Commit graph

4651 commits

Author SHA1 Message Date
Bernd Straehle 392fad9365
Rename "Google Apigee" to "Apigee" (#17561) 2022-10-18 15:07:39 +01:00
Mike Wickett 33679fdd39
fix broken link to transit key wrap (#17566) 2022-10-18 09:54:29 -04:00
Jose Diaz-Gonzalez 0bbd57a561
docs: add a missing letter to the upgrade guide (#17554) 2022-10-17 10:02:37 -07:00
Chris Capurso 2e1dc4ed24
Add storage check upgrade notes (#17539)
* docs for ent storage check

* add 1.12.x upgrade notes

* Make ENT distinction a little clearer

Co-authored-by: Meggie <meggie@hashicorp.com>
2022-10-13 19:22:34 -04:00
Scott Miller 7bd4755142
Document the deletion_allowed transform flag (#17544)
* Document the deletion_allowed transform flag

* Remove duplicated sentence
2022-10-13 16:31:07 -05:00
deidra.prado 0a4779ef76
Update raft.mdx join endpoint example (#17525)
Update to remove "X-Vault-Token" from /sys/storage/raft/join Sample Request. Token not required for this endpoint.
2022-10-13 08:40:46 -07:00
Alexander Scheel 26503e8540
Add note about transit BYOK key formats (#17529)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-13 09:10:26 -05:00
Alexander Scheel 838bac037d
Clarify language around PSS CSR issues (#17528)
* Clarify language around PSS CSR issues

Also point out that PKCS#11 tokens have the same problem.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update website/content/docs/secrets/pki/considerations.mdx

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2022-10-13 09:45:58 -04:00
Shueh Chou Lu 2f99734a49
doc: fix broken link in transit api (#17501)
synchronize the doc between two import api
2022-10-12 10:51:42 -07:00
Tom Proctor 918ce6f90e
Docs: Plugin versioning documentation (#17460)
Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
2022-10-11 23:12:02 +01:00
Violet Hynes ee85f0098a
VAULT-1603 add sys/quotas to root-only api path docs (#17496) 2022-10-11 15:09:29 -04:00
Mike Palmiotto aad41fba5b
docs: Update retry_join Known Issue versions (#17474)
Update the doc to show affected versions 1.11.2 and 1.10.6.
2022-10-11 11:54:36 -04:00
Anton Averchenkov 1c102979ba
Remove Async-HVAC from recommended libraries list (#17480) 2022-10-10 17:15:32 -04:00
Austin Gebauer ae17e57e73
secrets/ldap: updates documentation (#17481)
* secrets/ldap: updates documentation

* Update website/content/docs/secrets/ldap.mdx

Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
2022-10-10 13:43:59 -07:00
Brian Shumate 5264783e6c
Docs: Update Transform API (#17477)
- Correct some methods in sample requests
2022-10-10 13:25:31 -04:00
aphorise e4960d0fb0
Docs: What is Vault missing 'S' resolves: #16587 (#17183) 2022-10-10 10:34:21 -04:00
Mike Palmiotto 9dc8744885
Update main to go 1.19.2 (#17437)
* Update go version to 1.19.2

This commit updates the default version of go to 1.19.2. This update
includes minor security fixes for archive/tar, net/http/httputil, and
regexp packages.

For more information on the release, see: https://go.dev/doc/devel/release#go1.19.2

* Update Docker versions in CI to 20.10.17

After updating Vault to go version 1.19.2, there were several SIGABRTs
in the vault tests. These were related to a missing `pthread_create`
syscall in Docker. Since CI was using a much older version of Docker,
the fix was to bump it to latest-1 (20.10.17).

While we're at it, add a note in the developer docs encouraging the use
of the latest Docker version.
2022-10-07 14:24:14 -04:00
Nick Cabatoff 39c7e7c191
Add more raft metrics, emit more metrics on non-perf standbys (#12166)
Add some metrics helpful for monitoring raft cluster state.

