* Boost max_operations to the greater of that specified or absoluteMinOperations
* Forward rotation config requests to the primary
* Reject rotation configs outside the min/max range
* Minor wording fix
Remove template_retry config section. Add new vault.retry section which only has num_retries field; if num_retries is 0 or absent, default it to 12 for backwards compat with pre-1.7 template retrying. Setting num_retries=-1 disables retries.
Configured retries are used for both templating and API proxy, though if template requests go through proxy (currently requires persistence enabled) we'll only configure retries for the latter to avoid duplicate retrying. Though there is some duplicate retrying already because whenever the template server does a retry when not going through the proxy, the Vault client it uses allows for 2 behind-the-scenes retries for some 400/500 HTTP error codes.
* snapshot
* basic test
* update command and add documentation
* update help text
* typo
* add changelog for lease lookup command
* run go mod vendor
* remove tabs from help output
It does not appear to be documented that Vault must rotate the password upon static role creation in order to know the password, as it is not provided.
* remove skip
* remove skip from create test
* some changes
* small changes to address local failures
* replace page object with dom click to help with flaky control group test
* small fix that seems to help control group failures
* some skipping to bring back my sanity
* focusing on the section-cert-test for pki
* another try at the secret cert test
* skipping to focus on secret-certs
* fingers crossed for pki role test
* hopefully some help with control group
* more on control groups
* trying for one less skip here
* create test remove skips
* remove skip
* remove comment
* back to skip this test
* shouldn't make sense but it does, changed the name to hit it first in acceptance test and that works
* redirect testing
* remove catch because that was not the issue, it never got triggered
* cleanup
* clean up
* remove comments and add catch
* Make sure we sanitize the rotation config on each clone
* Add regression test for missing rotation config
* use Equals
* simplify
Co-authored-by: Scott G. Miller <smiller@hashicorp.com>
* Update init.mdx
Updated operator init documentation to try to avoid steering customers towards running Auto Unseal seals with recovery-shares=1 and recovery-threshold=1. This is a bad security posture, as it can allow a single user with access to that recovery share to create root tokens and do other very sensitive tasks.
Also rewrote parts of the HSM/KMS Options section to indicate that recovery-related options are not solely for HSM-mode Vault but are for ANY Auto Unseal seal.
* Update website/content/docs/commands/operator/init.mdx
Adding an appropriate number of recovery-pgp-keys
Co-authored-by: Yoko <yoko@hashicorp.com>