auth/github: Allow for an optional Github auth token environment variable to make authenticated requests when fetching org id
website/docs: Add docs for VAULT_AUTH_CONFIG_GITHUB_TOKEN environment variable when writing Github config [GH-19244]
core: Allow overriding gRPC connect timeout via VAULT_GRPC_MIN_CONNECT_TIMEOUT. This is an env var rather than a config setting because we don't expect this to ever be needed. It's being added as a last-ditch
option in case all else fails for some replication issues we may not have fully reproduced. [GH-19676]
core: validate name identifiers in mssql physical storage backend prior use [GH-19591]
database/elasticsearch: Update error messages resulting from Elasticsearch API errors [GH-19545]
events: Suppress log warnings triggered when events are sent but the events system is not enabled. [GH-19593]
BUG FIXES:
agent: Fix panic when SIGHUP is issued to Agent while it has a non-TLS listener. [GH-19483]
core (enterprise): Attempt to reconnect to a PKCS#11 HSM if we retrieve a CKR_FUNCTION_FAILED error.
core: Fixed issue with remounting mounts that have a non-trailing space in the 'to' or 'from' paths. [GH-19585]
kmip (enterprise): Do not require attribute Cryptographic Usage Mask when registering Secret Data managed objects.
kmip (enterprise): Fix a problem forwarding some requests to the active node.
openapi: Fix logic for labeling unauthenticated/sudo paths. [GH-19600]
secrets/ldap: Invalidates WAL entry for static role if password_policy has changed. [GH-19640]
secrets/pki: Fix PKI revocation request forwarding from standby nodes due to an error wrapping bug [GH-19624]
secrets/transform (enterprise): Fix persistence problem with rotated tokenization key versions
ui: Fixes crypto.randomUUID error in unsecure contexts from third party ember-data library [GH-19428]
ui: fixes issue navigating back a level using the breadcrumb from secret metadata view [GH-19703]
ui: fixes oidc tabs in auth form submitting with the root's default_role value after a namespace has been inputted [GH-19541]
ui: pass encodeBase64 param to HMAC transit-key-actions. [GH-19429]
ui: use URLSearchParams interface to capture namespace param from SSOs (ex. ADFS) with decoded state param in callback url [GH-19460]
v1.13.0
1.13.0
March 01, 2023
SECURITY:
secrets/ssh: removal of the deprecated dynamic keys mode. When any remaining dynamic key leases expire, an error stating secret is unsupported by this backend will be thrown by the lease manager. [GH-18874]
CHANGES:
auth/alicloud: require the role field on login [GH-19005]
auth/approle: Add maximum length of 4096 for approle role_names, as this value results in HMAC calculation [GH-17768]
auth: Returns invalid credentials for ldap, userpass and approle when wrong credentials are provided for existent users.
This will only be used internally for implementing user lockout. [GH-17104]
core: Bump Go version to 1.20.1.
core: Vault version has been moved out of sdk and into main vault module.
Plugins using sdk/useragent.String must instead use sdk/useragent.PluginString. [GH-14229]
logging: Removed legacy environment variable for log format ('LOGXI_FORMAT'), should use 'VAULT_LOG_FORMAT' instead [GH-17822]
auth/github: Allow for an optional Github auth token environment variable to make authenticated requests when fetching org id
website/docs: Add docs for VAULT_AUTH_CONFIG_GITHUB_TOKEN environment variable when writing Github config [GH-19244]
core: Allow overriding gRPC connect timeout via VAULT_GRPC_MIN_CONNECT_TIMEOUT. This is an env var rather than a config setting because we don't expect this to ever be needed. It's being added as a last-ditch
option in case all else fails for some replication issues we may not have fully reproduced. [GH-19676]
core: validate name identifiers in mssql physical storage backend prior use [GH-19591]
database/elasticsearch: Update error messages resulting from Elasticsearch API errors [GH-19545]
events: Suppress log warnings triggered when events are sent but the events system is not enabled. [GH-19593]
BUG FIXES:
agent: Fix panic when SIGHUP is issued to Agent while it has a non-TLS listener. [GH-19483]
core (enterprise): Attempt to reconnect to a PKCS#11 HSM if we retrieve a CKR_FUNCTION_FAILED error.
