Commit Graph

16107 Commits

Author SHA1 Message Date
Alexander Scheel d67023c3b3
Add empty expiry crlConfig upgrade test (#17701)
* Add regression test for default CRL expiry

Also fixes a bug w.r.t. upgrading older entries and missing the Delta
Rebuild Interval field, setting it to the default.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog for earlier PR

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-27 11:20:12 -04:00
Bernhard Kaindl bf3749ff6d
website: Update api-docs for /ssh/sign/:name and /ssh/issue/:name (#17694)
Extend the documentation the API endpoint '/ssh/issue/:name' (added
in #15561 with v1.12.0) and '/ssh/issue/:name':

- Be more specific that the issued certificate uses the defaults
  given of the role at the given endpoint; and that it is subject
  to the limitations configured in this role.

- Note that the endpoint /ssh/issue/:name is available with v1.12+.

- Make it more clear that the generated credentials are only returned
  but not stored by Vault (not just the generated private key).
2022-10-27 07:56:08 -07:00
James Protzman a47848706e
Default crl expiry (#17693)
Ref: https://github.com/hashicorp/vault/issues/17642
2022-10-27 10:47:17 -04:00
Violet Hynes 6d9ea2862e
VAULT-8519 fix spurious "unknown or unsupported fields" warnings for JSON config (#17660)
* VAULT-8519 add tests for HCL unknown field bug

* VAULT-8519 upversion hcl

* VAULT-8519 include correct comitts in tag

* VAULT-8519 Add changelog
2022-10-27 10:28:03 -04:00
Mike Palmiotto a9dcc45f72
Tweak totp test to fix race failures (#17692) 2022-10-27 09:41:40 -04:00
Alexander Scheel 1733d2a3d6
Add support for PKCSv1_5_NoOID signatures (#17636)
* Add support for PKCSv1_5_NoOID signatures

This assumes a pre-hashed input has been provided to Vault, but we do
not write the hash's OID into the signature stream. This allows us to
generate the alternative PKCSv1_5_NoOID signature type rather than the
existing PKCSv1_5_DERnull signature type we presently use.

These are specified in RFC 3447 Section 9.2.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Exclude new none type from PSS based tests

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for PKCS#1v1.5 signatures

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-27 08:26:20 -04:00
akshya96 1e189016e2
update protoc version to 3.21.7 oss (#17499)
* update protoc to 3.21.7

* adding changelog
2022-10-26 16:49:44 -07:00
Jordan Reimer 571851cee3
OIDC Alternate Path Bug (#17661)
* adds error handling to auth-jwt component for missing roles and fixes bug where role wasn't being retained when using alternate oidc mount path at login

* fixes jwt login bug from auth mount tabs and adds test

* updates okta-number-challenge success value to arg in template

* adds changelog entry

* fixes issues logging in manually with jwt

* reverts mistaken change
2022-10-26 15:34:43 -06:00
Mike Palmiotto cc96c6f470
Store login MFA secret with tokenhelper (#17040)
* Store login MFA secret with tokenhelper
* Clean up and refactor tokenhelper paths
* Refactor totp test code for re-use
* Add login MFA command tests
* Use longer sleep times and sha512 for totp test
* Add changelog
2022-10-26 17:02:26 -04:00
claire bontempo 63656d900a
add labels to file type inputs (#17677) 2022-10-26 16:35:15 -04:00
Alexander Scheel c81bec4d06
Clean up dev cert construction (#17657)
Vault's new TLS devvault mode has two nits with certificate
construction:

 1. The CA doesn't need to include any SANs, as these aren't checked.
    Technically this means the CA could be reused as a leaf certificate
    for the one specified IP SAN, which is less desirable.
 2. Add hostname to SANs in addition to CNs. This is a best practice, as
    (when the CN is a hostname), it is preferable to have everything in
    SANs as well.

