* Update description of certificate fetch API
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify /config/crl and /config/url PKI are empty
GET-ing these URLs will return 404 until such time as a config is posted
to them, even though (in the case of CRL), default values will be used.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify usage of /pki/crl/rotate
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update documentation around PKI key_bits
This unifies the description of key_bits to match the API description
(which is consistent across all usages).
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix indented field descriptions in PKI paths
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify documentation around serial_number
Note that this field has no impact on the actual Serial Number field and
only an attribute in the requested certificate's Subject.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix spelling of localdomain
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* add tip for how to force a secrets engine disable
* add warning to force disable secrets instructions
* clean up wording
* add force secrets engine disable info to api doc
* Update website/content/api-docs/system/mounts.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/api-docs/system/mounts.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/api-docs/system/mounts.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/api-docs/system/mounts.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/api-docs/system/mounts.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/docs/commands/secrets/disable.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/docs/commands/secrets/disable.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* feedback updates
* impl taoism feedback
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* remove mount accessor from MFA config
* Update login_mfa_duo_test.go
* DUO test with entity templating
* using identitytpl.PopulateString to perform templating
* minor refactoring
* fixing fmt failures in CI
* change username format to username template
* fixing username_template example
* Add documentation for Managed Keys
- Add concept, sys/api and pki updates related to managed keys
* Review feedback
- Reworked quite a bit of the existing documentation based on feedback
and a re-reading
- Moved the managed keys out of the concepts section and into the
enterprise section
* Address broken links and a few grammar tweaks
* add documentation for AWS KMS managed keys
* a couple small fixes
* # Conflicts:
# website/content/api-docs/secret/pki.mdx
# website/content/api-docs/system/managed-keys.mdx
# website/content/docs/enterprise/managed-keys.mdx
* docs updates
* # Conflicts:
# sdk/version/version_base.go
# vault/seal_autoseal_test.go
# website/content/api-docs/system/managed-keys.mdx
# website/content/docs/enterprise/managed-keys.mdx
* remove endpoint env var
* Document Azure Key Vault parameters for managed keys.
* docs changes for aws kms managed keys
Co-authored-by: Steve Clark <steven.clark@hashicorp.com>
Co-authored-by: Victor Rodriguez <vrizo@hashicorp.com>
* add mount move docs
* add missed word
* Update website/content/api-docs/system/remount.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* one clarification
* docs changes from feedback
* couple things i missed
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
As pointed out internally, a lot of the API docs and FrameworkField
descriptions of parameters were out of date. This syncs a number of
them, updating their descriptions where relevant.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
The operations are handled identically, but ~85% of the references were
POST, and having a mix of PUT and POST was a source of questions.
A subsequent commit will update the internal use of "PUT" such as by
the API client and -output-curl-string.
We note that:
- allow_bare_domains, allow_glob_domains, and allow_subdomains are all
independent,
- enforce_hostnames and allow_wildcard_certificates take precedence over
allow_any_name,
- We limit to RFC 6125 wildcards.
- Clarify that both allow_bare_domains and allow_glob_domains will permit
wildcard issuance in certain scenarios.
Co-authored-by: mickael-hc <86245626+mickael-hc@users.noreply.github.com>
Co-authored-by: Kit Haines <kit.haines@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: mickael-hc <86245626+mickael-hc@users.noreply.github.com>
Co-authored-by: Kit Haines <kit.haines@hashicorp.com>
* agent/azure: adds ability to use specific user assigned managed identity for auto auth
* add changelog
* change wording in error and docs
* Update website/content/docs/agent/autoauth/methods/azure.mdx
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
* Update website/content/docs/agent/autoauth/methods/azure.mdx
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* docs formatting
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* Clarify when service_registraion was introduced
Resolves https://github.com/hashicorp/vault/issues/8768
Language is modeled after the nomad acl version limits
> ~> Version information ACLs are only available on Nomad 0.7.0 and above.
1e720054e5/website/pages/docs/secrets/nomad/index.mdx
* Update phrasing to clarify vault isn't rquired
* rephrase
* Rewording statements
Co-authored-by: Spencer Owen <owenspencer@gmail.com>
* Add documentation for managed key test sign API
- Add the documentation for the new managed key api that allows
operators to test the managed key configuration by going through
a sign/verify workflow with some randomly generated data.
* PR feedback
* Allow OpenSSH-style key type identifiers
To bring better parity with the changes of #14008, wherein we allowed
OpenSSH-style key identifiers during generation. When specifying a list
of allowed keys, validate against both OpenSSH-style key identifiers
and the usual simplified names as well ("rsa" or "ecdsa"). Notably, the
PKI secrets engine prefers "ec" over "ecdsa", so we permit both as well.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix missing quote in docs
* Explicitly call out SSH algorithm_signer default
Related: #11608
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use rsa-sha2-256 as the default SSH CA hash algo
As mentioned in the OpenSSH 8.2 release notes, OpenSSH will no longer be
accepting ssh-rsa signatures by default as these use the insecure SHA-1
algorithm.
For roles in which an explicit signature type wasn't specified, we
should change the default from SHA-1 to SHA-256 for security and
compatibility with modern OpenSSH releases.
See also: https://www.openssh.com/txt/release-8.2
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update docs mentioning new algorithm change
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix missing parenthesis, clarify new default value
* Add to side bar
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This patch adds a new /agent/v1/metrics that will return metrics on the
running Vault agent. Configuration is done using the same telemetry
stanza as the Vault server. For now default runtime metrics are
returned with a few additional ones specific to the agent:
- `vault.agent.auth.failure` and `vault.agent.auth.success` to monitor
the correct behavior of the auto auth mechanism
- `vault.agent.proxy.success`, `vault.agent.proxy.client_error` and
`vault.agent.proxy.error` to check the connection with the Vault server
- `vault.agent.cache.hit` and `vault.agent.cache.miss` to monitor the
cache
Closes https://github.com/hashicorp/vault/issues/8649
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
* Allow specifying multiple allowed SSH key lengths
In the ssh secrets engine, only a single allowed key length was allowed
for each algorithm type. However, many algorithms have multiple safe
values (such as RSA and ECDSA); allowing a single role to have multiple
values for a single algorithm is thus helpful.
On creation or update, roles can now specify multiple types using a list
or comma separated string of allowed values:
allowed_user_key_lengths: map[string][]int{"rsa": []int{2048, 4096}}
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Break out ssh upgrade logic into separate function
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update parseutil for optional lists of integers
go get -u github.com/hashicorp/go-secure-stdlib/parseutil
go mod tidy
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Simplify parse logic using new parseutil
The newly introduced parseutil.ParseIntSlice handles the more
complicated optional int-like slice logic for us.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>