search

jonasvinther / medusa

A cli tool for importing and exporting Hashicorp Vault secrets
MIT License
482 stars 62 forks source link

Bump github.com/hashicorp/vault/api/auth/kubernetes from 0.5.0 to 0.6.0 #152

Closed dependabot[bot] closed 8 months ago

dependabot[bot] commented 9 months ago

Bumps github.com/hashicorp/vault/api/auth/kubernetes from 0.5.0 to 0.6.0.

Changelog

Sourced from github.com/hashicorp/vault/api/auth/kubernetes's changelog.

0.6.0 (June 14th, 2016)

SECURITY:

  • Although sys/revoke-prefix was intended to revoke prefixes of secrets (via lease IDs, which incorporate path information) and auth/token/revoke-prefix was intended to revoke prefixes of tokens (using the tokens' paths and, since 0.5.2, role information), in implementation they both behaved exactly the same way since a single component in Vault is responsible for managing lifetimes of both, and the type of the tracked lifetime was not being checked. The end result was that either endpoint could revoke both secret leases and tokens. We consider this a very minor security issue as there are a number of mitigating factors: both endpoints require sudo capability in addition to write capability, preventing blanket ACL path globs from providing access; both work by using the prefix to revoke as a part of the endpoint path, allowing them to be properly ACL'd; and both are intended for emergency scenarios and users should already not generally have access to either one. In order to prevent confusion, we have simply removed auth/token/revoke-prefix in 0.6, and sys/revoke-prefix will be meant for both leases and tokens instead.

DEPRECATIONS/CHANGES:

  • auth/token/revoke-prefix has been removed. See the security notice for details. GH-1280
  • Vault will now automatically register itself as the vault service when using the consul backend and will perform its own health checks. See the Consul backend documentation for information on how to disable auto-registration and service checks.
  • List operations that do not find any keys now return a 404 status code rather than an empty response object GH-1365
  • CA certificates issued from the pki backend no longer have associated leases, and any CA certs already issued will ignore revocation requests from the lease manager. This is to prevent CA certificates from being revoked when the token used to issue the certificate expires; it was not be obvious to users that they need to ensure that the token lifetime needed to be at least as long as a potentially very long-lived CA cert.

FEATURES:

  • AWS EC2 Auth Backend: Provides a secure introduction mechanism for AWS EC2 instances allowing automated retrieval of Vault tokens. Unlike most Vault authentication backends, this backend does not require first deploying or provisioning security-sensitive credentials (tokens, username/password, client certificates, etc). Instead, it treats AWS as a Trusted Third Party and uses the cryptographically signed dynamic metadata information that uniquely represents each EC2 instance. Vault Enterprise customers have access to a turnkey client that speaks the backend API and makes access to a Vault token easy.

... (truncated)

Commits
  • f627c01 Cut version 0.6.0
  • 5b7e680 Add updated wrapping information
  • 926e56e Merge pull request #1520 from hashicorp/wrapinfo-accessor
  • 65cdcd6 Add some commenting
  • 47dc1cc Add token accessor to wrap information if one exists
  • 4f039d0 Merge pull request #1518 from hashicorp/fix-bound-ami-id
  • e521894 Added bound_ami_id check
  • 117200c Fix mah broken tests
  • c6ded38 cubbyhole-response-wrapping -> response-wrapping
  • 1e67cd8 Merge pull request #1513 from hashicorp/field-data-get-default
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
codecov-commenter commented 9 months ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Comparison is base (d9fa19b) 70.00% compared to head (e49c844) 70.00%.

:exclamation: Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files ```diff @@ Coverage Diff @@ ## main #152 +/- ## ======================================= Coverage 70.00% 70.00% ======================================= Files 2 2 Lines 20 20 ======================================= Hits 14 14 Misses 5 5 Partials 1 1 ```

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.