open-vault/website/content/api-docs/secret
Alexander Scheel 5a2ee4ca7a
Add automatic tidy of expired issuers (#17823)
* Add automatic tidy of expired issuers

To aid PKI users like Consul, which periodically rotate intermediates,
and provide a little more consistency with older versions of Vault
which would silently (and dangerously!) replace the configured CA on
root/intermediate generation, we introduce an automatic tidy of expired
issuers.

This includes a longer safety buffer (1 year) and logging of the
relevant issuer information prior to deletion (certificate contents, key
ID, and issuer ID/name) to allow admins to recover this value if
desired, or perform further cleanup of keys.

From my PoV, removal of the issuer is thus a relatively safe operation
compared to keys (which I do not feel comfortable removing) as they can
always be re-imported if desired. Additionally, this is an opt-in tidy
operation, not enabled by default. Lastly, most major performance
penalties come with lots of issuers within the mount, not as much with
large numbers of keys (as only new issuer creation/import operations are
affected, unlike LIST /issuers which is a public, unauthenticated
endpoint).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test for tidy

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add docs on tidy of issuers

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Restructure logging

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing fields to expected tidy output

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-10 10:53:26 -05:00
databases website: fixes redirected links (#17574) 2022-10-18 14:06:27 -04:00
identity website: content updates for developer (#17035) 2022-09-22 08:11:04 -07:00
key-management Fix missing quote in docs (#14277) 2022-02-25 09:02:08 -08:00
kv Fix a broken link (#17644) 2022-10-24 17:09:33 -07:00
ad.mdx VAULT-6091 Document Duration Format String (#15920) 2022-06-13 08:51:07 -04:00
alicloud.mdx feat(website): migrates nav data format and updates docs pages (#11242) 2021-04-06 13:49:04 -04:00
aws.mdx Docs: API AWS Secrets Formatting (#16797) 2022-08-25 15:11:56 -07:00
azure.mdx website: fixes redirected links (#17574) 2022-10-18 14:06:27 -04:00
cassandra.mdx website: content updates for developer (#17035) 2022-09-22 08:11:04 -07:00
consul.mdx website: fixes redirected links (#17574) 2022-10-18 14:06:27 -04:00
cubbyhole.mdx Replace docs references to PUT with POST (#14270) 2022-02-25 06:52:24 -08:00
gcp.mdx website: fixes redirected links (#17574) 2022-10-18 14:06:27 -04:00
gcpkms.mdx feat(website): migrates nav data format and updates docs pages (#11242) 2021-04-06 13:49:04 -04:00
index.mdx feat(website): migrates nav data format and updates docs pages (#11242) 2021-04-06 13:49:04 -04:00
kmip.mdx Add new KMIP backend operation parameters to API documentation. (#16107) 2022-06-22 13:28:03 -04:00
kubernetes.mdx [Kubernetes Secret Engine]: Role namespace configuration possible via LabelSelector (#16240) 2022-07-19 13:11:45 -05:00
ldap.mdx secrets/ldap: updates API documentation (#17448) 2022-10-07 08:50:37 -05:00
mongodbatlas.mdx secrets/mongodbatlas: adds missing organization_id to API docs (#15624) 2022-05-26 08:08:29 -07:00
nomad.mdx website: content updates for developer (#17035) 2022-09-22 08:11:04 -07:00
pki.mdx Add automatic tidy of expired issuers (#17823) 2022-11-10 10:53:26 -05:00
rabbitmq.mdx RabbitMQ - Add username customization (#11899) 2021-06-22 14:50:46 -05:00
ssh.mdx Clarify ssh/public_key response, recommend -format=raw (#17745) 2022-10-31 11:14:49 -04:00
terraform.mdx website: content updates for developer (#17035) 2022-09-22 08:11:04 -07:00
totp.mdx Rename master key -> root key in docs (#14542) 2022-03-16 22:01:38 -07:00
transform.mdx Document the deletion_allowed transform flag (#17544) 2022-10-13 16:31:07 -05:00
transit.mdx docs: in transit secret engine docs, specify order with batch_input param (#17770) 2022-11-03 08:50:47 -05:00