release prep
This commit is contained in:
parent
3f5117e87d
commit
48dffb9b7c
25
CHANGELOG.md
25
CHANGELOG.md
|
@ -1,4 +1,4 @@
|
|||
## 1.0.0-beta2 (Unreleased)
|
||||
## 1.0.0-beta2 (November 12th, 2018)
|
||||
|
||||
CHANGES:
|
||||
|
||||
|
@ -52,26 +52,33 @@ IMPROVEMENTS:
|
|||
|
||||
BUG FIXES:
|
||||
|
||||
* auth/userpass: Fix minor timing issue that could leak the presence of a
|
||||
username [GH-5614]
|
||||
* cli: Fix panic that could occur if parameters were not provided [GH-5603]
|
||||
* core: Migration from autounseal to shamir will clean up old keys [GH-5671]
|
||||
* core: Fix buggy behavior if trying to remount into a namespace
|
||||
* identity: Fix duplication of entity alias entity during alias transfer
|
||||
between entities [GH-5733]
|
||||
* secrets/azure: Fix valid roles being rejected for duplicate ids despite
|
||||
having distinct scopes
|
||||
[[GH-16]](https://github.com/hashicorp/vault-plugin-secrets-azure/pull/16)
|
||||
* secrets/kv: Disallow empty paths on a `kv put` while accepting empty paths
|
||||
for all other operations for backwards compatibility
|
||||
[[GH-19]](https://github.com/hashicorp/vault-plugin-secrets-kv/pull/19)
|
||||
* ui: Fix bug where editing secrets as JSON doesn't save properly [GH-5660]
|
||||
* agent: Fix issue when specifying two file sinks [GH-5610]
|
||||
* ui: Fix bug where `sys/leases/revoke` required 'sudo' capability to show
|
||||
the revoke button in the UI [GH-5647]
|
||||
* ui: Fix issue where certain pages wouldn't render in a namespace [GH-5692]
|
||||
|
||||
## 0.11.5 (November 12th, 2018)
|
||||
|
||||
BUG FIXES:
|
||||
|
||||
* auth/userpass: Fix minor timing issue that could leak the presence of a
|
||||
username [GH-5614]
|
||||
* cli: Fix panic that could occur if parameters were not provided [GH-5603]
|
||||
* core: Fix buggy behavior if trying to remount into a namespace
|
||||
* identity: Fix duplication of entity alias entity during alias transfer
|
||||
between entities [GH-5733]
|
||||
* ui: Fix bug where editing secrets as JSON doesn't save properly [GH-5660]
|
||||
* ui: Fix issue where IE 11 didn't render the UI and also had a broken form
|
||||
when trying to use tool/hash [GH-5714]
|
||||
* agent: Fix issue when specifying two file sinks [GH-5610]
|
||||
* autounseal/alicloud: Fix issue interacting with the API
|
||||
* autounseal/azure: Fix key version tracking
|
||||
|
||||
## 1.0.0-beta1 (October 23rd, 2018)
|
||||
|
||||
|
|
|
@ -289,7 +289,7 @@ func (b *GcpAuthBackend) pathRoleRead(ctx context.Context, req *logical.Request,
|
|||
resp := make(map[string]interface{})
|
||||
|
||||
if role.RoleType != "" {
|
||||
resp["role"] = role.RoleType
|
||||
resp["type"] = role.RoleType
|
||||
}
|
||||
if role.ProjectId != "" {
|
||||
resp["project_id"] = role.ProjectId
|
||||
|
|
|
@ -2,8 +2,7 @@
|
|||
|
||||
|
||||
[[projects]]
|
||||
branch = "master"
|
||||
digest = "1:e26170d7ec7d444d7b74a5b1dbd6437fd8e552d27efce9327f733311737c4ae9"
|
||||
digest = "1:a69ab3f1445ffd4815add4bd31ba05b65b3b9fec1ade5057d5d717f30e6efd6d"
