* Track the last PKI auto-tidy time ran for use across nodes
- If the interval time for auto-tidy is longer than, say, a regularly
scheduled restart of Vault, auto-tidy is never run. This is because
the time of the last tidy run is only kept in memory and
initialized on startup to the current time.
- Store the last run of any tidy, to maintain previous behavior, in
a cluster-local file, which is read in/initialized upon mount
initialization.
* Add auto-tidy configuration fields for backing off at startup
* Add new auto-tidy fields to UI
* Update api docs for auto-tidy
* Add cl
* Update field description text
* Apply Claire's suggestions from code review
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Implementing PR feedback from the UI team
* remove explicit defaults and types so we retrieve from backend, decouple enabling auto tidy from duration, move params to auto settings section
---------
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
Co-authored-by: claire bontempo <cbontempo@hashicorp.com>
* Make reception of an empty valid principals configurable based on a role flag.
Adds allow_empty_principals, which if true allows valid_principals on credential generation calls
to be empty.
* changelog
* Allow empty principals on unrelated unit test
* whitespace
* CMPv2 Documentation, and restructuring of Issuance Protocols into its own section for PKI.
* title
* CMPv2 API
* Add default path policy
* Update website/content/docs/secrets/pki/cmpv2.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/docs/secrets/pki/cmpv2.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/docs/secrets/pki/cmpv2.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/docs/secrets/pki/cmpv2.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* respond to some PR feedback
* pr feedback
* Fix nav and add key_usage
* Update website/content/docs/secrets/pki/cmpv2.mdx
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Update website/content/docs/secrets/pki/cmpv2.mdx
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Update website/content/api-docs/secret/pki/issuance.mdx
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Docs fixes
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* add usePrivateIP params to determine if to use private ip dial option
Signed-off-by: aviv guiser <avivguiser@gmail.com>
* fix the connection_producer.go in mysql plugin
Signed-off-by: aviv guiser <avivguiser@gmail.com>
* Update sdk/database/helper/connutil/sql.go
Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>
---------
Signed-off-by: aviv guiser <avivguiser@gmail.com>
Signed-off-by: AvivGuiser <aviv.guiser@placer.ai>
Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>
* Update cert metadata docs
- Add missing enterprise notices on parameters and titles
- Mention that the metadata parameter is a base64 encoded string
- Tweak the no_store_metadata description
- Update some entries within the PKI considerations page
* Add serial_number to read certificate metadata sample response
* Update fields sign-verbatim is affected by the specified role
* add note around CRL rotation not occuring on revoke if auto_rebuild is enabled
A note to clarify that revocation will not trigger a rotation of the CRL if auto_rebuild of the CRL is set to true/enabled.
* fix links
* Update pki.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update pki.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* PKI: Change sign-intermediate to truncate notAfter by default
- The PKI sign-intermediate API allowed an end-user to request a TTL
value that would extend beyond the signing issuer's notAfter. This would
generate an invalid CA chain when properly validated.
- We are now changing the default behavior to truncate the returned certificate
to the signing issuer's notAfter.
- End-users can get the old behavior by configuring the signing issuer's
leaf_not_after_behavior field to permit, and calling sign-intermediate
with the new argument enforce_leaf_not_after_behavior set to true. The
new argument can also be used to enforce an error instead of the truncating
behavior if the signing issuer's leaf_not_after_behavior is set to err.
* Add cl
* Add cl and upgrade note
* Apply suggestions from code review
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Document tokenization DELETE
* typo
* Update website/content/api-docs/secret/transform.mdx
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
---------
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Docs: New parameter for the K8s Secrets roles
* Fix: Apply text correction from review
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Co-authored-by: Peter Wilson <peter.wilson@hashicorp.com>
* PKI EST docs
Initial draft of the PKI EST setup and API docs for feedback
* Add missing enable_sentinel_parsing param to API docs
* Update grammar
* Some API doc feedback
* Note about dedicated auth mounts
* Additional PR feedback
---------
Co-authored-by: Scott G. Miller <smiller@hashicorp.com>
* Add note around OCSP GET request issue
- Fix some broken TOC links
- Add a note in the api-docs and in the considerations page
around Vault having issues with OCSP GET requests and that
POST requests should be preferred.
- Add existing known issue to all branches that are affected.
* Fix links to partial file for 1.12 and 1.13 upgrade docs
- Noticed that our documentation was out of date: we allow 8192-bit
RSA keys to be used as an argument to the various PKI
issuer/key creation APIs.
- Augment some unit tests to verify this continues to work