Commit graph

4876 commits

Author SHA1 Message Date
Alexander Scheel 44c3b736bf
Allow tidy to backup legacy CA bundles (#18645)
* Allow tidy to backup legacy CA bundles

With the new tidy_move_legacy_ca_bundle option, we'll use tidy to move
the legacy CA bundle from /config/ca_bundle to /config/ca_bundle.bak.
This does two things:

 1. Removes ca_bundle from the hot-path of initialization after initial
    migration has completed. Because this entry is seal wrapped, this
    may result in performance improvements.
 2. Allows recovery of this value in the event of some other failure
    with migration.

Notably, this cannot occur during migration in the unlikely (and largely
unsupported) case that the operator immediately downgrades to Vault
<1.11.x. Thus, we reuse issuer_safety_buffer; while potentially long,
tidy can always be run manually with a shorter buffer (and only this
flag) to manually move the bundle if necessary.

In the event of needing to recover or undo this operation, it is
sufficient to use sys/raw to read the backed up value and subsequently
write it to its old path (/config/ca_bundle).

The new entry remains seal wrapped, but otherwise isn't used within the
code and so has better performance characteristics.

Performing a fat deletion (DELETE /root) will again remove the backup
like the old legacy bundle, preserving its wipe characteristics.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation about new tidy parameter

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for migration scenarios

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clean up time comparisons

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-01-11 12:12:53 -05:00
Alexander Scheel a2c2f56923
Add pki health-check docs (#18517)
* Add documentation on vault pki health-check

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refer users to online docs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-01-11 11:46:30 -05:00
Divya Pola 55760606c2
Add documentation for KMIP features implemented in 1.13 (#18613)
* Add documentation for KMIP features implemented in 1.13

* Add release version for key format types

* Fix syntax

* Add supported hashing algorithms and padding methods

* Fix formatting

* Add  nit picks from review feedback
2023-01-11 20:33:05 +05:30
Ellie 90bc746379
docs: note that env vars must be set on the vault process and can be checked in 1.13 (#18652) 2023-01-10 15:35:45 -06:00
Peter Wilson e4685c10ef
VAULT-9883: Agent Reloadable Config (#18638)
* Update command/agent.go
* Attempt to only reload log level and certs
* Mimicked 'server' test for cert reload in 'agent'

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>

Left out the `c.config` tweak that meant changes to lots of lines of code within the `Run` function of Agent command. :)
2023-01-10 17:45:34 +00:00
Alexander Scheel 38de21468e
Add cluster_aia_path templating variable (#18493)
* Add cluster_aia_path templating variable

Per discussion with maxb, allow using a non-Vault distribution point
which may use an insecure transport for RFC 5280 compliance.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Address feedback from Max

Co-authored-by: Max Bowsher <maxbowsher@gmail.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Max Bowsher <maxbowsher@gmail.com>
2023-01-10 09:51:37 -05:00
Alexander Scheel 2ab775e60a
Add vault pki command website documentation (#18514)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-01-10 09:39:41 -05:00
Violet Hynes 8bcc08dccb
VAULT-12491 Add docs for group policy config (#18616)
* VAULT-12491 Add docs for group policy config

* VAULT-12491 typo

* VAULT-12491 typo

* VAULT-12491 Update language a bit

* VAULT-12491 Update language a bit

* VAULT-12491 Update language a bit
2023-01-09 12:50:16 -05:00
Christopher Swenson fae2935880
docs: Update PKCS#11 provider docs for XKS and RNG (#18597)
Better IV random generation is supported with XKS in the latest version
of the provider (0.1.3).
2023-01-05 09:42:52 -08:00
John-Michael Faircloth 58e2eb669b
docs: db plugin add link to lease docs (#18605) 2023-01-05 16:14:54 +00:00
Prasanna Kumar 9143d2f186
Correct sample payload at Generate Secret (#18561)
Correct sample payload of Generate Service Account Key secrets section
2023-01-04 16:00:16 -05:00
mickael-hc 4d5fb0aa68
docs: clarify parameter constraints limitations when using globs (#18593) 2023-01-04 15:58:27 -05:00
Steven Clark cfd5b8a933
Resolve unrecognized parameter warnings on batch_input parameter in transit (#18299)
* Resolve unused warnings on batch_input parameter in transit

* Add cl

* Fix text in hmac batch_input parameter description
2023-01-04 09:15:48 -05:00
Florin Cătălin Țiucra-Popa 82dedd8773
Update integrated-storage.mdx (#18581)
* Update integrated-storage.mdx

The old paragraph "The recommended deployment is either 3 or 5 servers." should match the "Minimums & Scaling" purpose from below.
It also reaffirms that, in a PRODUCTION environment,  a number of 5 nodes are the minimum requirement.

A rewording is also necessary: "The recommended deployment consists in a minimum of 5 or more of servers that are odd in their total (5, 7, etc)."

* Update website/content/docs/internals/integrated-storage.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2023-01-04 13:43:05 +01:00
Violet Hynes 0b15ad18a2
VAULT-12095 Support multiple config files for Vault Agent (#18403)
* VAULT-12095 Code changes for multi-config

* VAULT-12095 typo

* VAULT-12095 make vault non-nil during update

* VAULT-12095 docs

* VAULT-12095 small refactor

* VAULT-12095 typos
2023-01-03 12:50:19 -05:00
Robert 7858cc758f
secrets/gcp: add documentation for impersonated account support (#18519)
Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
2023-01-02 14:18:14 -06:00
Austin Gebauer 1b82aa5997
auth/oidc: fix permissions for Azure 200+ group workflow (#18532)
* auth/oidc: fix permissions for Azure 200+ group workflow

* use autonumbering
2022-12-22 23:51:08 +00:00
Christopher Swenson 7a048b1097
Update XKS docs to use AWS CLI (#18536)
And add note about requiring the zero IV until `vault-pkcs11-provider`
is released.
2022-12-22 23:20:21 +00:00
Ellie c16e9df88c
docs: highlight paragraph about path in kv secrets engines docs (#18413) 2022-12-19 13:52:22 -06:00
Jagger 1fd715f2cb
Fix typo (#18459)
If there are other typo related changes in flight, this fix can be included there.
2022-12-19 18:30:19 +00:00
Yoko Hyakuna fc79152c48
Update the notes about Consul Connect CA issue (#18444) 2022-12-16 10:52:42 -08:00
John-Michael Faircloth 74f5a44684
docs: update azure docs to reflect new managed identity support (#18357)
* docs: update azure docs to reflect new managed identity support

* update links and formatting

* update wording

* update resource_id description

* fix formatting; add section on token limitations

* fix link and formatting
2022-12-16 09:40:59 -06:00
divyaac cb3f47065f
Added default endpoint info. Added note about backwards compabitibility (#17972)
* Added default endpoint info. Added note about backwards compabitibility

* Change wording

* Added note to router
2022-12-15 13:01:56 -08:00
Turan Asikoglu 8c8a17f83b
[Doc] Fix minor inconsistencies with vault Helm chart (#18306)
* Fix minor inconsistencies with vault Helm chart

* extraSecretEnvironmentVars not a multiline string

* Trigger CCI
2022-12-15 11:59:09 -05:00
Alexander Scheel 3a5b48afe4
Correctly handle issuer tidying in auto-tidy config (#18347)
* Correctly handle issuer tidying in auto-tidy config

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing parameters to auto-tidy docs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-12-14 15:35:21 -05:00
Jason O'Donnell fccc90ce75
docs/policies: update denied_parameters description (#18366) 2022-12-14 16:51:02 +00:00
Mike Palmiotto 4b8747ab51
command/audit: Recommend multiple audit devices (#18348)
* command/audit: Add note about enabling multiple audit devices