Neither of these are major changes.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-26 15:29:37 -04:00
Luis (LT) Carbonell 3425f8b36c
Add Paging Interface for LDAP Connection (#17640) 2022-10-26 14:05:53 -05:00
Alexander Scheel 1721cc9f75
Add PATCH support to Vault CLI (#17650)
* Add patch support to CLI

This is based off the existing write command, using the
JSONMergePatch(...) API client method rather than Write(...), allowing
us to update specific fields.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on PATCH support

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-26 14:30:40 -04:00
Johan Brandhorst-Satzkorn 1dd9e1cb53
Fix rendering of custom response headers (#17652)
The double quote used broke syntax highlighting. Replace with a proper double quote.
2022-10-26 13:44:48 -04:00
Alexander Scheel a70ec814dd
Fix permissions on Docker testing (#17658)
This appears to be due to a CI change that resulted in different user
IDs between the host and the container image.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-26 13:20:12 -04:00
Theron Voran 7553ef2c4a
docs/vault-helm: update cert-manager example (#17651)
Use injector.webhook.annotations instead of the deprecated
injector.webhookAnnotations
2022-10-26 10:12:06 -07:00
Angel Garbarino f4f054f6f8
UI/vault 9268/pki component tests (#17609)
* wip

* work in progress

* pki-role-form-test

* clean up

* radio-select-ttl-or-string test

* clean up

* add yielded check

* 12 to 13

* add pki-key-usage test

* remove meep

* key-params test

* clean up

* clean up

* pr comments
2022-10-25 13:58:11 -06:00
Yoko Hyakuna 337a2b1915
Added 'Manually Revocable' to the table (#17646) 2022-10-24 18:57:28 -07:00
Yoko Hyakuna ba9f94166b
Fix a broken link (#17644) 2022-10-24 17:09:33 -07:00
Alexander Scheel 09939f0ba9
Add AD mode to Transit's AEAD ciphers (#17638)
* Allow passing AssociatedData factories in keysutil

This allows the high-level, algorithm-agnostic Encrypt/Decrypt with
Factory to pass in AssociatedData, and potentially take multiple
factories (to allow KMS keys to work). On AEAD ciphers with a relevant
factory, an AssociatedData factory will be used to populate the
AdditionalData field of the SymmetricOpts struct, using it in the AEAD
Seal process.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add associated_data to Transit Encrypt/Decrypt API

This allows passing the associated_data (the last AD in AEAD) to
Transit's encrypt/decrypt when using an AEAD cipher (currently
aes128-gcm96, aes256-gcm96, and chacha20-poly1305). We err if this
parameter is passed on non-AEAD ciphers presently.

This associated data can be safely transited in plaintext, without risk
of modifications. In the event of tampering with either the ciphertext
or the associated data, decryption will fail.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add to documentation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-24 13:41:02 -04:00
Violet Hynes 73f9b13762
VAULT-9451 Fix data race in entity merge (#17631) 2022-10-21 16:47:59 -04:00
Rowan Smith 85d759faf0
added note regarding persistence for log level changes (#17596) 2022-10-20 18:14:29 -07:00
Mike Baum a7020b3c19
[QT-182] Fix broken k8s workflow for vault-enterprise (#17629) 2022-10-20 16:58:09 -04:00
Austin Gebauer 5d0aab1099
auth/azure: documents auth support for VMSS flexible orchestration (#17540)
* auth/azure: documents auth support for VMSS flexible orchestration

* adds changelog
2022-10-20 12:36:29 -07:00
AnPucel ed1928ca61
Update vault to v1.8.1 (#17516)
* Update vault to v1.8.1

* Updating api/auth to use new version of api
2022-10-20 11:56:55 -07:00
Jaymala cd5a93fc28
Enos verify stable needs Artifactory variables (#17618)
Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
2022-10-20 13:35:11 -04:00
Michele Degges a9440d052c
[CI-only] Update RedHat registry tag (#17610)
* [CI-only] Update RedHat registry tag

There are a few changes being made to RedHat's registry on October 20, 2022 that affect the way images need to be tagged prior to being pushed to the registry. This PR changes the tag to conform to the new standard. 

We have other work queued up in crt-workflows-common and actions-docker-build to support the other required changes. 