Furthermore, we weren't emitting bolt metrics on regular (non-perf) standbys, and there were other metrics
in metricsLoop that would make sense to include in OSS but weren't.  We now have an active-node-only func,
emitMetricsActiveNode.  This runs metricsLoop on the active node.  Standbys and perf-standbys run metricsLoop
from a goroutine managed by the runStandby rungroup.
2022-10-07 09:09:08 -07:00
Austin Gebauer db8c690684
secrets/ldap: updates API documentation (#17448)
* secrets/ldap: updates API documentation

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>
2022-10-07 08:50:37 -05:00
Peter Wilson 191f6e4bf0
Add 'note' for surpassing dead server threshold time (#17455)
* Add 'note' for surpassing dead server threshold time

* Update website/content/docs/commands/operator/raft.mdx

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2022-10-07 14:26:56 +01:00
Alexander Scheel a2b1f00a9b
Better docs on PKI key stuff (#17443)
* Clarify signature_bits restrictions apply relative to issuer's key

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify key_type=any roles must sign CSRs; cannot generate keys

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-06 15:27:53 -04:00
HashiBot e54441b725
Upgrade next version (#17445)
Co-authored-by: Bryce Kalow <bkalow@hashicorp.com>
2022-10-06 15:19:11 -04:00
Alexander Scheel b85d6ec434
Fix RevocationSigAlgo support in OCSP (#17436)
* Allow OCSP to use issuer's RevocationSigAlgo

When an issuer specifies a RevocationSigAlgo, we should largely follow
this for both CRLs and OCSP. However, x/crypto/ocsp lacks support for
PSS signatures, so we drop these down to PKCS#1v1.5 instead.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add warning when issuer has PSS-based RevSigAlgo

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add note about OCSP and PSS support

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-06 12:01:12 -04:00
Austin Gebauer 6bba760da0
docs/ldap: rename openldap secrets to ldap secrets (#17433) 2022-10-05 13:16:26 -07:00
Florin Cătălin Țiucra-Popa 4af76eda14
Update oracle.mdx (#17401)
Remove the duplicated "the" word.
Instead of "the the" it should be only "the".
2022-10-05 10:29:35 -07:00
Josh Black c7d8e7c7f6
Raft index telemetry and docs (#17397)
* add raft index to telemetry

* add definitions and defaults to both autopilot pages

* adjust messages

* Revert "add raft index to telemetry"

This reverts commit 010b091c7e35c1da677567746db90b490ca707ab.
2022-10-04 11:46:11 -07:00
Christopher Swenson ff8d8338cc
docs: Add docs for PKCS#11 provider (#17312)
docs: Add docs for PKCS#11 provider

The PKCS#11 provider is being released shortly.
This moves over the preliminary docs and cleans them up.

I added them as a new section under "Vault Enterprise" ->
"PKCS#11 Provider", but I am open to suggestion on if there is a
better place for them, e.g., "Platforms", or somehow merging
with "Vault Enterprise" -> "HSM"?

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-10-03 11:11:46 -07:00
Divya Pola bc9be4064b
Add documentation for KMIP features implemented in 1.12 (#17294)
* Add documentation for KMIP features implemented in 1.12

* Add documentation for kmip-profiles

* Address PR review feedback

* PR review feedback - update links, add intro and remove collapsed tables

* Add PR review feedback
2022-10-03 12:39:04 -05:00
Steven Clark 10ecf10248
PKI: Add support for signature_bits param to the intermediate/generate api (#17388)
* PKI: Add support for signature_bits param to the intermediate/generate api

 - Mainly to work properly with GCP backed managed keys, we need to
   issue signatures that would match the GCP key algorithm.
 - At this time due to https://github.com/golang/go/issues/45990 we
   can't issue PSS signed CSRs, as the libraries in Go always request
   a PKCS1v15.
 - Add an extra check in intermediate/generate that validates the CSR's
   signature before providing it back to the client in case we generated
   a bad signature such as if an end-user used a GCP backed managed key
   with a RSA PSS algorithm.
   - GCP ignores the requested signature type and always signs with the
     key's algorithm which can lead to a CSR that says it is signed with
     a PKCS1v15 algorithm but is actually a RSA PSS signature

