UI/merge main (#14997)

* Vault documentation: changing references from learn to tutorial (#14844) * changed learn to tutorial references * changed learn to tutorial * Update website/content/docs/plugins/plugin-portal.mdx Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com> * Update website/content/docs/platform/aws/run.mdx Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com> Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com> * UI/Only show form values if have read access (#14794) * only show value in edit form if has read capabilities * revert messing with form * delete secret data from secret * add check for selected version * remove added line * add changelog * modified text (#14854) * fixed a link issue (#14850) * docs: add known issue to 1.10 release notes (#14859) * Vault 3999 Change permissions for directory/archive created by debug command (#14846) * adding debug changes from ent * adding changelog * Vault 3992 ToB Config and Plugins Permissions (#14817) * updating changes from ent PR * adding changelog * fixing err * fixing semgrep error * updated references from learn to tutorial (#14866) * updated references from learn to tutorial (#14867) * changed reference from learn to tutorial (#14868) * Fix handling of default zero SignatureBits value with Any key type in PKI Secrets Engine (#14875) * Correctly handle minimums, default SignatureBits When using KeyType = "any" on a role (whether explicitly or implicitly via a sign-verbatim like operation), we need to update the value of SignatureBits from its new value 0 to a per-key-type default value. This will allow sign operations on these paths to function correctly, having the correctly inferred default signature bit length. Additionally, this allows the computed default value for key type to be used for minimum size validation in the RSA/ECDSA paths. We additionally enforce the 2048-minimum in this case as well. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Fix defaults and validation of "any" KeyType When certutil is given the placeholder any keytype, it attempts to validate and update the default zero value. However, in lacking a default value for SignatureBits, it cannot update the value from the zero value, thus causing validation to fail. Add more awareness to the placeholder "any" value to certutil. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add role-based regression tests for key bits This adds regression tests for Key Type, Key Bits, and Signature Bits parameters on the role. We test several values, including the "any" value to ensure it correctly restricts key sizes. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add sign-verbatim test for key type This ensures that we test sign-verbatim against a variety of key types. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog entry Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Co-authored-by: Steven Clark <steven.clark@hashicorp.com> * Subtle docs change for allow_store_key (#14889) * Subtle docs change for allow_store_key * errant space * Adds Vault version prerelease and metadata to logical.PluginEnvironment (#14851) * docs: fix formatting on plugin upgrade page (#14874) * docs: fix formatting on plugin upgrade page * fix more formatting issues * Update CC docs (#14714) * Update CC docs * Add sample response * Address review feedback * Update website/content/api-docs/system/internal-counters.mdx Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> * Update website/content/api-docs/system/internal-counters.mdx Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> * Update website/content/api-docs/system/internal-counters.mdx Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> * Update website/content/api-docs/system/internal-counters.mdx Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> * Update website/content/api-docs/system/internal-counters.mdx Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> * Update website/content/api-docs/system/internal-counters.mdx Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> * Update website/content/api-docs/system/internal-counters.mdx Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> * Update website/content/api-docs/system/internal-counters.mdx Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> * Update website/content/api-docs/system/internal-counters.mdx Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> * Update website/content/api-docs/system/internal-counters.mdx Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> * Update website/content/api-docs/system/internal-counters.mdx Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> * Update website/content/api-docs/system/internal-counters.mdx Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> * Update website/content/api-docs/system/internal-counters.mdx Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> * Update website/content/api-docs/system/internal-counters.mdx Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> * Update website/content/api-docs/system/internal-counters.mdx Co-authored-by: Meggie <meggie@hashicorp.com> * Update website/content/api-docs/system/internal-counters.mdx Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> * Update website/content/api-docs/system/internal-counters.mdx Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> * Minor edits * Update partial month API Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> Co-authored-by: Meggie <meggie@hashicorp.com> * Docs improvements for Managed Keys (#14756) * Add more color around managed keys in their concepts page, and create additional links between the various docs pages related to them. * Typos * sdk/useragent: plugin version string consistent with Vault version string (#14912) * clean up (#14911) * website: fix usages of img tag (#14910) * fix usages of img tag and integrate dev-portal workflows * Adjust Makefile * remove mount_accessor from the docs (#14927) * Add extra test coverage to PKI (#14767) * Add PKI test for delete role - Create a role, validate that defaults are what we expect and delete the role, verifying it is gone on subsequent read attempts. * Add PKI test for crl/rotate command - Missing a unit test that validates the crl/rotate command works. The test validates the rotate command was successful by checking