expiration: VAULT_16_REVOKE_PERMITPOOL environment variable has been removed. [GH-12888]
expiration: VAULT_LEASE_USE_LEGACY_REVOCATION_STRATEGY environment variable has
been removed. [GH-12888]
go: Update go version to 1.17.2
secrets/ssh: Roles with empty allowed_extensions will now forbid end-users
specifying extensions when requesting ssh key signing. Update roles setting
allowed_extensions to * to permit any extension to be specified by an end-user. [GH-12847]
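The allowed_extensions rule above, modelled as a standalone check (an added illustration for this changelog entry, not Vault's own code; the role value is assumed to be a comma-separated list, with an empty value now denying every requested extension and "*" permitting any):

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// checkExtensions mirrors the 1.9.0 secrets/ssh role semantics described in the
// changelog (added example, not Vault's implementation):
//   - empty allowed_extensions: the end-user may request no extensions at all
//   - "*": any extension may be requested
//   - otherwise: only names in the comma-separated list are permitted
// It returns nil when the signing request is acceptable for the role.
func checkExtensions(allowedExtensions string, requested []string) error {
	if len(requested) == 0 {
		return nil // nothing requested, nothing to check
	}
	allowed := strings.TrimSpace(allowedExtensions)
	if allowed == "" {
		return fmt.Errorf("role allows no extensions; rejected: %s", strings.Join(requested, ","))
	}
	if allowed == "*" {
		return nil
	}
	permitted := map[string]bool{}
	for _, e := range strings.Split(allowed, ",") {
		if e = strings.TrimSpace(e); e != "" {
			permitted[e] = true
		}
	}
	var denied []string
	for _, e := range requested {
		if !permitted[e] {
			denied = append(denied, e)
		}
	}
	if len(denied) > 0 {
		sort.Strings(denied)
		return fmt.Errorf("extensions not allowed by role: %s", strings.Join(denied, ","))
	}
	return nil
}

func main() {
	// Constructed samples: a role upgraded without touching allowed_extensions,
	// a role opened up with "*", and an explicit allow-list.
	fmt.Println(checkExtensions("", []string{"permit-pty"}))
	fmt.Println(checkExtensions("*", []string{"permit-pty"}))
	fmt.Println(checkExtensions("permit-pty,permit-agent-forwarding", []string{"permit-pty", "permit-X11-forwarding"}))
}
```

A role that relied on the pre-1.9 default will start rejecting signing requests that name extensions after the upgrade; set allowed_extensions explicitly before bumping.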
FEATURES:
Customizable HTTP Headers: Add support to define custom HTTP headers for root path (/) and also on API endpoints (/v1/*) [GH-12485]
Deduplicate Token With Entities in Activity Log: Vault tokens without entities are now tracked with client IDs and deduplicated in the Activity Log [GH-12820]
Elasticsearch Database UI: The UI now supports adding and editing Elasticsearch connections in the database secret engine. [GH-12672]
KV Custom Metadata: Add ability in kv-v2 to specify version-agnostic custom key metadata via the
metadata endpoint. The data will be present in responses made to the data endpoint independent of the
calling token's read access to the metadata endpoint. [GH-12907]
KV patch (Tech Preview): Add partial update support for the /<mount>/data/:path kv-v2
endpoint through HTTP PATCH. A new patch ACL capability has been added and
is required to make such requests. [GH-12687]
Key Management Secrets Engine (Enterprise): Adds support for distributing and managing keys in GCP Cloud KMS.
Local Auth Mount Entities (enterprise): Logins on local auth mounts will
generate identity entities for the tokens issued. The aliases of the entity
resulting from local auth mounts (local-aliases), will be scoped by the cluster.
This means that the local-aliases will never leave the geographical boundary of
the cluster where they were issued. This is something to be mindful about for
those who have implemented local auth mounts for complying with GDPR guidelines.
Namespaces (Enterprise): Adds support for locking Vault API for particular namespaces.
OIDC Identity Provider (Tech Preview): Adds support for Vault to be an OpenID Connect (OIDC) provider. [GH-12932]
Oracle Database UI: The UI now supports adding and editing Oracle connections in the database secret engine. [GH-12752]
Postgres Database UI: The UI now supports adding and editing Postgres connections in the database secret engine. [GH-12945]
IMPROVEMENTS:
agent/cache: Process persistent cache leases in dependency order during restore to ensure child leases are always correctly restored [GH-12843]
agent/cache: Use an in-process listener between consul-template and vault-agent when caching is enabled and either templates or a listener is defined [GH-12762]
agent/cache: tolerate partial restore failure from persistent cache [GH-12718]
agent/template: add support for new 'writeToFile' template function [GH-12505]
api: Add configuration option for ensuring isolated read-after-write semantics for all Client requests. [GH-12814]
api: adds native Login method to Go client module with different auth method interfaces to support easier authentication [GH-12796]
api: Move mergeStates and other required utils from agent to api module [GH-12731]
api: Support VAULT_HTTP_PROXY environment variable to allow overriding the Vault client's HTTP proxy [GH-12582]
auth/approle: The role/:name/secret-id-accessor/lookup endpoint now returns a 404 status code when the secret_id_accessor cannot be found [GH-12788]
auth/approle: expose secret_id_accessor as WrappedAccessor when creating wrapped secret-id. [GH-12425]
auth/aws: add profile support for AWS credentials when using the AWS auth method [GH-12621]
auth/kubernetes: disable_iss_validation defaults to true. #127 [GH-12975]
SECURITY:
core/identity: A Vault user with write permission to an entity alias ID sharing a mount accessor with another user may acquire this other user’s policies by merging their identities. This vulnerability, CVE-2021-41802, was fixed in Vault and Vault Enterprise 1.7.5, 1.8.4, and 1.9.0.
core/identity: Templated ACL policies would always match the first-created entity alias if multiple entity aliases existed for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. This vulnerability, CVE-2021-43998, was fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps github.com/hashicorp/vault/api from 1.7.2 to 1.9.0.
Release notes
Sourced from github.com/hashicorp/vault/api's releases.
... (truncated)
Changelog
Sourced from github.com/hashicorp/vault/api's changelog.
... (truncated)
Commits
6dae166 Revert more downgrades from #12975. (#13168) (#13172)
5c83aaa Fix 1.9 regression with raft and stored time values (#13165) (#13170)
abe5416 Fix startup failures when aliases from a pre-1.9 vault version exist (#13169)...
559197a Updating SDK in go.mod (#13147)
f5c187a Updating version for 1.9.0 (#13144)
f42e70d Changelog fixes (#13128)
8165371 update changelog/12621.txt (#13117) (#13125)
481c01b CL for local auth mount (#13113)
df42108 Add message while adding Oracle db connection (#13087) (#13115)
5906da5 OIDC: return full issuer uri on read provider (#13058) (#13110)