* Add cl

* PR feedback
2022-10-03 12:39:54 -04:00
Austin Gebauer fdc6e2e46a
auth/oidc: fix documentation link anchors for Google Workspace integration (#17379) 2022-10-03 09:09:35 -07:00
Loann Le b7bcd61a42
Vault documentation: release notes for 1.12 (#17237)
* added new release notes

* new rns

* added changelog link

* incorporated feeedback

* Update website/content/docs/release-notes/1.12.0.mdx

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Incorporated additional changes

* Update website/content/docs/release-notes/1.12.0.mdx

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

* Update website/content/docs/release-notes/1.12.0.mdx

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

* Removed TFVP and added Redis and Elasticache to the release highlights

* Update website/content/docs/release-notes/1.12.0.mdx

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

* Update website/content/docs/release-notes/1.12.0.mdx

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

* Update website/content/docs/release-notes/1.12.0.mdx

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2022-10-03 08:36:02 -07:00
Alex Cahn 9542cffa65
Updating the VIP..again (#17375)
* Updating the VIP..again

* Update website/content/docs/partnerships.mdx

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2022-09-30 17:02:34 -07:00
Peter Wilson 42ba1384ff
Added flag and env var which will disable client redirection (#17352)
* Added flag and env var which will disable client redirection

* Added changelog

* Docs fix for unsaved file, and test single request made

* Updated test for case when redirect is enabled, updated docs based on suggestions
2022-09-30 09:29:37 +01:00
Mike Palmiotto 0078822d1d
core: Parse VAULT_ALLOW_PENDING_REMOVAL_MOUNTS as bool (#17319)
* core: Parse VAULT_ALLOW_PENDING_REMOVAL_MOUNTS as bool

* docs: Update VAULT_ALLOW_PENDING_REMOVAL_MOUNTS doc
2022-09-29 14:35:52 -04:00
Loann Le e27204c57b
updated table for 1.12 release (#17362) 2022-09-29 10:47:58 -07:00
Tom Proctor 12ca81bc9b
cli/api: Update plugin listing to always include version info in the response (#17347) 2022-09-29 18:22:33 +01:00
mickael-hc e885ccfd8c
fix formatting for note in audit section (#17335) 2022-09-28 10:17:36 -07:00
Steven Clark c746befced
Update docs for new test/sign params for managed key api and GCP parameters (#17323)
* Update docs for new test/sign params for managed key api

 - The existing test/sign managed key api now has two new api params
   allowing an operator to specify to use RSA PSS signatures (use_pss)
   and to specify the hashing algorithm to use (hash_algorithm)

* Remove duplicate GCP signing algo entry

* Formatting nits and mention the key_ring for GCP needs to exist prior to usage

* Add some additional GCP environment vars
2022-09-27 16:17:44 -04:00
mickael-hc feddc21019
docs: clarify json types and workaround (#17318)
* docs: clarify json types and workaround

* Apply suggestions from code review

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-09-27 15:35:41 -04:00
Violet Hynes 5bc85b08ef
VAULT-8144 Improve docs around exec (#17316)
* VAULT-8144 Improve docs around exec

* VAULT-8144 Add justification
2022-09-26 14:39:49 -04:00
Milena Zlaticanin 89aa236bc5
docs/api-docs for Redis (#17029)
* docs/api-docs for Redis

* update doc

* add navigation to the docs

* Update website/content/api-docs/secret/databases/redis.mdx

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>

* Update website/content/docs/secrets/databases/redis.mdx

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>

* update setup list and lang tag for shell code blocks

* update language tag

* update based on suggestions

* update docs to include tls params

* add plugin to the plugin portal doc

* add -

* update api-docs-nav-data.json

* update field name

* Update website/content/docs/secrets/databases/redis.mdx

Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>

* Update website/content/docs/secrets/databases/redis.mdx

Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>

* Update website/content/docs/secrets/databases/redis.mdx

Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>

* Update website/content/docs/secrets/databases/redis.mdx

Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>

* Update website/content/api-docs/secret/databases/redis.mdx

Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>

* update docs

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>
2022-09-23 10:25:43 -05:00
Alexander Scheel 0c76168d3d
Add note about issuer naming and CRLs (#17298)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-09-23 10:04:54 -04:00
Rachel Culpepper b17ea8c6bd
Add managed key docs for gcp (#17280)
* add managed key docs for gcp