|
||||
name = "github.com/SermoDigital/jose"
|
||||
packages = [
|
||||
".",
|
||||
|
@ -12,7 +11,8 @@
|
|||
"jwt",
|
||||
]
|
||||
pruneopts = "UT"
|
||||
revision = "803625baeddc3526d01d321b5066029f53eafc81"
|
||||
revision = "f6df55f235c24f236d11dbcf665249a59ac2021f"
|
||||
version = "1.1"
|
||||
|
||||
[[projects]]
|
||||
branch = "master"
|
||||
|
@ -23,16 +23,17 @@
|
|||
revision = "7fddfc383310abc091d79a27f116d30cf0424032"
|
||||
|
||||
[[projects]]
|
||||
digest = "1:b12a893d64eb4c4c1980240c5706026032f505fef4ecd7d4cbfa2ed60ecd40c9"
|
||||
branch = "master"
|
||||
digest = "1:fb6bb07f738b9ec248ffa7b737dd983df2028001ebd0dad29dfb0830576cef12"
|
||||
name = "github.com/briankassouf/jose"
|
||||
packages = [
|
||||
".",
|
||||
"crypto",
|
||||
"jws",
|
||||
"jwt",
|
||||
]
|
||||
pruneopts = "UT"
|
||||
revision = "f6df55f235c24f236d11dbcf665249a59ac2021f"
|
||||
version = "1.1"
|
||||
revision = "d2569464773f2b9de32e57a79d87318bca5b56c0"
|
||||
|
||||
[[projects]]
|
||||
digest = "1:34e709f36fd4f868fb00dbaf8a6cab4c1ae685832d392874ba9d7c5dec2429d1"
|
||||
|
@ -433,7 +434,6 @@
|
|||
analyzer-name = "dep"
|
||||
analyzer-version = 1
|
||||
input-imports = [
|
||||
"github.com/SermoDigital/jose/jws",
|
||||
"github.com/briankassouf/jose/crypto",
|
||||
"github.com/briankassouf/jose/jws",
|
||||
"github.com/briankassouf/jose/jwt",
|
||||
|
|
|
@ -24,14 +24,9 @@
|
|||
# go-tests = true
|
||||
# unused-packages = true
|
||||
|
||||
|
||||
[[constraint]]
|
||||
branch = "master"
|
||||
name = "github.com/SermoDigital/jose"
|
||||
|
||||
[[constraint]]
|
||||
name = "github.com/briankassouf/jose"
|
||||
version = "1.1.0"
|
||||
branch = "master"
|
||||
|
||||
[[constraint]]
|
||||
branch = "master"
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# Vault Plugin: Kubernetes Auth Backend
|
||||
# Vault Plugin: Kubernetes Auth Backend [![Build Status](https://travis-ci.org/hashicorp/vault-plugin-auth-kubernetes.svg?branch=master)](https://travis-ci.org/hashicorp/vault-plugin-auth-kubernetes)
|
||||
|
||||
This is a standalone backend plugin for use with [Hashicorp Vault](https://www.github.com/hashicorp/vault).
|
||||
This plugin allows for Kubernetes Service Accounts to authenticate with Vault.
|
||||
|
|
|
@ -8,7 +8,7 @@ import (
|
|||
"encoding/pem"
|
||||
"errors"
|
||||
|
||||
"github.com/SermoDigital/jose/jws"
|
||||
"github.com/briankassouf/jose/jws"
|
||||
"github.com/hashicorp/vault/logical"
|
||||
"github.com/hashicorp/vault/logical/framework"
|
||||
)
|
||||
|
|
|
@ -21,9 +21,9 @@ import (
|
|||
|
||||
var (
|
||||
// expectedJWTIssuer is used to verify the iss header on the JWT.
|
||||
expectedJWTIssuer string = "kubernetes/serviceaccount"
|
||||
expectedJWTIssuer = "kubernetes/serviceaccount"
|
||||
|
||||
uidJWTClaimKey string = "kubernetes.io/serviceaccount/service-account.uid"
|
||||
uidJWTClaimKey = "kubernetes.io/serviceaccount/service-account.uid"
|
||||
|
||||
// errMismatchedSigningMethod is used if the certificate doesn't match the
|
||||
// JWT's expected signing method.
