Commit graph

5000 commits

Author SHA1 Message Date
Kit Haines d2ecf8ffc5
Add PKI-CLI to docs (#19669)
* Add pki-cli docs.

* Tiny updates.

* Whitespace fix, include description

* Closing-tags.

* Update website/content/docs/commands/pki/verify-sign.mdx

Title Code as Shell

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Update website/content/docs/commands/pki/reissue.mdx

Title More Code as Shell

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Update website/content/docs/commands/pki/list-intermediates.mdx

Title code block as shell

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Update website/content/docs/commands/pki/issue.mdx

Title code-block as shell

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Apply suggestions from code review

Label Code-Blocks as Shell-Session

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Apply suggestions from code review

Comma and Period Changes.

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Apply suggestions from code review

ascheels highlighting-1

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix highlighting throughout.

* Update website/content/docs/commands/pki/list-intermediates.mdx

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update website/content/docs/commands/pki/reissue.mdx

Clarifying note on why unknown fields might be there.

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update website/content/docs/commands/pki/reissue.mdx

cipherboy request

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add Key-ID RFC link.

* k=v add link

* correct link

---------

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-03-30 07:31:48 -04:00
Theron Voran f0391962a2
docs/vault-secrets-operator: update for beta install (#19835)
Update the helm commands to work with the beta release.
2023-03-29 22:51:34 +00:00
Brian Shumate f4fbca8050
Docs: API: Update token_period description (#19821)
- Clarify token_period per feedback in SPE-34
2023-03-29 13:53:16 -07:00
Ben Ash 7322dd952b
Add vault-secrets-operator beta docs. (#19827)
Co-authored-by: Kyle Schochenmaier <kschoche@gmail.com>
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2023-03-29 20:33:06 +00:00
Robert 71071fd954
docs: Change wording for AssumeRole permissions in AWS secrets (#19823)
Co-authored-by: wernerwws <wernerwws@users.noreply.github.com>
2023-03-29 13:03:26 -05:00
Raymond Ho 554674fb59
add docs for VAULT_RUN_MODE (#19808) 2023-03-28 21:18:45 -07:00
Victor Rodriguez bd76f6c539
Update Vault PKCS#11 Provider documentation for v0.2.0. (#19783) 2023-03-28 14:57:45 -04:00
Anton Averchenkov 41466b9eca
docs: Fix duration format link in kv-v2 docs page (#19768) 2023-03-27 13:18:25 -04:00
Raymond Ho f725e151b8
add warning for vault lambda extension cache ttl (#19738) 2023-03-24 23:37:38 +00:00
ram-parameswaran f491cc8225
Update username template description for AWS (#19690)
Update username template description for AWS by calling out what DisplayName and PolicyName actually are placeholders for
2023-03-23 19:56:55 -07:00
Yoko Hyakuna 11a748de4a
Add OpenAPI Go and C# (#18896)
* Add OpenAPI Go and C#

* Update website/content/docs/get-started/developer-qs.mdx

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* Update website/content/docs/get-started/developer-qs.mdx

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* Update website/content/docs/get-started/developer-qs.mdx

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* Update website/content/docs/get-started/developer-qs.mdx

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* Update website/content/docs/get-started/developer-qs.mdx

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* Update website/content/docs/get-started/developer-qs.mdx

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* Update website/content/docs/get-started/developer-qs.mdx

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* Update website/content/docs/get-started/developer-qs.mdx

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* Update website/content/docs/get-started/developer-qs.mdx

Co-authored-by: AnPucel <adiroff@hashicorp.com>

* Update website/content/docs/get-started/developer-qs.mdx

Co-authored-by: AnPucel <adiroff@hashicorp.com>

* Update website/content/docs/get-started/developer-qs.mdx

Co-authored-by: AnPucel <adiroff@hashicorp.com>

* Update website/content/docs/get-started/developer-qs.mdx

Co-authored-by: AnPucel <adiroff@hashicorp.com>

* Add code sample links for OpenAPI-based Go and .NET

* Update website/content/docs/get-started/developer-qs.mdx

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* Remove command flags that are no longer needed

* Fix 'OpenAPI C#' > 'OpenAPI .NET'

* Update website/content/docs/get-started/developer-qs.mdx

Co-authored-by: AnPucel <adiroff@hashicorp.com>

* Update website/content/docs/get-started/developer-qs.mdx

Co-authored-by: AnPucel <adiroff@hashicorp.com>

* Update website/content/docs/get-started/developer-qs.mdx

Co-authored-by: AnPucel <adiroff@hashicorp.com>

* Update website/content/docs/get-started/developer-qs.mdx

Co-authored-by: AnPucel <adiroff@hashicorp.com>

---------

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
Co-authored-by: AnPucel <adiroff@hashicorp.com>
2023-03-23 16:04:50 -07:00
Rowan Smith 8627b8aca5
Update tcp.mdx (#19546)
expand the info for using x-forwarded-for option
2023-03-23 15:59:42 -07:00
Yoko Hyakuna af842e2cee
Fix the title parsing error (#19685) 2023-03-22 20:35:35 -07:00
Luis (LT) Carbonell 91e04109be
add clarifying statement for pkcs11 support (#19673) 2023-03-22 12:40:23 -04:00
ram-parameswaran b24115cf1e
Updated connection_url to be pgx library relevant (#19667)
Updated connection_url to be according to the options available in the pgx library instead of the now deprecated use of the lib/pq which was done as part of Vault 1.11 as documented here - https://github.com/hashicorp/vault/blob/main/CHANGELOG.md#june-20-2022
2023-03-22 09:02:47 -07:00
Karel 7469b0828a
Fix: Optionally reload x509 key-pair from disk on agent auto-auth (#19002)
* Optionally reload x509 key-pair from disk

* Document 'reload' config value

* Added changelog release note
2023-03-22 11:01:58 -04:00
Raymond Ho 96e966e9ef
VAULT-13614 Support SCRAM-SHA-256 encrypted passwords for PostgreSQL (#19616) 2023-03-21 12:12:53 -07:00
mickael-hc 427b4dbd49
security model updates (#19656) 2023-03-21 11:14:00 -07:00
Rowan Smith c29f5e718a
docs / Update 1.13.0 Known Issues (#19601)
* Update 1.13.0.mdx

add a note to known issues

* Update website/content/docs/release-notes/1.13.0.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

---------

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2023-03-20 18:14:41 -07:00
Daniel Huckins 058710d33d
Add -mount flag to kv list command (#19378)
* add flag

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* handle kv paths

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* scaffold test

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* need metadata for list paths

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add (broken) test

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* fix test

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* update docs

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add changelog

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* format

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add godoc

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add test case for mount only

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* handle case of no unnamed arg

