Commit graph

16029 commits

Author SHA1 Message Date
Loann Le a0ba3202a8
vault documentation: updated use cases doc (#16783)
* incorporated feedback

* added link
2022-08-18 15:00:12 -07:00
Angel Garbarino 3b5cdbb52c
Fixing flaky "oidc auth method" tests (#16774)
* fix

* clean up

* Cleanup
2022-08-18 15:22:03 -06:00
Max Coulombe fa29ed9e0b
* setting uploadurl explicitly empty (#16779) 2022-08-18 16:26:55 -04:00
Robert f7c20bc745
docs: add multi-host connection string info to postgres secrets API docs (#16780)
* Add multihost connection string information to postgres API docs

* Add note about replication manager
2022-08-18 14:38:30 -05:00
Angel Garbarino 9c71b19538
Confirm-action fixes (#16777)
* test and the fix

* pr fixes

* comment fix
2022-08-18 10:53:56 -06:00
John-Michael Faircloth d3c72080c4
update go-plugin to v1.4.5 (#16781) 2022-08-18 12:33:43 -04:00
Max Coulombe 905ddff609
Env Flag Filtering (#16683)
* added filtering for global flags

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2022-08-17 21:29:16 -04:00
Yoko Hyakuna 404edd4c08
Mount paths case-sensitivity (#16743)
* Add a callout note about case-sensitivity

* Update website/content/docs/commands/secrets/enable.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/secrets/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/secrets/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/secrets/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/secrets/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-08-17 09:57:47 -07:00
Yoko Hyakuna 224d2e9794
Fix typos (#16749) 2022-08-17 09:47:56 -07:00
Yoko Hyakuna 7193f380b6
Fix the referenced learn link (#16747) 2022-08-17 09:47:35 -07:00
Matt Schultz 14284c67f5
Update consul-template to v0.29.2. (#16764) 2022-08-17 11:24:40 -05:00
Hridoy Roy 7fb60a7617
oss port of vault-7225-bugfix (#16745) 2022-08-16 16:38:11 -07:00
Hridoy Roy 91ef527a1f
re-add namespace attribution to current month (#16473)
* re-add namespace attribution to current month

* delete cl

* parity with ent branch
2022-08-16 16:27:20 -07:00
Theron Voran 2ab297a24f
docs/vault-helm: updates for the v0.21.0 release (#16731)
Also added a partial for the helm version note.
2022-08-16 14:56:30 -07:00
Yoko Hyakuna 511e442909
Update the Vault Agent config example (#16751)
* Update the Vault Agent config example

* Update index.mdx

* Update the Vault Agent config example - edit

Small additions.

* Update the Vault Agent config example - edit2

Added IP note too.

* Minor fix: add missing 'Vault'

Co-authored-by: aphorise <aphorise@gmail.com>
2022-08-16 14:42:02 -07:00
Loann Le d5254b6a29
vault documentation: general doc cleanup (#16446)
* editorial work

* edited

* added resources

* rewrote use cases

* added links

* updated content

* Update website/content/docs/what-is-vault.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Suggested edits on Vault use cases (#16502)

* Suggested edits on Vault use cases

* Remove redundant sentense

* Update website/content/docs/use-cases.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/use-cases.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/use-cases.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/use-cases.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/use-cases.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* fixed spelling error

* fixed subject-verb agreement

* added missing comma

* incorporate feedback

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2022-08-16 14:08:32 -07:00
mickael-hc 3e4f7db237
dev docs: clarify internal and external token helpers (#13014)
* dev docs: clarify internal and external token helpers

* Add docs for DefaultTokenHelper
2022-08-16 16:48:24 -04:00
Jakob Beckmann 21a10e09b6
fix bug with allowed_users_template and add allowed_domains_template for SSH role (#16056)
* impr(ssh): fix bug with allowed_users_template and add allowed_domains_template field in SSH role configuration, closes #10943

* chore: add changelog entry
2022-08-16 14:59:29 -05:00
Alexander Scheel dc4965f27d
Fix naming of permitted_dns_domains in webui (#16739)
* Fix naming of permitted_dns_domains in webui

PKI has consistently used permitted_dns_domains since it was originally
introduced as a parameter. However, it appears the Web UI was updated to
add this field, but used an incorrect internal identifier
(permittedDnsNames rather than permittedDnsDomains).