if we have a different/new update time on the CRL. * Rework PKI TestBackend_PathFetchValidRaw test to not write directly to storage - Rework the existing test to not write directly to storage as we might change that in the future. - Add tests that validate the ca_chain behaviour of not returning the root authority cert * PR Feedback * Additional PR feedback * Use WriteWithContext in auth helpers (#14775) * Add ability to pass certificate PEM bytes to vault/api (#14753) * Respect increment value in grace period calculations (api/LifetimeWatcher) (#14836) * Mount flag syntax to mitigate confusion from KV-v2 path discrepancies (#14807) * Add explanation to help text and flag usage text * KV get with new mount flag * Clearer naming * KV Put, Patch, Metadata Get + corresponding tests * KV Delete, Destroy, Rollback, Undelete, MetadataDelete, MetadataPatch, MetadataPut * Update KV-v2 docs to use mount flag syntax * Add changelog * Run make fmt * Clarify deprecation message in help string * Address style comments * Update vault-plugin-auth-gcp to newest pseudo-version (#14923) * docs: added hello-vault-spring repo link to developer-qs.mdx. (#14928) * Update developer-qs.mdx docs: added link to Java / Spring Boot sample app repo in developer quick start. * removed space. * trigger ci Co-authored-by: taoism4504 <loann@hashicorp.com> * OIDC Login Bug (#14916) * fixes issue logging in with oidc from listed auth path tab * adds changelog entry * adds more tests for oidc auth workflow * updates oidc auth method test to use non-standard path * Fix handling of SignatureBits for ECDSA issuers (#14943) When adding SignatureBits control logic, we incorrectly allowed specification of SignatureBits in the case of an ECDSA issuer. As noted in the original request, NIST and Mozilla (and others) are fairly prescriptive in the choice of signatures (matching the size of the NIST P-curve), and we shouldn't usually use a smaller (or worse, larger and truncate!) hash. Ignore the configuration of signature bits and always use autodetection for ECDSA like ed25519. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Bug Fix and Glimmerize secret-edit component (#14941) * inital glimmerize * wip * wip * wip * fix maybeQueryRecord * fix * fix * fix test * cleanup * add changelog * clean up * Agent error log level is mismatched (#14424) * [VAULT-1618] Agent error log level is mismatched `logLevelToStringPtr` translates `go-hclog`'s `ERROR` to `"ERROR"` for Consul Template's runner, but that expects `ERR` and is quite strict about it. This will address hashicorp/vault-k8s#223 after it is set as the default image in `vault-k8s`. I didn't find a simple way to test this other than starting up a full server and agent and letting them run, which is unfortunately fairly slow. I confirmed that this addresses the original issue by modifying the helm chart with the values in this commit and patching the log level to `err`. * VAULT-1618 Add changelog/14424.txt * VAULT-1618 Update changelog/14424.txt based on @kalafut suggestion Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com> * VAULT-1618 Move cancel and server stop into defer in tests * VAULT-1618 Triggering CircleCI tests * VAULT-1618 Replace ioutil with os functions for agent template tests Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com> * UI/Add months to activity serializer (#14942) * add mock monthly data to mirage handler * add months to serializer for activity response * change selectors Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com> * clean up serializer * please stop being flakey <3 Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com> * Revert the WithContext changes to vault tests (#14947) * adding env var (#14958) * Fix dead link for JWT supported algorithms (#14953) * Don't clone OutputCurlString value (#14968) * Don't clone OutputCurlString value, add flag to docs * Add changelog * Ensure initialMmapSize is 0 on Windows (#14977) * ensure initialMmapSize is 0 on windows * add changelog * Vault 3992 documentation changes (#14918) * doc changes * adding config changes * adding chnages to plugins * using include * making doc changes * adding newline * aws auth displayName (#14954) * set displayName to include RoleSessionName * Add Windows error (#14982) * Warnings indicating ignored and replaced parameters (#14962) * Warnings indicating ignored and replaced parameters * Avoid additional var creation * Add warnings only if the response is non-nil * Return the response even when error is non-nil * Fix tests * Rearrange comments * Print warning in the log * Fix another test * Add CL * Fix edit capabilities call in auth method (#14966) * Fix edit capabilities call in auth method - Capabilities call was not getting triggered correctly as apiPath method was missing the correct context. * Added changelog * make linting fix Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com> Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com> Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com> Co-authored-by: akshya96 <87045294+akshya96@users.noreply.github.com> Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com> Co-authored-by: Steven Clark <steven.clark@hashicorp.com> Co-authored-by: Scott Miller <smiller@hashicorp.com> Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com> Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com> Co-authored-by: Meggie <meggie@hashicorp.com> Co-authored-by: Bryce Kalow <bkalow@hashicorp.com> Co-authored-by: Josh Black <raskchanky@users.noreply.github.com> Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com> Co-authored-by: VAL <val@hashicorp.com> Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com> Co-authored-by: mryan-hashi <88851444+mryan-hashi@users.noreply.github.com> Co-authored-by: taoism4504 <loann@hashicorp.com> Co-authored-by: Jordan Reimer <zofskeez@gmail.com> Co-authored-by: Christopher Swenson <swenson@swenson.io> Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com> Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com> Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com> Co-authored-by: Jose Estrada <jose.estrada@tradeshift.com> Co-authored-by: Arnav Palnitkar <arnav@hashicorp.com>
hashicorp · Apr 11, 2022 · 3f1ab4c · 3f1ab4c
1 parent d73182f
commit 3f1ab4c
Show file tree