|
||||
|
@ -108,20 +108,20 @@ func (b *kubeAuthBackend) pathLogin() framework.OperationFunc {
|
|||
NumUses: role.NumUses,
|
||||
Period: role.Period,
|
||||
Alias: &logical.Alias{
|
||||
Name: serviceAccount.UID,
|
||||
Name: serviceAccount.uid(),
|
||||
},
|
||||
InternalData: map[string]interface{}{
|
||||
"role": roleName,
|
||||
},
|
||||
Policies: role.Policies,
|
||||
Metadata: map[string]string{
|
||||
"service_account_uid": serviceAccount.UID,
|
||||
"service_account_name": serviceAccount.Name,
|
||||
"service_account_namespace": serviceAccount.Namespace,
|
||||
"service_account_uid": serviceAccount.uid(),
|
||||
"service_account_name": serviceAccount.name(),
|
||||
"service_account_namespace": serviceAccount.namespace(),
|
||||
"service_account_secret_name": serviceAccount.SecretName,
|
||||
"role": roleName,
|
||||
},
|
||||
DisplayName: fmt.Sprintf("%s-%s", serviceAccount.Namespace, serviceAccount.Name),
|
||||
DisplayName: fmt.Sprintf("%s-%s", serviceAccount.namespace(), serviceAccount.name()),
|
||||
LeaseOptions: logical.LeaseOptions{
|
||||
Renewable: true,
|
||||
TTL: role.TTL,
|
||||
|
@ -187,14 +187,14 @@ func (b *kubeAuthBackend) parseAndValidateJWT(jwtStr string, role *roleStorageEn
|
|||
|
||||
// verify the namespace is allowed
|
||||
if len(role.ServiceAccountNamespaces) > 1 || role.ServiceAccountNamespaces[0] != "*" {
|
||||
if !strutil.StrListContains(role.ServiceAccountNamespaces, sa.Namespace) {
|
||||
if !strutil.StrListContains(role.ServiceAccountNamespaces, sa.namespace()) {
|
||||
return errors.New("namespace not authorized")
|
||||
}
|
||||
}
|
||||
|
||||
// verify the service account name is allowed
|
||||
if len(role.ServiceAccountNames) > 1 || role.ServiceAccountNames[0] != "*" {
|
||||
if !strutil.StrListContains(role.ServiceAccountNames, sa.Name) {
|
||||
if !strutil.StrListContains(role.ServiceAccountNames, sa.name()) {
|
||||
return errors.New("service account name not authorized")
|
||||
}
|
||||
}
|
||||
|
@ -284,6 +284,53 @@ type serviceAccount struct {
|
|||
UID string `mapstructure:"kubernetes.io/serviceaccount/service-account.uid"`
|
||||
SecretName string `mapstructure:"kubernetes.io/serviceaccount/secret.name"`
|
||||
Namespace string `mapstructure:"kubernetes.io/serviceaccount/namespace"`
|
||||
Aud []string `mapstructure:"aud"`
|
||||
|
||||
// the JSON returned from reviewing a Projected Service account has a
|
||||
// different structure, where the information is in a sub-structure instead of
|
||||
// at the top level
|
||||
Kubernetes *projectedServiceToken `mapstructure:"kubernetes.io"`
|
||||
Expiration int64 `mapstructure:"exp"`
|
||||
IssuedAt int64 `mapstructure:"iat"`
|
||||
}
|
||||
|
||||
// uid returns the UID for the service account, preferring the projected service
|
||||
// account value if found
|
||||
func (s *serviceAccount) uid() string {
|
||||
if s.Kubernetes != nil && s.Kubernetes.ServiceAccount != nil {
|
||||
return s.Kubernetes.ServiceAccount.UID
|
||||
}
|
||||
return s.UID
|
||||
}
|
||||
|
||||
// name returns the name for the service account, preferring the projected
|
||||
// service account value if found. This is "default" for projected service
|
||||
// accounts
|
||||
func (s *serviceAccount) name() string {
|
||||
if s.Kubernetes != nil && s.Kubernetes.ServiceAccount != nil {
|
||||
return s.Kubernetes.ServiceAccount.Name
|
||||
}
|
||||
return s.Name
|
||||
}
|
||||
|
||||
// namespace returns the namespace for the service account, preferring the
|
||||
// projected service account value if found
|
||||
func (s *serviceAccount) namespace() string {
|
||||
if s.Kubernetes != nil {
|
||||
return s.Kubernetes.Namespace
|
||||
}
|
||||
return s.Namespace
|
||||
}
|
||||
|
||||
type projectedServiceToken struct {
|
||||
Namespace string `mapstructure:"namespace"`
|
||||
Pod *projectedServiceAccountPod `mapstructure:"pod"`
|
||||
ServiceAccount *projectedServiceAccountPod `mapstructure:"serviceaccount"`
|
||||
}
|
||||
|
||||
type projectedServiceAccountPod struct {
|
||||
Name string `mapstructure:"name"`
|
||||
UID string `mapstructure:"uid"`
|
||||
}
|
||||
|
||||
// lookup calls the TokenReview API in kubernetes to verify the token and secret
|
||||
|
@ -296,13 +343,13 @@ func (s *serviceAccount) lookup(jwtStr string, tr tokenReviewer) error {
|
|||
|
||||
// Verify the returned metadata matches the expected data from the service
|
||||
// account.
