Commit graph

15484 commits

Author SHA1 Message Date
Yoko Hyakuna c54d33608c
Update 'master key' -> 'root key' (#16226) 2022-07-06 16:03:08 -07:00
Jason O'Donnell 110f754d97
agent/template: fix exec parsing error for templates (#16231)
* agent/template: fix exec parsing error for templates

* changelog
2022-07-06 21:21:35 +01:00
akshya96 c70a2cd198
Minor grammar correction in help for login command (#16211)
* Minor grammar correction in help for login command

* Fix login command help

Co-authored-by: Pero P <ppejovic@users.noreply.github.com>
2022-07-06 09:17:11 -07:00
Violet Hynes 0c80ee5cf5
VAULT-6614 Enable role based quotas for lease-count quotas (OSS) (#16157)
* VAULT-6613 add DetermineRoleFromLoginRequest function to Core

* Fix body handling

* Role resolution for rate limit quotas

* VAULT-6613 update precedence test

* Add changelog

* VAULT-6614 start of changes for roles in LCQs

* Expiration changes for leases

* Add role information to RequestAuth

* VAULT-6614 Test updates

* VAULT-6614 Add expiration test with roles

* VAULT-6614 fix comment

* VAULT-6614 Protobuf on OSS

* VAULT-6614 Add rlock to determine role code

* VAULT-6614 Try lock instead of rlock

* VAULT-6614 back to rlock while I think about this more

* VAULT-6614 Additional safety for nil dereference

* VAULT-6614 Use %q over %s

* VAULT-6614 Add overloading to plugin backends

* VAULT-6614 RLocks instead

* VAULT-6614 Fix return for backend factory
2022-07-05 13:02:00 -04:00
Loann Le 752c7374a9
vault documentation: updated examples to use volumes (#16175)
* updated examples to use volumes

* Update website/content/docs/platform/k8s/helm/examples/ha-with-consul.mdx

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Update website/content/docs/platform/k8s/helm/examples/standalone-tls.mdx

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Update website/content/docs/platform/k8s/helm/run.mdx

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Update website/content/docs/platform/k8s/helm/run.mdx

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2022-07-05 08:32:51 -07:00
Michael Hofer 96e52760e3
docs(seal): improve readability, fix master key occurrence and typos (#16220) 2022-07-01 10:21:49 -07:00
Cristian Iaroi 5727762ce5
Adding Vault HydrantID Pki Plugin (#16058)
repository: https://github.com/PaddyPowerBetfair/vault-plugin-hydrant-pki
raised issue: #16011
also updated docs (link to page for PR)
2022-07-01 07:55:17 -07:00
aphorise 8b5f7da595
Docs/ekm sql provider corrections and troubleshooting (#15968) 2022-07-01 10:47:03 +01:00
Alexander Scheel 60add7d2be
Document additional FIPS restrictions (#16208)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-30 16:14:07 -05:00
Alexander Scheel d4cdafc314
Document PKI root rotation, replacement paths (#16206)
See also: https://discuss.hashicorp.com/t/missing-pki-secret-engine-api-documentation-for-root-rotate-and-root-replace-endpoints/41215

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-30 10:45:49 -07:00
AnPucel 7a5d3e80dd
Developer Quickstart docs improvements (#16199)
- Make the dev quick start link readily available on the client library documentation page
- Move the full code samples to the top of the dev quickstart page so that they're easily accessible.
- Update the api/readme to have a link to the dev quickstart
2022-06-30 08:50:35 -07:00
AnPucel 3215cdbd32
Dynamic parameter for mountpaths in OpenApi Spec generation(#15835)
"generic_mount_paths" query parameter for OpenApiSpec generation
2022-06-30 07:43:04 -07:00
AnPucel ed9ae70822
Add curl commands to Dev Quickstart guide (#16176) 2022-06-29 15:50:48 -07:00
Jordan Reimer 8b7976f137
attempts to fix flaky token-expire-warning test (#16197) 2022-06-29 15:09:08 -07:00
Alexander Scheel d353245af3
Remove structs, mapstructure from PKI storage (#16190)
structs and mapstructure aren't really used within Vault much any more,
so we should start removing them. Luckily there was only one externally
accessible place where structs was used (AIA URLs config) so that was
easy to remove. The rest is mostly structure tag changes.

path_roles_tests.go relied on mapstructure in some places that broke,
but otherwise backend_test.go hasn't yet been modified to remove the
dependency on mapstructure. These didn't break as the underlying
CertBundle didn't get mapstructure support removed (as its in the SDK).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-29 15:05:31 -04:00
Hridoy Roy 2f14d60a4b
Port: Use Stored Hll to Compute New Clients For Current Month (#16184)
* port hll storage changes

