* operator generate-root -decode: allow token from stdin
Allow passing "-" as the value for -decode, causing the encoded token to
be read from stdin. This is intended to prevent leaking the encoded
token + otp into process logs in enterprise environments.
* add changelog entry for PR12881
* add check/test for empty decode value passed via stdin
* Add cluster name to oidc-provider path
* Move oidc-provider route up on router
* Return base url for changelog if no version
* OIDC Provider check on targetRouteName instead of transitionToTargetRoute
* restore dynamic provider segment on route
* Fix redirect after auth issue
* handle permission denied
* Let allowed_users template mix templated and non-templated parts (#10388)
* Add documentation
* Change test function names
* Add documentation
* Add changelog entry
* Update website docs regarding ssh role allowed_extensions parameter
- Add note within the upgrading to 1.9.0 about behaviour change
- Prefix the important note block within the main documentation about
signed ssh certificates that it applies pre-vault 1.9
- Update api docs for the allowed_extensions parameter within the ssh
role parameter.
* Apply suggestions from code review
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
Uses a bufconn listener between consul-template and vault-agent when
caching is enabled and either templates or a listener is defined. This
means no listeners need to be defined in vault-agent for just
templating. Always routes consul-template through the vault-agent
cache (instead of only when persistent cache is enabled).
Uses a local transportDialer interface in config.Cache{}.
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
* Forbid ssh key signing with specified extensions when role allowed_extensions is not set
- This is a behaviour change on how we process the allowed_extensions role
parameter when it does not contain a value. The previous handling allowed
a client to override and specify any extension they requested.
- We now require a role to explicitly set this behaviour by setting the parameter
to a '*' value which matches the behaviour of other keys such as allowed_users
within the role.
- No migration of existing roles is provided either, so operators if they truly
want this behaviour will need to update existing roles appropriately.
* removed unpublished:true for sys/internal/* endpoints
* added changelog file
* updated change log and added placeholder summary as these endpoints are not mentioned in docs.
* added documentation for internal/ui/namspaces and resultant-acl
* updated log configs
* adds helper so only rows with values display
* adds changelog
* add argument to is-empty-value helper to check for default
* adds test to helper for added named argument
* Documentation for custom http response headers
* Adding more explanation of what custom headers are and when to use them
* Header in the config takes precedence
* Update website/content/docs/configuration/listener/tcp.mdx
Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
* Adding more information on how to use custom response headers
* adding an API link to the ui
Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
- add new configuration option, ReadYourWrites, which enables a Client
to provide cluster replication states to every request. A curated set
of cluster replication states are stored in the replicationStateStore,
and is shared across clones.
* Disallow alias creation if entity/accessor combination exists
* Add changelog
* Address review comments
* Add handling to aliasUpdate, some field renaming
* Update tests to work under new entity-alias constraint
* Add check to entity merge, other review fixes
* Log duplicated accessors only once
* Fix flaky test
* Add note about new constraint to docs
* Update entity merge warn log
Nick Cabatoff