* docs(#16222): add documentation for changes in PR hashicorp/vault-plugin-secrets-kubernetes#10
* docs(#16222): add changelog entry
* docs(#16222): improve documentation to make the use case of setting both allowed_kubernetes_namespaces and allowed_kubernetes_namespace_selector parameters for role configuration
* pki: When a role sets key_type to any ignore key_bits value when signing
- Bypass the validation for the role's key_bits value when signing CSRs
if the key_type is set to any. We still validate the key is at least
2048 for RSA backed CSRs as we did in 1.9.x and lower.
- Make the dev quick start link readily available on the client library documentation page
- Move the full code samples to the top of the dev quickstart page so that they're easily accessible.
- Update the api/readme to have a link to the dev quickstart
* add func to set level for specific logger
* add endpoints to modify log level
* initialize base logger with IndependentLevels
* test to ensure other loggers remain unchanged
* add DELETE loggers endpoints to revert back to config
* add API docs page
* add changelog entry
* remove extraneous line
* add log level field to Core struct
* add godoc for getLogLevel
* add some loggers to c.allLoggers
* Add signature_bits to sign-intermediate
This endpoint was lacking the signature_bits field like all the other
endpoints. Notably, in #15478, the ability to customize the intermediate
CSR's signature bits was removed without checking for the ability to
customize the final (root-signed) intermediate certificate's value.
This adds in that missing ability, bringing us parity with root
generation and role-based signing.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add signature_bits to sign-verbatim
This endpoint was also lacking the signature_bits field, preventing
other signature hash functions from being utilized here.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
The KMIP backend has four new parameters for the API call to create or update a
role:
- operation_decrypt
- operation_encrypt
- operation_import
- operation_query
The returned chain on the issuer is presented both for signing request
responses and (if the default issuer) on the /ca_chain path. Overriding
the issuers' automatically constructed chain with a manual_chain allows
removal of the root CA if desired.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add cn_validations PKI Role parameter
This new parameter allows disabling all validations on a common name,
enabled by default on sign-verbatim and issuer generation options.
Presently, the default behavior is to allow either an email address
(denoted with an @ in the name) or a hostname to pass validation.
Operators can restrict roles to just a single option (e.g., for email
certs, limit CNs to have strictly email addresses and not hostnames).
By setting the value to `disabled`, CNs of other formats can be accepted
without validating their contents against our minimal correctness checks
for email/hostname/wildcard that we typically apply even when broad
permissions (allow_any_name=true, enforce_hostnames=false, and
allow_wildcard_certificates=true) are granted on the role.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update PKI tests for cn_validation support
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add PKI API documentation on cn_validations
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* VAULT-6091 Document duration format
* VAULT-6091 Document duration format
* VAULT-6091 Update wording
* VAULT-6091 Update to duration format string, replace everywhere I've found so far
* VAULT-6091 Add the word 'string' to the nav bar
* VAULT-6091 fix link
* VAULT-6091 fix link
* VAULT-6091 Fix time/string, add another reference
* VAULT-6091 add some misses for references to this format
* Handle func
* Update - check if key_type and key_bits are allowed
* Update - fields
* Generating keys based on provided key_type and key_bits
* Returning signed key
* Refactor
* Refactor update to common logic function
* Descriptions
* Tests added
* Suggested changes and tests added and refactored
* Suggested changes and fmt run
* File refactoring
* Changelog file
* Update changelog/15561.txt
Co-authored-by: Alexander Scheel <alexander.m.scheel@gmail.com>
* Suggested changes - consistent returns and additional info to test messages
* ssh issue key pair documentation
Co-authored-by: Alexander Scheel <alexander.m.scheel@gmail.com>
* Overhaul consul docs and api-docs for new 1.11 features
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
This adds a note that manual_chain is required for cross-signed
intermediates, as Vault will not automatically associate the
cross-signed pair during chain construction. During issuance, the chain
is used verbatim from the issuer, so no chain detection will be used
then.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Update AWS auth docs for SHA-1 deprecation
We now recommend `/rsa2048` as the preferred AWS signature moving
foward, as `/pkcs7` and `/signature` will stop working by default in
Vault 1.12 without setting `GODEBUG=x509sha1=1` in the Vault deployment
due to the move to Go 1.18.
I also took this oppoturnity to try to make the docs less confusing
and more consistent with all of the usages of signature, PKCS#7, DSA,
and RSA terminology.
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
* Match listing_visibility in system/auth with system/mounts
See also: #15209
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix path-help for listing_visibility
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add missing key_ref parameter to gen root docs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add API docs section on key generation
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add note about managed key access
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add integration tests for aliased PKI paths (root/rotate, root/replace)
- Add tests for the two api endpoints
- Also return the issuer_name field within the generate root api response
* Add key_name to generate root api endpoint response and doc updates
- Since we are now returning issuer_name, we should also return key_name
- Update the api-docs for the generate root endpoint responses and add
missing arguments that we accept.