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add non-mount behavior

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add more detail to comment

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add v1 tests

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

---------

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
2023-03-20 16:26:21 -04:00
Rowan Smith c581f90c05
Update deregister.mdx (#19573)
adding `-version=` parameter to docs
2023-03-20 12:08:20 -07:00
Tom Proctor 7fd394fc76
Docs: Implementing the plugin version interface (#19606) 2023-03-20 17:43:31 +00:00
Alexander Scheel 1fe1c756ab
Add known issue text for PKI revocation (#19632)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-03-20 12:24:05 -04:00
Steven Clark 6fbf3da148
Add known issue about OCSP GET redirection responses (#19523) 2023-03-17 18:07:04 +00:00
Violet Hynes 31f764b82b
Update KV-V2 docs to explicitly call out the secret mount path as a parameter (#19607)
* Update KV-V2 docs to explicitly call out the secret mount path as a parameter

* Missed some angular brackets

* remove wishy language
2023-03-17 12:21:55 -04:00
miagilepner ec4bd1fb25
VAULT-14204 Update parameter policy documentation (#19586) 2023-03-17 11:14:54 +01:00
Mike Palmiotto 89d7b874ba
Add upgrade note for Removed builtins in 1.13 (#19531) 2023-03-15 22:18:44 +00:00
Hamid Ghaf 27bb03bbc0
adding copyright header (#19555)
* adding copyright header

* fix fmt and a test
2023-03-15 09:00:52 -07:00
Scott Miller de31641aea
Add the Tokenization/Rotation persistence issue as a Known Issue (#19542)
* Note the known issue with rotation interaction with tokenization key policy persistence

* typo
2023-03-15 09:42:02 -05:00
Violet Hynes fdd38deb49
Update auto-auth docs to remove tilde for home (#19548)
* Update auto-auth docs to remove tilde for home

* Extra clean-up
2023-03-15 09:35:43 -04:00
Francis Chuang 74c3697144
Add Oracle Cloud auth to the Vault Agent (#19260)
* Add Oracle Cloud auth to the Vault Agent

* Use ParseDurationSecond to parse credential_poll_interval

* Use os.UserHomeDir()
2023-03-15 09:08:52 -04:00
Violet Hynes 85f845c3e0
VAULT-12798 Correct removal behaviour when JWT is symlink (#18863)
* VAULT-12798 testing for jwt symlinks

* VAULT-12798 Add testing of jwt removal

* VAULT-12798 Update docs for clarity

* VAULT-12798 Small change, and changelog

* VAULT-12798 Lstat -> Stat

* VAULT-12798 remove forgotten comment

* VAULT-12798 small refactor, add new config item

* VAULT-12798 Require opt-in config for following symlinks for JWT deletion

* VAULT-12798 change changelog
2023-03-14 15:44:19 -04:00
Ashlee M Boyer 788af4a90e
Remove .mdx extension from link (#19514) 2023-03-13 15:03:06 -04:00
Meggie be18d6cac3
Un-hiding link to 1.13 upgrade guide (#19505)
* Un-hiding link to 1.13 upgrade guide

* Removing draft notice
2023-03-10 11:30:19 -05:00
Robert 0315efba0c
Add info about gcp service account key encoding (#19496) 2023-03-10 09:13:37 -06:00
Yoko Hyakuna e392b6650f
Remove the note about Vault not supporting number Okta verify push number challenge (#19497) 2023-03-09 16:30:49 -08:00
Max Winslow dbbdd33c63
Change headings to h2 (#19402) 2023-03-07 15:48:51 -08:00
Phil Renaud d09c716e4b
Link to the Nomad tutorial for Vault as OIDC provider (#19461) 2023-03-06 10:30:14 -08:00
Yoko Hyakuna 40dc1d39d9
Add more context on the Release Notes landing page (#19456)
* Add little more verbiage on the Release Notes landing page

* Add missing comma
2023-03-03 14:39:39 -08:00
prabhat-hashi e5b982199f
Docs - update ldap page to add clarity around sAMAccountName (#19450)
* Docs - update ldap page to add clarity around sAMAccountName

Updated https://developer.hashicorp.com/vault/docs/secrets/ldap#active-directory-ad-1 to clarify customers configure username properly using username_template when sAMAccountName is involved.

* Docs -  edit on last update for ldap page

Fixed the link /vault/docs/concepts/username-templating
2023-03-03 10:09:13 -08:00
Max Winslow c44f94d7ff
update entity-alias doc fix (#19435) 2023-03-03 08:16:26 -08:00
Tony Wittinger 64b4ee234d
docs: updated key size in transit documentation (#19346) 2023-03-02 16:07:40 -08:00
akshya96 09057073ae
Vault Status Command Differs Depending on Format (#19361)
* vault-issue-9185

* removing new lines:

* removing new space

* fix grammar

* change field name
2023-03-01 12:57:53 -08:00
Alexander Scheel dabe38dcc1
Document RSA operations (#19377)
Also clarify hash function choices.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-03-01 13:35:35 -05:00
Mark Sailes 4c3c56dee4
Remove the Lambda SnapStart incompatibility notice. (#19394) 2023-03-01 18:13:18 +00:00
Malte S. Stretz 320f46ba8a
Add documentation for tls_max_version (#19398) 2023-03-01 14:45:04 +00:00
Max Winslow 109fbe06bb
change verbiage for lookup group and entity (#19406) 2023-02-28 12:40:38 -08:00
Austin Gebauer 10fe43701f
docs/ad: adds deprecation announcements and migration guide (#19388)
* docs/ad: adds deprecation announcements and migration guide

* fix table ending

* remove fully-qualified links

* Minor format fixes - migrationguide

* Update website/content/docs/secrets/ad/migration-guide.mdx

Co-authored-by: vinay-gopalan <86625824+vinay-gopalan@users.noreply.github.com>

* Update website/content/docs/secrets/ad/migration-guide.mdx

Co-authored-by: vinay-gopalan <86625824+vinay-gopalan@users.noreply.github.com>

---------

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
Co-authored-by: vinay-gopalan <86625824+vinay-gopalan@users.noreply.github.com>
2023-02-28 10:41:59 -08:00
Alexander Scheel 2970b15a63
Add docs on FIPS Inside vs Seal Wrap (#19310)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-02-28 10:22:17 -05:00
Yoko Hyakuna cd7f7cc131
Vault 1.13.0 Release Notes (#19360)
* Adding Vault 1.13.0 Release Notes

* Add OpenAPI Go and .NET client libraries to the list

* Add the 'UI wizard removal' to the release note
2023-02-27 12:44:13 -08:00
Rowan Smith 4fd467a53b
approle naming syntax documentation (#19369)
Documentation does not currently detail the accepted naming scheme for approle roles, this aims to provide clarity based on customer feedback. https://github.com/hashicorp/vault/blob/main/sdk/framework/path.go#L16-L18 details the regex used.
2023-02-27 12:08:15 -08:00
Alexander Scheel 7182949029
Fix transit byok tool, add docs, tests (#19373)
* Fix Vault Transit BYOK helper argument parsing

This commit fixes the following issues with the importer:

 - More than two arguments were not supported, causing the CLI to error
   out and resulting in a failure to import RSA keys.
 - The @file notation support was not accepted for KEY, meaning
   unencrypted keys had to be manually specified on the CLI.
 - Parsing of additional argument data was done in a non-standard way.
 - Fix parsing of command line options and ensure only relevant
   options are included.

