Commit graph

1001 commits

Author SHA1 Message Date
Steven Zamborsky 6d6d8c2765
Update apiVersion of the ClusterRoleBinding example (#16808) 2022-08-22 09:49:46 -07:00
Yoko Hyakuna e7e21a36ef
Clarify keytab gen process #12880 (#16803) 2022-08-21 19:19:08 -07:00
Yoko Hyakuna 1ec3e21d83
included jwt_claim expiration error message (#16804) 2022-08-21 19:15:31 -07:00
Mike Green 6be8e7adca
Docs/autopilot typo fix and DR autopilot clarification (#12596)
* autopilot cleanup and parameter typo cleanup

* clarify DR AP lives now

* typo myself cleanup

* trigger ci

Co-authored-by: aphorise <aphorise@gmail.com>
Co-authored-by: taoism4504 <loann@hashicorp.com>
2022-08-19 14:30:13 -07:00
Mike Green 08171ee9d6
Telemetry typo fix in vault.secret.kv.count (#12631) 2022-08-19 13:06:57 -07:00
Mike Palmiotto 9ecab66535
Clarify key distribution in shamir unsealing (#16737)
* Clarify key distribution in shamir unsealing

* Further clarify contradictory statements
2022-08-19 16:03:39 -04:00
Alexander Scheel 49fd772fcc
Add per-issuer AIA URI information to PKI secrets engine (#16563)
* Add per-issuer AIA URI information

Per discussion on GitHub with @maxb, this allows issuers to have their
own copy of AIA URIs. Because each issuer has its own URLs (for CA and
CRL access), its necessary to mint their issued certs pointing to the
correct issuer and not to the global default issuer. For anyone using
multiple issuers within a mount, this change allows the issuer to point
back to itself via leaf's AIA info.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on per-issuer AIA info

Also add it to the considerations page as something to watch out for.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for per-issuer AIA information

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor AIA setting on the issuer

This introduces a common helper per Steve's suggestion.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify error messages w.r.t. AIA naming

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify error messages regarding AIA URLs

This clarifies which request parameter the invalid URL is contained
in, disambiguating the sometimes ambiguous usage of AIA, per suggestion
by Max.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Rename getURLs -> getGlobalAIAURLs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Correct AIA acronym expansion word orders

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix bad comment suggesting re-generating roots

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add two entries to URL tests

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-19 11:43:44 -04:00
Alexander Scheel 0c22c76907
Allow marking issuers as revoked (#16621)
* Allow marking issuers as revoked

This allows PKI's issuers to be considered revoked and appear on each
others' CRLs. We disable issuance (via removing the usage) and prohibit
modifying the usage via the regular issuer management interface.

A separate endpoint is necessary because issuers (especially if signed
by a third-party CA using incremental serial numbers) might share a
serial number (e.g., an intermediate under cross-signing might share the
same number as an external root or an unrelated intermediate).

When the next CRL rebuild happens, this issuer will then appear on
others issuers CRLs, if they validate this issuer's certificate.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on revoking issuers

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for issuer revocation semantics

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Notate that CRLs will be rebuilt

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix timestamp field from _utc -> to _rfc3339

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Ensure serial-based accesses shows as revoked

Thanks Kit!

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add warning when revoking default issuer

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-18 18:08:31 -04:00
Loann Le a0ba3202a8
vault documentation: updated use cases doc (#16783)
* incorporated feedback

* added link
2022-08-18 15:00:12 -07:00
Robert f7c20bc745
docs: add multi-host connection string info to postgres secrets API docs (#16780)
* Add multihost connection string information to postgres API docs

* Add note about replication manager
2022-08-18 14:38:30 -05:00
Yoko Hyakuna 404edd4c08
Mount paths case-sensitivity (#16743)
* Add a callout note about case-sensitivity

* Update website/content/docs/commands/secrets/enable.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/secrets/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/secrets/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/secrets/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/secrets/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-08-17 09:57:47 -07:00
Yoko Hyakuna 224d2e9794
Fix typos (#16749) 2022-08-17 09:47:56 -07:00
Yoko Hyakuna 7193f380b6
Fix the referenced learn link (#16747) 2022-08-17 09:47:35 -07:00
Theron Voran 2ab297a24f
docs/vault-helm: updates for the v0.21.0 release (#16731)
Also added a partial for the helm version note.
2022-08-16 14:56:30 -07:00
Yoko Hyakuna 511e442909
Update the Vault Agent config example (#16751)
* Update the Vault Agent config example

* Update index.mdx

* Update the Vault Agent config example - edit

Small additions.

