Commit Graph

15571 Commits

Author SHA1 Message Date
John-Michael Faircloth a5349bd1ef
Revert "AutoMTLS for secrets/auth plugins (#15671)" (#16377)
This reverts commit 39bcd5c71529f5f4eb61aae68b17d06d192ea55f.
2022-07-20 10:36:23 -05:00
Violet Hynes 047b3106ff
VAULT-6727 Adjust cert and approle role resolution, add more tests (#16341)
* VAULT-6727 Adjust cert and approle role resolution, add more tests

* VAULT-6727 Add new test
2022-07-20 09:24:06 -04:00
Loann Le 58a646c726
updated note (#16372) 2022-07-19 16:52:41 -07:00
Andy Assareh 1313a53702
formatting issue - missing list bullet (#16352) 2022-07-19 15:51:36 -07:00
Loïc Saint-Roch 3d978605f8
Add HashiBox to community tools (#16150) 2022-07-19 11:37:58 -07:00
Rodolfo Castelo Méndez b44d0ab1df
Information about aws_s3_server_side_encryption (#16253)
Add when cannot use the combination of parameters.
2022-07-19 11:18:19 -07:00
Jakob Beckmann d72064cb81
[Kubernetes Secret Engine]: Role namespace configuration possible via LabelSelector (#16240)
* docs(#16222): add documentation for changes in PR hashicorp/vault-plugin-secrets-kubernetes#10

* docs(#16222): add changelog entry

* docs(#16222): improve documentation to make the use case of setting both allowed_kubernetes_namespaces and allowed_kubernetes_namespace_selector parameters for role configuration
2022-07-19 13:11:45 -05:00
Tom Proctor 460388d957
Docs: Add release notes for MSSQL TDE (#16326) 2022-07-19 11:52:59 +01:00
Austin Gebauer 1a71678954
docs/plugin-portal: adds missing HashiCorp supported plugins (#16346) 2022-07-18 22:42:49 -07:00
Mạnh Tử 6b3cc4adc0
docs(plugin-portal): added Harbor Robot Account plugin (#16320) 2022-07-18 18:03:32 -07:00
Yoko Hyakuna 745ea70434
Fix the contribution guide link (#16344) 2022-07-18 16:37:31 -07:00
John-Michael Faircloth 7e170e7d87
AutoMTLS for secrets/auth plugins (#15671)
* use automtls for v5 secrets/auth plugins

* add automtls env guard

* start backend without metadata mode

* use PluginClientConfig for backend's NewPluginClient param

refactor

* - fix pluginutil test
- do not expect plugin to be unloaded in UT
- fix pluginutil tests --need new env var
- use require in UT
- fix lazy load test

* add changelog

* prioritize automtls; improve comments

* user multierror; refactor pluginSet for v4 unit test

* add test cases for v4 and v5 plugin versions

* remove unnecessary call to AutoMTLSSupported

* update comment on pluginSets

* use runconfig directly in sdk newpluginclient

* use automtls without metadatamode for v5 backend plugin registration

* use multierror for plugin runconfig calls

* remove some unnecessary code
2022-07-18 16:25:18 -05:00
Chris Capurso 3581811289
Update go to version 1.17.12 (#16336)
* update to go 1.17.12

* update changelog entry

* update readme
2022-07-18 16:28:47 -04:00
Mike Palmiotto 439e35f50f
Vault 6773/raft rejoin nonvoter (#16324)
* raft: Ensure init before setting suffrage

As reported in https://hashicorp.atlassian.net/browse/VAULT-6773:

	The /sys/storage/raft/join endpoint is intended to be unauthenticated. We rely
	on the seal to manage trust.

	It’s possible to use multiple join requests to switch nodes from voter to
	non-voter. The screenshot shows a 3 node cluster where vault_2 is the leader,
	and vault_3 and vault_4 are followers with non-voters set to false.  sent two
	requests to the raft join endpoint to have vault_3 and vault_4 join the cluster
	with non_voters:true.

This commit fixes the issue by delaying the call to SetDesiredSuffrage until after
the initialization check, preventing unauthenticated mangling of voter status.

Tested locally using
https://github.com/hashicorp/vault-tools/blob/main/users/ncabatoff/cluster/raft.sh
and the reproducer outlined in VAULT-6773.