Additionally, some error messages and help text was clarified.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing documentation on Transit CLI to website

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for Transit BYOK vault subcommand

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Appease CI

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-02-27 18:25:38 +00:00
Jakob Beckmann 078a245939
Allow alias dereferencing in LDAP searches (#18230)
* impr(auth/ldap): allow to dereference aliases in searches

* docs: add documentation for LDAP alias dereferencing

* chore(auth/ldap): add changelog entry for PR 18230

* chore: run formatter

* fix: update default LDAP configuration with new default

* Update website/content/docs/auth/ldap.mdx

Co-authored-by: tjperry07 <tjperry07@users.noreply.github.com>

* docs(ldap): add alias dereferencing to API docs for LDAP

---------

Co-authored-by: tjperry07 <tjperry07@users.noreply.github.com>
2023-02-24 13:49:17 -05:00
David Yu 9753379fe8
Update consul.mdx (#19300) 2023-02-22 17:45:26 -05:00
Austin Gebauer a8d382d52a
docs/oidc: make it clear that contents of CA certificate are expected (#19297) 2023-02-22 11:33:53 -08:00
Bryce Kalow 2fa1153e95
adds content-check command and README update (#19271) 2023-02-22 12:04:00 -05:00
Max Coulombe b9bcd135e5
Added disambiguation that creation request can also update roles (#17371)
+ added  disambiguation that creation request can also update roles
2023-02-22 12:02:31 -05:00
Alexander Scheel fbebf2508b
Add note clarifying revoked issuer associations (#19289)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-02-22 15:48:20 +00:00
Raymond Ho 57ff9835f7
use github token env var if present when fetching org id (#19244) 2023-02-21 12:17:35 -08:00
Christopher Swenson 724ccd5bc4
docs: Add page about events (#19243)
This page details the new events experiment that will be
released in Vault 1.13.

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2023-02-21 16:43:34 +00:00
Tero Saarni b634bb897b
docs/k8s: updated helm doc for short-lived SA tokens (#15675)
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
2023-02-21 12:09:27 +00:00
Max Winslow 3a132c2428
Add vault print token to commands in Vault docs (#19183)
* doc-update

* Update website/content/docs/commands/print.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

---------

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2023-02-17 20:51:48 -08:00
Scott Miller 0a5f3208fd
Document the 'convergent' tokenization transform option (#19249) 2023-02-17 13:15:40 -06:00
Alexander Scheel dd3356752a
Add note on client cert definition (#19248)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-02-17 11:36:41 -05:00
John-Michael Faircloth 9c837ef4b5
docs/upgrade guide: add changes to plugin loading (#19231)
* docs/upgrade guide: add changes to plugin loading

* clarify this is for external plugins
2023-02-16 22:47:29 +00:00
claire bontempo a5a80b895d
replace whitelist with allow (#19217) 2023-02-16 14:35:30 -08:00
Peter Wilson 70f1d3c217
Remove incorrect information about being able to set environment variables for certain log config (#19208) 2023-02-16 13:37:59 +00:00
Raymond Ho 91446e129e
Add rotate root docs for azure secrets (#19187) 2023-02-15 13:07:42 -08:00
Steven Zamborsky 7534689818
Update raftautosnapshots.mdx (#18996)
Clarify that the `local_max_space` value for local automated snapshots is cumulative for all snapshots in the `file_prefix` path.
2023-02-14 22:46:41 -08:00
John-Michael Faircloth fc13efc80e
docs/plugins: update upgrading plugins (#19109)
* docs/plugins: update upgrading plugins

* Update website/content/docs/upgrading/plugins.mdx

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

---------

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2023-02-14 17:40:06 +00:00
Max Coulombe 2c32190eed
Fix database sample payload doc (#19170)
* * fix database static-user rotation statement in sample payload

* + added changelog
2023-02-14 08:29:27 -05:00
Theron Voran dda2df25db
docs/vault-helm: fix multi-line block copy (#19119)
Add a `$` before the command in shell blocks that include command
output, so that the "Copy" button on the website only copies the
command and not the output.
2023-02-13 22:21:11 -08:00
ram-parameswaran 7dff0e6ae4
Update PKI Secret Engine doc for auto-tidy (#19122)
PKI Secret Engine documentation for auto-tidy(https://developer.hashicorp.com/vault/api-docs/secret/pki#configure-automatic-tidy) has a parameter interval_duration(https://developer.hashicorp.com/vault/api-docs/secret/pki#interval_duration). This needs to explicitly call out the default value to be 12 hours.
2023-02-10 15:57:58 -05:00
Milena Zlaticanin b6c5d07c5e
Azure Auth - rotate-root documentation (#18780)
* add documentation for rotate root

* commit suggestions

* move api permissions section
2023-02-08 18:14:28 -07:00
Steven Clark e599068323
Add OCSP GET known issue (#19066) 2023-02-08 15:06:44 +00:00
Tom Crayford 532f4ab60a
Docs: Remove duplicated, outdated raft information (#11620)
Co-authored-by: Mehdi Ahmadi <aphorise@gmail.com>
2023-02-08 13:37:54 +00:00
Alexander Scheel 06e950b40e
Fix documentation on CRL fixed version (#19046)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-02-07 20:51:03 +00:00
akshya96 6b96bd639c
adding emit duration for telemetry (#19027) 2023-02-07 11:26:38 -08:00
Alexander Scheel 3f8aaedc2a
Add suggested root rotation procedure (#19033)
* Add suggested root rotation procedure

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify docs heading

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-02-07 13:51:33 -05:00
Alexander Scheel 9130a786bb
Document pki cross cluster behavior (#19031)
* Add documentation on cross-cluster CRLs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing revocation queue safety buffer

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-02-07 11:11:33 -05:00
Max Winslow 54a4b9c4d3
docs: Typo (#18541) 2023-02-07 11:35:41 +00:00
Bryce Kalow f33e779d5d
update learn links to point to developer locations (#19026) 2023-02-06 20:34:51 -08:00
Scott Miller 78aaa3ca92
Add a note that multi-cluster ENT setups can avoid this risk (#19024)
* wip

* all-seals

* typo

* add note about unreplicated items

* italics

* word-smithing
2023-02-06 19:25:14 -06:00
Theron Voran 4278ed606c
docs/vault-k8s: 1.2.0 release updates (#19010) 2023-02-06 22:35:12 +00:00
Scott Miller b43e4fbd9c
Add a stronger warning about the usage of recovery keys (#19011)
* Add a stronger warning about the usage of recovery keys

* Update website/content/docs/concepts/seal.mdx

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>

* Keep the mitigation text in the warning box

---------

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2023-02-06 16:23:05 -06:00
Kyle Schochenmaier e5af4d34c1
update annotation docs for agent telemetry stanza (#18681)
* update annotation docs for telemetry stanza
Co-authored-by: Kendall Strautman <36613477+kendallstrautman@users.noreply.github.com>
2023-02-06 13:47:50 -06:00
Matt Schultz 6bfebc3ce3
Transit Managed Keys Documentation (#18994)
* Document 'managed_key' key type for transit. Document new 'usages' parameter when creating a managed key in the system backend.