* docs: Recommend multiple audit devices
2022-12-13 17:51:03 -05:00
John-Michael Faircloth 5d8897528f
docs: add note on aws snapstart incompatibility (#18344)
* add note on snapstart incompatibility

* update note with link to aws and more details

* fix typo
2022-12-13 15:38:38 -06:00
Scott Miller c9531431a4
Add the batch reference field, as in Transform, to Transit operations (#18243)
* Add the batch reference field, as in Transform, to Transit operations

* changelog

* docs

* More mapstructure tags
2022-12-13 12:03:40 -06:00
Scott Miller c1cfc11a51
Return the partial success code override for all batch error types (#18310)
* Return the partial success code override for all batch error types

* changelog

* docs

* Lost the actual override logic. :)

* And don't hardcode 400

* gate on success
2022-12-12 17:08:22 -06:00
Steven Clark 3bf683b872
Document adding metadata to entity alias within cert auth (#18308)
* Document adding metadata to entity alias within cert auth

* Update website/content/api-docs/auth/cert.mdx

Co-authored-by: tjperry07 <tjperry07@users.noreply.github.com>

Co-authored-by: tjperry07 <tjperry07@users.noreply.github.com>
2022-12-12 13:08:00 -05:00
Steven Zamborsky d639e4e8e3
Vault Docs Autopilot Typo (#18307)
Replace the hyphens with underscores in the `disable_upgrade_migration` parameter.
2022-12-12 09:46:09 -05:00
Sanad Haj Yahya 3b2e74477e
Server: add and support unix listener (UDS) (#18227)
Co-authored-by: shaj13 <hajsanad@gamil.com>
2022-12-09 12:28:18 -08:00
Meggie 3af208bcc9
Fix broken link (#18286) 2022-12-09 11:32:37 -05:00
Geoffrey Grosenbach 59a93ecdbc
Remove mention of public Vault trial license form (#18280)
No longer in use.
2022-12-09 09:04:37 -05:00
Violet Hynes 176c149a38
VAULT-8336 Fix default rate limit paths (#18273)
* VAULT-8336 Fix default rate limit paths

* VAULT-8336 changelog
2022-12-09 08:49:17 -05:00
Alexander Scheel f3911cce66
Add transit key config to disable upserting (#18272)
* Rename path_config -> path_keys_config

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add config/keys to disable upserting

Transit would allow anyone with Create permissions on the encryption
endpoint to automatically create new encryption keys. This becomes hard
to reason about for operators, especially if typos are subtly
introduced (e.g., my-key vs my_key) -- there is no way to merge these
two keys afterwards.

Add the ability to globally disable upserting, so that if the
applications using Transit do not need the capability, it can be
globally disallowed even under permissive policies.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on disabling upsert

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update website/content/api-docs/secret/transit.mdx

Co-authored-by: tjperry07 <tjperry07@users.noreply.github.com>

* Update website/content/api-docs/secret/transit.mdx

Co-authored-by: tjperry07 <tjperry07@users.noreply.github.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: tjperry07 <tjperry07@users.noreply.github.com>
2022-12-08 15:45:18 -05:00
Josh Black 4212cfd5f4
Update namespace LIST response example to be more accurate (#18274) 2022-12-08 12:05:34 -08:00
Roberto Pommella Alegro 5352c4b754
Docs: improve bound_audiences documentation for jwt role (#18265) 2022-12-07 12:50:09 -05:00
Violet Hynes 398cf38e1e
VAULT-11510 Vault Agent can start listeners without caching (#18137)
* VAULT-11510 Vault Agent can start listeners without caching

* VAULT-11510 fix order of imports

* VAULT-11510 changelog

* VAULT-11510 typo and better switch

* VAULT-11510 update name

* VAULT-11510 New api_proxy stanza to configure API proxy

* VAULT-11510 First pass at API Proxy docs

* VAULT-11510 nav data

* VAULT-11510 typo

* VAULT-11510 docs update
2022-12-05 10:51:03 -05:00
Alexander Scheel f86fdf530f
Allow templating cluster-local AIA URIs (#18199)
* Allow templating of cluster-local AIA URIs

This adds a new configuration path, /config/cluster, which retains
cluster-local configuration. By extending /config/urls and its issuer
counterpart to include an enable_templating parameter, we can allow
operators to correctly identify the particular cluster a cert was
issued on, and tie its AIA information to this (cluster, issuer) pair
dynamically.

Notably, this does not solve all usage issues around AIA URIs: the CRL
and OCSP responder remain local, meaning that some merge capability is
required prior to passing it to other systems if they use CRL files and
must validate requests with certs from any arbitrary PR cluster.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation about templated AIAs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* AIA URIs -> AIA URLs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* issuer.AIAURIs might be nil

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow non-nil response to config/urls

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Always validate URLs on config update

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Ensure URLs lack templating parameters

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Review feedback

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-12-05 10:38:26 -05:00
tjperry07 2e9f0e921b
remove semi colon (#18220) 2022-12-02 16:02:28 -05:00
Alex Cahn 71b790bd0f
Add Nutanix to the interoperability matrix (#18218) 2022-12-02 12:57:40 -05:00
Tom Proctor f5543bd25b
Docs: Add known issue for 1.12 plugin list endpoint (#18191) 2022-12-01 18:06:07 +00:00
Chris Capurso 5b731699a1
ENT supported storage updates (#17885)
* note that ENT supported storage check will log warning

* callout difference between 1.12.0 and 1.12.2

* add a bit more guidance

* startup -> start
2022-11-30 18:34:17 -05:00
Mike Palmiotto 117b09808d
docs: Add 1.12 upgrade note for pending removal builtins (#18176) 2022-11-30 23:07:00 +00:00
Christopher Swenson cbdbad0629
Add doc for AWS XKS Proxy with PKCS#11 Provider (#18149)
AWS announced [KMS External Key Store](https://aws.amazon.com/blogs/aws/announcing-aws-kms-external-key-store-xks/),
which we support using their reference [`xks-proxy`](https://github.com/aws-samples/aws-kms-xks-proxy)
software.
This adds a documentation page showing how to configure KMIP and the
PKCS#11 provider to to work with KMS and `xks-proxy`.

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2022-11-30 13:49:27 -08:00
Sudharshan K S 615aa4fdd9
Update nomad.mdx (#18134)
Corrected a typo
2022-11-29 09:39:15 -08:00
Peter Wilson 33e6a3a87c
VAULT-9900: Log rotation for 'agent' and 'server' commands (#18031)
* Work to unify log-file for agent/server and add rotation
* Updates to rotation code, tried to centralise the log config setup
* logging + tests
* Move LogFile to ShareConfig in test
* Docs
2022-11-29 14:07:04 +00:00
Tom Proctor 08e89a7e9e
Docs: vault-helm 0.23.0 updates (#18131) 2022-11-29 10:43:00 +00:00
Alexander Scheel 2a387b1d3a
Clarify that cluster_id differs between PR Primary/Secondary clusters (#18130)
Per conversation on Slack with Nick.

