Commit graph

17362 commits

Author SHA1 Message Date
Daniel Huckins 958ccda6b1
agent: Add implementation for injecting secrets as environment variables to vault agent cmd (#20739)
* added exec and env_template config/parsing

* add tests

* we can reuse ctconfig here

* do not create a non-nil map

* check defaults

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* first go of exec server

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* convert to list

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* convert to list

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* sig test

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add failing example

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* refactor for config changes

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add test for invalid signal

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* account for auth token changes

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* only start the runner once we have a token

* tests in diff branch

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* fix rename

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Update command/agent/exec/exec.go

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* apply suggestions from code review

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* cleanup

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove unnecessary lock

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* refactor to use enum

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* dont block

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* handle default

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* make more explicit

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* cleanup

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove unused

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove unused file

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove test app

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* apply suggestions from code review

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* update comment

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add changelog

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* new channel for exec server token

* wire to run with vault agent

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* watch for child process to exit on its own

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* block before returning

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

---------

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-05-25 09:23:56 -04:00
Peter Wilson 9723462891
updated Leader godoc comment to give a warning on possible deadlock (#20773) 2023-05-25 12:02:39 +00:00
akshya96 38250d1917
Revert "User Lockout Perf Standby Error oss (#20766)" (#20770)
This reverts commit 7a546a96e41e24b8341bb890154c9093accb9dc9.
2023-05-24 18:55:34 -07:00
akshya96 3200310b90
User Lockout Perf Standby Error oss (#20766)
* adding changes from ent

* add changelog

* removing new line
2023-05-24 17:35:17 -07:00
Jonathan Frappier 24edfc6be4
Add additional endpoints, remove non-protected endpoints (#20669)
* Add additional endpoints, remove non-protected endpoints

* Add step-down per engineering

* Match HTTP verb to individual doc pages

* Add /sys/internal/inspect/router to table

* Apply additional suggestions

* Updates based on engineering feedback

* Adding unsaved changes
2023-05-24 17:32:53 -04:00
Angel Garbarino 4a402ca128
Address Test-ui suite failure for package install issues (#20756)
* fix

* apparently its going to take me two commits.. for one line.

* test removing the installation of the packages.

* remove browser dependencies
2023-05-24 15:24:47 -06:00
Steven Clark d2f74c3901
Address various issues related to ACME EAB (#20755)
* Fix various EAB related issues

 - List API wasn't plumbed through properly so it did not work as expected
 - Use random 32 bytes instead of an EC key for EAB key values
 - Update OpenAPI definitions

* Clean up unused EAB keys within tidy

* Move Vault EAB creation path to pki/acme/new-eab

* Update eab vault responses to match up with docs
2023-05-24 21:17:33 +00:00
Alexander Scheel f156a57325
Validate no_store=false on role configuration (#20757)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-24 21:13:28 +00:00
Daniel Huckins 2343ff04f6
agent: Add implementation for injecting secrets as environment variables (#20628)
* added exec and env_template config/parsing

* add tests

* we can reuse ctconfig here

* do not create a non-nil map

* check defaults

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* first go of exec server

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* convert to list

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* convert to list

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* sig test

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add failing example

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* refactor for config changes

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add test for invalid signal

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* account for auth token changes

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* only start the runner once we have a token

* tests in diff branch

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* fix rename

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Update command/agent/exec/exec.go

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* apply suggestions from code review

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* cleanup

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove unnecessary lock

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* refactor to use enum

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* dont block

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* handle default

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* make more explicit

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* cleanup

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove unused

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove unused file

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove test app

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* apply suggestions from code review

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* update comment

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add changelog

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* watch for child process to exit on its own

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

---------

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-05-24 16:56:06 -04:00
Raymond Ho c921a74b56
fix: upgrade vault-plugin-secrets-openldap to v0.11.0 (#20753) 2023-05-24 13:45:24 -07:00
vinay-gopalan 1ef982849b
upgrade vault-plugin-secrets-ad to v0.16.0 (#20750) 2023-05-24 13:37:41 -07:00
Nick Cabatoff 46b0b33bda
Cluster test helper improvements (#20424) 2023-05-24 20:21:10 +00:00
Christopher Swenson 7956c382e6
fix: upgrade vault-plugin-database-redis-elasticache to v0.2.1 (#20751) 2023-05-24 20:15:53 +00:00
kpcraig 628c51516a
VAULT-12226: Add Static Roles to the AWS plugin (#20536)
Add static roles to the aws secrets engine

