diff --git a/changelog/51986.fixed.md b/changelog/51986.fixed.md
new file mode 100644
index 000000000000..2ac8623e8594
--- /dev/null
+++ b/changelog/51986.fixed.md
@@ -0,0 +1 @@
+Fixed Salt master does not renew token
diff --git a/changelog/57561.fixed.md b/changelog/57561.fixed.md
new file mode 100644
index 000000000000..57ca72619ee6
--- /dev/null
+++ b/changelog/57561.fixed.md
@@ -0,0 +1 @@
+Fixed vault module fetching more than one secret in one run with single-use tokens
diff --git a/changelog/58174.fixed.md b/changelog/58174.fixed.md
new file mode 100644
index 000000000000..e20599211094
--- /dev/null
+++ b/changelog/58174.fixed.md
@@ -0,0 +1 @@
+Fixed Vault verify option to work on minions when only specified in master config
diff --git a/changelog/58580.fixed.md b/changelog/58580.fixed.md
new file mode 100644
index 000000000000..b86d0ac8d4b1
--- /dev/null
+++ b/changelog/58580.fixed.md
@@ -0,0 +1 @@
+Fixed vault command errors configured locally
diff --git a/changelog/60779.fixed.md b/changelog/60779.fixed.md
new file mode 100644
index 000000000000..597117d1f18e
--- /dev/null
+++ b/changelog/60779.fixed.md
@@ -0,0 +1 @@
+Fixed sdb.get_or_set_hash with Vault single-use tokens
diff --git a/changelog/62380.fixed.md b/changelog/62380.fixed.md
new file mode 100644
index 000000000000..839ec661d1a5
--- /dev/null
+++ b/changelog/62380.fixed.md
@@ -0,0 +1 @@
+Fixed Vault session storage to allow unlimited use tokens
diff --git a/changelog/62823.added.md b/changelog/62823.added.md
new file mode 100644
index 000000000000..cdce46c5b4e8
--- /dev/null
+++ b/changelog/62823.added.md
@@ -0,0 +1 @@
+Added Vault AppRole and identity issuance to minions
diff --git a/changelog/62825.added.md b/changelog/62825.added.md
new file mode 100644
index 000000000000..8935d16d2373
--- /dev/null
+++ b/changelog/62825.added.md
@@ -0,0 +1 @@
+Added Vault AppRole auth mount path configuration option
diff --git a/changelog/62828.added.md b/changelog/62828.added.md
new file mode 100644
index 000000000000..d848300f676b
--- /dev/null
+++ b/changelog/62828.added.md
@@ -0,0 +1 @@
+Added distribution of Vault authentication details via response wrapping
diff --git a/changelog/63406.added.md b/changelog/63406.added.md
new file mode 100644
index 000000000000..25e0a5341df9
--- /dev/null
+++ b/changelog/63406.added.md
@@ -0,0 +1 @@
+Added Vault token lifecycle management
diff --git a/changelog/63440.added.md b/changelog/63440.added.md
new file mode 100644
index 000000000000..a3fdd865d755
--- /dev/null
+++ b/changelog/63440.added.md
@@ -0,0 +1 @@
+Added Vault lease management utility
diff --git a/changelog/64096.added.md b/changelog/64096.added.md
new file mode 100644
index 000000000000..567ec1287df6
--- /dev/null
+++ b/changelog/64096.added.md
@@ -0,0 +1 @@
+Added patch option to Vault SDB driver
diff --git a/changelog/64379.added.md b/changelog/64379.added.md
new file mode 100644
index 000000000000..7e232ad85e0c
--- /dev/null
+++ b/changelog/64379.added.md
@@ -0,0 +1 @@
+Added inline specification of trusted CA root certificate for Vault
diff --git a/doc/_ext/vaultpolicylexer.py b/doc/_ext/vaultpolicylexer.py
new file mode 100644
index 000000000000..ca1fd4247f86
--- /dev/null
+++ b/doc/_ext/vaultpolicylexer.py
@@ -0,0 +1,26 @@
+from pygments.lexer import bygroups, inherit
+from pygments.lexers.configs import TerraformLexer
+from pygments.token import Keyword, Name, Punctuation, Whitespace
+
+
+class VaultPolicyLexer(TerraformLexer):
+    aliases = ["vaultpolicy"]
+    filenames = ["*.hcl"]
+    mimetypes = ["application/x-hcl-policy"]
+
+    tokens = {
+        "basic": [
+            inherit,
+            (
+                r"(path)(\s+)(\".*\")(\s+)(\{)",
+                bygroups(
+                    Keyword.Reserved, Whitespace, Name.Variable, Whitespace, Punctuation
+                ),
+            ),
+        ],
+    }
+
+
+def setup(app):
+    app.add_lexer("vaultpolicy", VaultPolicyLexer)
+    return {"parallel_read_safe": True}
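Review bot: `VaultPolicyLexer` and `setup()` in the new doc/_ext/vaultpolicylexer.py carry no docstrings, so a reader has to infer from the regex alone that the lexer exists only to highlight the `path "..." {` stanzas in Vault policy snippets; a class docstring such as `"""Pygments lexer for Vault policy (HCL) snippets, extending the Terraform lexer with a rule for path stanzas."""` and `"""Register the vaultpolicy lexer with Sphinx."""` on `setup` would cover it. The quoted-path group `(\".*\")` is greedy, so a line holding two quoted strings would be captured as a single path token; `(\"[^\"]*\")` pins it to the first string. Because `inherit` is listed before the new rule, the parent's `basic` rules are tried first, so whether the `path` rule is ever reached depends on the installed Pygments TerraformLexer — worth confirming on a rendered sample, or placing the rule ahead of `inherit`. `filenames` and `mimetypes` appear unused for this registration, since `app.add_lexer` keys only on the alias.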
diff --git a/doc/conf.py b/doc/conf.py
index 2d8279e61657..235a6967f503 100644
--- a/doc/conf.py
+++ b/doc/conf.py
@@ -159,6 +159,7 @@
     "saltrepo",
     "myst_parser",
     "sphinxcontrib.spelling",
+    "vaultpolicylexer",
     #'saltautodoc', # Must be AFTER autodoc
 ]
diff --git a/doc/topics/releases/templates/3007.0.md.template b/doc/topics/releases/templates/3007.0.md.template
index bfaa59defbad..6e6d36dc1900 100644
--- a/doc/topics/releases/templates/3007.0.md.template
+++ b/doc/topics/releases/templates/3007.0.md.template
@@ -24,6 +24,54 @@ A new ``package`` grain was added in 3007.0 This detects how Salt was installed the directory. If you are building packages of Salt you need to ensure this file is set to the correct package type that you are building. The options are ``pip``, ``onedir``, or ``system``. By default this file is already set to ``pip``. +## Improved Vault integration +This release features a much deeper integration with HashiCorp Vault, for which +many parts of the implementation core were improved. Among other things, the Salt +daemons now attempt to renew/revoke their access tokens and can manage long-lived leases, +while the Salt master now distributes authentication secrets using response wrapping. +An important new feature concerns the way Vault policies can be managed. + +In versions before 3006, the Salt master only issued tokens to minions, whose policies +could be templated with the minion ID and (insecure) grain values. +3006 introduced secure templating of those policies with pillar values, as well as +templating of Vault external pillar paths with pillar values. These improvements reduced the +overhead of managing Vault policies securely. + +In addition, the Salt master can now be configured to issue AppRoles +to minions and manage their metadata using a similar templating approach. 
+Since this metadata can be taken advantage of in templated policies on the Vault side, +the need for many boilerplate policies is reduced even further: +{%- raw %} + +```vaultpolicy + path "salt/data/minions/{{identity.entity.metadata.minion-id}}" { + capabilities = ["create", "read", "write", "delete", "patch"] + } + + path "salt/data/roles/{{identity.entity.metadata.role}}" { + capabilities = ["read"] + } +``` +{%- endraw %} + +Although existing configurations will keep working without intervention after upgrading +the Salt master, it is strongly recommended to adjust the `peer_run` configuration to +include the new issuance endpoints in order to avoid unnecessary overhead: + +```yaml +peer_run: + .*: + - vault.get_config + - vault.generate_new_token +``` + +Please see the [Vault execution module docs](https://docs.saltproject.io/en/3007.0/ref/modules/all/salt.modules.vault.html) for +details and setup instructions regarding AppRole issuance. + +.. note:: + The Vault modules are being moved to a [Salt extension](https://github.com/salt-extensions/saltext-vault), but this improvement + has still been merged into core for a smoother transition. +