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2022-11-28 19:39:41 +00:00
Chris Capurso 2843cfcdc1
VAULT-9427: Add read support to sys/loggers endpoints (#17979)
* add logger->log-level str func

* ensure SetLogLevelByName accounts for duplicates

* add read handlers for sys/loggers endpoints

* add changelog entry

* update docs

* ignore base logger

* fix docs formatting issue

* add ReadOperation support to TestSystemBackend_Loggers

* add more robust checks to TestSystemBackend_Loggers

* add more robust checks to TestSystemBackend_LoggersByName

* check for empty name in delete handler
2022-11-28 11:18:36 -05:00
Violet Hynes 3d7f9a402f
VAULT-6368 Metrics-only listener for Agent (#18101)
* VAULT-6368 Metrics-only listener for Agent

* VAULT-6368 changelog

* VAULT-6368 Update config to use string instead of bool

* VAULT-6368 Fix leftover code

* VAULT-6368 Fix changelog

* VAULT-6368 fix typo

* VAULT-6368 recommended doc update

* VAULT-6368 use != over !(==)
2022-11-25 16:00:56 -05:00
Steven Clark 92c1a2bd0a
New PKI API to generate and sign a CRL based on input data (#18040)
* New PKI API to generate and sign a CRL based on input data

 - Add a new PKI API that allows an end-user to feed in all the
   information required to generate and sign a CRL by a given issuer.
 - This is pretty powerful API allowing an escape hatch for 3rd parties
   to craft customized CRLs with extensions based on their individual
   needs

* Add api-docs and error if reserved extension is provided as input

* Fix copy/paste error in Object Identifier constants

* Return nil on errors instead of partially filled slices

* Add cl
2022-11-22 11:41:04 -05:00
Bryce Kalow 642f6b0395
website: restrict node engines to <= 16.x (#18077) 2022-11-22 10:39:53 -05:00
Chris Capurso a14ba5f044
Add Consul Dataplane compatibility info to docs (#18041)
* add compatibility info to consul service reg docs

* fix alert formatting

* add consul dataplane compatibility partial

* add compat partial to more consul doc pages

* fix links
2022-11-22 08:56:18 -05:00
Chris Capurso 5f27ab3fed
mention Consul Dataplane compat in 1.12.x upgrade notes (#18066) 2022-11-22 08:55:35 -05:00
Chris Capurso d392754914
mention Consul Dataplane compat in 1.13.x upgrade notes (#18063)
* mention Consul Dataplane compat in 1.13.x upgrade notes

* change heading level

Co-authored-by: Meggie <meggie@hashicorp.com>

Co-authored-by: Meggie <meggie@hashicorp.com>
2022-11-21 19:11:13 +00:00
Meggie 99408e3372
Update MFA docs (#18049)
Some updates from our MFA discussion
2022-11-18 15:31:27 -05:00
Tom Proctor dc85e37cf4
storage/raft: Add retry_join_as_non_voter config option (#18030) 2022-11-18 17:58:16 +00:00
Alexander Scheel 75b70d84e6
Add list to cert auth's CRLs (#18043)
* Add crl list capabilities to cert auth

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add docs on cert auth CRL listing

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test for cert auth listing

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-18 11:39:17 -05:00
mickael-hc 8927a55741
docs: detail policies parameter for auth methods using tokenutil (#18015)
* docs: detail policies parameter for auth methods using tokenutil

* Update website/content/partials/tokenfields.mdx


Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2022-11-18 11:09:29 -05:00
Tom Proctor 6dd453080d
Docs: Clarify plugin versioning known issue (#17799) 2022-11-18 11:49:33 +00:00
Theron Voran 0909408f0c
docs/vault-k8s: updates for v1.1.0 (#18020) 2022-11-17 13:58:28 -08:00
John-Michael Faircloth 0acecb7ee0
add draft 1.13.x upgrade guide (#18023)
* add draft upgrade guide

* add note this is a draft

* make 1.13 guide hidden

* add heading for alicloud change
2022-11-17 15:57:16 -06:00
Steven Clark 01e87c481c
Add new PKI api to combine and sign different CRLs from the same issuer (#17813)
* Add new PKI api to combine and sign different CRLs from the same issuer

 - Add a new PKI api /issuer/<issuer ref>/resign-crls that will allow
   combining and signing different CRLs that were signed by the same
   issuer.
 - This allows external actors to combine CRLs into a single CRL across
   different Vault clusters that share the CA certificate and key material
   such as performance replica clusters and the primary cluster

* Update API docs

* PR Feedback - Delta CRL rename

* Update to latest version of main

* PR Feedback - Get rid of the new caEntry struct

* Address PR feedback in api-docs and PEM encoded response
2022-11-17 16:53:05 -05:00
Christopher Swenson 9724f2860d
Add docs for vault-k8s JSON patch (#17712)
From https://github.com/hashicorp/vault-k8s/pull/399

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2022-11-17 12:32:18 -08:00
Yoko Hyakuna 59cec0a96c
Add known issue about PKI secrets engine with Consul (#18003)
* Add known issue about PKI secrets engine with Consul

* Added KB article URL

* Update website/content/docs/secrets/pki/index.mdx

Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>

Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>
2022-11-17 10:09:41 -08:00
Brian Shumate 3775f69f3a
Docs: Enterprise TOTP updates (#18007)
* Docs: Enterprise TOTP updates

- Add note to TOTP about authenticator supported alogrithms
- Fix typos

* Path update
2022-11-17 08:50:01 -08:00
Steven Clark 0341c88030
Fix path typo in Generate Intermediate CSR PKI docs (#17989)
- Within the table specifying the various paths to generate a CSR
   in the PKI docs, the new issuers based api has a typo in it missing
   the issuers/ prefix.
 - Brought to our attention by Chelsea and Claire, thanks!
2022-11-16 18:23:13 -05:00
Meggie 775a1b3001
Docker Deprecation Update (#17825)
* Docker Deprecation Update

Trying to make implications and required changes a little clearer.

* Further clarifications
2022-11-16 10:33:14 -05:00
Alexander Scheel 82ac91907a
Add missing anchor for set-crl-configuration (#17959)
When renaming the header to Set Revocation Configuration, we broke
bookmarks. Add in the named anchor so the old bookmarks and links still
work.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-16 10:30:28 -05:00
Alexander Scheel a43e428b01
Fix docs by adding self-closing BRs (#17958)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-16 10:01:43 -05:00
Alexander Scheel ab395f2c79
Clarify more documentation on audit logging (#17957)
Thanks to Khai Tran for identifying that syslogging has a lower limit
on message size and sometimes large CRLs can hit that limit.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-16 09:21:29 -05:00
JD Goins 7b52e688f4
Fix link to architecture in AWS platform page (#17327) 2022-11-15 11:44:37 -06:00
Alexander Scheel 6cbfc4afb2
Docs clarifications around PKI considerations (#17916)
* Add clarifications on revocation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Talk about rationale for separating roots from intermediates

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-15 08:43:40 -05:00
Steven Clark b1b8b9fb69
Update api-doc about PKI automatic tidying of issuers and the default issuer (#17933) 2022-11-14 18:26:15 -05:00
divyaac 065782e75d
Added documentation for Introspection API (#17753)
* Added documentation for Introspection API

* Edit hyperlink in index doc

* Added the path to the nav file

* Edited some mispelled words

* Fix deployment issue. Change link in nav file

* Edit the router mdx and add response values

* Edit nav doc

* Changed hyperlink, changed response to json, changed some wording

* Remove requirement that the endpoint is off by default

* Update website/content/api-docs/system/inspect/router.mdx

Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>

* Update website/content/api-docs/system/inspect/router.mdx

Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>

* Update website/content/api-docs/system/inspect/index.mdx

Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>

Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
2022-11-11 09:50:44 -08:00
Chris Stella 1bae5eed3e
Update Azure 'key_type' description (#17903)
Updated the description for the 'key_type' parameter to read 'RSA-HSM' as the only supported value.
2022-11-11 09:42:37 -06:00
Peter Wilson 0fad0c3864
VAULT-8732: Add log-file to Vault Agent (#17841)
* Started work on adding log-file support to Agent
* Allow log file to be picked up and appended
* Use NewLogFile everywhere
* Tried to pull out the config aggregation from Agent.Run

