This change proposes adding [vaultrs](https://crates.io/crates/vaultrs) to the list of community-supported libraries. This crate has a mature base and is expected to expand to accommodate most of the API.
* Document new force_rw_session parameter within pkcs11 seals
* documentation for key_id and hmac_key_id fields
* Apply suggestions from code review
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/docs/configuration/seal/pkcs11.mdx
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: rculpepper <rculpepper@hashicorp.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify that backend authors can specify that all or no values are sealwrapped rather than the vague statement that all values _may_ be seal wrapped
* typo
Include recommendation to use Vault agent injector on OpenShift
instead of CSI due to production security constraints.
Additional instructions included for testing and development
clusters.
* Add auto_rotate_interval field to transit key creation path.
* Add auto_rotate_interval field to transit key config update path.
* Implement transit automatic key rotation on an hourly interval.
* Fixes transit key autorotation key listing typo.
* Add unit tests for transit key autorotation.
* Add unit tests for transit key creation with autorotation interval.
* Add unit tests for transit key config update with autorotation interval.
* Document new auto_rotate_interval fields in key creation and key config update endpoints.
* Add changelog for transit key autorotation.
* Wrap individual transit key autorotation in a policy lock.
* Add a safeguard to transit key autorotation to ensure only one execution happens simultaneously.
"algorithm_signer": "rsa-sha2-256"
to prevent /var/log/auth.log `userauth_pubkey: certificate signature algorithm ssh-rsa: signature algorithm not supported [preauth]` due to vault defaulting to ssh-rsa which is insecure
* docs: add known issues section to 1.9.x upgrade guide
* minor rephrasing on oidc known issue
* use relative references for URLs
* Update website/content/docs/upgrading/upgrade-to-1.9.x.mdx
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* update known issues section for id token
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* auth/kubernetes: support for short-lived tokens
* Uplift new version of Kubernetes auth plugin that does not store the
service account token persistently to Vault storage.
* Update the documentation to recommend local token again when running
Vault inside cluster.
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
* Added changelog entry
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
* clarification to changelog entry, executed go mod tidy
* clarifications and added targeted release version
* go get vault-plugin-secrets-kv@vault-4290-patch-metadata
* add kv metadata patch command
* add changelog entry
* success tests for kv metadata patch flags
* add more kv metadata patch flags tests
* add kv metadata patch cas warning test
* add kv-v2 key metadata patch API docs
* add kv metadata patch to docs
* prevent unintentional field overwriting in kv metadata put cmd
* like create/update ops, prevent patch to paths ending in /
* fix kv metadata patch cmd in docs
* fix flag defaults for kv metadata put
* go get vault-plugin-secrets-kv@vault-4290-patch-metadata
* fix TestKvMetadataPatchCommand_Flags test
* doc fixes
* go get vault-plugin-secrets-kv@master; go mod tidy