* fix algorithm parameter

* add missing bracket
2022-09-22 14:44:21 -05:00
Hridoy Roy 5477fd86fa
Activity new clients for current month docs (#16472)
* docs draft

* docs complete

* change json for legibility

* change json for legibility

* namespace and mount attribution should exist outside new clients stanza

* address feedback

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* remove version from doc

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-09-22 10:00:18 -07:00
Rachel Culpepper 1c69e690aa
Transform BYOK Documentation (#17121)
* add api docs for transform byok endpoints

* add byok description to transform index page

* fix merge conflicts

* remove import_version for FPE

* text edits and add note about convergent tokenization

* add note for convergent tokenization
2022-09-22 10:56:12 -05:00
Bryce Kalow dfc3ad015a
website: content updates for developer (#17035)
* Chore (dev portal): update learn nav data links  (#15515)

* Update docs-nav-data.json

* Update docs-nav-data.json

* website: fixes internal redirects (#15750)

* chore: remove duplicate overview item (#15805)

* Use `badge` for `<sup>` tags in nav data JSON files (#15928)

* Replacing <sup> tags with badge

* Adding type and color to badges

* fix broken links in vault docs (#15976)

* website: Update old learn links to redirect locations (#16047)

* update previews to render developer UI

* update redirects

* adjust content so it is backwards compat

Co-authored-by: HashiBot <62622282+hashibot-web@users.noreply.github.com>
Co-authored-by: Kendall Strautman <36613477+kendallstrautman@users.noreply.github.com>
Co-authored-by: Ashlee M Boyer <43934258+ashleemboyer@users.noreply.github.com>
2022-09-22 08:11:04 -07:00
Mike Palmiotto dc3beb428e
docs: Update agent autoauth sinks examples (#17229) 2022-09-21 14:19:16 -04:00
DevOps Rob 6495522ab7
adding boundary and waypoint plugins to portal (#17259) 2022-09-21 14:05:17 -04:00
Yoko Hyakuna 9164d04262
Remove extra spaces in the table (#17257) 2022-09-21 08:42:51 -07:00
Bernd Straehle 3623271601
vault-plugin-secrets-apigee (#17249) 2022-09-21 09:08:25 -04:00
Alexander Scheel ad3a093b40
Prevent PSS with Go-incompatible CAs, CSRs, Private Keys (#17223)
* Fix interoperability concerns with PSS

When Go parses a certificate with rsaPSS OID, it will accept this
certificate but not parse the SubjectPublicKeyInfo, leaving the
PublicKeyAlgorithm and PublicKey fields blank, but otherwise not erring.
The same behavior occurs with rsaPSS OID CSRs.

On the other hand, when Go parses rsaPSS OID PKCS8 private keys, these
keys will fail to parse completely.

Thus, detect and fail on any empty PublicKey certs and CSRs, warning the
user that we cannot parse these correctly and thus refuse to operate.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Run more PKI tests in parallel

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add notes about PSS shortcomings to considerations

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-09-20 17:30:58 -04:00
Hamid Ghaf 35258379fd
adding missing telemetry entry for cached auth response (#17197) 2022-09-19 14:08:39 -04:00
Yoko Hyakuna 402b8279b4
Fix a broken URL (#17192) 2022-09-19 08:57:07 -07:00
Steven Clark 555a5833ec
Bring back managed key documentation update from ENT to OSS (#17190) 2022-09-19 11:46:30 -04:00
Max Coulombe 709c1bebf6
+ added Redis ElastiCache documentation (#17133)
* added Redis ElastiCache documentation
2022-09-19 10:26:49 -04:00
Scott Miller 7f38b0440e
Fetch CRLs from a user defined URL (#17136)
* Fetch CRLs from a user defined CDP (PoC)

* Handle no param sent

* Move CRL fetch to a periodFunc.  Use configured CA certs + system root as trusted certs for CRL fetch

