From 032fb9476e881407b9b54ce09329de61f875cec1 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Mon, 5 Apr 2021 15:13:25 -0400
Subject: [PATCH 01/10] docs: add persistent cache
---
 .../agent/{caching.mdx => caching/index.mdx} | 81 +++
 .../agent/caching/persistent-caches/index.mdx | 10 +
 .../caching/persistent-caches/kubernetes.mdx | 26 +
 website/data/docs-navigation.js | 463 ++++++++++++++++++
 4 files changed, 580 insertions(+)
 rename website/content/docs/agent/{caching.mdx => caching/index.mdx} (78%)
 create mode 100644 website/content/docs/agent/caching/persistent-caches/index.mdx
 create mode 100644 website/content/docs/agent/caching/persistent-caches/kubernetes.mdx
 create mode 100644 website/data/docs-navigation.js
diff --git a/website/content/docs/agent/caching.mdx b/website/content/docs/agent/caching/index.mdx
similarity index 78%
rename from website/content/docs/agent/caching.mdx
rename to website/content/docs/agent/caching/index.mdx
index 0651855b4af..08bf44f30d7 100644
--- a/website/content/docs/agent/caching.mdx
+++ b/website/content/docs/agent/caching/index.mdx
@@ -56,6 +56,30 @@ overrides the default behavior described above in [Using Auth-Auth Token](/docs/agent/caching#using-auto-auth-token), and instead ignores any existing Vault token in the request and instead uses the auto-auth token. +## Persistent Cache + +Vault Agent supports creating and restoring tokens and leases from a persistent cache +file. The persistent cache is a BoltDB file that includes tuples encrypted by a generated +encryption key. The encrypted tuples include the Vault token used to retrieve secrets, +leases for tokens and secrets, and secret values. + +-> **Note:** Vault Agent Caching persistent cache will only restore _leased_ secrets. Secrets +that are not renewable, such as KV v2, will not be persisted. + +In order to use Vault Agent persistent cache, auto-authentication must be used. During the restoration +of the cache, Vault Agent will pre-populate auto-authentication with the persisted token. This token +is required to renew restored leases. If the token has expired, the cached leases will be evicted and +secrets will need to be retrieved from Vault. + +If Vault Agent templating is enabled alongside of the persistent cache, Vault Agent will automatically +route templating requests through the cache. This ensures template requests are cached and restored properly. + +At the time of this writing, Vault Agent persistent cache is only supported in a Kubernetes +environment. In the future the persistent cachce will be expanded to include other environments. + +For more information about the Vault Agent persistent cache, see the sidebar for specific persistent +cache types. + ## Cache Evictions The eviction of cache entries pertaining to secrets will occur when the agent 
@@ -174,6 +198,25 @@ The top level `cache` block has the following configuration entries: forward the request to the Vault server. If set to `"force"` Agent will use the auto-auth token, overwriting the attached Vault token if set. +- `persist` `(object: optional)` - Configuration for the persistent cache. + +### Configuration (Persist) + +These are common configuration values that live within the `persist` block: + +- `type` `(string: required)` - The type of the persistent cahce to use, + e.g. `kubernetes`. _Note_: when using HCL this can be used as the key for + the block, e.g. `persist "kubernetes" {...}`. + +- `path` `(string: required)` - The path on disk where the persistent cache file + should be created or restored from. + +- `keep_after_import` `(bool: optional)` - When set to true, a restored cache file + is not deleted. Defaults to `false`. + +- `exit_on_err` `(bool: optional)` - When set to true, if any errors occur during + a persitent cache restore, Vault Agent will exit with an error. Defaults to `true`. + ## Configuration (`listener`) - `listener` `(array of objects: required)` - Configuration for the listeners. @@ -240,6 +283,44 @@ vault { } ``` +### Persistent Cache Example Configuration + +An example configuration, with very contrived values, follows: + +```javascript +auto_auth { + method { + type = "kubernetes" + config = { + role = "foobar" + } + } + + sink { + type = "file" + config = { + path = "/tmp/file-foo" + } + } +} + +cache { + use_auto_auth_token = true + persist "kubernetes" { + path = "/vault/agent-cache" + } +} + +listener "tcp" { + address = "127.0.0.1:8200" + tls_disable = true +} + +vault { + address = "http://127.0.0.1:8200" +} +``` + ## Learn Refer to the [Vault Agent diff --git a/website/content/docs/agent/caching/persistent-caches/index.mdx b/website/content/docs/agent/caching/persistent-caches/index.mdx new file mode 100644 index 00000000000..cd9293c1ded --- /dev/null 
