* VAULT-1564 report in-flight requests
* adding a changelog
* Changing some variable names and fixing comments
* minor style change
* adding unauthenticated support for in-flight-req
* adding documentation for the listener.profiling stanza
* adding an atomic counter for the inflight requests
addressing comments
* addressing comments
* logging completed requests
* fixing a test
* providing log_requests_info as a config option to determine at which level requests should be logged
* removing a member and a method from the StatusHeaderResponseWriter struct
* adding api docs
* revert changes in NewHTTPResponseWriter
* Fix logging invalid log_requests_info value
* Addressing comments
* Fixing a test
* use an atomic value for logRequestsInfo, and moving the CreateClientID function to Core
* fixing go.sum
* minor refactoring
* protecting InFlightRequests from data race
* another try on fixing a data race
* another try to fix a data race
* addressing comments
* fixing couple of tests
* changing log_requests_info to log_requests_level
* minor style change
* fixing a test
* removing the lock in InFlightRequests
* use single-argument form for interface assertion
* adding doc for the new configuration parameter
* adding the new doc to the nav data file
* minor fix
* Adding support for SHA3 in the transit backend.
* Adds SHA-3 tests for transit sign/verify path. Adds SHA-3 tests for logical system tools path hash functionality. Updates documentation to include SHA-3 algorithms in system tools path hashing.
* Adds changelog entry.
Co-authored-by: robison jacka <robison@packetized.io>
* Rework 1.21 content into one heading and add note at top
* Add notes about extended k8s token duration
* Add example of ClusterRoleBinding for using client JWTs
- Add the kms_library configuration stanza to Vault's command/server
- Provide validation of keys and general configuration.
- Add initial kms_library configuration documentation
- Attempt at startup to verify we can read the configured HSM Library
- Hook in KmsLibrary config into the Validate to detect typo/unused keys
Currently the example given results in 2.3.4.5 if it is indexed from the other side. This new example prevents confusion because it is now clear which side x_forwarded_for_hop_skips is indexing from.
A few sidebar elements are hidden for unknown reasons. If we have a
reason to keep them hidden (vs deleting the element and associated docs),
maybe we could add `"_comment":"Hidden because ..."` to them.
A few other elements were definitely obsolete so I've removed them.
* update custom headers to mention 1.9 is required
Per https://github.com/hashicorp/vault/blob/main/CHANGELOG.md#190-rc1 the custom response headers are a new feature introduced in 1.9, meaning we should explicitly call out this version requirement in documentation, otherwise users of earlier versions of Vault will be unable to use the functionality and may consider it a bug.
* Update website/content/docs/configuration/listener/tcp.mdx
reads better, agreed
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* change default value for disable_iss_validation to be true
* mark as deprecated | remove issuer from sample
* deprecation section
* additional information about when fields will be removed
* additional deprecation note under csi provider
* punctuation
* make the deprecation note more noticeable
* missing issuer sentence | remove whitespace
* Update website/content/docs/platform/k8s/csi/index.mdx
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
* cleanup
* additional deprecation comments
* fix discovery link
* highlight
* no need to configure the issuer
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
Moved from one of the first items in the navbar down to one of the last. They are not high priority information and should be grouped with upgrade and release notes.
* docs for counting tokens without entities
* Update website/content/docs/concepts/client-count.mdx
Co-authored-by: swayne275 <swayne275@gmail.com>
* remove parens in docs
* Update website/content/docs/concepts/client-count.mdx
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* Update website/content/docs/concepts/client-count.mdx
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* update documentation to be consistent with the non-entity token terminology
* Update website/content/docs/concepts/client-count.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/docs/concepts/client-count.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* add line about client ids to the api docs
* syntax and grammar
Co-authored-by: swayne275 <swayne275@gmail.com>
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* add api lock doc
* add docs nav data
* Update website/content/api-docs/system/namespaces.mdx
Co-authored-by: Chris Capurso <christopher.capurso@gmail.com>
* update command doc
* clarify locked http status code
* add example exempt path
* further exempt clarification
* link api locked response
* add x-vault-namespace api example
* Update website/content/docs/concepts/namespace-api-lock.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* review suggestions
* few other small tweaks
Co-authored-by: Chris Capurso <christopher.capurso@gmail.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Add note that monitor command may truncate logs
* Apply suggestions from code review
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
Added a note that agent cache requires at least one listener or template
to be defined in the config, and a couple spelling corrections.