* Document new managed key parameters for transit managed key rotation.
2023-02-03 18:49:02 -06:00
Alexander Scheel 660979d58b
Document Cross-Cluster CRLs/OCSP for Vault Enterprise (#18970)
* Add documentation on fetching unified CRLs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on unified OCSP

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify that OCSP requests need to be URL encoded

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Document new CRL config parameters

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify notes about cross-cluster options

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2023-02-03 16:30:23 -05:00
Christopher Swenson dfdeca7b5d
docs: Remove XKS proxy TLS setup note (#18988)
The TLS settings should not need to be modified as xks-proxy should
generate the certificate and key itself for listening.
2023-02-03 13:22:04 -08:00
Alexander Scheel cb2f6ff7fe
Add docs on cross-cluster listing endpoints (#18987)
* Add docs on cross-cluster listing endpoints

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update website/content/api-docs/secret/pki.mdx

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2023-02-03 20:01:10 +00:00
Alexander Scheel 8b331fa769
Add notes on cross cluster CRLs (#18986)
* Group CRL related sections

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix casing

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add notes about cluster size and revocation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Apply suggestions from code review

Thanks Yoko!

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2023-02-03 19:51:30 +00:00
Alexander Scheel 1a2eef482d
Add docs on cross cluster tidy operations (#18979)
* List tidy parameters in one place

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add new tidy status outputs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add docs on new tidy parameters

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-02-03 14:27:18 -05:00
Rowan Smith 6c53845db9
docs allow_forwarding_via_token syntax update (#18956)
* allow_forwarding_via_token syntax update

the example syntax used for `allow_forwarding_via_token` marks the option as an array when it does not need to be, this updates the format on the page to be a code block and removes the square braces

* another update to `allow_forwarding_via_token` syntax
2023-02-03 10:58:19 -08:00
Sascha Marcel Schmidt 544f07de66
docs: Change default value for ha_enabled to false (#18983)
see: https://github.com/hashicorp/vault/blob/main/physical/mysql/mysql.go#L132
2023-02-03 18:20:14 +00:00
Austin Gebauer e165697ce7
secrets/azure: changes permission recommendation to be minimally permissive (#18937) 2023-02-01 11:07:57 -08:00
Hamid Ghaf 6a8716ac18
docs for named login MFA (#18833)
* docs for named login MFA

* feedback
2023-02-01 10:30:14 -05:00
Alexander Scheel 5d17f9b142
Allow cleanup ssh dynamic keys host keys (#18939)
* Add ability to clean up host keys for dynamic keys

This adds a new endpoint, tidy/dynamic-keys that removes any stale host
keys still present on the mount. This does not clean up any pending
dynamic key leases and will not remove these keys from systems with
authorized hosts entries created by Vault.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-02-01 15:09:16 +00:00
Alexander Scheel 881ae5a303
Remove dynamic keys from SSH Secrets Engine (#18874)
* Remove dynamic keys from SSH Secrets Engine

This removes the functionality of Vault creating keys and adding them to
the authorized keys file on hosts.

This functionality has been deprecated since Vault version 0.7.2.

The preferred alternative is to use the SSH CA method, which also allows
key generation but places limits on TTL and doesn't require Vault reach
out to provision each key on the specified host, making it much more
secure.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remove dynamic ssh references from documentation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remove dynamic key secret type entirely

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify changelog language

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add removal notice to the website

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-01-31 16:02:22 -05:00
Florin Cătălin Țiucra-Popa 597e97264e
Update integrated-storage.mdx (#18893)
* Update integrated-storage.mdx

The quorum paragraph shall also be updated with the table:
instead of: 
"A Raft cluster of 3 nodes can tolerate a single node failure while a cluster
of 5 can tolerate 2 node failures. The recommended configuration is to either
run 3 or 5 Vault servers per cluster."

shall be:
"A Raft cluster of 3 nodes can tolerate a single node failure while a cluster
of 5 can tolerate 2 node failures. The recommended configuration is to either
run 5 or 7 Vault servers per cluster."

* Give an explicit node recommendation

---------

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2023-01-31 12:19:28 -08:00
Brandon Romano a74cc88c45
Updates for Plugin Portal deprecation in favor of new Integrations section (#18898)
* Add Redirect for Plugin Portal -> Integration Library

* Remove Plugin Portal page & update sidebar

* Replace the Plugin Portal link to point Vault Integrations (#18897)

* Replace the Plugin Portal link to point Vault Integrations

* Update website/content/docs/partnerships.mdx

Co-authored-by: Brandon Romano <brandon@hashicorp.com>

---------

Co-authored-by: Brandon Romano <brandon@hashicorp.com>

---------

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2023-01-31 10:17:18 -08:00
Nathan Button c9a5c196b8
Update docs for Azure Secrets Engine new feature (#16537)
* Update docs for Azure Secrets Enginee new feature

* Fix default vaule and clean up the description

* indent second line
2023-01-30 13:35:51 -08:00
Alexander Scheel cc57a0f73e
Clarify key bits for ssh (#18854)
* Clarify error on due to unsupported EC key bits

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remove documentation about unsupported EC/224

Resolves: #18843

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-01-26 10:14:05 -05:00
Alexander Scheel 4b78146476
Add note about cluster deployments (#18855)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-01-26 09:34:11 -05:00
Ashlee M Boyer f3df55ad58
docs: Migrate link formats (#18696)
* Adding check-legacy-links-format workflow

* Adding test-link-rewrites workflow

* Updating docs-content-check-legacy-links-format hash

* Migrating links to new format

Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com>
2023-01-25 16:12:15 -08:00
Kit Haines 27be887bfd
Vault 9406 enablement certs need userid handling in role (#18397)
* The fields.

* UserID set, add to certificate

* Changelog.

* Fix test (set default).

