From a2ea0b5502504bf50960437cbf84ad3739cd9489 Mon Sep 17 00:00:00 2001 From: Chris Hoffman <99742+chrishoffman@users.noreply.github.com> Date: Fri, 24 Jan 2020 19:18:22 -0500 Subject: [PATCH 1/3] Adding pricing module note for enterprise features (#8217) * adding pricing module note for enterprise features * fixing incorrectly committed go.mod --- website/pages/docs/enterprise/control-groups/index.mdx | 3 +++ website/pages/docs/enterprise/entropy-augmentation/index.mdx | 3 +++ website/pages/docs/enterprise/hsm/index.mdx | 5 ++--- website/pages/docs/enterprise/mfa/index.mdx | 3 +++ website/pages/docs/enterprise/namespaces/index.mdx | 2 ++ website/pages/docs/enterprise/performance-standby/index.mdx | 3 +++ website/pages/docs/enterprise/replication/index.mdx | 4 ++++ website/pages/docs/enterprise/sealwrap/index.mdx | 3 +++ website/pages/docs/enterprise/sentinel/index.mdx | 3 +++ website/pages/docs/secrets/kmip/index.mdx | 3 +++ 10 files changed, 29 insertions(+), 3 deletions(-) diff --git a/website/pages/docs/enterprise/control-groups/index.mdx b/website/pages/docs/enterprise/control-groups/index.mdx index d401b72757d1..11b7d740f7bb 100644 --- a/website/pages/docs/enterprise/control-groups/index.mdx +++ b/website/pages/docs/enterprise/control-groups/index.mdx @@ -7,6 +7,9 @@ description: Vault Enterprise has support for Control Group Authorization. # Vault Enterprise Control Group Support +-> **Note**: This feature requires [Vault Enterprise](https://www.hashicorp.com/products/vault/) +with the Governance And Policy Module. + Vault Enterprise has support for Control Group Authorization. Control Groups add additional authorization factors to be required before satisfying a request. diff --git a/website/pages/docs/enterprise/entropy-augmentation/index.mdx b/website/pages/docs/enterprise/entropy-augmentation/index.mdx index dae40f84cb3e..0d24a62a8062 100644 --- a/website/pages/docs/enterprise/entropy-augmentation/index.mdx 
+++ b/website/pages/docs/enterprise/entropy-augmentation/index.mdx @@ -9,6 +9,9 @@ description: |- # Entropy Augmentation +-> **Note**: This feature requires [Vault Enterprise](https://www.hashicorp.com/products/vault/) +with the Governance & Policy Module. + Vault Enterprise features a mechanism to sample entropy (or randomness for cryptographic operations) from external cryptographic modules via the [seals](/docs/configuration/seal) interface. While the system entropy used by Vault is more than capable of diff --git a/website/pages/docs/enterprise/hsm/index.mdx b/website/pages/docs/enterprise/hsm/index.mdx index 4a4924fe7fab..a00e0f0ef949 100644 --- a/website/pages/docs/enterprise/hsm/index.mdx +++ b/website/pages/docs/enterprise/hsm/index.mdx @@ -9,9 +9,8 @@ description: >- # Vault Enterprise HSM Support -HSM support is a feature of [Vault -Enterprise](https://www.hashicorp.com/vault) that takes advantage of HSMs -to provide three pieces of special functionality: +-> **Note**: This feature requires [Vault Enterprise](https://www.hashicorp.com/products/vault/) +with the Governance & Policy Module. - Master Key Wrapping: Vault protects its master key by transiting it through the HSM for encryption rather than splitting into key shares diff --git a/website/pages/docs/enterprise/mfa/index.mdx b/website/pages/docs/enterprise/mfa/index.mdx index b94a89d13451..110987b14c0e 100644 --- a/website/pages/docs/enterprise/mfa/index.mdx +++ b/website/pages/docs/enterprise/mfa/index.mdx @@ -9,6 +9,9 @@ description: >- # Vault Enterprise MFA Support +-> **Note**: This feature requires [Vault Enterprise](https://www.hashicorp.com/products/vault/) +with the Governance & Policy Module. + Vault Enterprise has support for Multi-factor Authentication (MFA), using different authentication types. MFA is built on top of the Identity system of Vault. 
diff --git a/website/pages/docs/enterprise/namespaces/index.mdx b/website/pages/docs/enterprise/namespaces/index.mdx index c7b734be48e3..daf45c664459 100644 --- a/website/pages/docs/enterprise/namespaces/index.mdx +++ b/website/pages/docs/enterprise/namespaces/index.mdx @@ -11,6 +11,8 @@ description: >- ## Overview +-> **Note**: This feature is available in all versions of [Vault Enterprise](https://www.hashicorp.com/products/vault/). + Many organizations implement Vault as a "service", providing centralized management for teams within an organization while ensuring that those teams operate within isolated environments known as _tenants_. diff --git a/website/pages/docs/enterprise/performance-standby/index.mdx b/website/pages/docs/enterprise/performance-standby/index.mdx index a22277968313..06ce74367305 100644 --- a/website/pages/docs/enterprise/performance-standby/index.mdx +++ b/website/pages/docs/enterprise/performance-standby/index.mdx @@ -7,6 +7,9 @@ description: Performance Standby Nodes - Vault Enterprise # Performance Standby Nodes +-> **Note**: This feature requires [Vault Enterprise](https://www.hashicorp.com/products/vault/) +with the Multi-Datacenter & Scale Module. + Vault supports a multi-server mode for high availability. This mode protects against outages by running multiple Vault servers. High availability mode is automatically enabled when using a data store that supports it. You can diff --git a/website/pages/docs/enterprise/replication/index.mdx b/website/pages/docs/enterprise/replication/index.mdx index 4b122f77a217..e02aa31d7a17 100644 --- a/website/pages/docs/enterprise/replication/index.mdx +++ b/website/pages/docs/enterprise/replication/index.mdx 
@@ -12,6 +12,10 @@ description: >- ## Overview +-> **Note**: All versions of [Vault Enterprise](https://www.hashicorp.com/products/vault/) +have support for Disaster Recovery replication. Performance Replication requires the +Multi-Datacenter & Scale module. + Many organizations have infrastructure that spans multiple datacenters. Vault provides the critical services of identity management, secrets storage, and policy management. This functionality is expected to be highly available and diff --git a/website/pages/docs/enterprise/sealwrap/index.mdx b/website/pages/docs/enterprise/sealwrap/index.mdx index cae54c752d92..b7ca1c5270a3 100644 --- a/website/pages/docs/enterprise/sealwrap/index.mdx +++ b/website/pages/docs/enterprise/sealwrap/index.mdx @@ -9,6 +9,9 @@ description: |- # Seal Wrap +-> **Note**: This feature requires [Vault Enterprise](https://www.hashicorp.com/products/vault/) +with the Governance & Policy Module. + Vault Enterprise features a mechanism to wrap values with an extra layer of encryption for supporting [seals](/docs/configuration/seal). This adds an extra layer of protection and is useful in some compliance and regulatory diff --git a/website/pages/docs/enterprise/sentinel/index.mdx b/website/pages/docs/enterprise/sentinel/index.mdx index 5a0609f0d376..722a34a5cf04 100644 --- a/website/pages/docs/enterprise/sentinel/index.mdx +++ b/website/pages/docs/enterprise/sentinel/index.mdx @@ -7,6 +7,9 @@ description: An overview of how Sentinel interacts with Vault Enterprise. # Overview +-> **Note**: This feature requires [Vault Enterprise](https://www.hashicorp.com/products/vault/) +with the Governance & Policy Module. + Vault Enterprise integrates HashiCorp Sentinel to provide a rich set of access control functionality. Because Vault is a security-focused product trusted with high-risk secrets and assets, and because of its default-deny stance, 
diff --git a/website/pages/docs/secrets/kmip/index.mdx b/website/pages/docs/secrets/kmip/index.mdx index 40baa16e1b21..2950efe542d3 100644 --- a/website/pages/docs/secrets/kmip/index.mdx +++ b/website/pages/docs/secrets/kmip/index.mdx @@ -9,6 +9,9 @@ description: |- # KMIP Secrets Engine +-> **Note**: This secret engine requires [Vault Enterprise](https://www.hashicorp.com/products/vault/) +with the Advanced Data Protection Module. + The KMIP secrets engine allows Vault to act as a [Key Management Interoperability Protocol](#kmip-spec) (KMIP) server provider and handle the lifecycle of its KMIP managed objects. KMIP is a standardized protocol that allows From 267665ecc0aca4140b5e009778d975f811b84ee9 Mon Sep 17 00:00:00 2001 From: Michel Vocks Date: Mon, 27 Jan 2020 11:25:52 +0100 Subject: [PATCH 2/3] Fix redoing redirect response raft snapshot cli (#8211) * Fix redoing redirect response raft snapshot cli * Removed unnecessary lines of code * go mod vendor --- api/sys_raft.go | 24 +++++++++++++++++++ .../hashicorp/vault/api/sys_raft.go | 24 +++++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/api/sys_raft.go b/api/sys_raft.go index e1106a0671cd..908a3c4f1131 100644 --- a/api/sys_raft.go +++ b/api/sys_raft.go @@ -2,6 +2,7 @@ package api import ( "context" + "fmt" "io" "net/http" 
@@ -95,6 +96,29 @@ func (c *Sys) RaftSnapshot(snapWriter io.Writer) error
 		return nil
 	}
 
+	// Check for a redirect, only allowing for a single redirect
+	if resp.StatusCode == 301 || resp.StatusCode == 302 || resp.StatusCode == 307 {
+		// Parse the updated location
+		respLoc, err := resp.Location()
+		if err != nil {
+			return err
+		}
+
+		// Ensure a protocol downgrade doesn't happen
+		if req.URL.Scheme == "https" && respLoc.Scheme != "https" {
+			return fmt.Errorf("redirect would cause protocol downgrade")
+		}
+
+		// Update the request
+		req.URL = respLoc
+
+		// Retry the request
+		resp, err = c.c.config.HttpClient.Do(req)
+		if err != nil {
+			return err
+		}
+	}
+
 	result = &Response{Response: resp}
 	if err := result.Error(); err != nil {
 		return err
diff --git a/vendor/github.com/hashicorp/vault/api/sys_raft.go b/vendor/github.com/hashicorp/vault/api/sys_raft.go
index e1106a0671cd..908a3c4f1131 100644
--- a/vendor/github.com/hashicorp/vault/api/sys_raft.go
+++ b/vendor/github.com/hashicorp/vault/api/sys_raft.go
@@ -2,6 +2,7 @@ package api
 
 import (
 	"context"
+	"fmt"
 	"io"
 	"net/http"
 
@@ -95,6 +96,29 @@ func (c *Sys) RaftSnapshot(snapWriter io.Writer) error
 		return nil
 	}
 
+	// Check for a redirect, only allowing for a single redirect
+	if resp.StatusCode == 301 || resp.StatusCode == 302 || resp.StatusCode == 307 {
+		// Parse the updated location
+		respLoc, err := resp.Location()
+		if err != nil {
+			return err
+		}
+
+		// Ensure a protocol downgrade doesn't happen
+		if req.URL.Scheme == "https" && respLoc.Scheme != "https" {
+			return fmt.Errorf("redirect would cause protocol downgrade")
+		}
+
+		// Update the request
+		req.URL = respLoc
+
+		// Retry the request
+		resp, err = c.c.config.HttpClient.Do(req)
+		if err != nil {
+			return err
+		}
+	}
+
 	result = &Response{Response: resp}
 	if err := result.Error(); err != nil {
 		return err
From 9de6ed66eebe15717284832ed55dda73bcafcc26 Mon Sep 17 00:00:00 2001
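Review bot: The 3xx response is never closed before the request is reissued at `resp, err = c.c.config.HttpClient.Do(req)`; reassigning `resp` drops the first body unread, which keeps that connection out of the transport's pool (RaftSnapshot starts and ends outside the hunk, so whether an earlier `defer` already covers it can't be seen here). Add `resp.Body.Close()` right after `respLoc, err := resp.Location()`, before `req.URL = respLoc`. The comment promises a single redirect, but a second 3xx is not rejected: it falls through to `result.Error()`, and if that treats 3xx as success (not visible here) the later copy would stream a redirect body into snapWriter as a "snapshot" with a nil error, so the retried status should be checked explicitly. Note also that `req` is reissued with all of its headers, including the Vault token, to whatever host `Location` names; the scheme check blocks an https→http downgrade but not a cross-host redirect, so either restrict the retry to the original host or add a comment such as `// Redirects are expected only from a standby to the active node; the token is forwarded to the new host` so the trust decision is recorded.
```go
	// Check for a redirect, only allowing for a single redirect
	if resp.StatusCode == 301 || resp.StatusCode == 302 || resp.StatusCode == 307 {
		respLoc, err := resp.Location()
		// The redirect body is never read; release the connection
		resp.Body.Close()
		if err != nil {
			return err
		}

		// … unchanged: protocol downgrade check …

		req.URL = respLoc
		resp, err = c.c.config.HttpClient.Do(req)
		if err != nil {
			return err
		}
		// A second redirect is not followed; fail instead of streaming
		// a redirect body into snapWriter as if it were a snapshot
		if resp.StatusCode >= 300 && resp.StatusCode < 400 {
			return fmt.Errorf("unexpected second redirect to %q", resp.Header.Get("Location"))
		}
	}
```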
From: Daniel Spangenberg Date: Mon, 27 Jan 2020 14:54:59 +0100 Subject: [PATCH 3/3] Clarify the k8s helm run docs (#8235) --- website/pages/docs/platform/k8s/helm/run.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/website/pages/docs/platform/k8s/helm/run.mdx b/website/pages/docs/platform/k8s/helm/run.mdx index b4c0e1d073ae..e27c3a32054e 100644 --- a/website/pages/docs/platform/k8s/helm/run.mdx +++ b/website/pages/docs/platform/k8s/helm/run.mdx @@ -76,8 +76,8 @@ configured to auto-unseal using KMS providers such as [Google Cloud Platform](/docs/platform/k8s/helm/run#google-kms-auto-unseal). This allows the pods to auto unseal if they're rescheduled in Kubernetes. -If standalone or HA mode are being used, the Vault pods must be initialized and unsealed. -For standalone deployments, only one of the Vault pods needs to be initialized. +If standalone is used, the Vault pod must be initialized and unsealed. +For HA deployments, only one of the Vault pods needs to be initialized and, all Vault pods need to be unsealed. ```sh $ kubectl exec -ti vault-0 -- vault operator init