|
||||
if s.Name != r.Name {
|
||||
if s.name() != r.Name {
|
||||
return errors.New("JWT names did not match")
|
||||
}
|
||||
if s.UID != r.UID {
|
||||
if s.uid() != r.UID {
|
||||
return errors.New("JWT UIDs did not match")
|
||||
}
|
||||
if s.Namespace != r.Namespace {
|
||||
if s.namespace() != r.Namespace {
|
||||
return errors.New("JWT namepaces did not match")
|
||||
}
|
||||
|
||||
|
|
|
@ -161,7 +161,7 @@ func (b *azureSecretBackend) pathRoleUpdate(ctx context.Context, req *logical.Re
|
|||
|
||||
err := jsonutil.DecodeJSON([]byte(roles.(string)), &parsedRoles)
|
||||
if err != nil {
|
||||
return logical.ErrorResponse("invalid Azure role definitions"), nil
|
||||
return logical.ErrorResponse(fmt.Sprintf("error parsing Azure roles '%s': %s", roles.(string), err.Error())), nil
|
||||
}
|
||||
role.AzureRoles = parsedRoles
|
||||
}
|
||||
|
|
|
@ -1403,14 +1403,14 @@
|
|||
{
|
||||
"checksumSHA1": "NRGHY73VI2kEgy+FSDOuSsixS4k=",
|
||||
"path": "github.com/hashicorp/vault-plugin-auth-alicloud",
|
||||
"revision": "1c2bb0abe14ed980276707b1d572dd280da69d86",
|
||||
"revisionTime": "2018-10-03T22:48:59Z"
|
||||
"revision": "f278a59ca3e8aeafeda7cb9a14e8815359d25fcd",
|
||||
"revisionTime": "2018-11-09T18:06:36Z"
|
||||
},
|
||||
{
|
||||
"checksumSHA1": "xdrSQoX7B7Hr4iWm9T2+5wHVpHQ=",
|
||||
"path": "github.com/hashicorp/vault-plugin-auth-alicloud/tools",
|
||||
"revision": "1c2bb0abe14ed980276707b1d572dd280da69d86",
|
||||
"revisionTime": "2018-10-03T22:48:59Z"
|
||||
"revision": "f278a59ca3e8aeafeda7cb9a14e8815359d25fcd",
|
||||
"revisionTime": "2018-11-09T18:06:36Z"
|
||||
},
|
||||
{
|
||||
"checksumSHA1": "ojr0r/jmutGEhftDXiHthCCwpIA=",
|
||||
|
@ -1425,10 +1425,10 @@
|
|||
"revisionTime": "2018-08-16T20:11:31Z"
|
||||
},
|
||||
{
|
||||
"checksumSHA1": "/Jn1UXwpf4RVqNhxyUT275WMQzQ=",
|
||||
"checksumSHA1": "pJC3V+AR+Khd/TpvekLf1ZRU7rA=",
|
||||
"path": "github.com/hashicorp/vault-plugin-auth-gcp/plugin",
|
||||
"revision": "d57adfb30a2e65659bdb83e632a6d4e6690e2e86",
|
||||
"revisionTime": "2018-10-12T20:41:23Z"
|
||||
"revision": "86f7837fd8102347f7a10e3f0ad275e5a256863c",
|
||||
"revisionTime": "2018-10-25T21:28:40Z"
|
||||
},
|
||||
{
|
||||
"checksumSHA1": "tt3FtyjXgdBI9Mb43UL4LtOZmAk=",
|
||||
|
@ -1437,46 +1437,46 @@
|
|||
"revisionTime": "2018-10-31T19:59:42Z"
|
||||
},
|
||||
{
|
||||
"checksumSHA1": "hrJZzU9iG2ixRu2hOdPgN7wa48c=",
|
||||
"checksumSHA1": "8J4z30a2oTqSPQYOaT4j/jiZuNE=",
|
||||
"path": "github.com/hashicorp/vault-plugin-auth-kubernetes",
|
||||
"revision": "8bfe988b36157168563f726887da232af94ee87f",
|
||||
"revisionTime": "2018-08-16T20:15:54Z"
|
||||
"revision": "5328b889a921243d6e19cda38fb2c31a48cba2b2",
|
||||
"revisionTime": "2018-11-01T19:05:09Z"
|
||||
},
|
