Added an example to explicitly show how to perform a Rekey operation when the Vault cluster is using Auto Unseal. This is placed as the second example.
The existing example code combines with the PGP keys so added a simple example without the PGP keys.
* Document new force_rw_session parameter within pkcs11 seals
* documentation for key_id and hmac_key_id fields
* Apply suggestions from code review
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/docs/configuration/seal/pkcs11.mdx
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: rculpepper <rculpepper@hashicorp.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify that backend authors can specify that all or no values are sealwrapped rather than the vague statement that all values _may_ be seal wrapped
* typo
Include recommendation to use Vault agent injector on OpenShift
instead of CSI due to production security constraints.
Additional instructions included for testing and development
clusters.
"algorithm_signer": "rsa-sha2-256"
to prevent /var/log/auth.log `userauth_pubkey: certificate signature algorithm ssh-rsa: signature algorithm not supported [preauth]` due to vault defaulting to ssh-rsa which is insecure
* docs: add known issues section to 1.9.x upgrade guide
* minor rephrasing on oidc known issue
* use relative references for URLs
* Update website/content/docs/upgrading/upgrade-to-1.9.x.mdx
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* update known issues section for id token
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* auth/kubernetes: support for short-lived tokens
* Uplift new version of Kubernetes auth plugin that does not store the
service account token persistently to Vault storage.
* Update the documentation to recommend local token again when running
Vault inside cluster.
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
* Added changelog entry
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
* clarification to changelog entry, executed go mod tidy
* clarifications and added targeted release version
* go get vault-plugin-secrets-kv@vault-4290-patch-metadata
* add kv metadata patch command
* add changelog entry
* success tests for kv metadata patch flags
* add more kv metadata patch flags tests
* add kv metadata patch cas warning test
* add kv-v2 key metadata patch API docs
* add kv metadata patch to docs
* prevent unintentional field overwriting in kv metadata put cmd
* like create/update ops, prevent patch to paths ending in /
* fix kv metadata patch cmd in docs
* fix flag defaults for kv metadata put
* go get vault-plugin-secrets-kv@vault-4290-patch-metadata
* fix TestKvMetadataPatchCommand_Flags test
* doc fixes
* go get vault-plugin-secrets-kv@master; go mod tidy
* docs: add a note regarding the backend => storage config key aliasing
This was missing from upgrade docs and implemented in #2456.
* Update website/content/docs/upgrading/upgrade-to-0.7.0.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Upgrade guidance updates from VLT-172
Trying to clarify some upgrade questions. Learn update to follow in
separate PR.
* Apply suggestions from code review
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