* comments

* changelog

* Just use root trust

* cdp->url in api

* Store CRL and populate it initially in cdlWrite

* Update docs

* Update builtin/credential/cert/path_crls.go

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

* Handle pre-verification of a CRL url better

* just in case

* Fix crl write locking

* Add a CRL fetch unit test

* Remove unnecessary validity clear

* Better func name

* Don't exit early updating CRLs

* lock in updateCRLs

* gofumpt

* err-

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2022-09-16 16:44:30 -05:00
Luis (LT) Carbonell a0f4c18f44
Add links for service registration provides (#17170) 2022-09-16 15:28:18 -05:00
Mike Palmiotto fc87471580
docs: Add faq for deprecation status (#17096) 2022-09-16 15:38:40 -04:00
Theron Voran c9e5bee8d0
docs/vault-k8s: update for v1.0.0 release (#17165) 2022-09-16 08:46:39 -07:00
Jordan Reimer d258740f24
Prevent Requests to resultant-acl Endpoint When Unauthenticated (#17139)
* prevents requests to resultant-acl endpoint when not logged in

* removes unauthenticated mentions from resultant-acl api doc

* adds changelog entry
2022-09-15 12:45:33 -06:00
Jason O'Donnell 87350f927f
agent/auto-auth: add exit_on_err configurable (#17091)
* agent/auto-auth: add exit_on_err configurable

* changelog

* Update backoff function to quit

* Clarify doc

* Fix test
2022-09-15 11:00:31 -07:00
Austin Gebauer f9af44a0bb
auth/oidc: update docs for google workspace config (#17128)
* auth/oidc: update docs for google workspace config

* make fmt
2022-09-14 08:42:02 -07:00
Devon Powley bb0f93044f
Update Vault Azure Secrets docs for permanent deletion feature (#17045)
* Update Vault Azure Secrets docs for permanent deletion feature

* Add changelog for vault azure doc update

* Update CL based on PR feedback

Co-authored-by: Devon Powley <dpowley@users.noreply.github.com>
2022-09-13 16:25:19 -07:00
Scott Miller 12a8ef1cfd
Implement partial_failure_response_code_override for batch requests (#17118)
* Implement partial_failure_response_code_override for batch requests

* docs

* changelog

* one more test case
2022-09-13 12:51:09 -05:00
Alexander Scheel 1bbabf19d7
Add more docs on revocation changes (#17085)
* Add more notes about issuer revocation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Note BYOC in considerations

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add note about http access to CRLs, OCSP

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Recommend enabling auto-tidy & crl rebuilding

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing paths to personas

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-09-12 11:46:01 -05:00
Mike Palmiotto 9849af8663
Add deprecation status to plugin api and cli (#17077)
* api: Add deprecation status to plugin endpoints

* cli: Add -detailed flag to `plugin list`

* docs: Update plugin list/info docs
2022-09-09 16:03:07 -04:00
Steven Clark 5b5699e9b0
Update PKI documentation to clear up PKCS8 marshalling behavior (#17080)
- Update the documentation in regards to the private_key_format
   argument only controls the behavior of the private_key response field
   and does not modify the encoding of the private key within the
   pem_bundle.
2022-09-09 11:31:08 -04:00
Christopher Swenson 2c11121c19
Update docs for helm 0.22.0 (#17072)
Update docs for helm 0.22.0

Including Prometheus Operator support.

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2022-09-08 15:30:32 -07:00
deidra.prado ea8c6a32a8
Update validate.mdx (#17023)
Removed reference of ``` --header "X-Vault-Token: ..." \``` in Sample request. X-Vault-Token is not required for this endpoint.
2022-09-08 12:50:42 -07:00
Christopher Swenson 1926f71b0d
Update deprecation notice related to SHA-1 in Go 1.18+ (#17066)
Update deprecation notice related to SHA-1 in Go 1.18+

Go 1.19 has not removed SHA-1 support, and it is not clear yet when
they will remove support, so we need to slightly adjust our docs.
2022-09-08 11:58:44 -07:00
Kevin Wang bc568c4dea
Update index.mdx to fix broken link (#17052) 2022-09-08 14:04:02 -04:00
Jason O'Donnell ced0109c41
docs/k8s: use pod labels for upgrades (#17059)
* docs/helm: use pod labels for upgrades

