* Refine documentation for public_key
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Support additional key types in importing version
This originally left off the custom support for Ed25519 and RSA-PSS
formatted keys that we've added manually.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add support for Ed25519 keys
Here, we prevent importing public-key only keys with derived Ed25519
keys. Notably, we still allow import of derived Ed25519 keys via private
key method, though this is a touch weird: this private key must have
been packaged in an Ed25519 format (and parseable through Go as such),
even though it is (strictly) an HKDF key and isn't ever used for Ed25519.
Outside of this, importing non-derived Ed25519 keys works as expected.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add public-key only export method to Transit
This allows the existing endpoints to retain private-key only, including
empty strings for versions which lack private keys. On the public-key
endpoint, all versions will have key material returned.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update tests for exporting via public-key interface
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add public-key export option to docs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add current_billing_period activity endpoint param
This commit introduces a new parameter: `current_billing_period`, which
can be used in lieu of `start_time` and `end_time` options.
GET ... /sys/internal/counters/activity?current_billing_period=true now
results in a response which contains the full billing period
information.
* changelog
* Update internal counters docs
* VAULT-15546 First pass at Vault Proxy docs
* VAULT-15546 correct errors
* VAULT-15546 fully qualify paths
* VAULT-15546 remove index
* VAULT-15546 Some typos and clean up
* VAULT-15546 fix link
* VAULT-15546 Add redirects so old links stay working
* VAULT-15546 more explicit redirects
* VAULT-15546 typo fixes
* Suggestions for Vault Agent & Vault Proxy docs (#20612)
* Rename 'agentandproxy' to 'agent-and-proxy' for better URL
* Update the index pages for each section
* VAULT-15546 fix link typo
---------
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
Fixed a typo in the "Environment Variable Example" because it was generating a parsing error:
template server error: error="(dynamic): execute: template: :2:30: executing \"\" at <.Data.data.payments_api_key>: can't evaluate field data in type *dependency.Secret"
* import rsa and ecdsa public keys
* allow import_version to update public keys - wip
* allow import_version to update public keys
* move check key fields into func
* put private/public keys in same switch cases
* fix method in UpdateKeyVersion
* move asymmetrics keys switch to its own method - WIP
* test import public and update it with private counterpart
* test import public keys
* use public_key to encrypt if RSAKey is not present and failed to decrypt
if key version does not have a private key
* move key to KeyEntry parsing from Policy to KeyEntry method
* move extracting of key from input fields into helper function
* change back policy Import signature to keep backwards compatibility and
add new method to import private or public keys
* test import with imported public rsa and ecdsa keys
* descriptions and error messages
* error messages, remove comments and unused code
* changelog
* documentation - wip
* suggested changes - error messages/typos and unwrap public key passed
* fix unwrap key error
* fail if both key fields have been set
* fix in extractKeyFromFields, passing a PolicyRequest wouldn't not work
* checks for read, sign and verify endpoints so they don't return errors when a private key was not imported and tests
* handle panic on "export key" endpoint if imported key is public
* fmt
* remove 'isPrivateKey' argument from 'UpdateKeyVersion' and
'parseFromKey' methods
also: rename 'UpdateKeyVersion' method to 'ImportPrivateKeyForVersion' and 'IsPublicKeyImported' to 'IsPrivateKeyMissing'
* delete 'RSAPublicKey' when private key is imported
* path_export: return public_key for ecdsa and rsa when there's no private key imported
* allow signed data validation with pss algorithm
* remove NOTE comment
* fix typo in EC public key export where empty derBytes was being used
* export rsa public key in pkcs8 format instead of pkcs1 and improve test
* change logic on how check for is private key missing is calculated
---------
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update elasticdb.mdx
Remove success message of vault write operations from text blocks to better support copy&paste to console
* Update code block types
---------
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
* Add missing tidy-status state values
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add docs on auto-tidy reading
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add missing tidy status field revocation_queue_safety_buffer
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Include pause_duration in tidy-status docs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add date of last auto-tidy operation to status
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add additional existing keys response field
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update tests for validating existing keys
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update docs for import to include new fields
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update website/content/api-docs/secret/pki.mdx
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Update index.mdx
Updated instructions for Vault Upgrade HA
* Create vault-ha-upgrade.mdx
Moved HA Vault upgrade instruction to a new page and added a Note for disabling automated upgrade procedure
* Add the new vault-ha-upgrade page to the side menu
* Format and wording edits
* Remove extra paracentesis
* Fix a typo
* Change the title appears on the navigation
---------
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
* Update service_registration if use Vault HA
* Update protocol
* Minor updates for style consistency
---------
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
* docs(postgresql): Update Postgresql SE API doco
Update the postgresql secret engine API docs to include some "caveats"
of the pgx library. In particular, this enhances the docs to inform the
user that if any sslcreds are supplied as a part of the Database
connection string, the user/vault admin will need to ensure that the
certificates are present at those paths.