* raft: Return join err on failure

This is necessary to correctly distinguish errors returned from the Join
workflow. Previously, errors were being masked as timeouts.

* raft: Default autopilot parameters in teststorage

Change some defaults so we don't have to pass in parameters or set them
in the originating tests. These storage types are only used in two
places:

1) Raft HA testing
2) Seal migration testing

Both consumers have been tested and pass with this change.

* changelog: Unauthn voter status change bugfix
2022-07-18 14:37:12 -04:00
Robert 8169940284
docs: fix consul secrets feature version (#16304)
* Move consul_namespace into Consul v1.7 instead of v1.8
2022-07-18 13:03:45 -05:00
VAL 12e7c4553c
Update to use latest api version (#16329) 2022-07-18 10:36:50 -07:00
Mike Palmiotto f2705c1d66
Fix agent use_auto_auth_token force test (#16313)
Update the test to fix a copy-paste error.
2022-07-15 19:12:59 -04:00
Nestor Reyes e3ce0f0d1d
Update policies.mdx (#16312)
548 From "builtin" to "built-in" to be consistent with the previous sentence. 

589 from "can not" to "cannot"
2022-07-15 15:28:49 -07:00
Kit Haines a4b5813817
append slash to consul path in doc (#15260)
Co-authored-by: Chulki Lee <chulki.lee@gmail.com>
2022-07-14 12:27:31 -07:00
Alexander Scheel 0113f8c586
Update localhost:3000 links to be correct (#16301)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-07-14 12:08:28 -07:00
Yoko Hyakuna cf0cb3be49
Update the policy examples (#16297)
* Update the policy examples

* Adjusted the examples
2022-07-14 08:01:22 -07:00
Loann Le e6b24b09f0
update sys-mfa-doc (#16291) 2022-07-13 10:36:52 -07:00
mickael-hc 10bc778488
update changelog with recent security entries (#16239) 2022-07-13 13:23:02 -04:00
Yoko Hyakuna 485b7b0abe
Remove the callout note about Ent (#16288) 2022-07-13 09:00:11 -07:00
Alexander Scheel 662395be90
Back out panic message, add new warning to FIPS docs (#16243)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-07-12 17:05:45 -04:00
VAL 90bef11019
Fix import statements for auth submodules (#16278) 2022-07-12 12:06:44 -07:00
Lucy Davinhart || Strawb System ebd0da3201
Clarification for local mounts in the context of DR (#16218)
* Clarification for local mounts in the context of DR

The docs were unclear on this point, so @russparsloe and I looked into it.

Local mounts are indeed replicated to DR secondaries.

This is the opposite of what it says on https://developer.hashicorp.com/vault/tutorials/enterprise/performance-replication#disaster-recovery 
> Local backend mounts are not replicated and their use will require existing DR mechanisms if DR is necessary in your implementation.
So that page will also need updating

* changelog

* fix changelog syntax for local mount with DR (#16218)
2022-07-12 10:17:12 -07:00
Austin Gebauer 4dda00ee1a
auth/oidc: Adds documentation for SecureAuth IdP (#16274) 2022-07-12 08:11:55 -07:00
Vishal Nayak c9e17d6219
Document autopilot config differences at a high level (#15000)
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-07-11 14:37:44 -07:00
Joel Kenny 2f1502556a
docs/configuration: document CockroachDB HA mode (#16202)
HA support for CockroachDB was added in #12965. This commit updates the docs
to reflect that support.
2022-07-11 12:00:51 -07:00
Hridoy Roy 573e01af1d
Throw SSCT Error In Some Cases (#16270)
* throw the ssct error if it signifies that the server needs to take an action

* use errors.Is instead of checking string comparison
2022-07-11 11:12:02 -07:00
Austin Gebauer 647c2eba42
auth/oidc: splits IdP setup guides into separate pages (#16167) 2022-07-11 10:20:24 -07:00
Chris Capurso 068a413311
remove GetCoreConfigInternal from logger API tests (#16263) 2022-07-08 19:23:18 +02:00
Austin Gebauer c00e605b48
secrets/k8s: updates API docs for kubernetes_host with correct env var (#16251) 2022-07-08 08:52:42 -07:00
Steven Clark d04b143bd5
pki: When a role sets key_type to any ignore key_bits value when signing a csr (#16246)
* pki: When a role sets key_type to any ignore key_bits value when signing