* Grammar

* Update website/content/docs/platform/k8s/helm/run.mdx

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

* Update website/content/docs/platform/k8s/helm/run.mdx

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2022-09-08 11:13:11 -04:00
Troy Ready a79dc6c1e9
Minor doc grammar update (#17032)
Update to clarify present perfect tense.
2022-09-07 10:04:18 -04:00
Luis (LT) Carbonell cd574b5cc6
docs: update token type for auth enable CLI command (#17026)
* docs: update token type for enable

* update
2022-09-06 15:00:21 -05:00
Mike Palmiotto bf744e3bde
Handle deprecated builtins (#17005)
* core: Handle deprecated mounts on enable and unseal
* changelog: Deprecation Status handling
* core: Add Pending Removal override var
* core: Add some documentation for Pending Removal override
2022-09-06 15:49:35 -04:00
Matt Schultz 1aaace756f
Update transform documentation to include MSSQL. (#17021) 2022-09-06 10:55:48 -05:00
Rachel Culpepper a1fba8d29a
add missing flag to wrapKey command (#16988) 2022-09-06 10:52:02 -05:00
Scott Miller 606edb66d6
Add support for a dedicated HMAC type in Transit. (#16668)
* Get import correct

* limits, docs

* changelog

* unit tests

* And fix import for hmac unit test

* typo

* Update website/content/api-docs/secret/transit.mdx

Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>

* Update builtin/logical/transit/path_keys.go

Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>

* Validate key sizes a bit more carefully

* Update sdk/helper/keysutil/policy.go

Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>

Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>
2022-09-06 10:17:58 -05:00
aphorise e2805311be
Docs: GCP SA clarity. Resolved merge conflict. Closes: #12231. (#16787) 2022-09-06 08:11:34 -04:00
aphorise aab9c50577
Docs: PostgreSQL Docs added DB name note for connection_url. (#16789)
* Docs: PostgreSQL Docs added DB name note for connection_url. Relates to #12458.

* Trigger CI

Co-authored-by: Zlaticanin <zlaticaninmilena@gmail.com>
2022-09-06 08:10:50 -04:00
Tom Proctor 5bc9206e96
Docs: Add log level environment variable for Vault Lambda Extension (#17000) 2022-09-02 19:53:53 +01:00
Remco Buddelmeijer b93d6e44e0
Add fields 'ttl' and 'num_uses' to SecretID generation. (#14474)
* Add fields 'ttl' and 'num_uses' to SecretID generation.

Add fields 'ttl' and 'num_uses' when generating/obtaining a SecretID.
Rather than just being able to use the Role's SecretID ttl and num uses. #14390

* Add secret_id_num_uses response field to generating SecretID

Add the response field secret_id_num_uses to the endpoints for generating
SecretIDs. Used in testing but also to supply the vendor with this variable.

* Add tests for new ttl and num_uses SecretID generation fields

Add tests to assert the new TTL and NumUses option in the SecretID entry.
Separate test for testing with just parameters vs a -force example.

* Patch up test for ttl and num_uses fields

* Add changelog entry for auth/approle 'ttl' and 'num_uses' fields

* Add fields to API Docs and AppRole Auth Docs example

* Correct error message for failing test on missing field.
Change the error message produced when a test fails due to a missing field.
Previous values did not map to correct fields.

* Remove unnecessary int cast to int "secret_id_num_uses" field.
Unnecessary cast to int where type already is int.

* Move numUses field check to after assignment.

* Remove metadata entry in sample payload to limit change to changes made.
Remove metadata entry in sample payload for custom-secret-id. The metadata was not
changed in the features pull request.

* Bind fields 'ttl' and 'num_uses' to role's configuration.

Rather than implicitly overriding, error when the ttl is lower than and the num
uses higher than the role's configuration. #14390

* Update changelog 14474 with a more detailed description.

More elaborate description for the changelog. Specifying the per-request based fields.

* Elaborate more on the bounds of the 'ttl' and 'num_uses' field.

Specify in both the api-docs and the CLI the limits of the fields.
Specify that the role's configuration is still the leading factor.