* Chore: fixup minor error with db docs
* Keep the language simple
---------
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
In the Kubernetes Auth Code Example, the indentation for the `auth` import is off, causing it to not be indented the same amount as the previous `vault` import. This change ensures that both imports use the same indentation.
* Update wrapping-unwrap.mdx
It is possible to unwrap data without authentication in Vault. I've added an example of a curl request.
* Add changelog record
* Minor follow-ups to #16865
Fix PKI issuer upgrade logic when upgrading to 1.12 or later, to
actually turn off the issuer crl-signing usage when it intended to.
Fix minor typo in docs.
* changelog
* Update userpass.mdx
vault write auth/userpass/users/mitchellh password=foo policies=admins
in the path "userpass" is actually a path, if custom path is defined, custom path need to used, instead of userpass.
* Add extra description
---------
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
I was wondering why the default VaultAuth CR was not created. It was due the fact that I copy/pasted the snippet from the docs here, which has the wrong key.
* update index.mdx with correct installation doc ref
update index.mdx with installation doc ref to point to the right installation.mdx path
* Update installation ref
Update installation ref
* Update index ref without relative path
Update installation doc index ref without relative path
Adding an example of using pkiCert and writeToFile to write cert and
key files from a template.
---------
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* add flag
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* handle kv paths
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* scaffold test
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* need metadata for list paths
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add (broken) test
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* fix test
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* update docs
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add changelog
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* format
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add godoc
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add test case for mount only
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* handle case of no unnamed arg
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add non-mount behavior
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add more detail to comment
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add v1 tests
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
---------
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* Docs - update ldap page to add clarity around sAMAccountName
Updated https://developer.hashicorp.com/vault/docs/secrets/ldap#active-directory-ad-1 to clarify customers configure username properly using username_template when sAMAccountName is involved.
* Docs - edit on last update for ldap page
Fixed the link /vault/docs/concepts/username-templating
* Fix Vault Transit BYOK helper argument parsing
This commit fixes the following issues with the importer:
- More than two arguments were not supported, causing the CLI to error
out and resulting in a failure to import RSA keys.
- The @file notation support was not accepted for KEY, meaning
unencrypted keys had to be manually specified on the CLI.
- Parsing of additional argument data was done in a non-standard way.
- Fix parsing of command line options and ensure only relevant
options are included.
Additionally, some error messages and help text was clarified.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add missing documentation on Transit CLI to website
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tests for Transit BYOK vault subcommand
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Appease CI
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* impr(auth/ldap): allow to dereference aliases in searches
* docs: add documentation for LDAP alias dereferencing
* chore(auth/ldap): add changelog entry for PR 18230
* chore: run formatter
* fix: update default LDAP configuration with new default
* Update website/content/docs/auth/ldap.mdx
Co-authored-by: tjperry07 <tjperry07@users.noreply.github.com>
* docs(ldap): add alias dereferencing to API docs for LDAP
---------
Co-authored-by: tjperry07 <tjperry07@users.noreply.github.com>
Add a `$` before the command in shell blocks that include command
output, so that the "Copy" button on the website only copies the
command and not the output.
