Handle deprecated builtins #17005

Merged
merged 7 commits into from
Sep 6, 2022

Contributor

@mpalmi mpalmi commented Sep 2, 2022

This PR introduces the handling logic for deprecated builtins as outlined in RFC VLT-200. The deprecation statuses are handled as follows:

  • Supported - do nothing
  • Deprecated - log a warning about builtin deprecation
  • PendingRemoval - log an error about builtin deprecation and return an error if VAULT_ALLOW_PENDING_REMOVAL_MOUNTS is unset
  • Removed - log an error about builtin deprecation and return an error

This logic has two net effects:

  1. When attempting to unseal a Vault core containing a PendingRemoval or Removed mount, the core will log Errors, seal itself, and shut down immediately.
  2. When attempting to enable a new mount for builtins with PendingRemoval or Removed Deprecation Status, the Vault server will return an error and disallow the mount.

The PendingRemoval functionality described above may be overridden using the VAULT_ALLOW_PENDING_REMOVAL_MOUNTS environment variable upon Vault server startup. This causes the mounts to behave as if they are Deprecated, with a log level of Error instead of Warn.

@mpalmi mpalmi requested review from a team September 2, 2022 20:49
@mpalmi mpalmi requested a review from taoism4504 as a code owner September 2, 2022 20:49
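
The decision table in the description above, sketched in Go as an added illustration; this is not code from the PR or from Vault. `Status`, `Mount`, `Check` and `Unseal` are hypothetical names, and the `allow` parameter stands in for VAULT_ALLOW_PENDING_REMOVAL_MOUNTS having been set at startup.

```go
package main

import "fmt"

// Status mirrors the four deprecation statuses named in the PR description.
type Status int

const (
	Supported Status = iota
	Deprecated
	PendingRemoval
	Removed
)

// Mount is a hypothetical stand-in for a mount entry, not Vault's own type.
type Mount struct {
	Path   string
	Status Status
}

// Check returns the log level to emit ("" for none) and a non-nil error when
// the mount must be refused; the same check covers enabling a new mount.
func Check(m Mount, allow bool) (string, error) {
	switch {
	case m.Status == Deprecated:
		return "warn", nil
	case m.Status == PendingRemoval && allow:
		return "error", nil // tolerated like Deprecated, but logged at Error
	case m.Status == PendingRemoval, m.Status == Removed:
		return "error", fmt.Errorf("mount %s refused: builtin deprecation status", m.Path)
	}
	return "", nil
}

// Unseal models net effect 1: the first refused mount aborts the unseal and
// the core stays sealed. It returns the levels logged up to that point.
func Unseal(mounts []Mount, allow bool) (sealed bool, levels []string) {
	for _, m := range mounts {
		lvl, err := Check(m, allow)
		levels = append(levels, lvl)
		if err != nil {
			return true, levels
		}
	}
	return false, levels
}

// main runs the check over a constructed two-entry mount table.
func main() { fmt.Println(Unseal([]Mount{{"kv/", Supported}, {"old/", PendingRemoval}}, false)) }
```

Note that in this sketch a Removed mount is refused even when `allow` is true, matching the description's statement that only PendingRemoval can be overridden.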
Contributor

@ccapurso ccapurso left a comment

Just one small note about changelog entries but looks good!

changelog/17005.txt (outdated)
@mpalmi mpalmi merged commit 13077ba into main Sep 6, 2022
@mpalmi mpalmi deleted the handle-deprecated-builtins branch September 6, 2022 19:49
3 participants