||||
{
|
||||
"checksumSHA1": "pNERL2s72vwnApekzTLxGsvkyNU=",
|
||||
"checksumSHA1": "PmhyvCKVlEMEP6JO31ozW+CBIiE=",
|
||||
"path": "github.com/hashicorp/vault-plugin-secrets-ad/plugin",
|
||||
"revision": "d8a0991deac4006068826a99b82d8274aa119161",
|
||||
"revisionTime": "2018-08-20T22:27:10Z"
|
||||
"revision": "540c0b6f1f113a1c6bdaa130a35ee8530c072b5a",
|
||||
"revisionTime": "2018-11-09T18:28:34Z"
|
||||
},
|
||||
{
|
||||
"checksumSHA1": "GOxdFElG31lXWgKFG9aqpDcG47M=",
|
||||
"path": "github.com/hashicorp/vault-plugin-secrets-ad/plugin/client",
|
||||
"revision": "d8a0991deac4006068826a99b82d8274aa119161",
|
||||
"revisionTime": "2018-08-20T22:27:10Z"
|
||||
"revision": "540c0b6f1f113a1c6bdaa130a35ee8530c072b5a",
|
||||
"revisionTime": "2018-11-09T18:28:34Z"
|
||||
},
|
||||
{
|
||||
"checksumSHA1": "RaH2xTkjaToCk+RoPhap7I66ibo=",
|
||||
"path": "github.com/hashicorp/vault-plugin-secrets-ad/plugin/util",
|
||||
"revision": "d8a0991deac4006068826a99b82d8274aa119161",
|
||||
"revisionTime": "2018-08-20T22:27:10Z"
|
||||
"revision": "540c0b6f1f113a1c6bdaa130a35ee8530c072b5a",
|
||||
"revisionTime": "2018-11-09T18:28:34Z"
|
||||
},
|
||||
{
|
||||
"checksumSHA1": "VLXyxS5dEoiWTSFmpMJIz+Pwtmw=",
|
||||
"path": "github.com/hashicorp/vault-plugin-secrets-alicloud",
|
||||
"revision": "4272d944e495635b30fcabf70dd71a9355b798a9",
|
||||
"revisionTime": "2018-10-03T22:47:18Z"
|
||||
"revision": "2aee79cc5cbf1bbca654dbc594f809cafc19cd8d",
|
||||
"revisionTime": "2018-11-09T18:14:53Z"
|
||||
},
|
||||
{
|
||||
"checksumSHA1": "dqduixICi6NeyLNRCDdw62t1LFU=",
|
||||
"path": "github.com/hashicorp/vault-plugin-secrets-alicloud/clients",
|
||||
"revision": "4272d944e495635b30fcabf70dd71a9355b798a9",
|
||||
"revisionTime": "2018-10-03T22:47:18Z"
|
||||
"revision": "2aee79cc5cbf1bbca654dbc594f809cafc19cd8d",
|
||||
"revisionTime": "2018-11-09T18:14:53Z"
|
||||
},
|
||||
{
|
||||
"checksumSHA1": "f7Ul8JZy98iiDLRN5j9/6jbq9jc=",
|
||||
"checksumSHA1": "Zr5xVeEJxmlBLWgaUq5rRRIuryE=",
|
||||
"path": "github.com/hashicorp/vault-plugin-secrets-azure",
|
||||
"revision": "824f07d5c72f72bb6d983c07d8fba2ab72bd45b8",
|
||||
"revisionTime": "2018-10-24T21:21:15Z"
|
||||
"revision": "26e517ba4190bab20ebb28336921434f96093250",
|
||||
"revisionTime": "2018-11-08T17:16:20Z"
|
||||
},
|
||||
{
|
||||
"checksumSHA1": "tFP1EEyVlomSSx46NHDZWGPzUz0=",
|
||||
|
|
|
@ -7,5 +7,5 @@ func init() {
|
|||
// A pre-release marker for the version. If this is "" (empty string)
|
||||
// then it means that it is a final release. Otherwise, this is a pre-release
|
||||
// such as "dev" (in development), "beta", "rc1", etc.
|
||||
VersionPrerelease = "beta1"
|
||||
VersionPrerelease = "beta2"
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue