Commit Graph

15742 Commits

Author SHA1 Message Date
Steven Clark 7634f5a9a1
update semgrep to 0.106.0 (#16420)
* Update semgrep to 0.106.0

* Add required deps to build new semgrep dependency ujson

 - New Python dependency ujson for semgrep requires gcc, g++ and python3-dev.
 - python3-dev to pull in Python.h
2022-07-22 09:58:11 -04:00
Matt Schultz 31151671ab
Transform tokenization key auto-rotate docs (#16410)
* Document auto rotate fields for transform tokenization endpoints.

* Update Transform tokenization docs to mention key auto-rotation.
2022-07-21 15:48:58 -05:00
Jason O'Donnell d25a3526af
command/audit: improve audit enable type missing error message (#16409)
* command/audit: improve audit enable type missing error message

* changelog
2022-07-21 16:43:50 -04:00
Steven Zamborsky c0b0c4fde7
Add an "Important Note" regarding EKS CSR approval. (#16406) 2022-07-21 13:34:03 -07:00
Austin Gebauer 5fd479a55a
deps: updates google.golang.org/api via plugins (#16405) 2022-07-21 13:07:57 -07:00
Violet Hynes 8163271ee2
VAULT-7046 Allow trailing globbing at the end of a path suffix quota (#16386)
* VAULT-7046 OSS changes for trailing glob quotas

* VAULT-7046 allow glob of 'a*' to match 'a'

* VAULT-7046 Add changelog

* VAULT-7046 fix minor typo
2022-07-21 15:31:23 -04:00
Pratyoy Mukhopadhyay 77ca499c6e
oss changes (#16407) 2022-07-21 10:53:42 -07:00
Austin Gebauer 5062502756
auth/oidc: documents the client_nonce parameter (#16403) 2022-07-21 09:34:46 -07:00
Rachel Culpepper 133535fabe
add paths for import endpoints (#16401) 2022-07-21 11:19:13 -05:00
Austin Gebauer bafc630b12
auth/oidc: fix changelog entry for SecureAuth groups parsing (#16388) 2022-07-21 08:24:11 -07:00
Alexander Scheel aba72d7f7a
Add next-step warning on import without AIA URLs (#16392)
This tells the user that the next step should be to configure AIA URLs
on this newly imported issuer/mount point. Ideally this should occur
before any leaves are issued such that they have the correct
information.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-07-21 11:05:19 -04:00
Wojtek Czekalski d05e8d1222
Fix typo in the docs (#16323)
It's very confusing, `Volumes` are very similar to `volumes` and can cause confusion 😄
2022-07-21 10:42:46 -04:00
Francois BAYART 24b9fa39bc
Update s3.mdx (#13630)
fix IAM requirements to use KMS key
2022-07-21 10:41:33 -04:00
Jason Peng 08b0cf40d5
Update reload.mdx (#14207)
To match with the API version of docs- https://www.vaultproject.io/api-docs/system/plugins-reload-backend#sys-plugins-reload-backend.
2022-07-21 10:39:25 -04:00
Barak BD 164d37b11a
Add section for Engine V2 requests (#14381)
This may be a related issue: https://github.com/hashicorp/vault/issues/7161
2022-07-21 10:38:57 -04:00
Pratik Khasnabis 3e4f4fdd55
Change AWS to Azure in Tutorial section (#15206)
* Change AWS to Azure in Tutorial section

* trigger ci

Co-authored-by: taoism4504 <loann@hashicorp.com>
2022-07-21 10:36:27 -04:00
Austin Gebauer 7df39640e0
Update gopsutil to v3 to fix MacOS deprecation warnings (#16321)
* Update gopsutil to v3

* Adds v2 field names in host-info response to allow eventual deprecation in favor of v3 field names

* Map v3 to v2 field names to keep host-info api compat

* copy gopsutil license into source
2022-07-20 16:37:10 -07:00
Brian Kassouf d6bb62a0ab
Increase the allowed concurrent gRPC streams (#16327)
* Increase the allowed concurrent gRPC streams

* Add a env override for the max streams setting

* Add changelog

* go fmt

* fix builds on 32bit systems
2022-07-20 15:26:52 -04:00
Angel Garbarino c6b659c060
Fix replication test failure (#16380)
* fix

* fix
2022-07-20 13:24:15 -06:00
Christopher Swenson 81b702b918
Remove gox in favor of go build. (#16353)
Remove gox in favor of go build.

