Upgrade Node.js to 24 and update dependencies (#604)
* chore: upgrade Node.js to 24 and update dependencies - Upgrade Node.js from 20 to 24.15.0 across all CI jobs and workflows - Run npm audit fix to resolve CVEs in dependencies - Generate TLS certs dynamically via scripts/gen-tls-certs.sh instead of using static certs - Add Makefile targets for running each integration test suite locally * add GOPATH/bin to PATH before running gen-tls-certs.sh * Add changelog entry * refactor makefile * Refine e2e-enterprise pipeline and scripts
parent
79632e33d6
commit
7e48e563b6
17 changed files with 589 additions and 709 deletions
67
.github/workflows/build.yml
vendored
67
.github/workflows/build.yml
vendored
|
|
@ -10,7 +10,7 @@ jobs:
|
|||
|
||||
- uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
|
||||
with:
|
||||
node-version: "20.9.0"
|
||||
node-version: "24.15.0"
|
||||
|
||||
- name: Setup NPM Cache
|
||||
uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
|
||||
|
|
@ -36,11 +36,11 @@ jobs:
|
|||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
|
||||
- name: Run docker compose
|
||||
run: docker compose up -d vault
|
||||
run: docker compose up -d --wait vault
|
||||
|
||||
- uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
|
||||
with:
|
||||
node-version: "20.9.0"
|
||||
node-version: "24.15.0"
|
||||
|
||||
- name: Setup NPM Cache
|
||||
uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
|
||||
|
|
@ -59,7 +59,7 @@ jobs:
|
|||
- name: NPM Run test;integration:basic
|
||||
run: npm run test:integration:basic
|
||||
env:
|
||||
VAULT_HOST: localhost
|
||||
VAULT_HOST: 127.0.0.1
|
||||
VAULT_PORT: 8200
|
||||
CI: true
|
||||
|
||||
|
|
@ -70,13 +70,14 @@ jobs:
|
|||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
|
||||
- name: Run docker compose
|
||||
run: docker compose up -d vault-enterprise
|
||||
if: ${{ !env.ACT }}
|
||||
run: docker compose up -d --wait vault-enterprise
|
||||
env:
|
||||
VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }}
|
||||
|
||||
- uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
|
||||
with:
|
||||
node-version: "20.9.0"
|
||||
node-version: "24.15.0"
|
||||
|
||||
- name: Setup NPM Cache
|
||||
uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
|
||||
|
|
@ -95,7 +96,7 @@ jobs:
|
|||
- name: NPM Run test:integration:enterprise
|
||||
run: npm run test:integration:enterprise
|
||||
env:
|
||||
VAULT_HOST: localhost
|
||||
VAULT_HOST: 127.0.0.1
|
||||
VAULT_PORT: 8200
|
||||
CI: true
|
||||
|
||||
|
|
@ -106,11 +107,12 @@ jobs:
|
|||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
|
||||
- name: Run docker compose
|
||||
run: docker compose up -d vault
|
||||
if: ${{ !env.ACT }}
|
||||
run: docker compose up -d --wait vault
|
||||
|
||||
- uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
|
||||
with:
|
||||
node-version: "20.9.0"
|
||||
node-version: "24.15.0"
|
||||
|
||||
- name: Setup NPM Cache
|
||||
uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
|
||||
|
|
@ -201,12 +203,27 @@ jobs:
|
|||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
|
||||
- name: Generate TLS Certificates
|
||||
if: ${{ !env.ACT }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
GH_GET_RETRIES: 3
|
||||
run: |
|
||||
# Source the getGH function for authenticated GitHub downloads with retries
|
||||
source ./scripts/.functions
|
||||
getGH https://github.com/cloudflare/cfssl/releases/download/v1.6.5/cfssl_1.6.5_linux_amd64 /usr/local/bin/cfssl
|
||||
getGH https://github.com/cloudflare/cfssl/releases/download/v1.6.5/cfssljson_1.6.5_linux_amd64 /usr/local/bin/cfssljson
|
||||
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson
|
||||
./scripts/gen-tls-certs.sh
|
||||
cat .build/e2e-tls.env >> "$GITHUB_ENV"
|
||||
|
||||
- name: Run docker compose
|
||||
run: docker compose up -d vault-tls
|
||||
if: ${{ !env.ACT }}
|
||||
run: docker compose up -d --wait vault-tls
|
||||
|
||||
- uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
|
||||
with:
|
||||
node-version: "20.9.0"
|
||||
node-version: "24.15.0"
|
||||
|
||||
- name: Setup NPM Cache
|
||||
uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
|
||||
|
|
@ -227,9 +244,9 @@ jobs:
|
|||
env:
|
||||
VAULT_HOST: localhost
|
||||
VAULT_PORT: 8200
|
||||
VAULTCA: ${{ secrets.VAULTCA }}
|
||||
VAULT_CLIENT_CERT: ${{ secrets.VAULT_CLIENT_CERT }}
|
||||
VAULT_CLIENT_KEY: ${{ secrets.VAULT_CLIENT_KEY }}
|
||||
VAULTCA: ${{ env.VAULTCA }}
|
||||
VAULT_CLIENT_CERT: ${{ env.VAULT_CLIENT_CERT }}
|
||||
VAULT_CLIENT_KEY: ${{ env.VAULT_CLIENT_KEY }}
|
||||
|
||||
- name: Test Vault Action (default KV V2)
|
||||
uses: ./
|
||||
|
|
@ -237,9 +254,9 @@ jobs:
|
|||
with:
|
||||
url: https://localhost:8200
|
||||
token: ${{ env.VAULT_TOKEN }}
|
||||
caCertificate: ${{ secrets.VAULTCA }}
|
||||
clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
|
||||
clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
|
||||
caCertificate: ${{ env.VAULTCA }}
|
||||
clientCertificate: ${{ env.VAULT_CLIENT_CERT }}
|
||||
clientKey: ${{ env.VAULT_CLIENT_KEY }}
|
||||
secrets: |
|
||||
secret/data/test secret ;
|
||||
secret/data/test secret | NAMED_SECRET ;
|
||||
|
|
@ -251,8 +268,8 @@ jobs:
|
|||
url: https://localhost:8200
|
||||
token: ${{ env.VAULT_TOKEN }}
|
||||
tlsSkipVerify: true
|
||||
clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
|
||||
clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
|
||||
clientCertificate: ${{ env.VAULT_CLIENT_CERT }}
|
||||
clientKey: ${{ env.VAULT_CLIENT_KEY }}
|
||||
secrets: |
|
||||
secret/data/tlsSkipVerify skip ;
|
||||
|
||||
|
|
@ -261,9 +278,9 @@ jobs:
|
|||
with:
|
||||
url: https://localhost:8200
|
||||
token: ${{ env.VAULT_TOKEN }}
|
||||
caCertificate: ${{ secrets.VAULTCA }}
|
||||
clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
|
||||
clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
|
||||
caCertificate: ${{ env.VAULTCA }}
|
||||
clientCertificate: ${{ env.VAULT_CLIENT_CERT }}
|
||||
clientKey: ${{ env.VAULT_CLIENT_KEY }}
|
||||
secrets: |
|
||||
my-secret/test altSecret ;
|
||||
my-secret/test altSecret | NAMED_ALTSECRET ;
|
||||
|
|
@ -277,9 +294,9 @@ jobs:
|
|||
secrets: |
|
||||
/cubbyhole/test foo ;
|
||||
/cubbyhole/test zip | NAMED_CUBBYSECRET ;
|
||||
caCertificate: ${{ secrets.VAULTCA }}
|
||||
clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
|
||||
clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
|
||||
caCertificate: ${{ env.VAULTCA }}
|
||||
clientCertificate: ${{ env.VAULT_CLIENT_CERT }}
|
||||
clientKey: ${{ env.VAULT_CLIENT_KEY }}
|
||||
|
||||
- name: Verify Vault Action Outputs
|
||||
run: npm run test:integration:e2e-tls
|
||||
|
|
|
|||
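Review bot: The new `Generate TLS Certificates` step installs `cfssl` and `cfssljson` into `/usr/local/bin` straight from a release URL and runs them with no integrity check, while every action in this workflow is pinned to a commit SHA. A version in the URL does not protect against a replaced release asset, so the step should compare each binary with a digest recorded in the repository before the `chmod +x`, for example `echo "<PINNED_SHA256>  /usr/local/bin/cfssl" | sha256sum -c -`. Separately, the client key now reaches later steps through `$GITHUB_ENV` instead of `secrets.*`, so it is no longer masked in logs; that is acceptable only because the key is generated per run, which is worth stating in a comment above `cat .build/e2e-tls.env >> "$GITHUB_ENV"`.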
6
.github/workflows/local-test.yaml
vendored
6
.github/workflows/local-test.yaml
vendored
|
|
@ -22,7 +22,7 @@ jobs:
|
|||
|
||||
- uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
|
||||
with:
|
||||
node-version: '20.9.0'
|
||||
node-version: '24.15.0'
|
||||
|
||||
- name: NPM Install
|
||||
run: npm ci
|
||||
|
|
@ -33,7 +33,7 @@ jobs:
|
|||
- name: Setup Vault
|
||||
run: node ./integrationTests/e2e/setup.js
|
||||
env:
|
||||
VAULT_HOST: localhost
|
||||
VAULT_HOST: 127.0.0.1
|
||||
VAULT_PORT: 8200
|
||||
|
||||
- name: Import Secrets
|
||||
|
|
@ -43,7 +43,7 @@ jobs:
|
|||
# run against a specific version of vault-action
|
||||
# uses: hashicorp/vault-action@v2.1.2
|
||||
with:
|
||||
url: http://localhost:8200
|
||||
url: http://127.0.0.1:8200
|
||||
method: token
|
||||
token: testtoken
|
||||
secrets: |
|
||||
|
|
|
|||
3
.gitignore
vendored
3
.gitignore
vendored
|
|
@ -5,6 +5,9 @@ npm-debug.log*
|
|||
yarn-debug.log*
|
||||
yarn-error.log*
|
||||
|
||||
# Build artifacts
|
||||
.build/
|
||||
|
||||
# Runtime data
|
||||
pids
|
||||
*.pid
|
||||
|
|
|
|||
11
CHANGELOG.md
11
CHANGELOG.md
|
|
@ -1,5 +1,16 @@
|
|||
## Unreleased
|
||||
|
||||
Improvements:
|
||||
|
||||
* Bump node runtime from node20 to node24 [GH-604](https://github.com/hashicorp/vault-action/pull/604)
|
||||
* Fix leading slash in secret paths causing HTTP 400 errors (e.g. `/cubbyhole/test` → `v1/cubbyhole/test` instead of `v1//cubbyhole/test`)
|
||||
* bump jsrsasign from 11.1.0 to 11.1.3
|
||||
* bump body-parser from 1.20.3 to 1.20.5
|
||||
* bump qs from 6.13.0 to 6.15.1
|
||||
* bump http-errors from 2.0.0 to 2.0.1
|
||||
* bump minimatch from 3.1.2 to 3.1.5
|
||||
* bump underscore from 1.13.4 to 1.13.8
|
||||
|
||||
## 3.4.0 (June 13, 2025)
|
||||
|
||||
Bugs:
|
||||
|
|
|
|||
41
Makefile
41
Makefile
|
|
@ -1,3 +1,40 @@
|
|||
.PHONY: clean
|
||||
clean:
|
||||
rm -rf .build
|
||||
|
||||
.PHONY: local-test
|
||||
local-test:
|
||||
docker compose down; docker compose up -d vault && act workflow_dispatch -j local-test -W .github/workflows/local-test.yaml
|
||||
local-test: clean
|
||||
docker compose down --volumes; docker compose up --wait vault && \
|
||||
act workflow_dispatch --job local-test --workflows .github/workflows/local-test.yaml
|
||||
|
||||
.PHONY: test-npm
|
||||
test-npm:
|
||||
npm ci && npm run build && npm run test
|
||||
|
||||
.PHONY: test-basic
|
||||
test-basic: clean
|
||||
docker compose down --volumes; docker compose up --wait vault && \
|
||||
npm run test:integration:basic
|
||||
|
||||
.PHONY: test-e2e
|
||||
test-e2e: clean
|
||||
docker compose down --volumes; docker compose up --wait vault && \
|
||||
act workflow_dispatch --job e2e --workflows .github/workflows/build.yml
|
||||
|
||||
.PHONY: test-e2e-tls
|
||||
test-e2e-tls: clean
|
||||
./scripts/gen-tls-certs.sh
|
||||
docker compose down --volumes; docker compose up --wait vault-tls && \
|
||||
act workflow_dispatch --job e2e-tls --workflows .github/workflows/build.yml --env-file .build/e2e-tls.env
|
||||
|
||||
.PHONY: test-enterprise
|
||||
test-enterprise: clean
|
||||
@if [ -z "$(VAULT_LICENSE_CI)" ]; then \
|
||||
echo "Skipping enterprise tests: VAULT_LICENSE_CI not set"; \
|
||||
else \
|
||||
docker compose down --volumes; docker compose up --wait vault-enterprise && \
|
||||
act workflow_dispatch --job integrationEnterprise --workflows .github/workflows/build.yml; \
|
||||
fi
|
||||
|
||||
.PHONY: test-all
|
||||
test-all: clean test-npm test-basic test-e2e test-e2e-tls test-enterprise
|
||||
|
|
|
|||
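Review bot: In `test-enterprise`, `$(VAULT_LICENSE_CI)` is expanded by make, so the licence text is pasted into the recipe before the shell parses it: it ends up on the shell's command line, and any quote or `$` in the value would change the command. Let the shell read the variable from its environment instead, `@if [ -z "$${VAULT_LICENSE_CI:-}" ]; then \`. Make exports both environment and command-line variables to recipes, so `VAULT_LICENSE_CI=... make test-enterprise` and `make test-enterprise VAULT_LICENSE_CI=...` should both keep working.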
|
|
@ -100,7 +100,7 @@ inputs:
|
|||
required: false
|
||||
default: 'false'
|
||||
runs:
|
||||
using: 'node20'
|
||||
using: 'node24'
|
||||
main: 'dist/index.js'
|
||||
branding:
|
||||
icon: 'unlock'
|
||||
|
|
|
|||
72
dist/index.js
vendored
72
dist/index.js
vendored
File diff suppressed because one or more lines are too long
|
|
@ -5,32 +5,59 @@
|
|||
version: "3.0"
|
||||
services:
|
||||
vault:
|
||||
image: hashicorp/vault:latest
|
||||
image: hashicorp/vault:2.0.0
|
||||
environment:
|
||||
VAULT_DEV_ROOT_TOKEN_ID: testtoken
|
||||
SKIP_SETCAP: "true"
|
||||
VAULT_LOCAL_CONFIG: '{"disable_mlock": true}'
|
||||
ports:
|
||||
- 8200:8200
|
||||
privileged: true
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "VAULT_ADDR=http://127.0.0.1:8200 vault status"]
|
||||
interval: 1s
|
||||
timeout: 5s
|
||||
retries: 5
|
||||
vault-enterprise:
|
||||
image: hashicorp/vault-enterprise:latest
|
||||
image: hashicorp/vault-enterprise:2.0-ent
|
||||
environment:
|
||||
VAULT_DEV_ROOT_TOKEN_ID: testtoken
|
||||
VAULT_LICENSE: ${VAULT_LICENSE_CI}
|
||||
SKIP_SETCAP: "true"
|
||||
VAULT_LOCAL_CONFIG: '{"disable_mlock": true}'
|
||||
ports:
|
||||
- 8200:8200
|
||||
privileged: true
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "VAULT_ADDR=http://127.0.0.1:8200 vault status"]
|
||||
interval: 1s
|
||||
timeout: 5s
|
||||
retries: 30
|
||||
vault-tls:
|
||||
image: hashicorp/vault:latest
|
||||
image: hashicorp/vault:2.0.0
|
||||
hostname: vault-tls
|
||||
environment:
|
||||
# Used by the vault CLI in the healthcheck to trust the CA
|
||||
VAULT_CAPATH: /etc/vault/ca.crt
|
||||
SKIP_SETCAP: "true"
|
||||
VAULT_LOCAL_CONFIG: '{"disable_mlock": true}'
|
||||
ports:
|
||||
- 8200:8200
|
||||
privileged: true
|
||||
healthcheck:
|
||||
# Exit 2 means sealed-but-running, which is acceptable during startup
|
||||
test:
|
||||
- CMD-SHELL
|
||||
- |
|
||||
export VAULT_ADDR=https://127.0.0.1:8200 VAULT_CACERT=/etc/vault/ca.crt VAULT_CLIENT_CERT=/etc/vault/client.crt VAULT_CLIENT_KEY=/etc/vault/client.key
|
||||
vault status; s=$$?; [ $$s -eq 0 ] || [ $$s -eq 2 ]
|
||||
interval: 1s
|
||||
timeout: 5s
|
||||
retries: 30
|
||||
volumes:
|
||||
- ${PWD}/integrationTests/e2e-tls/configs:/etc/vault
|
||||
- vault-data:/var/lib/vault:rw
|
||||
# Certs generated by scripts/gen-tls-certs.sh into .build/certs/
|
||||
- ${PWD}/.build/certs:/etc/vault
|
||||
# tmpfs gives the non-root vault user write access without chown tricks;
|
||||
# ephemeral storage is fine since tests always reinitialize vault from scratch
|
||||
tmpfs: /var/lib/vault
|
||||
entrypoint: vault server -config=/etc/vault/config.hcl
|
||||
|
||||
volumes:
|
||||
vault-data:
|
||||
|
|
|
|||
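Review bot: The `vault-tls` service bind-mounts `${PWD}/.build/certs` read-write into a container that still runs with `privileged: true`, although the server only needs to read the certificates, keys and `config.hcl` from it. Mounting it read-only, `- ${PWD}/.build/certs:/etc/vault:ro`, keeps the container from altering the generated key material on the host; this assumes nothing in the image writes under `/etc/vault`, which the overridden `entrypoint` suggests but the hunk does not prove. The images are now pinned by tag (`hashicorp/vault:2.0.0`, `hashicorp/vault-enterprise:2.0-ent`) rather than by digest, unlike the SHA-pinned actions in the workflows, and `2.0-ent` looks like a moving tag.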
|
|
@ -1,24 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIEFjCCAv6gAwIBAgIUe0i7/HGZKvbDb30L9mC99KXFwj8wDQYJKoZIhvcNAQEL
|
||||
BQAwgaIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
|
||||
Ew1TYW4gRnJhbmNpc2NvMRIwEAYDVQQKEwlIYXNoaUNvcnAxIzAhBgNVBAsTGlRl
|
||||
c3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MS0wKwYDVQQDEyRQcm90b3R5cGUgVGVz
|
||||
dCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjAwODA1MTg1MjAwWhcNMjUwODA0
|
||||
MTg1MjAwWjCBojELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAU
|
||||
BgNVBAcTDVNhbiBGcmFuY2lzY28xEjAQBgNVBAoTCUhhc2hpQ29ycDEjMCEGA1UE
|
||||
CxMaVGVzdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxLTArBgNVBAMTJFByb3RvdHlw
|
||||
ZSBUZXN0IENlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQAD
|
||||
ggEPADCCAQoCggEBAMrRXuu2+zhBs0pLYEdXIaPc4KoWO3xm2RJdbzy3hfjFybQ8
|
||||
H/Y6Hi7txjGGSb45xSfXT/RF2srNfs235I+sfB8rrEizNpzkXqOgGa8LKvh2tgBT
|
||||
BK/jDWsEdDhxmkpFhE69wEW+D5ub7QGnx9jrqLKfwCmUA0utlzcFBk2nRNhRtsrp
|
||||
CI5YL1VN4coLpgXdvbodzbynPzGHe9R/o9K0Uiz2hgHooyKwhkVYwo0BIAQamLFz
|
||||
TS7lyeLf0thDOxV31NX8SpSucqRf50WHNk8T/YtKZ9EhlBDT4ybZwwvcC/ocxxcg
|
||||
1LvB0YweZNjSeO78S4CMh1TFGXnF/xOtGABlIbcCAwEAAaNCMEAwDgYDVR0PAQH/
|
||||
BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFABD/NxvYLpo5zVNeD01
|
||||
r8IIFYlBMA0GCSqGSIb3DQEBCwUAA4IBAQB7TfpIx53gf/oI3mgR6Ciz287WBzFR
|
||||
OzhJXwHk5J3mx8VC1W8tDRXih2lCLd/f9qDy6LyL/hZcoonev6w9oReuOMBiH6l4
|
||||
Pf3yq2aDXX0AoGgm75c1m34kY669JLMsHq5+xuUDeeFUMd60w9zVtZfBSumy/sgN
|
||||
PdjtvThh8sSByocYULs3tuxZDGyQ6GyQcn/xlMrGtmcD5IuX5IXqcKRVlZttykNx
|
||||
S2ltcR00fekw8WZyPSzMJaP+/Kcq3T2viN02MS6qEycQZoYfEAMdj+A0kjbsZG9D
|
||||
6J92z78b2DuLAUvZVpynNk/UbpDeqIDy40V3JDmtvrfGUMkMhMqgK/+J
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIENTCCAx2gAwIBAgIUMu5h1ysA5DlM6lzZFliT2C2n4lEwDQYJKoZIhvcNAQEL
|
||||
BQAwgaIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
|
||||
Ew1TYW4gRnJhbmNpc2NvMRIwEAYDVQQKEwlIYXNoaUNvcnAxIzAhBgNVBAsTGlRl
|
||||
c3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MS0wKwYDVQQDEyRQcm90b3R5cGUgVGVz
|
||||
dCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwIBcNMjAwODA1MTg1MjAwWhgPMjEyMDA3
|
||||
MTIxODUyMDBaMIGMMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEW
|
||||
MBQGA1UEBxMNU2FuIEZyYW5jaXNjbzESMBAGA1UEChMJSGFzaGlDb3JwMSMwIQYD
|
||||
VQQLExpUZXN0IENlcnRpZmljYXRlIEF1dGhvcml0eTEXMBUGA1UEAxMOaGFzaGlj
|
||||
b3JwLnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/zYDKdDGo
|
||||
+Qy7eJUNjOe6jpeGvK1lMu5T1Xka+h2ay6WH5gLyrPw5pi582iYpJdHVbplKMywx
|
||||
LxZv7mAbKNxqdp8UZKy0A3bCuHQqRF8ssXXHufQ8EGxNkLMLJP0e2q39OnrxXekS
|
||||
8Ct3aJm3V8qkcV3CpVdPNgJh4TSuneCXIxVWjFYSiyHi0/5TRd2D+aQPz12szg5F
|
||||
mBW4dLzYKHEMlWcjWG8mxtbLyt+jSR1+tSehQx7KndufdfniOWEDBdbeR3yDnZdn
|
||||
p8DnRWK4oaEI3Sl8tKlDd1Yp+R96aqOEn1tPW6Jy6Vdvk3fCefclbWZ6B9kiJ/1r
|
||||
gxq7AN7iKmHNAgMBAAGjdTBzMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr
|
||||
BgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRn2mwyk+MPChnLg0iWy1r9
|
||||
b3JvwTAfBgNVHSMEGDAWgBQAQ/zcb2C6aOc1TXg9Na/CCBWJQTANBgkqhkiG9w0B
|
||||
AQsFAAOCAQEAOpCy0vHp1Kxgv0VBRrbrwSQLBGP8a1ubVWoeoZQ+EvX9ozqDrHxm
|
||||
gM4XPYUJlUOOEu0ZRgCW60YK33E1zNKnA1F0/3/rmqMkKnm0BBs/5WzMWtsIBPcU
|
||||
e0CeJmaRIXnERQMH/svD+RrFo1dcF8rUDIlWez7+xGqoIGBg7v4jEmkZ3HdckcE+
|
||||
/xvC61YSG8NsJwR/CEcQ8YCyVfgvuS0ukWs4dN15aVDL3Oe61h3bRcGAywOJBrdq
|
||||
9xaq7ezZp/+lUSkYnatWJBuC/aviH9g9s+gMT0I3fWHh8BB0Ne2txwJ15K/qz5he
|
||||
TjxFsumrh50aFqjSiEHndtY5UWuGAFLiSw==
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -1,27 +0,0 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEpAIBAAKCAQEAv82AynQxqPkMu3iVDYznuo6XhrytZTLuU9V5Gvodmsulh+YC
|
||||
8qz8OaYufNomKSXR1W6ZSjMsMS8Wb+5gGyjcanafFGSstAN2wrh0KkRfLLF1x7n0
|
||||
PBBsTZCzCyT9Htqt/Tp68V3pEvArd2iZt1fKpHFdwqVXTzYCYeE0rp3glyMVVoxW
|
||||
Eosh4tP+U0Xdg/mkD89drM4ORZgVuHS82ChxDJVnI1hvJsbWy8rfo0kdfrUnoUMe
|
||||
yp3bn3X54jlhAwXW3kd8g52XZ6fA50ViuKGhCN0pfLSpQ3dWKfkfemqjhJ9bT1ui
|
||||
culXb5N3wnn3JW1megfZIif9a4MauwDe4iphzQIDAQABAoIBAQCYHJuidAoaTwGZ
|
||||
ACV9rJzuqD1lvubpFj5KwEcebPPjmtQ5deIqoaQa+D9wBvYyteq3ENKDNRg8HXL2
|
||||
7B7OC1bbHB5HZxxMW17pSK3gA39Ti52z+zbGF+Q8k6BbG0efG6DW7nUoTOkWeuCN
|
||||
/6fA7uAoEDxirQwUJuo2xAsq3MyMLwcs95rke9Bly8ABFNaV1oMZq8YT/w8oSc2b
|
||||
/7WtxXmChHlVYXTcMqzVPqNFqPRixZRWQ+BSHoXmEDviuGd51L4s9D7iXp32TvUx
|
||||
DMHeS1DFA2en7ZF1uc9VXZeplkkDtVhUe4d6qOqCcUwDFEvMonnyVSa6/FkR5jYZ
|
||||
2yujTdfhAoGBAM0hGOnmnDnCjADUt4mZlr+Mf0XmdKzEV+hid4CQUvBoTXgjYMvv
|
||||
c397eNePce7SwSUE1/APERInGUPhRLVFW5q6/34WRtGBbQkT8ByeJANXes4UFZe3
|
||||
wdNLczWUlSl0G3jTf+Kh3+K5/PtmyxSrAS/9GIk+ibs1mlJOPyVnWqUJAoGBAO9e
|
||||
WlP9/ruXluvkQyM5ZlnAnZYMsFGzzPx4tkazUjurtqxQoyZ0z+pPItGQ7lOl+pDA
|
||||
EWiTun66g+Da9uBiBCJUeXiC1ge2p6bT6N194BrYyrWML9hcIL4mqVojUEUmhnSh
|
||||
6b9h1pC7vFmw5ZFMIIkS60cfBMgQMZxMJN8NuaulAoGBAJM5hwURg90c2ZkbEyPK
|
||||
PVz7fLlxnxoEzcc3LOf0LeLoKXnpgma8VJwRxXiJNs+fKgrkwAtG9QyfTU3f1412
|
||||
2zlhr1ASsv9ZMiXKzpHrmpNfbP+NgLXkqFN7mpPBMZGQCMuemPHTFrpGnODfNTB/
|
||||
T5newIZ4gSgBX+Jk0IOK+47pAoGAeKo6pK6ck9pV5TIbOg18b/AuQG7DD1yxD/CW
|
||||
CkvpP1VPb8vygrdN/FLKPZRu39IC3qdD31DhKXNCeb5Hx1MBvICS/1INLLRCDVIz
|
||||
yDvlFgOFJEG3+LxwcQqyQlMc6s8B5pecarKaZDmPODN5dmZG3HKiEicr1OJ878pe
|
||||
p+aWW1UCgYBmGFbCc1qqlqp+srYGsv3rIgNs5HSfrAjbgY8xh9foMgrYCRAm57gv
|
||||
01yVxMXWmKA6ReVEu8OTVy9fkuOL/vw2o+C6W4IPZYdvSQoPwd5Lf+AqxEQvFF1m
|
||||
tT3SZAM3EhQ7tIXdIQHY27SJ1KlUJMrvUq1CiRWiG/MOKf/87JXPog==
|
||||
-----END RSA PRIVATE KEY-----
|
||||
|
|
@ -1,26 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIEXjCCA0agAwIBAgIUAswquazrfsyDRvXZwn5718DUhU4wDQYJKoZIhvcNAQEL
|
||||
BQAwgaIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
|
||||
Ew1TYW4gRnJhbmNpc2NvMRIwEAYDVQQKEwlIYXNoaUNvcnAxIzAhBgNVBAsTGlRl
|
||||
c3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MS0wKwYDVQQDEyRQcm90b3R5cGUgVGVz
|
||||
dCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwIBcNMjAwODA1MTg1MjAwWhgPMjEyMDA3
|
||||
MTIxODUyMDBaMIGMMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEW
|
||||
MBQGA1UEBxMNU2FuIEZyYW5jaXNjbzESMBAGA1UEChMJSGFzaGlDb3JwMSMwIQYD
|
||||
VQQLExpUZXN0IENlcnRpZmljYXRlIEF1dGhvcml0eTEXMBUGA1UEAxMOaGFzaGlj
|
||||
b3JwLnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0azdZsrPC
|
||||
5Rv8nRxVJnLi+oZgCJYgzhCDiEbYqt1QK1gqNXp0ml5ck6ycj0drwzHzrrX+xcPV
|
||||
5FcNKH3RFyon9XkzjwaXkMv6IkgvH6/jQ1dDW9kWBf3Io3Y59wnD/YaIzNK0CYJS
|
||||
fRNdsZb4InH8gh+RL33+FeysgJwXG1TVA4tTUj7DQxDE0cDd9UD+C9Yx7OWiUjC1
|
||||
IjqdFPusX1nziKYjeI5/UiCmOUGqJJRoMPonuzuGIj9GdmBKmga64OfeZFqn4f6a
|
||||
ay61VnGCwZ24VniUwYElsFbcF2Nv9WqnrOeQlHOsYN68VMqHzaYPqE6SPa6mO5mI
|
||||
/tmpXrDG3Y+RAgMBAAGjgZ0wgZowDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoG
|
||||
CCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFE03/UTs2ZmJpWHSmstt
|
||||
hDngW6F3MB8GA1UdIwQYMBaAFABD/NxvYLpo5zVNeD01r8IIFYlBMCUGA1UdEQQe
|
||||
MByCCWxvY2FsaG9zdIIJdmF1bHQtdGxzhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
|
||||
AQCzarBGJium5oZDSSP5GqxpS13QP2onEen6I1k2eRdcOqtbfNdQ20RJrb4dfNkE
|
||||
Dc09KWVlZAn+hYge2KKTXJ+4ltIC9V1LvquyWipNczOT1ve0H9gt3Wm88LdESqI5
|
||||
HOx43pIaa3cWXBlbzrFmT1SASYm1V5Oo1mXzpUukGokHLLmAz36VVuJGbD0BxYke
|
||||
5MefG4tNT1SsMsIqVvGxI9NiVs7YTdJu81MctSYK5snsEKnYdi9N7CHOk3bdDpeC
|
||||
v2Vo7XBk3s4sBMGmnJO+1JOcRFJioooEFkqNyQmg3atfInysVbreKS5KtWNTaCPm
|
||||
yI55plW8ga5ucja2VX3WbwAO
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -1,27 +0,0 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEpAIBAAKCAQEAtGs3WbKzwuUb/J0cVSZy4vqGYAiWIM4Qg4hG2KrdUCtYKjV6
|
||||
dJpeXJOsnI9Ha8Mx8661/sXD1eRXDSh90RcqJ/V5M48Gl5DL+iJILx+v40NXQ1vZ
|
||||
FgX9yKN2OfcJw/2GiMzStAmCUn0TXbGW+CJx/IIfkS99/hXsrICcFxtU1QOLU1I+
|
||||
w0MQxNHA3fVA/gvWMezlolIwtSI6nRT7rF9Z84imI3iOf1IgpjlBqiSUaDD6J7s7
|
||||
hiI/RnZgSpoGuuDn3mRap+H+mmsutVZxgsGduFZ4lMGBJbBW3Bdjb/Vqp6znkJRz
|
||||
rGDevFTKh82mD6hOkj2upjuZiP7ZqV6wxt2PkQIDAQABAoIBAQCvK0HsVvLtkSCh
|
||||
HbF6gwAcnHyHFQ8d/rRN4KxYhVynD85j/NRODer8G20F/J6tZDFFlSWinUTMkQxr
|
||||
/BpcPg9yCIWKp50Q30cMLujCyBMvphw9jBmzplGG0h5hnRbgMXDDtYoFvw3HJST+
|
||||
XQRlGpxtO7GGdwPvBD5sJdpnHOQ6g7qIYKmlHM99kHU8vr0VghqZAYxEh8RpnYez
|
||||
NLra+7ep+Zp1pFIniU6B8ohyL3OArbQ65qYrZYriAEI5HeEk0RhjewcPsV56LwbS
|
||||
CncTVS/dNYgk1zRIvytmbDVD3v/4lLvnpIWeKVdk7p1aGJeCdpLeWNvDLX0Ws67r
|
||||
QeZQizwhAoGBAMwAIA6+HPsx+8dhNbN3ydX8YU6uUfSeshhshIFZPIYL2vrKyAHU
|
||||
/GAYVzYJH/cU0IvlLJlLdQuiZkOXEX87tgdfmM/o4Qdl12RR0BvU0Cae0txtzNrP
|
||||
yTdfZqDhTz/V8jOAXUNA5oQA45Y3rI7JES8hBd1F9WFOH2WINp344GzlAoGBAOJo
|
||||
SgmRE24VcnfUMqrBpwZBdBrTxDQyTagvd+MuGomIQfcE2Y4rr1eIuJJ0HF5/eYxc
|
||||
DZRO/LVP9tQ8ozXi2tdmgUdKC79O2edmdOCWW5of464R/TLcM5B4SmS36RtdE3qJ
|
||||
ig4fcUmsJ15MAGpkXLMh5YSD/N3TmcnURtx06Fk9AoGATi+mGcBnnybzFuF9EYHR
|
||||
y7/lE6DgLF8+ZvoAdwralY2pqgFaUslsyO/LTRyGMc66d0OoqkAvZfwiMbmOrTMX
|
||||
ew/6o4Tf6lPwD7UDjAcul/67VlyG7T5CIoTf8r0oAJFhOLf0BrizINiuYX6JFlid
|
||||
y3BerQYJG/gzNFjWhglDCrkCgYA+3wUISRAjNrN10ShMwL/3/b8XIA1RDVMBTEU3
|
||||
gfr+jCb9SIx9bWYgoafXi4TBPRbswjdHIvQMCWuankgYU6m/vQhTWp2Of4AFQS9d
|
||||
moNPdmGMWhR8xidPjAfklimWXq9lDMKYj2SvN64rAmHvKXWQjO4mcVyL4RHIuTkA
|
||||
STqoZQKBgQDKHd8F6tjZHEFolmjS5l682g7zVTpBhozezJ/RqYvhJh5ew1pXoD/O
|
||||
Zu9iMfHoDjR4ZUXq6aeLUj/oIt1AsjwaGChOLLAvFbvePgS9XkYkwIlaxS4efAya
|
||||
+CQE/JmY/a1/c2MDLNMCEXvUqX68pv6iDF8pfn+i4tn0omYqgfUlCA==
|
||||
-----END RSA PRIVATE KEY-----
|
||||
773
package-lock.json
generated
773
package-lock.json
generated
File diff suppressed because it is too large
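--- /dev/null
+++ b/scripts/.functions
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+# Copyright IBM Corp. 2019, 2025
+# SPDX-License-Identifier: MIT
+
+# Adapted from: https://github.com/hashicorp/vault-secrets-operator/blob/main/hack/.functions
+
+# getGH downloads files from GitHub with optional authentication
+# Usage: getGH <url> [dest_file] [num_retries]
+function getGH() {
+local url="$1"
+local dest="$2"
+local num_retries="${3:-${GH_GET_RETRIES}}"
+
+headers=(
+'--header' "Accept: application/vnd.github+json"
+'--header' "X-GitHub-Api-Version: 2022-11-28"
+)
+if [ -n "${GITHUB_TOKEN}" ]; then
+headers+=(
+'--header' "Authorization: Bearer ${GITHUB_TOKEN}"
+)
+fi
+cmd=curl
+opts=('-sfSL')
+echo "Fetching ${url}"
+if [ -z "${dest}" ]; then
+opts+=('-O')
+else
+opts+=('-o' "${dest}")
+fi
+if [ -n "${num_retries}" ]; then
+opts+=('--retry' "${num_retries}")
+fi
+${cmd} "${opts[@]}" "${headers[@]}" "${url}"
+}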
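Review bot: `getGH` attaches `Authorization: Bearer ${GITHUB_TOKEN}` to whatever URL it is given, so a caller that passes a non-GitHub URL would hand the token to that host. Restrict the header to GitHub hosts, e.g. `if [ -n "${GITHUB_TOKEN:-}" ] && [[ "${url}" == https://github.com/* || "${url}" == https://api.github.com/* ]]; then`; the `:-` default also keeps the function usable from scripts that run under `set -u`. `headers`, `cmd` and `opts` are assigned without `local`, so they leak into the shell that sourced the file; `local headers cmd opts` at the top of the function fixes that. The usage comment should also say that the function does no checksum verification, so callers must verify what they download.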
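--- /dev/null
+++ b/scripts/gen-tls-certs.sh
@@ -0,0 +1,112 @@
+#!/usr/bin/env bash
+# Copyright IBM Corp. 2019, 2025
+# SPDX-License-Identifier: MIT
+#
+# Generates a PKI chain (CA, server cert, client cert) using cfssl.
+# Outputs certs to .build/certs/ and writes .build/e2e-tls.env for local
+# act usage (act --env-file .build/e2e-tls.env).
+#
+# Usage: ./scripts/gen-tls-certs.sh
+# Requires: cfssl, cfssljson (brew install cfssl)
+
+set -euo pipefail
+
+pushd "$(git rev-parse --show-toplevel || echo .)" > /dev/null
+
+OUTDIR=".build/certs"
+ENVFILE=".build/e2e-tls.env"
+
+if ! command -v cfssl &>/dev/null || ! command -v cfssljson &>/dev/null; then
+echo "error: cfssl and cfssljson are required." >&2
+popd > /dev/null
+exit 1
+fi
+
+mkdir -p "$OUTDIR"
+pushd "$OUTDIR" > /dev/null
+
+# ── cfssl signing config ──────────────────────────────────────────────────────
+cat > cfssl-config.json <<'EOF'
+{
+"signing": {
+"default": { "expiry": "8760h" },
+"profiles": {
+"server": {
+"usages": ["signing", "key encipherment", "server auth"],
+"expiry": "8760h"
+},
+"client": {
+"usages": ["signing", "key encipherment", "client auth"],
+"expiry": "8760h"
+}
+}
+}
+}
+EOF
+
+# ── CA ────────────────────────────────────────────────────────────────────────
+echo "Generating CA..."
+cfssl gencert -initca - <<'EOF' | cfssljson -bare ca
+{
+"CN": "Vault Test CA",
+"key": { "algo": "rsa", "size": 2048 },
+"ca": { "expiry": "87600h" }
+}
+EOF
+
+# ── Server cert ───────────────────────────────────────────────────────────────
+echo "Generating server certificate..."
+cfssl gencert \
+-ca=ca.pem \
+-ca-key=ca-key.pem \
+-config=cfssl-config.json \
+-profile=server - <<'EOF' | cfssljson -bare server
+{
+"CN": "vault-tls",
+"hosts": ["localhost", "127.0.0.1", "vault-tls"],
+"key": { "algo": "rsa", "size": 2048 }
+}
+EOF
+
+# ── Client cert ───────────────────────────────────────────────────────────────
+echo "Generating client certificate..."
+cfssl gencert \
+-ca=ca.pem \
+-ca-key=ca-key.pem \
+-config=cfssl-config.json \
+-profile=client - <<'EOF' | cfssljson -bare client
+{
+"CN": "vault-client",
+"key": { "algo": "rsa", "size": 2048 }
+}
+EOF
+
+# ── Rename to names expected by vault config ──────────────────────────────────
+mv ca.pem ca.crt
+mv server.pem server.crt
+mv server-key.pem server.key
+mv client.pem client.crt
+mv client-key.pem client.key
+
+# ── Remove intermediates not needed at runtime ────────────────────────────────
+rm -f ca.csr server.csr client.csr ca-key.pem cfssl-config.json
+
+# Ensure files are readable by the vault container user
+chmod 644 ./*.crt ./*.key
+
+popd > /dev/null
+
+# ── Copy vault server config ──────────────────────────────────────────────────
+cp "integrationTests/e2e-tls/configs/config.hcl" "$OUTDIR/config.hcl"
+
+# ── Write env file for local act usage ───────────────────────────────────────
+{
+printf 'VAULTCA=%s\n' "$(base64 < "$OUTDIR/ca.crt" | tr -d '\n')"
+printf 'VAULT_CLIENT_CERT=%s\n' "$(base64 < "$OUTDIR/client.crt" | tr -d '\n')"
+printf 'VAULT_CLIENT_KEY=%s\n' "$(base64 < "$OUTDIR/client.key" | tr -d '\n')"
+} > "$ENVFILE"
+
+echo "Certs generated in $OUTDIR"
+echo "Env file written to $ENVFILE"
+
+popd > /dev/null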
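Review bot: `chmod 644 ./*.crt ./*.key` leaves `server.key` and `client.key` world-readable in `.build/certs`, and the comment above it gives the reason but not the condition that makes this acceptable, namely that the keys are throwaway test material. Extend the comment to something like `# Test-only keys: world-readable so the non-root vault user can read the bind mount; never reuse outside this test setup`. The same applies to `.build/e2e-tls.env`, which holds the base64-encoded client key and is created with the default umask; a one-line comment next to `} > "$ENVFILE"` saying so would be enough.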
|
|
@ -36,7 +36,9 @@ async function getSecrets(secretRequests, client, ignoreNotFound) {
|
|||
for (const secretRequest of secretRequests) {
|
||||
let { path, selector } = secretRequest;
|
||||
|
||||
const requestPath = `v1/${path}`;
|
||||
// Strip leading slashes to avoid double-slash in the request path
|
||||
// (e.g. /cubbyhole/test → v1/cubbyhole/test)
|
||||
const requestPath = `v1/${path.replace(/^\/+/, '')}`;
|
||||
let body;
|
||||
let cachedResponse = false;
|
||||
if (responseCache.has(requestPath)) {
|
||||
|
|
|
|||
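Review bot: `path.replace(/^\/+/, '')` throws a `TypeError` when `path` is not a string, whereas the previous template literal interpolated the value and let the HTTP request fail; whether a request without a path can reach `getSecrets` depends on the parser, which is outside this hunk. If it can, an explicit check such as `if (typeof path !== 'string') throw new Error('secret request is missing a path');` before building `requestPath` keeps the failure readable. Only leading slashes are normalised, so the comment could add that interior or trailing `//` is passed through unchanged. The body of `getSecrets` continues past the end of the hunk.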