* Upper bound ttl with role secret id ttl

Upper bound ttl with role secret id ttl when creating a secret id
Adding test cases for infinite ttl and num uses
Adding test cases for negative ttl and num uses
Validation on infinite ttl and num uses

* Formatting issues. Removed unnecessary newline

* Update documentation for AppRole Secret ID and Role

Changed that TTL is not allowed to be shorter to longer

* Cleanup approle secret ID test and impl

* Define ttl and num_uses in every test

Define ttl and num_uses in every test despite them not being tested.
This is to ensure that no unexpected behaviour comes to mind.

* Rename test RoleSecretID -> RoleSecretIDWithoutFields

* Test secret id generation defaults to Role's config

Test secret id generation defaults to Role's configuration entries.

* Change finit -> finite

Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>

* Rephrase comments to the correct validation check

* Rephrase role-secret-id option description

* Remove "default" incorrect statement about ttl

* Remove "default" incorrect statement about ttl for custom secret id

* Touch up approle.mdx to align more with path_role documentation

Co-authored-by: Remco Buddelmeijer <r.buddelmeijer@fullstaq.com>
Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
2022-09-02 09:29:59 -07:00
Florin Cătălin Țiucra-Popa 608a4777a0
Update pkcs11.mdx (#16994) 2022-09-02 09:01:29 -07:00
Jason O'Donnell 615d591486
auth/oidc: add extra context about claim names in doc (#16987) 2022-09-01 15:30:50 -07:00
André Freitas c59bb185bc
Fix typos in architecture page (#16978)
Some minor typos fix after I read the whole page.
2022-09-01 12:02:50 -07:00
Ikko Ashimine 2444e92917
docs: fix typo in faq.mdx (#16979)
occuring -> occurring
2022-09-01 10:01:01 -07:00
Mike Palmiotto 2c16be25e3
Add deprecation status to auth/secrets list (#16849)
* auth: Add Deprecation Status to auth list -detailed
* secrets: Add Deprecation Status to secrets list -detailed
* Add changelog entry for deprecation status list
2022-08-31 16:11:14 -04:00
Alexander Scheel b8576a8de4
Add ability to request manual rebuild of Delta CRLs (#16964)
* Add path to manually rebuild delta CRLs

The crl/rotate-delta path behaves like crl/rotate, triggering a
cluster-local rebuild of just the delta CRL. This is useful for when
delta CRLs are enabled with a longer-than-desired auto-rebuild period
after some high-profile revocations occur.

In the event delta CRLs are not enabled, this becomes a no-op.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for Delta CRL rebuilding

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update documentation about Delta CRLs

Also fixes a omission in the If-Modified-Since docs to mention that the
response header should probably also be passed through.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-31 12:42:59 -07:00
Alexander Scheel f0a127487b
Add ability to cancel PKI tidy operations, pause between tidying certs (#16958)
* Allow tidy operations to be cancelled

When tidy operations take a long time to execute (and especially when
executing them automatically), having the ability to cancel them becomes
useful to reduce strain on Vault clusters (and let them be rescheduled
at a later time).

To this end, we add the /tidy-cancel write endpoint.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing auto-tidy synopsis / description

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add a pause duration between tidying certificates

By setting pause_duration, operators can have a little control over the
resource utilization of a tidy operation. While the list of certificates
remain in memory throughout the entire operation, a pause is added
between processing certificates and the revocation lock is released.
This allows other operations to occur during this gap and potentially
allows the tidy operation to consume less resources per unit of time
(due to the sleep -- though obviously consumes the same resources over
the time of the operation).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for cancellation, pause

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add API docs on pause_duration, /tidy-cancel

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add lock releasing around tidy pause

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Reset cancel guard, return errors

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-31 11:36:12 -07:00
John-Michael Faircloth 96b97017b1
docs: update plugin docs for secrets/auth multiplexing (#16923)
* docs: update plugin docs for secrets/auth multiplexing

* update index

* update plugin development

* fix spacing in code snippet

* update links to multiplexing resources

* add note on sdk version and update db example text

* Update website/content/docs/plugins/plugin-architecture.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* reword index intro

* Update website/content/docs/plugins/plugin-development.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/plugins/plugin-development.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* remove word and fix code format