Hide file tree

Showing 280 changed files with 5,631 additions and 2,358 deletions.
diff --git a/api/auth/approle/approle.go b/api/auth/approle/approle.go
@@ -100,6 +100,10 @@ func NewAppRoleAuth(roleID string, secretID *SecretID, opts ...LoginOption) (*Ap
 }
 
 func (a *AppRoleAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) {
+	if ctx == nil {
+		ctx = context.Background()
+	}
+
 	loginData := map[string]interface{}{
 		"role_id": a.roleID,
 	}
@@ -125,7 +129,7 @@ func (a *AppRoleAuth) Login(ctx context.Context, client *api.Client) (*api.Secre
 
 	// if the caller indicated that the value was actually a wrapping token, unwrap it first
 	if a.unwrap {
-		unwrappedToken, err := client.Logical().Unwrap(secretIDValue)
+		unwrappedToken, err := client.Logical().UnwrapWithContext(ctx, secretIDValue)
 		if err != nil {
 			return nil, fmt.Errorf("unable to unwrap response wrapping token: %w", err)
 		}
@@ -135,7 +139,7 @@ func (a *AppRoleAuth) Login(ctx context.Context, client *api.Client) (*api.Secre
 	}
 
 	path := fmt.Sprintf("auth/%s/login", a.mountPath)
-	resp, err := client.Logical().Write(path, loginData)
+	resp, err := client.Logical().WriteWithContext(ctx, path, loginData)
 	if err != nil {
 		return nil, fmt.Errorf("unable to log in with app role auth: %w", err)
 	}

diff --git a/api/auth/aws/aws.go b/api/auth/aws/aws.go
@@ -84,6 +84,10 @@ func NewAWSAuth(opts ...LoginOption) (*AWSAuth, error) {
 // variables. To specify a path to a credentials file on disk instead, set
 // the environment variable AWS_SHARED_CREDENTIALS_FILE.
 func (a *AWSAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) {
+	if ctx == nil {
+		ctx = context.Background()
+	}
+
 	loginData := make(map[string]interface{})
 	switch a.authType {
 	case ec2Type:
@@ -182,7 +186,7 @@ func (a *AWSAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, e
 	}
 
 	path := fmt.Sprintf("auth/%s/login", a.mountPath)
-	resp, err := client.Logical().Write(path, loginData)
+	resp, err := client.Logical().WriteWithContext(ctx, path, loginData)
 	if err != nil {
 		return nil, fmt.Errorf("unable to log in with AWS auth: %w", err)
 	}

