* docs(#16222): add documentation for changes in PR hashicorp/vault-plugin-secrets-kubernetes#10
* docs(#16222): add changelog entry
* docs(#16222): improve documentation to make the use case of setting both allowed_kubernetes_namespaces and allowed_kubernetes_namespace_selector parameters for role configuration
* Clarification for local mounts in the context of DR
The docs were unclear on this point, so @russparsloe and I looked into it.
Local mounts are indeed replicated to DR secondaries.
This is the opposite of what it says on https://developer.hashicorp.com/vault/tutorials/enterprise/performance-replication#disaster-recovery
> Local backend mounts are not replicated and their use will require existing DR mechanisms if DR is necessary in your implementation.
So that page will also need updating
* changelog
* fix changelog syntax for local mount with DR (#16218)
- Make the dev quick start link readily available on the client library documentation page
- Move the full code samples to the top of the dev quickstart page so that they're easily accessible.
- Update the api/readme to have a link to the dev quickstart
I added a small example from the main docs along with some explanation,
and added links to the main docs and the tutorial.
I also took this opportunity to sort the platform left nav bar.
Update helm standalone TLS doc for k8s 1.22
The `CertificateSigningRequest` for `v1beta1` API is no longer
available, and now requires the `signerName` parameter.
Many thanks to @DavidRBanks for the helpful notes in
https://github.com/hashicorp/vault-helm/issues/243#issuecomment-962551898
I tested this on Kubernetes 1.21 and 1.24. I also adjusted the `tr`
command to work better on macOS (and still works fine on Linux).
- Document Transit and sys random endpoint in 1.11+
- Document PKI and SSH CAs only, no leaves
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use new -mount syntax for all KV subcommands in 1.11 docs
* Use more appropriate heading size for mount flag syntax
* Add the explanatory syntax blurb from the -help text
* Adjust some wording
The injector's `service` annotation is really the vault address to
use, and not just the name of the service.
Also change a couple mentions of "controller" to "injector".
* VAULT-6091 Document duration format
* VAULT-6091 Document duration format
* VAULT-6091 Update wording
* VAULT-6091 Update to duration format string, replace everywhere I've found so far
* VAULT-6091 Add the word 'string' to the nav bar
* VAULT-6091 fix link
* VAULT-6091 fix link
* VAULT-6091 Fix time/string, add another reference
* VAULT-6091 add some misses for references to this format
* Overhaul consul docs and api-docs for new 1.11 features
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
This adds a note that manual_chain is required for cross-signed
intermediates, as Vault will not automatically associate the
cross-signed pair during chain construction. During issuance, the chain
is used verbatim from the issuer, so no chain detection will be used
then.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Update AWS auth docs for SHA-1 deprecation
We now recommend `/rsa2048` as the preferred AWS signature moving
foward, as `/pkcs7` and `/signature` will stop working by default in
Vault 1.12 without setting `GODEBUG=x509sha1=1` in the Vault deployment
due to the move to Go 1.18.
I also took this oppoturnity to try to make the docs less confusing
and more consistent with all of the usages of signature, PKCS#7, DSA,
and RSA terminology.
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
* Add support notes, Entropy Augmentation notes, RH repo
This adds a known-panic w.r.t. Entropy Augmentation due to restrictions
in how BoringCrypto's RNG works. Additionally adds the RH Access
container repository and adds a note about restricted support scenarios.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Wording changes per Scott
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add missing key_ref parameter to gen root docs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add API docs section on key generation
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add note about managed key access
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update fips1402.mdx
Added Link to new Compliance letter and details on what makes this different from Seal Wrap
* Update website/content/docs/enterprise/fips/fips1402.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/docs/enterprise/fips/fips1402.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/docs/enterprise/fips/fips1402.mdx
* Update website/content/docs/enterprise/fips/fips1402.mdx
* Update website/content/docs/enterprise/fips/fips1402.mdx
* Update website/content/docs/enterprise/fips/fips1402.mdx
* Update website/content/docs/enterprise/fips/fips1402.mdx
Co-authored-by: Alexander Scheel <alexander.m.scheel@gmail.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
This explanation of root key is incorrect. Root key is not sharded and reconstructed. The root key is encrypted by the unseal key which is sharded and reconstructed back in the unsealing process.
The explanation differed from the correct one at https://www.vaultproject.io/docs/concepts/seal
* Add a little more information about PKI and replicated data sets.
