Commit graph

4738 commits

Author SHA1 Message Date
Alexander Scheel 06f30de35f
Optional automatic default issuer selection (#17824)
* Correctly preserve other issuer config params

When setting a new default issuer, our helper function would overwrite
other parameters in the issuer configuration entry. However, up until
now, there were none.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add new parameter to allow default to follow new

This parameter will allow operators to have the default issuer
automatically update when a new root is generated or a single issuer
with a key (potentially with others lacking key) is imported.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Storage migration tests fail on new members

These internal members shouldn't be tested by the storage migration
code, and so should be elided from the test results.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Follow new issuer on root generation, import

This updates the two places where issuers can be created (outside of
legacy CA bundle migration which already sets the default) to follow
newly created issuers when the config is set.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test for new default-following behavior

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-08 14:40:29 -05:00
Theron Voran 32cdd59cdb
docs/vault-k8s: update env example (#17818)
Specifying only `args` will just append them to the container image's
entrypoint instead of replacing it. Setting command overrides the
entrypoint, and args is then appended to the command.
2022-11-04 10:56:00 -07:00
Steven Clark 419ba9159c
Add new API to PKI to list revoked certificates (#17779)
* Add new API to PKI to list revoked certificates

 - A new API that will return the list of serial numbers of
   revoked certificates on the local cluster.

* Add cl

* PR feedback
2022-11-03 14:17:17 -04:00
Alexander Scheel ffa4825693
PKI - Fix order of chain building writes (#17772)
* Ensure correct write ordering in rebuildIssuersChains

When troubleshooting a recent migration failure from 1.10->1.11, it was
noted that some PKI mounts had bad chain construction despite having
valid, chaining issuers. Due to the cluster's leadership trashing
between nodes, the migration logic was re-executed several times,
partially succeeding each time. While the legacy CA bundle migration
logic was written with this in mind, one shortcoming in the chain
building code lead us to truncate the ca_chain: by sorting the list of
issuers after including non-written issuers (with random IDs), these
issuers would occasionally be persisted prior to storage _prior_ to
existing CAs with modified chains.

The migration code carefully imported the active issuer prior to its
parents. However, due to this bug, there was a chance that, if write to
the pending parent succeeded but updating the active issuer didn't, the
active issuer's ca_chain field would only contain the self-reference and
not the parent's reference as well. Ultimately, a workaround of setting
and subsequently unsetting a manual chain would force a chain
regeneration.

In this patch, we simply fix the write ordering: because we need to
ensure a stable chain sorting, we leave the sort location in the same
place, but delay writing the provided referenceCert to the last
position. This is because the reference is meant to be the user-facing
action: without transactional write capabilities, other chains may
succeed, but if the last user-facing action fails, the user will
hopefully retry the action. This will also correct migration, by
ensuring the subsequent issuer import will be attempted again,
triggering another chain build and only persisting this issuer when
all other issuers have also been updated.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remigrate ca_chains to fix any missing issuers

In the previous commit, we identified an issue that would occur on
legacy issuer migration to the new storage format. This is easy enough
to detect for any given mount (by an operator), but automating scanning
and remediating all PKI mounts in large deployments might be difficult.

Write a new storage migration version to regenerate all chains on
upgrade, once.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add issue to PKI considerations documentation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Correct %v -> %w in chain building errs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-03 11:50:03 -04:00
Ellie aa4448efd7
docs: in transit secret engine docs, specify order with batch_input param (#17770) 2022-11-03 08:50:47 -05:00
Alex Cahn 4c67919182
Update interoperability-matrix (#17793)
* Update interoperability-matrix.mdx

Updating the matrix to include new validations.

* Fixing a grammatical error
2022-11-02 17:32:53 -07:00
Tom Proctor ab658a3479
Docs: Add known issue for 1.12.1 builtin plugin version upgrades (#17783) 2022-11-02 21:36:49 +00:00
Tom Proctor e9ced09e70
Docs: Update plugin info API docs (#17760) 2022-11-02 20:03:17 +00:00
dyma solovei 1552f9ac4e
chore: Update seal.mdx, use consistent terminology (#17767)
This article seems to use the terms "shares" and "shards" interchangeably to describe the parts in which the secret is split under SSS.
While both seem to be correct, sticking to one term would save a newbie reader (like myself) the confusion.  

Since the Wikipedia article that's linked in this article only mentions "shares" and the CLI flags (for recovery keys) also use `-shares`, I opted for that.
2022-11-02 13:58:04 -06:00
Steven Clark 550fbdc41c
Return revocation info within existing certs/<serial> api (#17774)
* Return revocation info within existing certs/<serial> api

 - The api already returned both the certificate and a revocation_time
   field populated. Update the api to return revocation_time_rfc3339
   as we do elsewhere and also the issuer id if it was revoked.
 - This will allow callers to associate a revoked cert with an issuer

* Add cl

* PR feedback (docs update)
2022-11-02 13:06:04 -04:00
Violet Hynes a11f62abf2
VAULT-8518 Increase HMAC limit to 4096, and limit approle names to the same limit (#17768)
* VAULT-8518 Increase HMAC limit to 4096, and limit approle names to the same limit

* VAULT-8518 Changelog

* VAULT-8518 Sprintf the byte limit
2022-11-02 10:42:09 -04:00
Mark Lewis 0d3a4a3201
Update signed-ssh-certificates.mdx (#17746)
* Update signed-ssh-certificates.mdx

Add a pointer to the doc regarding reading back the pub key with the CLI

* Update website/content/docs/secrets/ssh/signed-ssh-certificates.mdx

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-31 12:33:46 -04:00
Alexander Scheel d5f6c36c1c
Clarify ssh/public_key response, recommend -format=raw (#17745)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-31 11:14:49 -04:00
Alexander Scheel 6d92ef4d9a
Fix raw format for other commands, add to docs! (#17730)
* Clarify when -format=raw fails

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Document Vault read's new -format=raw mode

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add raw format to usage, completion

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing support for raw format field printing

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Prohibit command execution with wrong formatter

This allows us to restrict the raw formatter to only commands that
understand it; otherwise, when running `vault write -format=raw`, we'd
actually hit the Vault server, but hide the output from the user. By
switching this to a flag-parse time check, we avoid running the rest of
the command if a bad formatter was specified.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-28 12:53:23 -04:00
Tom Proctor e4143f2b6f
Docs: Patch command ordering (#17725) 2022-10-28 08:39:44 -04:00
Tom Proctor 07b4e42c9b
Update documentation for vault-helm v0.22.1 release (#17695) 2022-10-28 11:56:02 +01:00
aphorise e73813c41f
Docs: API secret/ssh clarity on Create & Update (#17033)
* Docs: API secret/ssh clarity on Create & Update

Added clarity notes on required permissions (`update` & `create`) that's otherwise not obvious without experience of other mounts that have requirements for similar ACL to manage. Resolves #9888.