diff --git a/api/auth/azure/azure.go b/api/auth/azure/azure.go
@@ -90,6 +90,10 @@ func NewAzureAuth(roleName string, opts ...LoginOption) (*AzureAuth, error) {
 // Login sets up the required request body for the Azure auth method's /login
 // endpoint, and performs a write to it.
 func (a *AzureAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) {
+	if ctx == nil {
+		ctx = context.Background()
+	}
+
 	jwtResp, err := a.getJWT()
 	if err != nil {
 		return nil, fmt.Errorf("unable to get access token: %w", err)
@@ -110,7 +114,7 @@ func (a *AzureAuth) Login(ctx context.Context, client *api.Client) (*api.Secret,
 	}
 
 	path := fmt.Sprintf("auth/%s/login", a.mountPath)
-	resp, err := client.Logical().Write(path, loginData)
+	resp, err := client.Logical().WriteWithContext(ctx, path, loginData)
 	if err != nil {
 		return nil, fmt.Errorf("unable to log in with Azure auth: %w", err)
 	}

diff --git a/api/auth/gcp/gcp.go b/api/auth/gcp/gcp.go
@@ -67,6 +67,10 @@ func NewGCPAuth(roleName string, opts ...LoginOption) (*GCPAuth, error) {
 // endpoint, and performs a write to it. This method defaults to the "gce"
 // auth type unless NewGCPAuth is called with WithIAMAuth().
 func (a *GCPAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) {
+	if ctx == nil {
+		ctx = context.Background()
+	}
+
 	loginData := map[string]interface{}{
 		"role": a.roleName,
 	}
@@ -86,7 +90,7 @@ func (a *GCPAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, e
 	}
 
 	path := fmt.Sprintf("auth/%s/login", a.mountPath)
-	resp, err := client.Logical().Write(path, loginData)
+	resp, err := client.Logical().WriteWithContext(ctx, path, loginData)
 	if err != nil {
 		return nil, fmt.Errorf("unable to log in with GCP auth: %w", err)
 	}

diff --git a/api/auth/kubernetes/kubernetes.go b/api/auth/kubernetes/kubernetes.go
@@ -68,13 +68,17 @@ func NewKubernetesAuth(roleName string, opts ...LoginOption) (*KubernetesAuth, e
 }
 
 func (a *KubernetesAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) {
+	if ctx == nil {
+		ctx = context.Background()
+	}
+
 	loginData := map[string]interface{}{
 		"jwt":  a.serviceAccountToken,
 		"role": a.roleName,
 	}
 
 	path := fmt.Sprintf("auth/%s/login", a.mountPath)
-	resp, err := client.Logical().Write(path, loginData)
+	resp, err := client.Logical().WriteWithContext(ctx, path, loginData)
 	if err != nil {
 		return nil, fmt.Errorf("unable to log in with Kubernetes auth: %w", err)
 	}

diff --git a/api/auth/ldap/ldap.go b/api/auth/ldap/ldap.go
@@ -84,6 +84,10 @@ func NewLDAPAuth(username string, password *Password, opts ...LoginOption) (*LDA
 }
 
 func (a *LDAPAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) {
+	if ctx == nil {
+		ctx = context.Background()
+	}
+
 	loginData := make(map[string]interface{})
 
 	if a.passwordFile != "" {
@@ -103,7 +107,7 @@ func (a *LDAPAuth) Login(ctx context.Context, client *api.Client) (*api.Secret,
 	}
 
 	path := fmt.Sprintf("auth/%s/login/%s", a.mountPath, a.username)
-	resp, err := client.Logical().Write(path, loginData)
+	resp, err := client.Logical().WriteWithContext(ctx, path, loginData)
 	if err != nil {
 		return nil, fmt.Errorf("unable to log in with LDAP auth: %w", err)
 	}

diff --git a/api/auth/userpass/userpass.go b/api/auth/userpass/userpass.go
@@ -88,6 +88,10 @@ func NewUserpassAuth(username string, password *Password, opts ...LoginOption) (
 }
 
