* Fix a transit deadlock caused by indefinite lock holding in key autorotation.
* Move down manual policy locking in transit autorotation to avoid NPE.
* Wrap conditional transit key autorotation in a function to allow for cleaner policy lock management.
* Remove a dnagling continue statement from transit key autorotation.
Include recommendation to use Vault agent injector on OpenShift
instead of CSI due to production security constraints.
Additional instructions included for testing and development
clusters.
* adds serializer
* removes all 1.11 related work to monthly/new client counting
* move from new-init-activity to activity
* merge setup changes add monthly model/adapter
* delete new-init-activity files
* add graph to current month view
* influxdb v1 client has been split into a separate module from the main influxdb
code base. This changes uses the correct client, which also allows us to
get updates and avoids confusing some vulnerability scanners that flagged
previous version incorrectly.
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
* check for nil signing key on rotation
* add changelog
* Update nil signing key handling
- bypass setting ExpireAt if signing key is nil in rotate
- return err if singing key is nil in signPayload
* add comment; update error msg on signPayload; refactor UT
* Add support for client certificates to -output-curl-string
I did not write tests for this feature as -output-curl-string was not
already tested and this is a simple change. Because the name of the
certificates would be lost once loaded I added fields to Config to keep
track of them. I did not add a public method for the user to set them
explicitely as I don't think anyone would need this functionnality
outside of the Vault CLI.
Closes https://github.com/hashicorp/vault/issues/13376
* Add changelog
* Add lock in ConfigureTLS
* Fix upndomain bug causing alias name to change
* Fix nil map
* Add changelog
* revert
* Update changelog
* Add test for alias metadata name
* Fix code comment
* Accept both -f and --force in the web terminal
This aligns the behavior of the web terminal with the `vault write ...`
command to make it a bit more user friendly.
* Add changelog
* Use === instead of ==
* Add auto_rotate_interval field to transit key creation path.
* Add auto_rotate_interval field to transit key config update path.
* Implement transit automatic key rotation on an hourly interval.
* Fixes transit key autorotation key listing typo.
* Add unit tests for transit key autorotation.
* Add unit tests for transit key creation with autorotation interval.
* Add unit tests for transit key config update with autorotation interval.
* Document new auto_rotate_interval fields in key creation and key config update endpoints.
* Add changelog for transit key autorotation.
* Wrap individual transit key autorotation in a policy lock.
* Add a safeguard to transit key autorotation to ensure only one execution happens simultaneously.
"algorithm_signer": "rsa-sha2-256"
to prevent /var/log/auth.log `userauth_pubkey: certificate signature algorithm ssh-rsa: signature algorithm not supported [preauth]` due to vault defaulting to ssh-rsa which is insecure
* docs: add known issues section to 1.9.x upgrade guide
* minor rephrasing on oidc known issue
* use relative references for URLs
* Update website/content/docs/upgrading/upgrade-to-1.9.x.mdx
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* update known issues section for id token
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
In doing some testing I found that the listener clusteraddr isn't really used, or at least isn't as important as the top-level clusteraddr setting. As such, go-sockaddr templating needs to be implemented for the top-level `cluster_addr` setting or it's unusable for HA.
Also fix a nil pointer panic I discovered at the same time.
* makes more mock data
* sort month by clients
* fix mock data
* fix typo
* adds serializer for payload to format data for charts
* remove console logs
* change key from month_year to timestamp
* add comments/todos
* change dates to UTC iso timestamp
* revert serializer changes - moving to a new PR
* fire off network for query with Start time from license and return endDate and display
* startDate
* comment change
* saving wip
* change from startDate to startTime
* comment cleanup
* Address comments
* fixing small comments
The auth/token/revoke will not error out if the token does not exists, it
always tries to revoke the token and return success to the client whether
or not the token exists. This makes the behavior of
auth/token/revoke-accessor coherent with this and remove the need to
check whether the token still exists.