Commit graph

4549 commits

Author SHA1 Message Date
Yoko Hyakuna 402b8279b4
Fix a broken URL (#17192) 2022-09-19 08:57:07 -07:00
Steven Clark 555a5833ec
Bring back managed key documentation update from ENT to OSS (#17190) 2022-09-19 11:46:30 -04:00
Max Coulombe 709c1bebf6
+ added Redis ElastiCache documentation (#17133)
* added Redis ElastiCache documentation
2022-09-19 10:26:49 -04:00
Scott Miller 7f38b0440e
Fetch CRLs from a user defined URL (#17136)
* Fetch CRLs from a user defined CDP (PoC)

* Handle no param sent

* Move CRL fetch to a periodFunc.  Use configured CA certs + system root as trusted certs for CRL fetch

* comments

* changelog

* Just use root trust

* cdp->url in api

* Store CRL and populate it initially in cdlWrite

* Update docs

* Update builtin/credential/cert/path_crls.go

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

* Handle pre-verification of a CRL url better

* just in case

* Fix crl write locking

* Add a CRL fetch unit test

* Remove unnecessary validity clear

* Better func name

* Don't exit early updating CRLs

* lock in updateCRLs

* gofumpt

* err-

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2022-09-16 16:44:30 -05:00
Luis (LT) Carbonell a0f4c18f44
Add links for service registration provides (#17170) 2022-09-16 15:28:18 -05:00
Mike Palmiotto fc87471580
docs: Add faq for deprecation status (#17096) 2022-09-16 15:38:40 -04:00
Theron Voran c9e5bee8d0
docs/vault-k8s: update for v1.0.0 release (#17165) 2022-09-16 08:46:39 -07:00
Jordan Reimer d258740f24
Prevent Requests to resultant-acl Endpoint When Unauthenticated (#17139)
* prevents requests to resultant-acl endpoint when not logged in

* removes unauthenticated mentions from resultant-acl api doc

* adds changelog entry
2022-09-15 12:45:33 -06:00
Jason O'Donnell 87350f927f
agent/auto-auth: add exit_on_err configurable (#17091)
* agent/auto-auth: add exit_on_err configurable

* changelog

* Update backoff function to quit

* Clarify doc

* Fix test
2022-09-15 11:00:31 -07:00
Austin Gebauer f9af44a0bb
auth/oidc: update docs for google workspace config (#17128)
* auth/oidc: update docs for google workspace config

* make fmt
2022-09-14 08:42:02 -07:00
Devon Powley bb0f93044f
Update Vault Azure Secrets docs for permanent deletion feature (#17045)
* Update Vault Azure Secrets docs for permanent deletion feature

* Add changelog for vault azure doc update

* Update CL based on PR feedback

Co-authored-by: Devon Powley <dpowley@users.noreply.github.com>
2022-09-13 16:25:19 -07:00
Scott Miller 12a8ef1cfd
Implement partial_failure_response_code_override for batch requests (#17118)
* Implement partial_failure_response_code_override for batch requests

* docs

* changelog

* one more test case
2022-09-13 12:51:09 -05:00
Alexander Scheel 1bbabf19d7
Add more docs on revocation changes (#17085)
* Add more notes about issuer revocation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Note BYOC in considerations

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add note about http access to CRLs, OCSP

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Recommend enabling auto-tidy & crl rebuilding

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing paths to personas

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-09-12 11:46:01 -05:00
Mike Palmiotto 9849af8663
Add deprecation status to plugin api and cli (#17077)
* api: Add deprecation status to plugin endpoints

* cli: Add -detailed flag to `plugin list`

* docs: Update plugin list/info docs
2022-09-09 16:03:07 -04:00
Steven Clark 5b5699e9b0
Update PKI documentation to clear up PKCS8 marshalling behavior (#17080)
- Update the documentation in regards to the private_key_format
   argument only controls the behavior of the private_key response field
   and does not modify the encoding of the private key within the
   pem_bundle.
2022-09-09 11:31:08 -04:00
Christopher Swenson 2c11121c19
Update docs for helm 0.22.0 (#17072)
Update docs for helm 0.22.0

Including Prometheus Operator support.

