-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix plugin reload mounts #15579
Fix plugin reload mounts #15579
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me 👍
if ns.ID != entry.Namespace().ID { | ||
continue |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks like it would also be returning a fake success here when in fact the reload fails. Would changing this too also be an improvement?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good thinking! I wasn't sure so I tested it and we get the following error when using namespaces
Error reloading plugin/mounts: Error making API request.
Namespace: ns2/
URL: PUT http://127.0.0.1:8200/v1/sys/plugins/reload/backend
Code: 500. Errors:
* 3 errors occurred:
* cannot fetch mount entry on "auth/userpass-single-sdk-1_9-1/"
* cannot fetch mount entry on "auth/userpass-single-sdk-1_9-2/"
* cannot fetch mount entry on "auth/userpass-single-sdk-1_9-3/"
The call to c.router.MatchingMountEntry above will ensure the namespace is applied before searching for the mount. So I think this check may be redundant?
* fix plugin reload mounts * do not require sys/ prefix * update plugin reload docs with examples * fix unit test credential read path * update docs to reflect correct cli usage * allow sys/auth/foo or auth/foo * append trailing slash if it doesn't exist in request * add changelog * use correct changelog number
Fix a bug where the command
vault plugin reload -mounts <plugin-mount-path>
silently fails for auth plugins. This bug results in the plugin process is not actually getting killed/cleaned up but reports that the reload was successful.This change allows the
-mounts
flag to except any ofsys/auth/foo/
sys/auth/foo
auth/foo/
auth/foo
for an auth plugin mounted with
vault auth enable -path=foo my-foo-auth-plugin
; orbar/
bar
for a secrets plugin mounted with
vault secrets enable -path=bar my-bar-secrets-plugin
Additionally, we add some docs examples for the unintuitive
vault plugin reload ...
commands.