+++ b/website/content/docs/agent/caching/persistent-caches/index.mdx @@ -0,0 +1,10 @@ +--- +layout: docs +page_title: Vault Agent Persistent Cache Types +sidebar_title: Persistent Cache +description: Persistent Cache Types for Vault Agent Caching +--- + +# Vault Agent Persistent Cache Types + +Please see the sidebar for available types and their usage/configuration. diff --git a/website/content/docs/agent/caching/persistent-caches/kubernetes.mdx b/website/content/docs/agent/caching/persistent-caches/kubernetes.mdx new file mode 100644 index 00000000000..cfbd70c40eb --- /dev/null +++ b/website/content/docs/agent/caching/persistent-caches/kubernetes.mdx @@ -0,0 +1,26 @@ +--- +layout: docs +page_title: Vault Agent Kubernetes Persistent Cache +sidebar_title: Kubernetes +description: Kubernetes Persistent Cache for Vault Agent Caching +--- + +# Vault Agent Kubernetes Persistent Cache + +The `kubernetes` persistent cache configures Vault Agent persistent caching specifically for +Kubernetes environments. This type of persistent cache requires a Kubernetes service account +token. The service account token is used during encryption and decryption of the persistent cache +as an additional integrity check. + +The Vault Agent persistent cache file in Kubernetes should only be used for handing off Vault tokens +and leases between initialization and sidecar Vault Agent containers. This cache file should be shared +using a memory volume between the Vault Agent containers. + +If the Vault Agent Injector for Kubernetes is being used, the persistent cache is automatically configured +and used if the annotation `vault.hashicorp.com/agent-cache-enable: true` is set. + +## Configuration + +- `service_account_token_file` `(string: optional)` - When type is set to `kubernetes`, + this configures the path on disk where the Kubernetes service account token can be found. + Defaults to `/var/run/secrets/kubernetes.io/serviceaccount/token`. \ No newline at end of file 
diff --git a/website/data/docs-navigation.js b/website/data/docs-navigation.js
new file mode 100644
index 00000000000..71b2d9cb8a5
--- /dev/null
+++ b/website/data/docs-navigation.js
@@ -0,0 +1,463 @@ +// The root folder for this documentation category is `pages/docs` +// +// - A string refers to the name of a file +// - A "category" value refers to the name of a directory +// - All directories must have an "index.mdx" file to serve as +// the landing page for the category + +export default [ + 'install', + { + category: 'internals', + content: [ + 'architecture', + 'high-availability', + 'integrated-storage', + 'security', + 'telemetry', + 'token', + 'rotation', + 'replication', + 'plugins', + 'limits', + ], + }, + { + category: 'concepts', + content: [ + 'dev-server', + 'seal', + 'lease', + 'auth', + 'tokens', + 'response-wrapping', + 'policies', + 'password-policies', + 'username-templating', + 'ha', + { + category: 'integrated-storage', + content: ['autopilot'], + }, + 'pgp-gpg-keybase', + 'recovery-mode', + 'resource-quotas', + 'client-count', + 'transform', + ], + }, + { + category: 'configuration', + content: [ + { + category: 'listener', + content: ['tcp'], + }, + 'replication', + { + category: 'seal', + content: [ + 'alicloudkms', + 'awskms', + 'azurekeyvault', + 'gcpckms', + 'ocikms', + 'pkcs11', + 'transit', + ], + }, + 'sentinel', + { + category: 'service-registration', + content: ['consul', 'kubernetes'], + }, + { + category: 'storage', + content: [ + 'aerospike', + 'azure', + 'cassandra', + 'cockroachdb', + 'consul', + 'couchdb', + 'dynamodb', + 'etcd', + 'filesystem', + 'foundationdb', + 'google-cloud-spanner', + 'google-cloud-storage', + 'in-memory', + 'manta', + 'mssql', + 'mysql', + 'oci-object-storage', + 'postgresql', + 'raft', + 's3', + 'swift', + 'zookeeper', + ], + }, + 'telemetry', + 'ui', + 'entropy-augmentation', + ], + }, + { + category: 'commands', + content: [ + 'agent', + { + category: 'audit', + content: ['disable', 'enable', 'list'], + }, + { + category: 'auth', + content: ['disable', 'enable', 'help', 'list', 'tune'], + }, + 'debug', + 'delete', + { + category: 'kv', + content: [ + 'delete', + 'destroy', + 
