This project is mirrored from https://gitee.com/NQL886/vault.git.
Pull mirroring failed.
Repository mirroring has been paused due to too many failed attempts. It can be resumed by a project maintainer.
- 08 Feb, 2022 8 commits
-
-
Steven Clark authored
* Add documentation for Managed Keys
  - Add concept, sys/api and pki updates related to managed keys
* Review feedback
  - Reworked quite a bit of the existing documentation based on feedback and a re-reading
  - Moved the managed keys out of the concepts section and into the enterprise section
* Address broken links and a few grammar tweaks
-
Angel Garbarino authored
* setup
* add catch for when no payload
* clean up
* pr comments
* wip
* finish findAll fixes
* clean up
* remove console log
-
VAL authored
-
Chelsea Shaw authored
-
Austin Gebauer authored
-
Jason O'Donnell authored
-
Scott Miller authored
* Add duration/count metrics to PKI issue and revoke flows
* docs, changelog
* tidy
* last tidy
* remove err
* Update callsites
* Simple returns
* Handle the fact that test cases don't have namespaces
* Add mount point to the request
* fmt
* Handle empty mount point, and add it to unit tests
* improvement
* Turns out sign-verbatim is tricky, it can take a role but doesn't have to
* Get around the field schema problem
-
Alexander Scheel authored
* Use application/pem-certificate-chain for PEMs
  As mentioned in #10948, it appears we're incorrectly using the `application/pkix-cert` media type for PEM blobs, when `application/x-pem-file` is more appropriate. Per RFC 5280 Section 4.2.1.13, `application/pkix-crl` is only appropriate when the CRL is in DER form. Likewise, Section 4.2.2.1 states that `application/pkix-cert` is only applicable when a single DER certificate is used.
  Per recommendation in RFC 8555 ("ACME"), Section 7.4.2 and 9.1, we use the newer `application/pem-certificate-chain` media type for certificates. However, this is not applicable for CRLs, so we fall back to `application/x-pem-file` for these. Notably, no official IETF source is present for the latter. On the OpenSSL PKI tutorial (https://pki-tutorial.readthedocs.io/en/latest/mime.html), this type is cited as coming from S/MIME's predecessor, PEM, but neither of the main PEM RFCs (RFC 934, 1421, 1422, 1423, or 1424) mention this type.
  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
-
- 07 Feb, 2022 10 commits
-
-
cr48 authored
* Fixed 2 typos on-premise to on-premises.
* Added changelog file.
* Removed 13402.txt file from changelog.
* Update website/content/docs/secrets/terraform.mdx
  Co-authored-by: hghaf099 <83242695+hghaf099@users.noreply.github.com>
-
Scott Miller authored
* OSS of the managed key consumer pattern
* Wrong changes
-
Austin Gebauer authored
* identity/oidc: adds tests for validation of loopback IP redirect URIs
* Update vault/identity_store_oidc_provider_test.go
  Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
  Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
-
Jordan Reimer authored
* updates regex-validator component to optionally show pattern input and adds capture groups support
* adds form-field-label component
* adds autocomplete-input component
* updates kv-object-editor component to yield block for value and glimmerizes
* updates transform template model
* adds transform-advanced-templating component
* updates form-field with child component changes
* updates transform template serializer to handle differences in regex named capture groups
* fixes regex-validator test
* adds changelog entry
* updates for pr review feedback
* reverts kv-object-editor guidFor removal
-
Alexander Scheel authored
* Include full chain in /cert/ca_chain response
  This allows callers to get the full chain (including issuing certificates) from a call to /cert/ca_chain. Previously, most endpoints (including during issuance) do not include the root authority, requiring an explicit call to /cert/ca to fetch. This allows full chains to be constructed without needing multiple calls to the API.
  Resolves: #13489
  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add test case for full CA issuance
  We test three main scenarios:
  1. A root-only CA's `/cert/ca_chain`'s `.data.ca_chain` field should contain only the root,
  2. An intermediate CA (with root provided) should contain both the root and the intermediate.
  3. An external (e.g., `/config/ca`-provided) CA with both root and intermediate should contain both certs.
  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add documentation for new ca_chain field
  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add note about where to find the entire chain
  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
-
Joe authored
* Add check for OIDC provider to permit a non-exact redirect URI from OIDC client if it is the IPv4 or IPv6 loopback address.