* Add UserID constant to certutil, revert extension changes

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add user_ids as field for leaf signing

Presumably, this isn't necessary for CAs, given that CAs probably don't
have a user ID corresponding to them.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Support setting multiple user_ids in Subject

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow any User ID with sign-verbatim

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for User IDs in PKI

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add docs about user_ids, allowed_user_ids

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-01-25 13:13:54 -05:00
Alexander Scheel 7b98b4ab6a
Document setting manual_chain after cross-signing (#18839)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-01-25 16:54:14 +00:00
Violet Hynes 72fc343ff8
VAULT-12564 Docs for token file auth method (#18783)
* VAULT-12564 Docs for token file auth method

* VAULT-12564 fix typo

* VAULT-12564 nav data

* VAULT-12564 Add note, remove token file removal config

* VAULT-12564 stronger wording

* VAULT-12564 auth -> auto-auth
2023-01-25 11:21:22 -05:00
Peter Wilson 292207b7d1
Parallel migration (#18815) (#18817)
* Parallel migration (#18815)
* flagParallel sanity check
* Attempt to use ErrGroups
* Updated docs
* Allow 'start' and 'max-parallel' together
* parallel flag renamed to max-parallel
* tests for start + parallel
* Removed permit pool
* Updated docs to make it clearer that a high setting might not be honored based on storage backend setting
* System dependent max int size
* Default max-parallel 1 => 10
* Test folder/paths updated

Co-authored-by: Tomasz Pawelczak <10206601+gites@users.noreply.github.com>
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
2023-01-25 15:19:45 +00:00
Chris Capurso b69dad8a05
change indentation level of cas field (#18806)
* change indentation leve of cas field

* change formatting for cas_required

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2023-01-24 15:27:15 -05:00
Yoko Hyakuna 740726404b
Add the description front matter (#18800) 2023-01-23 20:13:17 +00:00
Jason O'Donnell 16f199cff9
secrets/mysql: Add tls_server_name and tls_skip_verify parameters (#18799)
* secret/mysql: add tls_server_name config parameter

* Add skip verify

* Add doc

* changelog

* changelog

* Update plugins/database/mysql/connection_producer.go

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update plugins/database/mysql/connection_producer.go

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>
2023-01-23 20:06:46 +00:00
Tom Proctor fc378c0908
Event system alpha experiment (#18795) 2023-01-23 19:26:49 +00:00
Tom Proctor 97eac57b4f
Docs: Add ACL hints to Consul secrets engine instructions (#18750) 2023-01-19 10:48:17 +00:00
Max Coulombe 553e1cfb0d
* added the new redis parameter documentation (#18752)
* added the new redis parameter documentation
* added changelog
2023-01-18 15:51:15 -05:00
Ashlee M Boyer 0f1a82b377
Wrapping example link value with backticks (#18709) 2023-01-17 15:25:25 -08:00
akshya96 ab4f1719fd
user-lockout documentation changes (#18478)
* added user-lockout documentation changes

* add changelog

* remove new lines

* changing method name

* changing lockedusers to locked-users

* Update website/content/docs/concepts/user-lockout.mdx

Co-authored-by: Meggie <meggie@hashicorp.com>

* Update website/content/api-docs/system/user-lockout.mdx

Co-authored-by: Meggie <meggie@hashicorp.com>

* Update website/content/api-docs/system/user-lockout.mdx

Co-authored-by: Meggie <meggie@hashicorp.com>

* Update website/content/partials/user-lockout.mdx

Co-authored-by: Meggie <meggie@hashicorp.com>

* Update website/content/partials/user-lockout.mdx

Co-authored-by: Meggie <meggie@hashicorp.com>

* adding suggested changes

* adding bullet points to disable

* Update website/content/api-docs/system/user-lockout.mdx

Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>

* Update website/content/partials/user-lockout.mdx

Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>

* Update website/content/docs/commands/auth/tune.mdx

Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>

* Update website/content/docs/commands/auth/tune.mdx

Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>

* Update website/content/docs/concepts/user-lockout.mdx

Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>

Co-authored-by: Meggie <meggie@hashicorp.com>
Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
2023-01-17 15:12:16 -08:00
Kendall Strautman 19b863404c
docs: updates inline alert authoring info (#18713)
* docs: updates inline alert authoring info

* chore: other readme updates

* chore: update package, fix typo

* chore: update to stable
2023-01-17 14:13:09 -05:00
tjperry07 9f488db88e
added jwt token validation (#18703) 2023-01-17 09:57:40 -05:00
Tom Proctor d5c35f39c3
Add experiment system + events experiment (#18682) 2023-01-16 16:07:18 +00:00
Yoko Hyakuna 0899635ce3
Add VAULT_LOG_LEVEL to the environment var list (#18694) 2023-01-13 12:54:51 -05:00
Austin Gebauer d1c1a73c77
docs/oidc: change user type recommendation for Google workspace integration (#18676)
* docs/oidc: change user type recommendation for Google workspace integration

* Update website/content/docs/auth/jwt/oidc-providers/google.mdx

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2023-01-12 00:44:01 +00:00
Max Bowsher d1f2b101b5
Add option 'elide_list_responses' to audit backends (#18128)
This PR relates to a feature request logged through HashiCorp commercial
support.

Vault lacks pagination in its APIs. As a result, certain list operations
can return **very** large responses.  The user's chosen audit sinks may
experience difficulty consuming audit records that swell to tens of
megabytes of JSON.

In our case, one of the systems consuming audit log data could not cope,
and failed.

The responses of list operations are typically not very interesting, as
they are mostly lists of keys, or, even when they include a "key_info"
field, are not returning confidential information. They become even less
interesting once HMAC-ed by the audit system.

Some example Vault "list" operations that are prone to becoming very
large in an active Vault installation are:

    auth/token/accessors/
    identity/entity/id/
    identity/entity-alias/id/
    pki/certs/

In response, I've coded a new option that can be applied to audit
backends, `elide_list_responses`. When enabled, response data is elided
from audit logs, only when the operation type is "list".

For added safety, the elision only applies to the "keys" and "key_info"
fields within the response data - these are conventionally the only
fields present in a list response - see logical.ListResponse, and
logical.ListResponseWithInfo. However, other fields are technically
possible if a plugin author writes unusual code, and these will be
preserved in the audit log even with this option enabled.

The elision replaces the values of the "keys" and "key_info" fields with
an integer count of the number of entries. This allows even the elided
audit logs to still be useful for answering questions like "Was any data
returned?" or "How many records were listed?".
2023-01-11 16:15:52 -05:00
Ellie 6f7757e949
add core state lock deadlock detection config option v2 (#18604)
* add core state lockd eadlock detection config option v2

* add changelog

* split out NewTestCluster function to maintain build flag

* replace long func with constant

* remove line

* rename file, and move where detect deadlock flag is set
2023-01-11 13:32:05 -06:00
Austin Gebauer 94a4f7d3c9
docs/plugin: adds note on leases and tokens during upgrades (#18669)
* docs/plugin: adds note on leases and tokens during upgrades

* Update website/content/docs/upgrading/plugins.mdx

Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
2023-01-11 18:24:54 +00:00
Alexander Scheel 44c3b736bf
Allow tidy to backup legacy CA bundles (#18645)
* Allow tidy to backup legacy CA bundles

With the new tidy_move_legacy_ca_bundle option, we'll use tidy to move
the legacy CA bundle from /config/ca_bundle to /config/ca_bundle.bak.
This does two things:

 1. Removes ca_bundle from the hot-path of initialization after initial
    migration has completed. Because this entry is seal wrapped, this
    may result in performance improvements.
 2. Allows recovery of this value in the event of some other failure
    with migration.

Notably, this cannot occur during migration in the unlikely (and largely
unsupported) case that the operator immediately downgrades to Vault
<1.11.x. Thus, we reuse issuer_safety_buffer; while potentially long,
tidy can always be run manually with a shorter buffer (and only this
flag) to manually move the bundle if necessary.