'enable-versioning', + 'get', + 'list', + 'metadata', + 'patch', + 'put', + 'rollback', + 'undelete', + ], + }, + { + category: 'lease', + content: ['renew', 'revoke'], + }, + 'list', + 'login', + 'monitor', + 'namespace', + { + category: 'operator', + content: [ + 'generate-root', + 'init', + 'key-status', + 'migrate', + 'raft', + 'rekey', + 'rotate', + 'seal', + 'step-down', + 'unseal', + 'usage', + ], + }, + 'path-help', + { + category: 'plugin', + content: ['deregister', 'info', 'list', 'register', 'reload'], + }, + { + category: 'policy', + content: ['delete', 'fmt', 'list', 'read', 'write'], + }, + 'read', + { + category: 'secrets', + content: ['disable', 'enable', 'list', 'move', 'tune'], + }, + 'server', + 'ssh', + 'status', + { + category: 'token', + content: ['capabilities', 'create', 'lookup', 'renew', 'revoke'], + }, + 'unwrap', + 'version', + 'write', + 'token-helper', + ], + }, + { + category: 'agent', + content: [ + { + category: 'autoauth', + content: [ + { + category: 'methods', + content: [ + 'alicloud', + 'approle', + 'aws', + 'azure', + 'cert', + 'cf', + 'gcp', + 'jwt', + 'kerberos', + 'kubernetes', + ], + }, + { + category: 'sinks', + content: ['file'], + }, + ], + }, + { + category: 'caching', + content: [ + { + category: 'persistent-caches', + content: [ + 'kubernetes', + ], + }, + ], + }, + 'template', + 'winsvc', + ], + }, + '----------------', + { + category: 'secrets', + content: [ + 'ad', + 'alicloud', + 'aws', + 'azure', + 'consul', + 'cubbyhole', + { + category: 'databases', + content: [ + 'cassandra', + 'couchbase', + 'elasticdb', + 'hanadb', + 'influxdb', + 'mongodb', + 'mongodbatlas', + 'mssql', + 'mysql-maria', + 'oracle', + 'postgresql', + 'redshift', + 'snowflake', + 'custom', + ], + }, + 'gcp', + 'gcpkms', + { + category: 'key-management', + content: ['azurekeyvault', 'awskms'], + }, + 'kmip', + { + category: 'kv', + content: ['kv-v1', 'kv-v2'], + }, + 'identity', + 'mongodbatlas', + 'nomad', + 'openldap', + 'pki', + 'rabbitmq', 
+ { + category: 'ssh', + content: [ + 'signed-ssh-certificates', + 'one-time-ssh-passwords', + 'dynamic-ssh-keys', + ], + }, + 'terraform', + 'totp', + { category: 'transform', content: ['tokenization'] }, + 'transit', + 'venafi', + ], + }, + { + category: 'auth', + content: [ + 'approle', + 'alicloud', + 'aws', + 'azure', + 'cf', + 'github', + 'gcp', + 'jwt', + 'kerberos', + 'kubernetes', + 'ldap', + 'oci', + 'okta', + 'radius', + 'cert', + 'token', + 'userpass', + '---------', + 'app-id', + 'mfa', + ], + }, + { + category: 'audit', + content: ['file', 'syslog', 'socket'], + }, + 'plugin', + 'plugin-portal', + '----------------', + 'what-is-vault', + 'use-cases', + 'partnerships', + '----------------', + { + category: 'platform', + content: [ + { + category: 'k8s', + content: [ + { + category: 'helm', + content: [ + 'run', + 'openshift', + 'configuration', + { + category: 'examples', + content: [ + 'development', + 'standalone-load-balanced-ui', + 'standalone-tls', + 'standalone-audit', + 'external', + 'kubernetes-auth', + 'ha-with-consul', + 'ha-with-raft', + 'enterprise-with-raft', + 'enterprise-dr-with-raft', + 'enterprise-perf-with-raft', + 'injector-tls', + ], + }, + ], + }, + { + category: 'injector', + content: ['annotations', 'installation', 'examples'], + }, + { + category: 'csi', + content: ['configurations', 'examples', 'installation'], + }, + ], + }, + { + category: 'aws-mp', + content: ['run'], + }, + ], + }, + '----------------', + { + category: 'upgrading', + content: [ + 'plugins', + 'upgrade-to-0.5.0', + 'upgrade-to-0.5.1', + 'upgrade-to-0.6.0', + 'upgrade-to-0.6.1', + 'upgrade-to-0.6.2', + 'upgrade-to-0.6.3', + 'upgrade-to-0.6.4', + 'upgrade-to-0.7.0', + 'upgrade-to-0.8.0', + 'upgrade-to-0.9.0', + 'upgrade-to-0.9.1', + 'upgrade-to-0.9.2', + 'upgrade-to-0.9.3', + 'upgrade-to-0.9.6', + 'upgrade-to-0.10.0', + 'upgrade-to-0.10.2', + 'upgrade-to-0.10.4', + 'upgrade-to-0.11.0', + 'upgrade-to-0.11.2', + 'upgrade-to-0.11.6', + 'upgrade-to-1.0.0', + 
'upgrade-to-1.1.0',
+ 'upgrade-to-1.1.1',
+ 'upgrade-to-1.1.2',
+ 'upgrade-to-1.2.0',
+ 'upgrade-to-1.2.1',
+ 'upgrade-to-1.2.4',
+ 'upgrade-to-1.2.5',
+ 'upgrade-to-1.2.6',
+ 'upgrade-to-1.2.7',
+ 'upgrade-to-1.3.0',
+ 'upgrade-to-1.3.2',
+ 'upgrade-to-1.3.3',
+ 'upgrade-to-1.3.4',
+ 'upgrade-to-1.3.5',
+ 'upgrade-to-1.3.8',
+ 'upgrade-to-1.3.9',
+ 'upgrade-to-1.3.10',
+ 'upgrade-to-1.4.0',
+ 'upgrade-to-1.4.1',
+ 'upgrade-to-1.4.4',
+ 'upgrade-to-1.4.5',
+ 'upgrade-to-1.4.6',
+ 'upgrade-to-1.5.0',
+ 'upgrade-to-1.5.1',
+ 'upgrade-to-1.5.2',
+ 'upgrade-to-1.5.3',
+ 'upgrade-to-1.6.0',
+ 'upgrade-to-1.6.1',
+ 'upgrade-to-1.6.2',
+ 'upgrade-to-1.6.3',
+ 'upgrade-to-1.7.0',
+ ],
+ },
+ '----------------',
+ {
+ category: 'release-notes',
+ content: ['1.5.0', '1.6.0', '1.7.0'],
+ },
+ '----------------',
+ {
+ category: 'enterprise',
+ content: [
+ 'replication',
+ {
+ category: 'hsm',
+ content: ['behavior', 'security'],
+ },
+ 'automated-integrated-storage-snapshots',
+ 'lease-count-quotas',
+ 'entropy-augmentation',
+ 'sealwrap',
+ 'namespaces',
+ 'performance-standby',