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2022-09-08 15:30:32 -07:00
deidra.prado ea8c6a32a8
Update validate.mdx (#17023)
Removed reference of ``` --header "X-Vault-Token: ..." \``` in Sample request. X-Vault-Token is not required for this endpoint.
2022-09-08 12:50:42 -07:00
Christopher Swenson 1926f71b0d
Update deprecation notice related to SHA-1 in Go 1.18+ (#17066)
Update deprecation notice related to SHA-1 in Go 1.18+

Go 1.19 has not removed SHA-1 support, and it is not clear yet when
they will remove support, so we need to slightly adjust our docs.
2022-09-08 11:58:44 -07:00
Kevin Wang bc568c4dea
Update index.mdx to fix broken link (#17052) 2022-09-08 14:04:02 -04:00
Jason O'Donnell ced0109c41
docs/k8s: use pod labels for upgrades (#17059)
* docs/helm: use pod labels for upgrades

* Grammar

* Update website/content/docs/platform/k8s/helm/run.mdx

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

* Update website/content/docs/platform/k8s/helm/run.mdx

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2022-09-08 11:13:11 -04:00
Troy Ready a79dc6c1e9
Minor doc grammar update (#17032)
Update to clarify present perfect tense.
2022-09-07 10:04:18 -04:00
Luis (LT) Carbonell cd574b5cc6
docs: update token type for auth enable CLI command (#17026)
* docs: update token type for enable

* update
2022-09-06 15:00:21 -05:00
Mike Palmiotto bf744e3bde
Handle deprecated builtins (#17005)
* core: Handle deprecated mounts on enable and unseal
* changelog: Deprecation Status handling
* core: Add Pending Removal override var
* core: Add some documentation for Pending Removal override
2022-09-06 15:49:35 -04:00
Matt Schultz 1aaace756f
Update transform documentation to include MSSQL. (#17021) 2022-09-06 10:55:48 -05:00
Rachel Culpepper a1fba8d29a
add missing flag to wrapKey command (#16988) 2022-09-06 10:52:02 -05:00
Scott Miller 606edb66d6
Add support for a dedicated HMAC type in Transit. (#16668)
* Get import correct

* limits, docs

* changelog

* unit tests

* And fix import for hmac unit test

* typo

* Update website/content/api-docs/secret/transit.mdx

Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>

* Update builtin/logical/transit/path_keys.go

Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>

* Validate key sizes a bit more carefully

* Update sdk/helper/keysutil/policy.go

Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>

Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>
2022-09-06 10:17:58 -05:00
aphorise e2805311be
Docs: GCP SA clarity. Resolved merge conflict. Closes: #12231. (#16787) 2022-09-06 08:11:34 -04:00
aphorise aab9c50577
Docs: PostgreSQL Docs added DB name note for connection_url. (#16789)
* Docs: PostgreSQL Docs added DB name note for connection_url. Relates to #12458.

* Trigger CI

Co-authored-by: Zlaticanin <zlaticaninmilena@gmail.com>
2022-09-06 08:10:50 -04:00
Tom Proctor 5bc9206e96
Docs: Add log level environment variable for Vault Lambda Extension (#17000) 2022-09-02 19:53:53 +01:00
Remco Buddelmeijer b93d6e44e0
Add fields 'ttl' and 'num_uses' to SecretID generation. (#14474)
* Add fields 'ttl' and 'num_uses' to SecretID generation.

Add fields 'ttl' and 'num_uses' when generating/obtaining a SecretID.
Rather than just being able to use the Role's SecretID ttl and num uses. #14390

* Add secret_id_num_uses response field to generating SecretID

Add the response field secret_id_num_uses to the endpoints for generating
SecretIDs. Used in testing but also to supply the vendor with this variable.

* Add tests for new ttl and num_uses SecretID generation fields

Add tests to assert the new TTL and NumUses option in the SecretID entry.
Separate test for testing with just parameters vs a -force example.

* Patch up test for ttl and num_uses fields

* Add changelog entry for auth/approle 'ttl' and 'num_uses' fields

* Add fields to API Docs and AppRole Auth Docs example

* Correct error message for failing test on missing field.
Change the error message produced when a test fails due to a missing field.
Previous values did not map to correct fields.

* Remove unnecessary int cast to int "secret_id_num_uses" field.
Unnecessary cast to int where type already is int.

* Move numUses field check to after assignment.

* Remove metadata entry in sample payload to limit change to changes made.
Remove metadata entry in sample payload for custom-secret-id. The metadata was not
changed in the features pull request.

* Bind fields 'ttl' and 'num_uses' to role's configuration.

Rather than implicitly overriding, error when the ttl is lower than and the num
uses higher than the role's configuration. #14390

* Update changelog 14474 with a more detailed description.

More elaborate description for the changelog. Specifying the per-request based fields.

* Elaborate more on the bounds of the 'ttl' and 'num_uses' field.

Specify in both the api-docs and the CLI the limits of the fields.
Specify that the role's configuration is still the leading factor.

* Upper bound ttl with role secret id ttl

Upper bound ttl with role secret id ttl when creating a secret id
Adding test cases for infinite ttl and num uses
Adding test cases for negative ttl and num uses
Validation on infinite ttl and num uses

* Formatting issues. Removed unnecessary newline

* Update documentation for AppRole Secret ID and Role

Changed that TTL is not allowed to be shorter to longer

* Cleanup approle secret ID test and impl

* Define ttl and num_uses in every test

Define ttl and num_uses in every test despite them not being tested.
This is to ensure that no unexpected behaviour comes to mind.

