mirror of
https://github.com/matter-labs/vault-auth-tee.git
synced 2025-07-21 07:43:57 +02:00
fix(deps): update module github.com/hashicorp/vault/api to v1.12.0 (#31)
This PR contains the following updates:

| Package | Change |
|---|---|
| [github.com/hashicorp/vault/api](https://togithub.com/hashicorp/vault) | `v1.11.0` -> `v1.12.0` |

---

### Release Notes

<details>
<summary>hashicorp/vault (github.com/hashicorp/vault/api)</summary>

### [`v1.12.0`](https://togithub.com/hashicorp/vault/releases/tag/v1.12.0)

[Compare Source](https://togithub.com/hashicorp/vault/compare/v1.11.0...v1.12.0)

##### 1.12.0

##### October 13, 2022

CHANGES:

- api: Exclusively use `GET /sys/plugins/catalog` endpoint for listing plugins, and add `details` field to list responses. \[[GH-17347](https://togithub.com/hashicorp/vault/pull/17347)]
- auth: `GET /sys/auth/:name` endpoint now returns an additional `deprecation_status` field in the response data for builtins. \[[GH-16849](https://togithub.com/hashicorp/vault/pull/16849)]
- auth: `GET /sys/auth` endpoint now returns an additional `deprecation_status` field in the response data for builtins. \[[GH-16849](https://togithub.com/hashicorp/vault/pull/16849)]
- auth: `POST /sys/auth/:type` endpoint response contains a warning for `Deprecated` auth methods. \[[GH-17058](https://togithub.com/hashicorp/vault/pull/17058)]
- auth: `auth enable` returns an error and `POST /sys/auth/:type` endpoint reports an error for `Pending Removal` auth methods. \[[GH-17005](https://togithub.com/hashicorp/vault/pull/17005)]
- core/entities: Fixed stranding of aliases upon entity merge, and require explicit selection of which aliases should be kept when some must be deleted \[[GH-16539](https://togithub.com/hashicorp/vault/pull/16539)]
- core: Bump Go version to 1.19.2.
- core: Validate input parameters for vault operator init command. Vault 1.12 CLI version is needed to run operator init now. \[[GH-16379](https://togithub.com/hashicorp/vault/pull/16379)]
- identity: a request to `/identity/group` that includes `member_group_ids` that contains a cycle will now be responded to with a 400 rather than 500 \[[GH-15912](https://togithub.com/hashicorp/vault/pull/15912)]
- licensing (enterprise): Terminated licenses will no longer result in shutdown. Instead, upgrades will not be allowed if the license termination time is before the build date of the binary.
- plugins: Add plugin version to auth register, list, and mount table \[[GH-16856](https://togithub.com/hashicorp/vault/pull/16856)]
- plugins: `GET /sys/plugins/catalog/:type/:name` endpoint contains deprecation status for builtin plugins. \[[GH-17077](https://togithub.com/hashicorp/vault/pull/17077)]
- plugins: `GET /sys/plugins/catalog/:type/:name` endpoint now returns an additional `version` field in the response data. \[[GH-16688](https://togithub.com/hashicorp/vault/pull/16688)]
- plugins: `GET /sys/plugins/catalog/` endpoint contains deprecation status in `detailed` list. \[[GH-17077](https://togithub.com/hashicorp/vault/pull/17077)]
- plugins: `GET /sys/plugins/catalog` endpoint now returns an additional `detailed` field in the response data with a list of additional plugin metadata. \[[GH-16688](https://togithub.com/hashicorp/vault/pull/16688)]
- plugins: `plugin info` displays deprecation status for builtin plugins. \[[GH-17077](https://togithub.com/hashicorp/vault/pull/17077)]
- plugins: `plugin list` now accepts a `-detailed` flag, which display deprecation status and version info. \[[GH-17077](https://togithub.com/hashicorp/vault/pull/17077)]
- secrets/azure: Removed deprecated AAD graph API support from the secrets engine. \[[GH-17180](https://togithub.com/hashicorp/vault/pull/17180)]
- secrets: All database-specific (standalone DB) secrets engines are now marked `Pending Removal`. \[[GH-17038](https://togithub.com/hashicorp/vault/pull/17038)]
- secrets: `GET /sys/mounts/:name` endpoint now returns an additional `deprecation_status` field in the response data for builtins. \[[GH-16849](https://togithub.com/hashicorp/vault/pull/16849)]
- secrets: `GET /sys/mounts` endpoint now returns an additional `deprecation_status` field in the response data for builtins. \[[GH-16849](https://togithub.com/hashicorp/vault/pull/16849)]
- secrets: `POST /sys/mounts/:type` endpoint response contains a warning for `Deprecated` secrets engines. \[[GH-17058](https://togithub.com/hashicorp/vault/pull/17058)]
- secrets: `secrets enable` returns an error and `POST /sys/mount/:type` endpoint reports an error for `Pending Removal` secrets engines. \[[GH-17005](https://togithub.com/hashicorp/vault/pull/17005)]

FEATURES:

- **GCP Cloud KMS support for managed keys**: Managed keys now support using GCP Cloud KMS keys
- **LDAP Secrets Engine**: Adds the `ldap` secrets engine with service account check-out functionality for all supported schemas. \[[GH-17152](https://togithub.com/hashicorp/vault/pull/17152)]
- **OCSP Responder**: PKI mounts now have an OCSP responder that implements a subset of RFC6960, answering single serial number OCSP requests for a specific cluster's revoked certificates in a mount. \[[GH-16723](https://togithub.com/hashicorp/vault/pull/16723)]
- **Redis DB Engine**: Adding the new Redis database engine that supports the generation of static and dynamic user roles and root credential rotation on a stand alone Redis server. \[[GH-17070](https://togithub.com/hashicorp/vault/pull/17070)]
- **Redis ElastiCache DB Plugin**: Added Redis ElastiCache as a built-in plugin. \[[GH-17075](https://togithub.com/hashicorp/vault/pull/17075)]
- **Secrets/auth plugin multiplexing**: manage multiple plugin configurations with a single plugin process \[[GH-14946](https://togithub.com/hashicorp/vault/pull/14946)]
- **Transform Key Import (BYOK)**: The transform secrets engine now supports importing keys for tokenization and FPE transformations
- HCP (enterprise): Adding foundational support for self-managed vault nodes to securely communicate with [HashiCorp Cloud Platform](https://cloud.hashicorp.com) as an opt-in feature
- ui: UI support for Okta Number Challenge. \[[GH-15998](https://togithub.com/hashicorp/vault/pull/15998)]

IMPROVEMENTS:

- :core/managed-keys (enterprise): Allow operators to specify PSS signatures and/or hash algorithm for the test/sign api
- activity (enterprise): Added new clients unit tests to test accuracy of estimates
- agent/auto-auth: Add `exit_on_err` which when set to true, will cause Agent to exit if any errors are encountered during authentication. \[[GH-17091](https://togithub.com/hashicorp/vault/pull/17091)]
- agent: Added `disable_idle_connections` configuration to disable leaving idle connections open in auto-auth, caching and templating. \[[GH-15986](https://togithub.com/hashicorp/vault/pull/15986)]
- agent: Added `disable_keep_alives` configuration to disable keep alives in auto-auth, caching and templating. \[[GH-16479](https://togithub.com/hashicorp/vault/pull/16479)]
- agent: JWT auto auth now supports a `remove_jwt_after_reading` config option which defaults to true. \[[GH-11969](https://togithub.com/hashicorp/vault/pull/11969)]
- agent: Send notifications to systemd on start and stop. \[[GH-9802](https://togithub.com/hashicorp/vault/pull/9802)]
- api/mfa: Add namespace path to the MFA read/list endpoint \[[GH-16911](https://togithub.com/hashicorp/vault/pull/16911)]
- api: Add a sentinel error for missing KV secrets \[[GH-16699](https://togithub.com/hashicorp/vault/pull/16699)]
- auth/alicloud: Enables AliCloud roles to be compatible with Vault's role based quotas. \[[GH-17251](https://togithub.com/hashicorp/vault/pull/17251)]
- auth/approle: SecretIDs can now be generated with an per-request specified TTL and num_uses. When either the ttl and num_uses fields are not specified, the role's configuration is used. \[[GH-14474](https://togithub.com/hashicorp/vault/pull/14474)]
- auth/aws: PKCS7 signatures will now use SHA256 by default in prep for Go 1.18 \[[GH-16455](https://togithub.com/hashicorp/vault/pull/16455)]
- auth/azure: Enables Azure roles to be compatible with Vault's role based quotas. \[[GH-17194](https://togithub.com/hashicorp/vault/pull/17194)]
- auth/cert: Add metadata to identity-alias \[[GH-14751](https://togithub.com/hashicorp/vault/pull/14751)]
- auth/cert: Operators can now specify a CRL distribution point URL, in which case the cert auth engine will fetch and use the CRL from that location rather than needing to push CRLs directly to auth/cert. \[[GH-17136](https://togithub.com/hashicorp/vault/pull/17136)]
- auth/cf: Enables CF roles to be compatible with Vault's role based quotas. \[[GH-17196](https://togithub.com/hashicorp/vault/pull/17196)]
- auth/gcp: Add support for GCE regional instance groups \[[GH-16435](https://togithub.com/hashicorp/vault/pull/16435)]
- auth/gcp: Updates dependencies: `google.golang.org/api@v0.83.0`, `github.com/hashicorp/go-gcp-common@v0.8.0`. \[[GH-17160](https://togithub.com/hashicorp/vault/pull/17160)]
- auth/jwt: Adds support for Microsoft US Gov L4 to the Azure provider for groups fetching. \[[GH-16525](https://togithub.com/hashicorp/vault/pull/16525)]
- auth/jwt: Improves detection of Windows Subsystem for Linux (WSL) for CLI-based logins. \[[GH-16525](https://togithub.com/hashicorp/vault/pull/16525)]
- auth/kerberos: add `add_group_aliases` config to include LDAP groups in Vault group aliases \[[GH-16890](https://togithub.com/hashicorp/vault/pull/16890)]
- auth/kerberos: add `remove_instance_name` parameter to the login CLI and the Kerberos config in Vault. This removes any instance names found in the keytab service principal name. \[[GH-16594](https://togithub.com/hashicorp/vault/pull/16594)]
- auth/kubernetes: Role resolution for K8S Auth \[[GH-156](https://togithub.com/hashicorp/vault-plugin-auth-kubernetes/pull/156)] \[[GH-17161](https://togithub.com/hashicorp/vault/pull/17161)]
- auth/oci: Add support for role resolution. \[[GH-17212](https://togithub.com/hashicorp/vault/pull/17212)]
- auth/oidc: Adds support for group membership parsing when using SecureAuth as an OIDC provider. \[[GH-16274](https://togithub.com/hashicorp/vault/pull/16274)]
- cli: CLI commands will print a warning if flags will be ignored because they are passed after positional arguments. \[[GH-16441](https://togithub.com/hashicorp/vault/pull/16441)]
- cli: `auth` and `secrets` list `-detailed` commands now show Deprecation Status for builtin plugins. \[[GH-16849](https://togithub.com/hashicorp/vault/pull/16849)]
- cli: `vault plugin list` now has a `details` field in JSON format, and version and type information in table format. \[[GH-17347](https://togithub.com/hashicorp/vault/pull/17347)]
- command/audit: Improve missing type error message \[[GH-16409](https://togithub.com/hashicorp/vault/pull/16409)]
- command/server: add `-dev-tls` and `-dev-tls-cert-dir` subcommands to create a Vault dev server with generated certificates and private key. \[[GH-16421](https://togithub.com/hashicorp/vault/pull/16421)]
- command: Fix shell completion for KV v2 mounts \[[GH-16553](https://togithub.com/hashicorp/vault/pull/16553)]
- core (enterprise): Add HTTP PATCH support for namespaces with an associated `namespace patch` CLI command
- core (enterprise): Add check to `vault server` command to ensure configured storage backend is supported.
- core (enterprise): Add custom metadata support for namespaces
- core/activity: generate hyperloglogs containing clientIds for each month during precomputation \[[GH-16146](https://togithub.com/hashicorp/vault/pull/16146)]
- core/activity: refactor activity log api to reuse partial api functions in activity endpoint when current month is specified \[[GH-16162](https://togithub.com/hashicorp/vault/pull/16162)]
- core/activity: use monthly hyperloglogs to calculate new clients approximation for current month \[[GH-16184](https://togithub.com/hashicorp/vault/pull/16184)]
- core/quotas (enterprise): Added ability to add path suffixes for lease-count resource quotas
- core/quotas (enterprise): Added ability to add role information for lease-count resource quotas, to limit login requests on auth mounts made using that role
- core/quotas: Added ability to add path suffixes for rate-limit resource quotas \[[GH-15989](https://togithub.com/hashicorp/vault/pull/15989)]
- core/quotas: Added ability to add role information for rate-limit resource quotas, to limit login requests on auth mounts made using that role \[[GH-16115](https://togithub.com/hashicorp/vault/pull/16115)]
- core: Activity log goroutine management improvements to allow tests to be more deterministic. \[[GH-17028](https://togithub.com/hashicorp/vault/pull/17028)]
- core: Add `sys/loggers` and `sys/loggers/:name` endpoints to provide ability to modify logging verbosity \[[GH-16111](https://togithub.com/hashicorp/vault/pull/16111)]
- core: Handle and log deprecated builtin mounts. Introduces `VAULT_ALLOW_PENDING_REMOVAL_MOUNTS` to override shutdown and error when attempting to mount `Pending Removal` builtin plugins. \[[GH-17005](https://togithub.com/hashicorp/vault/pull/17005)]
- core: Limit activity log client count usage by namespaces \[[GH-16000](https://togithub.com/hashicorp/vault/pull/16000)]
- core: Upgrade github.com/hashicorp/raft \[[GH-16609](https://togithub.com/hashicorp/vault/pull/16609)]
- core: remove gox \[[GH-16353](https://togithub.com/hashicorp/vault/pull/16353)]
- docs: Clarify the behaviour of local mounts in the context of DR replication \[[GH-16218](https://togithub.com/hashicorp/vault/pull/16218)]
- identity/oidc: Adds support for detailed listing of clients and providers. \[[GH-16567](https://togithub.com/hashicorp/vault/pull/16567)]
- identity/oidc: Adds the `client_secret_post` token endpoint authentication method. \[[GH-16598](https://togithub.com/hashicorp/vault/pull/16598)]
- identity/oidc: allows filtering the list providers response by an allowed_client_id \[[GH-16181](https://togithub.com/hashicorp/vault/pull/16181)]
- identity: Prevent possibility of data races on entity creation. \[[GH-16487](https://togithub.com/hashicorp/vault/pull/16487)]
- physical/postgresql: pass context to queries to propagate timeouts and cancellations on requests. \[[GH-15866](https://togithub.com/hashicorp/vault/pull/15866)]
- plugins/multiplexing: Added multiplexing support to database plugins if run as external plugins \[[GH-16995](https://togithub.com/hashicorp/vault/pull/16995)]
- plugins: Add Deprecation Status method to builtinregistry. \[[GH-16846](https://togithub.com/hashicorp/vault/pull/16846)]
- plugins: Added environment variable flag to opt-out specific plugins from multiplexing \[[GH-16972](https://togithub.com/hashicorp/vault/pull/16972)]
- plugins: Adding version to plugin GRPC interface \[[GH-17088](https://togithub.com/hashicorp/vault/pull/17088)]
- plugins: Plugin catalog supports registering and managing plugins with semantic version information. \[[GH-16688](https://togithub.com/hashicorp/vault/pull/16688)]
- replication (enterprise): Fix race in merkle sync that can prevent streaming by returning key value matching provided hash if found in log shipper buffer.
- secret/nomad: allow reading CA and client auth certificate from /nomad/config/access \[[GH-15809](https://togithub.com/hashicorp/vault/pull/15809)]
- secret/pki: Add RSA PSS signature support for issuing certificates, signing CRLs \[[GH-16519](https://togithub.com/hashicorp/vault/pull/16519)]
- secret/pki: Add signature_bits to sign-intermediate, sign-verbatim endpoints \[[GH-16124](https://togithub.com/hashicorp/vault/pull/16124)]
- secret/pki: Allow issuing certificates with non-domain, non-email Common Names from roles, sign-verbatim, and as issuers (`cn_validations`). \[[GH-15996](https://togithub.com/hashicorp/vault/pull/15996)]
- secret/pki: Allow specifying SKID for cross-signed issuance from older Vault versions. \[[GH-16494](https://togithub.com/hashicorp/vault/pull/16494)]
- secret/transit: Allow importing [`Ed25519`](https://togithub.com/hashicorp/vault/commit/Ed25519) keys from [PKCS#8](https://togithub.com/PKCS/vault/issues/8) with inner RFC 5915 ECPrivateKey blobs (NSS-wrapped keys). \[[GH-15742](https://togithub.com/hashicorp/vault/pull/15742)]
- secrets/ad: set config default length only if password_policy is missing \[[GH-16140](https://togithub.com/hashicorp/vault/pull/16140)]
- secrets/azure: Adds option to permanently delete AzureAD objects created by Vault. \[[GH-17045](https://togithub.com/hashicorp/vault/pull/17045)]
- secrets/database/hana: Add ability to customize dynamic usernames \[[GH-16631](https://togithub.com/hashicorp/vault/pull/16631)]
- secrets/database/snowflake: Add multiplexing support \[[GH-17159](https://togithub.com/hashicorp/vault/pull/17159)]
- secrets/gcp: Updates dependencies: `google.golang.org/api@v0.83.0`, `github.com/hashicorp/go-gcp-common@v0.8.0`. \[[GH-17174](https://togithub.com/hashicorp/vault/pull/17174)]
- secrets/gcpkms: Update dependencies: google.golang.org/api@v0.83.0. \[[GH-17199](https://togithub.com/hashicorp/vault/pull/17199)]
- secrets/kubernetes: upgrade to v0.2.0 \[[GH-17164](https://togithub.com/hashicorp/vault/pull/17164)]
- secrets/pki/tidy: Add another pair of metrics counting certificates not deleted by the tidy operation. \[[GH-16702](https://togithub.com/hashicorp/vault/pull/16702)]
- secrets/pki: Add a new flag to issue/sign APIs which can filter out root CAs from the returned ca_chain field \[[GH-16935](https://togithub.com/hashicorp/vault/pull/16935)]
- secrets/pki: Add a warning to any successful response when the requested TTL is overwritten by MaxTTL \[[GH-17073](https://togithub.com/hashicorp/vault/pull/17073)]
- secrets/pki: Add ability to cancel tidy operations, control tidy resource usage. \[[GH-16958](https://togithub.com/hashicorp/vault/pull/16958)]
- secrets/pki: Add ability to periodically rebuild CRL before expiry \[[GH-16762](https://togithub.com/hashicorp/vault/pull/16762)]
- secrets/pki: Add ability to periodically run tidy operations to remove expired certificates. \[[GH-16900](https://togithub.com/hashicorp/vault/pull/16900)]
- secrets/pki: Add support for per-issuer Authority Information Access (AIA) URLs \[[GH-16563](https://togithub.com/hashicorp/vault/pull/16563)]
- secrets/pki: Add support to specify signature bits when generating CSRs through intermediate/generate apis \[[GH-17388](https://togithub.com/hashicorp/vault/pull/17388)]
- secrets/pki: Added gauge metrics "secrets.pki.total_revoked_certificates_stored" and "secrets.pki.total_certificates_stored" to track the number of certificates in storage. \[[GH-16676](https://togithub.com/hashicorp/vault/pull/16676)]
- secrets/pki: Allow revocation of certificates with explicitly provided certificate (bring your own certificate / BYOC). \[[GH-16564](https://togithub.com/hashicorp/vault/pull/16564)]
- secrets/pki: Allow revocation via proving possession of certificate's private key \[[GH-16566](https://togithub.com/hashicorp/vault/pull/16566)]
- secrets/pki: Allow tidy to associate revoked certs with their issuers for OCSP performance \[[GH-16871](https://togithub.com/hashicorp/vault/pull/16871)]
- secrets/pki: Honor If-Modified-Since header on CA, CRL fetch; requires passthrough_request_headers modification on the mount point. \[[GH-16249](https://togithub.com/hashicorp/vault/pull/16249)]
- secrets/pki: Improve stability of association of revoked cert with its parent issuer; when an issuer loses crl-signing usage, do not place certs on default issuer's CRL. \[[GH-16874](https://togithub.com/hashicorp/vault/pull/16874)]
- secrets/pki: Support generating delta CRLs for up-to-date CRLs when auto-building is enabled. \[[GH-16773](https://togithub.com/hashicorp/vault/pull/16773)]
- secrets/ssh: Add allowed_domains_template to allow templating of allowed_domains. \[[GH-16056](https://togithub.com/hashicorp/vault/pull/16056)]
- secrets/ssh: Allow additional text along with a template definition in defaultExtension value fields. \[[GH-16018](https://togithub.com/hashicorp/vault/pull/16018)]
- secrets/ssh: Allow the use of Identity templates in the `default_user` field \[[GH-16351](https://togithub.com/hashicorp/vault/pull/16351)]
- secrets/transit: Add a dedicated HMAC key type, which can be used with key import. \[[GH-16668](https://togithub.com/hashicorp/vault/pull/16668)]
- secrets/transit: Added a parameter to encrypt/decrypt batch operations to allow the caller to override the HTTP response code in case of partial user-input failures. \[[GH-17118](https://togithub.com/hashicorp/vault/pull/17118)]
- secrets/transit: Allow configuring the possible salt lengths for RSA PSS signatures. \[[GH-16549](https://togithub.com/hashicorp/vault/pull/16549)]
- ssh: Addition of an endpoint `ssh/issue/:role` to allow the creation of signed key pairs \[[GH-15561](https://togithub.com/hashicorp/vault/pull/15561)]
- storage/cassandra: tuning parameters for clustered environments `connection_timeout`, `initial_connection_timeout`, `simple_retry_policy_retries`. \[[GH-10467](https://togithub.com/hashicorp/vault/pull/10467)]
- storage/gcs: Add documentation explaining how to configure the gcs backend using environment variables instead of options in the configuration stanza \[[GH-14455](https://togithub.com/hashicorp/vault/pull/14455)]
- ui: Changed the tokenBoundCidrs tooltip content to clarify that comma separated values are not accepted in this field. \[[GH-15852](https://togithub.com/hashicorp/vault/pull/15852)]
- ui: Prevents requests to /sys/internal/ui/resultant-acl endpoint when unauthenticated \[[GH-17139](https://togithub.com/hashicorp/vault/pull/17139)]
- ui: Removed deprecated version of core-js 2.6.11 \[[GH-15898](https://togithub.com/hashicorp/vault/pull/15898)]
- ui: Renamed labels under Tools for wrap, lookup, rewrap and unwrap with description. \[[GH-16489](https://togithub.com/hashicorp/vault/pull/16489)]
- ui: Replaces non-inclusive terms \[[GH-17116](https://togithub.com/hashicorp/vault/pull/17116)]
- ui: redirect_to param forwards from auth route when authenticated \[[GH-16821](https://togithub.com/hashicorp/vault/pull/16821)]
- website/docs: API generate-recovery-token documentation. \[[GH-16213](https://togithub.com/hashicorp/vault/pull/16213)]
- website/docs: Add documentation around the expensiveness of making lots of lease count quotas in a short period \[[GH-16950](https://togithub.com/hashicorp/vault/pull/16950)]
- website/docs: Removes mentions of unauthenticated from internal ui resultant-acl doc \[[GH-17139](https://togithub.com/hashicorp/vault/pull/17139)]
- website/docs: Update replication docs to mention Integrated Storage \[[GH-16063](https://togithub.com/hashicorp/vault/pull/16063)]
- website/docs: changed to echo for all string examples instead of (<<<) here-string. \[[GH-9081](https://togithub.com/hashicorp/vault/pull/9081)]

BUG FIXES:

- agent/template: Fix parsing error for the exec stanza \[[GH-16231](https://togithub.com/hashicorp/vault/pull/16231)]
- agent: Agent will now respect `max_retries` retry configuration even when caching is set. \[[GH-16970](https://togithub.com/hashicorp/vault/pull/16970)]
- agent: Update consul-template for pkiCert bug fixes \[[GH-16087](https://togithub.com/hashicorp/vault/pull/16087)]
- api/sys/internal/specs/openapi: support a new "dynamic" query parameter to generate generic mountpaths \[[GH-15835](https://togithub.com/hashicorp/vault/pull/15835)]
- api: Fixed erroneous warnings of unrecognized parameters when unwrapping data. \[[GH-16794](https://togithub.com/hashicorp/vault/pull/16794)]
- api: Fixed issue with internal/ui/mounts and internal/ui/mounts/(?P<path>.+) endpoints where it was not properly handling /auth/ \[[GH-15552](https://togithub.com/hashicorp/vault/pull/15552)]
- api: properly handle switching to/from unix domain socket when changing client address \[[GH-11904](https://togithub.com/hashicorp/vault/pull/11904)]
- auth/cert: Vault does not initially load the CRLs in cert auth unless the read/write CRL endpoint is hit. \[[GH-17138](https://togithub.com/hashicorp/vault/pull/17138)]
- auth/kerberos: Maintain headers set by the client \[[GH-16636](https://togithub.com/hashicorp/vault/pull/16636)]
- auth/kubernetes: Restore support for JWT signature algorithm ES384 \[[GH-160](https://togithub.com/hashicorp/vault-plugin-auth-kubernetes/pull/160)] \[[GH-17161](https://togithub.com/hashicorp/vault/pull/17161)]
- auth/token: Fix ignored parameter warnings for valid parameters on token create \[[GH-16938](https://togithub.com/hashicorp/vault/pull/16938)]
- command/debug: fix bug where monitor was not honoring configured duration \[[GH-16834](https://togithub.com/hashicorp/vault/pull/16834)]
- core (enterprise): Fix bug where wrapping token lookup does not work within namespaces. \[[GH-15583](https://togithub.com/hashicorp/vault/pull/15583)]
- core (enterprise): Fix creation of duplicate entities via alias metadata changes on local auth mounts.
- core/auth: Return a 403 instead of a 500 for a malformed SSCT \[[GH-16112](https://togithub.com/hashicorp/vault/pull/16112)]
- core/identity: Replicate member_entity_ids and policies in identity/group across nodes identically \[[GH-16088](https://togithub.com/hashicorp/vault/pull/16088)]
- core/license (enterprise): Always remove stored license and allow unseal to complete when license cleanup fails
- core/managed-keys (enterprise): fix panic when having `cache_disable` true
- core/quotas (enterprise): Fixed issue with improper counting of leases if lease count quota created after leases
- core/quotas: Added globbing functionality on the end of path suffix quota paths \[[GH-16386](https://togithub.com/hashicorp/vault/pull/16386)]
- core/quotas: Fix goroutine leak caused by the seal process not fully cleaning up Rate Limit Quotas. \[[GH-17281](https://togithub.com/hashicorp/vault/pull/17281)]
- core/replication (enterprise): Don't flush merkle tree pages to disk after losing active duty
- core/seal: Fix possible keyring truncation when using the file backend. \[[GH-15946](https://togithub.com/hashicorp/vault/pull/15946)]
- core: Fix panic when the plugin catalog returns neither a plugin nor an error. \[[GH-17204](https://togithub.com/hashicorp/vault/pull/17204)]
- core: Fixes parsing boolean values for ha_storage backends in config \[[GH-15900](https://togithub.com/hashicorp/vault/pull/15900)]
- core: Increase the allowed concurrent gRPC streams over the cluster port. \[[GH-16327](https://togithub.com/hashicorp/vault/pull/16327)]
- core: Prevent two or more DR failovers from invalidating SSCT tokens generated on the previous primaries. \[[GH-16956](https://togithub.com/hashicorp/vault/pull/16956)]
- database: Invalidate queue should cancel context first to avoid deadlock \[[GH-15933](https://togithub.com/hashicorp/vault/pull/15933)]
- debug: Fix panic when capturing debug bundle on Windows \[[GH-14399](https://togithub.com/hashicorp/vault/pull/14399)]
- debug: Remove extra empty lines from vault.log when debug command is run \[[GH-16714](https://togithub.com/hashicorp/vault/pull/16714)]
- identity (enterprise): Fix a data race when creating an entity for a local alias.
- identity/oidc: Adds `claims_supported` to discovery document. \[[GH-16992](https://togithub.com/hashicorp/vault/pull/16992)]
- identity/oidc: Change the `state` parameter of the Authorization Endpoint to optional. \[[GH-16599](https://togithub.com/hashicorp/vault/pull/16599)]
- identity/oidc: Detect invalid `redirect_uri` values sooner in validation of the Authorization Endpoint. \[[GH-16601](https://togithub.com/hashicorp/vault/pull/16601)]
- identity/oidc: Fixes validation of the `request` and `request_uri` parameters. \[[GH-16600](https://togithub.com/hashicorp/vault/pull/16600)]
- openapi: Fixed issue where information about /auth/token endpoints was not present with explicit policy permissions \[[GH-15552](https://togithub.com/hashicorp/vault/pull/15552)]
- plugin/multiplexing: Fix panic when id doesn't exist in connection map \[[GH-16094](https://togithub.com/hashicorp/vault/pull/16094)]
- plugin/secrets/auth: Fix a bug with aliased backends such as aws-ec2 or generic \[[GH-16673](https://togithub.com/hashicorp/vault/pull/16673)]
- plugins: Corrected the path to check permissions on when the registered plugin name does not match the plugin binary's filename. \[[GH-17340](https://togithub.com/hashicorp/vault/pull/17340)]
- quotas/lease-count: Fix lease-count quotas on mounts not properly being enforced when the lease generating request is a read \[[GH-15735](https://togithub.com/hashicorp/vault/pull/15735)]
- replication (enterprise): Fix data race in SaveCheckpoint()
- replication (enterprise): Fix data race in saveCheckpoint.
- replication (enterprise): Fix possible data race during merkle diff/sync
- secret/pki: Do not fail validation with a legacy key_bits default value and key_type=any when signing CSRs \[[GH-16246](https://togithub.com/hashicorp/vault/pull/16246)]
- secrets/database: Fix a bug where the secret engine would queue up a lot of WAL deletes during startup. \[[GH-16686](https://togithub.com/hashicorp/vault/pull/16686)]
- secrets/gcp: Fixes duplicate static account key creation from performance secondary clusters. \[[GH-16534](https://togithub.com/hashicorp/vault/pull/16534)]
- secrets/kv: Fix `kv get` issue preventing the ability to read a secret when providing a leading slash \[[GH-16443](https://togithub.com/hashicorp/vault/pull/16443)]
- secrets/pki: Allow import of issuers without CRLSign KeyUsage; prohibit setting crl-signing usage on such issuers \[[GH-16865](https://togithub.com/hashicorp/vault/pull/16865)]
- secrets/pki: Do not ignore provided signature bits value when signing intermediate and leaf certificates with a managed key \[[GH-17328](https://togithub.com/hashicorp/vault/pull/17328)]
- secrets/pki: Do not read revoked certificates from backend when CRL is disabled \[[GH-17385](https://togithub.com/hashicorp/vault/pull/17385)]
- secrets/pki: Fix migration to properly handle mounts that contain only keys, no certificates \[[GH-16813](https://togithub.com/hashicorp/vault/pull/16813)]
- secrets/pki: Ignore EC PARAMETER PEM blocks during issuer import (/config/ca, /issuers/import/\*, and /intermediate/set-signed) \[[GH-16721](https://togithub.com/hashicorp/vault/pull/16721)]
- secrets/pki: LIST issuers endpoint is now unauthenticated. \[[GH-16830](https://togithub.com/hashicorp/vault/pull/16830)]
- secrets/transform (enterprise): Fix an issue loading tokenization transform configuration after a specific sequence of reconfigurations.
- secrets/transform (enterprise): Fix persistence problem with tokenization store credentials.
- storage/raft (enterprise): Fix some storage-modifying RPCs used by perf standbys that weren't returning the resulting WAL state.
- storage/raft (enterprise): Prevent unauthenticated voter status change with rejoin \[[GH-16324](https://togithub.com/hashicorp/vault/pull/16324)]
- storage/raft: Fix retry_join initialization failure \[[GH-16550](https://togithub.com/hashicorp/vault/pull/16550)]
- storage/raft: Nodes no longer get demoted to nonvoter if we don't know their version due to missing heartbeats. \[[GH-17019](https://togithub.com/hashicorp/vault/pull/17019)]
- ui/keymgmt: Sets the defaultValue for type when creating a key. \[[GH-17407](https://togithub.com/hashicorp/vault/pull/17407)]
- ui: Fix OIDC callback to accept namespace flag in different formats \[[GH-16886](https://togithub.com/hashicorp/vault/pull/16886)]
- ui: Fix info tooltip submitting form \[[GH-16659](https://togithub.com/hashicorp/vault/pull/16659)]
- ui: Fix issue logging in with JWT auth method \[[GH-16466](https://togithub.com/hashicorp/vault/pull/16466)]
- ui: Fix lease force revoke action \[[GH-16930](https://togithub.com/hashicorp/vault/pull/16930)]
- ui: Fix naming of permitted_dns_domains form parameter on CA creation (root generation and sign intermediate). \[[GH-16739](https://togithub.com/hashicorp/vault/pull/16739)]
- ui: Fixed bug where red spellcheck underline appears in sensitive/secret kv values when it should not appear \[[GH-15681](https://togithub.com/hashicorp/vault/pull/15681)]
- ui: Fixes secret version and status menu links transitioning to auth screen \[[GH-16983](https://togithub.com/hashicorp/vault/pull/16983)]
- ui: OIDC login type uses localStorage instead of sessionStorage \[[GH-16170](https://togithub.com/hashicorp/vault/pull/16170)]
- vault: Fix a bug where duplicate policies could be added to an identity group. \[[GH-15638](https://togithub.com/hashicorp/vault/pull/15638)]

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/matter-labs/vault-auth-tee).
commit
b0653b4246
2 changed files with 3 additions and 1 deletions
2
go.mod
|
@ -6,7 +6,7 @@ require (
|
|||
github.com/hashicorp/go-hclog v1.6.2
|
||||
github.com/hashicorp/go-rootcerts v1.0.2
|
||||
github.com/hashicorp/vault v1.2.1-0.20240208012854-90c1515f84d3
|
||||
github.com/hashicorp/vault/api v1.11.0
|
||||
github.com/hashicorp/vault/api v1.12.0
|
||||
github.com/hashicorp/vault/sdk v0.11.0
|
||||
github.com/stretchr/testify v1.8.4
|
||||
gitlab.com/hacklunch/ntp v0.2.1-0.20200714090752-d286380a85fb
|
||||
|
|
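Review bot: The bumped line `github.com/hashicorp/vault/api v1.12.0` is not explained by the release notes pasted into the commit message: those notes are headed 1.12.0, October 13, 2022 and list Vault server changes, while this same require block already pins `github.com/hashicorp/vault` at a pseudo-version stamped 20240208, so the changelog appears to come from the repository's server release rather than from the api module. Before merging, read the api module's own changes between v1.11.0 and v1.12.0 and record in the PR which of them touch the client calls this plugin makes.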
2
go.sum
|
@ -829,6 +829,8 @@ github.com/hashicorp/vault-plugin-secrets-terraform v0.7.3 h1:k5jCx6laFvQHvrQod+
|
|||
github.com/hashicorp/vault-plugin-secrets-terraform v0.7.3/go.mod h1:yqCovAKNUNYnNrs5Wh95aExpsWEU45GB9FV7EquaSbA=
|
||||
github.com/hashicorp/vault/api v1.11.0 h1:AChWByeHf4/P9sX3Y1B7vFsQhZO2BgQiCMQ2SA1P1UY=
|
||||
github.com/hashicorp/vault/api v1.11.0/go.mod h1:si+lJCYO7oGkIoNPAN8j3azBLTn9SjMGS+jFaHd1Cck=
|
||||
github.com/hashicorp/vault/api v1.12.0 h1:meCpJSesvzQyao8FCOgk2fGdoADAnbDu2WPJN1lDLJ4=
|
||||
github.com/hashicorp/vault/api v1.12.0/go.mod h1:si+lJCYO7oGkIoNPAN8j3azBLTn9SjMGS+jFaHd1Cck=
|
||||
github.com/hashicorp/vault/sdk v0.11.0 h1:KP/tBUywaVcvOebAfMPNCCiXKeCNEbm3JauYmrZd7RI=
|
||||
github.com/hashicorp/vault/sdk v0.11.0/go.mod h1:cG0OZ7Ebq09Xn2N7OWtHbVqq6LpYP6fkyWo0PIvkLsA=
|
||||
github.com/hashicorp/vic v1.5.1-0.20190403131502-bbfe86ec9443 h1:O/pT5C1Q3mVXMyuqg7yuAWUg/jMZR1/0QTzTRdNR6Uw=
|
||||
|
|
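Review bot: The two v1.11.0 entries above the added lines are left in place, so confirm they are still needed by running `go mod tidy`, and run `go mod verify` in CI so the new `h1:meCpJSesvzQyao8FCOgk2fGdoADAnbDu2WPJN1lDLJ4=` checksum is compared with what is actually downloaded. The added `/go.mod` hash, `h1:si+lJCYO7oGkIoNPAN8j3azBLTn9SjMGS+jFaHd1Cck=`, is identical to the v1.11.0 one, which is consistent with the api module's go.mod being unchanged and with no other requirement moving in this commit.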