* Update website/content/api-docs/secret/ssh.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/api-docs/secret/ssh.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Docs: API secret/ssh clarity on Create & Update...

Reduced text (-1 line) further to feedback from @benashz; retaining details on `create` vs `update` difference as per [API transit method that calls this out too.](https://www.vaultproject.io/api-docs/secret/transit#encrypt-data)

* trigger ci

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2022-10-27 17:23:33 -07:00
davidadeleon 4f4a3b215a
Add mTLS and Load Balancers section to Enterprise Replication Documentation (#17676)
* Adding mTLS and Load Balancers section

* Adding patch CLI docs to nav JSON
2022-10-27 12:14:24 -07:00
aphorise 571cf3dc85
Docs: API overview text clarity & kv2 mention... #16746 (#16748)
* Docs: API overview text clarity & kv2 mention... #16746 

Corrected text and terminology. Relates to #6378 & should allow for closure of that issue too.
<img width="1158" alt="Screenshot 2022-08-16 at 19 23 20" src="https://user-images.githubusercontent.com/974854/184941452-2b2c680a-b6d5-4db6-85aa-e5dc672499f6.png">

* Trigger CI

* Update website/content/api-docs/index.mdx

Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>

* Update website/content/api-docs/index.mdx

Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>

* Update website/content/api-docs/index.mdx

Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>

* Update website/content/api-docs/index.mdx

Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>

* Update website/content/api-docs/index.mdx

Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>

* Updated based on feedback.

* Docs: API overview text clarity & kv2 mention...

Added KV2 explict further to feedback from @benashz.

Also:
 - Adjusted very first paragraph a bit.
 - improved grammer and over use of `via` and `to` in certian places.

Co-authored-by: Zlaticanin <zlaticaninmilena@gmail.com>
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2022-10-27 08:35:17 -07:00
Bernhard Kaindl bf3749ff6d
website: Update api-docs for /ssh/sign/:name and /ssh/issue/:name (#17694)
Extend the documentation the API endpoint '/ssh/issue/:name' (added
in #15561 with v1.12.0) and '/ssh/issue/:name':

- Be more specific that the issued certificate uses the defaults
  given of the role at the given endpoint; and that it is subject
  to the limitations configured in this role.

- Note that the endpoint /ssh/issue/:name is available with v1.12+.

- Make it more clear that the generated credentials are only returned
  but not stored by Vault (not just the generated private key).
2022-10-27 07:56:08 -07:00
Alexander Scheel 1733d2a3d6
Add support for PKCSv1_5_NoOID signatures (#17636)
* Add support for PKCSv1_5_NoOID signatures

This assumes a pre-hashed input has been provided to Vault, but we do
not write the hash's OID into the signature stream. This allows us to
generate the alternative PKCSv1_5_NoOID signature type rather than the
existing PKCSv1_5_DERnull signature type we presently use.

These are specified in RFC 3447 Section 9.2.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Exclude new none type from PSS based tests

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for PKCS#1v1.5 signatures

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-27 08:26:20 -04:00
Alexander Scheel 1721cc9f75
Add PATCH support to Vault CLI (#17650)
* Add patch support to CLI

This is based off the existing write command, using the
JSONMergePatch(...) API client method rather than Write(...), allowing
us to update specific fields.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on PATCH support

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-26 14:30:40 -04:00
Johan Brandhorst-Satzkorn 1dd9e1cb53
Fix rendering of custom response headers (#17652)
The double quote used broke syntax highlighting. Replace with a proper double quote.
2022-10-26 13:44:48 -04:00
Theron Voran 7553ef2c4a
docs/vault-helm: update cert-manager example (#17651)
Use injector.webhook.annotations instead of the deprecated
injector.webhookAnnotations
2022-10-26 10:12:06 -07:00
Yoko Hyakuna 337a2b1915
Added 'Manually Revocable' to the table (#17646) 2022-10-24 18:57:28 -07:00
Yoko Hyakuna ba9f94166b
Fix a broken link (#17644) 2022-10-24 17:09:33 -07:00
Alexander Scheel 09939f0ba9
Add AD mode to Transit's AEAD ciphers (#17638)
* Allow passing AssociatedData factories in keysutil

This allows the high-level, algorithm-agnostic Encrypt/Decrypt with
Factory to pass in AssociatedData, and potentially take multiple
factories (to allow KMS keys to work). On AEAD ciphers with a relevant
factory, an AssociatedData factory will be used to populate the
AdditionalData field of the SymmetricOpts struct, using it in the AEAD
Seal process.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add associated_data to Transit Encrypt/Decrypt API

This allows passing the associated_data (the last AD in AEAD) to
Transit's encrypt/decrypt when using an AEAD cipher (currently
aes128-gcm96, aes256-gcm96, and chacha20-poly1305). We err if this
parameter is passed on non-AEAD ciphers presently.

This associated data can be safely transited in plaintext, without risk
of modifications. In the event of tampering with either the ciphertext
or the associated data, decryption will fail.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add to documentation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-24 13:41:02 -04:00
Rowan Smith 85d759faf0
added note regarding persistence for log level changes (#17596) 2022-10-20 18:14:29 -07:00
Austin Gebauer 5d0aab1099
auth/azure: documents auth support for VMSS flexible orchestration (#17540)
* auth/azure: documents auth support for VMSS flexible orchestration

* adds changelog
2022-10-20 12:36:29 -07:00
divyaac a1548f0f2b
Edit Telemetry Docs (#17209) 2022-10-19 12:13:32 -07:00
Yoko Hyakuna 46cd8069be
[Release Notes] Add a note about storage support for VE (#17597)
* Add a note about storage support

* Add a row for VE storage backend
2022-10-19 08:26:24 -07:00
Bryce Kalow 3f25394b89
fixes more broken links (#17592) 2022-10-19 10:24:53 -04:00
Kapil Arora 2ab8b7fa23
Updated Name reported by k8s auth (#15507)
Since 1.9 k8s auth method supports setting  Name reported by auth method to Service Account name which is not reflected in this doc

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2022-10-19 11:15:54 +01:00
Rowan Smith 1c0f7ec491
Update aws.mdx (#16075)
* Update aws.mdx

* Update aws.mdx

* Update website/content/docs/auth/aws.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-10-18 22:09:21 -07:00
Bryce Kalow cc5db86fe1
reset redirects array (#17585) 2022-10-18 15:18:22 -04:00
HashiBot 6ba1362a6d
chore: Update Digital Team Files (#17589)
* Update generated scripts (should-build.sh)

* Update generated website Makefile

* Update generated scripts (website-start.sh)