---------

Co-authored-by: maxcoulombe <max.coulombe@hashicorp.com>
Co-authored-by: vinay-gopalan <86625824+vinay-gopalan@users.noreply.github.com>
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2023-05-24 14:55:13 -04:00
John-Michael Faircloth a151ec76dd
fix: upgrade vault-plugin-auth-oci to v0.14.0 (#20743) 2023-05-24 13:00:49 -05:00
John-Michael Faircloth a123ca2b6a
fix: upgrade vault-plugin-secrets-kv to v0.15.0 (#20746) 2023-05-24 13:00:23 -05:00
Steven Clark f29fabe7c1
Enforce valid ACME accounts in challenge APIS (#20744)
- Make sure we have an ACME account in a valid state and
   enforce EAB policies on that account for the challenge
   and revocation by account ACME apis.
2023-05-24 17:28:56 +00:00
Alexander Scheel c67546511d
Move activityType to a constant, set precedence (#20738)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-24 12:29:47 -04:00
Alexander Scheel 04bb7eef15
Update transit public keys for Ed25519 support (#20727)
* Refine documentation for public_key

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Support additional key types in importing version

This originally left off the custom support for Ed25519 and RSA-PSS
formatted keys that we've added manually.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add support for Ed25519 keys

Here, we prevent importing public-key only keys with derived Ed25519
keys. Notably, we still allow import of derived Ed25519 keys via private
key method, though this is a touch weird: this private key must have
been packaged in an Ed25519 format (and parseable through Go as such),
even though it is (strictly) an HKDF key and isn't ever used for Ed25519.

Outside of this, importing non-derived Ed25519 keys works as expected.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add public-key only export method to Transit

This allows the existing endpoints to retain private-key only, including
empty strings for versions which lack private keys. On the public-key
endpoint, all versions will have key material returned.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update tests for exporting via public-key interface

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add public-key export option to docs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-24 11:26:35 -04:00
Peter Wilson 8698650394
VAULT-11595: Augment forwarded requests with host:port info (from/to nodes) (Enterprise) (#20733)
* Allow audit entries to contain forwarded from host info
* adjust logical/request and audit format to use bool instead of string for 'to' host
2023-05-24 13:57:45 +01:00
Tom Proctor e41119d5f4
Docs: Updates for latest Vault CSI Provider releases (#20721) 2023-05-24 13:07:00 +01:00
Peter Wilson 21d6432ea6
Revert "Allow audit entries may contain forwarded to/from host info (#20689)" (#20732)
This reverts commit 732dda34e726859fbb24ea51a87f3a1772bf9b7a.
2023-05-24 09:44:57 +01:00
miagilepner fdecd99d26
VAULT-14735: repeated and segmented activity log clients (#20699)
* add repeated, segmented, and writing

* simplify

* pr fixes

* remove comment

* Update vault/logical_system_activity_write_testonly.go

Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>

---------

Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
2023-05-24 08:42:00 +00:00
claire bontempo 4da72c45ce
UI: pki auto-tidy views (#20685)
* UI: plumbing for pki tidy work (#20611)

* update tidy model

* Dynamic group on tidy based on version

* UI: VAULT-16261 PKI autotidy config view (#20641)

* UI: VAULT-16203 tidy status page (#20635)

* ui: pki tidy form (#20630)

* order routes to match tabs

* add tidy routes

* add tidy-status page component

* update routes rename edit to configure, remove manage

* add page component to route template

* add comment

* finish routing

* change to queryRecord, delete old tidy file

* remove findRecord

* fix serializer name

* tidy.index only needs controller empty state logic

* build form and page components

* update tidy model

* alphabetize!

* revert model changes

* finish adapter

* move form out of page folder in tests

* refactor to accommodate model changes from chelseas pr

* WIP tests

* reuse shared fields in model

* finish tests

* update model hook and breadcrumbs

* remove subtext for checkbox

* fix tests add ACME fields

* Update ui/app/adapters/pki/tidy.js

* Update ui/app/adapters/pki/tidy.js

* refactor intervalDuration using feedback suggested

* move errors to second line, inside conditional brackets

* add ternary operator to allByKey attr

* surface error message

* make polling request longer

* UI: VAULT-16368 pki tidy custom method (#20696)

* ui: adds empty state and updates modal (#20695)

* add empty state to status page

* update tidy modal

* conditionally change cancel transition route for auto tidy form

* teeny copy update

* organize tidy-status conditoionals

* a couple more template cleanups

* fix conditional, change to settings

* UI: VAULT-16367 VAULT-16378 Tidy acceptance tests + tidy toolbar cleanup (#20698)

* update copy

* move tidyRevokedCertIssuerAssociations up to applicable section

* add tidy info to readme

* update copy

* UI: Add tidy as a tab to the error route (#20723)

* small cleanup items

* fix prettier

* cancel polling when we leave tidy.index (status view)