* Update changelog/13871.txt
  Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
* Update redirectURI check to match that for the OIDC auth method.
  Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
-
Loann Le authored
* updated client doc
* fixed heading
-
Jason O'Donnell authored
* docs/oracle: add wallet permissions example
* Update website/content/docs/secrets/databases/oracle.mdx
  Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
  Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
-
Sarah Thompson authored
Turning off binary secret scanning to allow builds to be processed until https://github.com/hashicorp/security-scanner/issues/166 is addressed. (#13920)
-
Andrew Briening authored
Similar to "/pki/ca(/pem)" routes to retrieve certificates in raw or pem formats, this adds "pki/cert/{serial}/raw(/pem)" routes for any certificate.
-
- 05 Feb, 2022 1 commit
-
-
claire bontempo authored
* fix parsing of CRLs
* removes tests
* update comment
-
- 04 Feb, 2022 17 commits
-
-
Benjamin Pannell authored
This resolves a rendering issue in the Azure API documentation which caused a section to be rendered in its raw markdown form instead of the rich documentation that was expected.
-
Victor Rodriguez authored
-
Samori Gorse authored
The terraform example had a couple of issues:
- Tags was missing a `=`
- Attribute list is not supported
-
Chris Jones authored
Without `iam:GetUser` permission, I wasn't able to get Vault to rotate its own credentials.
-
Victor Rodriguez authored
Seal wrap storage entries of the ManagedKeyRegistry. Specify the managed key registry's path in SealWrapStorage in the SystemBackend. Enable SealWrap in the system mount entry.
-
AnPucel authored
-
Ricky Grassmuck authored
* [api] Add LDAP auth method
  This commit adds LDAP to the available Vault API auth methods.
* Add changelog entry for PR 13841
* Obtain password for LDAPAuth from File/EnvVar
* Fix name of package in error message
-
Angel Garbarino authored
* setup
* add forward slash
* fix icon issue
* add to current view
* fixes
* change
* final cleanup
* remove todo
-
mairandomness authored
Adding a note on the parameter necessary for deletion on a key deletion example seems like a good idea. From my limited research I found other people that had trouble finding the relevant part of the documentation. Though I'm not sure this is the best wording or formatting for it.
-
Stefan Kalscheuer authored
The field "replication_per_mode" was renamed before this feature was released, but the docs have never been updated. Update the documentation to present the correct name.
-
Alexander Scheel authored
* Switch parse-pki-cert from node-forge to PKI.js
  This replaces the implementation of parse-pki-cert to use PKI.js rather than node-forge for two reasons:
  - PKI.js uses Web Crypto rather than maintaining a built-in implementation of several algorithms.
  - node-forge presently lacks support for ECDSA and Ed25519 certificates.
  Related: #13680
  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add dependency on PKI.js
  $ yarn add -D asn1js pvutils pkijs
  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Remove dependency on node-forge
  $ yarn remove node-forge
  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
-
Rémi Lapeyre authored
Authored by @remilapeyre.
-
Maha Sharabinth authored
Added an example to explicitly show how to perform a Rekey operation when the Vault cluster is using Auto Unseal. This is placed as the second example. The existing example code combines with the PGP keys so added a simple example without the PGP keys.
-
Theron Voran authored
Combined the two Ingress sections into one, hopefully in the right spot this time.
-
Mark Lewis authored
Tidy a couple of bullets.
-
Matthew Irish authored
-
Hridoy Roy authored
-
- 03 Feb, 2022 2 commits
-
-
hghaf099 authored
-
hghaf099 authored
* adding docs for the framework Required field
* minor fix
* Update sdk/framework/backend.go
  Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
  Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
-
- 02 Feb, 2022 2 commits
-
-
Meggie authored
* Make backport assistant work with ENT backport tags
  I want the regexp to include word characters and the plus sign on enterprise. I'm confused about the levels of escaping required, because this is a shell env var that gets passed to a go program as a regular expression. I didn't escape the square brackets because the parens weren't escaped. I matched what was done previously with the '.'s for the '+' because I also want that literal, but it was unclear from playing around with https://regex101.com/ and go regexps whether the extra backslashes were required for the '+' char.
* Update .github/workflows/backport.yml
  Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
  Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
-
claire bontempo authored
* return new object
* rename variables and return truncating of data to component (from serializer)
* fix serializer
-