* Document enabling config
* Fix nav data JSON after disabling over-zealous prettifier
* Address review feedback
* Add warning about reloading config during overload
* Bad metrics links
* Another bad link
* Add upgrade note about deprecation
---------
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
Per customer request in support ticket #141025, I've updated the description of tls_disable_client_certs to provide clarification.
Previous PR for this change was approved but needed to be resubmitted because of problems with my GH account. See #26601
* Docs- Update info on key rotation
Added a sentence about needing to seal-rewrap if you want to disable or delete the old key.
* rectified the url for seal-rewrap
* fixed some grammar
* Update website/content/docs/configuration/seal/pkcs11.mdx
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Replace 'HCP Vault' with 'HCP Vault Dedicated'
* Replace 'HCP Vault' with 'HCP Vault Dedicated' where applicable
* Replace 'Terraform Cloud' with 'HCP Terraform'
* Minor format fixes
* Update the side-nav title to 'HCP Terraform'
* Undo changes to Terraform Cloud secrets engine
* Update documentation for namespace/mount entry size limit
* Clarify defaults
* Better wording for storage size partial that appears on different pages
* Active voice!
* No this
* Fix confusing terminology
* Add support for x_forwarded_for_client_cert_header
* add changelog entry
* add tests for badly and properly formatted certs
* both conditions should be true
* handle case where r.TLS is nil
* prepend client_certs to PeerCertificates list
* add option for decoders to handle different proxies
* fix tests
* fix typo
---------
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Scott Miller <smiller@hashicorp.com>
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
* starting on docs
* add docs for raft-wal
* some tweaks
* Apply suggestions from code review
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
* Edits for Raft WAL (#26123)
* not just one filename
* update file pattern for wal files
---------
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Add a configuration flag for enabling multiseal (Seal HA), CE side
* imports
* no quotes
* get rid of dep on ent config
* Abstract enableMultiSeal for a build time switch
* license headers
* wip
* gate physical seal gen fetch by a param
* docs tweak, remove core flag
* updates from the ent pr
* update stub
* update test fixtures for enable_multiseal
* use accessor
* add a test fixture for non-multiseal diagnose
* remove debugging crutch
* Do handle phys seal gen info even if multiseal is off, in order to facilitate enable/disable safeties
* more enabled flag handling
* Accept seal gen info if we were previously disabled, and persist it
* update unit test
* Validation happens postUnseal, so this test is invalid
* Don't continue setting conf if seal loading fails during SIGHUP
* Update website/content/docs/configuration/seal/seal-ha.mdx
Thanks, that does sound much clearer
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* use validation if previous gen was enabled
* unit test update
* stub SetMultisealEnabled
* bring over more changes from ent
* this was an unfix
---------
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* Do not refresh seal-wrapped values when there are unhealthy seals.
Modify Access.IsUpToDate() to consider entries as being up-to-date when one or
more encryption wrappers fail to encrypt the test value, since re-wrapping the
value would result in the loss of the ciphertext for the unhealthy wrappers.
In addition, make Access.IsUpToDate() return true if the key set ID has not been
populated and the caller has not forced key ID refresh.
Make Access.Encrypt() return an error for any encryption wrapper that is skipped
due to being unhealthy.
* Update Seal HA documentation.
Mention that the barrier key and the recovery keys cannot be rotated while there
are unhealthy seals.
Document environment variable VAULT_SEAL_REWRAP_SAFETY.
* Seal HA documentation updates
* anchor
* rel link
* remove beta
* try again on internal link
* still trying to get this internal redirect to work
* try without path
* docs(web repl): add initial docs about the UI REPL
* feature(repl): add link to the new docs in the REPL
* chore(repl): Web CLI or Browser CLI -> Web REPL
* Use Hds::Link::Inline instead of DocLink
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Update ui/app/templates/components/console/ui-panel.hbs
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Update website/content/docs/commands/web.mdx
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Update website/content/docs/commands/web.mdx
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Fix typos and update phrasing.