* changelog
2022-06-29 10:51:23 -07:00
Ciara Clements 7288bb3c57
changed "activate" to "active (#16189) 2022-06-29 10:10:53 -07:00
Nick Cabatoff 0893b427b1
Rewrite a confusing bit of policies docs re parameter constraints. (#16182) 2022-06-29 12:28:49 -04:00
Alexander Scheel 920ec37b21
Refactor PKI storage calls to take a shared struct (#16019)
This will allow us to refactor the storage functions to take additional
parameters (or backend-inferred values) in the future. In particular, as
we look towards adding a storage cache layer, we'll need to add this to
the backend, which is now accessible from all storage functions.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-29 12:00:44 -04:00
Hamid Ghaf fa754c7fa5
Replicate member_entity_ids and policies in identity/group across nodes identically (#16088)
* Replicate values of group member_entity_ids and policies across nodes identically

* Adding CL

* fixing tests
2022-06-28 19:54:24 -04:00
Chelsea Shaw 29cae725ce
UI OIDC auth type saved in localStorage not sessionStorage (#16170)
* Remove new instances of sessionStorage after localStorage change

* Add changelog
2022-06-28 11:04:24 -06:00
Alexander Scheel 75eedf1b97
Add warning on missing tidy targets (#16164)
When tidy is called without arguments, we kick off a tidy operation with
no targets. This results in nothing being done, though the user might
reasonably expect some results.

Throw a warning in this case, so the user knows not to expect anything.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-27 17:42:41 -04:00
Hridoy Roy 895e422c4c
move unused GetCoreConfigInternal to common file to prevent ent panics (#16165) 2022-06-27 14:41:56 -07:00
Christopher Swenson 3bc56cfcca
Synchronize access to database plugin gauge process close (#16163)
And only call it once.

This fixes a panic that can happen when the plugin `Cleanup` is called
twice.
2022-06-27 13:41:23 -07:00
Hridoy Roy b3959534c2
activity log refactoring port (#16162)
* activity log refactoring port

* changelog
2022-06-27 13:33:45 -07:00
akshya96 6164e5e7e1
documentation changes for limit parameter (#16161) 2022-06-27 13:29:14 -07:00
Christopher Swenson 80c5c56a40
docs/platform: Add brief GitHub Actions page (#16129)
I added a small example from the main docs along with some explanation,
and added links to the main docs and the tutorial.

I also took this opportunity to sort the platform left nav bar.
2022-06-27 09:47:26 -07:00
akshya96 42b13448f9
ActivityLog Implement HyperLogLog Store Functionality During Precomputation (#16146)
* adding hll for each month

* add changelog

* removing influxdb

* removing influxdb

* removing influxdb

* changing switch to if-else for semgrep
2022-06-27 09:38:32 -07:00
Christopher Swenson c57d053d28
Add database plugin metrics around connections (#16048)
Add database plugin metrics around connections

This is a replacement for #15923 that takes into account recent lock
cleanup.

I went ahead and added back in the hanging plugin test, which I meant to
add in #15944 but forgot.

I tested this by spinning up a statsd sink in the tests and verifying I
got a stream of metrics:

```
$ nc -u -l 8125 | grep backend
test.swenson-Q9Q0L72D39.secrets.database.backend.connections.count.pgx.5.:1.000000|g
test.swenson-Q9Q0L72D39.secrets.database.backend.connections.count.pgx.5.:0.000000|g
test.swenson-Q9Q0L72D39.secrets.database.backend.connections.count.pgx.5.:1.000000|g
test.swenson-Q9Q0L72D39.secrets.database.backend.connections.count.pgx.5.:0.000000|g
```

We have to rework the shared gauge code to work without a full
`ClusterMetricSink`, since we don't have access to the core metrics from
within a plugin.

This only reports metrics every 10 minutes by default, but it solves
some problems we would have had with the gauge values becoming stale and
needing to be re-sent.

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2022-06-27 09:34:45 -07:00
Chris Capurso 9501d44ed5
Add endpoints to provide ability to modify logging verbosity (#16111)
* add func to set level for specific logger

* add endpoints to modify log level

* initialize base logger with IndependentLevels

* test to ensure other loggers remain unchanged

* add DELETE loggers endpoints to revert back to config

* add API docs page

* add changelog entry

* remove extraneous line

* add log level field to Core struct

* add godoc for getLogLevel

* add some loggers to c.allLoggers
2022-06-27 11:39:53 -04:00
Christopher Swenson 2e56c7fe0a
Update consul-template to latest for pkiCert fix (#16087)
Update consul-template to latest for pkiCert fix

So that we get the fixes in https://github.com/hashicorp/consul-template/pull/1590
and https://github.com/hashicorp/consul-template/pull/1591.

I tested manually that this no longer causes `pkiCert` to get into an
infinite failure loop when the cert expires, and that the key and CA certificate are also accessible.

