Commit graph

1149 commits

Author SHA1 Message Date
Violet Hynes 3d7f9a402f
VAULT-6368 Metrics-only listener for Agent (#18101)
* VAULT-6368 Metrics-only listener for Agent

* VAULT-6368 changelog

* VAULT-6368 Update config to use string instead of bool

* VAULT-6368 Fix leftover code

* VAULT-6368 Fix changelog

* VAULT-6368 fix typo

* VAULT-6368 recommended doc update

* VAULT-6368 use != over !(==)
2022-11-25 16:00:56 -05:00
Steven Clark 92c1a2bd0a
New PKI API to generate and sign a CRL based on input data (#18040)
* New PKI API to generate and sign a CRL based on input data

 - Add a new PKI API that allows an end-user to feed in all the
   information required to generate and sign a CRL by a given issuer.
 - This is pretty powerful API allowing an escape hatch for 3rd parties
   to craft customized CRLs with extensions based on their individual
   needs

* Add api-docs and error if reserved extension is provided as input

* Fix copy/paste error in Object Identifier constants

* Return nil on errors instead of partially filled slices

* Add cl
2022-11-22 11:41:04 -05:00
Chris Capurso a14ba5f044
Add Consul Dataplane compatibility info to docs (#18041)
* add compatibility info to consul service reg docs

* fix alert formatting

* add consul dataplane compatibility partial

* add compat partial to more consul doc pages

* fix links
2022-11-22 08:56:18 -05:00
Chris Capurso 5f27ab3fed
mention Consul Dataplane compat in 1.12.x upgrade notes (#18066) 2022-11-22 08:55:35 -05:00
Chris Capurso d392754914
mention Consul Dataplane compat in 1.13.x upgrade notes (#18063)
* mention Consul Dataplane compat in 1.13.x upgrade notes

* change heading level

Co-authored-by: Meggie <meggie@hashicorp.com>

Co-authored-by: Meggie <meggie@hashicorp.com>
2022-11-21 19:11:13 +00:00
Meggie 99408e3372
Update MFA docs (#18049)
Some updates from our MFA discussion
2022-11-18 15:31:27 -05:00
Tom Proctor dc85e37cf4
storage/raft: Add retry_join_as_non_voter config option (#18030) 2022-11-18 17:58:16 +00:00
Alexander Scheel 75b70d84e6
Add list to cert auth's CRLs (#18043)
* Add crl list capabilities to cert auth

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add docs on cert auth CRL listing

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test for cert auth listing

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-18 11:39:17 -05:00
mickael-hc 8927a55741
docs: detail policies parameter for auth methods using tokenutil (#18015)
* docs: detail policies parameter for auth methods using tokenutil

* Update website/content/partials/tokenfields.mdx


Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2022-11-18 11:09:29 -05:00
Tom Proctor 6dd453080d
Docs: Clarify plugin versioning known issue (#17799) 2022-11-18 11:49:33 +00:00
Theron Voran 0909408f0c
docs/vault-k8s: updates for v1.1.0 (#18020) 2022-11-17 13:58:28 -08:00
John-Michael Faircloth 0acecb7ee0
add draft 1.13.x upgrade guide (#18023)
* add draft upgrade guide

* add note this is a draft

* make 1.13 guide hidden

* add heading for alicloud change
2022-11-17 15:57:16 -06:00
Steven Clark 01e87c481c
Add new PKI api to combine and sign different CRLs from the same issuer (#17813)
* Add new PKI api to combine and sign different CRLs from the same issuer

 - Add a new PKI api /issuer/<issuer ref>/resign-crls that will allow
   combining and signing different CRLs that were signed by the same
   issuer.
 - This allows external actors to combine CRLs into a single CRL across
   different Vault clusters that share the CA certificate and key material
   such as performance replica clusters and the primary cluster

* Update API docs

* PR Feedback - Delta CRL rename

* Update to latest version of main

* PR Feedback - Get rid of the new caEntry struct

* Address PR feedback in api-docs and PEM encoded response
2022-11-17 16:53:05 -05:00
Christopher Swenson 9724f2860d
Add docs for vault-k8s JSON patch (#17712)
From https://github.com/hashicorp/vault-k8s/pull/399

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2022-11-17 12:32:18 -08:00
Yoko Hyakuna 59cec0a96c
Add known issue about PKI secrets engine with Consul (#18003)
* Add known issue about PKI secrets engine with Consul

* Added KB article URL

* Update website/content/docs/secrets/pki/index.mdx

Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>

Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>
2022-11-17 10:09:41 -08:00
Brian Shumate 3775f69f3a
Docs: Enterprise TOTP updates (#18007)
* Docs: Enterprise TOTP updates