* Rename test RoleSecretID -> RoleSecretIDWithoutFields

* Test secret id generation defaults to Role's config

Test secret id generation defaults to Role's configuration entries.

* Change finit -> finite

Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>

* Rephrase comments to the correct validation check

* Rephrase role-secret-id option description

* Remove "default" incorrect statement about ttl

* Remove "default" incorrect statement about ttl for custom secret id

* Touch up approle.mdx to align more with path_role documentation

Co-authored-by: Remco Buddelmeijer <r.buddelmeijer@fullstaq.com>
Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
2022-09-02 09:29:59 -07:00
Florin Cătălin Țiucra-Popa 608a4777a0
Update pkcs11.mdx (#16994) 2022-09-02 09:01:29 -07:00
Jason O'Donnell 615d591486
auth/oidc: add extra context about claim names in doc (#16987) 2022-09-01 15:30:50 -07:00
André Freitas c59bb185bc
Fix typos in architecture page (#16978)
Some minor typos fix after I read the whole page.
2022-09-01 12:02:50 -07:00
Ikko Ashimine 2444e92917
docs: fix typo in faq.mdx (#16979)
occuring -> occurring
2022-09-01 10:01:01 -07:00
Mike Palmiotto 2c16be25e3
Add deprecation status to auth/secrets list (#16849)
* auth: Add Deprecation Status to auth list -detailed
* secrets: Add Deprecation Status to secrets list -detailed
* Add changelog entry for deprecation status list
2022-08-31 16:11:14 -04:00
Alexander Scheel b8576a8de4
Add ability to request manual rebuild of Delta CRLs (#16964)
* Add path to manually rebuild delta CRLs

The crl/rotate-delta path behaves like crl/rotate, triggering a
cluster-local rebuild of just the delta CRL. This is useful for when
delta CRLs are enabled with a longer-than-desired auto-rebuild period
after some high-profile revocations occur.

In the event delta CRLs are not enabled, this becomes a no-op.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for Delta CRL rebuilding

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update documentation about Delta CRLs

Also fixes a omission in the If-Modified-Since docs to mention that the
response header should probably also be passed through.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-31 12:42:59 -07:00
Alexander Scheel f0a127487b
Add ability to cancel PKI tidy operations, pause between tidying certs (#16958)
* Allow tidy operations to be cancelled

When tidy operations take a long time to execute (and especially when
executing them automatically), having the ability to cancel them becomes
useful to reduce strain on Vault clusters (and let them be rescheduled
at a later time).

To this end, we add the /tidy-cancel write endpoint.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing auto-tidy synopsis / description

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add a pause duration between tidying certificates

By setting pause_duration, operators can have a little control over the
resource utilization of a tidy operation. While the list of certificates
remain in memory throughout the entire operation, a pause is added
between processing certificates and the revocation lock is released.
This allows other operations to occur during this gap and potentially
allows the tidy operation to consume less resources per unit of time
(due to the sleep -- though obviously consumes the same resources over
the time of the operation).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for cancellation, pause

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add API docs on pause_duration, /tidy-cancel

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add lock releasing around tidy pause

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Reset cancel guard, return errors

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-31 11:36:12 -07:00
John-Michael Faircloth 96b97017b1
docs: update plugin docs for secrets/auth multiplexing (#16923)
* docs: update plugin docs for secrets/auth multiplexing

* update index

* update plugin development

* fix spacing in code snippet

* update links to multiplexing resources

* add note on sdk version and update db example text

* Update website/content/docs/plugins/plugin-architecture.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* reword index intro

* Update website/content/docs/plugins/plugin-development.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/plugins/plugin-development.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* remove word and fix code format

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-08-31 11:21:20 -07:00
Viacheslav Vasilyev d0b7362e36
OpenLDAP secrets documentation, reflect some other objects may have userPassword (#8918)
* Update index.mdx

* Docs: OpenLDAP userPassword clarity

corrected grammar slightly

Co-authored-by: aphorise <aphorise@gmail.com>
2022-08-31 09:58:25 -07:00
Zalary Young bed027db81
adds note about aws kms_key_id alias (#10693)
Co-authored-by: zalary <zalary@hashicorp.com>
2022-08-31 09:35:06 -07:00
Trishank Karthik Kuppusamy 303f59dce3
Allow configuring the possible salt lengths for RSA PSS signatures (#16549)
* accommodate salt lengths for RSA PSS

* address feedback

* generalise salt length to an int

* fix error reporting

* Revert "fix error reporting"

This reverts commit 8adfc15fe3303b8fdf9f094ea246945ab1364077.