+ 'consistency',
+ 'control-groups',
+ {
+ category: 'mfa',
+ content: ['mfa-duo', 'mfa-okta', 'mfa-pingid', 'mfa-totp'],
+ },
+ {
+ category: 'sentinel',
+ content: ['examples', 'properties'],
+ },
+ ],
+ },
+]
From e8714dba34826f146956f6aaa5a9892772b7f4d9 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Mon, 5 Apr 2021 15:18:49 -0400
Subject: [PATCH 02/10] Clarify documentation
---
 website/content/docs/agent/caching/index.mdx | 4 ++--
 .../docs/agent/caching/persistent-caches/kubernetes.mdx | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/website/content/docs/agent/caching/index.mdx b/website/content/docs/agent/caching/index.mdx
index 08bf44f30d7..928b123bb60 100644
--- a/website/content/docs/agent/caching/index.mdx
+++ b/website/content/docs/agent/caching/index.mdx
@@ -58,10 +58,10 @@ existing Vault token in the request and instead uses the auto-auth token. ## Persistent Cache -Vault Agent supports creating and restoring tokens and leases from a persistent cache +Vault Agent restoring tokens and leases from a persistent cache file. The persistent cache is a BoltDB file that includes tuples encrypted by a generated encryption key. The encrypted tuples include the Vault token used to retrieve secrets, -leases for tokens and secrets, and secret values. +leases for tokens/secrets, and secret values. -> **Note:** Vault Agent Caching persistent cache will only restore _leased_ secrets. Secrets that are not renewable, such as KV v2, will not be persisted. diff --git a/website/content/docs/agent/caching/persistent-caches/kubernetes.mdx b/website/content/docs/agent/caching/persistent-caches/kubernetes.mdx index cfbd70c40eb..d0f65a0e079 100644 --- a/website/content/docs/agent/caching/persistent-caches/kubernetes.mdx +++ b/website/content/docs/agent/caching/persistent-caches/kubernetes.mdx 
@@ -7,10 +7,10 @@ description: Kubernetes Persistent Cache for Vault Agent Caching # Vault Agent Kubernetes Persistent Cache -The `kubernetes` persistent cache configures Vault Agent persistent caching specifically for -Kubernetes environments. This type of persistent cache requires a Kubernetes service account -token. The service account token is used during encryption and decryption of the persistent cache -as an additional integrity check. +When `kubernetes` is configured for the persistent cache type, Vault Agent will optimize the +persistent cache specifically for Kubernetes. This type of persistent cache requires a Kubernetes +service account token. The service account token is used during encryption and decryption of the +persistent cache as an additional integrity check. The Vault Agent persistent cache file in Kubernetes should only be used for handing off Vault tokens and leases between initialization and sidecar Vault Agent containers. This cache file should be shared From 8e34c50f56f212dcb05f36b4c2c9fcf68b8462c4 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Tue, 6 Apr 2021 09:32:39 -0400 Subject: [PATCH 03/10] Update website/content/docs/agent/caching/index.mdx Co-authored-by: Theron Voran --- website/content/docs/agent/caching/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/agent/caching/index.mdx b/website/content/docs/agent/caching/index.mdx index 928b123bb60..4df33b0a8de 100644 --- a/website/content/docs/agent/caching/index.mdx +++ b/website/content/docs/agent/caching/index.mdx 
@@ -75,7 +75,7 @@ If Vault Agent templating is enabled alongside of the persistent cache, Vault Ag route templating requests through the cache. This ensures template requests are cached and restored properly. At the time of this writing, Vault Agent persistent cache is only supported in a Kubernetes -environment. In the future the persistent cachce will be expanded to include other environments. +environment. In the future the persistent cache will be expanded to include other environments. For more information about the Vault Agent persistent cache, see the sidebar for specific persistent cache types. From fd53ae82c5b03a1569d5ed5ecb7c7d84acce0590 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Tue, 6 Apr 2021 09:32:59 -0400 Subject: [PATCH 04/10] Update website/content/docs/agent/caching/persistent-caches/kubernetes.mdx Co-authored-by: Theron Voran --- .../docs/agent/caching/persistent-caches/kubernetes.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/website/content/docs/agent/caching/persistent-caches/kubernetes.mdx b/website/content/docs/agent/caching/persistent-caches/kubernetes.mdx index d0f65a0e079..55a7c79c0e4 100644 --- a/website/content/docs/agent/caching/persistent-caches/kubernetes.mdx +++ b/website/content/docs/agent/caching/persistent-caches/kubernetes.mdx 
