* Seal HA documentation updates
* anchor
* rel link
* remove beta
* try again on internal link
* still trying to get this internal redirect to work
* try without path
* VAULT-21427 change ui references from K/V to KV
* references in docs/
* website json data
* go command errors
* replace Key/Value with Key Value
* add changelog
* update test
* update secret list header badge
* two more test updates
* wip
* Initial draft of Seal HA docs
* nav data
* Fix env var name
* title
* Note partially wrapped values and disabled seal participation
* Update website/data/docs-nav-data.json
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* correct initial upgrade limitation
* Add note about shamir seals and migration
* fix nav json
* snapshot note
* availability note
* seal-backend-status
* Add a couple more clarifying statements
* header typo
* correct initial upgrade wording
* Update website/content/docs/configuration/seal/seal-ha.mdx
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Update website/content/docs/concepts/seal.mdx
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
---------
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Add `subscribe` capability to policies
... and `subscribe_event_types` to the policy body.
These are not currently enforced in the events system (as that
will require populating the full secrets path in the event).
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* Clarify Tokens use and structure recommendation
* Update website/content/docs/concepts/tokens.mdx
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Fix sudo paths missing from OpenAPI and docs
Various sudo (a.k.a. root-protected) paths are implemented in
non-standard ways, and as a result:
* are not declared as x-vault-sudo in the OpenAPI spec
* and as a result of that, are not included in the hardcoded patterns
powering the Vault CLI `-output-policy` flag
* and in some cases are missing from the table of all sudo paths in the
docs too
Fix these problems by:
* Adding `seal` and `step-down` to the list of root paths for the system
backend. They don't need to be there for enforcement, as those two
special endpoints bypass the standard request handling code, but they
do need to be there for the OpenAPI generator to be able to know they
require sudo.
The way in which those two endpoints do things differently can be
observed in the code search results for `RootPrivsRequired`:
https://github.com/search?q=repo%3Ahashicorp%2Fvault%20RootPrivsRequired&type=code
* Fix the implementation of `auth/token/revoke-orphan` to implement
endpoint sudo requirements in the standard way. Currently, it has an
**incorrect** path declared in the special paths metadata, and then
compensates with custom code throwing an error within the request
handler function itself.
* changelog
* As discussed in PR, delete test which is just testing equality of a constant
* Restore sudo check as requested, and add comment
* Update vault/token_store.go
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
---------
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* VAULT-15546 First pass at Vault Proxy docs
* VAULT-15546 correct errors
* VAULT-15546 fully qualify paths
* VAULT-15546 remove index
* VAULT-15546 Some typos and clean up
* VAULT-15546 fix link
* VAULT-15546 Add redirects so old links stay working
* VAULT-15546 more explicit redirects
* VAULT-15546 typo fixes
* Suggestions for Vault Agent & Vault Proxy docs (#20612)
* Rename 'agentandproxy' to 'agent-and-proxy' for better URL
* Update the index pages for each section
* VAULT-15546 fix link typo
---------
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
* Add a stronger warning about the usage of recovery keys
* Update website/content/docs/concepts/seal.mdx
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* Keep the mitigation text in the warning box
---------
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
This article seems to use the terms "shares" and "shards" interchangeably to describe the parts in which the secret is split under SSS.
While both seem to be correct, sticking to one term would save a newbie reader (like myself) the confusion.
Since the Wikipedia article that's linked in this article only mentions "shares" and the CLI flags (for recovery keys) also use `-shares`, I opted for that.
Since 1.9 k8s auth method supports setting Name reported by auth method to Service Account name which is not reflected in this doc
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
