[DOCS] Manual cherry pick PR 28746 to 1.17.x doc (#29186)
* Docs/secrets sync ssrf private endpoints (#28746)

* docs: add Secrets Sync SSRF protection breaking change to 1.17 upgrade guide

The Secrets Sync feature in 1.17.3 introduced SSRF protection that blocks private IP ranges, affecting users accessing secret stores through private endpoints. This adds documentation about the change and available options.

* renamed issue

* referenced secret sync ssrf known issue

* re-ordered secret sync known issue in page

* Hide copy-to-clipboard button on the output example codeblock

---------

Co-authored-by: yhyakuna <yoko@hashicorp.com>

* Remove extra include

---------

Co-authored-by: James <135497751+pixambi@users.noreply.github.com>
yhyakuna and pixambi authored Dec 13, 2024
1 parent 826683d commit e017eb2
Showing 2 changed files with 23 additions and 0 deletions.
2 changes: 2 additions & 0 deletions website/content/docs/upgrading/upgrade-to-1.17.x.mdx
Expand Up @@ -203,3 +203,5 @@ more details, and information about opt-out.
@include 'known-issues/aws-auth-external-id.mdx'

@include 'known-issues/sync-activation-flags-cache-not-updated.mdx'

@include 'known-issues/1_17_secrets-sync-ssrf-private-endpoints.mdx'
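Review bot: the new partial's file name carries a `1_17_` prefix while the two sibling includes in this same block (`aws-auth-external-id.mdx`, `sync-activation-flags-cache-not-updated.mdx`) do not; if the prefix is meant to mark the partial as specific to the 1.17 guide that is fine, otherwise align it with the neighbouring names so the known-issues directory stays consistent.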
@@ -0,0 +1,21 @@
### Secrets Sync SSRF Protection May Block Private Endpoints

As of version 1.17.3, Vault's Secrets Sync includes additional Server-Side Request Forgery (SSRF) protection measures. This security enhancement prevents sync operations to certain IP ranges by introducing a new SSRF-safe HTTP client. The client specifically blocks requests to private IP ranges (such as 10.0.0.0/8), which affects users accessing cloud provider secret stores through private endpoints.

**Impact:**
- Secrets Sync operations to private IP ranges will be blocked
- Affects all destinations when accessed via private endpoints

**Example error message:**

<CodeBlockConfig hideClipboard>

```plaintext
couldn't sync secret with store: failed to publish event: dial tcp [IP]: prohibited IP address: [IP] is not a permitted destination (denied by: 10.0.0.0/8)
```

</CodeBlockConfig>

**Current Workaround:**
1. Remain on Vault version 1.17.2 or earlier if you require Secrets Sync with private endpoints
2. Use public endpoints for your secret store services
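Review bot: workaround 1 ("Remain on Vault version 1.17.2 or earlier") tells readers to forgo an upgrade without stating the trade-off; the note should say plainly that staying on 1.17.2 also means staying without the SSRF protection described in the first paragraph and without any other fixes shipped in 1.17.3, so operators can weigh that against losing private-endpoint sync. Two smaller points in the same hunk: the first paragraph says the client blocks "private IP ranges (such as 10.0.0.0/8)" without giving the full set of denied ranges, yet readers need the complete list (for example whether the other RFC 1918 ranges, loopback and link-local addresses are also denied) to judge whether their own endpoints are affected; and the commit message promises "available options" while the page lists only the two workarounds, so if a configuration knob to permit specific ranges exists or is planned it should be named here, and if none exists the page should say so explicitly.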