core: Fixed issue with remounting mounts that have a non-trailing space in the 'to' or 'from' paths. [GH-19585]
kmip (enterprise): Do not require attribute Cryptographic Usage Mask when registering Secret Data managed objects.
kmip (enterprise): Fix a problem forwarding some requests to the active node.
openapi: Fix logic for labeling unauthenticated/sudo paths. [GH-19600]
secrets/ldap: Invalidates WAL entry for static role if password_policy has changed. [GH-19640]
secrets/pki: Fix PKI revocation request forwarding from standby nodes due to an error wrapping bug [GH-19624]
secrets/transform (enterprise): Fix persistence problem with rotated tokenization key versions
ui: Fixes crypto.randomUUID error in unsecure contexts from third party ember-data library [GH-19428]
ui: fixes issue navigating back a level using the breadcrumb from secret metadata view [GH-19703]
ui: fixes oidc tabs in auth form submitting with the root's default_role value after a namespace has been inputted [GH-19541]
ui: pass encodeBase64 param to HMAC transit-key-actions. [GH-19429]
ui: use URLSearchParams interface to capture namespace param from SSOs (ex. ADFS) with decoded state param in callback url [GH-19460]
1.13.0
March 01, 2023
SECURITY:
secrets/ssh: removal of the deprecated dynamic keys mode. When any remaining dynamic key leases expire, an error stating secret is unsupported by this backend will be thrown by the lease manager. [GH-18874]
CHANGES:
auth/alicloud: require the role field on login [GH-19005]
auth/approle: Add maximum length of 4096 for approle role_names, as this value results in HMAC calculation [GH-17768]
auth: Returns invalid credentials for ldap, userpass and approle when wrong credentials are provided for existent users.
This will only be used internally for implementing user lockout. [GH-17104]
core: Bump Go version to 1.20.1.
core: Vault version has been moved out of sdk and into main vault module.
Plugins using sdk/useragent.String must instead use sdk/useragent.PluginString. [GH-14229]
logging: Removed legacy environment variable for log format ('LOGXI_FORMAT'), should use 'VAULT_LOG_FORMAT' instead [GH-17822]
plugins: Mounts can no longer be pinned to a specific builtin version. Mounts previously pinned to a specific builtin version will now automatically upgrade to the latest builtin version, and may now be overridden if an unversioned plugin of the same name and type is registered. Mounts using plugin versions without builtin in their metadata remain unaffected. [GH-18051]
plugins: GET /database/config/:name endpoint now returns an additional plugin_version field in the response data. [GH-16982]
... (truncated)
Commits
4472e4a backport of commit 85c3eab989de0c90d82b0cb39cabb79fb3911943 (#19716)
cf51afa Backport of Add tests for PKI endpoint authentication via OpenAPI into releas...
487fd7e backport of commit 0c69cf10488c1b36ea112a98a2ea156e7eec8d74 (#19710)
ed85df3 Backport of Allow overriding gRPC's connection timeout with VAULT_GRPC_MIN_CO...
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps github.com/hashicorp/vault from 1.11.4 to 1.13.1.
Release notes
Sourced from github.com/hashicorp/vault's releases.
... (truncated)
Changelog
Sourced from github.com/hashicorp/vault's changelog.
... (truncated)
Commits
4472e4a
backport of commit 85c3eab989de0c90d82b0cb39cabb79fb3911943 (#19716)cf51afa
Backport of Add tests for PKI endpoint authentication via OpenAPI into releas...487fd7e
backport of commit 0c69cf10488c1b36ea112a98a2ea156e7eec8d74 (#19710)ed85df3
Backport of Allow overriding gRPC's connection timeout with VAULT_GRPC_MIN_CO...36dddc3
Regression bug fix OIDC namespace (#19460) (#19696)996dc56
Backport 1.13.x: UI/update auth form to fetchRoles after a namespace is input...9ab8152
backport of commit 449482d9b37864c4408a5f904e67b7c9286d197c (#19692)217d7a9
backport of commit 3dbe94678ffefe8295d196f0e8e633a2f9eeb1fd (#19675)96a97d6
backport of commit 6d8ed36032322caf95e619ab41e6fee77ec34548 (#19674)ba46ad7
backport of commit 3926057a4f963a102a62c9a33e7c33daee7d9310 (#19657)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)