This PR should be merged to `main` and all release branches on or after October 20, 2022, and MUST be merged before your next production release. Otherwise, the automation to push to the RedHat registry will not work.

----

A detailed list of changes shared from RedHat (as an FYI):

The following changes will occur for container certification projects that leverage the Red Hat hosted registry [[registry.connect.redhat.com](http://registry.connect.redhat.com/)] for image distribution:

- All currently published images are migrating to a NEW, Red Hat hosted quay registry. Partners do not have to do anything for this migration, and this will not impact customers. The registry will still utilize [registry.connect.redhat.com](http://registry.connect.redhat.com/) as the registry URL.

- The registry URL currently used to push, tag, and certify images, as well as the registry login key, will change. You can see these changes under the “Images” tab of the container certification project. You will now see a [quay.io](http://quay.io/) address and will no longer see [scan.connect.redhat.com](http://scan.connect.redhat.com/).

- Partners will have the opportunity to auto-publish images by selecting “Auto-publish” in the Settings tab of your certification project. This will automatically publish images that pass all certification tests.

- For new container image projects, partners will have the option to host within their own chosen image registry while using [registry.connect.redhat.com](http://registry.connect.redhat.com/) as a proxy address. This means the end user can authenticate to the Red Hat registry to pull a partner image without having to provide additional authentication to the partner’s registry.

* docker: update redhat_tag

Co-authored-by: Sam Salisbury <samsalisbury@gmail.com>
2022-10-20 10:32:06 -07:00
claire bontempo 8a378af08a
fix typos (#17620) 2022-10-20 09:54:54 -07:00
Tom Proctor 826b792fee
Add plugin versioning to 1.12.0 release notes (#17617) 2022-10-20 15:24:53 +01:00
Angel Garbarino da5abfdfbe
PKI role create: fix issue with setting default key_bits on init and when key_type changes (#17613)
* working

* fix issue with signature bits

* fix ember upgrade change

* clean up

* fix signature bits to number

* default value in model

* fix language
2022-10-19 15:28:43 -06:00
Scott Miller 473d3c26b3
Intercept key_id from generic configmap and turn it into a wrapperv2 option (#17612)
* Intercept key_id from generic configmap and turn it into a wrapperv2 option

* changelog

* Doubled append

* Only convert key_id to an opt in OCI
2022-10-19 15:42:56 -05:00
Heather Simon e658babb3c
Create remove-labels.yml (#17611) 2022-10-19 12:46:38 -07:00
divyaac a1548f0f2b
Edit Telemetry Docs (#17209) 2022-10-19 12:13:32 -07:00
Mike Baum b4da17a01c
Add an enos scenario to test vault docker images using k8s/kind/helm (#17515)
* Added a scenario to test docker artifacts using the vault helm chart and a kind cluster
* Addedt enos-k8s github workflow
2022-10-19 14:26:31 -04:00
Jaymala 0285dccfd1
Download Enos test artifact only for CRT runs (#17603)
Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
2022-10-19 12:01:38 -04:00
Yoko Hyakuna 46cd8069be
[Release Notes] Add a note about storage support for VE (#17597)
* Add a note about storage support

* Add a row for VE storage backend
2022-10-19 08:26:24 -07:00
Bryce Kalow 3f25394b89
fixes more broken links (#17592) 2022-10-19 10:24:53 -04:00
Kapil Arora 2ab8b7fa23
Updated Name reported by k8s auth (#15507)
Since 1.9 k8s auth method supports setting  Name reported by auth method to Service Account name which is not reflected in this doc

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2022-10-19 11:15:54 +01:00
Rowan Smith 1c0f7ec491
Update aws.mdx (#16075)
* Update aws.mdx

* Update aws.mdx

* Update website/content/docs/auth/aws.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-10-18 22:09:21 -07:00
Calvin Leung Huang 9e6256178e
database/snowflake: update plugin to v0.6.1 (#17593)
* database/snowflake: update plugin to v0.6.1

* add changelog entry
2022-10-18 15:49:37 -07:00
Bryce Kalow cc5db86fe1
reset redirects array (#17585) 2022-10-18 15:18:22 -04:00
HashiBot 6ba1362a6d
chore: Update Digital Team Files (#17589)
* Update generated scripts (should-build.sh)