* Update the Vault Agent config example - edit2

Added IP note too.

* Minor fix: add missing 'Vault'

Co-authored-by: aphorise <aphorise@gmail.com>
2022-08-16 14:42:02 -07:00
Loann Le d5254b6a29
vault documentation: general doc cleanup (#16446)
* editorial work

* edited

* added resources

* rewrote use cases

* added links

* updated content

* Update website/content/docs/what-is-vault.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Suggested edits on Vault use cases (#16502)

* Suggested edits on Vault use cases

* Remove redundant sentense

* Update website/content/docs/use-cases.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/use-cases.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/use-cases.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/use-cases.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/use-cases.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* fixed spelling error

* fixed subject-verb agreement

* added missing comma

* incorporate feedback

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2022-08-16 14:08:32 -07:00
Jakob Beckmann 21a10e09b6
fix bug with allowed_users_template and add allowed_domains_template for SSH role (#16056)
* impr(ssh): fix bug with allowed_users_template and add allowed_domains_template field in SSH role configuration, closes #10943

* chore: add changelog entry
2022-08-16 14:59:29 -05:00
jweissig 2cdfce9967
docs: Update required OpenShift version (#9738)
Helm 3 support was added in OpenShift 4.3 [1]. So, we might support 4.X but if we require Helm 3 then we need to start at 4.3. Just didn't want someone to try 4.0-4.2 and wonder why it wasn't working because Helm 3 isn't supported.

[1] https://www.openshift.com/blog/openshift-4-3-deploy-applications-with-helm-3
2022-08-16 15:45:06 -04:00
Eadinator 0424db473d
docs: k8s auth, differentiate between different identities in use (#9288) 2022-08-16 15:39:01 -04:00
Alexander Scheel 1e6730573c
Add proof possession revocation for PKI secrets engine (#16566)
* Allow Proof of Possession based revocation

Revocation by proof of possession ensures that we have a private key
matching the (provided or stored) certificate. This allows callers to
revoke certificate they own (as proven by holding the corresponding
private key), without having an admin create innumerable ACLs around
the serial_number parameter for every issuance/user.

We base this on Go TLS stack's verification of certificate<->key
matching, but extend it where applicable to ensure curves match, the
private key is indeed valid, and has the same structure as the
corresponding public key from the certificate.

This endpoint currently is authenticated, allowing operators to disable
the endpoint if it isn't desirable to use, via ACL policies.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify error message on ParseDERKey

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Leave revoke-with-key authenticated

After some discussion, given the potential for DoS (via submitting a lot
of keys/certs to validate, including invalid pairs), it seems best to
leave this as an authenticated endpoint. Presently in Vault, there's no
way to have an authenticated-but-unauthorized path (i.e., one which
bypasses ACL controls), so it is recommended (but not enforced) to make
this endpoint generally available by permissive ACL policies.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add API documentation on PoP

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add acceptance tests for Proof of Possession

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Exercise negative cases in PoP tests

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-16 14:01:26 -04:00
Yoko Hyakuna 0926143363
Fix a typo -> 'authorised' should be 'authorized' (#16730) 2022-08-15 20:27:59 -07:00
akshya96 ba15b1f822
Remove extra empty lines from vault.log - Debug command (#16714)
* debug empty lines in vault.log

* minor grammar fix

* add changelog

* add fmt changes
2022-08-15 14:16:57 -07:00
Alexander Scheel e388cfec64
Add BYOC-based revocation to PKI secrets engine (#16564)
* Refactor serial creation to common helper

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add BYOC revocation to PKI mount

This allows operators to revoke certificates via a PEM blob passed to
Vault. In particular, Vault verifies the signature on the certificate
from an existing issuer within the mount, ensuring that one indeed
issued this certificate. The certificate is then added to storage and
its serial submitted for revocation.