* Update generated scripts (website-build.sh)
2022-10-18 15:18:12 -04:00
Bryce Kalow 34339ec9a8
website: fixes redirected links (#17574)
* fixes redirected links

* fix broken link to key wrapping guide
2022-10-18 14:06:27 -04:00
Bernd Straehle 392fad9365
Rename "Google Apigee" to "Apigee" (#17561) 2022-10-18 15:07:39 +01:00
Mike Wickett 33679fdd39
fix broken link to transit key wrap (#17566) 2022-10-18 09:54:29 -04:00
Jose Diaz-Gonzalez 0bbd57a561
docs: add a missing letter to the upgrade guide (#17554) 2022-10-17 10:02:37 -07:00
Chris Capurso 2e1dc4ed24
Add storage check upgrade notes (#17539)
* docs for ent storage check

* add 1.12.x upgrade notes

* Make ENT distinction a little clearer

Co-authored-by: Meggie <meggie@hashicorp.com>
2022-10-13 19:22:34 -04:00
Scott Miller 7bd4755142
Document the deletion_allowed transform flag (#17544)
* Document the deletion_allowed transform flag

* Remove duplicated sentence
2022-10-13 16:31:07 -05:00
deidra.prado 0a4779ef76
Update raft.mdx join endpoint example (#17525)
Update to remove "X-Vault-Token" from /sys/storage/raft/join Sample Request. Token not required for this endpoint.
2022-10-13 08:40:46 -07:00
Alexander Scheel 26503e8540
Add note about transit BYOK key formats (#17529)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-13 09:10:26 -05:00
Alexander Scheel 838bac037d
Clarify language around PSS CSR issues (#17528)
* Clarify language around PSS CSR issues

Also point out that PKCS#11 tokens have the same problem.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update website/content/docs/secrets/pki/considerations.mdx

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2022-10-13 09:45:58 -04:00
Shueh Chou Lu 2f99734a49
doc: fix broken link in transit api (#17501)
synchronize the doc between two import api
2022-10-12 10:51:42 -07:00
Tom Proctor 918ce6f90e
Docs: Plugin versioning documentation (#17460)
Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
2022-10-11 23:12:02 +01:00
Violet Hynes ee85f0098a
VAULT-1603 add sys/quotas to root-only api path docs (#17496) 2022-10-11 15:09:29 -04:00
Mike Palmiotto aad41fba5b
docs: Update retry_join Known Issue versions (#17474)
Update the doc to show affected versions 1.11.2 and 1.10.6.
2022-10-11 11:54:36 -04:00
Anton Averchenkov 1c102979ba
Remove Async-HVAC from recommended libraries list (#17480) 2022-10-10 17:15:32 -04:00
Austin Gebauer ae17e57e73
secrets/ldap: updates documentation (#17481)
* secrets/ldap: updates documentation

* Update website/content/docs/secrets/ldap.mdx

Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
2022-10-10 13:43:59 -07:00
Brian Shumate 5264783e6c
Docs: Update Transform API (#17477)
- Correct some methods in sample requests
2022-10-10 13:25:31 -04:00
aphorise e4960d0fb0
Docs: What is Vault missing 'S' resolves: #16587 (#17183) 2022-10-10 10:34:21 -04:00
Mike Palmiotto 9dc8744885
Update main to go 1.19.2 (#17437)
* Update go version to 1.19.2

This commit updates the default version of go to 1.19.2. This update
includes minor security fixes for archive/tar, net/http/httputil, and
regexp packages.

For more information on the release, see: https://go.dev/doc/devel/release#go1.19.2

* Update Docker versions in CI to 20.10.17

After updating Vault to go version 1.19.2, there were several SIGABRTs
in the vault tests. These were related to a missing `pthread_create`
syscall in Docker. Since CI was using a much older version of Docker,
the fix was to bump it to latest-1 (20.10.17).

While we're at it, add a note in the developer docs encouraging the use
of the latest Docker version.
2022-10-07 14:24:14 -04:00
Nick Cabatoff 39c7e7c191
Add more raft metrics, emit more metrics on non-perf standbys (#12166)
Add some metrics helpful for monitoring raft cluster state.

Furthermore, we weren't emitting bolt metrics on regular (non-perf) standbys, and there were other metrics
in metricsLoop that would make sense to include in OSS but weren't.  We now have an active-node-only func,
emitMetricsActiveNode.  This runs metricsLoop on the active node.  Standbys and perf-standbys run metricsLoop
from a goroutine managed by the runStandby rungroup.
2022-10-07 09:09:08 -07:00
Austin Gebauer db8c690684
secrets/ldap: updates API documentation (#17448)
* secrets/ldap: updates API documentation

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>
2022-10-07 08:50:37 -05:00
Peter Wilson 191f6e4bf0
Add 'note' for surpassing dead server threshold time (#17455)
* Add 'note' for surpassing dead server threshold time

* Update website/content/docs/commands/operator/raft.mdx

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2022-10-07 14:26:56 +01:00
Alexander Scheel a2b1f00a9b
Better docs on PKI key stuff (#17443)
* Clarify signature_bits restrictions apply relative to issuer's key

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify key_type=any roles must sign CSRs; cannot generate keys

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-06 15:27:53 -04:00
HashiBot e54441b725
Upgrade next version (#17445)
Co-authored-by: Bryce Kalow <bkalow@hashicorp.com>
2022-10-06 15:19:11 -04:00
Alexander Scheel b85d6ec434
Fix RevocationSigAlgo support in OCSP (#17436)
* Allow OCSP to use issuer's RevocationSigAlgo

When an issuer specifies a RevocationSigAlgo, we should largely follow
this for both CRLs and OCSP. However, x/crypto/ocsp lacks support for
PSS signatures, so we drop these down to PKCS#1v1.5 instead.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add warning when issuer has PSS-based RevSigAlgo

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add note about OCSP and PSS support

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-06 12:01:12 -04:00
Austin Gebauer 6bba760da0
docs/ldap: rename openldap secrets to ldap secrets (#17433) 2022-10-05 13:16:26 -07:00
Florin Cătălin Țiucra-Popa 4af76eda14
Update oracle.mdx (#17401)
Remove the duplicated "the" word.
Instead of "the the" it should be only "the".
2022-10-05 10:29:35 -07:00
Josh Black c7d8e7c7f6
Raft index telemetry and docs (#17397)
* add raft index to telemetry

* add definitions and defaults to both autopilot pages

* adjust messages

* Revert "add raft index to telemetry"

This reverts commit 010b091c7e35c1da677567746db90b490ca707ab.
2022-10-04 11:46:11 -07:00
Christopher Swenson ff8d8338cc
docs: Add docs for PKCS#11 provider (#17312)
docs: Add docs for PKCS#11 provider

The PKCS#11 provider is being released shortly.
This moves over the preliminary docs and cleans them up.