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2022-11-11 10:59:16 +00:00
John Smart 6cc6875d6d
Add DataStax Astra DB to Partner DBs (#17814) 2022-11-10 16:18:47 -08:00
Anton Averchenkov f9fac68980
Revert "Add mount path into the default generated openapi.json spec (#17839)" (#17890)
This reverts commit 02064eccb42bb2ec1a3d12ec0d49c661312acd2d.
2022-11-10 15:39:53 -08:00
Anton Averchenkov f3aea876b9
Add mount path into the default generated openapi.json spec (#17839)
The current behaviour is to only add mount paths into the generated `opeanpi.json` spec if a `generic_mount_paths` flag is added to the request. This means that we would have to maintain two different `openapi.json` files, which is not ideal. The new solution in this PR is to add `{mount_path}` into every path with a default value specified:

```diff
--    "/auth/token/accessors/": {
++    "/auth/{mount_path}/accessors/": {
      "parameters": [
        {
          "name": "mount_path",
          "description": "....",
          "in": "path",
          "schema": {
            "type": "string",
++          "default": "token"
          }
        }
      ],
```

Additionally, fixed the logic to generate the `operationId` (used to generate method names in the code generated from OpenAPI spec). It had a bug where the ID had `mountPath` in it. The new ID will look like this:

```diff
-- "operationId": "listAuthMountpathAccessors",
++ "operationId": "listTokenAccessors",
```
2022-11-10 15:44:43 -05:00
Chris Capurso 8ad82d9de4
clarify that init recovery options are only available for auto unseal (#17862)
* clarify that init recovery options are only available for auto unseal

* add some language consistency

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2022-11-10 15:43:11 -05:00
Ron DeMena ccc291ae9e
Update interoperability-matrix.mdx (#17882)
* Update interoperability-matrix.mdx

Corrected obvious spelling miss.   Vaut to Vault

* Create 17882.txt

Noting changelog for spelling change in PR#17882

* Delete 17882.txt
2022-11-10 13:15:14 -05:00
Alexander Scheel 5a2ee4ca7a
Add automatic tidy of expired issuers (#17823)
* Add automatic tidy of expired issuers

To aid PKI users like Consul, which periodically rotate intermediates,
and provided a little more consistency with older versions of Vault
which would silently (and dangerously!) replace the configured CA on
root/intermediate generation, we introduce an automatic tidy of expired
issuers.

This includes a longer safety buffer (1 year) and logging of the
relevant issuer information prior to deletion (certificate contents, key
ID, and issuer ID/name) to allow admins to recover this value if
desired, or perform further cleanup of keys.

From my PoV, removal of the issuer is thus a relatively safe operation
compared to keys (which I do not feel comfortable removing) as they can
always be re-imported if desired. Additionally, this is an opt-in tidy
operation, not enabled by default. Lastly, most major performance
penalties comes with lots of issuers within the mount, not as much
large numbers of keys (as only new issuer creation/import operations are
affected, unlike LIST /issuers which is a public, unauthenticated
endpoint).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test for tidy

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add docs on tidy of issuers

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Restructure logging

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing fields to expected tidy output

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-10 10:53:26 -05:00
Michele Baldessari d04b91ed0a
Fix a typo around custom-metadata in kv put docs (#17876)
* Fix a typo around custom-metadata in kv put docs

There is a missing dash before 'custom-metadata':

    $ vault kv metadata put custom-metadata="foo=bar" secret/hub/config-demo
    Too many arguments (expected 1, got 2)
    $ vault kv metadata put -custom-metadata="foo=bar" secret/hub/config-demo
    Success! Data written to: secret/metadata/hub/config-demo

Signed-off-by: Michele Baldessari <michele@acksyn.org>

* Update website/content/docs/commands/kv/metadata.mdx

Signed-off-by: Michele Baldessari <michele@acksyn.org>
Co-authored-by: Alexander Scheel <alexander.m.scheel@gmail.com>
2022-11-10 09:00:19 -05:00
Chris Capurso 987e499a9e
clarify that certain policy examples are for KVv1 (#17861) 2022-11-09 15:42:58 -05:00
Alexander Scheel 06f30de35f
Optional automatic default issuer selection (#17824)
* Correctly preserve other issuer config params

When setting a new default issuer, our helper function would overwrite
other parameters in the issuer configuration entry. However, up until
now, there were none.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add new parameter to allow default to follow new

This parameter will allow operators to have the default issuer
automatically update when a new root is generated or a single issuer
with a key (potentially with others lacking key) is imported.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Storage migration tests fail on new members

These internal members shouldn't be tested by the storage migration
code, and so should be elided from the test results.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Follow new issuer on root generation, import

This updates the two places where issuers can be created (outside of
legacy CA bundle migration which already sets the default) to follow
newly created issuers when the config is set.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test for new default-following behavior

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-08 14:40:29 -05:00
Theron Voran 32cdd59cdb
docs/vault-k8s: update env example (#17818)
Specifying only `args` will just append them to the container image's
entrypoint instead of replacing it. Setting command overrides the
entrypoint, and args is then appended to the command.
2022-11-04 10:56:00 -07:00
Steven Clark 419ba9159c
Add new API to PKI to list revoked certificates (#17779)
* Add new API to PKI to list revoked certificates

 - A new API that will return the list of serial numbers of
   revoked certificates on the local cluster.

* Add cl

* PR feedback
2022-11-03 14:17:17 -04:00
Alexander Scheel ffa4825693
PKI - Fix order of chain building writes (#17772)
* Ensure correct write ordering in rebuildIssuersChains

When troubleshooting a recent migration failure from 1.10->1.11, it was
noted that some PKI mounts had bad chain construction despite having
valid, chaining issuers. Due to the cluster's leadership trashing
between nodes, the migration logic was re-executed several times,
partially succeeding each time. While the legacy CA bundle migration
logic was written with this in mind, one shortcoming in the chain
building code lead us to truncate the ca_chain: by sorting the list of
issuers after including non-written issuers (with random IDs), these
issuers would occasionally be persisted prior to storage _prior_ to
existing CAs with modified chains.

The migration code carefully imported the active issuer prior to its
parents. However, due to this bug, there was a chance that, if write to
the pending parent succeeded but updating the active issuer didn't, the
active issuer's ca_chain field would only contain the self-reference and
not the parent's reference as well. Ultimately, a workaround of setting
and subsequently unsetting a manual chain would force a chain
regeneration.

In this patch, we simply fix the write ordering: because we need to
ensure a stable chain sorting, we leave the sort location in the same
place, but delay writing the provided referenceCert to the last
position. This is because the reference is meant to be the user-facing
action: without transactional write capabilities, other chains may
succeed, but if the last user-facing action fails, the user will
hopefully retry the action. This will also correct migration, by
ensuring the subsequent issuer import will be attempted again,
triggering another chain build and only persisting this issuer when
all other issuers have also been updated.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remigrate ca_chains to fix any missing issuers

In the previous commit, we identified an issue that would occur on
legacy issuer migration to the new storage format. This is easy enough
to detect for any given mount (by an operator), but automating scanning
and remediating all PKI mounts in large deployments might be difficult.

Write a new storage migration version to regenerate all chains on
upgrade, once.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add issue to PKI considerations documentation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Correct %v -> %w in chain building errs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-03 11:50:03 -04:00
Ellie aa4448efd7
docs: in transit secret engine docs, specify order with batch_input param (#17770) 2022-11-03 08:50:47 -05:00
Alex Cahn 4c67919182
Update interoperability-matrix (#17793)
* Update interoperability-matrix.mdx

Updating the matrix to include new validations.

* Fixing a grammatical error
2022-11-02 17:32:53 -07:00
Tom Proctor ab658a3479
Docs: Add known issue for 1.12.1 builtin plugin version upgrades (#17783) 2022-11-02 21:36:49 +00:00
Tom Proctor e9ced09e70
Docs: Update plugin info API docs (#17760) 2022-11-02 20:03:17 +00:00
dyma solovei 1552f9ac4e
chore: Update seal.mdx, use consistent terminology (#17767)
This article seems to use the terms "shares" and "shards" interchangeably to describe the parts in which the secret is split under SSS.
While both seem to be correct, sticking to one term would save a newbie reader (like myself) the confusion.  

