Commit graph

16802 commits

Author SHA1 Message Date
Alexander Scheel 8e1e95b2e2
Allow listing health checks without mount path (#19199)
* Allow listing health checks without mount path

This allows the bare:

    $ vault pki health-check -list

without a corresponding mount path to complete. Otherwise, users would
be greeted with a prompt for the mount, which is less than ideal.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix usage, use <mount> over pki

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-02-15 19:08:19 +00:00
Austin Gebauer 5691ec3201
secrets/gcp: use feature format for changelog entry of impersonated accounts (#19200) 2023-02-15 11:06:50 -08:00
Anton Averchenkov 14316ea44e
Refactor approle response validation tests (#19188) 2023-02-15 12:29:15 -05:00
Steven Clark 95efc9b569
Add PKI unified-revocation changelog (#19196) 2023-02-15 09:54:14 -05:00
Steven Zamborsky 7534689818
Update raftautosnapshots.mdx (#18996)
Clarify that the `local_max_space` value for local automated snapshots is cumulative for all snapshots in the `file_prefix` path.
2023-02-14 22:46:41 -08:00
Jordan Reimer c3d4b2ff7b
Kubernetes config payload fix (#19184)
* unsets kubernetes manual config properties when saving local cluster option

* fixes test
2023-02-14 15:47:23 -07:00
John-Michael Faircloth fc13efc80e
docs/plugins: update upgrading plugins (#19109)
* docs/plugins: update upgrading plugins

* Update website/content/docs/upgrading/plugins.mdx

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

---------

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2023-02-14 17:40:06 +00:00
Jaymala 99d4151a38
Fetch replication status in its own resource (#19132)
* Fix json decode errors for Enos replication verification module

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Rewrite the pr connection check script

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Do not fail on get replication status

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

---------

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
2023-02-14 12:21:29 -05:00
Angel Garbarino 3003ff85ce
Disabling License Banners (#19116)
* work in progress: got the expired banner set with license check

* wip: got the logic for both banners, need to test and write tests

* add notes

* prep for test writing

* test coverage

* add changelog

* clean up

* clarify dismissTypes and conditionals

* updates

* update comment

* update comment

* address pr comments

* update test

* small naming change

* small naming changes

* clean localStorage

* comment clean up

* another comment clean up

* remove meep

* add test coverage for new method in localStorage
2023-02-14 17:00:24 +00:00
Alexander Scheel d0925f3661
Add cryptosec as codeowners to relevant docs (#19070)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-02-14 10:48:16 -05:00
Fulton Byrne 000e643ecf
LifeTimeWatcher SleepDuration calculation testing (#17919)
* factor out sleep duration calc
* property based sleep duration test

Co-authored-by: peteski22 <peter.wilson@hashicorp.com>
2023-02-14 14:57:25 +00:00
Steven Clark 9338c22c53
Trap errors related to vault pki list-intermediate issuer reading (#19165)
* Rename files to match test suite and existing pattern

* Factor out issuer loading into a dedicated function

 - Add a little more checks/validation when loading the a PKI issuer
 - Factor out the issuer loading into a dedicated function
 - Leverage existing health check code to parse issuer certificates

* Read parent issuer once instead of reloading it for every child

 - Read in our parent issuer once instead of running it for every child
   we want to compare against
 - Provides clearer error message that we have failed reading from which
   path to the end user

* PR Feedback

 - Rename a variable for clarity
 - Use readIssuer in the validation of the parent issuer within
   pkiIssuer
 - Add some missing return 1 statements in error handlers that had been
   missed
2023-02-14 08:51:44 -05:00
Steven Clark 225dd869d4
Attempt at fixing the memory usage in CI (#19171)
- Do not keep many intervals of the in memory sink metrics
   collector. Otherwise we fill up the CI's memory
2023-02-14 08:40:25 -05:00
Max Coulombe 2c32190eed
Fix database sample payload doc (#19170)
* * fix database static-user rotation statement in sample payload

* + added changelog
2023-02-14 08:29:27 -05:00
Theron Voran dda2df25db
docs/vault-helm: fix multi-line block copy (#19119)
Add a `$` before the command in shell blocks that include command
output, so that the "Copy" button on the website only copies the
command and not the output.
2023-02-13 22:21:11 -08:00
Christopher Swenson 98513eb784
Update namespace.FromContext comment (#18840)
It looks like namespace context caching was removed in
https://github.com/hashicorp/vault/pull/5200
but this comment was left referencing it, which I found confusing
at first glance.
2023-02-13 11:04:32 -08:00
Kuba Wieczorek 04729162e3
Update version to 1.14.0 and version prerelease to beta1 (#19163) 2023-02-13 16:37:45 +00:00
mickael-hc f144c8c239
bump dev depenendencies (#19140)
reduces alert noise
2023-02-13 10:31:43 -05:00
Ellie 08ef61cc00
add error message when trying to rotate mssql root without password in configuration (#19103)
* add error message when trying to rotate mssql root without password in configuration