I added them as a new section under "Vault Enterprise" ->
"PKCS#11 Provider", but I am open to suggestion on if there is a
better place for them, e.g., "Platforms", or somehow merging
with "Vault Enterprise" -> "HSM"?

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-10-03 11:11:46 -07:00
Divya Pola bc9be4064b
Add documentation for KMIP features implemented in 1.12 (#17294)
* Add documentation for KMIP features implemented in 1.12

* Add documentation for kmip-profiles

* Address PR review feedback

* PR review feedback - update links, add intro and remove collapsed tables

* Add PR review feedback
2022-10-03 12:39:04 -05:00
Steven Clark 10ecf10248
PKI: Add support for signature_bits param to the intermediate/generate api (#17388)
* PKI: Add support for signature_bits param to the intermediate/generate api

 - Mainly to work properly with GCP backed managed keys, we need to
   issue signatures that would match the GCP key algorithm.
 - At this time due to https://github.com/golang/go/issues/45990 we
   can't issue PSS signed CSRs, as the libraries in Go always request
   a PKCS1v15.
 - Add an extra check in intermediate/generate that validates the CSR's
   signature before providing it back to the client in case we generated
   a bad signature such as if an end-user used a GCP backed managed key
   with a RSA PSS algorithm.
   - GCP ignores the requested signature type and always signs with the
     key's algorithm which can lead to a CSR that says it is signed with
     a PKCS1v15 algorithm but is actually a RSA PSS signature

* Add cl

* PR feedback
2022-10-03 12:39:54 -04:00
Austin Gebauer fdc6e2e46a
auth/oidc: fix documentation link anchors for Google Workspace integration (#17379) 2022-10-03 09:09:35 -07:00
Loann Le b7bcd61a42
Vault documentation: release notes for 1.12 (#17237)
* added new release notes

* new rns

* added changelog link

* incorporated feeedback

* Update website/content/docs/release-notes/1.12.0.mdx

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Incorporated additional changes

* Update website/content/docs/release-notes/1.12.0.mdx

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

* Update website/content/docs/release-notes/1.12.0.mdx

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

* Removed TFVP and added Redis and Elasticache to the release highlights

* Update website/content/docs/release-notes/1.12.0.mdx

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

* Update website/content/docs/release-notes/1.12.0.mdx

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

* Update website/content/docs/release-notes/1.12.0.mdx

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2022-10-03 08:36:02 -07:00
Alex Cahn 9542cffa65
Updating the VIP..again (#17375)
* Updating the VIP..again

* Update website/content/docs/partnerships.mdx

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2022-09-30 17:02:34 -07:00
Peter Wilson 42ba1384ff
Added flag and env var which will disable client redirection (#17352)
* Added flag and env var which will disable client redirection

* Added changelog

* Docs fix for unsaved file, and test single request made

* Updated test for case when redirect is enabled, updated docs based on suggestions
2022-09-30 09:29:37 +01:00
Mike Palmiotto 0078822d1d
core: Parse VAULT_ALLOW_PENDING_REMOVAL_MOUNTS as bool (#17319)
* core: Parse VAULT_ALLOW_PENDING_REMOVAL_MOUNTS as bool

* docs: Update VAULT_ALLOW_PENDING_REMOVAL_MOUNTS doc
2022-09-29 14:35:52 -04:00
Loann Le e27204c57b
updated table for 1.12 release (#17362) 2022-09-29 10:47:58 -07:00
Tom Proctor 12ca81bc9b
cli/api: Update plugin listing to always include version info in the response (#17347) 2022-09-29 18:22:33 +01:00
mickael-hc e885ccfd8c
fix formatting for note in audit section (#17335) 2022-09-28 10:17:36 -07:00
Steven Clark c746befced
Update docs for new test/sign params for managed key api and GCP parameters (#17323)
* Update docs for new test/sign params for managed key api

 - The existing test/sign managed key api now has two new api params
   allowing an operator to specify to use RSA PSS signatures (use_pss)
   and to specify the hashing algorithm to use (hash_algorithm)

* Remove duplicate GCP signing algo entry

* Formatting nits and mention the key_ring for GCP needs to exist prior to usage

* Add some additional GCP environment vars
2022-09-27 16:17:44 -04:00
mickael-hc feddc21019
docs: clarify json types and workaround (#17318)
* docs: clarify json types and workaround

* Apply suggestions from code review

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-09-27 15:35:41 -04:00
Violet Hynes 5bc85b08ef
VAULT-8144 Improve docs around exec (#17316)
* VAULT-8144 Improve docs around exec

* VAULT-8144 Add justification
2022-09-26 14:39:49 -04:00
Milena Zlaticanin 89aa236bc5
docs/api-docs for Redis (#17029)
* docs/api-docs for Redis

* update doc

* add navigation to the docs

* Update website/content/api-docs/secret/databases/redis.mdx

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>

* Update website/content/docs/secrets/databases/redis.mdx

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>

* update setup list and lang tag for shell code blocks

* update language tag

* update based on suggestions

* update docs to include tls params

* add plugin to the plugin portal doc

* add -

* update api-docs-nav-data.json

* update field name

* Update website/content/docs/secrets/databases/redis.mdx

Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>

* Update website/content/docs/secrets/databases/redis.mdx

Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>

* Update website/content/docs/secrets/databases/redis.mdx

Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>

* Update website/content/docs/secrets/databases/redis.mdx

Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>

* Update website/content/api-docs/secret/databases/redis.mdx

Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>

* update docs

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>
2022-09-23 10:25:43 -05:00
Alexander Scheel 0c76168d3d
Add note about issuer naming and CRLs (#17298)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-09-23 10:04:54 -04:00
Rachel Culpepper b17ea8c6bd
Add managed key docs for gcp (#17280)
* add managed key docs for gcp

* fix algorithm parameter

* add missing bracket
2022-09-22 14:44:21 -05:00
Hridoy Roy 5477fd86fa
Activity new clients for current month docs (#16472)
* docs draft

* docs complete

* change json for legibility

* change json for legibility

* namespace and mount attribution should exist outside new clients stanza

* address feedback

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/concepts/client-count/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* remove version from doc

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-09-22 10:00:18 -07:00
Rachel Culpepper 1c69e690aa
Transform BYOK Documentation (#17121)
* add api docs for transform byok endpoints

* add byok description to transform index page

* fix merge conflicts

* remove import_version for FPE

* text edits and add note about convergent tokenization

* add note for convergent tokenization
2022-09-22 10:56:12 -05:00
Bryce Kalow dfc3ad015a
website: content updates for developer (#17035)
* Chore (dev portal): update learn nav data links  (#15515)

* Update docs-nav-data.json

* Update docs-nav-data.json

* website: fixes internal redirects (#15750)