Since the Wikipedia article that's linked in this article only mentions "shares" and the CLI flags (for recovery keys) also use `-shares`, I opted for that.
2022-11-02 13:58:04 -06:00
Steven Clark 550fbdc41c
Return revocation info within existing certs/<serial> api (#17774)
* Return revocation info within existing certs/<serial> api

 - The api already returned both the certificate and a revocation_time
   field populated. Update the api to return revocation_time_rfc3339
   as we do elsewhere and also the issuer id if it was revoked.
 - This will allow callers to associate a revoked cert with an issuer

* Add cl

* PR feedback (docs update)
2022-11-02 13:06:04 -04:00
Violet Hynes a11f62abf2
VAULT-8518 Increase HMAC limit to 4096, and limit approle names to the same limit (#17768)
* VAULT-8518 Increase HMAC limit to 4096, and limit approle names to the same limit

* VAULT-8518 Changelog

* VAULT-8518 Sprintf the byte limit
2022-11-02 10:42:09 -04:00
Mark Lewis 0d3a4a3201
Update signed-ssh-certificates.mdx (#17746)
* Update signed-ssh-certificates.mdx

Add a pointer to the doc regarding reading back the pub key with the CLI

* Update website/content/docs/secrets/ssh/signed-ssh-certificates.mdx

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-31 12:33:46 -04:00
Alexander Scheel d5f6c36c1c
Clarify ssh/public_key response, recommend -format=raw (#17745)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-31 11:14:49 -04:00
Alexander Scheel 6d92ef4d9a
Fix raw format for other commands, add to docs! (#17730)
* Clarify when -format=raw fails

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Document Vault read's new -format=raw mode

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add raw format to usage, completion

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing support for raw format field printing

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Prohibit command execution with wrong formatter

This allows us to restrict the raw formatter to only commands that
understand it; otherwise, when running `vault write -format=raw`, we'd
actually hit the Vault server, but hide the output from the user. By
switching this to a flag-parse time check, we avoid running the rest of
the command if a bad formatter was specified.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-28 12:53:23 -04:00
Tom Proctor e4143f2b6f
Docs: Patch command ordering (#17725) 2022-10-28 08:39:44 -04:00
Tom Proctor 07b4e42c9b
Update documentation for vault-helm v0.22.1 release (#17695) 2022-10-28 11:56:02 +01:00
aphorise e73813c41f
Docs: API secret/ssh clarity on Create & Update (#17033)
* Docs: API secret/ssh clarity on Create & Update

Added clarity notes on required permissions (`update` & `create`) that's otherwise not obvious without experience of other mounts that have requirements for similar ACL to manage. Resolves #9888.

* Update website/content/api-docs/secret/ssh.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/api-docs/secret/ssh.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Docs: API secret/ssh clarity on Create & Update...

Reduced text (-1 line) further to feedback from @benashz; retaining details on `create` vs `update` difference as per [API transit method that calls this out too.](https://www.vaultproject.io/api-docs/secret/transit#encrypt-data)

* trigger ci

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2022-10-27 17:23:33 -07:00
davidadeleon 4f4a3b215a
Add mTLS and Load Balancers section to Enterprise Replication Documentation (#17676)
* Adding mTLS and Load Balancers section

* Adding patch CLI docs to nav JSON
2022-10-27 12:14:24 -07:00
aphorise 571cf3dc85
Docs: API overview text clarity & kv2 mention... #16746 (#16748)
* Docs: API overview text clarity & kv2 mention... #16746 

Corrected text and terminology. Relates to #6378 & should allow for closure of that issue too.
<img width="1158" alt="Screenshot 2022-08-16 at 19 23 20" src="https://user-images.githubusercontent.com/974854/184941452-2b2c680a-b6d5-4db6-85aa-e5dc672499f6.png">

* Trigger CI

* Update website/content/api-docs/index.mdx

Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>

* Update website/content/api-docs/index.mdx

Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>

* Update website/content/api-docs/index.mdx

Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>

* Update website/content/api-docs/index.mdx

Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>

* Update website/content/api-docs/index.mdx

Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>

* Updated based on feedback.

* Docs: API overview text clarity & kv2 mention...

Added KV2 explict further to feedback from @benashz.

Also:
 - Adjusted very first paragraph a bit.
 - improved grammer and over use of `via` and `to` in certian places.

Co-authored-by: Zlaticanin <zlaticaninmilena@gmail.com>
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2022-10-27 08:35:17 -07:00
Bernhard Kaindl bf3749ff6d
website: Update api-docs for /ssh/sign/:name and /ssh/issue/:name (#17694)
Extend the documentation the API endpoint '/ssh/issue/:name' (added
in #15561 with v1.12.0) and '/ssh/issue/:name':

- Be more specific that the issued certificate uses the defaults
  given of the role at the given endpoint; and that it is subject
  to the limitations configured in this role.

- Note that the endpoint /ssh/issue/:name is available with v1.12+.

- Make it more clear that the generated credentials are only returned
  but not stored by Vault (not just the generated private key).
2022-10-27 07:56:08 -07:00
Alexander Scheel 1733d2a3d6
Add support for PKCSv1_5_NoOID signatures (#17636)
* Add support for PKCSv1_5_NoOID signatures

This assumes a pre-hashed input has been provided to Vault, but we do
not write the hash's OID into the signature stream. This allows us to
generate the alternative PKCSv1_5_NoOID signature type rather than the
existing PKCSv1_5_DERnull signature type we presently use.

These are specified in RFC 3447 Section 9.2.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Exclude new none type from PSS based tests

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for PKCS#1v1.5 signatures

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-27 08:26:20 -04:00
Alexander Scheel 1721cc9f75
Add PATCH support to Vault CLI (#17650)
* Add patch support to CLI

This is based off the existing write command, using the
JSONMergePatch(...) API client method rather than Write(...), allowing
us to update specific fields.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on PATCH support

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-26 14:30:40 -04:00
Johan Brandhorst-Satzkorn 1dd9e1cb53
Fix rendering of custom response headers (#17652)
The double quote used broke syntax highlighting. Replace with a proper double quote.
2022-10-26 13:44:48 -04:00
Theron Voran 7553ef2c4a
docs/vault-helm: update cert-manager example (#17651)
Use injector.webhook.annotations instead of the deprecated
injector.webhookAnnotations
2022-10-26 10:12:06 -07:00
Yoko Hyakuna 337a2b1915
Added 'Manually Revocable' to the table (#17646) 2022-10-24 18:57:28 -07:00
Yoko Hyakuna ba9f94166b
Fix a broken link (#17644) 2022-10-24 17:09:33 -07:00
Alexander Scheel 09939f0ba9
Add AD mode to Transit's AEAD ciphers (#17638)
* Allow passing AssociatedData factories in keysutil

This allows the high-level, algorithm-agnostic Encrypt/Decrypt with
Factory to pass in AssociatedData, and potentially take multiple
factories (to allow KMS keys to work). On AEAD ciphers with a relevant
factory, an AssociatedData factory will be used to populate the
AdditionalData field of the SymmetricOpts struct, using it in the AEAD
Seal process.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add associated_data to Transit Encrypt/Decrypt API

This allows passing the associated_data (the last AD in AEAD) to
Transit's encrypt/decrypt when using an AEAD cipher (currently
aes128-gcm96, aes256-gcm96, and chacha20-poly1305). We err if this
parameter is passed on non-AEAD ciphers presently.