This triggers a warning from the backend about an unknown parameter, and
the domain restriction isn't added:

> Endpoint ignored these unrecognized parameters: [permitted_dns_names]

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-16 14:57:05 -05:00
jweissig 2cdfce9967
docs: Update required OpenShift version (#9738)
Helm 3 support was added in OpenShift 4.3 [1]. So, we might support 4.X but if we require Helm 3 then we need to start at 4.3. Just didn't want someone to try 4.0-4.2 and wonder why it wasn't working because Helm 3 isn't supported.

[1] https://www.openshift.com/blog/openshift-4-3-deploy-applications-with-helm-3
2022-08-16 15:45:06 -04:00
Eadinator 0424db473d
docs: k8s auth, differentiate between different identities in use (#9288) 2022-08-16 15:39:01 -04:00
Alexander Scheel 1e6730573c
Add proof possession revocation for PKI secrets engine (#16566)
* Allow Proof of Possession based revocation

Revocation by proof of possession ensures that we have a private key
matching the (provided or stored) certificate. This allows callers to
revoke certificate they own (as proven by holding the corresponding
private key), without having an admin create innumerable ACLs around
the serial_number parameter for every issuance/user.

We base this on Go TLS stack's verification of certificate<->key
matching, but extend it where applicable to ensure curves match, the
private key is indeed valid, and has the same structure as the
corresponding public key from the certificate.

This endpoint currently is authenticated, allowing operators to disable
the endpoint if it isn't desirable to use, via ACL policies.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify error message on ParseDERKey

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Leave revoke-with-key authenticated

After some discussion, given the potential for DoS (via submitting a lot
of keys/certs to validate, including invalid pairs), it seems best to
leave this as an authenticated endpoint. Presently in Vault, there's no
way to have an authenticated-but-unauthorized path (i.e., one which
bypasses ACL controls), so it is recommended (but not enforced) to make
this endpoint generally available by permissive ACL policies.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add API documentation on PoP

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add acceptance tests for Proof of Possession

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Exercise negative cases in PoP tests

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-16 14:01:26 -04:00
Chris van Meer d7da5da0f6
Removed the extra div around the radio button. (#16606) 2022-08-16 08:07:39 -05:00
Yoko Hyakuna 0926143363
Fix a typo -> 'authorised' should be 'authorized' (#16730) 2022-08-15 20:27:59 -07:00
akshya96 ba15b1f822
Remove extra empty lines from vault.log - Debug command (#16714)
* debug empty lines in vault.log

* minor grammar fix

* add changelog

* add fmt changes
2022-08-15 14:16:57 -07:00
Hridoy Roy 54444b9d2e
handle ssct errors in one other place (#16497) 2022-08-15 14:16:32 -07:00
Angel Garbarino 35af8d2626
UI/vault 7613/flaky test glimmerize confirm action (#16684)
* wip

* fix missing doc and therefor goose chase for what buttonClasses was

* glimmerize kmip role route which is the location of where the flaky test (some) are failing

* blah to un updated docs. Add a param, add to docs

* glimmerize header credential

* pr review changes

* fix super
2022-08-15 10:06:30 -06:00
Alexander Scheel b8cfb4dde5
Ignore EC PARAMETER blocks during issuer import (#16721)
* Ignore EC PARAMETER blocks during issuer import

While older versions of Vault supported sending this, we broke such
support in 1.11. Ignore them from the manage issuers endpoint (which is
aliased to the old /config/ca path) -- but keep erring in the import
keys paths. The latter is a new endpoint not aliased to anything and
only expects a single PEM block.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add regression test for EC PARAMs during import

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-15 08:59:10 -07:00
Alexander Scheel e388cfec64
Add BYOC-based revocation to PKI secrets engine (#16564)
* Refactor serial creation to common helper

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add BYOC revocation to PKI mount

This allows operators to revoke certificates via a PEM blob passed to
Vault. In particular, Vault verifies the signature on the certificate
from an existing issuer within the mount, ensuring that one indeed
issued this certificate. The certificate is then added to storage and
its serial submitted for revocation.

This allows certificates generated with no_store=true to be submitted
for revocation afterwards, given a full copy of the certificate. As a
consequence, all roles can now safely move to no_store=true (if desired
for performance) and revocation can be done on a case-by-case basis.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add docs on BYOC revocation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add PEM length check to BYOC import

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for BYOC

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Guard against legacy CA bundle usage

This prevents usage of the BYOC cert on a hybrid 1.10/1.12 cluster with
an non-upgraded CA issuer bundle.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-15 08:50:57 -05:00
Anton Averchenkov 6d45a421ff
Add a sentinel error for missing KV secrets (#16699) 2022-08-12 19:29:42 -04:00
Loann Le 67f2f4ea2d
vault documentation: doc cleanup effort-batch4 (#16711)
* cleanup effort

* modified text

* Update website/content/docs/internals/integrated-storage.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2022-08-12 15:39:58 -07:00
Stuart Purgavie d17a32bad3
Update internal-ui-mounts.mdx (#16399)
* Update internal-ui-mounts.mdx

For sys/internal/ui/mounts:
Make it clear that this endpoint is not only being leveraged on the Web UI, but is also leveraged in other places such as `command/kv_helpers.go` for example. Also update response to standard Vault API response JSON, not just `data` portion of response, and include options data present on KV v2 mounts.