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* docs(web repl): add a reference to the repl docs on the ui config page
* Update KV version 2 reference
Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>
* fix linting
---------
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>
* server: fix bug where deadlock detection was on for expiration and quotas
* trim spaces
* Add tests
* Use trimspace and lower
* Update test
* changelog
* fix config parsing
* CI: Pre-emptively delete logs dir after cache restore in test-collect-reports (#23600)
* Fix OktaNumberChallenge (#23565)
* remove arg
* changelog
* exclude changelog in verifying doc/ui PRs (#23601)
* Audit: eventlogger sink node reopen on SIGHUP (#23598)
* ensure nodes are asked to reload audit files on SIGHUP
* added changelog
* Capture errors emitted from all nodes during processing of audit pipelines (#23582)
* Update security-scan.yml
* Listeners: Redaction only for TCP (#23592)
* redaction should only work for TCP listeners, also fix bug that allowed custom response headers for unix listeners
* fix failing test
* updates from PR feedback
* fix panic when unlocking unlocked user (#23611)
* VAULT-18307: update rotation period for aws static roles on update (#23528)
* add disable_replication_status_endpoints tcp listener config parameter
* add wrapping handler for disabled replication status endpoints setting
* adapt disable_replication_status_endpoints configuration parsing code to refactored parsing code
* refactor configuration parsing code to facilitate testing
* fix a panic when parsing configuration
* update refactored configuration parsing code
* fix merge corruption
* add changelog file
* document new TCP listener configuration parameter
* make sure disable_replication_status_endpoints only has effect on TCP listeners
* use active voice for explanation of disable_replication_status_endpoints
* fix minor merge issue
---------
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
Co-authored-by: Angel Garbarino <Monkeychip@users.noreply.github.com>
Co-authored-by: Hamid Ghaf <83242695+hghaf099@users.noreply.github.com>
Co-authored-by: Peter Wilson <peter.wilson@hashicorp.com>
Co-authored-by: Mark Collao <106274486+mcollao-hc@users.noreply.github.com>
Co-authored-by: davidadeleon <56207066+davidadeleon@users.noreply.github.com>
Co-authored-by: kpcraig <3031348+kpcraig@users.noreply.github.com>
* wip
* Initial draft of Seal HA docs
* nav data
* Fix env var name
* title
* Note partially wrapped values and disabled seal participation
* Update website/data/docs-nav-data.json
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* correct initial upgrade limitation
* Add note about shamir seals and migration
* fix nav json
* snapshot note
* availability note
* seal-backend-status
* Add a couple more clarifying statements
* header typo
* correct initial upgrade wording
* Update website/content/docs/configuration/seal/seal-ha.mdx
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Update website/content/docs/concepts/seal.mdx
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
---------
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Add note to outline correspondence with Consul config
Calling out corresponding parameter for Vault's integrated storage `max_entry_size` with Consul's `kv_max_value_size`.
* Update website/content/docs/configuration/storage/raft.mdx
---------
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
* Chroot Listener Docs
* Update website/content/docs/configuration/listener/tcp.mdx
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* Update website/content/docs/configuration/listener/tcp.mdx
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
Update website/content/docs/configuration/listener/tcp.mdx
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
Added a statement on what happens when namespace does not exist
* Information on what will happen if a namespace is provided through the CLI or the header
* Changed from specified value to default value
* Edit typo
* Edited docs with clarification on appending
* Edited docs
* Update website/content/docs/configuration/listener/tcp.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
---------
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* best-practice: prom format by header
* move config related doc closer to config example
---------
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
* updated the clarification note for performance_multiplier
* Put some original text related to performance_multiplier back.
* Update website/content/docs/configuration/storage/raft.mdx
Force committing TW suggestions as PR appears abandoned
* Update website/content/docs/configuration/storage/raft.mdx
Force committing TW suggestions as PR appears abandoned
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* When support for service tags was added, the only way we had to parse
and dedup a list of strings also forced them to be lowercase. Now there's
another helper func that doesn't smash the case so use that instead.
* update Consul 'service_tag' documentation to include case sensitivity
* added upgrade guide for 1.15
* test for service tags
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
Co-authored-by: Peter Wilson <peter.wilson@hashicorp.com>