* docs: correct auth jwt role requirements
* remove upgrade guide to be added in separate PR
* Revert "remove upgrade guide to be added in separate PR"
This reverts commit 6554d3ff63.
* update required details for bound audience
* Apply suggestions from code review
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* fix formatting to match the existing format of the file
* add 1.16 known issues
* add 1.17 upgrade guide note
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* docs: note vle is not supported with aws snapstart
* Update website/content/docs/platform/aws/lambda-extension.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Allow setting of Consul ServiceMeta tags from config file
probably a bad idea, let's see how it works
scaffold tests
* kick circleci
* Add links to consul docs
Co-authored-by: Violet Hynes <a.xenasis@gmail.com>
* add changelog note
* use relative developer docs links
* address feedback
* please linter
---------
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
* docs: document known issue sending sighup to ent standby node
* be more specific with cause of panic
* add partial to upgrade guides for 1.14, 1.15, 1.16
* Update cert metadata docs
- Add missing enterprise notices on parameters and titles
- Mention that the metadata parameter is a base64 encoded string
- Tweak the no_store_metadata description
- Update some entries within the PKI considerations page
* Add serial_number to read certificate metadata sample response
* Update fields sign-verbatim is affected by the specified role
* Point to the pricing page rather than the product page
* Empty-Commit
* Add 'appropriate' to the license statement
* Use the partial to mention about VE license
* Minor fix
* add newline
* Revert "add newline"
This reverts commit 64615cba08.
---------
Co-authored-by: Nels Andereck <nels.andereck@hashicorp.com>
* Document enabling config
* Fix nav data JSON after disabling over-zealous prettifier
* Address review feedback
* Add warning about reloading config during overload
* Bad metrics links
* Another bad link
* Add upgrade note about deprecation
---------
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
* PKI: Change sign-intermediate to truncate notAfter by default
- The PKI sign-intermediate API allowed an end-user to request a TTL
value that would extend beyond the signing issuer's notAfter. This would
generate an invalid CA chain when properly validated.
- We are now changing the default behavior to truncate the returned certificate
to the signing issuer's notAfter.
- End-users can get the old behavior by configuring the signing issuer's
leaf_not_after_behavior field to permit, and call sign-intermediate
with the new argument enforce_leaf_not_after_behavior to true. The
new argument could also be used to enforce an error instead of truncating
behavior if the signing issuer's leaf_not_after_behavior is set to err.
* Add cl
* Add cl and upgrade note
* Apply suggestions from code review
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
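The sign-intermediate change above (truncate by default, with permit/err selectable only when the caller sets enforce_leaf_not_after_behavior) is easy to reason about with a small model. The Go below is an added illustration written for this page, not code from the Vault repository: the type names, the function names and the sample dates are all constructed here, and the function mirrors only the decision logic the commit message describes.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// LeafNotAfterBehavior stands in for the issuer's leaf_not_after_behavior
// setting; the three values are the ones the commit message names.
type LeafNotAfterBehavior int

const (
	BehaviorErr      LeafNotAfterBehavior = iota // refuse to sign past the issuer's notAfter
	BehaviorTruncate                             // clamp to the issuer's notAfter
	BehaviorPermit                               // sign exactly what was requested
)

// ErrExceedsIssuer is returned when the issuer is set to err and enforcement is on.
var ErrExceedsIssuer = errors.New("requested notAfter exceeds the signing issuer's notAfter")

// EffectiveNotAfter computes the notAfter an intermediate would receive.
//
//	issuerNotAfter  the signing issuer's own notAfter
//	requested       the notAfter implied by the caller's requested TTL
//	behavior        the issuer's leaf_not_after_behavior
//	enforce         the request's enforce_leaf_not_after_behavior flag
//
// With enforce=false (the new default) a request beyond the issuer's notAfter is
// always truncated; only with enforce=true does the issuer's setting apply.
func EffectiveNotAfter(issuerNotAfter, requested time.Time, behavior LeafNotAfterBehavior, enforce bool) (time.Time, error) {
	if !requested.After(issuerNotAfter) {
		return requested, nil // within the issuer's lifetime: nothing to do
	}
	if !enforce {
		return issuerNotAfter, nil // default: truncate
	}
	switch behavior {
	case BehaviorPermit:
		return requested, nil // old behavior: an intermediate that outlives its issuer
	case BehaviorErr:
		return time.Time{}, ErrExceedsIssuer
	default:
		return issuerNotAfter, nil
	}
}

// ChainNotAfterConsistent checks what a strict validator checks: no certificate
// in the chain (leaf first, root last) may expire after the certificate that signed it.
func ChainNotAfterConsistent(chain []time.Time) bool {
	for i := 0; i+1 < len(chain); i++ {
		if chain[i].After(chain[i+1]) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample values, not taken from any real deployment.
	root := time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC)
	requested := root.Add(365 * 24 * time.Hour)

	truncated, _ := EffectiveNotAfter(root, requested, BehaviorPermit, false)
	permitted, _ := EffectiveNotAfter(root, requested, BehaviorPermit, true)
	_, err := EffectiveNotAfter(root, requested, BehaviorErr, true)

	fmt.Println("default (truncate):", truncated.Format(time.RFC3339), "chain ok:", ChainNotAfterConsistent([]time.Time{truncated, root}))
	fmt.Println("permit + enforce:  ", permitted.Format(time.RFC3339), "chain ok:", ChainNotAfterConsistent([]time.Time{permitted, root}))
	fmt.Println("err + enforce:     ", err)
}
```

The point of ChainNotAfterConsistent is the one the commit message makes: under the old default the permit path produces a chain that a strict validator rejects, which is why truncation became the default and permit now has to be requested explicitly on both the issuer and the call.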
* document known issue for azure secrets engine failing on role creation
* fix empty space
* remove new line
* add workaround
* remove space
---------
Co-authored-by: Tony Wittinger <anwittin@users.noreply.github.com>
* Add missing delegated_auth_accessors config field to /sys/mounts/<path> response
- The field hadn't been properly populated in the JSON struct being returned
through the API response, but had been properly set in the stored structs
in the backend.
- Add missing update to the command tune docs for the -delegated-auth-accessors
option that existed
- Add -delegated-auth-accessors to the secret enable vault command along with
a docs update
* Add cl
* Fix documentation, using a comma separated list does not work
* Apply suggestions from code review
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Drop plural on doc update
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Per customer request in support ticket #141025, I've updated the description of tls_disable_client_certs to provide clarification.
The previous PR for this change was approved but needed to be resubmitted because of problems with my GH account. See #26601.
* Update kmip.mdx
Added "performance standby" to the servers the KMIP client can connect to
---------
Co-authored-by: Peter Wilson <peter.wilson@hashicorp.com>
* Docs- Update info on key rotation
Added a sentence about needing to seal-rewrap if you want to disable or delete the old key.
* rectified the url for seal-rewrap
rectified the url for seal-rewrap
* fixed some grammar
* Update website/content/docs/configuration/seal/pkcs11.mdx
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
There was inconsistency in the capitalization of auto unseal in this doc. The initial heading had it right. It shouldn't be capitalized according to the documentation style guidance for feature capitalization. Also, high availability doesn't need to be capitalized.
Change warning to tag syntax so it's clear what should be part of the aside
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Added a note about seal-rewrap in the steps to perform seal migration post Vault 1.5.1
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Due to the reported issue under https://github.com/hashicorp/vault/pull/24441, we identified that there are users issuing step-down during the upgrade, which is unintended.
We modified the documentation to make it clear that step-down should not be attempted; in addition, we rephrased the sentence containing the word "step-down" and excluded that term to avoid confusion.
It's not immediately obvious that the demo policy needs to be created beforehand and does not exist if only the tutorial steps are followed. Prompted by support ticket ZD-143426.
* Initial drafting and deprecation info cleanup
* Adding more notes about deprecations and plans. (#26618)
* move deprecation notice to a partial for reuse elsewhere
* Add redirect for deleted FAQ
---------
Co-authored-by: Meggie <meggie@hashicorp.com>
* Replace 'HCP Vault' with 'HCP Vault Dedicated'
* Replace 'HCP Vault' with 'HCP Vault Dedicated' where applicable
* Replace 'Terraform Cloud' with 'HCP Terraform'
* Minor format fixes
* Update the side-nav title to 'HCP Terraform'
* Undo changes to Terraform Cloud secrets engine
Add image and tighten language around LTS maintenance vs standard maintenance
Replace "support" with "maintenance" in the image alt text
Apply feedback
Adds an agent injector example showing annotations for cross namespace
secret sharing.
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* first commit to move article from waf to vault docs
* Apply suggestions from code review
Co-authored-by: Brian Shumate <brianshumate@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Brian Shumate <brianshumate@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Brian Shumate <brianshumate@users.noreply.github.com>
* Update transform.mdx
Updated the description and moved image.
* updated resources
* passive voice fix
* passive voice fix
* Apply suggestions from code review
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
---------
Co-authored-by: Brian Shumate <brianshumate@users.noreply.github.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update documentation for namespace/mount entry size limit
* Clarify defaults
* Better wording for storage size partial that appears on different pages
* Active voice!
* No this
* Fix confusing terminology
* Add support for x_forwarded_for_client_cert_header
* add changelog entry
* add tests for badly and properly formatted certs
* both conditions should be true
* handle case where r.TLS is nil
* prepend client_certs to PeerCertificates list
* Add support for x_forwarded_for_client_cert_header
* add changelog entry
* add tests for badly and properly formatted certs
* both conditions should be true
* handle case where r.TLS is nil
* prepend client_certs to PeerCertificates list
* add option for decoders to handle different proxies
* Add support for x_forwarded_for_client_cert_header
* add changelog entry
* add tests for badly and properly formatted certs
* both conditions should be true
* handle case where r.TLS is nil
* prepend client_certs to PeerCertificates list
* add option for decoders to handle different proxies
* fix tests
* fix typo
---------
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Scott Miller <smiller@hashicorp.com>
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
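The x_forwarded_for_client_cert_header work above lists three behaviours worth seeing together: rejecting a badly formatted certificate, tolerating a request whose r.TLS is nil, and prepending the forwarded certificate to PeerCertificates. The Go below is an added example written for this page, not Vault's implementation: the header name, the URL-encoded-PEM encoding and the self-signed test certificate are all assumptions made here so the code runs offline. It also assumes the caller has already established that the request arrived from an authorized proxy; a forwarded certificate header from anywhere else must not be trusted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"net/url"
	"time"
)

// ForwardedCertHeader is a placeholder header name assumed for this example; in
// practice it is whatever the listener's x_forwarded_for_client_cert_header names.
const ForwardedCertHeader = "X-Forwarded-Client-Cert"

// DecodeURLPEMCert parses one certificate carried as a URL-encoded PEM block
// (an assumed encoding; a decoder for another proxy differs only here).
func DecodeURLPEMCert(value string) (*x509.Certificate, error) {
	raw, err := url.QueryUnescape(value)
	if err != nil {
		return nil, fmt.Errorf("forwarded cert is not URL-encoded: %w", err)
	}
	block, _ := pem.Decode([]byte(raw))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("forwarded cert is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("forwarded cert is not valid DER: %w", err)
	}
	return cert, nil
}

// PeerCertsWithForwarded returns the peer certificate list a handler should see:
// a well-formed forwarded certificate is prepended to what the TLS session itself
// presented, a malformed one is an error rather than silently ignored, and a
// request without TLS state (plain HTTP from the proxy) never dereferences nil.
func PeerCertsWithForwarded(r *http.Request) ([]*x509.Certificate, error) {
	var existing []*x509.Certificate
	if r.TLS != nil {
		existing = r.TLS.PeerCertificates
	}
	value := r.Header.Get(ForwardedCertHeader)
	if value == "" {
		return existing, nil
	}
	cert, err := DecodeURLPEMCert(value)
	if err != nil {
		return nil, err
	}
	return append([]*x509.Certificate{cert}, existing...), nil
}

// NewSelfSignedPEM builds a throwaway self-signed certificate so the example
// runs offline; it is constructed test data, not a real client certificate.
func NewSelfSignedPEM(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	pemBytes, err := NewSelfSignedPEM("client-a")
	if err != nil {
		panic(err)
	}
	// A request as a proxy would forward it: header carrying the client cert,
	// TLS session present but with no peer certificates of its own.
	r, _ := http.NewRequest("GET", "http://vault.example/v1/auth/cert/login", nil)
	r.TLS = &tls.ConnectionState{}
	r.Header.Set(ForwardedCertHeader, url.QueryEscape(string(pemBytes)))

	certs, err := PeerCertsWithForwarded(r)
	fmt.Println("well-formed:", err, len(certs), certs[0].Subject.CommonName)

	r.Header.Set(ForwardedCertHeader, "not a certificate")
	_, err = PeerCertsWithForwarded(r)
	fmt.Println("malformed:", err)
}
```

Returning an error for a malformed header, instead of falling back to the TLS peer list, is the conservative choice: a proxy that is configured to forward certificates but sends garbage is a misconfiguration that should surface, not quietly downgrade the request to "no client certificate".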
Adding a howto guide for enabling the encrypted Vault client cache
storage for helm and OperatorHub installs. Add more detail about
client caching to the main Vault source page, with a link to the
guide.
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Start import docs
* Use hideClipboard block on output
* Reorganize mappings and source docs
* Change experimental to alpha
* Change list tag to alpha
* Apply suggestions from code review
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Move secret write access conditions info to each destination page, reword index to match
* Add condition info for GCP
* Remove unrelated note copied from AWS
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Link to individual access control sections, rename section titles, make tip more specific
* Add image showing where to add IAM Conditions
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* starting on docs
* add docs for raft-wal
* some tweaks
* Apply suggestions from code review
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
* Edits for Raft WAL (#26123)
* not just one filename
* update file pattern for wal files
---------
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
This adds a short doc describing the basic process
of adding event notifications to a plugin as well
as some examples and best practices.
Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
* Add a configuration flag for enabling multiseal (Seal HA), CE side
* imports
* no quotes
* get rid of dep on ent config
* Abstract enableMultiSeal for a build time switch
* license headers
* wip
* gate physical seal gen fetch by a param
* docs tweak, remove core flag
* updates from the ent pr
* update stub
* update test fixtures for enable_multiseal
* use accessor
* add a test fixture for non-multiseal diagnose
* remove debugging crutch
* Do handle phys seal gen info even if multiseal is off, in order to facilitate enable/disable safeties
* more enabled flag handling
* Accept seal gen info if we were previously disabled, and persist it
* update unit test
* Validation happens postUnseal, so this test is invalid
* Don't continue setting conf if seal loading fails during SIGHUP
* Update website/content/docs/configuration/seal/seal-ha.mdx
Thanks, that does sound much clearer
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* use validation if previous gen was enabled
* unit test update
* stub SetMultisealEnabled
* bring over more changes from ent
* this was an unfix
---------
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Changed the wording of "For integrated storage users, Vault needs to be upgraded to 1.13 will enable this feature by default." to be more clear and concise to "For integrated storage users, upgrading Vault to 1.13 will enable this feature by default."
Use vault auth enable instead of vault write, because I think it is more appropriate or the "new way"
Co-authored-by: Marc Boudreau <marc.boudreau@hashicorp.com>
* Update index.mdx
The link (https://developer.hashicorp.com/vault/docs/proxy/index) in this page https://developer.hashicorp.com/vault/docs/deprecation does not point anywhere
* Use relative link
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
---------
Co-authored-by: Jose Merchan <jose.merchan@hashicorp.com>
Co-authored-by: Violet Hynes <a.xenasis@gmail.com>
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* Update migration-guide.mdx
Add a note about lazy vs automatic
* Apply suggestions from code review
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Provide example in note
Thought it might be useful to have an example of when the difference in behaviour is an issue
* Update website/content/docs/secrets/ad/migration-guide.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* allows use of pre-hashed passwords with userpass backend
* Remove unneeded error
* Single error check after switch
* use param name quoted in error message
* updated test for quoted param in error
* white space fixes for markdown doc
* More whitespace fixes
* added changelog
* Password/pre-hashed password are only required on 'create' operation
* docs indentation
* Update website/content/docs/auth/userpass.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Updated docs
* Check length of hash too
* Update builtin/credential/userpass/path_user_password_test.go
:)
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
* PKI EST docs
Initial draft of the PKI EST setup and API docs for feedback
* Add missing enable_sentinel_parsing param to API docs
* Update grammar
* Some API doc feedback
* Note about dedicated auth mounts
* Additional PR feedback
---------
Co-authored-by: Scott G. Miller <smiller@hashicorp.com>
* Do not refresh seal-wrapped values when there are unhealthy seals.
Modify Access.IsUpToDate() to consider entries as being up-to-date when one or
more encryption wrappers fail to encrypt the test value, since re-wrapping the
value would result in the loss of the ciphertext for the unhealthy wrappers.
In addition, make Access.IsUpToDate() return true if the key set ID has not been
populated and the caller has not forced key ID refresh.
Make Access.Encrypt() return an error for any encryption wrapper that is skipped
due to being unhealthy.
* Update Seal HA documentation.
Mention that the barrier key and the recovery keys cannot be rotated while there
are unhealthy seals.
Document environment variable VAULT_SEAL_REWRAP_SAFETY.
Also describes how to customize an operator install from OperatorHub
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Extra information about how to escape an @ as the first char in a kv value
* Update website/content/docs/commands/index.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Add note around OCSP GET request issue
- Fix some broken TOC links
- Add a note in the api-docs and in the considerations page
around Vault having issues with OCSP GET requests and that
POST requests should be preferred.
- Add existing known issue to all branches that are affected.
* Fix links to partial file for 1.12 and 1.13 upgrade docs
* update proxy auto-auth
recommend 1 proxy per application when using auto-auth
* Update website/content/docs/agent-and-proxy/proxy/apiproxy.mdx
* Update website/content/docs/agent-and-proxy/proxy/apiproxy.mdx
* add feedback from @violethynes
cannot commit the suggestions due to them being marked as "outdated"
* Make the encryption tracking persistence timeout configurable via env
* docs
* changelog
* Update vault/barrier_aes_gcm.go
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* use ParseDurationSecond
---------
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
This removes the WebSockets endpoint for events
(which will be moved to the Enterprise repo) and
disables tests that rely on it unless they are
running in Enterprise.
It also updates documentation to document that
events are only available in Vault Enterprise.
* + added docs on how to grant & restrict access
* Update website/content/docs/sync/index.mdx
* + added small precision on where Vault's responsibility ends
* Update website/content/docs/sync/index.mdx
Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>
---------
Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>
* document known issue to release notes and upgrade guide for 1.16.0
* add link to new pages in docs-nav-data.json
* Update website/content/docs/release-notes/1.16.0.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/partials/known-issues/1_16-default-policy-needs-to-be-updated.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/partials/known-issues/1_16-default-policy-needs-to-be-updated.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/partials/known-issues/1_16-default-policy-needs-to-be-updated.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/partials/known-issues/1_16-default-policy-needs-to-be-updated.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/partials/known-issues/1_16-default-policy-needs-to-be-updated.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* use active voice
* changing the affected version
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* prevent deadlock
* rollbacks not done for sync invalidate
* add check for the path before deleting
* revert sync invalidation doesn't do rollbacks
* add known issue
* changelog
* fix formatting issue
The large paragraph is hard to read and it's easy to miss crucial details around when membership in an external group will be updated.
Membership isn't updated when the configuration of the external group is changed, which can be counterintuitive.