For sys/internal/ui/mounts/:path:
Add initial version of this endpoint family.

* docs(website/content/api-docs/system/internal): backwards compatibility disclaimer

* realign MD table

* restrict response sample to data portion to be in line with other docs

* docs(website/content/api-docs/system/internal): ui/mounts calling mode notes
2022-08-12 11:10:56 -07:00
Steven Clark 29099f2ef9
Do not mask RSA verification misuse errors as verification failures (#16695)
- Found by @trishankatdatadog in PR #16549, we were masking errors
   coming out of the rsa verification calls as verfication errors and
   not returning when they were usage errors.
2022-08-12 13:53:25 -04:00
mallika-hc 9e340ed7f8
Update health.mdx (#16645)
* Update health.mdx

Added sample request and response for customizing the status code being returned from the sys/health endpoint

* Update website/content/api-docs/system/health.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-08-12 10:39:51 -07:00
mallika-hc 4c0ccf28ec
Update replication-dr.mdx (#16665)
Updated the Revoke DR Secondary token section with detail about from where the command needs to be run
2022-08-12 09:10:40 -07:00
Jason O'Donnell c97b982043
secret/database: fix bug where too many wal deletes are deferred (#16686)
* secret/database: fix bug where too many wal deletes are deferred

* changelog

* Update changelog/16686.txt

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2022-08-11 16:22:53 -04:00
claire labry eed4bdb050
add a note clarifying to leave website event in oss only (#16687) 2022-08-11 14:41:15 -05:00
John-Michael Faircloth bb58775bb5
secrets/auth: fix bug with aliased backends (#16673)
* secrets/auth: fix bug with aliased backends

* add changelog

* update changelog to include affected backends
2022-08-10 20:02:05 -05:00
Austin Gebauer 7bda58a1fd
secrets/db: update documentation on password policies (#16679) 2022-08-10 17:52:20 -07:00
Calvin Leung Huang 42de4a40b2
docs: update agent template certificate section (#16573)
* docs: update agent template certificate section

* extend template language section

* make recommendation to use pkiCert over secret
2022-08-10 19:38:56 -04:00
John-Michael Faircloth dd4fb82b5d
unit test: remove postgres dependecy from testing.go (#16675) 2022-08-10 17:01:24 -05:00
Tom Proctor 2d167b3427
Docs: Update Vault CSI Provider SecretProviderClass config options (#16506) 2022-08-10 21:30:20 +01:00
linda9379 5cd1a12178
UI Support for Okta Number Challenge (#15998)
* Imported uuid library for initial commit to push a clean branch.

* Removed import statement in auth-form file since it was causing UI tests to fail as the import was not being used.

* Added nonce field to payload for okta sign in. (#16001)

* Added nonce field to payload for okta sign in.

* Added missing yarn package for uuid

* Fixed failing ui tests in cluster-test file to take into account of nonce field in the payload of okta login

* Removed uuid library and used crypto.randomUUID() to generate unique uuid values instead

* Fixed indent in package.json

* Removed uuid library since decided to use crypto.randomUUID() instead to generate unique uuid values

* Create polling function for correct answer in okta number challenge (#16070)

* Implemented polling function to get correct answer for okta number challenge.

* Disabled polling function for testing as it was causing acceptance test to fail in auth-test.js

* Changed API call to be the auth mount path instead of being static and created a variable to store the oktaNumberChallengeAnswer to be used later for the display screens

* Create component for okta number challenge screen (#16195)

* Implemented loading screen and display screen for correct answer for Okta Number Challenge

* Fixed linting issues on hbs files

* Added periods to parameter descriptions and made parameters optional

* Removed optional parameters from calling AuthForm component if authMethod is not Okta

* Implement error handling and screens for okta number challenge (#16276)

* Implemented loading screen and display screen for correct answer for Okta Number Challenge

* Fixed linting issues on hbs files

* Temporary changes to include error screen in okta number challenge

* Created error screen tests and made minor fixes

* Fixed error for wrong parameter name being passed in

* Fixed linting issues causing ui tests to fail

* Added periods at the end of param descriptions

* Imported uuid library for initial commit to push a clean branch.