@@ -17,10 +17,10 @@ and leases between initialization and sidecar Vault Agent containers. This cache using a memory volume between the Vault Agent containers. If the Vault Agent Injector for Kubernetes is being used, the persistent cache is automatically configured -and used if the annotation `vault.hashicorp.com/agent-cache-enable: true` is set. +and used if the annotation [`vault.hashicorp.com/agent-cache-enable: true`](/docs/platform/k8s/injector/annotations#vault-hashicorp-com-agent-cache-enable) is set. ## Configuration - `service_account_token_file` `(string: optional)` - When type is set to `kubernetes`, this configures the path on disk where the Kubernetes service account token can be found. - Defaults to `/var/run/secrets/kubernetes.io/serviceaccount/token`. \ No newline at end of file + Defaults to `/var/run/secrets/kubernetes.io/serviceaccount/token`. From 94ddcc6d819c35737dc550a068894d86526dbdda Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Tue, 6 Apr 2021 09:35:20 -0400 Subject: [PATCH 05/10] Update index.mdx --- website/content/docs/agent/caching/index.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/website/content/docs/agent/caching/index.mdx b/website/content/docs/agent/caching/index.mdx index 4df33b0a8de..dd5dd1f6bd7 100644 --- a/website/content/docs/agent/caching/index.mdx +++ b/website/content/docs/agent/caching/index.mdx 
@@ -58,10 +58,10 @@ existing Vault token in the request and instead uses the auto-auth token. ## Persistent Cache -Vault Agent restoring tokens and leases from a persistent cache -file. The persistent cache is a BoltDB file that includes tuples encrypted by a generated -encryption key. The encrypted tuples include the Vault token used to retrieve secrets, -leases for tokens/secrets, and secret values. +Vault Agent can restore tokens and leases from a persistent cache file created by a previous +Vault Agent process. The persistent cache is a BoltDB file that includes tuples encrypted +by a generated encryption key. The encrypted tuples include the Vault token used to retrieve +secrets, leases for tokens/secrets, and secret values. -> **Note:** Vault Agent Caching persistent cache will only restore _leased_ secrets. Secrets that are not renewable, such as KV v2, will not be persisted. From 3134bcd4d22c6a99a422034c583f2cbaa6108a96 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 8 Apr 2021 09:29:30 -0400 Subject: [PATCH 06/10] Update website/content/docs/agent/caching/index.mdx Co-authored-by: Calvin Leung Huang --- website/content/docs/agent/caching/index.mdx | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/website/content/docs/agent/caching/index.mdx b/website/content/docs/agent/caching/index.mdx index dd5dd1f6bd7..40a0d7987ae 100644 --- a/website/content/docs/agent/caching/index.mdx +++ b/website/content/docs/agent/caching/index.mdx @@ -289,8 +289,7 @@ An example configuration, with very contrived values, follows: ```javascript auto_auth { - method { - type = "kubernetes" + method "kubernetes" { config = { role = "foobar" } From b95a0ddec497ca13ef025b33ce51995cbea97fa8 Mon Sep 17 00:00:00 2001 
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 8 Apr 2021 09:29:35 -0400 Subject: [PATCH 07/10] Update website/content/docs/agent/caching/index.mdx Co-authored-by: Calvin Leung Huang --- website/content/docs/agent/caching/index.mdx | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/website/content/docs/agent/caching/index.mdx b/website/content/docs/agent/caching/index.mdx index 40a0d7987ae..8e1449d0ac6 100644 --- a/website/content/docs/agent/caching/index.mdx +++ b/website/content/docs/agent/caching/index.mdx @@ -295,8 +295,7 @@ auto_auth { } } - sink { - type = "file" + sink "file" { config = { path = "/tmp/file-foo" } From b1fd18cfa7cfd142a458ba6050eb407d649d2ff9 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 8 Apr 2021 09:30:42 -0400 Subject: [PATCH 08/10] Update index.mdx --- website/content/docs/agent/caching/index.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/website/content/docs/agent/caching/index.mdx b/website/content/docs/agent/caching/index.mdx index 8e1449d0ac6..8c155dbddfc 100644 --- a/website/content/docs/agent/caching/index.mdx +++ b/website/content/docs/agent/caching/index.mdx 
