Vault 34905 support register ce plugin with extracted artifact #30673


Merged

Conversation

helenfufu
Contributor

@helenfufu helenfufu commented May 19, 2025

Description

This PR contains the subset of CE changes from https://github.com/hashicorp/vault-enterprise/pull/8071. It primarily refactors variable, function, and file organization such that artifact verification and registration functionality is shared across Vault CE and ENT going forward. This artifact functionality was previously ENT-only.

PR description copied below:

Before this change, the UX for registering CE vs. ENT plugins diverges undesirably: to register a CE plugin, you must provide sha256, and to register an ENT plugin, you must provide version and omit sha256. This change brings a unified UX for registering CE vs. ENT plugins: for both cases*, an operator can provide version only (no sha256) to register with an extracted artifact.

This PR primarily refactors variable, function, and file organization such that plugin verification and registration functionality is shared across Vault CE and ENT going forward. This allows Vault (both CE and ENT) to support registering CE plugins with an extracted artifact directory when only version and no sha256 is provided, the same way that ENT plugins are registered. We will continue to support registering CE plugins with binary when sha256 is provided to maintain a backwards-compatible UX.

* Note: CE plugins will support artifact packaging on releases.hashicorp.com going forward starting with the Vault 1.20 release (after https://github.com/hashicorp/vault-plugin-release/pull/55), so the registration experience is unified on artifacts only for new versions of CE plugins. Old versions of CE plugins still need to be registered with binary.

Ticket: VAULT-34905

Local Testing

Test results: [link]

Vault CE

Auth/secrets

Database

TODO only if you're a HashiCorp employee

  • Backport Labels: If this fix needs to be backported, use the appropriate backport/ label that matches the desired release branch. Note that in the CE repo, the latest release branch will look like backport/x.x.x, but older release branches will be backport/ent/x.x.x+ent.
    • LTS: If this fixes a critical security vulnerability or severity 1 bug, it will also need to be backported to the current LTS versions of Vault. To ensure this, use all available enterprise labels.
  • ENT Breakage: If this PR either 1) removes a public function OR 2) changes the signature
    of a public function, even if that change is in a CE file, double check that
    applying the patch for this PR to the ENT repo and running tests doesn't
    break any tests. Sometimes ENT only tests rely on public functions in CE
    files.
  • Jira: If this change has an associated Jira, it's referenced either
    in the PR description, commit message, or branch name.
  • RFC: If this change has an associated RFC, please link it in the description.
  • ENT PR: If this change has an associated ENT PR, please link it in the
    description. Also, make sure the changelog is in this PR, not in your ENT PR.
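To make the two registration paths described above concrete, here is an added Go example. It is not code from this PR or from Vault; the type RegisterMode and the functions selectMode, verifyBinary, parseSHA256SUMS and verifyArtifactDir are hypothetical names chosen for illustration. It encodes the rule the PR describes (sha256 given: verify the supplied binary, as before; version only: verify a binary inside an extracted artifact directory against its SHA256SUMS) and shows the checks a practitioner would want on both paths: digest length and case handling, a constant-time compare, strict parsing of the checksum file, and a hard failure when the binary is unlisted or missing. It assumes SHA256SUMS uses the sha256sum(1) line format, and it assumes the checksum file was already authenticated against the pinned release key before this point; that OpenPGP step is outside the Go standard library and is deliberately not implemented here. The sample artifact in main is constructed inline.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// RegisterMode is the path a register request takes (hypothetical type, not Vault's).
type RegisterMode int

const (
	ModeBinary   RegisterMode = iota // sha256 supplied: verify one binary
	ModeArtifact                     // version only: verify an extracted artifact directory
)

// selectMode: sha256 selects binary registration (backwards compatible), version alone selects artifact registration, neither is an error.
func selectMode(sha256Hex, version string) (RegisterMode, error) {
	switch {
	case sha256Hex != "":
		return ModeBinary, nil
	case version != "":
		return ModeArtifact, nil
	}
	return 0, fmt.Errorf("plugin register: either sha256 or version is required")
}

// verifyBinary streams the file through SHA-256 and compares with the supplied hex digest: case normalised, length checked, constant-time compare.
func verifyBinary(binPath, expectedHex string) error {
	want, err := hex.DecodeString(strings.ToLower(strings.TrimSpace(expectedHex)))
	if err != nil || len(want) != sha256.Size {
		return fmt.Errorf("sha256 must be a %d-byte hex digest", sha256.Size)
	}
	f, err := os.Open(binPath)
	if err != nil {
		return err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return err
	}
	if subtle.ConstantTimeCompare(h.Sum(nil), want) != 1 {
		return fmt.Errorf("sha256 mismatch for %s", filepath.Base(binPath))
	}
	return nil
}

// parseSHA256SUMS parses "<hex>  <name>" lines (sha256sum(1) format, assumed for SHA256SUMS); a "*" name prefix is stripped, any other malformed line is an error.
func parseSHA256SUMS(r io.Reader) (map[string]string, error) {
	sums := map[string]string{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			return nil, fmt.Errorf("malformed SHA256SUMS line: %q", sc.Text())
		}
		sums[strings.TrimPrefix(fields[1], "*")] = fields[0]
	}
	return sums, sc.Err()
}

// verifyArtifactDir checks binaryName in an extracted artifact directory against its SHA256SUMS entry and returns the verified digest.
// Assumed precondition: SHA256SUMS was already authenticated (detached signature checked against the pinned key); that step is not implemented here.
func verifyArtifactDir(dir, binaryName string) (string, error) {
	f, err := os.Open(filepath.Join(dir, "SHA256SUMS"))
	if err != nil {
		return "", err
	}
	defer f.Close()
	sums, err := parseSHA256SUMS(f)
	if err != nil {
		return "", err
	}
	want, ok := sums[binaryName]
	if !ok {
		return "", fmt.Errorf("%s is not listed in SHA256SUMS", binaryName)
	}
	if err := verifyBinary(filepath.Join(dir, binaryName), want); err != nil {
		return "", err
	}
	return want, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "artifact") // constructed input: a fake plugin binary plus a SHA256SUMS naming it
	defer os.RemoveAll(dir)
	body := []byte("#!/bin/sh\necho fake plugin\n")
	_ = os.WriteFile(filepath.Join(dir, "plugin"), body, 0o755)
	sum := sha256.Sum256(body)
	_ = os.WriteFile(filepath.Join(dir, "SHA256SUMS"), []byte(hex.EncodeToString(sum[:])+"  plugin\n"), 0o644)
	fmt.Println(verifyArtifactDir(dir, "plugin"))
}
```

The failure modes worth noting: a request with both fields omitted is rejected rather than defaulting to either path, a binary that is present on disk but absent from SHA256SUMS is rejected (the checksum file, not the directory listing, is the source of truth), and a listed binary that is missing from the directory fails on open rather than being skipped.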

@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label May 19, 2025
@helenfufu helenfufu added this to the 1.20.0-rc milestone May 19, 2025

github-actions bot commented May 19, 2025

CI Results:
All Go tests succeeded! ✅

@helenfufu helenfufu marked this pull request as ready for review May 19, 2025 21:47
@helenfufu helenfufu requested a review from a team as a code owner May 19, 2025 21:47
@helenfufu helenfufu requested a review from armon May 19, 2025 21:47

Build Results:
All builds succeeded! ✅

@helenfufu helenfufu removed the request for review from armon May 19, 2025 22:36
@helenfufu helenfufu marked this pull request as draft May 19, 2025 22:36
@helenfufu helenfufu requested a review from thyton May 20, 2025 00:00
@helenfufu helenfufu marked this pull request as ready for review May 20, 2025 00:00
Contributor

@thyton thyton left a comment

Excellent work and test coverage @helenfufu!

Contributor

@fairclothjm fairclothjm left a comment

Great work @helenfufu! I did some testing with vault-plugin-database-snowflake to test the backwards compatibility. I just left one question on the pgp key.


// hashiCorpPGPPubKey is HashiCorp's PGP public key at https://www.hashicorp.com/.well-known/pgp-key.txt.
// This key is used to verify the authenticity of HashiCorp plugins.
const hashiCorpPGPPubKey = `

Should vault fetch this from the well-known endpoint and cache it? What happens if this ever needs to change? Ideally that would not happen, but it has happened in the past.

Contributor Author

@helenfufu helenfufu May 21, 2025

Followed up on Slack about this question after chatting with Thy.

Thanks btw for testing with the Snowflake plugin!

@helenfufu helenfufu merged commit 71edba2 into main May 22, 2025
251 checks passed
@helenfufu helenfufu deleted the vault-34905-support-register-ce-plugin-with-extracted-artifact branch May 22, 2025 15:39
miagilepner pushed a commit that referenced this pull request May 23, 2025
* apply oss changes from hashicorp/vault-enterprise#8071

* handle oss file deletions

* go mod tidy

* add changelog
erentantekin pushed a commit that referenced this pull request May 23, 2025
* apply oss changes from hashicorp/vault-enterprise#8071

* handle oss file deletions

* go mod tidy

* add changelog