core/entities: Fixed stranding of aliases upon entity merge, and require explicit selection of which aliases should be kept when some must be deleted [GH-16539]
core: Bump Go version to 1.18.5.
core: Validate input parameters for vault operator init command. Vault 1.12 CLI version is needed to run operator init now. [GH-16379]
identity: a request to /identity/group that includes member_group_ids that contains a cycle will now be responded to with a 400 rather than 500 [GH-15912]
licensing (enterprise): Terminated licenses will no longer result in shutdown. Instead, upgrades
will not be allowed if the license termination time is before the build date of the binary.
plugins: GET /sys/plugins/catalog/:type/:name endpoint now returns an additional version field in the response data. [GH-16688]
plugins: GET /sys/plugins/catalog endpoint now returns an additional detailed field in the response data with a list of additional plugin metadata. [GH-16688]
FEATURES:
Secrets/auth plugin multiplexing: manage multiple plugin configurations with a single plugin process [GH-14946]
secrets/database/hana: Add ability to customize dynamic usernames [GH-16631]
secrets/pki: Add an OCSP responder that implements a subset of RFC6960, answering single serial number OCSP requests for
a specific cluster's revoked certificates in a mount. [GH-16723]
ui: UI support for Okta Number Challenge. [GH-15998]
IMPROVEMENTS:
activity (enterprise): Added new clients unit tests to test accuracy of estimates
agent: Added disable_idle_connections configuration to disable leaving idle connections open in auto-auth, caching and templating. [GH-15986]
agent: Added disable_keep_alives configuration to disable keep alives in auto-auth, caching and templating. [GH-16479]
agent: JWT auto auth now supports a remove_jwt_after_reading config option which defaults to true. [GH-11969]
agent: Send notifications to systemd on start and stop. [GH-9802]
api/mfa: Add namespace path to the MFA read/list endpoint [GH-16911]
api: Add a sentinel error for missing KV secrets [GH-16699]
auth/aws: PKCS7 signatures will now use SHA256 by default in prep for Go 1.18 [GH-16455]
auth/cert: Add metadata to identity-alias [GH-14751]
auth/gcp: Add support for GCE regional instance groups [GH-16435]
auth/jwt: Adds support for Microsoft US Gov L4 to the Azure provider for groups fetching. [GH-16525]
auth/jwt: Improves detection of Windows Subsystem for Linux (WSL) for CLI-based logins. [GH-16525]
auth/kerberos: add add_group_aliases config to include LDAP groups in Vault group aliases [GH-16890]
auth/kerberos: add remove_instance_name parameter to the login CLI and the
Kerberos config in Vault. This removes any instance names found in the keytab
service principal name. [GH-16594]
auth/oidc: Adds support for group membership parsing when using SecureAuth as an OIDC provider. [GH-16274]
cli: CLI commands will print a warning if flags will be ignored because they are passed after positional arguments. [GH-16441]
command/audit: Improve missing type error message [GH-16409]
command/server: add -dev-tls and -dev-tls-cert-dir subcommands to create a Vault dev server with generated certificates and private key. [GH-16421]
core (enterprise): Add HTTP PATCH support for namespaces with an associated namespace patch CLI command
core (enterprise): Add check to vault server command to ensure configured storage backend is supported.
core (enterprise): Add custom metadata support for namespaces
core/activity: generate hyperloglogs containing clientIds for each month during precomputation [GH-16146]
core/activity: refactor activity log api to reuse partial api functions in activity endpoint when current month is specified [GH-16162]
api: Exclusively use GET /sys/plugins/catalog endpoint for listing plugins, and add details field to list responses. [GH-17347]
auth: GET /sys/auth/:name endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
auth: GET /sys/auth endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
auth: POST /sys/auth/:type endpoint response contains a warning for Deprecated auth methods. [GH-17058]
auth: auth enable returns an error and POST /sys/auth/:type endpoint reports an error for Pending Removal auth methods. [GH-17005]
core/entities: Fixed stranding of aliases upon entity merge, and require explicit selection of which aliases should be kept when some must be deleted [GH-16539]
core: Bump Go version to 1.19.2.
core: Validate input parameters for vault operator init command. Vault 1.12 CLI version is needed to run operator init now. [GH-16379]
identity: a request to /identity/group that includes member_group_ids that contains a cycle will now be responded to with a 400 rather than 500 [GH-15912]
licensing (enterprise): Terminated licenses will no longer result in shutdown. Instead, upgrades will not be allowed if the license termination time is before the build date of the binary.