- Add note to TOTP about authenticator supported alogrithms
- Fix typos

* Path update
2022-11-17 08:50:01 -08:00
Steven Clark 0341c88030
Fix path typo in Generate Intermediate CSR PKI docs (#17989)
- Within the table specifying the various paths to generate a CSR
   in the PKI docs, the new issuers based api has a typo in it missing
   the issuers/ prefix.
 - Brought to our attention by Chelsea and Claire, thanks!
2022-11-16 18:23:13 -05:00
Meggie 775a1b3001
Docker Deprecation Update (#17825)
* Docker Deprecation Update

Trying to make implications and required changes a little clearer.

* Further clarifications
2022-11-16 10:33:14 -05:00
Alexander Scheel 82ac91907a
Add missing anchor for set-crl-configuration (#17959)
When renaming the header to Set Revocation Configuration, we broke
bookmarks. Add in the named anchor so the old bookmarks and links still
work.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-16 10:30:28 -05:00
Alexander Scheel a43e428b01
Fix docs by adding self-closing BRs (#17958)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-16 10:01:43 -05:00
Alexander Scheel ab395f2c79
Clarify more documentation on audit logging (#17957)
Thanks to Khai Tran for identifying that syslogging has a lower limit
on message size and sometimes large CRLs can hit that limit.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-16 09:21:29 -05:00
JD Goins 7b52e688f4
Fix link to architecture in AWS platform page (#17327) 2022-11-15 11:44:37 -06:00
Alexander Scheel 6cbfc4afb2
Docs clarifications around PKI considerations (#17916)
* Add clarifications on revocation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Talk about rationale for separating roots from intermediates

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-15 08:43:40 -05:00
Steven Clark b1b8b9fb69
Update api-doc about PKI automatic tidying of issuers and the default issuer (#17933) 2022-11-14 18:26:15 -05:00
divyaac 065782e75d
Added documentation for Introspection API (#17753)
* Added documentation for Introspection API

* Edit hyperlink in index doc

* Added the path to the nav file

* Edited some mispelled words

* Fix deployment issue. Change link in nav file

* Edit the router mdx and add response values

* Edit nav doc

* Changed hyperlink, changed response to json, changed some wording

* Remove requirement that the endpoint is off by default

* Update website/content/api-docs/system/inspect/router.mdx

Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>

* Update website/content/api-docs/system/inspect/router.mdx

Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>

* Update website/content/api-docs/system/inspect/index.mdx

Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>

Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
2022-11-11 09:50:44 -08:00
Chris Stella 1bae5eed3e
Update Azure 'key_type' description (#17903)
Updated the description for the 'key_type' parameter to read 'RSA-HSM' as the only supported value.
2022-11-11 09:42:37 -06:00
Peter Wilson 0fad0c3864
VAULT-8732: Add log-file to Vault Agent (#17841)
* Started work on adding log-file support to Agent
* Allow log file to be picked up and appended
* Use NewLogFile everywhere
* Tried to pull out the config aggregation from Agent.Run

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2022-11-11 10:59:16 +00:00
John Smart 6cc6875d6d
Add DataStax Astra DB to Partner DBs (#17814) 2022-11-10 16:18:47 -08:00
Anton Averchenkov f9fac68980
Revert "Add mount path into the default generated openapi.json spec (#17839)" (#17890)
This reverts commit 02064eccb42bb2ec1a3d12ec0d49c661312acd2d.
2022-11-10 15:39:53 -08:00
Anton Averchenkov f3aea876b9
Add mount path into the default generated openapi.json spec (#17839)
The current behaviour is to only add mount paths into the generated `opeanpi.json` spec if a `generic_mount_paths` flag is added to the request. This means that we would have to maintain two different `openapi.json` files, which is not ideal. The new solution in this PR is to add `{mount_path}` into every path with a default value specified:

```diff
--    "/auth/token/accessors/": {
++    "/auth/{mount_path}/accessors/": {
      "parameters": [
        {
          "name": "mount_path",
          "description": "....",
          "in": "path",
          "schema": {
            "type": "string",
++          "default": "token"
          }
        }
      ],
```

Additionally, fixed the logic to generate the `operationId` (used to generate method names in the code generated from OpenAPI spec). It had a bug where the ID had `mountPath` in it. The new ID will look like this:

```diff
-- "operationId": "listAuthMountpathAccessors",
++ "operationId": "listTokenAccessors",
```
2022-11-10 15:44:43 -05:00
Chris Capurso 8ad82d9de4
clarify that init recovery options are only available for auto unseal (#17862)
* clarify that init recovery options are only available for auto unseal

