[VAULT] Last minute updates for 1.21.x (#1153)

* apply feedback re: snowflake deprecation

* Apply fix from #928

* Apply changes from #992

* Apply updates from #840

* fix partial reference

* apply more feedback

* Fix folder name

Author: schavis

content/vault/global/partials/important-changes/known-issue/ssrf-block-endpoint.mdx

@@ -0,0 +1,48 @@
+### Secrets sync SSRF protection may block private endpoints ((#ssrf-block-endpoint)
+
+<!-- BEGIN: Vault:=v1.18.x -->
+
+| Change      | Status   | Vault edition | Affected version | Fixed version
+| ----------- | -------- | ------------- | ---------------- | -------------
+| Known issue | Closed   | Enterprise    | 1.18.0           | 1.18.5
+
+<!-- END: Vault:=v1.18.x -->
+
+<!-- BEGIN: Vault:=v1.17.x -->
+
+| Change      | Status   | Vault edition | Affected version | Fixed version
+| ----------- | -------- | ------------- | ---------------- | -------------
+| Known issue | Closed   | Enterprise    | 1.17.3           | 1.17.12
+
+<!-- END: Vault:=v1.17.x -->
+
+<!-- BEGIN: Vault:=v1.16.x -->
+
+| Change      | Status   | Vault edition | Affected version | Fixed version
+| ----------- | -------- | ------------- | ---------------- | -------------
+| Known issue | Closed   | Enterprise    | 1.16.7           | 1.16.16
+
+<!-- END: Vault:=v1.16.x -->
+
+The Server-Side Request Forgery (SSRF) protection measures in Vault secrets sync
+introduced a new SSRF-safe HTTP client that prevents sync operations to certain
+IP ranges. The client specifically blocks requests to private IP ranges
+(such as 10.0.0.0/8), including requests that access cloud provider secret
+stores through private endpoints.
+
+As a result, Vault blocked secrets sync operations to private IP ranges for all
+destinations when accessed through private endpoints.
+
+Example error message:
+
+```text
+couldn't sync secret with store: failed to publish event: dial tcp [IP]: prohibited IP address: [IP] is not a permitted destination (denied by: 10.0.0.0/8)
+```
+
+#### Recommendation
+
+If you use private endpoints to sync secrets, upgrade to a fixed version or set
+the
+[`disable_strict_networking`](/vault/api-docs/system/secrets-sync#disable_strict_networking)
+secret sync configuration parameter to `true` to disable IP address and port
+number restrictions used by the SSRF-safe sync clients.

content/vault/global/partials/important-changes/summary-tables/1_16.mdx

@@ -45,6 +45,7 @@ Found   | Fixed   | Workaround | Edition    | Issue
 1.16.3  | 1.16.6  | **Yes**    | All        | [JWT auth login requires bound audiences on the role](/vault/docs/v1.16.x/updates/important-changes#jwt-auth-login-requires-bound-audiences-on-the-role)
 1.16.3  | 1.16.7  | Upgrade    | Enterprise | [Vault standby nodes not deleting removed entity-aliases from in-memory database](/vault/docs/v1.16.x/updates/important-changes#deleting-an-entity-aliases-does-not-remove-it-from-the-in-memory-database-on-standby-nodes)
 1.16.7  | 1.16.9  | Upgrade    | All        | [Client tokens and token accessors audited in plaintext](/vault/docs/v1.16.x/updates/important-changes#client-tokens-and-token-accessors-audited-in-plaintext)
+1.16.7  | 1.16.16 | **Yes**    | Enterprise | [Secrets sync SSRF protection may block private endpoints](/vault/docs/v1.16.x/updates/important-changes#ssrf-block-endpoint)
 1.16.16 | No      | No         | All        | [Authorization failure with Azure federated identity credentials](/vault/docs/v1.16.x/updates/important-changes#authorization-failures-using-azure-federated-identity-credentials)
 1.16.16 | 1.16.20 | Upgrade    | All        | [Unexpected DB static role rotations on upgrade](/vault/docs/v1.16.x/updates/important-changes#database-static-role-rotations-on-upgrade)
 1.16.16 | 1.16.20 | Upgrade    | All        | [Unexpected LDAP static role rotations on upgrade](/vault/docs/v1.16.x/updates/important-changes#ldap-static-role-rotations-on-upgrade)

content/vault/global/partials/important-changes/summary-tables/1_17.mdx

@@ -44,6 +44,7 @@ Found   | Fixed   | Workaround | Edition    | Issue
 1.17.0  | 1.17.17 | **Yes**    | Enterprise | [External Enterprise plugins cannot run on a standby node when it becomes active](/vault/docs/v1.17.x/updates/important-changes#external-ent-plugins)
 1.17.0  | 1.17.14 | Upgrade    | All        | [Vault log file missing subsystem logs](/vault/docs/v1.17.x/updates/important-changes#vault-log-file-missing-subsystem-logs)
 1.17.1  | 1.17.2  | **Yes**    | All        | [Potential DoS when using the deny_unauthorized proxy protocol behavior for a TCP listener](/vault/docs/v1.17.x/updates/important-changes#potential-dos-when-using-the-deny_unauthorized-proxy-protocol-behavior-for-a-tcp-listener)
+1.17.3  | 1.17.12 | **Yes**    | Enterprise | [Secrets sync SSRF protection may block private endpoints](/vault/docs/v1.17.x/updates/important-changes#ssrf-block-endpoint)
 1.17.12 | No      | No         | All        | [Authorization failure with Azure federated identity credentials](/vault/docs/v1.17.x/updates/important-changes#authorization-failures-using-azure-federated-identity-credentials)
 1.17.12 | 1.17.16 | Upgrade    | All        | [Unexpected DB static role rotations on upgrade](/vault/docs/v1.17.x/updates/important-changes#database-static-role-rotations-on-upgrade)
 1.17.12 | 1.17.16 | Upgrade    | All        | [Unexpected LDAP static role rotations on upgrade](/vault/docs/v1.17.x/updates/important-changes#ldap-static-role-rotations-on-upgrade)