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-08-31 11:21:20 -07:00
Viacheslav Vasilyev d0b7362e36
OpenLDAP secrets documentation, reflect some other objects may have userPassword (#8918)
* Update index.mdx

* Docs: OpenLDAP userPassword clarity

corrected grammar slightly

Co-authored-by: aphorise <aphorise@gmail.com>
2022-08-31 09:58:25 -07:00
Zalary Young bed027db81
adds note about aws kms_key_id alias (#10693)
Co-authored-by: zalary <zalary@hashicorp.com>
2022-08-31 09:35:06 -07:00
Trishank Karthik Kuppusamy 303f59dce3
Allow configuring the possible salt lengths for RSA PSS signatures (#16549)
* accommodate salt lengths for RSA PSS

* address feedback

* generalise salt length to an int

* fix error reporting

* Revert "fix error reporting"

This reverts commit 8adfc15fe3303b8fdf9f094ea246945ab1364077.

* fix a faulty check

* check for min/max salt lengths

* stringly-typed HTTP param

* unit tests for sign/verify HTTP requests

also, add marshaling for both SDK and HTTP requests

* randomly sample valid salt length

* add changelog

* add documentation
2022-08-31 12:27:03 -04:00
Violet Hynes 2fb4ed211d
VAULT-7707 Add docs around making mass amounts of lease count quotas via automation (#16950)
* VAULT-7707 Add docs around making mass amounts of lease count quotas via automation

* VAULT-7707 Changelog

* VAULT-7707 add word

* VAULT-7707 Update some small wordings

* VAULT-7707 use a real em dash
2022-08-31 11:50:01 -04:00
Nick Cabatoff 1997fbb73f
Point people in the right direction for tokens used in transit autounseal. (#16951) 2022-08-31 10:37:25 -04:00
Steven Clark b21e06b917
Add remove_roots_from_chain to sign and issue pki apis (#16935)
* Add remove_roots_from_chain flag to sign and issue pki apis

 - Add a new flag to allow end-users to control if we return the
   root/self-signed CA certificate within the list of certificates in
   ca_chain field on issue and sign api calls.

* Add cl

* PR feedback
2022-08-31 09:51:26 -04:00
Andy Assareh 0a0efd47a4
Doc only: Dead Server Cleanup added in Vault 1.7 (#14297) 2022-08-31 08:34:47 -04:00
Sean Ellefson 11e53a956b
Added missing _ character to parameter (#14441) 2022-08-31 08:32:42 -04:00
Alexander Scheel a5fafd8163
Add ability to perform automatic tidy operations (#16900)
* Add ability to perform automatic tidy operations

This enables the PKI secrets engine to allow tidy to be started
periodically by the engine itself, avoiding the need for interaction.
This operation is disabled by default (to avoid load on clusters which
don't need tidy to be run) but can be enabled.

In particular, a default tidy configuration is written (via
/config/auto-tidy) which mirrors the options passed to /tidy. Two
additional parameters, enabled and interval, are accepted, allowing
auto-tidy to be enabled or disabled and controlling the interval
(between successful tidy runs) to attempt auto-tidy.

Notably, a manual execution of tidy will delay additional auto-tidy
operations. Status is reported via the existing /tidy-status endpoint.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on auto-tidy

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for auto-tidy

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Prevent race during parallel testing

We modified the RollbackManager's execution window to allow more
faithful testing of the periodicFunc. However, the TestAutoRebuild and
the new TestAutoTidy would then race against each other for modifying
the period and creating their clusters (before resetting to the old
value).

This changeset adds a lock around this, preventing the races.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use tidyStatusLock to gate lastTidy time

This prevents a data race between the periodic func and the execution of
the running tidy.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add read lock around tidyStatus gauges

When reading from tidyStatus for computing gauges, since the underlying
values aren't atomics, we really should be gating these with a read lock
around the status access.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-30 15:45:54 -04:00
Ivan Buymov 99213c2616
Add retry policy and fix documentation for Cassandra storage backend (#10467)
* add simple_retry policy and initial_connection_timeout options,
fix docs for connection_timeout

* Cassandra: policy fix - added changelog.

Co-authored-by: Mehdi Ahmadi <aphorise@gmail.com>
2022-08-30 11:00:48 -07:00