licensing (enterprise): Remove support for stored licenses and associated sys/license and sys/license/signed endpoints in favor of autoloaded licenses.
replication (enterprise): The /sys/replication/performance/primary/mount-filter endpoint has been removed. Please use Paths Filter instead.
Non-Disruptive Intermediate/Root Certificate Rotation: This allows import, generation and configuration of any number of keys and/or issuers within a PKI mount, providing operators the ability to rotate certificates in place without affecting existing client configurations. [GH-15277]
api/command: Global -output-policy flag to determine minimum required policy HCL for a given operation [GH-14899]
nomad: Bootstrap Nomad ACL system if no token is provided [GH-12451]
agent/auto-auth: Add min_backoff to the method stanza for configuring initial backoff duration. [GH-15204]
agent: Update consul-template to v0.29.0 [GH-15293]
agent: Upgrade hashicorp/consul-template version for sprig template functions and improved writeTo function [GH-15092]
api: Add ability to pass certificate as PEM bytes to api.Client. [GH-14753]
api: Add context-aware functions to vault/api for each API wrapper function. [GH-14388]
api: Added MFALogin() for handling MFA flow when using login helpers. [GH-14900]
api: If the parameters supplied over the API payload are ignored due to not being what the endpoints were expecting, or if the parameters supplied get replaced by the values in the endpoint's path itself, warnings will be added to the non-empty responses listing all the ignored and replaced parameters. [GH-14962]
api: Provide a helper method WithNamespace to create a cloned client with a new NS [GH-14963]
api: Use the context passed to the api/auth Login helpers. [GH-14775]
auth/okta: Add support for Google provider TOTP type in the Okta auth method [GH-14985]
auth: enforce a rate limit for TOTP passcode validation attempts [GH-14864]
cli/debug: added support for retrieving metrics from DR clusters if unauthenticated_metrics_access is enabled [GH-15316]
cli/vault: warn when policy name contains upper-case letter [GH-14670]
cli: Alternative flag-based syntax for KV to mitigate confusion from automatically appended /data [GH-14807]
cockroachdb: add high-availability support [GH-12965]
core (enterprise): Include termination_time in sys/license/status response
auth/aws: Add RoleSession to DisplayName when using assumeRole for authentication [GH-14954]
auth/kubernetes: If kubernetes_ca_cert is unset, and there is no pod-local CA available, an error will be surfaced when writing config instead of waiting for login. [GH-15584]
database & storage: Change underlying driver library from lib/pq to pgx. This change affects Redshift & Postgres database secrets engines, and CockroachDB & Postgres storage engines [GH-15343]
secret/pki: Remove unused signature_bits parameter from intermediate CSR generation; this parameter doesn't control the final certificate's signature algorithm selection as that is up to the signing CA [GH-15478]
secrets/kubernetes: Split additional_metadata into extra_annotations and extra_labels parameters [GH-15655]
secrets/pki: A new aliased API path (/pki/issuer/:issuer_ref/sign-self-issued) providing the same functionality as the existing API (/pki/root/sign-self-issued) does not require sudo capabilities, but the latter still requires it in an effort to maintain backwards compatibility. [GH-15211]
secrets/pki: Err on unknown role during sign-verbatim. [GH-15543]
secrets/pki: Existing CRL API (/pki/crl) now returns an X.509 v2 CRL instead of a v1 CRL. [GH-15100]
secrets/pki: The ca_chain response field within issuing (/pki/issue/:role) and signing APIs will now include the root CA certificate if the mount is aware of it. [GH-15155]
secrets/pki: existing Delete Root API (pki/root) will now delete all issuers and keys within the mount path. [GH-15004]
secrets/pki: existing Generate Root (pki/root/generate/:type) and Set Signed Intermediate (/pki/intermediate/set-signed) APIs will add new issuers/keys to a mount instead of warning that an existing CA exists [GH-14975]
secrets/pki: the signed CA certificate from the sign-intermediate API will now appear within the ca_chain response field along with the issuer's CA chain. [GH-15524]
Autopilot Improvements (Enterprise): Autopilot on Vault Enterprise now supports automated upgrades and redundancy zones when using integrated storage.
KeyMgmt UI: Add UI support for managing the Key Management Secrets Engine [GH-15523]
Kubernetes Secrets Engine: This new secrets engine generates Kubernetes service account tokens, service accounts, role bindings, and roles dynamically. [GH-15551]
Print minimum required policy for any command: The global CLI flag -output-policy can now be used with any command to print out the minimum required policy HCL for that operation, including whether the given path requires the "sudo" capability. [GH-14899]
Snowflake Database Plugin: Adds ability to manage RSA key pair credentials for dynamic and static Snowflake users. [GH-15376]
Transit BYOK: Allow import of externally-generated keys into the Transit secrets engine. [GH-15414]
... (truncated)
Commits
0f63475 Revert "Backport of AutoMTLS for secrets/auth plugins into release/1.11.x (#1...
a6acc9e backport of commit 3ca6036a4aa590f68c677790c5d5afe1d24f52e6 (#16374)
d32986d backport of commit 75ce87bd563932a37149c62ca36d14cfa334adb1 (#16370)
de675f1 backport of commit 10620260b14da90072077cda2ebb9e14b6cab5ce (#16363)
c177087 backport of commit c67e009e819f19d316f5225dd9178d0c35413772 (#16349)
e49a389 backport of commit 48be182b0f38a6d19ea161fdb0bd37a33ace4284 (#16348)
8a00403 backport of commit dc27973a7ab0746673a38b4cdd44588cbbec066a (#16347)
20ce0cd backport of commit 6681ec1cdf15f9923196236c582ce0b75d86a209 (#16345)
fed9aae Update go version to 1.17.12 for 1.11.x (#16337)
b443be6 Backport of AutoMTLS for secrets/auth plugins into release/1.11.x (#16343)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps github.com/hashicorp/vault from 1.3.2 to 1.11.1.
Release notes: sourced from github.com/hashicorp/vault's releases (truncated).
Changelog: sourced from github.com/hashicorp/vault's changelog (truncated).