This pulls in a logic change in the autopilot library that helps us to avoid increasing the quorum when reconciling in the presence of an unhealthy voter, when the overall number of voters is odd.
* Allow a Vault operator to list, read and update PKI ACME accounts
  - This allows an operator to list the ACME account key ids, read
    the ACME account getting all the various information along with
    the account's associated orders and update the ACME account's
    status to either valid or revoked
* Add tests for new ACME management APIs
* Update PKI api-docs
* Add cl
* Add missing error handling and a few more test assertions
* PR feedback
* Fix Note tags within the website
* Apply suggestions from docscode review
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/api-docs/secret/pki/issuance.mdx
* Update website/content/api-docs/secret/pki/issuance.mdx
* Update website/content/api-docs/secret/pki/issuance.mdx
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* More CE changes for hybrid wireup
* remove unused func
* undo reintroduction of loss of omitempty
* Add ent hooks and handle unsupported keys correctly
* tidy import
* Fix ent encode test logic
* CE side changes to key policy engine for ML-DSA/Hybrid support
* fix ce mismatch for verify
* restore omitempty
* unnecessary
* Perform code reuse of ed25519 validation differently
* make parts of export testing ent only
* license
* add open api params
* support pki name constraints
* fix conditional
* revert helptextwsubtext
* fix typo
* add name constraints to sign intermediate form
* add changelog
* update test
Sort CA chain into root and intermediates on VerifyCertificate.
In order for the Certificate.Verify method to work correctly, the certificates
in the CA chain need to be sorted into separate root and intermediate
certificate pools.
Add unit tests to verify that name constraints in both the root and intermediate
certificates are checked.
Support all fields of the name constraints extension when generating CA certs.
The PKI secrets engine only provided parameter permitted_dns_domains to create
the name constraints extension when generating CA certificates.
Add the following parameters to provide full support for the extension:
* permitted_email_addresses
* permitted_ip_ranges
* permitted_uri_domains
* excluded_dns_domains
* excluded_email_addresses
* excluded_ip_ranges
* excluded_uri_domains
Specifying any combination of these parameters will trigger the creation of the
name constraints extension as per RFC 5280 section 4.2.1.10.
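The pool sorting and name-constraint checks described in the commit message above, as an added Go example (not Vault's code and not part of the original commits). The names `issue`, `SortChain` and `VerifyLeaf` are hypothetical, the CA hierarchy and domain names are constructed, and only the standard `crypto/x509` package is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue (hypothetical helper) signs tmpl with the parent's key; a nil parent yields a self-signed root.
func issue(cn string, tmpl, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl.SerialNumber, tmpl.Subject = big.NewInt(time.Now().UnixNano()), pkix.Name{CommonName: cn}
	tmpl.NotBefore, tmpl.NotAfter, tmpl.BasicConstraintsValid = time.Now().Add(-time.Hour), time.Now().Add(time.Hour), true
	if parent == nil {
		parent, pk = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// SortChain puts self-signed certificates into Roots and all others into Intermediates.
func SortChain(chain []*x509.Certificate) x509.VerifyOptions {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	for _, c := range chain {
		if c.CheckSignatureFrom(c) == nil { // signature verifies under its own key
			opts.Roots.AddCert(c)
		} else {
			opts.Intermediates.AddCert(c)
		}
	}
	return opts
}

// VerifyLeaf issues a leaf for dnsName under a constructed root and intermediate, then verifies it.
func VerifyLeaf(dnsName string) error {
	root, rk := issue("root", &x509.Certificate{IsCA: true, PermittedDNSDomainsCritical: true, PermittedDNSDomains: []string{"example.com"}}, nil, nil)
	inter, ik := issue("inter", &x509.Certificate{IsCA: true, PermittedDNSDomainsCritical: true, ExcludedDNSDomains: []string{"blocked.example.com"}}, root, rk)
	leaf, _ := issue("leaf", &x509.Certificate{DNSNames: []string{dnsName}}, inter, ik)
	_, err := leaf.Verify(SortChain([]*x509.Certificate{inter, root})) // chain arrives unsorted
	return err
}
func main() { fmt.Println(VerifyLeaf("x.blocked.example.com")) }
```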
* [VAULT-19467] Vault UI Breadcrumb Title Case
* should use Title Case
* update changelog
* rename changelog
* update tests
* more test updates
* update tests
---------
Co-authored-by: Tony Wittinger <anwittin@users.noreply.github.com>
Various different CI jobs need Go modules in order to build or test
Vault. To speed this up in CI we cache them in GitHub Actions.
The caching requires downloading all modules first in order to upload
them to the actions cache, which is performed by calling the
`go-mod-download` Make target. This target will iterate over the
directory tree and download Go modules in all directories that include
a `go.mod` file.
There are two small problems with this approach that we resolved with
this PR:
* Our `go-mod-download` target would download modules for all
`go.mod`'s present in the directory tree, regardless of whether or not
they are required to build or test Vault. Only downloading those
required results in slightly smaller caches.
* `tools/pipeline` is intentionally a separate Go module so as to not
require its modules in order to build Vault, however, our
`go-mod-download` downloading all modules requires the workflow
environment to include auth credentials for internal modules. If a
community contributed PR modifies a `go.mod`, which in turn requires
a new cache, the PR will always fail because it cannot download
modules that require secrets.
Now we avoid installing our `tools/pipeline` modules when generating our
module cache which should allow community contributed PRs to execute
build and Go tests, while skipping enos workflows which already required
secrets and were thus skipped.
Signed-off-by: Ryan Cragun <me@ryan.ec>
* Update the page description for SEO improvement
* Update the description for SEO improvement
* Update the description
* Update website/content/docs/secrets/transform/ff3-tweak-details.mdx
Co-authored-by: Jonathan Frappier <92055993+jonathanfrappier@users.noreply.github.com>
* Fixing a typo
* Incorporate review feedback
---------
Co-authored-by: Jonathan Frappier <92055993+jonathanfrappier@users.noreply.github.com>
* transfer over all changes from original pr
* changelog
* add serialize catch for no empty string environment
* move ttl format logic to parent route
* Update 29047.txt
* clean up some comments
* Update changelog/29047.txt
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Update changelog/29047.txt
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Update ui/app/components/secret-engine/configure-azure.hbs
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* first round of addressing pr comments, holding off on the issue save flow for error messaging to keep separate
* Update CODEOWNERS
merge issue
* small clean up tasks
* updates
* test coverage
* small cleanup
* small clean up
* clean up
* clean up getters on model
---------
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>