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
VAULT-444: Add PKI tidy-status endpoint.
Add metrics so that the PKI tidy status can be monitored using telemetry as well.
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Add note to TLS cipher suite configuration
Ordering is no longer respected and the tls_max_version flag must be
used for this list to be relevant (as TLSv1.3 will ignore the cipher
suite list entirely).
See blog post linked in the docs for more information.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Note that server cipher suite flag is ignored
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add upgrade note about TLS cipher suites
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Document allow_different_signature_algorithm param
* Flip the semantics of different key types for sign self issued
* More language tweaks
* Fix the field definition description
* Rework differenttype test for the new flag
* typo
* Impl Fathom analytics
* Proper Fathom site ID (and prettier edits)
* Use analytics package instead of direct impl
* Upgrade platform analytics package
* Update to hashicorp/go-kms-wrapping@v0.6.8
Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add documentation around Managed HSM KeyVault
This introduces the "resource" config parameter and the
AZURE_AD_RESOURCE environment variable from the updated go-kms-wrapping
dependency.
Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry for g-k-w changes
Includes changes from @stevendpclark.
Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
* fix json code block in kv api docs
* add custom_metadata to GET, PUT, PATCH in kv api docs
* add custom_metadata to get, put, and patch in kv CLI docs
There are a number of auth methods that support creating tokens with a limited number of uses. However, Vault Agent doesn't track the uses remaining for its auto-auth token, so it may result in flaky permission denied responses if that limit is hit and Vault Agent remains unaware.
* add data patch section to kv-v2 api docs
* fix truncated output for kv put command with cas cmd in kv-v2 docs
* wip vault kv patch CLI docs
* add new flags to 'vault kv patch' CLI command docs
* fix cas_required formatting
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* fix cas formatting
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* additional format fixes
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* operator generate-root -decode: allow token from stdin
Allow passing "-" as the value for -decode, causing the encoded token to
be read from stdin. This is intended to prevent leaking the encoded
token + otp into process logs in enterprise environments.
* add changelog entry for PR12881
* add check/test for empty decode value passed via stdin
* Let allowed_users template mix templated and non-templated parts (#10388)
* Add documentation
* Change test function names
* Add documentation
* Add changelog entry
* Update website docs regarding ssh role allowed_extensions parameter
- Add note within the upgrading to 1.9.0 about behaviour change
- Prefix the important note block within the main documentation about
signed ssh certificates that it applies pre-vault 1.9
- Update api docs for the allowed_extensions parameter within the ssh
role parameter.
* Apply suggestions from code review
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* removed unpublished:true for sys/internal/* endpoints
* added changelog file
* updated change log and added placeholder summary as these endpoints are not mentioned in docs.
* added documentation for internal/ui/namespaces and resultant-acl
* updated log configs
* Documentation for custom http response headers
* Adding more explanation of what custom headers are and when to use them
* Header in the config takes precedence
* Update website/content/docs/configuration/listener/tcp.mdx
Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
* Adding more information on how to use custom response headers
* adding an API link to the ui
Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
* Disallow alias creation if entity/accessor combination exists
* Add changelog
* Address review comments
* Add handling to aliasUpdate, some field renaming
* Update tests to work under new entity-alias constraint
* Add check to entity merge, other review fixes
* Log duplicated accessors only once
* Fix flaky test
* Add note about new constraint to docs
* Update entity merge warn log
* Update the Vault Integration program page
This includes now support for HCP Vault as well as general updates to the program
* Updated process flow image
* Adding HCP V image
* Update website/content/docs/partnerships.mdx
* Update website/content/docs/partnerships.mdx
* Update website/content/docs/partnerships.mdx
* Update website/content/docs/partnerships.mdx
* Update website/content/docs/partnerships.mdx
* Update website/content/docs/partnerships.mdx
* Update website/content/docs/partnerships.mdx
* Update website/content/docs/partnerships.mdx
* Update website/content/docs/partnerships.mdx
* Update website/content/docs/partnerships.mdx
* Update website/content/docs/partnerships.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update aws.mdx
Was looking how to give the vault agent with AWS auto-auth the same nonce, but saw it wasn't documented. Dove through the code, found https://github.com/hashicorp/vault/blob/master/command/agent/auth/aws/aws.go#L139 and https://github.com/hashicorp/vault/blob/master/command/agent/auth/aws/aws.go#L215
(tried to call out the importance and point to docs, know setting `nonce` poorly could be very bad!)
