Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Plugins: Auto version selection for auth/secrets + tune version #17167

Merged
merged 5 commits into from
Sep 22, 2022
Merged

Plugins: Auto version selection for auth/secrets + tune version #17167

merged 5 commits into from
Sep 22, 2022

Conversation

tomhjp
Copy link
Contributor

@tomhjp tomhjp commented Sep 16, 2022
edited
Loading

Two main features:

  • Auto version selection for auth/secret engines when versioned plugins are registered
  • Add the ability to tune plugin version for auth/secret engines so that in-place upgrades can be performed

Other changes:

  • external_plugin_test.go moves the calling code a level up the stack, using the system backend's HandleRequest instead of directly calling the implementation functions for each route. Moves the tests slightly closer to production call stacks.

There's still some more follow-up work to do in future PRs, including:

  • Website documentation
  • Add -plugin-version flag to vault auth tune and vault secrets tune
  • Replace version with plugin_version everywhere (I excluded that from this PR to avoid diff noise) Done in Plugins: Consistently use plugin_version #17171
  • Take a holistic look at the changelogs for this set of features

tvoran
tvoran approved these changes Sep 17, 2022
View reviewed changes
Copy link
Member

@tvoran tvoran left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 Seems to work for me when I tested with multiple versions of a secret engine! Just left a couple stray observations.

I also noticed that vault read sys/mounts/<mount> always shows running_sha as n/a even with an external plugin mounted (though I'm not sure what that's actually used for).

And another side note, I also tried mounting a builtin plugin, then registering a version of the same plugin, and tuning the mount for the version, then reloading, and vault read sys/mounts/<mount> still showed running_version as the builtin version. I think the versioned plugin started up since I see the process running, but I didn't verify anything else beyond that.

vault/logical_system.go
switch version {
case "":
var err error
version, err = selectPluginVersion(ctx, b.System(), logicalType, consts.PluginTypeSecrets)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like selectPluginVersion() only returns plugins that aren't builtin, so I'm curious if it's possible to mount a builtin plugin if there's also a versioned instance of it registered.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Currently no, registering a versioned plugin with the same name overrides the built-in in the same way that registering an unversioned plugin of the same name does. However, I'm wondering whether it might be nice to also allow specifying -plugin-version=builtin or -plugin-version=1.12.0+builtin to explicitly select the builtin.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gotcha, it just seemed strange to me that I could see the built-in plugin in vault plugin list -detailed, but couldn't mount it. And I'd vote for using the version listed in the catalog (-plugin-version=1.12.0+builtin) if we end up going that way.

vault/external_plugin_test.go Show resolved Hide resolved
@tomhjp tomhjp enabled auto-merge (squash) September 22, 2022 12:32
@tomhjp tomhjp added this to the 1.12 milestone Sep 22, 2022
@tomhjp tomhjp merged commit e63bf37 into main Sep 22, 2022
@tomhjp tomhjp deleted the plugin-auto-version-and-upgrade branch September 22, 2022 12:53
Merged
@tomhjp
Copy link
Contributor Author

tomhjp commented Sep 22, 2022

@tvoran sorry I realised just after I merged I forgot to respond to the main review comment. I think it came up in another PR, but the empty running_sha was expected, but should now be fixed from #17217.

vault read sys/mounts/<mount> still showed running_version as the builtin version.

Thanks for testing that, sounds like a bug. I'll take a look and follow up on it in another PR.

@tomhjp tomhjp mentioned this pull request Sep 27, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tvoran tvoran tvoran approved these changes

@swenson swenson Awaiting requested review from swenson

@benashz benashz Awaiting requested review from benashz

Assignees
No one assigned
Labels
core/plugin pr/no-changelog
Projects
None yet
Milestone
1.12
Development

Successfully merging this pull request may close these issues.
2 participants
@tomhjp @tvoran