- Add a TOC to the PKI considerations page
- Merge in the existing certificate storage into a new Replicated DataSets
section
- Move the existing Cluster Scalability section from the api-docs into the
considerations page.
* Add recommendations on key types and PKI performance
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update website/content/docs/secrets/pki/considerations.mdx
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* fix plugin reload mounts
* do not require sys/ prefix
* update plugin reload docs with examples
* fix unit test credential read path
* update docs to reflect correct cli usage
* allow sys/auth/foo or auth/foo
* append trailing slash if it doesn't exist in request
* add changelog
* use correct changelog number
Add deprecation note about X.509/SHA-1
In preparation for moving to Go 1.18 in Vault 1.12.
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
Updated documentation to describe the behavior when supplying `VAULT_HTTP_PROXY`. Also added support for `VAULT_PROXY_ADDR` as a 'better name' for `VAULT_HTTP_PROXY`.
* Add note about cross-cluster CRL URIs
As suggested by Ricardo Oliveira, thanks!
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add note that short TTLs are relative to quantity
As suggested by Ricardo Oliveira, thanks!
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add note to make sure default is configured
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add note about automating certificate renewal
As suggested by Ricardo Oliveira, thanks!
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* initial updates for license FAQs for 1.11
* add links, tense fixes
* Update deprecation doc link
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* fix links
* fix a couple missed version-specific links
* change 1 to one
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Add leaf not after best practice
Also suggest concrete recommendations for lifetimes of various issuers.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add advice to use a proper CA hierarchy
Also mention name constraints and HSM backing.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add section on safer usage of Roles
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add initial RBAC example for PKI
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This clarifies a limitation of the FIPS based container images,
to note that due to OpenShift requirements, we need to suggest
ways of disabling mlock or allowing Vault to set mlock.
* Begin restructuring FIPS documentation
This creates a new FIPS category under Enterprise and copies the
FIPS-specific seal wrap documentation into it.
We leave the existing Seal Wrap page at the old path, but document that
the FIPS-specific portions of it have moved.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add initial FIPS 140-2 inside documentation
This documents the new FIPS 140-2 Inside binary and how to use and
validate it. This also documents which algorithms are certified for
use in the BoringCrypto distribution.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add notes about FIPS algorithm restrictions
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Rename pki.mdx -> pki/index.mdx
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Split off quick-start document
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Split off considerations document
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Split off intermediate CA setup document
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Split off setup and usage document
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Consistent quick-start doc naming
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add table of contents to index
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add server information as well as ability to collect metrics from DR secondary
* Update debug docs
Adding additional information around ability to gather metrics from DR secondary
* Fix broken link in updated doc
* Create 15316.txt
Create changelog entry
* Fix Formatting
* Update website/content/docs/commands/debug.mdx
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* Update changelog/15316.txt
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* Trigger Build
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* Add command help info
* Explain CLI and API correlation
* Update the heading level
* Updated the command example with more description
* Update website/content/docs/commands/index.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/docs/commands/index.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/docs/commands/index.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Incorporate review feedback
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* VAULT-5422: Add rate limit for TOTP passcode attempts
* fixing the docs
* CL
* feedback
* Additional info in doc
* rate limit is done per entity per methodID
* refactoring a test
* rate limit OSS work for policy MFA
* adding max_validation_attempts to TOTP config
* feedback
* checking for non-nil reference
* Add explanation to help text and flag usage text
* KV get with new mount flag
* Clearer naming
* KV Put, Patch, Metadata Get + corresponding tests
* KV Delete, Destroy, Rollback, Undelete, MetadataDelete, MetadataPatch, MetadataPut
* Update KV-v2 docs to use mount flag syntax
* Add changelog
* Run make fmt
* Clarify deprecation message in help string
* Address style comments
* docs/multiplexing: overhaul plugin documentation
* update nav data
* remove dupe nav data
* add external plugin section to index
* move custom plugin backends under internals/plugins
* remove ref to moved page
* revert moving custom plugin backends
* add building plugins from source section to plug dev
* add mux section to plugin arch
