agent: Errors in the template engine will no longer cause agent to exit unless
explicitly defined to do so. A new configuration parameter,
exit_on_retry_failure, within the new top-level stanza, template_config, can
be set to true in order to cause agent to exit. Note that for agent to exit if
template.error_on_missing_key is set to true, exit_on_retry_failure must
be also set to true. Otherwise, the template engine will log an error but then
restart its internal runner. [GH-11775]
agent: Update to use IAM Service Account Credentials endpoint for signing JWTs
when using GCP Auto-Auth method [GH-11473]
core (enterprise): License/EULA changes that ensure the presence of a valid HashiCorp license to
start Vault. More information is available in the Vault License FAQ
FEATURES:
GCP Secrets Engine Static Accounts: Adds ability to use existing service accounts for generation
of service account keys and access tokens. [GH-12023]
Key Management Secrets Engine (Enterprise): Adds general availability for distributing and managing keys in AWS KMS. [GH-11958]
License Autoloading (Enterprise): Licenses may now be automatically loaded from the environment or disk.
MySQL Database UI: The UI now supports adding and editing MySQL connections in the database secret engine [GH-11532]
Vault Diagnose: A new vault operator command to detect common issues with vault server setups.
IMPROVEMENTS:
agent/template: Added static_secret_render_interval to specify how often to fetch non-leased secrets [GH-11934]
agent: Allow Agent auto auth to read symlinked JWT files [GH-11502]
api: Allow a leveled logger to be provided to api.Client through SetLogger. [GH-11696]
auth/aws: Underlying error included in validation failure message. [GH-11638]
core: Add prefix_filter to telemetry config [GH-12025]
core: Add a darwin/arm64 binary release supporting the Apple M1 CPU [GH-12071]
core: Add a small (<1s) exponential backoff to failed TCP listener Accept failures. [GH-11588]
core (enterprise): Add controlled capabilities to control group policy stanza
core: Add metrics for standby node forwarding. [GH-11366]
core: Add metrics to report if a node is a perf standby, if a node is a dr secondary or primary, and if a node is a perf secondary or primary. [GH-11472]
core: Send notifications to systemd on start, stop, and configuration reload. [GH-11517]
core: add irrevocable lease list and count apis [GH-11607]
agent: Errors in the template engine will no longer cause agent to exit unless
explicitly defined to do so. A new configuration parameter,
exit_on_retry_failure, within the new top-level stanza, template_config, can
be set to true in order to cause agent to exit. Note that for agent to exit if
template.error_on_missing_key is set to true, exit_on_retry_failure must
be also set to true. Otherwise, the template engine will log an error but then
restart its internal runner. [GH-11775]
agent: Update to use IAM Service Account Credentials endpoint for signing JWTs
when using GCP Auto-Auth method [GH-11473]
core (enterprise): License/EULA changes that ensure the presence of a valid HashiCorp license to
start Vault. More information is available in the Vault License FAQ
FEATURES:
GCP Secrets Engine Static Accounts: Adds ability to use existing service accounts for generation
of service account keys and access tokens. [GH-12023]
Key Management Secrets Engine (Enterprise): Adds general availability for distributing and managing keys in AWS KMS. [GH-11958]
License Autoloading (Enterprise): Licenses may now be automatically loaded from the environment or disk.
MySQL Database UI: The UI now supports adding and editing MySQL connections in the database secret engine [GH-11532]
Vault Diagnose: A new vault operator command to detect common issues with vault server setups.
SECURITY:
storage/raft: When initializing Vault’s Integrated Storage backend, excessively broad filesystem permissions may be set for the underlying Bolt database used by Vault’s Raft implementation. This vulnerability, CVE-2021-38553, was fixed in Vault 1.8.0.
ui: The Vault UI erroneously cached and exposed user-viewed secrets between authenticated sessions in a single shared browser, if the browser window / tab was not refreshed or closed between logout and a subsequent login. This vulnerability, CVE-2021-38554, was fixed in Vault 1.8.0 and will be addressed in pending 1.7.4 / 1.6.6 releases.
IMPROVEMENTS:
agent/template: Added static_secret_render_interval to specify how often to fetch non-leased secrets [GH-11934]
agent: Allow Agent auto auth to read symlinked JWT files [GH-11502]
api: Allow a leveled logger to be provided to api.Client through SetLogger. [GH-11696]
auth/aws: Underlying error included in validation failure message. [GH-11638]
core: Add prefix_filter to telemetry config [GH-12025]
core: Add a darwin/arm64 binary release supporting the Apple M1 CPU [GH-12071]
core: Add a small (<1s) exponential backoff to failed TCP listener Accept failures. [GH-11588]
core (enterprise): Add controlled capabilities to control group policy stanza
core: Add metrics for standby node forwarding. [GH-11366]
core: Add metrics to report if a node is a perf standby, if a node is a dr secondary or primary, and if a node is a perf secondary or primary. [GH-11472]
core: Send notifications to systemd on start, stop, and configuration reload. [GH-11517]
core: add irrevocable lease list and count apis [GH-11607]
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps github.com/hashicorp/vault/api from 1.7.2 to 1.8.0.
Release notes
Sourced from github.com/hashicorp/vault/api's releases.
... (truncated)
Changelog
Sourced from github.com/hashicorp/vault/api's changelog.
... (truncated)
Commits
82a99f1Use a mode when opening the db file that won't result in excessive perms. (#1...43cfab4Add fallback font for masked-input (#12152) (#12158)ca2ad70Update node to latest stable version (#12049) (#12154)9f77f5aRe-adding deleted changelog note (#12141)c3855d7Backport: 1.8.x UI/database cg read role (#12111) (#12136)5c7e855Fix KV Version History queryParams on the component LinkedBlock (#12079) (#12...4ffff3achangelog: update feature formatting for gcp and key management secrets (#121...46ed883Change changelog type for openldap bug fix (#12112) (#12114)ed8d36bUI: Automatically refresh page on logout (#12035) (#12082)df0c8d3Backport recent diagnose fixes to 1.8.x (#12108)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)