 - Bypass the validation for the role's key_bits value when signing CSRs
   if the key_type is set to any. We still validate the key is at least
   2048 for RSA backed CSRs as we did in 1.9.x and lower.
2022-07-08 10:56:15 -04:00
Loann Le e942fae6cc
Vault documentation: added info about new policy flag (#16244)
* added info about new policy flag

* updated wording
2022-07-07 12:54:27 -07:00
Loann Le 9ebaab28c2
added content for network guidance (#16242) 2022-07-07 11:18:45 -07:00
Yoko Hyakuna c54d33608c
Update 'master key' -> 'root key' (#16226) 2022-07-06 16:03:08 -07:00
Jason O'Donnell 110f754d97
agent/template: fix exec parsing error for templates (#16231)
* agent/template: fix exec parsing error for templates

* changelog
2022-07-06 21:21:35 +01:00
akshya96 c70a2cd198
Minor grammar correction in help for login command (#16211)
* Minor grammar correction in help for login command

* Fix login command help

Co-authored-by: Pero P <ppejovic@users.noreply.github.com>
2022-07-06 09:17:11 -07:00
Violet Hynes 0c80ee5cf5
VAULT-6614 Enable role based quotas for lease-count quotas (OSS) (#16157)
* VAULT-6613 add DetermineRoleFromLoginRequest function to Core

* Fix body handling

* Role resolution for rate limit quotas

* VAULT-6613 update precedence test

* Add changelog

* VAULT-6614 start of changes for roles in LCQs

* Expiration changes for leases

* Add role information to RequestAuth

* VAULT-6614 Test updates

* VAULT-6614 Add expiration test with roles

* VAULT-6614 fix comment

* VAULT-6614 Protobuf on OSS

* VAULT-6614 Add rlock to determine role code

* VAULT-6614 Try lock instead of rlock

* VAULT-6614 back to rlock while I think about this more

* VAULT-6614 Additional safety for nil dereference

* VAULT-6614 Use %q over %s

* VAULT-6614 Add overloading to plugin backends

* VAULT-6614 RLocks instead

* VAULT-6614 Fix return for backend factory
2022-07-05 13:02:00 -04:00
Loann Le 752c7374a9
vault documentation: updated examples to use volumes (#16175)
* updated examples to use volumes

* Update website/content/docs/platform/k8s/helm/examples/ha-with-consul.mdx

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Update website/content/docs/platform/k8s/helm/examples/standalone-tls.mdx

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Update website/content/docs/platform/k8s/helm/run.mdx

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Update website/content/docs/platform/k8s/helm/run.mdx

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2022-07-05 08:32:51 -07:00
Michael Hofer 96e52760e3
docs(seal): improve readability, fix master key occurrence and typos (#16220) 2022-07-01 10:21:49 -07:00
Cristian Iaroi 5727762ce5
Adding Vault HydrantID Pki Plugin (#16058)
repository: https://github.com/PaddyPowerBetfair/vault-plugin-hydrant-pki
raised issue: #16011
also updated docs (link to page for PR)
2022-07-01 07:55:17 -07:00
aphorise 8b5f7da595
Docs/ekm sql provider corrections and troubleshooting (#15968) 2022-07-01 10:47:03 +01:00
Alexander Scheel 60add7d2be
Document additional FIPS restrictions (#16208)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-30 16:14:07 -05:00
Alexander Scheel d4cdafc314
Document PKI root rotation, replacement paths (#16206)
See also: https://discuss.hashicorp.com/t/missing-pki-secret-engine-api-documentation-for-root-rotate-and-root-replace-endpoints/41215

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-30 10:45:49 -07:00
AnPucel 7a5d3e80dd
Developer Quickstart docs improvements (#16199)
- Make the dev quick start link readily available on the client library documentation page
- Move the full code samples to the top of the dev quickstart page so that they're easily accessible.
- Update the api/readme to have a link to the dev quickstart
2022-06-30 08:50:35 -07:00
AnPucel 3215cdbd32
Dynamic parameter for mountpaths in OpenApi Spec generation(#15835)
"generic_mount_paths" query parameter for OpenApiSpec generation
2022-06-30 07:43:04 -07:00
AnPucel ed9ae70822
Add curl commands to Dev Quickstart guide (#16176) 2022-06-29 15:50:48 -07:00