Document secondary activation public key endpoints/params (#7810)

CHANGELOG.md

@@ -1,5 +1,13 @@
 ## 1.3 (unreleased)
 
+CHANGES:
+
+* Secondary cluster activation: There has been a change to the way that activating
+  performance and DR secondary clusters works when using public keys for
+  encryption of the parameters rather than a wrapping token. This flow was
+  experimental and never documented. It is now officially supported and
+  documented but is not backwards compatible with older Vault releases.
+
 IMPROVEMENTS:
 
 * metrics: Upgrade DataDog library to improve performance [GH-7794]
@@ -15,6 +23,7 @@ BUG FIXES:
 ## 1.3-beta1 (October 30th, 2019)
 
 CHANGES:
+
  * Cluster cipher suites: On its cluster port, Vault will no longer advertise
    the full TLS 1.2 cipher suite list by default. Although this port is only
    used for Vault-to-Vault communication and would always pick a strong cipher,

website/source/api/system/replication/replication-dr.html.md

@@ -161,6 +161,10 @@ identifier can later be used to revoke a DR secondary's access.
 - `ttl` `(string: "30m")` – Specifies the TTL for the secondary activation
   token.
 
+- `secondary_public_key` `(string: "")` – Specifies the secondary's generated
+  public key, if using encryption rather than response wrapping to protect the
+  secondary credentials. (Vault 1.3+)
+
 ### Sample Payload
 
 ```json
@@ -230,6 +234,27 @@ $ curl \
     http://127.0.0.1:8200/v1/sys/replication/dr/primary/revoke-secondary
 ```
 
+## Fetch DR Secondary Public Key
+
+(Vault 1.3+)
+
+This endpoint allows fetching a public key that is used to encrypt the returned
+credential information (instead of using a response wrapped token). This avoids
+needing to make an API call to the primary during activation.
+
+| Method   | Path                         |
+| :--------------------------- | :--------------------- |
+| `POST`   | `/sys/replication/dr/secondary/generate-public-key` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    http://127.0.0.1:8200/v1/sys/replication/dr/secondary/generate-public-key
+```
+
 ## Enable DR Secondary
 
 This endpoint enables replication on a DR secondary using a DR secondary activation
@@ -243,7 +268,8 @@ token.
 
 ### Parameters
 
-- `token` `(string: <required>)` – Specifies the secondary activation token fetched from the primary.
+- `token` `(string: <required>)` – Specifies the secondary activation token
+  fetched from the primary.
 
 - `primary_api_addr` `(string: "")` – Set this to the API address (normal Vault
   address) to override the value embedded in the token. This can be useful if

website/source/api/system/replication/replication-performance.html.md

@@ -169,6 +169,10 @@ identifier can later be used to revoke a secondary's access.
 - `ttl` `(string: "30m")` – Specifies the TTL for the secondary activation
   token.
 
+- `secondary_public_key` `(string: "")` – Specifies the secondary's generated
+  public key, if using encryption rather than response wrapping to protect the
+  secondary credentials. (Vault 1.3+)
+
 ### Sample Payload
 
 ```json
@@ -328,6 +332,27 @@ $ curl \
     http://127.0.0.1:8200/v1/sys/replication/performance/primary/mount-filter/us-east-1
 ```
 
+## Fetch Performance Secondary Public Key
+
+(Vault 1.3+)
+
+This endpoint allows fetching a public key that is used to encrypt the returned
+credential information (instead of using a response wrapped token). This avoids
+needing to make an API call to the primary during activation.
+
+| Method   | Path                         |
+| :--------------------------- | :--------------------- |
+| `POST`   | `/sys/replication/performance/secondary/generate-public-key` |
+
+### Sample Request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    http://127.0.0.1:8200/v1/sys/replication/performance/secondary/generate-public-key
+```
+
 ## Enable Performance Secondary
 
 This endpoint enables performance replication on a secondary using a secondary activation
@@ -341,7 +366,8 @@ token.
 
 ### Parameters
 
-- `token` `(string: <required>)` – Specifies the secondary activation token fetched from the primary.
+- `token` `(string: <required>)` – Specifies the secondary activation token
+  fetched from the primary.
 
 - `primary_api_addr` `(string: "")` – Set this to the API address (normal Vault
   address) to override the value embedded in the token. This can be useful if