plugins: Add plugin version to auth register, list, and mount table [GH-16856]
plugins: GET /sys/plugins/catalog/:type/:name endpoint contains deprecation status for builtin plugins. [GH-17077]
plugins: GET /sys/plugins/catalog/:type/:name endpoint now returns an additional version field in the response data. [GH-16688]
plugins: GET /sys/plugins/catalog/ endpoint contains deprecation status in detailed list. [GH-17077]
plugins: GET /sys/plugins/catalog endpoint now returns an additional detailed field in the response data with a list of additional plugin metadata. [GH-16688]
plugins: plugin info displays deprecation status for builtin plugins. [GH-17077]
plugins: plugin list now accepts a -detailed flag, which display deprecation status and version info. [GH-17077]
secrets/azure: Removed deprecated AAD graph API support from the secrets engine. [GH-17180]
secrets: All database-specific (standalone DB) secrets engines are now marked Pending Removal. [GH-17038]
secrets: GET /sys/mounts/:name endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
secrets: GET /sys/mounts endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
secrets: POST /sys/mounts/:type endpoint response contains a warning for Deprecated secrets engines. [GH-17058]
secrets: secrets enable returns an error and POST /sys/mount/:type endpoint reports an error for Pending Removal secrets engines. [GH-17005]
FEATURES:
GCP Cloud KMS support for managed keys: Managed keys now support using GCP Cloud KMS keys
LDAP Secrets Engine: Adds the ldap secrets engine with service account check-out functionality for all supported schemas. [GH-17152]
OCSP Responder: PKI mounts now have an OCSP responder that implements a subset of RFC6960, answering single serial number OCSP requests for a specific cluster's revoked certificates in a mount. [GH-16723]
Redis DB Engine: Adding the new Redis database engine that supports the generation of static and dynamic user roles and root credential rotation on a stand alone Redis server. [GH-17070]
Redis ElastiCache DB Plugin: Added Redis ElastiCache as a built-in plugin. [GH-17075]
Secrets/auth plugin multiplexing: manage multiple plugin configurations with a single plugin process [GH-14946]
Transform Key Import (BYOK): The transform secrets engine now supports importing keys for tokenization and FPE transformations
HCP (enterprise): Adding foundational support for self-managed vault nodes to securely communicate with HashiCorp Cloud Platform as an opt-in feature
ui: UI support for Okta Number Challenge. [GH-15998]
IMPROVEMENTS:
:core/managed-keys (enterprise): Allow operators to specify PSS signatures and/or hash algorithm for the test/sign api
activity (enterprise): Added new clients unit tests to test accuracy of estimates
agent/auto-auth: Add exit_on_err which when set to true, will cause Agent to exit if any errors are encountered during authentication. [GH-17091]
agent: Added disable_idle_connections configuration to disable leaving idle connections open in auto-auth, caching and templating. [GH-15986]
agent: Added disable_keep_alives configuration to disable keep alives in auto-auth, caching and templating. [GH-16479]
agent: JWT auto auth now supports a remove_jwt_after_reading config option which defaults to true. [GH-11969]
agent: Send notifications to systemd on start and stop. [GH-9802]
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
dependabot[bot]
commented
1 year ago
Bumps github.com/hashicorp/vault from 1.3.2 to 1.12.0.
Release notes
Sourced from github.com/hashicorp/vault's releases.
... (truncated)
Changelog
Sourced from github.com/hashicorp/vault's changelog.
... (truncated)
Commits
558abfaimport new sdk (#17488)6545e24bump sdk to 1.12.0 (#17487)2068a5fbackport of commit 495bf0a7ec21748d4b646932539910d9c2a3e8c8 (#17483)cb6652bbackport of commit 4625729de15bf9992d63dbfc1be7099a12286429 (#17479)90b89f9backport of commit c023246b9050955ca78b5b3affbf1afc9072a89e (#17473)cb5d319backport of #17340 (#17469)eb5f980backport of commit e9914734e14852264dedc235726ba036fa183223 (#17464)d463811Update 1.12 to go 1.19.2 (#17438)12df3b0backport of commit cfc6b436074140af83e11e896308b147b22a6609 (#17465)4d0c1ecbackport of commit 50a1f9e86a027af858a7c140288a9cc06f207053 (#17466)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)