@@ -66,8 +66,8 @@ secrets, leases for tokens/secrets, and secret values. -> **Note:** Vault Agent Caching persistent cache will only restore _leased_ secrets. Secrets that are not renewable, such as KV v2, will not be persisted. -In order to use Vault Agent persistent cache, auto-authentication must be used. During the restoration -of the cache, Vault Agent will pre-populate auto-authentication with the persisted token. This token +In order to use Vault Agent persistent cache, auto-auth must be used. During the restoration +of the cache, Vault Agent will pre-populate auto-auth with the persisted token. This token is required to renew restored leases. If the token has expired, the cached leases will be evicted and secrets will need to be retrieved from Vault. From 884866824bcd5c03f65a2df1f1446aab224f52e0 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 8 Apr 2021 09:31:09 -0400 Subject: [PATCH 09/10] Update kubernetes.mdx --- .../content/docs/agent/caching/persistent-caches/kubernetes.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/agent/caching/persistent-caches/kubernetes.mdx b/website/content/docs/agent/caching/persistent-caches/kubernetes.mdx index 55a7c79c0e4..4e38ae17804 100644 --- a/website/content/docs/agent/caching/persistent-caches/kubernetes.mdx +++ b/website/content/docs/agent/caching/persistent-caches/kubernetes.mdx @@ -1,6 +1,6 @@ --- layout: docs -page_title: Vault Agent Kubernetes Persistent Cache +page_title: Kubernetes - Vault Agent Persistent Cache sidebar_title: Kubernetes description: Kubernetes Persistent Cache for Vault Agent Caching --- From 2df3cb5c6506e730a6f3eff116ad3a5520ef6678 Mon Sep 17 00:00:00 2001 
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 8 Apr 2021 09:54:52 -0400 Subject: [PATCH 10/10] Resolve conflicts --- .../agent/caching/persistent-caches/index.mdx | 1 - .../caching/persistent-caches/kubernetes.mdx | 17 +- website/data/docs-nav-data.json | 20 +- website/data/docs-navigation.js | 463 ------------------ 4 files changed, 27 insertions(+), 474 deletions(-) delete mode 100644 website/data/docs-navigation.js diff --git a/website/content/docs/agent/caching/persistent-caches/index.mdx b/website/content/docs/agent/caching/persistent-caches/index.mdx index cd9293c1ded..a8d1863c3db 100644 --- a/website/content/docs/agent/caching/persistent-caches/index.mdx +++ b/website/content/docs/agent/caching/persistent-caches/index.mdx @@ -1,7 +1,6 @@ --- layout: docs page_title: Vault Agent Persistent Cache Types -sidebar_title: Persistent Cache description: Persistent Cache Types for Vault Agent Caching --- diff --git a/website/content/docs/agent/caching/persistent-caches/kubernetes.mdx b/website/content/docs/agent/caching/persistent-caches/kubernetes.mdx index 4e38ae17804..5217edb06d8 100644 --- a/website/content/docs/agent/caching/persistent-caches/kubernetes.mdx +++ b/website/content/docs/agent/caching/persistent-caches/kubernetes.mdx 
@@ -1,26 +1,25 @@ --- layout: docs page_title: Kubernetes - Vault Agent Persistent Cache -sidebar_title: Kubernetes description: Kubernetes Persistent Cache for Vault Agent Caching --- # Vault Agent Kubernetes Persistent Cache -When `kubernetes` is configured for the persistent cache type, Vault Agent will optimize the -persistent cache specifically for Kubernetes. This type of persistent cache requires a Kubernetes -service account token. The service account token is used during encryption and decryption of the +When `kubernetes` is configured for the persistent cache type, Vault Agent will optimize the +persistent cache specifically for Kubernetes. This type of persistent cache requires a Kubernetes +service account token. The service account token is used during encryption and decryption of the persistent cache as an additional integrity check. -The Vault Agent persistent cache file in Kubernetes should only be used for handing off Vault tokens -and leases between initialization and sidecar Vault Agent containers. This cache file should be shared +The Vault Agent persistent cache file in Kubernetes should only be used for handing off Vault tokens +and leases between initialization and sidecar Vault Agent containers. This cache file should be shared using a memory volume between the Vault Agent containers. -If the Vault Agent Injector for Kubernetes is being used, the persistent cache is automatically configured +If the Vault Agent Injector for Kubernetes is being used, the persistent cache is automatically configured and used if the annotation [`vault.hashicorp.com/agent-cache-enable: true`](/docs/platform/k8s/injector/annotations#vault-hashicorp-com-agent-cache-enable) is set. ## Configuration -- `service_account_token_file` `(string: optional)` - When type is set to `kubernetes`, - this configures the path on disk where the Kubernetes service account token can be found. 
+- `service_account_token_file` `(string: optional)` - When type is set to `kubernetes`,
+ this configures the path on disk where the Kubernetes service account token can be found.
 Defaults to `/var/run/secrets/kubernetes.io/serviceaccount/token`.
diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json
index 1697a2f9029..44b05b7b05c 100644
--- a/website/data/docs-nav-data.json
+++ b/website/data/docs-nav-data.json
@@ -765,7 +765,25 @@
 },
 {
 "title": "Caching",
- "path": "agent/caching"
+ "routes": [
+ {
+ "title": "Overview",
+ "path": "agent/caching"
+ },
+ {
+ "title": "Persistent Caching",
+ "routes": [
+ {
+ "title": "Overview",
+ "path": "agent/caching/persistent-caches"
+ },
+ {
+ "title": "Kubernetes",
+ "path": "agent/caching/persistent-caches/kubernetes"
+ }
+ ]
+ }
+ ]
 },
 {
 "title": "Templates",
diff --git a/website/data/docs-navigation.js b/website/data/docs-navigation.js
deleted file mode 100644
index 71b2d9cb8a5..00000000000
--- a/website/data/docs-navigation.js
+++ /dev/null
@@ -1,463 +0,0 @@
-// The root folder for this documentation category is `pages/docs`
-//
-// - A string refers to the name of a file
-// - A "category" value refers to the name of a directory
-// - All directories must have an "index.mdx" file to serve as
-// the landing page for the category
-
-export default [
- 'install',
- {
- category: 'internals',
- content: [
- 'architecture',
- 'high-availability',
- 'integrated-storage',
- 'security',
- 'telemetry',
- 'token',
- 'rotation',
- 'replication',
- 'plugins',
- 'limits',
- ],
- },
- {
- category: 'concepts',
- content: [
- 'dev-server',
- 'seal',
- 'lease',
- 'auth',
- 'tokens',
- 'response-wrapping',
- 'policies',
- 'password-policies',
- 'username-templating',
- 'ha',
- {
- category: 'integrated-storage',
- content: ['autopilot'],
- },
- 'pgp-gpg-keybase',
- 'recovery-mode',
- 'resource-quotas',
- 'client-count',
- 'transform',
- ],
- },
- {
- category: 'configuration',
- content: [
- {
- category: 'listener',
- content: ['tcp'],
- },
- 'replication',
- {
- category: 'seal',
- content: [
- 'alicloudkms',
- 'awskms',
- 'azurekeyvault',
- 'gcpckms',
- 'ocikms',
- 'pkcs11',
- 'transit',
- ],
- },
- 'sentinel',
- {
- category: 'service-registration',
- content: ['consul', 'kubernetes'],
- },
- {
- category: 'storage',
- content: [
- 'aerospike',
- 'azure',
- 'cassandra',
- 'cockroachdb',
- 'consul',
- 'couchdb',
- 'dynamodb',
- 'etcd',
- 'filesystem',
- 'foundationdb',
- 'google-cloud-spanner',
- 'google-cloud-storage',
- 'in-memory',
- 'manta',
- 'mssql',
- 'mysql',
- 'oci-object-storage',
- 'postgresql',
- 'raft',
- 's3',
- 'swift',
- 'zookeeper',
- ],
- },
- 'telemetry',
- 'ui',
- 'entropy-augmentation',
- ],
- },
- {
- category: 'commands',
- content: [
- 'agent',
- {
- category: 'audit',
- content: ['disable', 'enable', 'list'],
- },
- {
- category: 'auth',
- content: ['disable', 'enable', 'help', 'list', 'tune'],
- },
- 'debug',
- 'delete',
- {
- category: 'kv',
- content: [
- 'delete',
- 'destroy',
- 
'enable-versioning',
- 'get',
- 'list',
- 'metadata',
- 'patch',
- 'put',
- 'rollback',
- 'undelete',
- ],
- },
- {
- category: 'lease',
- content: ['renew', 'revoke'],
- },
- 'list',
- 'login',
- 'monitor',
- 'namespace',
- {
- category: 'operator',
- content: [
- 'generate-root',
- 'init',
- 'key-status',
- 'migrate',
- 'raft',
- 'rekey',
- 'rotate',
- 'seal',
- 'step-down',
- 'unseal',
- 'usage',
- ],
- },
- 'path-help',
- {
- category: 'plugin',
- content: ['deregister', 'info', 'list', 'register', 'reload'],
- },
- {
- category: 'policy',
- content: ['delete', 'fmt', 'list', 'read', 'write'],
- },
- 'read',
- {
- category: 'secrets',
- content: ['disable', 'enable', 'list', 'move', 'tune'],
- },
- 'server',
- 'ssh',
- 'status',
- {
- category: 'token',
- content: ['capabilities', 'create', 'lookup', 'renew', 'revoke'],
- },
- 'unwrap',
- 'version',
- 'write',
- 'token-helper',
- ],
- },
- {
- category: 'agent',
- content: [
- {
- category: 'autoauth',
- content: [
- {
- category: 'methods',
- content: [
- 'alicloud',
- 'approle',
- 'aws',
- 'azure',
- 'cert',
- 'cf',
- 'gcp',
- 'jwt',
- 'kerberos',
- 'kubernetes',
- ],
- },
- {
- category: 'sinks',
- content: ['file'],
- },
- ],
- },
- {
- category: 'caching',
- content: [
- {