In the event of needing to recover or undo this operation, it is
sufficient to use sys/raw to read the backed up value and subsequently
write it to its old path (/config/ca_bundle).

The new entry remains seal wrapped, but otherwise isn't used within the
code and so has better performance characteristics.

Performing a fat deletion (DELETE /root) will again remove the backup
like the old legacy bundle, preserving its wipe characteristics.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation about new tidy parameter

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for migration scenarios

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clean up time comparisons

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-01-11 12:12:53 -05:00
Alexander Scheel a2c2f56923
Add pki health-check docs (#18517)
* Add documentation on vault pki health-check

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refer users to online docs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-01-11 11:46:30 -05:00
Divya Pola 55760606c2
Add documentation for KMIP features implemented in 1.13 (#18613)
* Add documentation for KMIP features implemented in 1.13

* Add release version for key format types

* Fix syntax

* Add supported hashing algorithms and padding methods

* Fix formatting

* Add  nit picks from review feedback
2023-01-11 20:33:05 +05:30
Ellie 90bc746379
docs: note that env vars must be set on the vault process and can be checked in 1.13 (#18652) 2023-01-10 15:35:45 -06:00
Peter Wilson e4685c10ef
VAULT-9883: Agent Reloadable Config (#18638)
* Update command/agent.go
* Attempt to only reload log level and certs
* Mimicked 'server' test for cert reload in 'agent'

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>

Left out the `c.config` tweak that meant changes to lots of lines of code within the `Run` function of Agent command. :)
2023-01-10 17:45:34 +00:00
Alexander Scheel 38de21468e
Add cluster_aia_path templating variable (#18493)
* Add cluster_aia_path templating variable

Per discussion with maxb, allow using a non-Vault distribution point
which may use an insecure transport for RFC 5280 compliance.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Address feedback from Max

Co-authored-by: Max Bowsher <maxbowsher@gmail.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Max Bowsher <maxbowsher@gmail.com>
2023-01-10 09:51:37 -05:00
Alexander Scheel 2ab775e60a
Add vault pki command website documentation (#18514)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-01-10 09:39:41 -05:00
Violet Hynes 8bcc08dccb
VAULT-12491 Add docs for group policy config (#18616)
* VAULT-12491 Add docs for group policy config

* VAULT-12491 typo

* VAULT-12491 typo

* VAULT-12491 Update language a bit

* VAULT-12491 Update language a bit

* VAULT-12491 Update language a bit
2023-01-09 12:50:16 -05:00
Christopher Swenson fae2935880
docs: Update PKCS#11 provider docs for XKS and RNG (#18597)
Better IV random generation is supported with XKS in the latest version
of the provider (0.1.3).
2023-01-05 09:42:52 -08:00
John-Michael Faircloth 58e2eb669b
docs: db plugin add link to lease docs (#18605) 2023-01-05 16:14:54 +00:00
Prasanna Kumar 9143d2f186
Correct sample payload at Generate Secret (#18561)
Correct sample payload of Generate Service Account Key secrets section
2023-01-04 16:00:16 -05:00
mickael-hc 4d5fb0aa68
docs: clarify parameter constraints limitations when using globs (#18593) 2023-01-04 15:58:27 -05:00
Steven Clark cfd5b8a933
Resolve unrecognized parameter warnings on batch_input parameter in transit (#18299)
* Resolve unused warnings on batch_input parameter in transit

* Add cl

* Fix text in hmac batch_input parameter description
2023-01-04 09:15:48 -05:00
Florin Cătălin Țiucra-Popa 82dedd8773
Update integrated-storage.mdx (#18581)
* Update integrated-storage.mdx

The old paragraph "The recommended deployment is either 3 or 5 servers." should match the "Minimums & Scaling" purpose from below.
It also reaffirms that, in a PRODUCTION environment,  a number of 5 nodes are the minimum requirement.

A rewording is also necessary: "The recommended deployment consists in a minimum of 5 or more of servers that are odd in their total (5, 7, etc)."

* Update website/content/docs/internals/integrated-storage.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2023-01-04 13:43:05 +01:00
Violet Hynes 0b15ad18a2
VAULT-12095 Support multiple config files for Vault Agent (#18403)
* VAULT-12095 Code changes for multi-config

* VAULT-12095 typo

* VAULT-12095 make vault non-nil during update

* VAULT-12095 docs

* VAULT-12095 small refactor

* VAULT-12095 typos
2023-01-03 12:50:19 -05:00
Robert 7858cc758f
secrets/gcp: add documentation for impersonated account support (#18519)
Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
2023-01-02 14:18:14 -06:00
Austin Gebauer 1b82aa5997
auth/oidc: fix permissions for Azure 200+ group workflow (#18532)
* auth/oidc: fix permissions for Azure 200+ group workflow

* use autonumbering
2022-12-22 23:51:08 +00:00
Christopher Swenson 7a048b1097
Update XKS docs to use AWS CLI (#18536)
And add note about requiring the zero IV until `vault-pkcs11-provider`
is released.
2022-12-22 23:20:21 +00:00
Ellie c16e9df88c
docs: highlight paragraph about path in kv secrets engines docs (#18413) 2022-12-19 13:52:22 -06:00
Jagger 1fd715f2cb
Fix typo (#18459)
If there are other typo related changes in flight, this fix can be included there.
2022-12-19 18:30:19 +00:00
Yoko Hyakuna fc79152c48
Update the notes about Consul Connect CA issue (#18444) 2022-12-16 10:52:42 -08:00
John-Michael Faircloth 74f5a44684
docs: update azure docs to reflect new managed identity support (#18357)
* docs: update azure docs to reflect new managed identity support

* update links and formatting

* update wording

* update resource_id description

* fix formatting; add section on token limitations

* fix link and formatting
2022-12-16 09:40:59 -06:00
divyaac cb3f47065f
Added default endpoint info. Added note about backwards compabitibility (#17972)
* Added default endpoint info. Added note about backwards compabitibility

* Change wording

* Added note to router
2022-12-15 13:01:56 -08:00
Turan Asikoglu 8c8a17f83b
[Doc] Fix minor inconsistencies with vault Helm chart (#18306)
* Fix minor inconsistencies with vault Helm chart

* extraSecretEnvironmentVars not a multiline string

* Trigger CCI
2022-12-15 11:59:09 -05:00
Alexander Scheel 3a5b48afe4
Correctly handle issuer tidying in auto-tidy config (#18347)
* Correctly handle issuer tidying in auto-tidy config

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing parameters to auto-tidy docs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-12-14 15:35:21 -05:00
Jason O'Donnell fccc90ce75
docs/policies: update denied_parameters description (#18366) 2022-12-14 16:51:02 +00:00
Mike Palmiotto 4b8747ab51
command/audit: Recommend multiple audit devices (#18348)
* command/audit: Add note about enabling multiple audit devices