* Add a stronger warning about the usage of recovery keys
* Update website/content/docs/concepts/seal.mdx
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* Keep the mitigation text in the warning box
---------
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* Document 'managed_key' key type for transit. Document new 'usages' parameter when creating a managed key in the system backend.
* Document new managed key parameters for transit managed key rotation.
* Add documentation on fetching unified CRLs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add documentation on unified OCSP
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify that OCSP requests need to be URL encoded
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Document new CRL config parameters
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify notes about cross-cluster options
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Add docs on cross-cluster listing endpoints
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update website/content/api-docs/secret/pki.mdx
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* List tidy parameters in one place
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add new tidy status outputs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add docs on new tidy parameters
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* allow_forwarding_via_token syntax update
the example syntax used for `allow_forwarding_via_token` marks the option as an array when it does not need to be, this updates the format on the page to be a code block and removes the square braces
* another update to `allow_forwarding_via_token` syntax
* Add ability to clean up host keys for dynamic keys
This adds a new endpoint, tidy/dynamic-keys that removes any stale host
keys still present on the mount. This does not clean up any pending
dynamic key leases and will not remove these keys from systems with
authorized hosts entries created by Vault.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add documentation
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Remove dynamic keys from SSH Secrets Engine
This removes the functionality of Vault creating keys and adding them to
the authorized keys file on hosts.
This functionality has been deprecated since Vault version 0.7.2.
The preferred alternative is to use the SSH CA method, which also allows
key generation but places limits on TTL and doesn't require Vault reach
out to provision each key on the specified host, making it much more
secure.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Remove dynamic ssh references from documentation
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Remove dynamic key secret type entirely
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify changelog language
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add removal notice to the website
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update integrated-storage.mdx
The quorum paragraph shall also be updated with the table:
instead of:
"A Raft cluster of 3 nodes can tolerate a single node failure while a cluster
of 5 can tolerate 2 node failures. The recommended configuration is to either
run 3 or 5 Vault servers per cluster."
shall be:
"A Raft cluster of 3 nodes can tolerate a single node failure while a cluster
of 5 can tolerate 2 node failures. The recommended configuration is to either
run 5 or 7 Vault servers per cluster."
* Give an explicit node recommendation
---------
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
* Add Redirect for Plugin Portal -> Integration Library
* Remove Plugin Portal page & update sidebar
* Replace the Plugin Portal link to point Vault Integrations (#18897)
* Replace the Plugin Portal link to point Vault Integrations
* Update website/content/docs/partnerships.mdx
Co-authored-by: Brandon Romano <brandon@hashicorp.com>
---------
Co-authored-by: Brandon Romano <brandon@hashicorp.com>
---------
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
* Clarify error on due to unsupported EC key bits
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Remove documentation about unsupported EC/224
Resolves: #18843
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* The fields.
* UserID set, add to certificate
* Changelog.
* Fix test (set default).
* Add UserID constant to certutil, revert extension changes
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add user_ids as field for leaf signing
Presumably, this isn't necessary for CAs, given that CAs probably don't
have a user ID corresponding to them.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Support setting multiple user_ids in Subject
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Allow any User ID with sign-verbatim
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tests for User IDs in PKI
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add docs about user_ids, allowed_user_ids
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Parallel migration (#18815)
* flagParallel sanity check
* Attempt to use ErrGroups
* Updated docs
* Allow 'start' and 'max-parallel' together
* parallel flag renamed to max-parallel
* tests for start + parallel
* Removed permit pool
* Updated docs to make it clearer that a high setting might not be honored based on storage backend setting
* System dependent max int size
* Default max-parallel 1 => 10
* Test folder/paths updated
Co-authored-by: Tomasz Pawelczak <10206601+gites@users.noreply.github.com>
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
* change indentation leve of cas field
* change formatting for cas_required
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>