* chore: remove duplicate overview item (#15805)

* Use `badge` for `<sup>` tags in nav data JSON files (#15928)

* Replacing <sup> tags with badge

* Adding type and color to badges

* fix broken links in vault docs (#15976)

* website: Update old learn links to redirect locations (#16047)

* update previews to render developer UI

* update redirects

* adjust content so it is backwards compat

Co-authored-by: HashiBot <62622282+hashibot-web@users.noreply.github.com>
Co-authored-by: Kendall Strautman <36613477+kendallstrautman@users.noreply.github.com>
Co-authored-by: Ashlee M Boyer <43934258+ashleemboyer@users.noreply.github.com>
2022-09-22 08:11:04 -07:00
Mike Palmiotto dc3beb428e
docs: Update agent autoauth sinks examples (#17229) 2022-09-21 14:19:16 -04:00
DevOps Rob 6495522ab7
adding boundary and waypoint plugins to portal (#17259) 2022-09-21 14:05:17 -04:00
Yoko Hyakuna 9164d04262
Remove extra spaces in the table (#17257) 2022-09-21 08:42:51 -07:00
Bernd Straehle 3623271601
vault-plugin-secrets-apigee (#17249) 2022-09-21 09:08:25 -04:00
Alexander Scheel ad3a093b40
Prevent PSS with Go-incompatible CAs, CSRs, Private Keys (#17223)
* Fix interoperability concerns with PSS

When Go parses a certificate with rsaPSS OID, it will accept this
certificate but not parse the SubjectPublicKeyInfo, leaving the
PublicKeyAlgorithm and PublicKey fields blank, but otherwise not erring.
The same behavior occurs with rsaPSS OID CSRs.

On the other hand, when Go parses rsaPSS OID PKCS8 private keys, these
keys will fail to parse completely.

Thus, detect and fail on any empty PublicKey certs and CSRs, warning the
user that we cannot parse these correctly and thus refuse to operate.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Run more PKI tests in parallel

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add notes about PSS shortcomings to considerations

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-09-20 17:30:58 -04:00
Hamid Ghaf 35258379fd
adding missing telemetry entry for cached auth response (#17197) 2022-09-19 14:08:39 -04:00
Yoko Hyakuna 402b8279b4
Fix a broken URL (#17192) 2022-09-19 08:57:07 -07:00
Steven Clark 555a5833ec
Bring back managed key documentation update from ENT to OSS (#17190) 2022-09-19 11:46:30 -04:00
Max Coulombe 709c1bebf6
+ added Redis ElastiCache documentation (#17133)
* added Redis ElastiCache documentation
2022-09-19 10:26:49 -04:00
Scott Miller 7f38b0440e
Fetch CRLs from a user defined URL (#17136)
* Fetch CRLs from a user defined CDP (PoC)

* Handle no param sent

* Move CRL fetch to a periodFunc.  Use configured CA certs + system root as trusted certs for CRL fetch

* comments

* changelog

* Just use root trust

* cdp->url in api

* Store CRL and populate it initially in cdlWrite

* Update docs

* Update builtin/credential/cert/path_crls.go

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

* Handle pre-verification of a CRL url better

* just in case

* Fix crl write locking

* Add a CRL fetch unit test

* Remove unnecessary validity clear

* Better func name

* Don't exit early updating CRLs

* lock in updateCRLs

* gofumpt

* err-

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2022-09-16 16:44:30 -05:00
Luis (LT) Carbonell a0f4c18f44
Add links for service registration provides (#17170) 2022-09-16 15:28:18 -05:00
Mike Palmiotto fc87471580
docs: Add faq for deprecation status (#17096) 2022-09-16 15:38:40 -04:00
Theron Voran c9e5bee8d0
docs/vault-k8s: update for v1.0.0 release (#17165) 2022-09-16 08:46:39 -07:00
Jordan Reimer d258740f24
Prevent Requests to resultant-acl Endpoint When Unauthenticated (#17139)
* prevents requests to resultant-acl endpoint when not logged in

* removes unauthenticated mentions from resultant-acl api doc

* adds changelog entry
2022-09-15 12:45:33 -06:00
Jason O'Donnell 87350f927f
agent/auto-auth: add exit_on_err configurable (#17091)
* agent/auto-auth: add exit_on_err configurable

* changelog

* Update backoff function to quit

* Clarify doc

* Fix test
2022-09-15 11:00:31 -07:00
Austin Gebauer f9af44a0bb
auth/oidc: update docs for google workspace config (#17128)
* auth/oidc: update docs for google workspace config

* make fmt
2022-09-14 08:42:02 -07:00
Devon Powley bb0f93044f
Update Vault Azure Secrets docs for permanent deletion feature (#17045)
* Update Vault Azure Secrets docs for permanent deletion feature

* Add changelog for vault azure doc update

* Update CL based on PR feedback

Co-authored-by: Devon Powley <dpowley@users.noreply.github.com>
2022-09-13 16:25:19 -07:00
Scott Miller 12a8ef1cfd
Implement partial_failure_response_code_override for batch requests (#17118)
* Implement partial_failure_response_code_override for batch requests

* docs

* changelog

* one more test case
2022-09-13 12:51:09 -05:00
Alexander Scheel 1bbabf19d7
Add more docs on revocation changes (#17085)
* Add more notes about issuer revocation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Note BYOC in considerations

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add note about http access to CRLs, OCSP

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Recommend enabling auto-tidy & crl rebuilding

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing paths to personas

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-09-12 11:46:01 -05:00
Mike Palmiotto 9849af8663
Add deprecation status to plugin api and cli (#17077)
* api: Add deprecation status to plugin endpoints

* cli: Add -detailed flag to `plugin list`

* docs: Update plugin list/info docs
2022-09-09 16:03:07 -04:00
Steven Clark 5b5699e9b0
Update PKI documentation to clear up PKCS8 marshalling behavior (#17080)
- Update the documentation in regards to the private_key_format
   argument only controls the behavior of the private_key response field
   and does not modify the encoding of the private key within the
   pem_bundle.
2022-09-09 11:31:08 -04:00
Christopher Swenson 2c11121c19
Update docs for helm 0.22.0 (#17072)
Update docs for helm 0.22.0

Including Prometheus Operator support.