* docs: Recommend multiple audit devices
2022-12-13 17:51:03 -05:00
John-Michael Faircloth 5d8897528f
docs: add note on aws snapstart incompatibility (#18344)
* add note on snapstart incompatibility

* update note with link to aws and more details

* fix typo
2022-12-13 15:38:38 -06:00
Scott Miller c9531431a4
Add the batch reference field, as in Transform, to Transit operations (#18243)
* Add the batch reference field, as in Transform, to Transit operations

* changelog

* docs

* More mapstructure tags
2022-12-13 12:03:40 -06:00
Scott Miller c1cfc11a51
Return the partial success code override for all batch error types (#18310)
* Return the partial success code override for all batch error types

* changelog

* docs

* Lost the actual override logic. :)

* And don't hardcode 400

* gate on success
2022-12-12 17:08:22 -06:00
Steven Clark 3bf683b872
Document adding metadata to entity alias within cert auth (#18308)
* Document adding metadata to entity alias within cert auth

* Update website/content/api-docs/auth/cert.mdx

Co-authored-by: tjperry07 <tjperry07@users.noreply.github.com>

Co-authored-by: tjperry07 <tjperry07@users.noreply.github.com>
2022-12-12 13:08:00 -05:00
Steven Zamborsky d639e4e8e3
Vault Docs Autopilot Typo (#18307)
Replace the hyphens with underscores in the `disable_upgrade_migration` parameter.
2022-12-12 09:46:09 -05:00
Sanad Haj Yahya 3b2e74477e
Server: add and support unix listener (UDS) (#18227)
Co-authored-by: shaj13 <hajsanad@gamil.com>
2022-12-09 12:28:18 -08:00
Meggie 3af208bcc9
Fix broken link (#18286) 2022-12-09 11:32:37 -05:00
Geoffrey Grosenbach 59a93ecdbc
Remove mention of public Vault trial license form (#18280)
No longer in use.
2022-12-09 09:04:37 -05:00
Violet Hynes 176c149a38
VAULT-8336 Fix default rate limit paths (#18273)
* VAULT-8336 Fix default rate limit paths

* VAULT-8336 changelog
2022-12-09 08:49:17 -05:00
Alexander Scheel f3911cce66
Add transit key config to disable upserting (#18272)
* Rename path_config -> path_keys_config

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add config/keys to disable upserting

Transit would allow anyone with Create permissions on the encryption
endpoint to automatically create new encryption keys. This becomes hard
to reason about for operators, especially if typos are subtly
introduced (e.g., my-key vs my_key) -- there is no way to merge these
two keys afterwards.

Add the ability to globally disable upserting, so that if the
applications using Transit do not need the capability, it can be
globally disallowed even under permissive policies.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on disabling upsert

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update website/content/api-docs/secret/transit.mdx

Co-authored-by: tjperry07 <tjperry07@users.noreply.github.com>

* Update website/content/api-docs/secret/transit.mdx

Co-authored-by: tjperry07 <tjperry07@users.noreply.github.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: tjperry07 <tjperry07@users.noreply.github.com>
2022-12-08 15:45:18 -05:00
Josh Black 4212cfd5f4
Update namespace LIST response example to be more accurate (#18274) 2022-12-08 12:05:34 -08:00
Roberto Pommella Alegro 5352c4b754
Docs: improve bound_audiences documentation for jwt role (#18265) 2022-12-07 12:50:09 -05:00
Violet Hynes 398cf38e1e
VAULT-11510 Vault Agent can start listeners without caching (#18137)
* VAULT-11510 Vault Agent can start listeners without caching

* VAULT-11510 fix order of imports

* VAULT-11510 changelog

* VAULT-11510 typo and better switch

* VAULT-11510 update name

* VAULT-11510 New api_proxy stanza to configure API proxy

* VAULT-11510 First pass at API Proxy docs

* VAULT-11510 nav data

* VAULT-11510 typo

* VAULT-11510 docs update
2022-12-05 10:51:03 -05:00
Alexander Scheel f86fdf530f
Allow templating cluster-local AIA URIs (#18199)
* Allow templating of cluster-local AIA URIs

This adds a new configuration path, /config/cluster, which retains
cluster-local configuration. By extending /config/urls and its issuer
counterpart to include an enable_templating parameter, we can allow
operators to correctly identify the particular cluster a cert was
issued on, and tie its AIA information to this (cluster, issuer) pair
dynamically.

Notably, this does not solve all usage issues around AIA URIs: the CRL
and OCSP responder remain local, meaning that some merge capability is
required prior to passing it to other systems if they use CRL files and
must validate requests with certs from any arbitrary PR cluster.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation about templated AIAs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* AIA URIs -> AIA URLs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* issuer.AIAURIs might be nil

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow non-nil response to config/urls

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Always validate URLs on config update

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Ensure URLs lack templating parameters

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Review feedback

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-12-05 10:38:26 -05:00
tjperry07 2e9f0e921b
remove semi colon (#18220) 2022-12-02 16:02:28 -05:00
Alex Cahn 71b790bd0f
Add Nutanix to the interoperability matrix (#18218) 2022-12-02 12:57:40 -05:00
Tom Proctor f5543bd25b
Docs: Add known issue for 1.12 plugin list endpoint (#18191) 2022-12-01 18:06:07 +00:00
Chris Capurso 5b731699a1
ENT supported storage updates (#17885)
* note that ENT supported storage check will log warning

* callout difference between 1.12.0 and 1.12.2

* add a bit more guidance

* startup -> start
2022-11-30 18:34:17 -05:00
Mike Palmiotto 117b09808d
docs: Add 1.12 upgrade note for pending removal builtins (#18176) 2022-11-30 23:07:00 +00:00
Christopher Swenson cbdbad0629
Add doc for AWS XKS Proxy with PKCS#11 Provider (#18149)
AWS announced [KMS External Key Store](https://aws.amazon.com/blogs/aws/announcing-aws-kms-external-key-store-xks/),
which we support using their reference [`xks-proxy`](https://github.com/aws-samples/aws-kms-xks-proxy)
software.
This adds a documentation page showing how to configure KMIP and the
PKCS#11 provider to to work with KMS and `xks-proxy`.

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2022-11-30 13:49:27 -08:00
Sudharshan K S 615aa4fdd9
Update nomad.mdx (#18134)
Corrected a typo
2022-11-29 09:39:15 -08:00
Peter Wilson 33e6a3a87c
VAULT-9900: Log rotation for 'agent' and 'server' commands (#18031)
* Work to unify log-file for agent/server and add rotation
* Updates to rotation code, tried to centralise the log config setup
* logging + tests
* Move LogFile to ShareConfig in test
* Docs
2022-11-29 14:07:04 +00:00
Tom Proctor 08e89a7e9e
Docs: vault-helm 0.23.0 updates (#18131) 2022-11-29 10:43:00 +00:00
Alexander Scheel 2a387b1d3a
Clarify that cluster_id differs between PR Primary/Secondary clusters (#18130)
Per conversation on Slack with Nick.