* Update generated website Makefile

* Update generated scripts (website-start.sh)

* Update generated scripts (website-build.sh)
2022-10-18 15:18:12 -04:00
Jaymala f7fcf0fa7f
Enos verify updates (#17586)
* Enos verify updates

- Update repo dispatch types
- Run Enos verify only on release branches

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Update as per review

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
2022-10-18 15:14:18 -04:00
Peter Wilson 19d220cb82
Fixed typo in USAGE line (#17582) 2022-10-18 20:08:25 +01:00
Bryce Kalow 34339ec9a8
website: fixes redirected links (#17574)
* fixes redirected links

* fix broken link to key wrapping guide
2022-10-18 14:06:27 -04:00
Jordan Reimer be632db682
Ember Upgrade to 4.4 (#17086)
* runs ember-cli-update to 4.4.0

* updates yarn.lock

* updates dependencies causing runtime errors (#17135)

* Inject Store Service When Accessed Implicitly (#17345)

* adds codemod for injecting store service

* adds custom babylon parser with decorators-legacy plugin for jscodeshift transforms

* updates inject-store-service codemod to only look for .extend object expressions and adds recast options

* runs inject-store-service codemod on js files

* replace query-params helper with hash (#17404)

* Updates/removes dependencies throwing errors in Ember 4.4 (#17396)

* updates ember-responsive to latest

* updates ember-composable-helpers to latest and uses includes helper since contains was removed

* updates ember-concurrency to latest

* updates ember-cli-clipboard to latest

* temporary workaround for toolbar-link component throwing errors for using params arg with LinkTo

* adds missing store injection to auth configure route

* fixes issue with string-list component throwing error for accessing prop in same computation

* fixes non-iterable query params issue in mfa methods controller

* refactors field-to-attrs to handle belongsTo rather than fragments

* converts mount-config fragment to belongsTo on auth-method model

* removes ember-api-actions and adds tune method to auth-method adapter

* converts cluster replication attributes from fragment to relationship

* updates ember-data, removes ember-data-fragments and updates yarn to latest

* removes fragments from secret-engine model

* removes fragment from test-form-model

* removes commented out code

* minor change to inject-store-service codemod and runs again on js files

* Remove LinkTo positional params (#17421)

* updates ember-cli-page-object to latest version

* update toolbar-link to support link-to args and not positional params

* adds replace arg to toolbar-link component

* Clean up js lint errors (#17426)

* replaces assert.equal to assert.strictEqual

* update eslint no-console to error and disables invididual intended uses of console

* cleans up hbs lint warnings (#17432)

* Upgrade bug and test fixes (#17500)

* updates inject-service codemod to take arg for service name and runs for flashMessages service

* fixes hbs lint error after merging main

* fixes flash messages

* updates more deps

* bug fixes

* test fixes

* updates ember-cli-content-security-policy and prevents default form submission throwing errors

* more bug and test fixes

* removes commented out code

* fixes issue with code-mirror modifier sending change event on setup causing same computation error

* Upgrade Clean Up (#17543)

* updates deprecation workflow and filter

* cleans up build errors, removes unused ivy-codemirror and sass and updates ember-cli-sass and node-sass to latest

* fixes control groups test that was skipped after upgrade

* updates control group service tests

* addresses review feedback

* updates control group service handleError method to use router.currentURL rather that transition.intent.url

* adds changelog entry
2022-10-18 09:46:02 -06:00
Violet Hynes 296297e53f
Fix format strings missing an argument (#17581) 2022-10-18 10:57:20 -04:00
Bernd Straehle 392fad9365
Rename "Google Apigee" to "Apigee" (#17561) 2022-10-18 15:07:39 +01:00
Mike Wickett 33679fdd39
fix broken link to transit key wrap (#17566) 2022-10-18 09:54:29 -04:00
Tom Proctor 455f1f6073
CLI: Fix secrets list -detailed headings (#17577) 2022-10-18 14:46:11 +01:00