* revert changes to declaration file

* remove space

---------

Co-authored-by: Chelsea Shaw <cshaw@hashicorp.com>
Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>
Co-authored-by: Kianna <30884335+kiannaquach@users.noreply.github.com>
2023-05-23 23:05:15 +00:00
claire bontempo 527f4fe2ba
UI: add pki cluster config parameters (#20724)
* add config directory, rename crl and urls models

* fix imports

* add cluster config fields to edit form

* reorder url save

* update tests

* add to details page

* add details test;

* fix adapter name

* fix cluster adapter test name

* combine adapter tests

* update imports

* fix git diff

* move crl and urls adapters to config folder

* add config file

* woops add config adapter

* final renaming!!

* fix imports after naming to base

* add cluster to beforeModel hook

* hide help text

* maybe you should write tests that actually pass, claire

* seriously claire its embarrassing
2023-05-23 15:24:53 -07:00
Alexander Scheel 83d32240c7
Add nonce service to sdk/helpers, use in PKI (#20688)
* Build a better nonce service

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add internal nonce service for testing

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add benchmarks for nonce service

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add statistics around how long tidy took

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Replace ACME nonces with shared nonce service

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add an initialize method to nonce services

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use the new initialize helper on nonce service in PKI

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add additional tests for nonces

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Format sdk/helper/nonce

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use default 90s nonce expiry in PKI

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remove parallel test case as covered by benchmark

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add additional commentary to encrypted nonce implementation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add nonce to test_packages

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-23 19:44:05 +00:00
Anton Averchenkov f3620b5b4f
agent: Add logic to validate env_template entries (#20569) 2023-05-23 18:37:08 +00:00
Christopher Swenson d12604eff2
fix: upgrade vault-plugin-auth-gcp to v0.16.0 (#20725) 2023-05-23 11:24:33 -07:00
miagilepner 06055fb668
VAULT-15395: Support mocking time functions in the activity log (#20720)
* mock time in the activity log

* cleanup

* fix comment

* pr fixes

* update comment to explain why new timer is needed
2023-05-23 16:25:23 +00:00
Steven Clark c8837f2010
Add ACME health checks to pki health-check CLI (#20619)
* Add ACME health checks to pki health-check CLI

 - Verify we have the required header values listed within allowed_response_headers: 'Replay-Nonce', 'Link', 'Location'
 - Make sure the local cluster config path variable contains an URL with an https scheme

* Split ACME health checks into two separate verifications

 - Promote ACME usage through the enable_acme_issuance check, if ACME is disabled currently
 - If ACME is enabled verify that we have a valid
    'path' field within local cluster configuration as well as the proper response headers allowed.
 - Factor out response header verifications into a separate check mainly to work around possible permission issues.

* Only recommend enabling ACME on mounts with intermediate issuers

* Attempt to connect to the ACME directory based on the cluster path variable

 - Final health check is to attempt to connect to the ACME directory based on the cluster local 'path' value. Only if we successfully connect do we say ACME is healthy.

* Fix broken unit test
2023-05-23 10:37:31 -04:00
Peter Wilson 5eb03f785e
Docs: audit - add warning when disabling device regarding HMAC (#20715)
* added note to warn of potential issues in disabling audit when using HMAC

* added to command docs pages too
2023-05-23 14:55:55 +01:00
Ethan Lowman 3f4dc700bd
Correct signing terminology in comments and error messages (#20714) 2023-05-23 12:44:06 +00:00
Márk Sági-Kazár 258b2ef740
Upgrade go-jose library to v3 (#20559)
* upgrade go-jose library to v3

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>

* chore: fix unnecessary import alias

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>

* upgrade go-jose library to v2 in vault

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>

---------

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2023-05-23 12:25:58 +00:00
miagilepner bff8931640
VAULT-14735: generate mock clients for activity log (#20252)
* first part of segment client generation

* fix imports

* initial pr fixes

* refactor and fix

* update comments

* assign client type
2023-05-23 11:58:51 +02:00
claire bontempo 4f77524ad4
UI: Add PKI readme and changelog for UI improvements (#20706)
* update pki readme

* add readme

* make it fancier

* add more info

* add config improvements to entry

* move changelog info to release notes

* reword action summary

* stop yelling in bullet points

* update action
2023-05-22 21:20:13 +00:00
claire bontempo f4793cdca1
remove paragraph (#20709) 2023-05-22 16:14:17 -04:00
Peter Wilson afb5610373
Allow audit entries may contain forwarded to/from host info (#20689) 2023-05-22 20:17:20 +01:00
Alexander Scheel 1f21afba21
Fix race in PKI's runUnifiedTransfer (#20701)
* Fix race in PKI's runUnifiedTransfer

During this race, we'll sometimes start (or fail to start) an additional
unified transfer if the updated last run timestamp was written at the
same time as another thread was reading it.