This allows certificates generated with no_store=true to be submitted
for revocation afterwards, given a full copy of the certificate. As a
consequence, all roles can now safely move to no_store=true (if desired
for performance) and revocation can be done on a case-by-case basis.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add docs on BYOC revocation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add PEM length check to BYOC import

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for BYOC

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Guard against legacy CA bundle usage

This prevents usage of the BYOC cert on a hybrid 1.10/1.12 cluster with
an non-upgraded CA issuer bundle.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-15 08:50:57 -05:00
Loann Le 67f2f4ea2d
vault documentation: doc cleanup effort-batch4 (#16711)
* cleanup effort

* modified text

* Update website/content/docs/internals/integrated-storage.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2022-08-12 15:39:58 -07:00
Stuart Purgavie d17a32bad3
Update internal-ui-mounts.mdx (#16399)
* Update internal-ui-mounts.mdx

For sys/internal/ui/mounts:
Make it clear that this endpoint is not only being leveraged on the Web UI, but is also leveraged in other places such as `command/kv_helpers.go` for example. Also update response to standard Vault API response JSON, not just `data` portion of response, and include options data present on KV v2 mounts.

For sys/internal/ui/mounts/:path:
Add initial version of this endpoint family.

* docs(website/content/api-docs/system/internal): backwards compatibility disclaimer

* realign MD table

* restrict response sample to data portion to be in line with other docs

* docs(website/content/api-docs/system/internal): ui/mounts calling mode notes
2022-08-12 11:10:56 -07:00
mallika-hc 9e340ed7f8
Update health.mdx (#16645)
* Update health.mdx

Added sample request and response for customizing the status code being returned from the sys/health endpoint

* Update website/content/api-docs/system/health.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-08-12 10:39:51 -07:00
mallika-hc 4c0ccf28ec
Update replication-dr.mdx (#16665)
Updated the Revoke DR Secondary token section with detail about from where the command needs to be run
2022-08-12 09:10:40 -07:00
Austin Gebauer 7bda58a1fd
secrets/db: update documentation on password policies (#16679) 2022-08-10 17:52:20 -07:00
Calvin Leung Huang 42de4a40b2
docs: update agent template certificate section (#16573)
* docs: update agent template certificate section

* extend template language section

* make recommendation to use pkiCert over secret
2022-08-10 19:38:56 -04:00
Tom Proctor 2d167b3427
Docs: Update Vault CSI Provider SecretProviderClass config options (#16506) 2022-08-10 21:30:20 +01:00
Violet Hynes 398d51bb3d
VAULT-6818 Docs for entity merge functionality (#16593)
* VAULT-6818 Docs for entity merge functionality

* VAULT-6818 Elaborate more on what happens to non-kept aliases
2022-08-10 09:10:10 -04:00
Loann Le 6d3cd5249e
modified wording (#16655) 2022-08-09 15:09:49 -07:00
Rachel Culpepper c367f883a0
Vault-5626: add key wrapping guide for transit import (#16365)
* add key wrapping guide for transit import

* link to key wrap guide from transit overview

* add new page to nav

* fix formatting

* fix note format

* fix link
2022-08-09 16:14:15 -05:00
Josh Black 005903f1ae
Clarify upgrades post 1.11 (#16650) 2022-08-09 13:57:58 -07:00
Chris Capurso 52d6287d4b
update license FAQ docs with termination changes (#16634)
* update license FAQ docs with termination changes

* change intro statement

* change temp eval license issuance callout

* PR feedback

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-08-09 11:27:57 -07:00
Chris Capurso 707fcad006
Add custom metadata to namespace API and CLI docs (#16633)
* add custom_metadata to ns api docs

* update ns CLI docs to add custom-metadata flag
2022-08-09 14:10:41 -04:00
Kevin 9365250dfc
fix typo in Discovering the service account issuer (#16641) 2022-08-09 13:27:30 -04:00
Austin Gebauer e72b7a8938
identity/oidc: minor fixes to the API documentation (#16638) 2022-08-09 08:09:37 -07:00
Milena Zlaticanin 78e8c135fc
Hana - Add username customization (#16631)
* implement username customization feature