`gox` hasn't had a release to update it in many years, so is missing
support for many modern systems, like `darwin/arm64`.

In any case, we only use it for dev builds, where we don't even use
the ability of it to build for multiple platforms. Release builds use
`go build` now.

So, this switches to `go build` everywhere.

I pulled this down and tested it in Windows as well. (Side note: I
couldn't get `gox` to work in Windows, so couldn't build before this
change.)
2022-07-20 10:44:41 -07:00
Florent Tatard 9dc861a8b3
Missing word (#16269)
Can't believe this went unnoticed for 5 years :)
2022-07-20 08:54:10 -07:00
John-Michael Faircloth a5349bd1ef
Revert "AutoMTLS for secrets/auth plugins (#15671)" (#16377)
This reverts commit 39bcd5c71529f5f4eb61aae68b17d06d192ea55f.
2022-07-20 10:36:23 -05:00
Violet Hynes 047b3106ff
VAULT-6727 Adjust cert and approle role resolution, add more tests (#16341)
* VAULT-6727 Adjust cert and approle role resolution, add more tests

* VAULT-6727 Add new test
2022-07-20 09:24:06 -04:00
Loann Le 58a646c726
updated note (#16372) 2022-07-19 16:52:41 -07:00
Andy Assareh 1313a53702
formatting issue - missing list bullet (#16352) 2022-07-19 15:51:36 -07:00
Loïc Saint-Roch 3d978605f8
Add HashiBox to community tools (#16150) 2022-07-19 11:37:58 -07:00
Rodolfo Castelo Méndez b44d0ab1df
Information about aws_s3_server_side_encryption (#16253)
Add when cannot use the combination of parameters.
2022-07-19 11:18:19 -07:00
Jakob Beckmann d72064cb81
[Kubernetes Secret Engine]: Role namespace configuration possible via LabelSelector (#16240)
* docs(#16222): add documentation for changes in PR hashicorp/vault-plugin-secrets-kubernetes#10

* docs(#16222): add changelog entry

* docs(#16222): improve documentation to make the use case of setting both allowed_kubernetes_namespaces and allowed_kubernetes_namespace_selector parameters for role configuration
2022-07-19 13:11:45 -05:00
Tom Proctor 460388d957
Docs: Add release notes for MSSQL TDE (#16326) 2022-07-19 11:52:59 +01:00
Austin Gebauer 1a71678954
docs/plugin-portal: adds missing HashiCorp supported plugins (#16346) 2022-07-18 22:42:49 -07:00
Mạnh Tử 6b3cc4adc0
docs(plugin-portal): added Harbor Robot Account plugin (#16320) 2022-07-18 18:03:32 -07:00
Yoko Hyakuna 745ea70434
Fix the contribution guide link (#16344) 2022-07-18 16:37:31 -07:00
John-Michael Faircloth 7e170e7d87
AutoMTLS for secrets/auth plugins (#15671)
* use automtls for v5 secrets/auth plugins

* add automtls env guard

* start backend without metadata mode

* use PluginClientConfig for backend's NewPluginClient param

refactor

* - fix pluginutil test
- do not expect plugin to be unloaded in UT
- fix pluginutil tests --need new env var
- use require in UT
- fix lazy load test

* add changelog

* prioritize automtls; improve comments

* user multierror; refactor pluginSet for v4 unit test

* add test cases for v4 and v5 plugin versions

* remove unnecessary call to AutoMTLSSupported

* update comment on pluginSets

* use runconfig directly in sdk newpluginclient

* use automtls without metadatamode for v5 backend plugin registration

* use multierror for plugin runconfig calls

* remove some unnecessary code
2022-07-18 16:25:18 -05:00
Chris Capurso 3581811289
Update go to version 1.17.12 (#16336)
* update to go 1.17.12

* update changelog entry

* update readme
2022-07-18 16:28:47 -04:00
Mike Palmiotto 439e35f50f
Vault 6773/raft rejoin nonvoter (#16324)
* raft: Ensure init before setting suffrage

As reported in https://hashicorp.atlassian.net/browse/VAULT-6773:

	The /sys/storage/raft/join endpoint is intended to be unauthenticated. We rely
	on the seal to manage trust.