 func (a *UserpassAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) {
+	if ctx == nil {
+		ctx = context.Background()
+	}
+
 	loginData := make(map[string]interface{})
 
 	if a.passwordFile != "" {
@@ -107,7 +111,7 @@ func (a *UserpassAuth) Login(ctx context.Context, client *api.Client) (*api.Secr
 	}
 
 	path := fmt.Sprintf("auth/%s/login/%s", a.mountPath, a.username)
-	resp, err := client.Logical().Write(path, loginData)
+	resp, err := client.Logical().WriteWithContext(ctx, path, loginData)
 	if err != nil {
 		return nil, fmt.Errorf("unable to log in with userpass auth: %w", err)
 	}

diff --git a/api/client.go b/api/client.go
@@ -36,6 +36,7 @@ const (
 	EnvVaultAddress       = "VAULT_ADDR"
 	EnvVaultAgentAddr     = "VAULT_AGENT_ADDR"
 	EnvVaultCACert        = "VAULT_CACERT"
+	EnvVaultCACertBytes   = "VAULT_CACERT_BYTES"
 	EnvVaultCAPath        = "VAULT_CAPATH"
 	EnvVaultClientCert    = "VAULT_CLIENT_CERT"
 	EnvVaultClientKey     = "VAULT_CLIENT_KEY"
@@ -172,9 +173,14 @@ type Config struct {
 // used to communicate with Vault.
 type TLSConfig struct {
 	// CACert is the path to a PEM-encoded CA cert file to use to verify the
-	// Vault server SSL certificate.
+	// Vault server SSL certificate. It takes precedence over CACertBytes
+	// and CAPath.
 	CACert string
 
+	// CACertBytes is a PEM-encoded certificate or bundle. It takes precedence
+	// over CAPath.
+	CACertBytes []byte
+
 	// CAPath is the path to a directory of PEM-encoded CA cert files to verify
 	// the Vault server SSL certificate.
 	CAPath string
@@ -266,12 +272,13 @@ func (c *Config) configureTLS(t *TLSConfig) error {
 		return fmt.Errorf("both client cert and client key must be provided")
 	}
 
-	if t.CACert != "" || t.CAPath != "" {
+	if t.CACert != "" || len(t.CACertBytes) != 0 || t.CAPath != "" {
 		c.curlCACert = t.CACert
 		c.curlCAPath = t.CAPath
 		rootConfig := &rootcerts.Config{
-			CAFile: t.CACert,
-			CAPath: t.CAPath,
+			CAFile:        t.CACert,
+			CACertificate: t.CACertBytes,
+			CAPath:        t.CAPath,
 		}
 		if err := rootcerts.ConfigureTLS(clientTLSConfig, rootConfig); err != nil {
 			return err
@@ -313,6 +320,7 @@ func (c *Config) ReadEnvironment() error {
 	var envAddress string
 	var envAgentAddress string
 	var envCACert string
+	var envCACertBytes []byte
 	var envCAPath string
 	var envClientCert string
 	var envClientKey string
@@ -343,6 +351,9 @@ func (c *Config) ReadEnvironment() error {
 	if v := os.Getenv(EnvVaultCACert); v != "" {
 		envCACert = v
 	}
+	if v := os.Getenv(EnvVaultCACertBytes); v != "" {
+		envCACertBytes = []byte(v)
+	}
 	if v := os.Getenv(EnvVaultCAPath); v != "" {
 		envCAPath = v
 	}
@@ -398,6 +409,7 @@ func (c *Config) ReadEnvironment() error {
 	// Configure the HTTP clients TLS configuration.
 	t := &TLSConfig{
 		CACert:        envCACert,
+		CACertBytes:   envCACertBytes,
 		CAPath:        envCAPath,
 		ClientCert:    envClientCert,
 		ClientKey:     envClientKey,
@@ -576,7 +588,6 @@ func (c *Client) CloneConfig() *Config {
 	newConfig.CheckRetry = c.config.CheckRetry
 	newConfig.Logger = c.config.Logger
 	newConfig.Limiter = c.config.Limiter
-	newConfig.OutputCurlString = c.config.OutputCurlString
 	newConfig.SRVLookup = c.config.SRVLookup
 	newConfig.CloneHeaders = c.config.CloneHeaders
 	newConfig.CloneToken = c.config.CloneToken
@@ -990,22 +1001,21 @@ func (c *Client) clone(cloneHeaders bool) (*Client, error) {
 	defer config.modifyLock.RUnlock()
 
 	newConfig := &Config{
-		Address:          config.Address,
-		HttpClient:       config.HttpClient,
-		MinRetryWait:     config.MinRetryWait,
-		MaxRetryWait:     config.MaxRetryWait,
-		MaxRetries:       config.MaxRetries,
-		Timeout:          config.Timeout,
-		Backoff:          config.Backoff,
-		CheckRetry:       config.CheckRetry,
-		Logger:           config.Logger,
-		Limiter:          config.Limiter,
-		OutputCurlString: config.OutputCurlString,
-		AgentAddress:     config.AgentAddress,
-		SRVLookup:        config.SRVLookup,
-		CloneHeaders:     config.CloneHeaders,
-		CloneToken:       config.CloneToken,
-		ReadYourWrites:   config.ReadYourWrites,
+		Address:        config.Address,
+		HttpClient:     config.HttpClient,
+		MinRetryWait:   config.MinRetryWait,
+		MaxRetryWait:   config.MaxRetryWait,
+		MaxRetries:     config.MaxRetries,
+		Timeout:        config.Timeout,
+		Backoff:        config.Backoff,
+		CheckRetry:     config.CheckRetry,
+		Logger:         config.Logger,
+		Limiter:        config.Limiter,
+		AgentAddress:   config.AgentAddress,
+		SRVLookup:      config.SRVLookup,
+		CloneHeaders:   config.CloneHeaders,
+		CloneToken:     config.CloneToken,
+		ReadYourWrites: config.ReadYourWrites,
 	}
 	client, err := NewClient(newConfig)
 	if err != nil {

diff --git a/api/client_test.go b/api/client_test.go
@@ -262,24 +262,37 @@ func TestDefaulRetryPolicy(t *testing.T) {
 
 func TestClientEnvSettings(t *testing.T) {
 	cwd, _ := os.Getwd()
+
+	caCertBytes, err := os.ReadFile(cwd + "/test-fixtures/keys/cert.pem")
+	if err != nil {
+		t.Fatalf("error reading %q cert file: %v", cwd+"/test-fixtures/keys/cert.pem", err)
+	}
+
 	oldCACert := os.Getenv(EnvVaultCACert)
+	oldCACertBytes := os.Getenv(EnvVaultCACertBytes)
 	oldCAPath := os.Getenv(EnvVaultCAPath)
 	oldClientCert := os.Getenv(EnvVaultClientCert)
 	oldClientKey := os.Getenv(EnvVaultClientKey)
 	oldSkipVerify := os.Getenv(EnvVaultSkipVerify)
 	oldMaxRetries := os.Getenv(EnvVaultMaxRetries)
+
 	os.Setenv(EnvVaultCACert, cwd+"/test-fixtures/keys/cert.pem")
+	os.Setenv(EnvVaultCACertBytes, string(caCertBytes))
 	os.Setenv(EnvVaultCAPath, cwd+"/test-fixtures/keys")
 	os.Setenv(EnvVaultClientCert, cwd+"/test-fixtures/keys/cert.pem")
 	os.Setenv(EnvVaultClientKey, cwd+"/test-fixtures/keys/key.pem")
 	os.Setenv(EnvVaultSkipVerify, "true")
 	os.Setenv(EnvVaultMaxRetries, "5")
-	defer os.Setenv(EnvVaultCACert, oldCACert)
-	defer os.Setenv(EnvVaultCAPath, oldCAPath)
-	defer os.Setenv(EnvVaultClientCert, oldClientCert)
-	defer os.Setenv(EnvVaultClientKey, oldClientKey)
-	defer os.Setenv(EnvVaultSkipVerify, oldSkipVerify)
-	defer os.Setenv(EnvVaultMaxRetries, oldMaxRetries)
+
+	defer func() {
+		os.Setenv(EnvVaultCACert, oldCACert)
+		os.Setenv(EnvVaultCACertBytes, oldCACertBytes)
+		os.Setenv(EnvVaultCAPath, oldCAPath)
+		os.Setenv(EnvVaultClientCert, oldClientCert)
+		os.Setenv(EnvVaultClientKey, oldClientKey)
+		os.Setenv(EnvVaultSkipVerify, oldSkipVerify)
+		os.Setenv(EnvVaultMaxRetries, oldMaxRetries)
+	}()
 
