Adding a Couchbase database plugin #9034
Conversation
Hi @fhitchen, Thank you for the contribution! This looks good - I don't think it's quite ready to go yet but it seems to be on the right track. New database plugins generally get their own repo (e.g. vault-plugin-database-mongodbatlas), then get bundled into the Vault binary using go modules. You're of course welcome to continue working on this PR here, but ultimately we'll ask you to create a new PR against the new repo once it's created. Let me know if you want a review now or you'd rather continue to improve the tests first. I also suggest looking at existing database plugin tests in Vault that you might hook into - for example, you could create your own version of TestBackend_StaticRole_Rotations_PostgreSQL to validate the rotation behaviour of your plugin.
Sure, let me add some more tests and then we can review. I have also asked the Couchbase folks to take a look at it and when I get their feedback I will make whatever changes they suggest and contact you through a comment here?
Sounds good!
Hi, I just looked at the TestBackend_StaticRole_Rotations_PostgreSQL and had a question. Is it testing the static role rotation through a running Vault server, or is that simulated?
I guess sort of in between? It's an in-memory Vault instance for all intents and purposes. It's not invoking the Vault binary though, and there are some (mostly very minor) differences as a result. It's basically the test code invoking almost the same code that
Hi,
I got my code reviewed by the Couchbase golang development team and they had a few suggestions that I have incorporated. I am still working on making the testing better structured and will have that finished by the end of the week.
I see that there is a hashicorp/vault-plugin-database-couchbase opened by kalafut. Can I fork that and add my work to it please? It is getting to be a pain keeping my own and the other hashicorp fork in sync.
I also have managed to add Couchbase support to the spring-boot-vault package so that a developer can whistle up Couchbase credentials with a couple of annotated lines of code and a valid Vault token.
regards, Francis.
Yup, that's what it's there for.
@fhitchen - do you mind if I close this in favor of your PR in the other repo: hashicorp/vault-plugin-database-couchbase#1 ?
Absolutely not a problem. Please go ahead and close it.
Hi,
any idea when you will get around to having a look at my PR? I would like to finish it before I forget what I did.
regards, Francis.
Hi @fhitchen. We'll be reviewing this soon. Thanks for your patience!
Hi Jim,
Great, I have also added it to the Spring Cloud Vault Config project if you want to take a look at that too: spring-cloud/spring-cloud-vault#408
regards, Francis.
Closing this, as the review is happening in the plugin repo.
Hi,
Please could you take a look at this custom plugin. We use Couchbase extensively and I wanted to learn more about how Vault worked, so ...
It handles credential rotation and dynamic and static roles.
I still need to clean up the testing code, add support for client certificate authentication (I think the object locking on Close is also missing), and write some description of how to configure Vault and the accounts and roles that need to be created in Couchbase for the tests to work.
Please excuse the Go code; it is my first attempt at writing anything serious in it, so it is probably not as idiomatic as it should be. The Go package is also pointing to my own repo where I initially created the plugin.
Example Vault configuration and roles to use the plugin.
SHA256=$(shasum -a 256 plugins/couchbase-database-plugin | cut -d' ' -f1)
vault secrets enable database
vault write sys/plugins/catalog/database/couchbase-database-plugin sha256=$SHA256 command=couchbase-database-plugin
Get the self-signed CA cert out of the DB.
BASE64PEM=$(openssl s_client -connect localhost:18091 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM | base64 -w 0)
TLS encrypted connection
vault write database/config/my-couchbase plugin_name="couchbase-database-plugin" hosts="couchbases://localhost" username=Administrator password=Admin123 \
    tls=true insecure_tls=true base64pem=${BASE64PEM} allowed_roles=my-couchbase-admin-role,my-couchbase-bucket-role
vault write database/roles/my-couchbase-admin-role db_name=my-couchbase default_ttl="5m" max_ttl="1h" creation_statements='[{"name":"admin"}]' revocation_statements="nil statement"
vault write database/roles/my-couchbase-bucket-role db_name=my-couchbase default_ttl="5m" max_ttl="1h" creation_statements='[{"name":"ro_admin"},{"name":"bucket_admin","bucket":"foo"}]' revocation_statements="nil statement"
Plain text connection
vault write database/config/other-couchbase plugin_name="couchbase-database-plugin" hosts="chanchan2" username=root password=rootpassword allowed_roles=other-couchbase-admin-role,other-couchbase-bucket-role,education
vault write database/static-roles/education db_name=other-couchbase username=vault-edu rotation_statements="nil statement" rotation_period="5m"
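The creation_statements values above are JSON arrays of Couchbase roles, some scoped to a bucket. The following is an added example, not code from this PR or from the Couchbase plugin, showing how a plugin can validate such a role specification before turning it into a user-management request: unknown fields are rejected, and role and bucket names are restricted to a safe character set so that an operator-supplied value cannot widen the grant beyond what the Vault role says. The comma-separated role[bucket] syntax and the PUT /settings/rbac/users/local/<user> path are my understanding of Couchbase's RBAC REST API and should be checked against your server version; all type and function names are my own.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// RoleStatement mirrors one entry of the creation_statements JSON above,
// e.g. {"name":"bucket_admin","bucket":"foo"}.
type RoleStatement struct {
	Name   string `json:"name"`
	Bucket string `json:"bucket,omitempty"`
}

// Only letters, digits, underscore and hyphen are accepted for role, bucket
// and user names. This is deliberately strict: a value such as "foo],admin["
// would otherwise be able to smuggle extra grants into the role list.
var safeToken = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// ParseCreationStatements decodes the JSON array and validates every entry.
func ParseCreationStatements(raw string) ([]RoleStatement, error) {
	dec := json.NewDecoder(strings.NewReader(raw))
	dec.DisallowUnknownFields() // a typo like "bukcet" fails loudly instead of silently granting a cluster-wide role
	var roles []RoleStatement
	if err := dec.Decode(&roles); err != nil {
		return nil, fmt.Errorf("creation_statements is not a JSON array of roles: %w", err)
	}
	if len(roles) == 0 {
		return nil, errors.New("creation_statements must grant at least one role")
	}
	for i, r := range roles {
		if !safeToken.MatchString(r.Name) {
			return nil, fmt.Errorf("statement %d: invalid role name %q", i, r.Name)
		}
		if r.Bucket != "" && !safeToken.MatchString(r.Bucket) {
			return nil, fmt.Errorf("statement %d: invalid bucket name %q", i, r.Bucket)
		}
	}
	return roles, nil
}

// RolesParam renders validated roles in the comma-separated form with
// bucket-scoped roles written as role[bucket] (assumed Couchbase syntax).
func RolesParam(roles []RoleStatement) string {
	parts := make([]string, 0, len(roles))
	for _, r := range roles {
		if r.Bucket != "" {
			parts = append(parts, fmt.Sprintf("%s[%s]", r.Name, r.Bucket))
		} else {
			parts = append(parts, r.Name)
		}
	}
	return strings.Join(parts, ",")
}

// UserRequest is the path and form body for the (assumed) Couchbase
// user-management endpoint PUT /settings/rbac/users/local/<username>.
type UserRequest struct {
	Path string
	Form string
}

// BuildUserRequest composes the request for creating a dynamic user or
// rotating a static user's password; both send the same shape.
func BuildUserRequest(username, password string, roles []RoleStatement) (UserRequest, error) {
	if !safeToken.MatchString(username) {
		return UserRequest{}, fmt.Errorf("invalid username %q", username)
	}
	if password == "" {
		return UserRequest{}, errors.New("empty password")
	}
	form := url.Values{}
	form.Set("password", password)
	form.Set("roles", RolesParam(roles))
	return UserRequest{
		Path: "/settings/rbac/users/local/" + url.PathEscape(username),
		Form: form.Encode(),
	}, nil
}

func main() {
	// Constructed input: the bucket role from the PR description.
	roles, err := ParseCreationStatements(`[{"name":"ro_admin"},{"name":"bucket_admin","bucket":"foo"}]`)
	if err != nil {
		panic(err)
	}
	req, err := BuildUserRequest("v-token-bucket-role-abc123", "example-password", roles)
	if err != nil {
		panic(err)
	}
	fmt.Println(req.Path)
	fmt.Println(req.Form)
}
```

The password never appears in the path and is form-encoded, so it is safe to log the path for debugging but not the form body; a plugin should also refuse to start if allowed_roles in the connection config does not list the role being used, which the Vault database backend enforces before the plugin is called.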