content/vault/global/partials/important-changes/summary-tables/1_18.mdx

@@ -29,6 +29,7 @@ Found  | Fixed   | Workaround | Edition    | Issue
 1.18.0 | No      | **Yes**    | Enterprise | [Duplicate unseal/seal wrap HSM keys](/vault/docs/v1.18.x/updates/important-changes#seal-seal-wrapped-duplicate-hsm-keys)
 1.18.0 | 1.18.9  | **Yes**    | All        | [Unwanted secret rotation for DB and LDAP roles on restart](/vault/docs/v1.18.x/updates/important-changes#database-and-ldap-secrets-engine-unwanted-secret-rotation-on-backend-restart)
 1.18.0 | 1.18.7  | Upgrade    | All        | [Vault log file missing subsystem logs](/vault/docs/v1.18.x/updates/important-changes#vault-log-file-missing-subsystem-logs)
+1.18.0 | 1.18.5  | **Yes**    | Enterprise | [Secrets sync SSRF protection may block private endpoints](/vault/docs/v1.18.x/updates/important-changes#ssrf-block-endpoint)
 1.18.5 | No      | No         | All        | [Authorization failure with Azure federated identity credentials](/vault/docs/v1.18.x/updates/important-changes#authorization-failures-using-azure-federated-identity-credentials)
 1.18.5 | 1.18.9  | Upgrade    | All        | [Unexpected DB static role rotations on upgrade](/vault/docs/v1.18.x/updates/important-changes#database-static-role-rotations-on-upgrade)
 1.18.5 | 1.18.9  | Upgrade    | All        | [Unexpected LDAP static role rotations on upgrade](/vault/docs/v1.18.x/updates/important-changes#ldap-static-role-rotations-on-upgrade)

content/vault/v1.16.x/content/docs/upgrading/upgrade-to-1.16.x.mdx

@@ -310,3 +310,5 @@ If you use `file` audit devices, you need to:
 @include 'known-issues/enterprise-plugins.mdx'
 
 @include '../../../global/partials/important-changes/known-issue/multi-seal-rewrap.mdx'
+
+@include '../../../global/partials/important-changes/known-issue/ssrf-block-endpoint.mdx'

content/vault/v1.17.x/content/docs/upgrading/upgrade-to-1.17.x.mdx

@@ -254,3 +254,5 @@ more details, and information about opt-out.
 @include 'known-issues/azure-auth-fails-uniform-vmss.mdx'
 
 @include 'known-issues/enterprise-plugins.mdx'
+
+@include '../../../global/partials/important-changes/known-issue/ssrf-block-endpoint.mdx'

content/vault/v1.18.x/content/docs/upgrading/upgrade-to-1.18.x.mdx

@@ -248,3 +248,5 @@ If you use `file` audit devices, you need to:
 @include 'known-issues/enterprise-plugins.mdx'
 
 @include '../../../global/partials/important-changes/known-issue/multi-seal-rewrap.mdx'
+
+@include '../../../global/partials/important-changes/known-issue/ssrf-block-endpoint.mdx'

content/vault/v1.19.x/content/docs/about-vault/what-is-vault.mdx

@@ -124,6 +124,6 @@ or clone the Vault Community repo in GitHub and
 [build Vault from source code](/vault/get-vault/build-from-code).
 
 To use Vault Enterprise features, you must have a
-[valid license configured](/vault/license).
+[valid license configured](/vault/docs/license).
 
 @include 'social-bar.mdx'

content/vault/v1.20.x/content/docs/about-vault/what-is-vault.mdx

@@ -122,6 +122,6 @@ or clone the Vault Community repo in GitHub and
 [build Vault from source code](/vault/get-vault/build-from-code).
 
 To use Vault Enterprise features, you must have a
-[valid license configured](/vault/license).
+[valid license configured](/vault/docs/license).
 
 @include 'social-bar.mdx'

content/vault/v1.21.x (rc)/content/api-docs/system/policies-password.mdx

@@ -40,6 +40,12 @@ generation times.
   base64-encoded to avoid string escaping. See [Password Policy Syntax](/vault/docs/concepts/password-policies#password-policy-syntax)
   for details on password policy definitions.
 
+ `entropy_source` `(string: "")` - Specifies an override to the default source of entropy
+  (randomness) used to generate the passwords.  Must be one of:
+    - "" - source randomness from the default source.
+    - `platform` - source randomness from the platform RNG.
+    - `seal` - source entropy from the entropy augmentation. <EnterpriseAlert inline="true" />
+
 ### Sample payload
 
 ```json