
Physical azure take mi client#1

Draft
kunmin-db wants to merge 607 commits into main from physical-azure-take-mi-client-id

Conversation

@kunmin-db
Owner

Description

What does this PR do?

TODO only if you're a HashiCorp employee

  • Labels: If this PR is the CE portion of an ENT change, and that ENT change is
    getting backported to N-2, use the new style backport/ent/x.x.x+ent labels
    instead of the old style backport/x.x.x labels.
  • Labels: If this PR is a CE only change, it can only be backported to N, so use
    the normal backport/x.x.x label (there should be only 1).
  • ENT Breakage: If this PR either 1) removes a public function OR 2) changes the signature
    of a public function, even if that change is in a CE file, double check that
    applying the patch for this PR to the ENT repo and running tests doesn't
    break any tests. Sometimes ENT only tests rely on public functions in CE
    files.
  • Jira: If this change has an associated Jira, it's referenced either
    in the PR description, commit message, or branch name.
  • RFC: If this change has an associated RFC, please link it in the description.
  • ENT PR: If this change has an associated ENT PR, please link it in the
    description. Also, make sure the changelog is in this PR, not in your ENT PR.

Co-authored-by: Niklas Rosencrantz <niklasr@protonmail.com>
Co-authored-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: xka5h <74259424+xka5h@users.noreply.github.com>
Co-authored-by: Ryan Cragun <me@ryan.ec>
…release/1.14.x (hashicorp#23005)

Co-authored-by: Kianna <30884335+kiannaquach@users.noreply.github.com>
Co-authored-by: Andreas Gruhler <andreas.gruhler@adfinis.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>
* Manual backport of missing partial
Co-authored-by: Jonathan Frappier <92055993+jonathanfrappier@users.noreply.github.com>
Co-authored-by: Jonathan Frappier <92055993+jonathanfrappier@users.noreply.github.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Co-authored-by: Meggie <meggie@hashicorp.com>
…corp#23096)

* Add known issues around transit managed keys

 - Document known issue around managed key encryption failure with Cloud KMS backed keys and the failure to sign with managed keys

* Fix filename typos

* Update website/content/partials/known-issues/transit-managed-keys-sign-fails.mdx



* Update website/content/partials/known-issues/transit-managed-keys-panics.mdx



* Apply PR feedback

* Missed new line to force error on new-line.

---------

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
[VAULT-14497] Ensure Role Governing Policies are only applied down the namespace hierarchy (hashicorp#23090)

---------

Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
Co-authored-by: soly-hashicorp <106975916+soly-hashicorp@users.noreply.github.com>
…3116)

Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>
Backport of UI: add SSH role attribute allowed_domains_template
Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>
Co-authored-by: Sarah Thompson <sthompson@hashicorp.com>
… engines into release/1.14.x (hashicorp#23130)

Co-authored-by: Kianna <30884335+kiannaquach@users.noreply.github.com>
Co-authored-by: Nicola Kabar <nicolaka@gmail.com>
…23142) (hashicorp#23150)

Rather than assuming a short sleep will work, we instead wait until netcat is listening on the socket. We've also configured the netcat listener to persist after the first connection, which allows Vault and us to check the connection without the process closing.

As we implemented this we also ran into AWS issues in us-east-1 and us-west-2, so we've changed our deploy regions until those issues are resolved.

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Hamid Ghaf <83242695+hghaf099@users.noreply.github.com>
Co-authored-by: akshya96 <87045294+akshya96@users.noreply.github.com>
Co-authored-by: Angel Garbarino <Monkeychip@users.noreply.github.com>
Co-authored-by: Brian Shumate <brianshumate@users.noreply.github.com>
Co-authored-by: Scott Miller <smiller@hashicorp.com>
…rp#25139)

* Revert "Revert manual license reporting changes from  1.14.x"

* cherry pick api changes

* manual reporting cli oss changes (hashicorp#25109)

* fix cmd changes

* revert go.mod and go.sum

* remove extra change from logical_system.go

---------

Co-authored-by: Hamid Ghaf <83242695+hghaf099@users.noreply.github.com>
Co-authored-by: aphorise <aphorise@gmail.com>
…icorp#25199)

Git doesn’t allow hooks to be in-repo which prevents branch specific hooks.
To get around this we’ve historically copied our hooks from .hooks into
.git/hooks when running make prep in vault and vault-enterprise.

That sort of works but has the following issues:
  * If your hooks call into files in-repo and they are modified between branches
you have to re-sync to resolve it
  * Remembering to sync the hooks is cumbersome

We can’t exactly get around the first issue. It’s always possible that if
you change branches and don’t update your hooks you could run into this
problem if you try to commit without updating them. But we can make it less
likely to fail by:

  * Always syncing the hooks whenever make is called
  * Updating the files in the hooks on all maintained branches to be consistent

--

To improve compatibility with later branches we also migrate our
hooks to more closely resemble those in >= 1.15.x.