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2022-06-27 08:39:36 -07:00
Alexander Scheel bf657b43ae
Clarify LIST /certs doesn't include imports (#16144)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-24 15:25:10 -05:00
Alexander Scheel 327963af03
Return errors on short PEM bundles (keys, issuers) (#16142)
* Return errors on short PEM bundles (keys, issuers)

When users pass the path of the bundle to the API, rather than the
contents of the bundle (say, by omitting the `@` symbol on a Vault CLI
request), give a better error message indicating to the user what the
potential problem might be. While a larger bound for certificates was
given (75 bytes, likely 100 would be fine as well), a smaller bound had
to be chosen for keys as there's less standard DER encoding data around
them.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-24 15:32:56 -04:00
Calvin Leung Huang 08f148ba42
secrets/ad: update plugin to v0.13.1 (#16140) 2022-06-24 12:04:01 -07:00
claire bontempo b9f4934144
create util (#16130) 2022-06-24 11:57:19 -06:00
Rachel Culpepper f4758a9282
Specify the size of the ephemeral key for transit imports (#16135)
* specify the size of the ephemeral key

* specify aes key size in api docs
2022-06-24 10:28:09 -05:00
Violet Hynes 5d21fa1e8f
VAULT-6613 Missed a part of OSS for rate limit role quotas (#16132)
* VAULT-6613 add DetermineRoleFromLoginRequest function to Core

* Fix body handling

* Role resolution for rate limit quotas

* VAULT-6613 update precedence test

* Add changelog

* Handle body error

* VAULT-6613 Return early if error with json parsing

* VAULT-6613 add to teardown function
2022-06-24 09:45:53 -04:00
Violet Hynes d57fea2cd1
VAULT-6613 Add role support for rate limit quotas (OSS Changes) (#16115)
* VAULT-6613 add DetermineRoleFromLoginRequest function to Core

* Fix body handling

* Role resolution for rate limit quotas

* VAULT-6613 update precedence test

* Add changelog

* Handle body error

* VAULT-6613 Return early if error with json parsing
2022-06-24 08:58:02 -04:00
Austin Gebauer 686a9fa39c
secrets/k8s: fix api docs for generated_role_rules json (#16127) 2022-06-23 13:05:06 -07:00
Josh Black 2ee2b6ed7c
Return a 403 for a bad SSCT instead of 500 (#16112) 2022-06-23 13:01:20 -07:00
claire bontempo c88df178c3
add waitUntil (#16072) 2022-06-23 11:19:27 -07:00
Alexander Scheel eeb4029eb1
Add signature_bits to sign-intermediate, sign-verbatim (#16124)
* Add signature_bits to sign-intermediate

This endpoint was lacking the signature_bits field like all the other
endpoints. Notably, in #15478, the ability to customize the intermediate
CSR's signature bits was removed without checking for the ability to
customize the final (root-signed) intermediate certificate's value.

This adds in that missing ability, bringing us parity with root
generation and role-based signing.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add signature_bits to sign-verbatim

This endpoint was also lacking the signature_bits field, preventing
other signature hash functions from being utilized here.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-23 14:07:27 -04:00
Jason Sturges 16c5d5ba11
Fix typo in remount (#16100)
"utlizie" => "utilize"
2022-06-22 17:28:10 -07:00
Justin Clayton 88ebc43055
minor typo fix (#16114)
Consult -> Consul
2022-06-22 14:52:42 -07:00
Jason O'Donnell f957573108
Fix bug where id not existing in multiplexing map causes panic (#16094)
* multiplexing: guard against connection panic

* changelog

* Update vault/plugin_catalog.go

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2022-06-22 14:29:25 -04:00
Victor Rodriguez 7f6e281893
Add new KMIP backend operation parameters to API documentation. (#16107)
The KMIP backend has four new parameters for the API call to create or update a
role:

  - operation_decrypt
  - operation_encrypt
  - operation_import
  - operation_query
2022-06-22 13:28:03 -04:00
Tom Proctor 770a57bdf0
Docs: Fix typo for Lambda extension env var config (#16108) 2022-06-22 17:28:31 +01:00
Rowan Smith 5815f6968e
fix typo in release notes (#16099)
cont > count
2022-06-22 10:39:43 -04:00
Violet Hynes 1aefd297e9
Add role resolution operations to cert and aws auth types (VAULT-6612) (#16079)
* VAULT-6612 Initial scaffolding for role determination

* VAULT-6612 Simplify code

* Fix fmt error that somehow happened

* VAULT-6612 Refactor resolve role response

* VAULT-6612 AWS Role resolution

* VAULT-6612 add Iam test

* VAULT-6612 Add cert role resolve operation

* Address comments

* Update builtin/credential/cert/path_login_test.go

Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>

Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>
2022-06-22 08:53:00 -04:00
Tom Proctor caf00b9f3c
OIDC/Kubernetes docs: Improve instructions for setting bound_audiences (#16080) 2022-06-22 09:27:19 +01:00