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2022-11-28 19:39:41 +00:00
Chris Capurso 2843cfcdc1
VAULT-9427: Add read support to sys/loggers endpoints (#17979)
* add logger->log-level str func

* ensure SetLogLevelByName accounts for duplicates

* add read handlers for sys/loggers endpoints

* add changelog entry

* update docs

* ignore base logger

* fix docs formatting issue

* add ReadOperation support to TestSystemBackend_Loggers

* add more robust checks to TestSystemBackend_Loggers

* add more robust checks to TestSystemBackend_LoggersByName

* check for empty name in delete handler
2022-11-28 11:18:36 -05:00
Violet Hynes 3d7f9a402f
VAULT-6368 Metrics-only listener for Agent (#18101)
* VAULT-6368 Metrics-only listener for Agent

* VAULT-6368 changelog

* VAULT-6368 Update config to use string instead of bool

* VAULT-6368 Fix leftover code

* VAULT-6368 Fix changelog

* VAULT-6368 fix typo

* VAULT-6368 recommended doc update

* VAULT-6368 use != over !(==)
2022-11-25 16:00:56 -05:00
Steven Clark 92c1a2bd0a
New PKI API to generate and sign a CRL based on input data (#18040)
* New PKI API to generate and sign a CRL based on input data

 - Add a new PKI API that allows an end-user to feed in all the
   information required to generate and sign a CRL by a given issuer.
 - This is pretty powerful API allowing an escape hatch for 3rd parties
   to craft customized CRLs with extensions based on their individual
   needs

* Add api-docs and error if reserved extension is provided as input

* Fix copy/paste error in Object Identifier constants

* Return nil on errors instead of partially filled slices

* Add cl
2022-11-22 11:41:04 -05:00
Bryce Kalow 642f6b0395
website: restrict node engines to <= 16.x (#18077) 2022-11-22 10:39:53 -05:00
Chris Capurso a14ba5f044
Add Consul Dataplane compatibility info to docs (#18041)
* add compatibility info to consul service reg docs

* fix alert formatting

* add consul dataplane compatibility partial

* add compat partial to more consul doc pages

* fix links
2022-11-22 08:56:18 -05:00
Chris Capurso 5f27ab3fed
mention Consul Dataplane compat in 1.12.x upgrade notes (#18066) 2022-11-22 08:55:35 -05:00
Chris Capurso d392754914
mention Consul Dataplane compat in 1.13.x upgrade notes (#18063)
* mention Consul Dataplane compat in 1.13.x upgrade notes

* change heading level

Co-authored-by: Meggie <meggie@hashicorp.com>

Co-authored-by: Meggie <meggie@hashicorp.com>
2022-11-21 19:11:13 +00:00
Meggie 99408e3372
Update MFA docs (#18049)
Some updates from our MFA discussion
2022-11-18 15:31:27 -05:00
Tom Proctor dc85e37cf4
storage/raft: Add retry_join_as_non_voter config option (#18030) 2022-11-18 17:58:16 +00:00
Alexander Scheel 75b70d84e6
Add list to cert auth's CRLs (#18043)
* Add crl list capabilities to cert auth

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add docs on cert auth CRL listing

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test for cert auth listing

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-18 11:39:17 -05:00
mickael-hc 8927a55741
docs: detail policies parameter for auth methods using tokenutil (#18015)
* docs: detail policies parameter for auth methods using tokenutil

* Update website/content/partials/tokenfields.mdx


Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2022-11-18 11:09:29 -05:00
Tom Proctor 6dd453080d
Docs: Clarify plugin versioning known issue (#17799) 2022-11-18 11:49:33 +00:00
Theron Voran 0909408f0c
docs/vault-k8s: updates for v1.1.0 (#18020) 2022-11-17 13:58:28 -08:00
John-Michael Faircloth 0acecb7ee0
add draft 1.13.x upgrade guide (#18023)
* add draft upgrade guide

* add note this is a draft

* make 1.13 guide hidden

* add heading for alicloud change
2022-11-17 15:57:16 -06:00
Steven Clark 01e87c481c
Add new PKI api to combine and sign different CRLs from the same issuer (#17813)
* Add new PKI api to combine and sign different CRLs from the same issuer

 - Add a new PKI api /issuer/<issuer ref>/resign-crls that will allow
   combining and signing different CRLs that were signed by the same
   issuer.
 - This allows external actors to combine CRLs into a single CRL across
   different Vault clusters that share the CA certificate and key material
   such as performance replica clusters and the primary cluster

* Update API docs

* PR Feedback - Delta CRL rename

* Update to latest version of main

* PR Feedback - Get rid of the new caEntry struct

* Address PR feedback in api-docs and PEM encoded response
2022-11-17 16:53:05 -05:00
Christopher Swenson 9724f2860d
Add docs for vault-k8s JSON patch (#17712)
From https://github.com/hashicorp/vault-k8s/pull/399

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2022-11-17 12:32:18 -08:00
Yoko Hyakuna 59cec0a96c
Add known issue about PKI secrets engine with Consul (#18003)
* Add known issue about PKI secrets engine with Consul

* Added KB article URL

* Update website/content/docs/secrets/pki/index.mdx

Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>

Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>
2022-11-17 10:09:41 -08:00
Brian Shumate 3775f69f3a
Docs: Enterprise TOTP updates (#18007)
* Docs: Enterprise TOTP updates

- Add note to TOTP about authenticator supported alogrithms
- Fix typos

* Path update
2022-11-17 08:50:01 -08:00
Steven Clark 0341c88030
Fix path typo in Generate Intermediate CSR PKI docs (#17989)
- Within the table specifying the various paths to generate a CSR
   in the PKI docs, the new issuers based api has a typo in it missing
   the issuers/ prefix.
 - Brought to our attention by Chelsea and Claire, thanks!
2022-11-16 18:23:13 -05:00
Meggie 775a1b3001
Docker Deprecation Update (#17825)
* Docker Deprecation Update

Trying to make implications and required changes a little clearer.

* Further clarifications
2022-11-16 10:33:14 -05:00
Alexander Scheel 82ac91907a
Add missing anchor for set-crl-configuration (#17959)
When renaming the header to Set Revocation Configuration, we broke
bookmarks. Add in the named anchor so the old bookmarks and links still
work.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-16 10:30:28 -05:00
Alexander Scheel a43e428b01
Fix docs by adding self-closing BRs (#17958)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-16 10:01:43 -05:00
Alexander Scheel ab395f2c79
Clarify more documentation on audit logging (#17957)
Thanks to Khai Tran for identifying that syslogging has a lower limit
on message size and sometimes large CRLs can hit that limit.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-16 09:21:29 -05:00
JD Goins 7b52e688f4
Fix link to architecture in AWS platform page (#17327) 2022-11-15 11:44:37 -06:00
Alexander Scheel 6cbfc4afb2
Docs clarifications around PKI considerations (#17916)
* Add clarifications on revocation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Talk about rationale for separating roots from intermediates

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-15 08:43:40 -05:00