* store version history as utc; add self-heal logic
* add sys/version-history endpoint
* change version history from GET to LIST, require auth
* add "vault version-history" CLI command
* add vault-version CLI error message for version string parsing
* adding version-history API and CLI docs
* add changelog entry
* some version-history command fixes
* remove extraneous cmd args
* fix version-history command help text
* specify in docs that endpoint was added in 1.10.0
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* enforce UTC within storeVersionTimestamp directly
* fix improper use of %w in logger.Warn
* remove extra err check and erroneous return from loadVersionTimestamps
* add >= 1.10.0 warning to version-history cmd
* move sys/version-history tests
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
Adding a note on the parameter necessary for deletion on a key deletion example seems like a good idea.
From my limited research I found other people that had trouble finding the relevant part of the documentation.
Though I'm not sure this is the best wording or formatting for it.
Added an example to explicitly show how to perform a Rekey operation when the Vault cluster is using Auto Unseal. This is placed as the second example.
The existing example code combines with the PGP keys so added a simple example without the PGP keys.
* CLI changes for new mount tune config parameter allowed_managed_keys
* Correct allowed_managed_keys description in auth and secrets
* Documentation update for secrets and removed changes for auth
* Add changelog and remove documentation changes for auth
* removed changelog
* Correct the field description
* docs for counting tokens without entities
* Update website/content/docs/concepts/client-count.mdx
Co-authored-by: swayne275 <swayne275@gmail.com>
* remove parens in docs
* Update website/content/docs/concepts/client-count.mdx
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* Update website/content/docs/concepts/client-count.mdx
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* update documentation to be consistent with the non-entity token terminology
* Update website/content/docs/concepts/client-count.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/docs/concepts/client-count.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* add line about client ids to the api docs
* syntax and grammar
Co-authored-by: swayne275 <swayne275@gmail.com>
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* add api lock doc
* add docs nav data
* Update website/content/api-docs/system/namespaces.mdx
Co-authored-by: Chris Capurso <christopher.capurso@gmail.com>
* update command doc
* clarify locked http status code
* add example exempt path
* further exempt clarification
* link api locked response
* add x-vault-namespace api example
* Update website/content/docs/concepts/namespace-api-lock.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* review suggestions
* few other small tweaks
Co-authored-by: Chris Capurso <christopher.capurso@gmail.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Add note that monitor command may truncate logs
* Apply suggestions from code review
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* add data patch section to kv-v2 api docs
* fix trucated output for kv put command with cas cmd in kv-v2 docs
* wip vault kv patch CLI docs
* add new flags to 'vault kv patch' CLI command docs
* fix cas_required formatting
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* fix cas formatting
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* additional format fixes
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* operator generate-root -decode: allow token from stdin
Allow passing "-" as the value for -decode, causing the encoded token to
be read from stdin. This is intended to prevent leaking the encoded
token + otp into process logs in enterprise environments.
* add changelog entry for PR12881
* add check/test for empty decode value passed via stdin
* patch to support VAULT_HTTP_PROXY variable
* simplify the proxy replacement
* internal code review
* rename to VAULT_HTTP_PROXY, apply within ReadEnvironment
* clean up some unintended whitespace changes
* add docs for the new env variable and a changelog entry
Co-authored-by: Dave Du Cros <davidducros@gmail.com>
* VAULT-2285 adding capability to accept comma separated entries for auth enable/tune
* Adding changelog
* Adding logic to detect invalid input parameter for auth enable config
* Updating tune.mdx
* Updating secret enable/tune for comma separated parameters
* Adding further parameter checks for auth/secret tests
Fixing changelog
using builtin type for a switch statement
Fixing a possible panic scenario
* Changing a function name, using deep.Equal instead of what reflect package provides
* Fixing auth/secret enable/tune mdx files
* One more mdx file fix
* Only when users provide a single comma separated string in a curl command, split the entries by commas
* Fixing API docs for auth/mount enable/tune for comma separated entries
* updating docs, removing an unnecessary switch case
* Add link to Learn's usage tutorial
* Update website/content/docs/commands/operator/usage.mdx
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
* snapshot
* basic test
* update command and add documentation
* update help text
* typo
* add changelog for lease lookup command
* run go mod vendor
* remove tabs from help output
* Update init.mdx
Updated operator init documentation to try to avoid steering customers towards running Auto Unseal seals with recovery-shares=1 and recovery-threshold=1. This is a bad security posture, as it can allow a single user with access to that recovery share to create root tokens and do other very sensitive tasks.
Also rewrote parts of the HSM/KMS Options section to indicate that recovery-related options are not solely for HSM-mode Vault but are for ANY Auto Unseal seal.
* Update website/content/docs/commands/operator/init.mdx
Adding an appropriate number of recovery-pgp-keys
Co-authored-by: Yoko <yoko@hashicorp.com>
Co-authored-by: Yoko <yoko@hashicorp.com>
Chris Capurso