* adding changelog

* update database capabilities doc

* update database capabilities doc

Co-authored-by: Zlaticanin <milena@hashicorp.com>
2022-08-08 16:01:34 -05:00
Austin Gebauer 59831a8d5c
identity/oidc: adds client_secret_post token endpoint authentication method (#16598)
* identity/oidc: adds client_secret_post token endpoint authentication method

* fix test

* adds changelog
2022-08-08 08:41:09 -07:00
Meggie b7365df464
Adding PGX change to release & upgrade notes (#16613)
Also some heading size tidying
2022-08-05 14:57:47 -04:00
Austin Gebauer 67339b71e8
identity/oidc: fixes validation of the request and request_uri parameters (#16600)
* identity/oidc: add request_parameter_supported to discovery document

* adds changelog
2022-08-05 11:55:15 -07:00
Austin Gebauer a2bc8cfb96
identity/oidc: change the state parameter to optional (#16599)
* identity/oidc: change the state parameter to optional

* adds changelog

* update docs
2022-08-05 11:37:24 -07:00
David Fleming f08143cec8
Fix Link: OIDC Provider Config - Okta (#16607)
Okta was pointing at /docs/auth/jwt/oidc-providers/kubernetes.  Updated to point at /docs/auth/jwt/oidc-providers/okta
2022-08-05 12:40:03 -04:00
Jason O'Donnell bc93baaaab
auth/kerberos: add remove_instance_name config (#16594)
* auth/kerberos: add remove_instance_name config

* Update website

* Fix doc

* Fix doc

* changelog
2022-08-04 16:38:12 -04:00
Loann Le 85539da102
vault documentation: updated architecture doc page (#16569)
* updated content

* fixed spelling error

* Update website/content/docs/internals/architecture.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Update website/content/docs/internals/architecture.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Update website/content/docs/internals/architecture.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Update website/content/docs/internals/architecture.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Update website/content/docs/internals/architecture.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* updated content

* italicized barrier

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2022-08-04 11:29:31 -07:00
Austin Gebauer e2d3846a25
identity/oidc: adds detailed listing capability for clients and providers (#16567)
* identity/oidc: adds detailed listing capability for clients and providers

* change approach to use ListResponseWithInfo

* adds changelog
2022-08-04 10:10:28 -07:00
Chris Capurso 1820b771ce
fix typo in certificate (#16588) 2022-08-04 13:01:34 -04:00
Robert de Bock 4a6218ca45
Update raft.mdx (#16579)
Explicitly explain that the content of a certificate or key is expected, not a path.
2022-08-04 09:56:23 -04:00
Nick Cabatoff 5e504944d7
Document how replication uses cluster addresses. (#16545) 2022-08-04 09:10:23 -04:00
Ikko Ashimine 49bfd3a944
Fix typo in managed-keys.mdx (#16578)
targetting -> targeting
2022-08-04 09:02:13 -04:00
FalcoSuessgott f7cb95968e
Add vkv to related tools list (#16285) 2022-08-03 15:18:54 -04:00
Alexander Scheel 8acbf7f480
Add PSS support to PKI Secrets Engine (#16519)
* Add PSS signature support to Vault PKI engine

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use issuer's RevocationSigAlg for CRL signing

We introduce a new parameter on issuers, revocation_signature_algorithm
to control the signature algorithm used during CRL signing. This is
because the SignatureAlgorithm value from the certificate itself is
incorrect for this purpose: a RSA root could sign an ECDSA intermediate
with say, SHA256WithRSA, but when the intermediate goes to sign a CRL,
it must use ECDSAWithSHA256 or equivalent instead of SHA256WithRSA. When
coupled with support for PSS-only keys, allowing the user to set the
signature algorithm value as desired seems like the best approach.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add use_pss, revocation_signature_algorithm docs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add PSS to signature role issuance test matrix

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow roots to self-identify revocation alg

When using PSS support with a managed key, sometimes the underlying
device will not support PKCS#1v1.5 signatures. This results in CRL
building failing, unless we update the entry's signature algorithm
prior to building the CRL for the new root.