* Removed import statement in auth-form file since it was causing UI tests to fail as the import was not being used.

* Removed uuid library since decided to use crypto.randomUUID() instead to generate unique uuid values

* Added nonce field to payload for okta sign in. (#16001)

* Added nonce field to payload for okta sign in.

* Added missing yarn package for uuid

* Fixed failing ui tests in cluster-test file to take into account of nonce field in the payload of okta login

* Removed uuid library and used crypto.randomUUID() to generate unique uuid values instead

* Fixed indent in package.json

* Create polling function for correct answer in okta number challenge (#16070)

* Implemented polling function to get correct answer for okta number challenge.

* Disabled polling function for testing as it was causing acceptance test to fail in auth-test.js

* Changed API call to be the auth mount path instead of being static and created a variable to store the oktaNumberChallengeAnswer to be used later for the display screens

* Create component for okta number challenge screen (#16195)

* Implemented loading screen and display screen for correct answer for Okta Number Challenge

* Fixed linting issues on hbs files

* Added periods to parameter descriptions and made parameters optional

* Removed optional parameters from calling AuthForm component if authMethod is not Okta

* Implement error handling and screens for okta number challenge (#16276)

* Implemented loading screen and display screen for correct answer for Okta Number Challenge

* Fixed linting issues on hbs files

* Temporary changes to include error screen in okta number challenge

* Created error screen tests and made minor fixes

* Fixed error for wrong parameter name being passed in

* Fixed linting issues causing ui tests to fail

* Added periods at the end of param descriptions

* UI/vault 7312/fix vault enterprise error for okta number challenge (#16568)

* Fixed bug with okta not working when selecting okta tab after being on other tab

* Fixed vault enterprise errors

* Fixed error when logging in with Okta in 'Other' tab

* Removed namespace parameter in option to use the default

* Added changelog
2022-08-10 15:46:04 -04:00
Michele Degges 5c4b1cc4ac
[CI-only] Use pattern matching for release_branches (#16375)
Pattern matching was [recently added](https://github.com/hashicorp/crt-orchestrator/pull/51) so that teams no longer have to explicitly list every branch that should trigger the CRT pipeline. This simplifies release preparation- anytime a new release branch is created, it will produce releasable artifacts and exercise the full pipeline.
2022-08-10 11:25:10 -07:00
Christopher Swenson c7c9abff32
Update OSS workflow so not all issues get put in the UI board (#16666)
If we don't guard against pull_request being null, we do a lot of extra
checkout and path filtering, and it ends up putting everything in the UI
board.

I tested this in another repo, and it seems to behave correctly.
2022-08-10 08:53:45 -07:00
Violet Hynes 398d51bb3d
VAULT-6818 Docs for entity merge functionality (#16593)
* VAULT-6818 Docs for entity merge functionality

* VAULT-6818 Elaborate more on what happens to non-kept aliases
2022-08-10 09:10:10 -04:00
Violet Hynes 4850a3ff0e
VAULT-6818 - Restrict ability to merge entities with mount-accessor-conflicting aliases unless one is explicitly chosen to be kept (#16539)
* VAULT-6818 delete unmerged entity aliases instead of orphaning them

* VAULT-6818 Prevent merge with clashing aliases, allow for resolution of clashing entity aliases

* VAULT-6818 Small updates

* VAULT-6818 Restrict to only one clash merge at once

* VAULT-6818 changelog

* VAULT-6818 use strutil package instead of slices

* VAULT-6818 Update variable names for clarity

* VAULT-6818 Update test

* VAULT-6818 update error message

* VAULT-6818 Use helper method

* VAULT-6818 validate entityIds

* VAULT-6818 group imports better

* VAULT-6818 use change instead of bug

* VAULT-6818 use multierror instead of custom struct

* VAULT-6818 Use multierror properly

* VAULT-6818 Small refactor based on feedback
2022-08-10 09:10:02 -04:00
claire bontempo a1cef4a72a
UI/ fix tooltip submitting form (#16659)
* fix tooltip submitting form

* add changelog

* add changelog actually
2022-08-09 20:51:29 -07:00
Christopher Swenson 8b1a9da460
Update project auto-triage to use new token (#16660) 2022-08-09 19:29:39 -04:00
Loann Le 6d3cd5249e
modified wording (#16655) 2022-08-09 15:09:49 -07:00