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Scott Miller <smiller@hashicorp.com>
Co-authored-by: Jonathan Frappier <92055993+jonathanfrappier@users.noreply.github.com>
Co-authored-by: Scott Miller <smiller@hashicorp.com>
…p#25335) (hashicorp#25345)

* Redirect after logging in from token expiry. Fixes hashicorp#10963

* Add changelog
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
hashicorp#25241)

* [QT-637] Streamline our build pipeline (hashicorp#24892)

Context
-------
Building and testing Vault artifacts on pull requests and merges is
responsible for about 1/3rd of our overall spend on Vault CI. Of the
artifacts that we ship as part of a release, we do Enos testing scenarios
on the `linux/amd64` and `linux/arm64` binaries and their derivative
artifacts. The extended build artifacts for non-Linux platforms or less
common machine architectures are not tested at this time. They are built,
notarized, and signed as part of every pull request update and merge. As
we don't actually test these artifacts, the only gain we get from this
rather expensive behavior is that we won't merge a change that would prevent
Vault from building on one of the extended targets. Extended platform or
architecture changes are quite rare, so performing this work as frequently
as we do is costly in both monetary and developer time for little relative
safety benefit.

Goals
-----
Rethink and implement how and when we build binaries and artifacts of Vault
so that we can spend less money on repetitive work while also reducing
the time it takes for the build and test pipelines to complete.

Solution
--------
Instead of building all release artifacts on every push, we'll opt to build
only our testable (core) artifacts. With this change we are introducing a
bit of risk. We could merge a change that breaks an extended platform and
only find out after the fact when we trigger a complete build for a release.
We'll hedge against that risk by building all of the release targets on a
scheduled cadence to ensure that they are still buildable.

We'll make building all of the targets optional on any pull request by
use of a `build/all` label on the pull request.

Further considerations
----------------------
* We want to reduce the total number of workflows and runners for all of our
  pipelines if possible. As each workflow runner has infrastructure cost and
  runner time penalties, using a single runner over many is often preferred.
* Many of our job runners have been optimized for cost and performance. We
  should simplify the choices of which runners to use.
* CRT requires us to use the same build workflow in both CE and Ent.
  Historically that meant that modifying `build.yml` in CE would result in a
  merge conflict with `build.yml` in Ent, and break our merge workflows.
* Workflow flow control in both `build.yml` and `ci.yml` can be quite
  complicated, as each needs to maintain compatibility whether executed as CE
  or Ent, and when triggered with various Github events like pull_request,
  push, and workflow_call, each with their own requirements.
* Many jobs utilize similar patterns of flow control and metadata but are not
  reusable.
* Workflow call depth has a maximum of four, so we need to be quite
  considerate when calling other workflows.
* Called workflows can only have 10 inputs.

Implementation
--------------
* Refactor the `build.yml` workflow to be agnostic to whether or not it is
  executing in CE or Ent. That makes future updates to the build much easier
  as we won't have to worry about merge conflicts when the change is merged
  downstream.
* Extract common steps in workflows into composite actions that we can reuse.
* Fix bugs where some but not all workflows would use different Git
  references when building and testing a pull request.
* We rewrite the application, docs, and UI change helpers as a composite
  action. This allows us to re-use this logic to make consistent behavior
  choices across build and CI.
* We combine several `build.yml` and `ci.yml` jobs into our final job.
  This reduces the number of workflows required for the same behavior while
  saving time overall.
* Update most of our action pins.

Results
-------

| Metric            | Before   | After   | Diff  |
|-------------------|----------|---------|-------|
| Duration:         | ~14-18m  | ~15-18m | ~ =   |
| Workflows:        | 43       | 18      | - 58% |
| Billable time:    | ~1h15m   | 16m     | - 79% |
| Saved artifacts:  | 34       | 12      | - 65% |

Infra costs should map closely to billable time.
Network I/O costs should map closely to the workflow count.
Storage costs should map directly with saved artifacts.

We could probably get parity with duration by getting more clever with
our UBI container build, as that's where we're seeing the increase. I'm
not yet concerned as it takes roughly the same time for this job to
complete as it did before.

While the CI workflow was not the focus of the PR, some shared
refactoring does show some marginal improvements there.

| Metric            | Before   | After    | Diff   |
|-------------------|----------|----------|--------|
| Duration:         | ~24m     | ~12.75m  | - 15%  |
| Workflows:        | 55       | 47       | - 8%   |
| Billable time:    | ~4h20m   | ~3h36m   | - 7%   |

Further focus on streamlining the CI workflows would likely result in a
few more marginal improvements, but nothing on the order of what we've seen
with the build workflow.

[0] https://github.com/hashicorp/vault-enterprise/actions/runs/7875954928/job/21490054433?pr=5411#step:3:39

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ellie <ellie.sterner@hashicorp.com>
Co-authored-by: Hamid Ghaf <83242695+hghaf099@users.noreply.github.com>
…to release/1.14.x (hashicorp#25456)

Co-authored-by: Mark Collao <106274486+mcollao-hc@users.noreply.github.com>
* Add test waiter for namespace fetch

* Add waitfor, unskip test

* remove comment
…orp#25421) (hashicorp#25464)

* Cache trusted cert values, invalidating when anything changes

* rename to something more indicative

* defer

* changelog

* Use an LRU cache rather than a static map so we can't use too much memory.  Add docs, unit tests

* Don't add to cache if disabled.  But this races if just a bool, so make the disabled an atomic
Co-authored-by: Scott Miller <smiller@hashicorp.com>
* prevent deadlock

* rollbacks not done for sync invalidate

* add check for the path before deleting

* revert sync invalidation doesn't do rollbacks

* add known issue

* changelog

* fix formatting issue

Co-authored-by: miagilepner <mia.epner@hashicorp.com>
…1.14.x (hashicorp#25541)

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
Co-authored-by: Scott Miller <smiller@hashicorp.com>
Co-authored-by: Josh Black <raskchanky@gmail.com>