* RSA3072 implementation in transit secrets engine
* moved new KeyType at the end of the list
So already stored keys still work properly
Co-authored-by: Jim Kalafut <jim@kalafut.net>
* adding support for TLS 1.3 for TCP listeners
* removed test as CI uses go 1.12
* removed Cassandra support, added deprecation notice
* re-added TestTCPListener_tls13
* rename UseAutoAuthForce to ForceAutoAuth, because I think it reads better
* Document 'ForceAuthAuthToken' option for Agent Cache
* Update website/pages/docs/agent/caching/index.mdx
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* Add additional tests around use_auto_auth=force and add documentation
* remove note, it's no longer correct
Co-authored-by: Jim Kalafut <jim@kalafut.net>
* Guard against using Raft as a separate HA Storage
* Document that Raft cannot be used as a separate ha_storage backend at this time
* remove duplicate imports from updating with master
* Mark deprecated plugins as deprecated
* Add redaction capability to database plugins
* Add x509 client auth
* Update vendored files
* Add integration test for x509 client auth
* Remove redaction logic pending further discussion
* Update vendored files
* Minor updates from code review
* Updated docs with x509 client auth
* Roles are required
* Disable x509 test because it doesn't work in CircleCI
* Add timeouts for container lifetime
* Fix typos
* Update Oracle DB secrets docs to show support for Static Roles
* Add warning about username case sensitivity
* Remove warning about casing
* Fix typo
Co-Authored-By: Becca Petrin <beccapetrin@gmail.com>
Co-authored-by: Becca Petrin <beccapetrin@gmail.com>
* Adding a new replication metric (WAL GC counter)
Adding a new line about the vault.replication.wal.gc metric
* Update website/pages/docs/internals/telemetry.mdx
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
* Add specification about AWS IAM Unique Identifiers
We experienced an issue where IAM roles resources were re-provisioned with the same ARNs and no change had been made to our vault role configuration but users lost access with `-method=aws`. It wasn't immediately clear to us how IAM Unique Identifiers were being used to avoid the same situations outlined in the AWS documentation. We eventually concluded that re-provisioning the roles in our auth/aws/auth would fetch the new IAM Unique Identifiers.
I hope that this small amendment helps people avoid this problem in the future.
Upgrade to new official Okta sdk lib. Since it requires an API token, use old unofficial okta lib for no-apitoken case.
Update test to use newer field names. Remove obsolete test invalidated by #4798. Properly handle case where an error was expected and didn't occur.
* Improve standalone with TLS example
- Documented creating a key & cert for serving Vault endpoints
- Removed unneeded configuration in custom values.yaml
- Updated examples to 1.3.0
* Add 127.0.0.1 to CSR
* Grammar & minor formatting
* Add additional DNS entry for CSR
* Split examples into individual pages
* Add Kubernetes Auth Method example
* Remove old examples file
* Fix rebase fail
* Remove global section of yaml files that aren't needed
* Fix minor typos
* Fix typos that didn't get carried over from previous PR
* Re-copy from previous examples file to resolve rebase issues
* update dependencies
Co-authored-by: Jeff Escalante <jescalan@users.noreply.github.com>
* add secrets/postgresql redirect
* change name of old path
* ensure deprecated pages are not indexed by search engines
* remove deprecated page from navigation
* Improve standalone with TLS example
- Documented creating a key & cert for serving Vault endpoints
- Removed unneeded configuration in custom values.yaml
- Updated examples to 1.3.0
* Add 127.0.0.1 to CSR
* Grammar & minor formatting
* Add additional DNS entry for CSR
* Fix typos, formatting, and other minor issues
* Use correct header depth for Helm Configuration
Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
* Add note about needing to do this on each node
Specifically calling this out will head off operators doing this on a single node and thinking it is a bug that it didn't propagate to the other nodes, secondaries, etc.
* Updated to reflect not needing to do registration on each
* Add example of field output
Ordering matters here and it's a constant question both from customers and new folks. This will help to show the right syntax.
* minor update to spelling and force unit test rerun
* Update example actually in example area
* Clarify last example is only unix example
* removing Unix specific example
* index.html.md
Vault Integration Program Refresh for CY 2020, major updates edits from Vault PM and Alliance
* fixing formatting and links
* a few more formatting updates
* Patch- Fix Typo
* Hashicorp -> HashiCorp
* embedding images
* remove checkboxes since they do not render correctly
Co-authored-by: Chris Hoffman <99742+chrishoffman@users.noreply.github.com>
Co-authored-by: Chris Griggs <cgriggs@hashicorp.com>
* Split helm docs to multiple pages under Helm Chart
- Fixed some minor formatting typos
- Added a note at the beginning of most of the pages indicating
incompatibility with helm 3
* Remove duplicate examples
If a CSR contains a SAN of type otherName, encoded in UTF-8, and the signing role specifies use_csr_sans, the otherName SAN will be included in the signed cert's SAN extension.
Allow single star in allowed_other_sans to match any OtherName. Update documentation to clarify globbing behaviour.
* move ServiceDiscovery into methods
* add ServiceDiscoveryFactory
* add serviceDiscovery field to vault.Core
* refactor ConsulServiceDiscovery into separate struct
* cleanup
* revert accidental change to go.mod
* cleanup
* get rid of un-needed struct tags in vault.CoreConfig
* add service_discovery parser
* add ServiceDiscovery to config
* cleanup
* cleanup
* add test for ConfigServiceDiscovery to Core
* unit testing for config service_discovery stanza
* cleanup
* get rid of un-needed redirect_addr stuff in service_discovery stanza
* improve test suite
* cleanup
* clean up test a bit
* create docs for service_discovery
* check if service_discovery is configured, but storage does not support HA
* tinker with test
* tinker with test
* tweak docs
* move ServiceDiscovery into its own package
* tweak a variable name
* fix comment
* rename service_discovery to service_registration
* tweak service_registration config
* Revert "tweak service_registration config"
This reverts commit 5509920a8ab4c5a216468f262fc07c98121dce35.
* simplify naming
* refactor into ./serviceregistration/consul
* physical/postgresql: add ability to use CONNECTION_URL environment variable instead of requiring it to be configured in the Vault config file.
Signed-off-by: Colton McCurdy <mccurdyc22@gmail.com>
* storage/postgresql: update configuration documentation for postgresql storage backend to include connection_url configuration via the PG_CONNECTION_URL environment variable
Signed-off-by: Colton McCurdy <mccurdyc22@gmail.com>
* physical/postgresql: add a configuration file and tests for getting the connection_url from the config file or environment
Signed-off-by: Colton McCurdy <mccurdyc22@gmail.com>
* physical/postgresql: update postgresql backend to pull the required connection_url from the PG_CONNECTION_URL environment variable if it exists, otherwise, fallback to using the config file
Signed-off-by: Colton McCurdy <mccurdyc22@gmail.com>
* physical/postgresql: remove configure*.go files and prefer the postgresql*.go files
Signed-off-by: Colton McCurdy <mccurdyc22@gmail.com>
* physical/postgresql: move and simplify connectionURL function
Signed-off-by: Colton McCurdy <mccurdyc22@gmail.com>
* physical/postgresql: update connectionURL test to use an unordered map instead of slice to avoid test flakiness
Signed-off-by: Colton McCurdy <mccurdyc22@gmail.com>
* physical/postgresql: update config env to be prefixed with VAULT_ - VAULT_PG_CONNECTION_URL
Signed-off-by: Colton McCurdy <mccurdyc22@gmail.com>
* docs/web: update postgresql backend docs to use updated, VAULT_ prefixed config env
Signed-off-by: Colton McCurdy <mccurdyc22@gmail.com>
Continues https://github.com/hashicorp/vault/pull/6459 and cleans up
some spots that should have been deleted, but due to markdown
formatting, weren't rendering anyway.
> Remove response code info from non-overview API docs as it can be
> misinterpreted and is always the same anyways.
* link to template docs from Agent docs
* fix docs link
* fix metadata in template index page
* fix formatting that caused template index to render blank
* Update parameter names to match URL placeholders
* Fix incorrect parameter quoting
Without the separated quoting, the entire `ec2_alias (string: "role_id")` string becomes an anchor link.
* Fix default value for userattr
vault/sdk/helper/ldaputil/config.go shows userattr has a default value of "cn"
* Fix default value for url
Documentation says it's required, but vault/sdk/helper/ldaputil/config.go shows that url has a default value.
* website: various updates
* Expose /docs and /intro views using documentation-style
layout for index pages
* Add [Use Case] Secrets Management page
* Add [Use Case] Data Encryption page
* Add [Use Case] Identity Based Access page
* Update redirects file removing `/intro` routes redirecting to
`learn.hashicorp`
* Hide MegaNav on mobile
* website: route /api straight to documentation
* Bypass index page and jump straight to content
* Fix unordered imports
* Allow Raft node ID to be set via the environment variable `VAULT_RAFT_NODE_ID`
* Allow Raft path to be set via the environment variable `VAULT_RAFT_PATH`
* Prioritize the environment when fetching the Raft configuration values
Values in environment variables should override the config as per the
documentation as well as common sense.
The example request for "Generate Intermediate" was type "internal", but the example response contained the private key, which "internal" doesn't do. This patch fixes the example request to be type "exported" to match the example response.
* Vault Agent Template: parse templates (#7540)
* add template config parsing, but it's wrong b/c it's not using mapstructure
* parsing consul templates in agent config
* add additional test to configuration parsing, to cover basics
* another test fixture, rework simple test into table
* refactor into table test
* rename test
* remove flattenKeys and add other test fixture
* Update command/agent/config/config.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* return the decode error instead of swallowing it
* Update command/agent/config/config_test.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* go mod tidy
* change error checking style
* Add agent template doc
* TemplateServer: render secrets with Consul Template (#7621)
* add template config parsing, but it's wrong b/c it's not using mapstructure
* parsing consul templates in agent config
* add additional test to configuration parsing, to cover basics
* another test fixture, rework simple test into table
* refactor into table test
* rename test
* remove flattenKeys and add other test fixture
* add template package
* WIP: add runner
* fix panic, actually copy templates, etc
* rework how the config.Vault is created and enable reading from the environment
* this was supposed to be a part of the prior commit
* move/add methods to testhelpers for converting some values to pointers
* use new methods in testhelpers
* add an unblock channel to block agent until a template has been rendered
* add note
* unblock if there are no templates
* cleanups
* go mod tidy
* remove dead code
* simple test to start
* add simple, empty templates test
* Update package doc, error logs, and add missing close() on channel
* update code comment to be clear what I'm referring to
* have template.NewServer return a (<- chan) type, even though it's a normal chan, as a better practice to enforce reading only
* Update command/agent.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* update with test
* Add README and doc.go to the command/agent directory (#7503)
* Add README and doc.go to the command/agent directory
* Add link to website
* address feedback for agent.go
* updated with feedback from Calvin
* Rework template.Server to export the unblock channel, and remove it from the NewServer function
* apply feedback from Nick
* fix/restructure rendering test
* Add pointerutil package for converting types to their pointers
* Remove pointer helper methods; use sdk/helper/pointerutil instead
* update newRunnerConfig to use pointerutil and empty strings
* only wait for unblock if template server is initialized
* drain the token channel in this test
* conditionally send on channel
This typo is related to https://github.com/hashicorp/vault/issues/7603. The typo was causing issues with getting this working correctly when following the guide. I imagine any other newbie to this plugin will have the same struggle. I had to delve into the source code to figure it out.
* document the require_request_header option in Agent
* minor tweaks to docs
Currently whenever we start a new C* session in the database plugin, we
run `LIST ALL` to determine whether we are a superuser, or otherwise
have permissions on roles. This is a fairly sensible way of checking
this, except it can be really slow when you have a lot of roles (C*
isn't so good at listing things). It's also really intensive to C* and
leads to a lot of data transfer. We've seen timeout issues when doing
this query, and can of course raise the timeout, but we'd probably
prefer to be able to switch it off.
* secrets/aws: Support permissions boundaries on iam_user creds
This allows configuring Vault to attach a permissions boundary policy to
IAM users that it creates, configured on a per-Vault-role basis.
* Fix indentation of policy in docs
Use spaces instead of tabs
A Vault Enterprise Pro customer in Japan has tried to get Vault DR replication working using Google Cloud Storage.
They were frustrated to learn that GCS may not have support for transactional updates which has resulted in a lot of wasted time.
The complaint was that this was not clear from our documentation.
This note may help customers to understand sooner that not all highly available backends support transactional updates.
Fixed malformed json example (removed extra comma). Here's the payload parse error I was running into with the example.
```
{
"rotation_period":"12h",
"verification_ttl":43200,
}
```
Vault does not like this JSON.
```
curl -s \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload-2.json \
http://127.0.0.1:8200/v1/identity/oidc/key/named-key-001 | jq
{
"errors": [
"failed to parse JSON input: invalid character '}' looking for beginning of object key string"
]
}
```
Vaulted is no longer maintained according to the readme.
https://github.com/chiefy/vaulted#vaulted
"No Longer Being Maintained Use node-vault for future support of Vault features!"
* secret/aws: Pass policy ARNs to AssumedRole and FederationToken roles
AWS now allows you to pass policy ARNs as well as, and in addition to,
policy documents for AssumeRole and GetFederationToken (see
https://aws.amazon.com/about-aws/whats-new/2019/05/session-permissions/).
Vault already collects policy ARNs for iam_user credential types; now it
will allow policy ARNs for assumed_role and federation_token credential
types and plumb them through to the appropriate AWS calls.
This brings along a minor breaking change. Vault roles of the
federation_token credential type are now required to have either a
policy_document or a policy_arns specified. This was implicit
previously; a missing policy_document would result in a validation error
from the AWS SDK when retrieving credentials. However, it would still
allow creating a role that didn't have a policy_document specified and
then later specifying it, after which retrieving the AWS credentials
would work. Similar workflows in which the Vault role didn't have a
policy_document specified for some period of time, such as deleting the
policy_document and then later adding it back, would also have worked
previously but will now be broken.
The reason for this breaking change is because a credential_type of
federation_token without either a policy_document or policy_arns
specified will return credentials that have equivalent permissions to
the credentials the Vault server itself is using. This is quite
dangerous (e.g., it could allow Vault clients access to retrieve
credentials that could modify Vault's underlying storage) and so should
be discouraged. This scenario is still possible when passing in an
appropriate policy_document or policy_arns parameter, but clients should
be explicitly aware of what they are doing and opt in to it by passing
in the appropriate role parameters.
* Error out on dangerous federation token retrieval
The AWS secrets role code now disallows creation of a dangerous role
configuration; however, pre-existing roles could have existed that would
trigger this now-dangerous code path, so also adding a check for this
configuration at credential retrieval time.
* Run makefmt
* Fix tests
* Fix comments/docs
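The federation_token change above describes two enforcement points: refusing to write a role that has neither a policy_document nor policy_arns, and re-checking stored roles at credential-retrieval time so that pre-existing unscoped roles cannot mint credentials carrying the Vault server's own AWS permissions. The following is an added example written for this page, not Vault's code: `Role`, `ValidateRoleWrite`, `BuildSessionParams` and the field names are hypothetical stand-ins for the real secrets engine, and the sample ARN is illustrative.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Credential types as named in the commit message above.
const (
	CredIAMUser         = "iam_user"
	CredAssumedRole     = "assumed_role"
	CredFederationToken = "federation_token"
)

// Role is a hypothetical, simplified stand-in for a Vault AWS secrets role;
// only the fields relevant to the policy-scoping check are modelled.
type Role struct {
	Name           string
	CredentialType string
	PolicyDocument string   // inline IAM policy JSON, may be empty
	PolicyARNs     []string // managed policy ARNs, may be empty
}

// ErrUnscopedFederationToken is returned for the dangerous configuration:
// a federation_token role with no policy would yield credentials equivalent
// to the ones the Vault server itself uses.
var ErrUnscopedFederationToken = errors.New(
	"federation_token role must specify policy_document or policy_arns; " +
		"otherwise the issued credentials inherit the Vault server's own permissions")

// hasScope reports whether the role restricts the session permissions at all.
func (r Role) hasScope() bool {
	return strings.TrimSpace(r.PolicyDocument) != "" || len(r.PolicyARNs) > 0
}

// ValidateRoleWrite is the creation-time check: it refuses to store a
// federation_token role that carries no scoping policy. assumed_role and
// iam_user roles are not affected by this rule.
func ValidateRoleWrite(r Role) error {
	switch r.CredentialType {
	case CredIAMUser, CredAssumedRole, CredFederationToken:
	default:
		return fmt.Errorf("unknown credential_type %q", r.CredentialType)
	}
	if r.CredentialType == CredFederationToken && !r.hasScope() {
		return ErrUnscopedFederationToken
	}
	return nil
}

// SessionParams is what would be handed to the AWS session call
// (GetFederationToken or AssumeRole) once the role passes the check.
type SessionParams struct {
	Policy     string
	PolicyARNs []string
}

// BuildSessionParams is the retrieval-time check: roles stored before the
// write-time validation existed are re-checked here, so a dangerous stored
// role cannot be used to obtain credentials.
func BuildSessionParams(r Role) (SessionParams, error) {
	if r.CredentialType == CredFederationToken && !r.hasScope() {
		return SessionParams{}, ErrUnscopedFederationToken
	}
	return SessionParams{
		Policy:     r.PolicyDocument,
		PolicyARNs: append([]string(nil), r.PolicyARNs...),
	}, nil
}

func main() {
	// Constructed sample: a legacy role that predates the validation.
	legacy := Role{Name: "legacy-ft", CredentialType: CredFederationToken}
	if err := ValidateRoleWrite(legacy); err != nil {
		fmt.Println("rejected at write time:", err)
	}
	if _, err := BuildSessionParams(legacy); err != nil {
		fmt.Println("rejected at retrieval time:", err)
	}
}
```

Both checks share one predicate on purpose: the write-time check gives operators an early error, while the retrieval-time check is the one that actually closes the gap for roles that were already in storage when the rule was introduced.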