Instead, delay this check until we're holding the CAS guard; this will
occasionally result in more messages saying that an existing process is
already running, but otherwise shouldn't impact the functionality at
all.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-22 18:31:19 +00:00
Ryan Cragun 1e752e0cba
ci: request vpc quota increase (#20360)
* Fix regions on two service quotas
* Request an increase in VPCs per region
* Pin github actions workflows

Signed-off-by: Ryan Cragun <me@ryan.ec>
2023-05-22 11:18:06 -06:00
Mike Palmiotto dc8d2af2d8
Add current_billing_period activity endpoint param (#20694)
* Add current_billing_period activity endpoint param

This commit introduces a new parameter: `current_billing_period`, which
can be used in lieu of `start_time` and `end_time` options.

GET ... /sys/internal/counters/activity?current_billing_period=true now
results in a response which contains the full billing period
information.

* changelog

* Update internal counters docs
2023-05-22 09:22:45 -04:00
Daniel Huckins 2658dcf48d
agent: Add support for parsing env_template configuration files (#20598)
* added exec and env_template config/parsing

* add tests

* we can reuse ctconfig here

* do not create a non-nil map

* check defaults

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* convert to list

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* convert to list

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* sig test

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add failing example

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add test for invalid signal

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Update command/agent/config/config.go

* use latest consul-template

* fix build

* fix test

* fix test fixtures

* make fmt

* test docs

* rename file

* env var -> environment variable

* default to SIGTERM

* empty line

* explicit naming

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* clean typo

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* replace $ HOME with /home/username in examples

* remove empty line

---------

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <anton.averchenkov@hashicorp.com>
2023-05-19 18:11:41 -04:00
Mike Palmiotto a40341d176
Add client_type field to EntityRecord protobuf (#20626)
* Add client_type field to EntityRecord protobuf

* changelog

* Add ACME clientType verification
2023-05-19 20:30:12 +00:00
Christopher Swenson f80a73d0fe
docs: Traditional HA standby nodes do *not* serve read requests directly (#20687) 2023-05-19 13:00:57 -07:00
Alexander Scheel e552c06173
Properly validate int ca lifetime error, add warning on leaf cert with basic constraints (#20654)
* Ensure proper error message from CA validity period

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add warning to issuance of leaf cert with basic constraints

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-19 19:52:16 +00:00
Marc Boudreau 8928b30224
Refactor Code Focused on DevTLS Mode into New Function (#20376)
* refactor code focused on DevTLS mode into new function

* add tests for configureDevTLS function

* replace testcase comments with fields in testcase struct
2023-05-19 15:45:22 -04:00
John-Michael Faircloth 4330265469
secrets/aws: fix role field description (#20686) 2023-05-19 18:33:18 +00:00
Alexander Scheel 9d2af72bde
Fix entropy sourcing on Vault Enterprise (#20684)
Note the three overlapping scenarios discussed in the comments. In the
future, when this interface is more broadly supported, we should likely
add the interface directly to SystemView and implement it over the GRPC
interface, removing this nasty layering of already complex SystemView
implementations.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-19 14:15:43 -04:00
Anton Averchenkov f551f4e5ba
cli: Add 'agent generate-config' sub-command (#20530) 2023-05-19 13:42:19 -04:00
Violet Hynes 92dc054bb3
VAULT-15547 Agent/proxy decoupling, take two (#20634)
* VAULT-15547 Additional tests, refactoring, for proxy split

* VAULT-15547 Additional tests, refactoring, for proxy split

* VAULT-15547 Import reorganization

* VAULT-15547 Some missed updates for PersistConfig

* VAULT-15547 address comments

* VAULT-15547 address comments
2023-05-19 13:17:48 -04:00
Violet Hynes a47c0c7073
VAULT-15546 First pass at Vault Proxy docs (#20578)
* VAULT-15546 First pass at Vault Proxy docs

* VAULT-15546 correct errors

* VAULT-15546 fully qualify paths

* VAULT-15546 remove index

* VAULT-15546 Some typos and clean up

* VAULT-15546 fix link

* VAULT-15546 Add redirects so old links stay working

* VAULT-15546 more explicit redirects

* VAULT-15546 typo fixes

* Suggestions for Vault Agent & Vault Proxy docs (#20612)

* Rename 'agentandproxy' to 'agent-and-proxy' for better URL

* Update the index pages for each section

* VAULT-15546 fix link typo

---------

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2023-05-19 13:11:39 -04:00