* add some language consistency

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2022-11-10 15:43:11 -05:00
Ron DeMena ccc291ae9e
Update interoperability-matrix.mdx (#17882)
* Update interoperability-matrix.mdx

Corrected obvious spelling miss.   Vaut to Vault

* Create 17882.txt

Noting changelog for spelling change in PR#17882

* Delete 17882.txt
2022-11-10 13:15:14 -05:00
Alexander Scheel 5a2ee4ca7a
Add automatic tidy of expired issuers (#17823)
* Add automatic tidy of expired issuers

To aid PKI users like Consul, which periodically rotate intermediates,
and provided a little more consistency with older versions of Vault
which would silently (and dangerously!) replace the configured CA on
root/intermediate generation, we introduce an automatic tidy of expired
issuers.

This includes a longer safety buffer (1 year) and logging of the
relevant issuer information prior to deletion (certificate contents, key
ID, and issuer ID/name) to allow admins to recover this value if
desired, or perform further cleanup of keys.

From my PoV, removal of the issuer is thus a relatively safe operation
compared to keys (which I do not feel comfortable removing) as they can
always be re-imported if desired. Additionally, this is an opt-in tidy
operation, not enabled by default. Lastly, most major performance
penalties comes with lots of issuers within the mount, not as much
large numbers of keys (as only new issuer creation/import operations are
affected, unlike LIST /issuers which is a public, unauthenticated
endpoint).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test for tidy

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add docs on tidy of issuers

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Restructure logging

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing fields to expected tidy output

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-10 10:53:26 -05:00
Michele Baldessari d04b91ed0a
Fix a typo around custom-metadata in kv put docs (#17876)
* Fix a typo around custom-metadata in kv put docs

There is a missing dash before 'custom-metadata':

    $ vault kv metadata put custom-metadata="foo=bar" secret/hub/config-demo
    Too many arguments (expected 1, got 2)
    $ vault kv metadata put -custom-metadata="foo=bar" secret/hub/config-demo
    Success! Data written to: secret/metadata/hub/config-demo

Signed-off-by: Michele Baldessari <michele@acksyn.org>

* Update website/content/docs/commands/kv/metadata.mdx

Signed-off-by: Michele Baldessari <michele@acksyn.org>
Co-authored-by: Alexander Scheel <alexander.m.scheel@gmail.com>
2022-11-10 09:00:19 -05:00
Chris Capurso 987e499a9e
clarify that certain policy examples are for KVv1 (#17861) 2022-11-09 15:42:58 -05:00
Alexander Scheel 06f30de35f
Optional automatic default issuer selection (#17824)
* Correctly preserve other issuer config params

When setting a new default issuer, our helper function would overwrite
other parameters in the issuer configuration entry. However, up until
now, there were none.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add new parameter to allow default to follow new

This parameter will allow operators to have the default issuer
automatically update when a new root is generated or a single issuer
with a key (potentially with others lacking key) is imported.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Storage migration tests fail on new members

These internal members shouldn't be tested by the storage migration
code, and so should be elided from the test results.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Follow new issuer on root generation, import

This updates the two places where issuers can be created (outside of
legacy CA bundle migration which already sets the default) to follow
newly created issuers when the config is set.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test for new default-following behavior

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-08 14:40:29 -05:00
Theron Voran 32cdd59cdb
docs/vault-k8s: update env example (#17818)
Specifying only `args` will just append them to the container image's
entrypoint instead of replacing it. Setting command overrides the
entrypoint, and args is then appended to the command.
2022-11-04 10:56:00 -07:00
Steven Clark 419ba9159c
Add new API to PKI to list revoked certificates (#17779)
* Add new API to PKI to list revoked certificates

 - A new API that will return the list of serial numbers of
   revoked certificates on the local cluster.

* Add cl

* PR feedback
2022-11-03 14:17:17 -04:00
Alexander Scheel ffa4825693
PKI - Fix order of chain building writes (#17772)
* Ensure correct write ordering in rebuildIssuersChains

When troubleshooting a recent migration failure from 1.10->1.11, it was
noted that some PKI mounts had bad chain construction despite having
valid, chaining issuers. Due to the cluster's leadership trashing
between nodes, the migration logic was re-executed several times,
partially succeeding each time. While the legacy CA bundle migration
logic was written with this in mind, one shortcoming in the chain
building code lead us to truncate the ca_chain: by sorting the list of
issuers after including non-written issuers (with random IDs), these
issuers would occasionally be persisted prior to storage _prior_ to
existing CAs with modified chains.

