From 70b4725de17fbf1adebc98e0cd70cb000c714e03 Mon Sep 17 00:00:00 2001 From: Christopher Swenson Date: Wed, 13 Sep 2023 09:25:56 -0700 Subject: [PATCH 1/4] auth/centrify: Centrify auth method is now deprecated Slated for removal in 1.17 --- changelog/xyz.txt | 3 +++ helper/builtinplugins/registry.go | 11 +++++++---- website/content/docs/deprecation/index.mdx | 3 ++- 3 files changed, 12 insertions(+), 5 deletions(-) create mode 100644 changelog/xyz.txt diff --git a/changelog/xyz.txt b/changelog/xyz.txt new file mode 100644 index 000000000000..391d6c6c4057 --- /dev/null +++ b/changelog/xyz.txt @@ -0,0 +1,3 @@ +```release-note:deprecation +auth/centrify: Centrify plugin is deprecated as of 1.15, slated for removal in 1.17 +``` diff --git a/helper/builtinplugins/registry.go b/helper/builtinplugins/registry.go index 906494e8ab94..d4c114699569 100644 --- a/helper/builtinplugins/registry.go +++ b/helper/builtinplugins/registry.go @@ -104,10 +104,13 @@ func newRegistry() *registry { Factory: removedFactory, DeprecationStatus: consts.Removed, }, - "approle": {Factory: credAppRole.Factory}, - "aws": {Factory: credAws.Factory}, - "azure": {Factory: credAzure.Factory}, - "centrify": {Factory: credCentrify.Factory}, + "approle": {Factory: credAppRole.Factory}, + "aws": {Factory: credAws.Factory}, + "azure": {Factory: credAzure.Factory}, + "centrify": { + Factory: credCentrify.Factory, + DeprecationStatus: consts.Deprecated, + }, "cert": {Factory: credCert.Factory}, "cf": {Factory: credCF.Factory}, "gcp": {Factory: credGcp.Factory}, diff --git a/website/content/docs/deprecation/index.mdx b/website/content/docs/deprecation/index.mdx index a6c5c8a515f5..88053598861e 100644 --- a/website/content/docs/deprecation/index.mdx +++ b/website/content/docs/deprecation/index.mdx 
@@ -8,7 +8,7 @@ description: |- # Feature deprecation notice and plans -This announcement page is maintained and updated periodically to communicate important decisions made concerning End of Support(EoS) for Vault features as well as features we have removed or disabled from the product. We document the removal of features, enable the community with a plan and timeline for eventual deprecations, and supply alternative paths to explore and evaluate to minimize business disruptions. If you have questions or concerns about a deprecated feature, please create a topic on [the community forum](https://discuss.hashicorp.com/c/vault/30) or raise a ticket with your support team. Please refer to the [FAQ](/vault/docs/deprecation/faq) page for frequently asked questions concerning Vault feature deprecations. +This announcement page is maintained and updated periodically to communicate important decisions made concerning End of Support (EoS) for Vault features as well as features we have removed or disabled from the product. We document the removal of features, enable the community with a plan and timeline for eventual deprecations, and supply alternative paths to explore and evaluate to minimize business disruptions. If you have questions or concerns about a deprecated feature, please create a topic on [the community forum](https://discuss.hashicorp.com/c/vault/30) or raise a ticket with your support team. Please refer to the [FAQ](/vault/docs/deprecation/faq) page for frequently asked questions concerning Vault feature deprecations. **Deprecation Announcement**: This indicates the release version during which the announcement was made to deprecate a feature. 
@@ -35,6 +35,7 @@ This announcement page is maintained and updated periodically to communicate imp | SHA-1 certificate signing | v1.11 | v1.11 | v1.12 | Go version 1.18 removes support for SHA-1 by default. As Vault updates its Go version to 1.18, you should plan to move off SHA-1 for certficate signing. Operators can set a Go [environmental variable](/vault/docs/deprecation/faq#q-what-is-the-impact-of-removing-support-for-x-509-certificates-with-signatures-that-use-sha-1) to restore SHA-1 support if they need to continue using SHA-1. It is unknown at this time when Go will remove the environmental variable support. Therefore, we highly encourage you to migrate off of SHA-1 for certificate signing. |[FAQ](/vault/docs/deprecation/faq#q-what-is-the-impact-of-removing-support-for-x-509-certificates-with-signatures-that-use-sha-1)| | Consul secrets engine parameter changes | v1.11 | N/A | N/A | The `policies` parameter on the Consul secrets engine has been changed in favor of `consul_policies`. The `token_type` and `policy` parameters have been deprecated as the latest versions of Consul no longer support the older ACL system they were used for. | [Consul secrets engine API documentation](/vault/api-docs/secret/consul) | | Vault Agent API proxy support | v1.14 | v1.16 | v1.17 | Migrate to [Vault Proxy](/vault/docs/proxy/index) by v1.17| +| Centrify Auth Method | v1.15 | v1.17 | v1.17 | Use separate plugin binary, but support will not be available due to lack of updated Centrify libraries. | | *If you use **Standalone DB Engines** or **AppID (Community)**, you should actively plan to migrate away from their usage. If you use these features and upgrade to Release 1.12, Vault will log error messages and shut down, and any attempts to add new mounts will result in an error. This behavior may temporarily be overridden when starting the Vault server by using the `VAULT_ALLOW_PENDING_REMOVAL_MOUNTS` environment variable until they are officially removed in Vault version 1.13. 
From 30111287fc822f0544540de217bff8eea4f414f8 Mon Sep 17 00:00:00 2001 From: Christopher Swenson Date: Wed, 13 Sep 2023 09:28:28 -0700 Subject: [PATCH 2/4] Move changelog --- changelog/{xyz.txt => 23050.txt} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename changelog/{xyz.txt => 23050.txt} (100%) diff --git a/changelog/xyz.txt b/changelog/23050.txt similarity index 100% rename from changelog/xyz.txt rename to changelog/23050.txt From 6877f9168ddbbc3a8c943afdd3c4c87145387fae Mon Sep 17 00:00:00 2001 From: Christopher Swenson Date: Wed, 13 Sep 2023 14:03:23 -0700 Subject: [PATCH 3/4] Remove extra comment about libraries --- website/content/docs/deprecation/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/deprecation/index.mdx b/website/content/docs/deprecation/index.mdx index 88053598861e..9e9bc58d8705 100644 --- a/website/content/docs/deprecation/index.mdx +++ b/website/content/docs/deprecation/index.mdx 
@@ -35,7 +35,7 @@ This announcement page is maintained and updated periodically to communicate imp | SHA-1 certificate signing | v1.11 | v1.11 | v1.12 | Go version 1.18 removes support for SHA-1 by default. As Vault updates its Go version to 1.18, you should plan to move off SHA-1 for certficate signing. Operators can set a Go [environmental variable](/vault/docs/deprecation/faq#q-what-is-the-impact-of-removing-support-for-x-509-certificates-with-signatures-that-use-sha-1) to restore SHA-1 support if they need to continue using SHA-1. It is unknown at this time when Go will remove the environmental variable support. Therefore, we highly encourage you to migrate off of SHA-1 for certificate signing. |[FAQ](/vault/docs/deprecation/faq#q-what-is-the-impact-of-removing-support-for-x-509-certificates-with-signatures-that-use-sha-1)| | Consul secrets engine parameter changes | v1.11 | N/A | N/A | The `policies` parameter on the Consul secrets engine has been changed in favor of `consul_policies`. The `token_type` and `policy` parameters have been deprecated as the latest versions of Consul no longer support the older ACL system they were used for. | [Consul secrets engine API documentation](/vault/api-docs/secret/consul) | | Vault Agent API proxy support | v1.14 | v1.16 | v1.17 | Migrate to [Vault Proxy](/vault/docs/proxy/index) by v1.17| -| Centrify Auth Method | v1.15 | v1.17 | v1.17 | Use separate plugin binary, but support will not be available due to lack of updated Centrify libraries. | | +| Centrify Auth Method | v1.15 | v1.17 | v1.17 | Use separate plugin binary, but support will not be available. | | *If you use **Standalone DB Engines** or **AppID (Community)**, you should actively plan to migrate away from their usage. If you use these features and upgrade to Release 1.12, Vault will log error messages and shut down, and any attempts to add new mounts will result in an error. 
This behavior may temporarily be overridden when starting the Vault server by using the `VAULT_ALLOW_PENDING_REMOVAL_MOUNTS` environment variable until they are officially removed in Vault version 1.13. From 5a4d936318b9fc69edfd907ee8acd923206cb55d Mon Sep 17 00:00:00 2001 From: Christopher Swenson Date: Wed, 13 Sep 2023 14:19:48 -0700 Subject: [PATCH 4/4] Say external plugin instead of separate binary --- website/content/docs/deprecation/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/deprecation/index.mdx b/website/content/docs/deprecation/index.mdx index 9e9bc58d8705..15e5dc398710 100644 --- a/website/content/docs/deprecation/index.mdx +++ b/website/content/docs/deprecation/index.mdx 
@@ -35,7 +35,7 @@ This announcement page is maintained and updated periodically to communicate imp | SHA-1 certificate signing | v1.11 | v1.11 | v1.12 | Go version 1.18 removes support for SHA-1 by default. As Vault updates its Go version to 1.18, you should plan to move off SHA-1 for certficate signing. Operators can set a Go [environmental variable](/vault/docs/deprecation/faq#q-what-is-the-impact-of-removing-support-for-x-509-certificates-with-signatures-that-use-sha-1) to restore SHA-1 support if they need to continue using SHA-1. It is unknown at this time when Go will remove the environmental variable support. Therefore, we highly encourage you to migrate off of SHA-1 for certificate signing. |[FAQ](/vault/docs/deprecation/faq#q-what-is-the-impact-of-removing-support-for-x-509-certificates-with-signatures-that-use-sha-1)| | Consul secrets engine parameter changes | v1.11 | N/A | N/A | The `policies` parameter on the Consul secrets engine has been changed in favor of `consul_policies`. The `token_type` and `policy` parameters have been deprecated as the latest versions of Consul no longer support the older ACL system they were used for. | [Consul secrets engine API documentation](/vault/api-docs/secret/consul) | | Vault Agent API proxy support | v1.14 | v1.16 | v1.17 | Migrate to [Vault Proxy](/vault/docs/proxy/index) by v1.17| -| Centrify Auth Method | v1.15 | v1.17 | v1.17 | Use separate plugin binary, but support will not be available. | | +| Centrify Auth Method | v1.15 | v1.17 | v1.17 | Use as an external plugin, but support will not be available. | | *If you use **Standalone DB Engines** or **AppID (Community)**, you should actively plan to migrate away from their usage. If you use these features and upgrade to Release 1.12, Vault will log error messages and shut down, and any attempts to add new mounts will result in an error. 
This behavior may temporarily be overridden when starting the Vault server by using the `VAULT_ALLOW_PENDING_REMOVAL_MOUNTS` environment variable until they are officially removed in Vault version 1.13.
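
Review bot: In the `newRegistry()` hunk of helper/builtinplugins/registry.go (PATCH 1/4), nothing in this series tests the new `DeprecationStatus: consts.Deprecated` on the `"centrify"` entry; the diffstat lists only changelog/xyz.txt, registry.go and index.mdx. Suggest adding a registry test that asserts the `centrify` entry reports `consts.Deprecated`, so a later edit of the map cannot silently drop the status before the planned 1.17 removal. The `-`/`+` pairs for `approle`, `aws` and `azure` appear to differ only in alignment, which is expected once the `centrify` entry becomes multi-line.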
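
Review bot: In the changelog/xyz.txt hunk (PATCH 1/4), the release note is added under a placeholder file name and only becomes changelog/23050.txt through the rename in PATCH 2/4; squash the rename into the first commit so no commit in history carries the placeholder. The note text also says "Centrify plugin" while the subject line and the docs row say "auth method"; pick one term, for example `auth/centrify: Centrify auth method is deprecated as of 1.15, slated for removal in 1.17`.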
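
Review bot: In the `@@ -35,6 +35,7 @@` hunk of website/content/docs/deprecation/index.mdx (PATCH 1/4), the added Centrify row carries `v1.17` in both the third and fourth version cells, whereas the Vault Agent API proxy row directly above it uses `v1.16` and then `v1.17`. Please confirm that both milestones are meant to land in the same release; if they are not, correct the third cell. PATCH 3/4 and PATCH 4/4 reword the row but keep these values unchanged.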
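
Review bot: In the `@@ -35,7 +35,7 @@` hunk of PATCH 4/4, the final Centrify row ends with an empty last cell, while the SHA-1 and Consul rows use that cell to link an FAQ or API page, so "Use as an external plugin" leaves operators without a pointer to how that is done. Suggest linking the external plugin registration documentation in that cell. Because this is an auth method, the row should also state whether "support will not be available" covers security fixes, since PATCH 3/4 removed the only stated reason for the deprecation.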