- category: 'persistent-caches',
- content: [
- 'kubernetes',
- ],
- },
- ],
- },
- 'template',
- 'winsvc',
- ],
- },
- '----------------',
- {
- category: 'secrets',
- content: [
- 'ad',
- 'alicloud',
- 'aws',
- 'azure',
- 'consul',
- 'cubbyhole',
- {
- category: 'databases',
- content: [
- 'cassandra',
- 'couchbase',
- 'elasticdb',
- 'hanadb',
- 'influxdb',
- 'mongodb',
- 'mongodbatlas',
- 'mssql',
- 'mysql-maria',
- 'oracle',
- 'postgresql',
- 'redshift',
- 'snowflake',
- 'custom',
- ],
- },
- 'gcp',
- 'gcpkms',
- {
- category: 'key-management',
- content: ['azurekeyvault', 'awskms'],
- },
- 'kmip',
- {
- category: 'kv',
- content: ['kv-v1', 'kv-v2'],
- },
- 'identity',
- 'mongodbatlas',
- 'nomad',
- 'openldap',
- 'pki',
- 'rabbitmq',
- {
- category: 'ssh',
- content: [
- 'signed-ssh-certificates',
- 'one-time-ssh-passwords',
- 'dynamic-ssh-keys',
- ],
- },
- 'terraform',
- 'totp',
- { category: 'transform', content: ['tokenization'] },
- 'transit',
- 'venafi',
- ],
- },
- {
- category: 'auth',
- content: [
- 'approle',
- 'alicloud',
- 'aws',
- 'azure',
- 'cf',
- 'github',
- 'gcp',
- 'jwt',
- 'kerberos',
- 'kubernetes',
- 'ldap',
- 'oci',
- 'okta',
- 'radius',
- 'cert',
- 'token',
- 'userpass',
- '---------',
- 'app-id',
- 'mfa',
- ],
- },
- {
- category: 'audit',
- content: ['file', 'syslog', 'socket'],
- },
- 'plugin',
- 'plugin-portal',
- '----------------',
- 'what-is-vault',
- 'use-cases',
- 'partnerships',
- '----------------',
- {
- category: 'platform',
- content: [
- {
- category: 'k8s',
- content: [
- {
- category: 'helm',
- content: [
- 'run',
- 'openshift',
- 'configuration',
- {
- category: 'examples',
- content: [
- 'development',
- 'standalone-load-balanced-ui',
- 'standalone-tls',
- 'standalone-audit',
- 'external',
- 'kubernetes-auth',
- 'ha-with-consul',
- 'ha-with-raft',
- 'enterprise-with-raft',
- 'enterprise-dr-with-raft',
- 'enterprise-perf-with-raft',
- 'injector-tls',
- ],
- },
- ],
- },
- {
- category: 'injector',
- content: ['annotations', 'installation', 'examples'],
- },
- {
- category: 'csi',
- content: ['configurations', 'examples', 'installation'],
- },
- ],
- },
- {
- category: 'aws-mp',
- content: ['run'],
- },
- ],
- },
- '----------------',
- {
- category: 'upgrading',
- content: [
- 'plugins',
- 'upgrade-to-0.5.0',
- 'upgrade-to-0.5.1',
- 'upgrade-to-0.6.0',
- 'upgrade-to-0.6.1',
- 'upgrade-to-0.6.2',
- 'upgrade-to-0.6.3',
- 'upgrade-to-0.6.4',
- 'upgrade-to-0.7.0',
- 'upgrade-to-0.8.0',
- 'upgrade-to-0.9.0',
- 'upgrade-to-0.9.1',
- 'upgrade-to-0.9.2',
- 'upgrade-to-0.9.3',
- 'upgrade-to-0.9.6',
- 'upgrade-to-0.10.0',
- 'upgrade-to-0.10.2',
- 'upgrade-to-0.10.4',
- 'upgrade-to-0.11.0',
- 'upgrade-to-0.11.2',
- 'upgrade-to-0.11.6',
- 'upgrade-to-1.0.0',
- 
'upgrade-to-1.1.0',
- 'upgrade-to-1.1.1',
- 'upgrade-to-1.1.2',
- 'upgrade-to-1.2.0',
- 'upgrade-to-1.2.1',
- 'upgrade-to-1.2.4',
- 'upgrade-to-1.2.5',
- 'upgrade-to-1.2.6',
- 'upgrade-to-1.2.7',
- 'upgrade-to-1.3.0',
- 'upgrade-to-1.3.2',
- 'upgrade-to-1.3.3',
- 'upgrade-to-1.3.4',
- 'upgrade-to-1.3.5',
- 'upgrade-to-1.3.8',
- 'upgrade-to-1.3.9',
- 'upgrade-to-1.3.10',
- 'upgrade-to-1.4.0',
- 'upgrade-to-1.4.1',
- 'upgrade-to-1.4.4',
- 'upgrade-to-1.4.5',
- 'upgrade-to-1.4.6',
- 'upgrade-to-1.5.0',
- 'upgrade-to-1.5.1',
- 'upgrade-to-1.5.2',
- 'upgrade-to-1.5.3',
- 'upgrade-to-1.6.0',
- 'upgrade-to-1.6.1',
- 'upgrade-to-1.6.2',
- 'upgrade-to-1.6.3',
- 'upgrade-to-1.7.0',
- ],
- },
- '----------------',
- {
- category: 'release-notes',
- content: ['1.5.0', '1.6.0', '1.7.0'],
- },
- '----------------',
- {
- category: 'enterprise',
- content: [
- 'replication',
- {
- category: 'hsm',
- content: ['behavior', 'security'],
- },
- 'automated-integrated-storage-snapshots',
- 'lease-count-quotas',
- 'entropy-augmentation',
- 'sealwrap',
- 'namespaces',
- 'performance-standby',
- 'consistency',
- 'control-groups',
- {
- category: 'mfa',
- content: ['mfa-duo', 'mfa-okta', 'mfa-pingid', 'mfa-totp'],
- },
- {
- category: 'sentinel',
- content: ['examples', 'properties'],
- },
- ],
- },
-]