* add changelog
2023-02-13 07:31:13 -05:00
Austin Gebauer 1b4bbe2b5b
upgrade vault-plugin-database-mongodbatlas to v0.9.0 (#19153) 2023-02-11 00:57:18 +00:00
Tom Proctor eb1d58257c
Bump kv plugin v0.14.0->v0.14.2 (#19145) 2023-02-10 21:42:05 +00:00
claire bontempo 0860961223
UI: sets operationNone for a kmip role if no checkboxes are selected (#19139)
* fix operationNon not being set on save

* add changelog

* fix overriding operationAll

* remove mirage file
2023-02-10 21:38:31 +00:00
Kit Haines 14adb3b825
Telemetry Metrics Configuration. (#18186)
* Telemetry Metrics Configuration.

* Err Shadowing Fix (woah, semgrep is cool).

* Fix TestBackend_RevokePlusTidy_Intermediate

* Add Changelog.

* Fix memory leak.  Code cleanup as suggested by Steve.

* Turn off metrics by default, breaking-change.

* Show on tidy-status before start-up.

* Fix tests

* make fmt

* Add emit metrics to periodicFunc

* Test not delivering unavailable metrics + fix.

* Better error message.

* Fixing the false-error bug.

* make fmt.

* Try to fix race issue, remove confusing comments.

* Switch metric counter variables to an atomic.Uint32

 - Switch the metric counter variables to an atomic variable type
   so that we are forced to properly load/store values to it

* Fix race-issue better by trying until the metric is sunk.

* make fmt.

* empty commit to retrigger non-race tests that all pass locally

---------

Co-authored-by: Steve Clark <steven.clark@hashicorp.com>
2023-02-10 21:31:56 +00:00
ram-parameswaran 7dff0e6ae4
Update PKI Secret Engine doc for auto-tidy (#19122)
PKI Secret Engine documentation for auto-tidy(https://developer.hashicorp.com/vault/api-docs/secret/pki#configure-automatic-tidy) has a parameter interval_duration(https://developer.hashicorp.com/vault/api-docs/secret/pki#interval_duration). This needs to explicitly call out the default value to be 12 hours.
2023-02-10 15:57:58 -05:00
Christopher Swenson 7a977fd6ea
events: Check token and ACLs on request (#19138)
This checks the request against the `read` permission for
`sys/events/subscribe/{eventType}` on the initial subscribe.

Future work includes moving this to its own verb (`subscribe`)
and periodically rechecking the request.

Tested locally by minting a token with the wrong permissions
and verifying that they are rejected as expected, and that
they work if the policy is adjusted to `sys/event/subscribe/*`
(or the specific topic name) with `read` permissions.

I had to change the `core.checkToken()` to be publicly accessible,
as it seems like the easiest way to check the token on the
`logical.Request` against all relevant policies, but without
going into all of the complex logic further in `handleLogical()`.

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2023-02-10 20:56:00 +00:00
Chelsea Shaw 54c863c747
UI: Fix cancel button on role transform form (#19135) 2023-02-10 20:37:22 +00:00
Kit Haines 674d56d9c7
Vault 11799 Vault CLI Re-Issue (Templating based on existing certificate) (#18499)
* The verify-sign command in it's cleanest existing form.

* Working state

* Updates to proper verification syntax

Co-authored-by: 'Alex Scheel' <alex.scheel@hashicorp.com>

* make fmt

* Base functionality.

* make fmt; changelog

* pki issue command.

* Make fmt. Changelog.

* Error Handling Is Almost A Tutorial

* Issue and ReIssue are Almost the Same Command

* Make Fmt + Changelog.

* Make some of the tests go.

* make fmt

* Merge fix (take 2)

* Fix existing support, add support for use_pss, max_path_length, not_after, permitted_dns_domains and skid

* Good Test which Fails

* Test-correction.

* Fix update to key_type key_bits; allow "," in OU or similar

* More specific includeCNinSANs

* Add tests around trying to use_pss on an ec key.

* GoDoc Test Paragraph thing.

---------

Co-authored-by: 'Alex Scheel' <alex.scheel@hashicorp.com>
2023-02-10 20:27:36 +00:00
Chelsea Shaw 604239a4ac
UI: Fix id fields not allowing update (#19117) 2023-02-10 13:31:47 -06:00
Tom Proctor a099375f36
events: Allow subscribing to events in namespaces (#19134) 2023-02-10 19:02:42 +00:00
Tom Proctor bd592120e2
Convert events metadata type to google.protobuf.Struct (#19130) 2023-02-10 18:58:03 +00:00
Jordan Reimer caa06f267a
fixes issue saving edited k8s role (#19133) 2023-02-10 18:38:23 +00:00
claire bontempo 4af59fd6cd
UI/vault 13506/pki attr cleanup (#19121)
* add show page for generated CSR

* fix typo, make key-id copyable

* add tests

* move pki tests to designated folder

* list keys when in between state after CSR generation

* uses customTTL for generateing role cert and adds privateKeyFormat

* Revert "move pki tests to designated folder"

This reverts commit 82b60e4beab0717bbace8dee64cc0863a5488079.