This associated data can be safely transited in plaintext, without risk
of modifications. In the event of tampering with either the ciphertext
or the associated data, decryption will fail.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add to documentation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-24 13:41:02 -04:00
Rowan Smith 85d759faf0
added note regarding persistence for log level changes (#17596) 2022-10-20 18:14:29 -07:00
Austin Gebauer 5d0aab1099
auth/azure: documents auth support for VMSS flexible orchestration (#17540)
* auth/azure: documents auth support for VMSS flexible orchestration

* adds changelog
2022-10-20 12:36:29 -07:00
divyaac a1548f0f2b
Edit Telemetry Docs (#17209) 2022-10-19 12:13:32 -07:00
Yoko Hyakuna 46cd8069be
[Release Notes] Add a note about storage support for VE (#17597)
* Add a note about storage support

* Add a row for VE storage backend
2022-10-19 08:26:24 -07:00
Bryce Kalow 3f25394b89
fixes more broken links (#17592) 2022-10-19 10:24:53 -04:00
Kapil Arora 2ab8b7fa23
Updated Name reported by k8s auth (#15507)
Since 1.9 k8s auth method supports setting  Name reported by auth method to Service Account name which is not reflected in this doc

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2022-10-19 11:15:54 +01:00
Rowan Smith 1c0f7ec491
Update aws.mdx (#16075)
* Update aws.mdx

* Update aws.mdx

* Update website/content/docs/auth/aws.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-10-18 22:09:21 -07:00
Bryce Kalow cc5db86fe1
reset redirects array (#17585) 2022-10-18 15:18:22 -04:00
HashiBot 6ba1362a6d
chore: Update Digital Team Files (#17589)
* Update generated scripts (should-build.sh)

* Update generated website Makefile

* Update generated scripts (website-start.sh)

* Update generated scripts (website-build.sh)
2022-10-18 15:18:12 -04:00
Bryce Kalow 34339ec9a8
website: fixes redirected links (#17574)
* fixes redirected links

* fix broken link to key wrapping guide
2022-10-18 14:06:27 -04:00
Bernd Straehle 392fad9365
Rename "Google Apigee" to "Apigee" (#17561) 2022-10-18 15:07:39 +01:00
Mike Wickett 33679fdd39
fix broken link to transit key wrap (#17566) 2022-10-18 09:54:29 -04:00
Jose Diaz-Gonzalez 0bbd57a561
docs: add a missing letter to the upgrade guide (#17554) 2022-10-17 10:02:37 -07:00
Chris Capurso 2e1dc4ed24
Add storage check upgrade notes (#17539)
* docs for ent storage check

* add 1.12.x upgrade notes

* Make ENT distinction a little clearer

Co-authored-by: Meggie <meggie@hashicorp.com>
2022-10-13 19:22:34 -04:00
Scott Miller 7bd4755142
Document the deletion_allowed transform flag (#17544)
* Document the deletion_allowed transform flag

* Remove duplicated sentence
2022-10-13 16:31:07 -05:00
deidra.prado 0a4779ef76
Update raft.mdx join endpoint example (#17525)
Update to remove "X-Vault-Token" from /sys/storage/raft/join Sample Request. Token not required for this endpoint.
2022-10-13 08:40:46 -07:00
Alexander Scheel 26503e8540
Add note about transit BYOK key formats (#17529)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-13 09:10:26 -05:00
Alexander Scheel 838bac037d
Clarify language around PSS CSR issues (#17528)
* Clarify language around PSS CSR issues

Also point out that PKCS#11 tokens have the same problem.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update website/content/docs/secrets/pki/considerations.mdx

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2022-10-13 09:45:58 -04:00
Shueh Chou Lu 2f99734a49
doc: fix broken link in transit api (#17501)
synchronize the doc between two import api
2022-10-12 10:51:42 -07:00
Tom Proctor 918ce6f90e
Docs: Plugin versioning documentation (#17460)
Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
2022-10-11 23:12:02 +01:00
Violet Hynes ee85f0098a
VAULT-1603 add sys/quotas to root-only api path docs (#17496) 2022-10-11 15:09:29 -04:00
Mike Palmiotto aad41fba5b
docs: Update retry_join Known Issue versions (#17474)
Update the doc to show affected versions 1.11.2 and 1.10.6.
2022-10-11 11:54:36 -04:00
Anton Averchenkov 1c102979ba
Remove Async-HVAC from recommended libraries list (#17480) 2022-10-10 17:15:32 -04:00
Austin Gebauer ae17e57e73
secrets/ldap: updates documentation (#17481)
* secrets/ldap: updates documentation

* Update website/content/docs/secrets/ldap.mdx

Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
2022-10-10 13:43:59 -07:00
Brian Shumate 5264783e6c
Docs: Update Transform API (#17477)
- Correct some methods in sample requests
2022-10-10 13:25:31 -04:00
aphorise e4960d0fb0
Docs: What is Vault missing 'S' resolves: #16587 (#17183) 2022-10-10 10:34:21 -04:00
Mike Palmiotto 9dc8744885
Update main to go 1.19.2 (#17437)
* Update go version to 1.19.2

This commit updates the default version of go to 1.19.2. This update
includes minor security fixes for archive/tar, net/http/httputil, and
regexp packages.

For more information on the release, see: https://go.dev/doc/devel/release#go1.19.2

* Update Docker versions in CI to 20.10.17

After updating Vault to go version 1.19.2, there were several SIGABRTs
in the vault tests. These were related to a missing `pthread_create`
syscall in Docker. Since CI was using a much older version of Docker,
the fix was to bump it to latest-1 (20.10.17).

While we're at it, add a note in the developer docs encouraging the use
of the latest Docker version.
2022-10-07 14:24:14 -04:00
Nick Cabatoff 39c7e7c191
Add more raft metrics, emit more metrics on non-perf standbys (#12166)
Add some metrics helpful for monitoring raft cluster state.

Furthermore, we weren't emitting bolt metrics on regular (non-perf) standbys, and there were other metrics
in metricsLoop that would make sense to include in OSS but weren't.  We now have an active-node-only func,
emitMetricsActiveNode.  This runs metricsLoop on the active node.  Standbys and perf-standbys run metricsLoop
from a goroutine managed by the runStandby rungroup.
2022-10-07 09:09:08 -07:00
Austin Gebauer db8c690684
secrets/ldap: updates API documentation (#17448)
* secrets/ldap: updates API documentation

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>
2022-10-07 08:50:37 -05:00
Peter Wilson 191f6e4bf0
Add 'note' for surpassing dead server threshold time (#17455)
* Add 'note' for surpassing dead server threshold time

* Update website/content/docs/commands/operator/raft.mdx

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2022-10-07 14:26:56 +01:00
Alexander Scheel a2b1f00a9b
Better docs on PKI key stuff (#17443)
* Clarify signature_bits restrictions apply relative to issuer's key

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify key_type=any roles must sign CSRs; cannot generate keys

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-06 15:27:53 -04:00
HashiBot e54441b725
Upgrade next version (#17445)
Co-authored-by: Bryce Kalow <bkalow@hashicorp.com>
2022-10-06 15:19:11 -04:00
Alexander Scheel b85d6ec434
Fix RevocationSigAlgo support in OCSP (#17436)
* Allow OCSP to use issuer's RevocationSigAlgo

When an issuer specifies a RevocationSigAlgo, we should largely follow
this for both CRLs and OCSP. However, x/crypto/ocsp lacks support for
PSS signatures, so we drop these down to PKCS#1v1.5 instead.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add warning when issuer has PSS-based RevSigAlgo

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add note about OCSP and PSS support

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-06 12:01:12 -04:00
Austin Gebauer 6bba760da0
docs/ldap: rename openldap secrets to ldap secrets (#17433) 2022-10-05 13:16:26 -07:00
Florin Cătălin Țiucra-Popa 4af76eda14
Update oracle.mdx (#17401)
Remove the duplicated "the" word.
Instead of "the the" it should be only "the".
2022-10-05 10:29:35 -07:00
Josh Black c7d8e7c7f6
Raft index telemetry and docs (#17397)
* add raft index to telemetry

* add definitions and defaults to both autopilot pages

* adjust messages

* Revert "add raft index to telemetry"

This reverts commit 010b091c7e35c1da677567746db90b490ca707ab.
2022-10-04 11:46:11 -07:00
Christopher Swenson ff8d8338cc
docs: Add docs for PKCS#11 provider (#17312)
docs: Add docs for PKCS#11 provider

The PKCS#11 provider is being released shortly.
This moves over the preliminary docs and cleans them up.