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2022-09-08 15:30:32 -07:00
deidra.prado ea8c6a32a8
Update validate.mdx (#17023)
Removed reference of ``` --header "X-Vault-Token: ..." \``` in Sample request. X-Vault-Token is not required for this endpoint.
2022-09-08 12:50:42 -07:00
Christopher Swenson 1926f71b0d
Update deprecation notice related to SHA-1 in Go 1.18+ (#17066)
Update deprecation notice related to SHA-1 in Go 1.18+

Go 1.19 has not removed SHA-1 support, and it is not clear yet when
they will remove support, so we need to slightly adjust our docs.
2022-09-08 11:58:44 -07:00
Kevin Wang bc568c4dea
Update index.mdx to fix broken link (#17052) 2022-09-08 14:04:02 -04:00
Jason O'Donnell ced0109c41
docs/k8s: use pod labels for upgrades (#17059)
* docs/helm: use pod labels for upgrades

* Grammar

* Update website/content/docs/platform/k8s/helm/run.mdx

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

* Update website/content/docs/platform/k8s/helm/run.mdx

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2022-09-08 11:13:11 -04:00
Troy Ready a79dc6c1e9
Minor doc grammar update (#17032)
Update to clarify present perfect tense.
2022-09-07 10:04:18 -04:00
Luis (LT) Carbonell cd574b5cc6
docs: update token type for auth enable CLI command (#17026)
* docs: update token type for enable

* update
2022-09-06 15:00:21 -05:00
Mike Palmiotto bf744e3bde
Handle deprecated builtins (#17005)
* core: Handle deprecated mounts on enable and unseal
* changelog: Deprecation Status handling
* core: Add Pending Removal override var
* core: Add some documentation for Pending Removal override
2022-09-06 15:49:35 -04:00
Matt Schultz 1aaace756f
Update transform documentation to include MSSQL. (#17021) 2022-09-06 10:55:48 -05:00
Rachel Culpepper a1fba8d29a
add missing flag to wrapKey command (#16988) 2022-09-06 10:52:02 -05:00
Scott Miller 606edb66d6
Add support for a dedicated HMAC type in Transit. (#16668)
* Get import correct

* limits, docs

* changelog

* unit tests

* And fix import for hmac unit test

* typo

* Update website/content/api-docs/secret/transit.mdx

Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>

* Update builtin/logical/transit/path_keys.go

Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>

* Validate key sizes a bit more carefully

* Update sdk/helper/keysutil/policy.go

Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>

Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>
2022-09-06 10:17:58 -05:00
aphorise e2805311be
Docs: GCP SA clarity. Resolved merge conflict. Closes: #12231. (#16787) 2022-09-06 08:11:34 -04:00
aphorise aab9c50577
Docs: PostgreSQL Docs added DB name note for connection_url. (#16789)
* Docs: PostgreSQL Docs added DB name note for connection_url. Relates to #12458.

* Trigger CI

Co-authored-by: Zlaticanin <zlaticaninmilena@gmail.com>
2022-09-06 08:10:50 -04:00
Tom Proctor 5bc9206e96
Docs: Add log level environment variable for Vault Lambda Extension (#17000) 2022-09-02 19:53:53 +01:00
Remco Buddelmeijer b93d6e44e0
Add fields 'ttl' and 'num_uses' to SecretID generation. (#14474)
* Add fields 'ttl' and 'num_uses' to SecretID generation.

Add fields 'ttl' and 'num_uses' when generating/obtaining a SecretID.
Rather than just being able to use the Role's SecretID ttl and num uses. #14390

* Add secret_id_num_uses response field to generating SecretID

Add the response field secret_id_num_uses to the endpoints for generating
SecretIDs. Used in testing but also to supply the vendor with this variable.

* Add tests for new ttl and num_uses SecretID generation fields

Add tests to assert the new TTL and NumUses option in the SecretID entry.
Separate test for testing with just parameters vs a -force example.

* Patch up test for ttl and num_uses fields

* Add changelog entry for auth/approle 'ttl' and 'num_uses' fields

* Add fields to API Docs and AppRole Auth Docs example

* Correct error message for failing test on missing field.
Change the error message produced when a test fails due to a missing field.
Previous values did not map to correct fields.

* Remove unnecessary int cast to int "secret_id_num_uses" field.
Unnecessary cast to int where type already is int.

* Move numUses field check to after assignment.

* Remove metadata entry in sample payload to limit change to changes made.
Remove metadata entry in sample payload for custom-secret-id. The metadata was not
changed in the features pull request.

* Bind fields 'ttl' and 'num_uses' to role's configuration.

Rather than implicitly overriding, error when the ttl is lower than and the num
uses higher than the role's configuration. #14390

* Update changelog 14474 with a more detailed description.

More elaborate description for the changelog. Specifying the per-request based fields.

* Elaborate more on the bounds of the 'ttl' and 'num_uses' field.

Specify in both the api-docs and the CLI the limits of the fields.
Specify that the role's configuration is still the leading factor.

* Upper bound ttl with role secret id ttl

Upper bound ttl with role secret id ttl when creating a secret id
Adding test cases for infinite ttl and num uses
Adding test cases for negative ttl and num uses
Validation on infinite ttl and num uses

* Formatting issues. Removed unnecessary newline

* Update documentation for AppRole Secret ID and Role

Changed that TTL is not allowed to be shorter to longer

* Cleanup approle secret ID test and impl

* Define ttl and num_uses in every test

Define ttl and num_uses in every test despite them not being tested.
This is to ensure that no unexpected behaviour comes to mind.

* Rename test RoleSecretID -> RoleSecretIDWithoutFields

* Test secret id generation defaults to Role's config

Test secret id generation defaults to Role's configuration entries.

* Change finit -> finite

Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>

* Rephrase comments to the correct validation check

* Rephrase role-secret-id option description

* Remove "default" incorrect statement about ttl

* Remove "default" incorrect statement about ttl for custom secret id

* Touch up approle.mdx to align more with path_role documentation

Co-authored-by: Remco Buddelmeijer <r.buddelmeijer@fullstaq.com>
Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
2022-09-02 09:29:59 -07:00
Florin Cătălin Țiucra-Popa 608a4777a0
Update pkcs11.mdx (#16994) 2022-09-02 09:01:29 -07:00
Jason O'Donnell 615d591486
auth/oidc: add extra context about claim names in doc (#16987) 2022-09-01 15:30:50 -07:00
André Freitas c59bb185bc
Fix typos in architecture page (#16978)
Some minor typos fix after I read the whole page.
2022-09-01 12:02:50 -07:00
Ikko Ashimine 2444e92917
docs: fix typo in faq.mdx (#16979)
occuring -> occurring
2022-09-01 10:01:01 -07:00
Mike Palmiotto 2c16be25e3
Add deprecation status to auth/secrets list (#16849)
* auth: Add Deprecation Status to auth list -detailed
* secrets: Add Deprecation Status to secrets list -detailed
* Add changelog entry for deprecation status list
2022-08-31 16:11:14 -04:00
Alexander Scheel b8576a8de4
Add ability to request manual rebuild of Delta CRLs (#16964)
* Add path to manually rebuild delta CRLs

The crl/rotate-delta path behaves like crl/rotate, triggering a
cluster-local rebuild of just the delta CRL. This is useful for when
delta CRLs are enabled with a longer-than-desired auto-rebuild period
after some high-profile revocations occur.