The migration code carefully imported the active issuer prior to its
parents. However, due to this bug, there was a chance that, if write to
the pending parent succeeded but updating the active issuer didn't, the
active issuer's ca_chain field would only contain the self-reference and
not the parent's reference as well. Ultimately, a workaround of setting
and subsequently unsetting a manual chain would force a chain
regeneration.

In this patch, we simply fix the write ordering: because we need to
ensure a stable chain sorting, we leave the sort location in the same
place, but delay writing the provided referenceCert to the last
position. This is because the reference is meant to be the user-facing
action: without transactional write capabilities, other chains may
succeed, but if the last user-facing action fails, the user will
hopefully retry the action. This will also correct migration, by
ensuring the subsequent issuer import will be attempted again,
triggering another chain build and only persisting this issuer when
all other issuers have also been updated.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remigrate ca_chains to fix any missing issuers

In the previous commit, we identified an issue that would occur on
legacy issuer migration to the new storage format. This is easy enough
to detect for any given mount (by an operator), but automating scanning
and remediating all PKI mounts in large deployments might be difficult.

Write a new storage migration version to regenerate all chains on
upgrade, once.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add issue to PKI considerations documentation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Correct %v -> %w in chain building errs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-03 11:50:03 -04:00
Ellie aa4448efd7
docs: in transit secret engine docs, specify order with batch_input param (#17770) 2022-11-03 08:50:47 -05:00
Alex Cahn 4c67919182
Update interoperability-matrix (#17793)
* Update interoperability-matrix.mdx

Updating the matrix to include new validations.

* Fixing a grammatical error
2022-11-02 17:32:53 -07:00
Tom Proctor ab658a3479
Docs: Add known issue for 1.12.1 builtin plugin version upgrades (#17783) 2022-11-02 21:36:49 +00:00
Tom Proctor e9ced09e70
Docs: Update plugin info API docs (#17760) 2022-11-02 20:03:17 +00:00
dyma solovei 1552f9ac4e
chore: Update seal.mdx, use consistent terminology (#17767)
This article seems to use the terms "shares" and "shards" interchangeably to describe the parts in which the secret is split under SSS.
While both seem to be correct, sticking to one term would save a newbie reader (like myself) the confusion.  

Since the Wikipedia article that's linked in this article only mentions "shares" and the CLI flags (for recovery keys) also use `-shares`, I opted for that.
2022-11-02 13:58:04 -06:00
Steven Clark 550fbdc41c
Return revocation info within existing certs/<serial> api (#17774)
* Return revocation info within existing certs/<serial> api

 - The api already returned both the certificate and a revocation_time
   field populated. Update the api to return revocation_time_rfc3339
   as we do elsewhere and also the issuer id if it was revoked.
 - This will allow callers to associate a revoked cert with an issuer

* Add cl

* PR feedback (docs update)
2022-11-02 13:06:04 -04:00
Violet Hynes a11f62abf2
VAULT-8518 Increase HMAC limit to 4096, and limit approle names to the same limit (#17768)
* VAULT-8518 Increase HMAC limit to 4096, and limit approle names to the same limit

* VAULT-8518 Changelog

* VAULT-8518 Sprintf the byte limit
2022-11-02 10:42:09 -04:00
Mark Lewis 0d3a4a3201
Update signed-ssh-certificates.mdx (#17746)
* Update signed-ssh-certificates.mdx

Add a pointer to the doc regarding reading back the pub key with the CLI

* Update website/content/docs/secrets/ssh/signed-ssh-certificates.mdx

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-31 12:33:46 -04:00
Alexander Scheel d5f6c36c1c
Clarify ssh/public_key response, recommend -format=raw (#17745)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-31 11:14:49 -04:00
Alexander Scheel 6d92ef4d9a
Fix raw format for other commands, add to docs! (#17730)
* Clarify when -format=raw fails

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Document Vault read's new -format=raw mode

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add raw format to usage, completion

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing support for raw format field printing

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Prohibit command execution with wrong formatter

This allows us to restrict the raw formatter to only commands that
understand it; otherwise, when running `vault write -format=raw`, we'd
actually hit the Vault server, but hide the output from the user. By
switching this to a flag-parse time check, we avoid running the rest of
the command if a bad formatter was specified.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-28 12:53:23 -04:00
Tom Proctor 07b4e42c9b
Update documentation for vault-helm v0.22.1 release (#17695) 2022-10-28 11:56:02 +01:00