* Revert "add tests"

This reverts commit 3c90fc9abacf8309d2cf9f1b90299a5153b743da.

* Revert "fix typo, make key-id copyable"

This reverts commit 8e6f5a1f4580229e6de8f6e919945f03ee29ac3d.

* revert accidental parent commits

* Revert "list keys when in between state after CSR generation"

This reverts commit c01d7852a46d41a72e5eace28aafed5daa93f70f.

* fix empty arrays removed when serialized

* fix comment;
g

* update test
2023-02-10 18:12:40 +00:00
claire bontempo 052c175ce5
UI: display CSR after generation (#19114)
* add show page for generated CSR

* fix typo, make key-id copyable

* add tests

* move pki tests to designated folder

* list keys when in between state after CSR generation

* update tests
2023-02-10 10:05:57 -08:00
Jordan Reimer a682852afb
updates k8s config validation (#19123) 2023-02-10 09:33:26 -08:00
Austin Gebauer 12871c1974
upgrade vault-plugin-secrets-alicloud to v0.14.1 (#19128) 2023-02-10 09:32:46 -08:00
Austin Gebauer cf5abe021f
upgrade vault-plugin-secrets-alicloud to v0.14.0 (#19118) 2023-02-10 09:13:04 -08:00
Hamid Ghaf 4822d4ab6d
replace existing zookeeper import with an actively maintained one (#19086)
* replace existing zookeeper import with an actively maintained one

* remove empty lines
2023-02-10 11:56:27 -05:00
Kuba Wieczorek 51004568aa
update vault auth submodules to new version of API (#19127) 2023-02-10 08:12:10 -08:00
Jordan Reimer 35f1c5cb06
fixes issue with kubernetes config prompt appearing when it shouldn't (#19115) 2023-02-10 07:59:10 -08:00
Kuba Wieczorek db6cb78a22
Use new sdk and api versions (#19126) 2023-02-10 10:40:47 -05:00
kpcraig 5b5f575d1c
fix: upgrade vault-plugin-secrets-kubernetes to v0.3.0 (#19084)
* fix: upgrade vault-plugin-secrets-kubernetes to v0.3.0

* add changelog
2023-02-10 10:23:31 -05:00
kpcraig e83bb669e0
fix: upgrade vault-plugin-auth-kubernetes to v0.15.0 (#19094)
* fix: upgrade vault-plugin-auth-kubernetes to v0.15.0

* add changelog
2023-02-10 10:23:11 -05:00
Jordan Reimer f86b12c68d
updates kubernetes host form field description (#19113) 2023-02-09 16:16:24 -07:00
Austin Gebauer 98b8f5e126
upgrade vault-plugin-database-redis to v0.2.0 (#19112) 2023-02-09 14:39:15 -08:00
John-Michael Faircloth 3d79a13976
fix: upgrade vault-plugin-secrets-mongodbatlas to v0.9.1 (#19111)
* fix: upgrade vault-plugin-secrets-mongodbatlas to v0.9.1

* add changelog

* Update changelog/19111.txt

Co-authored-by: Max Coulombe <109547106+maxcoulombe@users.noreply.github.com>

* use correct plugin type in changelog

---------

Co-authored-by: Max Coulombe <109547106+maxcoulombe@users.noreply.github.com>
2023-02-09 15:55:42 -06:00
Christopher Swenson 7d3d404ee2
events: Add websockets and command (#19057)
Also updates the event receieved to include a timestamp.
Websockets support both JSON and protobuf binary formats.

This can be used by either `wscat` or the new
`vault events subscribe`:

e.g.,
```sh
$ wscat -H "X-Vault-Token: $(vault print token)" --connect ws://127.0.0.1:8200/v1/sys/events/subscribe/abc?json=true
{"event":{"id":"5c5c8c83-bf43-7da5-fe88-fc3cac814b2e", "note":"testing"}, "eventType":"abc", "timestamp":"2023-02-07T18:40:50.598408Z"}
...
```

and

```sh
$ vault events subscribe abc
{"event":{"id":"5c5c8c83-bf43-7da5-fe88-fc3cac814b2e", "note":"testing"}, "eventType":"abc", "timestamp":"2023-02-07T18:40:50.598408Z"}
...
```

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2023-02-09 13:18:58 -08:00
Tom Proctor 78d83c9136
Make experiments API authenticated (#18966) 2023-02-09 20:18:14 +00:00
Angel Garbarino 219d77ace8
fix (#19110) 2023-02-09 20:08:37 +00:00
Christopher Swenson 7949d10177
fix: upgrade vault-plugin-auth-centrify to v0.14.0 (#19107) 2023-02-09 11:15:00 -08:00
Austin Gebauer 84c4c12dd9
upgrade vault-plugin-secrets-openldap to v0.10.0 (#19108) 2023-02-09 10:37:58 -08:00