 	config := DefaultConfig()
 	if err := config.ReadEnvironment(); err != nil {
@@ -513,8 +526,8 @@ func TestClone(t *testing.T) {
 			if parent.MaxRetries() != clone.MaxRetries() {
 				t.Fatalf("maxRetries don't match: %v vs %v", parent.MaxRetries(), clone.MaxRetries())
 			}
-			if parent.OutputCurlString() != clone.OutputCurlString() {
-				t.Fatalf("outputCurlString doesn't match: %v vs %v", parent.OutputCurlString(), clone.OutputCurlString())
+			if parent.OutputCurlString() == clone.OutputCurlString() {
+				t.Fatalf("outputCurlString was copied over when it shouldn't have been: %v and %v", parent.OutputCurlString(), clone.OutputCurlString())
 			}
 			if parent.SRVLookup() != clone.SRVLookup() {
 				t.Fatalf("SRVLookup doesn't match: %v vs %v", parent.SRVLookup(), clone.SRVLookup())

diff --git a/api/lifetime_watcher.go b/api/lifetime_watcher.go
@@ -113,7 +113,9 @@ type LifetimeWatcherInput struct {
 
 	// The new TTL, in seconds, that should be set on the lease. The TTL set
 	// here may or may not be honored by the vault server, based on Vault
-	// configuration or any associated max TTL values.
+	// configuration or any associated max TTL values. If specified, the
+	// minimum of this value and the remaining lease duration will be used
+	// for grace period calculations.
 	Increment int
 
 	// RenewBehavior controls what happens when a renewal errors or the
@@ -257,7 +259,7 @@ func (r *LifetimeWatcher) doRenewWithOptions(tokenMode bool, nonRenewable bool,
 
 	initialTime := time.Now()
 	priorDuration := time.Duration(initLeaseDuration) * time.Second
-	r.calculateGrace(priorDuration)
+	r.calculateGrace(priorDuration, time.Duration(r.increment)*time.Second)
 	var errorBackoff backoff.BackOff
 
 	for {
@@ -345,7 +347,7 @@ func (r *LifetimeWatcher) doRenewWithOptions(tokenMode bool, nonRenewable bool,
 			// extending. Once it stops extending, we've hit the max and need to
 			// rely on the grace duration.
 			if remainingLeaseDuration > priorDuration {
-				r.calculateGrace(remainingLeaseDuration)
+				r.calculateGrace(remainingLeaseDuration, time.Duration(r.increment)*time.Second)
 			}
 			priorDuration = remainingLeaseDuration
 
@@ -373,16 +375,21 @@ func (r *LifetimeWatcher) doRenewWithOptions(tokenMode bool, nonRenewable bool,
 	}
 }
 
-// calculateGrace calculates the grace period based on a reasonable set of
-// assumptions given the total lease time; it also adds some jitter to not have
-// clients be in sync.
-func (r *LifetimeWatcher) calculateGrace(leaseDuration time.Duration) {
-	if leaseDuration <= 0 {
+// calculateGrace calculates the grace period based on the minimum of the
+// remaining lease duration and the token increment value; it also adds some
+// jitter to not have clients be in sync.
+func (r *LifetimeWatcher) calculateGrace(leaseDuration, increment time.Duration) {
+	minDuration := leaseDuration
+	if minDuration > increment && increment > 0 {
+		minDuration = increment
+	}
+
+	if minDuration <= 0 {
 		r.grace = 0
 		return
 	}
 
-	leaseNanos := float64(leaseDuration.Nanoseconds())
+	leaseNanos := float64(minDuration.Nanoseconds())
 	jitterMax := 0.1 * leaseNanos
 
 	// For a given lease duration, we want to allow 80-90% of that to elapse,