With a RSA-type key and use_pss=true, we use the signature bits value to
decide which hash function to use for PSS support.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add clearer error message on failed import

When CRL building fails during cert/key import, due to PSS failures,
give a better indication to the user that import succeeded its just CRL
building that failed. This tells them the parameter to adjust on the
issuer and warns that CRL building will fail until this is fixed.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add case insensitive SigAlgo matching

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Convert UsePSS back to regular bool

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor PSS->certTemplate into helper function

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Proper string output on rev_sig_alg display

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Copy root's SignatureAlgorithm for CRL building

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-03 12:42:24 -04:00
Kevin Wang d136ba385a
fix(docs): typos (#16555) 2022-08-03 08:58:27 -07:00
Mike Palmiotto c4140522a6
Docs/vault 7338 retry join known issue (#16540)
* storage/raft: Add known issue for retry_join

* storage/raft: Update known issues with issue reference

* docs: Add return between includes
2022-08-03 15:42:51 +02:00
Alexander Scheel cf7105929f
Allow old certs to be cross-signed (#16494)
* Allow old certs to be cross-signed

In Vault 1.11, we introduced cross-signing support, but the earlier SKID
field change in Vault 1.10 causes problems: notably, certs created on
older versions of Vault (<=1.9) or outside of Vault (with a different
SKID method) cannot be cross-signed and validated in OpenSSL.

In particular, OpenSSL appears to be unique in requiring a SKID/AKID
match for chain building. If AKID and SKID are present on an otherwise
valid client/parent cert pair and the values are different, OpenSSL will
not build a valid path over those two, whereas most other chain
validation implementations will.

Regardless, to have proper cross-signing support, we really aught to
support copying an SKID. This adds such support to the sign-intermediate
endpoint. Support for the /issue endpoint is not added, as cross-signing
leaf certs isn't generally useful and can accept random SKIDs.

Resolves: #16461

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Address review feedback, fix tests

Also adds a known-answer test using LE R3 CA's SKID.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Address review feedback regarding separators

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-03 06:34:21 -07:00
Yoko Hyakuna dc0b4315f3
Move the IS Autopilot note from 1.11 upgrade guide (#16541)
* Move the IS Autopilot note from 1.11 upgrade guide

* Minor update to the verbiage

* Update website/content/docs/upgrading/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/upgrading/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Remove extra spaces

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-08-02 19:05:17 -07:00
Violet Hynes adb65bd0f2
VAULT-6615 Update docs for 1.12 quota changes (#16381)
* VAULT-6615 Update docs for 1.12 quota changes

* VAULT-6615 Add info about globbing

* VAULT-6615 some small updates for role param

* Update website/content/docs/enterprise/lease-count-quotas.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/api-docs/system/lease-count-quotas.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-08-02 15:37:56 -04:00
Loann Le ab27921d85
Vault documentation: updated install and ha files (#16498)
* revised content

* Update website/content/docs/install.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Update website/content/docs/internals/high-availability.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Update website/content/docs/internals/high-availability.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Update website/content/docs/internals/high-availability.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Update website/content/docs/internals/high-availability.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2022-08-02 11:40:09 -07:00
Chris Capurso 0474352f65
add merkle.flushDirty.outstanding_pages metric to docs (#16530) 2022-08-02 12:58:25 -04:00
TheHussky 22b01bcd01
Fix last sample request (#16509)
Add a missing \
2022-08-01 14:09:12 -04:00
Alexander Scheel 4987bcfcd6
Add KMIP CSPs + initial Seal Wrap list (#16515)
* Add note on KMIP EA usage

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add wrapped parameters section to Seal Wrap docs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-01 10:32:47 -04:00
Ian Ferguson dc603b4f7f
Allow identity templates in ssh backend default_user field (#16351)
* Allow identity templates in ssh backend `default_user` field