* fix a faulty check

* check for min/max salt lengths

* stringly-typed HTTP param

* unit tests for sign/verify HTTP requests

also, add marshaling for both SDK and HTTP requests

* randomly sample valid salt length

* add changelog

* add documentation
2022-08-31 12:27:03 -04:00
Violet Hynes 2fb4ed211d
VAULT-7707 Add docs around making mass amounts of lease count quotas via automation (#16950)
* VAULT-7707 Add docs around making mass amounts of lease count quotas via automation

* VAULT-7707 Changelog

* VAULT-7707 add word

* VAULT-7707 Update some small wordings

* VAULT-7707 use a real em dash
2022-08-31 11:50:01 -04:00
Nick Cabatoff 1997fbb73f
Point people in the right direction for tokens used in transit autounseal. (#16951) 2022-08-31 10:37:25 -04:00
Steven Clark b21e06b917
Add remove_roots_from_chain to sign and issue pki apis (#16935)
* Add remove_roots_from_chain flag to sign and issue pki apis

 - Add a new flag to allow end-users to control if we return the
   root/self-signed CA certificate within the list of certificates in
   ca_chain field on issue and sign api calls.

* Add cl

* PR feedback
2022-08-31 09:51:26 -04:00
Andy Assareh 0a0efd47a4
Doc only: Dead Server Cleanup added in Vault 1.7 (#14297) 2022-08-31 08:34:47 -04:00
Sean Ellefson 11e53a956b
Added missing _ character to parameter (#14441) 2022-08-31 08:32:42 -04:00
Alexander Scheel a5fafd8163
Add ability to perform automatic tidy operations (#16900)
* Add ability to perform automatic tidy operations

This enables the PKI secrets engine to allow tidy to be started
periodically by the engine itself, avoiding the need for interaction.
This operation is disabled by default (to avoid load on clusters which
don't need tidy to be run) but can be enabled.

In particular, a default tidy configuration is written (via
/config/auto-tidy) which mirrors the options passed to /tidy. Two
additional parameters, enabled and interval, are accepted, allowing
auto-tidy to be enabled or disabled and controlling the interval
(between successful tidy runs) to attempt auto-tidy.

Notably, a manual execution of tidy will delay additional auto-tidy
operations. Status is reported via the existing /tidy-status endpoint.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on auto-tidy

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for auto-tidy

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Prevent race during parallel testing

We modified the RollbackManager's execution window to allow more
faithful testing of the periodicFunc. However, the TestAutoRebuild and
the new TestAutoTidy would then race against each other for modifying
the period and creating their clusters (before resetting to the old
value).

This changeset adds a lock around this, preventing the races.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use tidyStatusLock to gate lastTidy time

This prevents a data race between the periodic func and the execution of
the running tidy.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add read lock around tidyStatus gauges

When reading from tidyStatus for computing gauges, since the underlying
values aren't atomics, we really should be gating these with a read lock
around the status access.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-30 15:45:54 -04:00
Ivan Buymov 99213c2616
Add retry policy and fix documentation for Cassandra storage backend (#10467)
* add simple_retry policy and initial_connection_timeout options,
fix docs for connection_timeout

* Cassandra: policy fix - added changelog.

Co-authored-by: Mehdi Ahmadi <aphorise@gmail.com>
2022-08-30 11:00:48 -07:00
Milena Zlaticanin cf332842cc
update azure docs (#16819) 2022-08-29 14:55:37 -05:00
Gabriel Santos ff5ff849fd
PKI - Honor header If-Modified-Since if present (#16249)
* honor header if-modified-since if present

* pathGetIssuerCRL first version

* check if modified since for CA endpoints

* fix date comparison for CA endpoints

* suggested changes and refactoring

* add writeIssuer to updateDefaultIssuerId and fix error

* Move methods out of storage.go into util.go

For the most part, these take a SC as param, but aren't directly storage
relevant operations. Move them out of storage.go as a result.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use UTC timezone for storage

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Rework path_fetch for better if-modified-since handling

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Invalidate all issuers, CRLs on default write

When the default is updated, access under earlier timestamps will not
work as we're unclear if the timestamp is for this issuer or a previous
issuer. Thus, we need to invalidate the CRL and both issuers involved
(previous, next) by updating their LastModifiedTimes.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for If-Modified-Since

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Correctly invalidate default issuer changes

When the default issuer changes, we'll have to mark the invalidation on
PR secondary clusters, so they know to update their CRL mapping as well.
The swapped issuers will have an updated modification time (which will
eventually replicate down and thus be correct), but the CRL modification
time is cluster-local information and thus won't be replicated.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* make fmt

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor sendNotModifiedResponseIfNecessary

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on if-modified-since

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-29 15:28:47 -04:00