	It’s possible to use multiple join requests to switch nodes from voter to
	non-voter. The screenshot shows a 3 node cluster where vault_2 is the leader,
	and vault_3 and vault_4 are followers with non-voters set to false.  sent two
	requests to the raft join endpoint to have vault_3 and vault_4 join the cluster
	with non_voters:true.

This commit fixes the issue by delaying the call to SetDesiredSuffrage until after
the initialization check, preventing unauthenticated mangling of voter status.

Tested locally using
https://github.com/hashicorp/vault-tools/blob/main/users/ncabatoff/cluster/raft.sh
and the reproducer outlined in VAULT-6773.

* raft: Return join err on failure

This is necessary to correctly distinguish errors returned from the Join
workflow. Previously, errors were being masked as timeouts.

* raft: Default autopilot parameters in teststorage

Change some defaults so we don't have to pass in parameters or set them
in the originating tests. These storage types are only used in two
places:

1) Raft HA testing
2) Seal migration testing

Both consumers have been tested and pass with this change.

* changelog: Unauthn voter status change bugfix
2022-07-18 14:37:12 -04:00
Robert 8169940284
docs: fix consul secrets feature version (#16304)
* Move consul_namespace into Consul v1.7 instead of v1.8
2022-07-18 13:03:45 -05:00
VAL 12e7c4553c
Update to use latest api version (#16329) 2022-07-18 10:36:50 -07:00
Mike Palmiotto f2705c1d66
Fix agent use_auto_auth_token force test (#16313)
Update the test to fix a copy-paste error.
2022-07-15 19:12:59 -04:00
Nestor Reyes e3ce0f0d1d
Update policies.mdx (#16312)
548 From "builtin" to "built-in" to be consistent with the previous sentence. 

589 from "can not" to "cannot"
2022-07-15 15:28:49 -07:00
Kit Haines a4b5813817
append slash to consul path in doc (#15260)
Co-authored-by: Chulki Lee <chulki.lee@gmail.com>
2022-07-14 12:27:31 -07:00
Alexander Scheel 0113f8c586
Update localhost:3000 links to be correct (#16301)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-07-14 12:08:28 -07:00
Yoko Hyakuna cf0cb3be49
Update the policy examples (#16297)
* Update the policy examples

* Adjusted the examples
2022-07-14 08:01:22 -07:00
Loann Le e6b24b09f0
update sys-mfa-doc (#16291) 2022-07-13 10:36:52 -07:00
mickael-hc 10bc778488
update changelog with recent security entries (#16239) 2022-07-13 13:23:02 -04:00
Yoko Hyakuna 485b7b0abe
Remove the callout note about Ent (#16288) 2022-07-13 09:00:11 -07:00
Alexander Scheel 662395be90
Back out panic message, add new warning to FIPS docs (#16243)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-07-12 17:05:45 -04:00
VAL 90bef11019
Fix import statements for auth submodules (#16278) 2022-07-12 12:06:44 -07:00
Lucy Davinhart || Strawb System ebd0da3201
Clarification for local mounts in the context of DR (#16218)
* Clarification for local mounts in the context of DR

The docs were unclear on this point, so @russparsloe and I looked into it.

Local mounts are indeed replicated to DR secondaries.

This is the opposite of what it says on https://developer.hashicorp.com/vault/tutorials/enterprise/performance-replication#disaster-recovery 
> Local backend mounts are not replicated and their use will require existing DR mechanisms if DR is necessary in your implementation.
So that page will also need updating

* changelog

* fix changelog syntax for local mount with DR (#16218)
2022-07-12 10:17:12 -07:00
Austin Gebauer 4dda00ee1a
auth/oidc: Adds documentation for SecureAuth IdP (#16274) 2022-07-12 08:11:55 -07:00
Vishal Nayak c9e17d6219
Document autopilot config differences at a high level (#15000)
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-07-11 14:37:44 -07:00