* use correct test expected value

* include api docs for `default_user_template` field
2022-07-29 09:45:52 -04:00
Theron Voran 4dc7b71a28
docs/vault-k8s: updated for v0.17.0 release (#16492) 2022-07-28 14:23:47 -07:00
Jason O'Donnell e3f942f51c
agent: add disable_keep_alives configurable (#16479)
agent: add disable_keep_alives config

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>
2022-07-28 12:59:49 -07:00
Austin Gebauer b3f138679c
identity/oidc: allow filtering the list providers response by an allowed_client_id (#16181)
* identity/oidc: allow filtering the list providers response by an allowed_client_id

* adds changelog

* adds api documentation

* use identity store view in list provider test
2022-07-28 09:47:53 -07:00
Christopher Swenson b04d6e6720
Remove SHA1 for certs in prep for Go 1.18 (#16455)
Remove SHA1 for certs in prep for Go 1.18

* Remove certs with SHA1 from tests
* Use default SHA-256 with PKCS7 in AWS
* Update SHA1 deprecation note

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2022-07-28 09:14:33 -07:00
Scott Miller 1b1c6fe168
Correct the Transit HMAC key source in docs (#16463)
* Correct the Transit HMAC key source in docs

* Update website/content/api-docs/secret/transit.mdx

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-07-27 11:48:41 -05:00
Theron Voran 66ef22b735
docs/k8s: adding terraform config examples (#16121)
Adding a terraform examples page for configuring vault-helm.

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2022-07-26 20:43:26 -04:00
Tom Proctor bd0461619c
Docs: Add list of supported k8s versions for agent injector (#16433) 2022-07-26 15:59:27 +01:00
akshya96 6e0c04d602
vault-951Documentation (#16434) 2022-07-25 16:53:03 -07:00
Yoko Hyakuna 7b43bf4c68
Add a note referring to automated upgrade (#16444)
* Add a note referring to automated upgrade

* Update website/content/docs/upgrading/upgrade-to-1.11.x.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/upgrading/upgrade-to-1.11.x.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/upgrading/upgrade-to-1.11.x.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-07-25 15:03:55 -07:00
tdsacilowski 887e77c2ae
Agent JWT auto auth remove_jwt_after_reading config option (#11969)
Add a new config option for Vault Agent's JWT auto auth
`remove_jwt_after_reading`, which defaults to true. Can stop
Agent from attempting to delete the file, which is useful in k8s
where the service account JWT is mounted as a read-only file
and so any attempt to delete it generates spammy error logs.

When leaving the JWT file in place, the read period for new
tokens is 1 minute instead of 500ms to reflect the assumption
that there will always be a file there, so finding a file does not
provide any signal that it needs to be re-read. Kubernetes
has a minimum TTL of 10 minutes for tokens, so a period of
1 minute gives Agent plenty of time to detect new tokens,
without leaving it too unresponsive. We may want to add a
config option to override these default periods in the future.

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2022-07-25 07:42:09 -06:00
Jason O'Donnell 140406143e
command/server: add dev-tls flag (#16421)
* command/server: add dev-tls flag

* Add website documentation

* changelog

* Lower file permissions

* Update cert gen per review

* Add dev-tls-cert-dir flag and cert clean up

* fmt

* Update cert generation per review

* Remove unused function

* Add better error messages

* Log errors in cleanup, fix directory not existing bug

* Remove hidden flag from -dev-tls-cert-dir

* Add usage

* Update 16421.txt

* Update variable names for files

* Remove directory on cleanup
2022-07-22 14:04:03 -04:00
Matt Schultz 31151671ab
Transform tokenization key auto-rotate docs (#16410)
* Document auto rotate fields for transform tokenization endpoints.