* add line breaks
* Apply suggestions from code review
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
Co-authored-by: hghaf099 <83242695+hghaf099@users.noreply.github.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* upgrades deps and gets it building
* remove unneeded css file
* fix: hide intended elements in print (#12710)
* upgrade deps to latest
Co-authored-by: Zachary Shilton <4624598+zchsh@users.noreply.github.com>
* patch to support VAULT_HTTP_PROXY variable
* simplify the proxy replacement
* internal code review
* rename to VAULT_HTTP_PROXY, apply within ReadEnvironment
* clean up some unintended whitespace changes
* add docs for the new env variable and a changelog entry
Co-authored-by: Dave Du Cros <davidducros@gmail.com>
* update azure instructions
Update instructions in regards to azure AD Authentication and OIDC
* Initial pass of ed25519
* Fix typos on marshal function
* test wip
* typo
* fix tests
* missed changelog
* fix mismatch between signature and algo
* added test coverage for ed25519
* remove pkcs1 since does not exist for ed25519
* add ed25519 support to getsigner
* pull request feedback
Signed-off-by: Anner J. Bonilla <abonilla@hoyosintegrity.com>
* typo on key
Signed-off-by: Anner J. Bonilla <abonilla@hoyosintegrity.com>
* cast mistake
Signed-off-by: Anner J. Bonilla <abonilla@hoyosintegrity.com>
Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
- When two entities are merged, remove the from entity ID in any
associated groups.
- When two entities are merged, also merge their associated group
memberships.
Fixes #10084
The ACL policy examples documented on the Consul Storage Backend and
Consul Service Registration pages are too permissive. Both policies
unnecessarily grant agent:write and node:write access for all agents
within the Consul datacenter. When Consul is used solely for service
registration, `service:write` is the only required permission.
This commit modifies the policy for the Consul Storage Backend to
remove node:write access, and changes agent:write to agent:read.
The policy on the Consul Service Registration page is updated to
remove all KV-related privileges, and solely grant the necessary
service:write permission.
* fix: upgrade vault-plugin-auth-kubernetes
- brings in the alias_name_source feature which allows for setting
alternate alias names based on the service account's namespace and
name
- document the security-related aspects for the feature addition above.
* Docs: Seal pkcs11 updated example with actual hex slot reference and notes related to decimal conversion. Minor correction to **Note** area in 'lib' parameter above 'slot'.
* Docs: Seal pkcs11 slot note correction.
* [VAULT-3519] Return no_default_policy on token role read if set
* [VAULT-3519] Add changelog
* [VAULT-3519] Always return token_no_default_policy on role read
* Fix broken test
* Update role read response in docs
* Add allowed_policies_glob and disallowed_policies_glob that are the same as allowed_policies and disallowed_policies but allow glob matching.
* Update changelog, docs, tests, and comments for (dis)allowed_token_glob token role feature.
* Improve docs and unit tests for auth/token role policy globbing.
* Enforce Minimum cache size for transit backend
* enforce minimum cache size and log a warning during backend construction
* Update documentation for transit backend cache configuration
* Added changelog
* Addressed review feedback and added unit test
* Modify code in pathCacheConfigWrite to make use of the updated cache size
* Updated code to refresh cache size on transit backend without restart
* Update code to acquire read and write locks appropriately
While EKS may be the managed kubernetes environment under the hood, I believe the idea behind this section of the documentation is to use AWS KMS for seal/unseal operations, not EKS. (i.e. The surrounding documentation is discussing other Auto Unseal options such as Google KMS.)
The use of the term EKS instead of KMS made it hard for me to discover this section of documentation, and was a little confusing at first until I realized the possible error.
* Upgrade note for Alpine 3.14 docker images
It might break things for some people
* Add CVE #
Co-authored-by: mickael-hc <86245626+mickael-hc@users.noreply.github.com>
* Adding upgrade note to all relevant versions
Co-authored-by: mickael-hc <86245626+mickael-hc@users.noreply.github.com>
* add known issue for dr secondary lease count quota invalidation
* Update website/content/partials/lease-count-quota-upgrade.mdx
Co-authored-by: Meggie <meggie@hashicorp.com>
* put known issues to main 1.6 and 1.7 pages
Co-authored-by: Meggie <meggie@hashicorp.com>