I added them as a new section under "Vault Enterprise" ->
"PKCS#11 Provider", but I am open to suggestion on if there is a
better place for them, e.g., "Platforms", or somehow merging
with "Vault Enterprise" -> "HSM"?

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-10-03 11:11:46 -07:00
Divya Pola bc9be4064b
Add documentation for KMIP features implemented in 1.12 (#17294)
* Add documentation for KMIP features implemented in 1.12

* Add documentation for kmip-profiles

* Address PR review feedback

* PR review feedback - update links, add intro and remove collapsed tables

* Add PR review feedback
2022-10-03 12:39:04 -05:00
Steven Clark 10ecf10248
PKI: Add support for signature_bits param to the intermediate/generate api (#17388)
* PKI: Add support for signature_bits param to the intermediate/generate api

 - Mainly to work properly with GCP backed managed keys, we need to
   issue signatures that would match the GCP key algorithm.
 - At this time due to https://github.com/golang/go/issues/45990 we
   can't issue PSS signed CSRs, as the libraries in Go always request
   a PKCS1v15.
 - Add an extra check in intermediate/generate that validates the CSR's
   signature before providing it back to the client in case we generated
   a bad signature such as if an end-user used a GCP backed managed key
   with a RSA PSS algorithm.
   - GCP ignores the requested signature type and always signs with the
     key's algorithm which can lead to a CSR that says it is signed with
     a PKCS1v15 algorithm but is actually a RSA PSS signature

* Add cl

* PR feedback
2022-10-03 12:39:54 -04:00
Austin Gebauer fdc6e2e46a
auth/oidc: fix documentation link anchors for Google Workspace integration (#17379) 2022-10-03 09:09:35 -07:00
Loann Le b7bcd61a42
Vault documentation: release notes for 1.12 (#17237)
* added new release notes

* new rns

* added changelog link

* incorporated feeedback

* Update website/content/docs/release-notes/1.12.0.mdx

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Incorporated additional changes

* Update website/content/docs/release-notes/1.12.0.mdx

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

* Update website/content/docs/release-notes/1.12.0.mdx

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

* Removed TFVP and added Redis and Elasticache to the release highlights

* Update website/content/docs/release-notes/1.12.0.mdx

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

* Update website/content/docs/release-notes/1.12.0.mdx

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

* Update website/content/docs/release-notes/1.12.0.mdx

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2022-10-03 08:36:02 -07:00
Alex Cahn 9542cffa65
Updating the VIP..again (#17375)
* Updating the VIP..again

* Update website/content/docs/partnerships.mdx

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2022-09-30 17:02:34 -07:00
Peter Wilson 42ba1384ff
Added flag and env var which will disable client redirection (#17352)
* Added flag and env var which will disable client redirection

* Added changelog

* Docs fix for unsaved file, and test single request made

* Updated test for case when redirect is enabled, updated docs based on suggestions
2022-09-30 09:29:37 +01:00
Mike Palmiotto 0078822d1d
core: Parse VAULT_ALLOW_PENDING_REMOVAL_MOUNTS as bool (#17319)
* core: Parse VAULT_ALLOW_PENDING_REMOVAL_MOUNTS as bool

* docs: Update VAULT_ALLOW_PENDING_REMOVAL_MOUNTS doc
2022-09-29 14:35:52 -04:00
Loann Le e27204c57b
updated table for 1.12 release (#17362) 2022-09-29 10:47:58 -07:00
Tom Proctor 12ca81bc9b
cli/api: Update plugin listing to always include version info in the response (#17347) 2022-09-29 18:22:33 +01:00
mickael-hc e885ccfd8c
fix formatting for note in audit section (#17335) 2022-09-28 10:17:36 -07:00
Steven Clark c746befced
Update docs for new test/sign params for managed key api and GCP parameters (#17323)
* Update docs for new test/sign params for managed key api

 - The existing test/sign managed key api now has two new api params
   allowing an operator to specify to use RSA PSS signatures (use_pss)
   and to specify the hashing algorithm to use (hash_algorithm)

* Remove duplicate GCP signing algo entry

* Formatting nits and mention the key_ring for GCP needs to exist prior to usage

* Add some additional GCP environment vars
2022-09-27 16:17:44 -04:00
mickael-hc feddc21019
docs: clarify json types and workaround (#17318)
* docs: clarify json types and workaround

* Apply suggestions from code review

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-09-27 15:35:41 -04:00
Violet Hynes 5bc85b08ef
VAULT-8144 Improve docs around exec (#17316)
* VAULT-8144 Improve docs around exec

* VAULT-8144 Add justification
2022-09-26 14:39:49 -04:00
Milena Zlaticanin 89aa236bc5
docs/api-docs for Redis (#17029)
* docs/api-docs for Redis

* update doc

* add navigation to the docs

* Update website/content/api-docs/secret/databases/redis.mdx

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>

* Update website/content/docs/secrets/databases/redis.mdx

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>

* update setup list and lang tag for shell code blocks

* update language tag

* update based on suggestions

* update docs to include tls params

* add plugin to the plugin portal doc

* add -

* update api-docs-nav-data.json

* update field name

* Update website/content/docs/secrets/databases/redis.mdx

Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>

* Update website/content/docs/secrets/databases/redis.mdx

Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>

* Update website/content/docs/secrets/databases/redis.mdx

Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>

* Update website/content/docs/secrets/databases/redis.mdx

Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>

* Update website/content/api-docs/secret/databases/redis.mdx

Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>

* update docs

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>
2022-09-23 10:25:43 -05:00
Alexander Scheel 0c76168d3d
Add note about issuer naming and CRLs (#17298)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-09-23 10:04:54 -04:00
Rachel Culpepper b17ea8c6bd
Add managed key docs for gcp (#17280)
* add managed key docs for gcp

* fix algorithm parameter

* add missing bracket
2022-09-22 14:44:21 -05:00
Hridoy Roy 5477fd86fa
Activity new clients for current month docs (#16472)
* docs draft

* docs complete

* change json for legibility

* change json for legibility

* namespace and mount attribution should exist outside new clients stanza

* address feedback

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* remove version from doc

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-09-22 10:00:18 -07:00
Rachel Culpepper 1c69e690aa
Transform BYOK Documentation (#17121)
* add api docs for transform byok endpoints

* add byok description to transform index page

* fix merge conflicts

* remove import_version for FPE

* text edits and add note about convergent tokenization

* add note for convergent tokenization
2022-09-22 10:56:12 -05:00
Bryce Kalow dfc3ad015a
website: content updates for developer (#17035)
* Chore (dev portal): update learn nav data links  (#15515)

* Update docs-nav-data.json

* Update docs-nav-data.json

* website: fixes internal redirects (#15750)

* chore: remove duplicate overview item (#15805)

* Use `badge` for `<sup>` tags in nav data JSON files (#15928)

* Replacing <sup> tags with badge

* Adding type and color to badges

* fix broken links in vault docs (#15976)

