search

ondat / trousseau

Store and access your secrets the Kubernetes native way with any external KMS.
https://trousseau.io
Apache License 2.0
178 stars 11 forks source link

Bump github.com/hashicorp/vault/api from 1.1.1 to 1.6.0 #92

Closed dependabot[bot] closed 2 years ago

dependabot[bot] commented 2 years ago

Bumps github.com/hashicorp/vault/api from 1.1.1 to 1.6.0.

Release notes

Sourced from github.com/hashicorp/vault/api's releases.

v1.6.0

Release vault v1.6.0

v1.6.0-rc

Release vault v1.6.0-rc

v1.5.9

1.5.9

May 20th, 2021

SECURITY:

  • Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token leases and dynamic secret leases with a zero-second TTL, causing them to be treated as non-expiring, and never revoked. This issue affects Vault and Vault Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and 1.7.2 (CVE-2021-32923).

CHANGES:

  • agent: Update to use IAM Service Account Credentials endpoint for signing JWTs when using GCP Auto-Auth method [GH-11473]
  • auth/gcp: Update to v0.7.2 to use IAM Service Account Credentials API for signing JWTs [GH-11499]

BUG FIXES:

  • core: correct logic for renewal of leases nearing their expiration time. [GH-11650]

v1.5.8

Release vault v1.5.8

v1.5.7

SECURITY:

  • IP Address Disclosure: We fixed a vulnerability where, under some error conditions, Vault would return an error message disclosing internal IP addresses. This vulnerability affects Vault and Vault Enterprise and is fixed in 1.6.2 and 1.5.7 (CVE-2021-3024).
  • Mount Path Disclosure: Vault previously returned different HTTP status codes for existent and non-existent mount paths. This behavior would allow unauthenticated brute force attacks to reveal which paths had valid mounts. This issue affects Vault and Vault Enterprise and is fixed in 1.6.2 and 1.5.7 (CVE-2020-25594).

IMPROVEMENTS:

  • storage/raft (enterprise): Listing of peers is now allowed on DR secondary cluster nodes, as an update operation that takes in DR operation token for authenticating the request.

... (truncated)

Changelog

Sourced from github.com/hashicorp/vault/api's changelog.

1.6.0

November 11th, 2020

NOTE:

Binaries for 32-bit macOS (i.e. the darwin_386 build) will no longer be published. This target was dropped in the latest version of the Go compiler.

CHANGES:

  • agent: Agent now properly returns a non-zero exit code on error, such as one due to template rendering failure. Using error_on_missing_key in the template config will cause agent to immediately exit on failure. In order to make agent properly exit due to continuous failure from template rendering errors, the old behavior of indefinitely restarting the template server is now changed to exit once the default retry attempt of 12 times (with exponential backoff) gets exhausted. [GH-9670]
  • token: Periodic tokens generated by auth methods will have the period value stored in its token entry. [GH-7885]
  • core: New telemetry metrics reporting mount table size and number of entries [GH-10201]
  • go: Updated Go version to 1.15.4 [GH-10366]

FEATURES:

  • Couchbase Secrets: Vault can now manage static and dynamic credentials for Couchbase. [GH-9664]
  • Expanded Password Policy Support: Custom password policies are now supported for all database engines.
  • Integrated Storage Auto Snapshots (Enterprise): This feature enables an operator to schedule snapshots of the integrated storage backend and ensure those snapshots are persisted elsewhere.
  • Integrated Storage Cloud Auto Join: This feature for integrated storage enables Vault nodes running in the cloud to automatically discover and join a Vault cluster via operator-supplied metadata.
  • Key Management Secrets Engine (Enterprise; Tech Preview): This new secret engine allows securely distributing and managing keys to Azure cloud KMS services.
  • Seal Migration: With Vault 1.6, we will support migrating from an auto unseal mechanism to a different mechanism of the same type. For example, if you were using an AWS KMS key to automatically unseal, you can now migrate to a different AWS KMS key.
  • Tokenization (Enterprise; Tech Preview): Tokenization supports creating irreversible “tokens” from sensitive data. Tokens can be used in less secure environments, protecting the original data.
  • Vault Client Count: Vault now counts the number of active entities (and non-entity tokens) per month and makes this information available via the "Metrics" section of the UI.

IMPROVEMENTS:

  • auth/approle: Role names can now be referenced in templated policies through the approle.metadata.role_name property [GH-9529]
  • auth/aws: Improve logic check on wildcard BoundIamPrincipalARNs and include role name on error messages on check failure [GH-10036]
  • auth/jwt: Add support for fetching groups and user information from G Suite during authentication. [GH-123]
  • auth/jwt: Adding EdDSA (ed25519) to supported algorithms [GH-129]
  • auth/jwt: Improve cli authorization error [GH-137]
  • auth/jwt: Add OIDC namespace_in_state option [GH-140]
  • secrets/transit: fix missing plaintext in bulk decrypt response [GH-9991]
  • command/server: Delay informational messages in -dev mode until logs have settled. [GH-9702]
  • command/server: Add environment variable support for disable_mlock. [GH-9931]
  • core/metrics: Add metrics for storage cache [GH_10079]
  • core/metrics: Add metrics for leader status [GH 10147]
  • physical/azure: Add the ability to use Azure Instance Metadata Service to set the credentials for Azure Blob storage on the backend. [GH-10189]
  • sdk/framework: Add a time type for API fields. [GH-9911]
  • secrets/database: Added support for password policies to all databases [GH-9641, and more]
  • secrets/database/cassandra: Added support for static credential rotation [GH-10051]
  • secrets/database/elasticsearch: Added support for static credential rotation [GH-19]
  • secrets/database/hanadb: Added support for root credential & static credential rotation [GH-10142]
  • secrets/database/hanadb: Default password generation now includes dashes. Custom statements may need to be updated to include quotes around the password field [GH-10142]
  • secrets/database/influxdb: Added support for static credential rotation [GH-10118]
  • secrets/database/mongodbatlas: Added support for root credential rotation [GH-14]
  • secrets/database/mongodbatlas: Support scopes field in creations statements for MongoDB Atlas database plugin [GH-15]

... (truncated)

Commits


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
dependabot[bot] commented 2 years ago

Looks like github.com/hashicorp/vault/api is up-to-date now, so this is no longer needed.