mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-17 12:07:02 +02:00
8ea8598b63
* Allow tidy to backup legacy CA bundles
With the new tidy_move_legacy_ca_bundle option, we'll use tidy to move
the legacy CA bundle from /config/ca_bundle to /config/ca_bundle.bak.
This does two things:
1. Removes ca_bundle from the hot-path of initialization after initial
migration has completed. Because this entry is seal wrapped, this
may result in performance improvements.
2. Allows recovery of this value in the event of some other failure
with migration.
Notably, this cannot occur during migration in the unlikely (and largely
unsupported) case that the operator immediately downgrades to Vault
<1.11.x. Thus, we reuse issuer_safety_buffer; while potentially long,
tidy can always be run manually with a shorter buffer (and only this
flag) to manually move the bundle if necessary.
In the event of needing to recover or undo this operation, it is
sufficient to use sys/raw to read the backed up value and subsequently
write it to its old path (/config/ca_bundle).
The new entry remains seal wrapped, but otherwise isn't used within the
code and so has better performance characteristics.
Performing a fat deletion (DELETE /root) will again remove the backup
like the old legacy bundle, preserving its wipe characteristics.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add documentation about new tidy parameter
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tests for migration scenarios
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clean up time comparisons
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
|
||
|---|---|---|
| .. | ||
| databases | ||
| identity | ||
| key-management | ||
| kv | ||
| ad.mdx | ||
| alicloud.mdx | ||
| aws.mdx | ||
| azure.mdx | ||
| cassandra.mdx | ||
| consul.mdx | ||
| cubbyhole.mdx | ||
| gcp.mdx | ||
| gcpkms.mdx | ||
| index.mdx | ||
| kmip.mdx | ||
| kubernetes.mdx | ||
| ldap.mdx | ||
| mongodbatlas.mdx | ||
| nomad.mdx | ||
| pki.mdx | ||
| rabbitmq.mdx | ||
| ssh.mdx | ||
| terraform.mdx | ||
| totp.mdx | ||
| transform.mdx | ||
| transit.mdx | ||