* website: Update old learn links to redirect locations (#16047)

* update previews to render developer UI

* update redirects

* adjust content so it is backwards compat

Co-authored-by: HashiBot <62622282+hashibot-web@users.noreply.github.com>
Co-authored-by: Kendall Strautman <36613477+kendallstrautman@users.noreply.github.com>
Co-authored-by: Ashlee M Boyer <43934258+ashleemboyer@users.noreply.github.com>
2022-09-22 08:11:04 -07:00
Mike Palmiotto dc3beb428e
docs: Update agent autoauth sinks examples (#17229) 2022-09-21 14:19:16 -04:00
DevOps Rob 6495522ab7
adding boundary and waypoint plugins to portal (#17259) 2022-09-21 14:05:17 -04:00
Yoko Hyakuna 9164d04262
Remove extra spaces in the table (#17257) 2022-09-21 08:42:51 -07:00
Bernd Straehle 3623271601
vault-plugin-secrets-apigee (#17249) 2022-09-21 09:08:25 -04:00
Alexander Scheel ad3a093b40
Prevent PSS with Go-incompatible CAs, CSRs, Private Keys (#17223)
* Fix interoperability concerns with PSS

When Go parses a certificate with rsaPSS OID, it will accept this
certificate but not parse the SubjectPublicKeyInfo, leaving the
PublicKeyAlgorithm and PublicKey fields blank, but otherwise not erring.
The same behavior occurs with rsaPSS OID CSRs.

On the other hand, when Go parses rsaPSS OID PKCS8 private keys, these
keys will fail to parse completely.

Thus, detect and fail on any empty PublicKey certs and CSRs, warning the
user that we cannot parse these correctly and thus refuse to operate.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Run more PKI tests in parallel

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add notes about PSS shortcomings to considerations

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-09-20 17:30:58 -04:00
Hamid Ghaf 35258379fd
adding missing telemetry entry for cached auth response (#17197) 2022-09-19 14:08:39 -04:00
Yoko Hyakuna 402b8279b4
Fix a broken URL (#17192) 2022-09-19 08:57:07 -07:00
Steven Clark 555a5833ec
Bring back managed key documentation update from ENT to OSS (#17190) 2022-09-19 11:46:30 -04:00
Max Coulombe 709c1bebf6
+ added Redis ElastiCache documentation (#17133)
* added Redis ElastiCache documentation
2022-09-19 10:26:49 -04:00
Scott Miller 7f38b0440e
Fetch CRLs from a user defined URL (#17136)
* Fetch CRLs from a user defined CDP (PoC)

* Handle no param sent

* Move CRL fetch to a periodFunc.  Use configured CA certs + system root as trusted certs for CRL fetch

* comments

* changelog

* Just use root trust

* cdp->url in api

* Store CRL and populate it initially in cdlWrite

* Update docs

* Update builtin/credential/cert/path_crls.go

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

* Handle pre-verification of a CRL url better

* just in case

* Fix crl write locking

* Add a CRL fetch unit test

* Remove unnecessary validity clear

* Better func name

* Don't exit early updating CRLs

* lock in updateCRLs

* gofumpt

* err-

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2022-09-16 16:44:30 -05:00
Luis (LT) Carbonell a0f4c18f44
Add links for service registration provides (#17170) 2022-09-16 15:28:18 -05:00
Mike Palmiotto fc87471580
docs: Add faq for deprecation status (#17096) 2022-09-16 15:38:40 -04:00
Theron Voran c9e5bee8d0
docs/vault-k8s: update for v1.0.0 release (#17165) 2022-09-16 08:46:39 -07:00
Jordan Reimer d258740f24
Prevent Requests to resultant-acl Endpoint When Unauthenticated (#17139)
* prevents requests to resultant-acl endpoint when not logged in

* removes unauthenticated mentions from resultant-acl api doc

* adds changelog entry
2022-09-15 12:45:33 -06:00
Jason O'Donnell 87350f927f
agent/auto-auth: add exit_on_err configurable (#17091)
* agent/auto-auth: add exit_on_err configurable

* changelog

* Update backoff function to quit

* Clarify doc

* Fix test
2022-09-15 11:00:31 -07:00
Austin Gebauer f9af44a0bb
auth/oidc: update docs for google workspace config (#17128)
* auth/oidc: update docs for google workspace config

* make fmt
2022-09-14 08:42:02 -07:00
Devon Powley bb0f93044f
Update Vault Azure Secrets docs for permanent deletion feature (#17045)
* Update Vault Azure Secrets docs for permanent deletion feature

* Add changelog for vault azure doc update

* Update CL based on PR feedback

Co-authored-by: Devon Powley <dpowley@users.noreply.github.com>
2022-09-13 16:25:19 -07:00
Scott Miller 12a8ef1cfd
Implement partial_failure_response_code_override for batch requests (#17118)
* Implement partial_failure_response_code_override for batch requests

* docs

* changelog

* one more test case
2022-09-13 12:51:09 -05:00
Alexander Scheel 1bbabf19d7
Add more docs on revocation changes (#17085)
* Add more notes about issuer revocation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Note BYOC in considerations

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add note about http access to CRLs, OCSP

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Recommend enabling auto-tidy & crl rebuilding

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing paths to personas

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-09-12 11:46:01 -05:00
Mike Palmiotto 9849af8663
Add deprecation status to plugin api and cli (#17077)
* api: Add deprecation status to plugin endpoints

* cli: Add -detailed flag to `plugin list`

* docs: Update plugin list/info docs
2022-09-09 16:03:07 -04:00
Steven Clark 5b5699e9b0
Update PKI documentation to clear up PKCS8 marshalling behavior (#17080)
- Update the documentation in regards to the private_key_format
   argument only controls the behavior of the private_key response field
   and does not modify the encoding of the private key within the
   pem_bundle.
2022-09-09 11:31:08 -04:00
Christopher Swenson 2c11121c19
Update docs for helm 0.22.0 (#17072)
Update docs for helm 0.22.0

Including Prometheus Operator support.

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2022-09-08 15:30:32 -07:00
deidra.prado ea8c6a32a8
Update validate.mdx (#17023)
Removed reference of ``` --header "X-Vault-Token: ..." \``` in Sample request. X-Vault-Token is not required for this endpoint.
2022-09-08 12:50:42 -07:00
Christopher Swenson 1926f71b0d
Update deprecation notice related to SHA-1 in Go 1.18+ (#17066)
Update deprecation notice related to SHA-1 in Go 1.18+

Go 1.19 has not removed SHA-1 support, and it is not clear yet when
they will remove support, so we need to slightly adjust our docs.
2022-09-08 11:58:44 -07:00
Kevin Wang bc568c4dea
Update index.mdx to fix broken link (#17052) 2022-09-08 14:04:02 -04:00
Jason O'Donnell ced0109c41
docs/k8s: use pod labels for upgrades (#17059)
* docs/helm: use pod labels for upgrades

* Grammar

* Update website/content/docs/platform/k8s/helm/run.mdx

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

* Update website/content/docs/platform/k8s/helm/run.mdx

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2022-09-08 11:13:11 -04:00
Troy Ready a79dc6c1e9
Minor doc grammar update (#17032)
Update to clarify present perfect tense.
2022-09-07 10:04:18 -04:00
Luis (LT) Carbonell cd574b5cc6
docs: update token type for auth enable CLI command (#17026)
* docs: update token type for enable

* update
2022-09-06 15:00:21 -05:00
Mike Palmiotto bf744e3bde
Handle deprecated builtins (#17005)
* core: Handle deprecated mounts on enable and unseal
* changelog: Deprecation Status handling
* core: Add Pending Removal override var
* core: Add some documentation for Pending Removal override
2022-09-06 15:49:35 -04:00