In the event delta CRLs are not enabled, this becomes a no-op.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for Delta CRL rebuilding

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update documentation about Delta CRLs

Also fixes a omission in the If-Modified-Since docs to mention that the
response header should probably also be passed through.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-31 12:42:59 -07:00
Alexander Scheel f0a127487b
Add ability to cancel PKI tidy operations, pause between tidying certs (#16958)
* Allow tidy operations to be cancelled

When tidy operations take a long time to execute (and especially when
executing them automatically), having the ability to cancel them becomes
useful to reduce strain on Vault clusters (and let them be rescheduled
at a later time).

To this end, we add the /tidy-cancel write endpoint.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing auto-tidy synopsis / description

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add a pause duration between tidying certificates

By setting pause_duration, operators can have a little control over the
resource utilization of a tidy operation. While the list of certificates
remain in memory throughout the entire operation, a pause is added
between processing certificates and the revocation lock is released.
This allows other operations to occur during this gap and potentially
allows the tidy operation to consume less resources per unit of time
(due to the sleep -- though obviously consumes the same resources over
the time of the operation).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for cancellation, pause

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add API docs on pause_duration, /tidy-cancel

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add lock releasing around tidy pause

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Reset cancel guard, return errors

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-31 11:36:12 -07:00
John-Michael Faircloth 96b97017b1
docs: update plugin docs for secrets/auth multiplexing (#16923)
* docs: update plugin docs for secrets/auth multiplexing

* update index

* update plugin development

* fix spacing in code snippet

* update links to multiplexing resources

* add note on sdk version and update db example text

* Update website/content/docs/plugins/plugin-architecture.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* reword index intro

* Update website/content/docs/plugins/plugin-development.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/plugins/plugin-development.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* remove word and fix code format

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-08-31 11:21:20 -07:00
Viacheslav Vasilyev d0b7362e36
OpenLDAP secrets documentation, reflect some other objects may have userPassword (#8918)
* Update index.mdx

* Docs: OpenLDAP userPassword clarity

corrected grammar slightly

Co-authored-by: aphorise <aphorise@gmail.com>
2022-08-31 09:58:25 -07:00
Zalary Young bed027db81
adds note about aws kms_key_id alias (#10693)
Co-authored-by: zalary <zalary@hashicorp.com>
2022-08-31 09:35:06 -07:00
Trishank Karthik Kuppusamy 303f59dce3
Allow configuring the possible salt lengths for RSA PSS signatures (#16549)
* accommodate salt lengths for RSA PSS

* address feedback

* generalise salt length to an int

* fix error reporting

* Revert "fix error reporting"

This reverts commit 8adfc15fe3303b8fdf9f094ea246945ab1364077.

* fix a faulty check

* check for min/max salt lengths

* stringly-typed HTTP param

* unit tests for sign/verify HTTP requests

also, add marshaling for both SDK and HTTP requests

* randomly sample valid salt length

* add changelog

* add documentation
2022-08-31 12:27:03 -04:00
Violet Hynes 2fb4ed211d
VAULT-7707 Add docs around making mass amounts of lease count quotas via automation (#16950)
* VAULT-7707 Add docs around making mass amounts of lease count quotas via automation

* VAULT-7707 Changelog

* VAULT-7707 add word

* VAULT-7707 Update some small wordings

* VAULT-7707 use a real em dash
2022-08-31 11:50:01 -04:00
Nick Cabatoff 1997fbb73f
Point people in the right direction for tokens used in transit autounseal. (#16951) 2022-08-31 10:37:25 -04:00
Steven Clark b21e06b917
Add remove_roots_from_chain to sign and issue pki apis (#16935)
* Add remove_roots_from_chain flag to sign and issue pki apis

 - Add a new flag to allow end-users to control if we return the
   root/self-signed CA certificate within the list of certificates in
   ca_chain field on issue and sign api calls.

* Add cl

* PR feedback
2022-08-31 09:51:26 -04:00
Andy Assareh 0a0efd47a4
Doc only: Dead Server Cleanup added in Vault 1.7 (#14297) 2022-08-31 08:34:47 -04:00
Sean Ellefson 11e53a956b
Added missing _ character to parameter (#14441) 2022-08-31 08:32:42 -04:00
Alexander Scheel a5fafd8163
Add ability to perform automatic tidy operations (#16900)
* Add ability to perform automatic tidy operations

This enables the PKI secrets engine to allow tidy to be started
periodically by the engine itself, avoiding the need for interaction.
This operation is disabled by default (to avoid load on clusters which
don't need tidy to be run) but can be enabled.

In particular, a default tidy configuration is written (via
/config/auto-tidy) which mirrors the options passed to /tidy. Two
additional parameters, enabled and interval, are accepted, allowing
auto-tidy to be enabled or disabled and controlling the interval
(between successful tidy runs) to attempt auto-tidy.

Notably, a manual execution of tidy will delay additional auto-tidy
operations. Status is reported via the existing /tidy-status endpoint.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on auto-tidy

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for auto-tidy

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Prevent race during parallel testing

We modified the RollbackManager's execution window to allow more
faithful testing of the periodicFunc. However, the TestAutoRebuild and
the new TestAutoTidy would then race against each other for modifying
the period and creating their clusters (before resetting to the old
value).

This changeset adds a lock around this, preventing the races.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use tidyStatusLock to gate lastTidy time

This prevents a data race between the periodic func and the execution of
the running tidy.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add read lock around tidyStatus gauges

When reading from tidyStatus for computing gauges, since the underlying
values aren't atomics, we really should be gating these with a read lock
around the status access.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-30 15:45:54 -04:00
Ivan Buymov 99213c2616
Add retry policy and fix documentation for Cassandra storage backend (#10467)
* add simple_retry policy and initial_connection_timeout options,
fix docs for connection_timeout

* Cassandra: policy fix - added changelog.