* Update Transform tokenization docs to mention key auto-rotation.
2022-07-21 15:48:58 -05:00
Steven Zamborsky c0b0c4fde7
Add an "Important Note" regarding EKS CSR approval. (#16406) 2022-07-21 13:34:03 -07:00
Austin Gebauer 5062502756
auth/oidc: documents the client_nonce parameter (#16403) 2022-07-21 09:34:46 -07:00
Rachel Culpepper 133535fabe
add paths for import endpoints (#16401) 2022-07-21 11:19:13 -05:00
Wojtek Czekalski d05e8d1222
Fix typo in the docs (#16323)
It's very confusing, `Volumes` are very similar to `volumes` and can cause confusion 😄
2022-07-21 10:42:46 -04:00
Francois BAYART 24b9fa39bc
Update s3.mdx (#13630)
fix IAM requirements to use KMS key
2022-07-21 10:41:33 -04:00
Jason Peng 08b0cf40d5
Update reload.mdx (#14207)
To match with the API version of docs- https://www.vaultproject.io/api-docs/system/plugins-reload-backend#sys-plugins-reload-backend.
2022-07-21 10:39:25 -04:00
Barak BD 164d37b11a
Add section for Engine V2 requests (#14381)
This may be a related issue: https://github.com/hashicorp/vault/issues/7161
2022-07-21 10:38:57 -04:00
Pratik Khasnabis 3e4f4fdd55
Change AWS to Azure in Tutorial section (#15206)
* Change AWS to Azure in Tutorial section

* trigger ci

Co-authored-by: taoism4504 <loann@hashicorp.com>
2022-07-21 10:36:27 -04:00
Florent Tatard 9dc861a8b3
Missing word (#16269)
Can't believe this went unnoticed for 5 years :)
2022-07-20 08:54:10 -07:00
Loann Le 58a646c726
updated note (#16372) 2022-07-19 16:52:41 -07:00
Andy Assareh 1313a53702
formatting issue - missing list bullet (#16352) 2022-07-19 15:51:36 -07:00
Loïc Saint-Roch 3d978605f8
Add HashiBox to community tools (#16150) 2022-07-19 11:37:58 -07:00
Rodolfo Castelo Méndez b44d0ab1df
Information about aws_s3_server_side_encryption (#16253)
Add when cannot use the combination of parameters.
2022-07-19 11:18:19 -07:00
Jakob Beckmann d72064cb81
[Kubernetes Secret Engine]: Role namespace configuration possible via LabelSelector (#16240)
* docs(#16222): add documentation for changes in PR hashicorp/vault-plugin-secrets-kubernetes#10

* docs(#16222): add changelog entry

* docs(#16222): improve documentation to make the use case of setting both allowed_kubernetes_namespaces and allowed_kubernetes_namespace_selector parameters for role configuration
2022-07-19 13:11:45 -05:00
Tom Proctor 460388d957
Docs: Add release notes for MSSQL TDE (#16326) 2022-07-19 11:52:59 +01:00
Austin Gebauer 1a71678954
docs/plugin-portal: adds missing HashiCorp supported plugins (#16346) 2022-07-18 22:42:49 -07:00
Mạnh Tử 6b3cc4adc0
docs(plugin-portal): added Harbor Robot Account plugin (#16320) 2022-07-18 18:03:32 -07:00
Yoko Hyakuna 745ea70434
Fix the contribution guide link (#16344) 2022-07-18 16:37:31 -07:00
Robert 8169940284
docs: fix consul secrets feature version (#16304)
* Move consul_namespace into Consul v1.7 instead of v1.8
2022-07-18 13:03:45 -05:00
Nestor Reyes e3ce0f0d1d
Update policies.mdx (#16312)
548 From "builtin" to "built-in" to be consistent with the previous sentence. 

589 from "can not" to "cannot"
2022-07-15 15:28:49 -07:00
Kit Haines a4b5813817
append slash to consul path in doc (#15260)
Co-authored-by: Chulki Lee <chulki.lee@gmail.com>
2022-07-14 12:27:31 -07:00
Alexander Scheel 0113f8c586
Update localhost:3000 links to be correct (#16301)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-07-14 12:08:28 -07:00
Yoko Hyakuna cf0cb3be49
Update the policy examples (#16297)
* Update the policy examples

* Adjusted the examples
2022-07-14 08:01:22 -07:00
Loann Le e6b24b09f0
update sys-mfa-doc (#16291) 2022-07-13 10:36:52 -07:00
Yoko Hyakuna 485b7b0abe
Remove the callout note about Ent (#16288) 2022-07-13 09:00:11 -07:00