* add mux section to custom plugin page
* reorder custom database page
* use 'external plugin' where appropriate
* add link to plugin multiplexing
* fix example serve multiplex func call
* address review comments
* address review comments
* Minor format updates (#14590)
* mv Plugins to top-level; update upgrading plugins
* update links after changing paths
* add section on external plugin scaling characteristics
* add updates on plugin registration in plugin management page
* add plugin learn resource
* be more explicit about mux upgrade steps; add notes on when to avoid db muxing
* add plugin upgrade built-in section
* add caveats to built-in plugin upgrade
* improvements to built-in plugin override
* formatting, add redirects, correct multiplexing use case
* fix go-plugin link
* Apply suggestions from code review
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* remove single item list; add link to Database interface
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* create release notes file
* added content for Tranform FPE
* fixed spelling errors
* modified content for scaling db plugins
* updated based on feedback
* more feedback
* removed integrated storage enhancements per feedback
* removed extra wording
* fixed broken link
* updated verbage for db2 support based on feedback
* added link to readme for caching
* fixed broken link
* fixed out of place text
* added another known issue
* modified text
* changed forward statement
* added note
* add tip for how to force a secrets engine disable
* add warning to force disable secrets instructions
* clean up wording
* add force secrets engine disable info to api doc
* Update website/content/api-docs/system/mounts.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/api-docs/system/mounts.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/api-docs/system/mounts.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/api-docs/system/mounts.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/api-docs/system/mounts.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/docs/commands/secrets/disable.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/docs/commands/secrets/disable.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* feedback updates
* impl taoism feedback
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* remove mount accessor from MFA config
* Update login_mfa_duo_test.go
* DUO test with entity templating
* using identitytpl.PopulateString to perform templating
* minor refactoring
* fixing fmt failures in CI
* change username format to username template
* fixing username_template example
* Add documentation for Managed Keys
- Add concept, sys/api and pki updates related to managed keys
* Review feedback
- Reworked quite a bit of the existing documentation based on feedback
and a re-reading
- Moved the managed keys out of the concepts section and into the
enterprise section
* Address broken links and a few grammar tweaks
* add documentation for AWS KMS managed keys
* a couple small fixes
* # Conflicts:
# website/content/api-docs/secret/pki.mdx
# website/content/api-docs/system/managed-keys.mdx
# website/content/docs/enterprise/managed-keys.mdx
* docs updates
* # Conflicts:
# sdk/version/version_base.go
# vault/seal_autoseal_test.go
# website/content/api-docs/system/managed-keys.mdx
# website/content/docs/enterprise/managed-keys.mdx
* remove endpoint env var
* Document Azure Key Vault parameters for managed keys.
* docs changes for aws kms managed keys
Co-authored-by: Steve Clark <steven.clark@hashicorp.com>
Co-authored-by: Victor Rodriguez <vrizo@hashicorp.com>
* add mount move docs
* add missed word
* Update website/content/api-docs/system/remount.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* one clarification
* docs changes from feedback
* couple things i missed
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
The operations are handled identically, but ~85% of the references were
POST, and having a mix of PUT and POST was a source of questions.
A subsequent commit will update the internal use of "PUT" such as by
the API client and -output-curl-string.
* agent/azure: adds ability to use specific user assigned managed identity for auto auth
* add changelog
* change wording in error and docs
* Update website/content/docs/agent/autoauth/methods/azure.mdx
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
* Update website/content/docs/agent/autoauth/methods/azure.mdx
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* docs formatting
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* Clarify when service_registraion was introduced
Resolves https://github.com/hashicorp/vault/issues/8768
Language is modeled after the nomad acl version limits
> ~> Version information ACLs are only available on Nomad 0.7.0 and above.
1e720054e5/website/pages/docs/secrets/nomad/index.mdx
* Update phrasing to clarify vault isn't rquired
* rephrase
* Rewording statements
Co-authored-by: Spencer Owen <owenspencer@gmail.com>
* Explicitly call out SSH algorithm_signer default
Related: #11608
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use rsa-sha2-256 as the default SSH CA hash algo
As mentioned in the OpenSSH 8.2 release notes, OpenSSH will no longer be
accepting ssh-rsa signatures by default as these use the insecure SHA-1
algorithm.
For roles in which an explicit signature type wasn't specified, we
should change the default from SHA-1 to SHA-256 for security and
compatibility with modern OpenSSH releases.
See also: https://www.openssh.com/txt/release-8.2
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update docs mentioning new algorithm change
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix missing parenthesis, clarify new default value
* Add to side bar
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