Co-authored-by: Mehdi Ahmadi <aphorise@gmail.com>
2022-08-30 11:00:48 -07:00
Milena Zlaticanin cf332842cc
update azure docs (#16819) 2022-08-29 14:55:37 -05:00
Gabriel Santos ff5ff849fd
PKI - Honor header If-Modified-Since if present (#16249)
* honor header if-modified-since if present

* pathGetIssuerCRL first version

* check if modified since for CA endpoints

* fix date comparison for CA endpoints

* suggested changes and refactoring

* add writeIssuer to updateDefaultIssuerId and fix error

* Move methods out of storage.go into util.go

For the most part, these take a SC as param, but aren't directly storage
relevant operations. Move them out of storage.go as a result.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use UTC timezone for storage

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Rework path_fetch for better if-modified-since handling

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Invalidate all issuers, CRLs on default write

When the default is updated, access under earlier timestamps will not
work as we're unclear if the timestamp is for this issuer or a previous
issuer. Thus, we need to invalidate the CRL and both issuers involved
(previous, next) by updating their LastModifiedTimes.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for If-Modified-Since

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Correctly invalidate default issuer changes

When the default issuer changes, we'll have to mark the invalidation on
PR secondary clusters, so they know to update their CRL mapping as well.
The swapped issuers will have an updated modification time (which will
eventually replicate down and thus be correct), but the CRL modification
time is cluster-local information and thus won't be replicated.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* make fmt

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor sendNotModifiedResponseIfNecessary

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on if-modified-since

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-29 15:28:47 -04:00
Alexander Scheel e03fb14be4
Support for generating Delta CRLs (#16773)
* Allow generation of up-to-date delta CRLs

While switching to periodic rebuilds of CRLs alleviates the constant
rebuild pressure on Vault during times of high revocation, the CRL
proper becomes stale. One response to this is to switch to OCSP, but not
every system has support for this. Additionally, OCSP usually requires
connectivity and isn't used to augment a pre-distributed CRL (and is
instead used independently).

By generating delta CRLs containing only new revocations, an existing
CRL can be supplemented with newer revocations without requiring Vault
to rebuild all complete CRLs. Admins can periodically fetch the delta
CRL and add it to the existing CRL and applications should be able to
support using serials from both.

Because delta CRLs are emptied when the next complete CRL is rebuilt, it
is important that applications fetch the delta CRL and correlate it to
their complete CRL; if their complete CRL is older than the delta CRL's
extension number, applications MUST fetch the newer complete CRL to
ensure they have a correct combination.

This modifies the revocation process and adds several new configuration
options, controlling whether Delta CRLs are enabled and when we'll
rebuild it.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for delta CRLs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on delta CRLs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Address review feedback: fix several bugs

Thanks Steve!

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Correctly invoke periodic func on active nodes

We need to ensure we read the updated config (in case of OCSP request
handling on standby nodes), but otherwise want to avoid CRL/DeltaCRL
re-building.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-29 11:37:09 -04:00
aphorise dbf762b488
Docs: API generate-recovery-token unhidden. (#16213) 2022-08-29 09:02:47 -04:00
Brian Shumate 534142ff46
Docs: Update Internals > Telemetry (#9323)
* Docs: Update Internals > Telemetry

- More clarification and detail around vault.core.leadership_lost

* Update website/pages/docs/internals/telemetry.mdx

Co-authored-by: Mark Gritter <mgritter@hashicorp.com>

* Docs: Telemetry vault.core.leadership_lost

Improved text reading.

* Update website/pages/docs/internals/telemetry.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Docs: Telemetry vault.core.leadership_lost clarity.

Co-authored-by: Mark Gritter <mgritter@hashicorp.com>
Co-authored-by: aphorise <aphorise@gmail.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-08-26 16:48:38 -07:00
Loann Le 53477ea6f7
vault documentation: doc cleanup effort-batch5 (#16913)
* clean up efforts

* clean up effort

* Update website/content/docs/internals/telemetry.mdx

* Update website/content/docs/internals/telemetry.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Update website/content/docs/internals/telemetry.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Update website/content/docs/internals/telemetry.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2022-08-26 15:48:56 -07:00
Alexander Scheel 43e722c69a
Let PKI tidy associate revoked certs with their issuers (#16871)
* Refactor tidy steps into two separate helpers

This refactors the tidy go routine into two separate helpers, making it
clear where the boundaries of each are: variables are passed into these
method and concerns are separated. As more operations are rolled into
tidy, we can continue adding more helpers as appropriate. Additionally,
as we move to make auto-tidy occur, we can use these as points to hook
into periodic tidying.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor revInfo checking to helper

This allows us to validate whether or not a revInfo entry contains a
presently valid issuer, from the existing mapping. Coupled with the
changeset to identify the issuer on revocation, we can begin adding
capabilities to tidy to update this association, decreasing CRL build
time and increasing the performance of OCSP.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor issuer fetching for revocation purposes

Revocation needs to gracefully handle using the old legacy cert bundle,
so fetching issuers (and parsing them) needs to be done slightly
differently than other places. Refactor this from revokeCert into a
common helper that can be used by tidy.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow tidy to associate revoked certs, issuers

When revoking a certificate, we need to associate the issuer that signed
its certificate back to the revInfo entry. Historically this was
performed during CRL building (and still remains so), but when running
without CRL building and with only OCSP, performance will degrade as the
issuer needs to be found each time.

Instead, allow the tidy operation to take over this role, allowing us to
increase the performance of OCSP and CRL in this scenario, by decoupling
issuer identification from CRL building in the ideal case.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for tidy updates

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on new tidy parameter, metrics

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor tidy config into shared struct

Finish adding metrics, status messages about new tidy operation.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-26 10:13:45 -07:00
conor-mccullough d5508cc80f
The "DELETE API" links to a nonexistent subsection of the /sys/license/status page from 1.11.x onwards. Not sure if the suggestion to restart the service should remain in this edit - I found a restart of all Vault servers cleared this message where other attempts failed - happy to remove it if preferred, though. (#16895) 2022-08-26 09:07:10 -07:00
Brian Shumate b07c2d7e6d
Docs: Update Sentinel index (#11580)
- Remove doubled "tokens"

Co-authored-by: Mehdi Ahmadi <aphorise@gmail.com>
2022-08-26 11:28:18 -04:00
aphorise 2005b92a2a
Docs: Agent parameters: error_on_missing_key & exit_on_retry_failure (#14902)
* Agent parameters:  &  example corrected and another added with inter-links between agent-template and agent-config pages.

* Agent parameters - typo in template_config description / text.
2022-08-26 11:27:36 -04:00
aphorise 68ac26c2b2
Docs: Integrated Storage & Raft protocol clarity - minor edit. (#16828) 2022-08-26 11:24:59 -04:00
andrea-berling 7b7e590d3e
Update google-cloud-storage backend documentation (#14455)
* Update google-cloud-storage backend documentation

Add mentions the environment variables that can be used to configure the backend instead of using the stanza parameters

* Add changelog file

* Fix some typos

* Update website/content/docs/configuration/storage/google-cloud-storage.mdx

Commit suggestion #1

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/configuration/storage/google-cloud-storage.mdx

Commit suggestion #2

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/configuration/storage/google-cloud-storage.mdx

Commit suggestion #3

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-08-26 09:59:40 -05:00
Brian Shumate 1e9d4c8e72
Audit device: Clarifications based on feedback (#16881)
- Update blocked audit device to use feedback from #6484
- This PR supersedes #6484
2022-08-26 09:19:49 -04:00