CL and plugin updates

Jeff Mitchell 2018-12-03 11:45:02 -05:00
parent 149e14f8fa
commit 9066bba70a
3 changed files with 73 additions and 109 deletions


@ -1,21 +1,12 @@
## 1.0.0 ## 1.0.0
IMPROVEMENTS:
* ui: Allow editing of KV V2 data when a token doesn't have capabilities to
read secret metadata [GH-5879]
BUG FIXES:
* ui: Update DR Secondary Token generation command [GH-5857]
* ui: Fix pagination bug where controls would be rendered once for each
item when viewing policies [GH-5866]
## 1.0.0-rc1 (Nov 20th, 2018)
CHANGES: CHANGES:
* Tokens are now prefixed by a designation to indicate what type of token they
are. Service tokens start with `s.` and batch tokens start with `b.`.
Existing tokens will still work (they are all of service type and will be
considered as such). Prefixing allows us to be more efficient when consuming
a token, which keeps the critical path of requests faster.
* Paths within `auth/token` that allow specifying a token or accessor in the * Paths within `auth/token` that allow specifying a token or accessor in the
URL have been removed. These have been deprecated since March 2016 and URL have been removed. These have been deprecated since March 2016 and
undocumented, but were retained for backwards compatibility. They shouldn't undocumented, but were retained for backwards compatibility. They shouldn't
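Review bot: The new top heading `## 1.0.0` carries no release date, while the pre-release headings folded into it and the `## 0.11.4 (October 23rd, 2018)` entry further down all have one. Add the date in the same parenthesised form so the final entry can be dated like the rest of the file.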
@ -28,35 +19,6 @@ CHANGES:
options map itself cannot be unset once it's set, but the keypairs within the options map itself cannot be unset once it's set, but the keypairs within the
map can be unset if an empty value is provided, with the exception of the map can be unset if an empty value is provided, with the exception of the
`version` keypair which is handled differently for KVv2 purposes. `version` keypair which is handled differently for KVv2 purposes.
IMPROVEMENTS:
* agent: Support for configuring the location of the kubernetes service account
[GH-5725]
* ui: Empty states have updated styling and link to relevant actions and
documentation [GH-5758]
BUG FIXES:
* identity: Update group memberships when entity is deleted [GH-5786]
* storage/gcs: Send md5 of values to GCS to avoid potential corruption
[GH-5804]
* ui: Fix the PKI context menu so that items load [GH-5824]
* ui: Fix dr secondary operation token generation via the ui [GH-5818]
* ui: Allow for secret creation in kv v2 when cas_required=true [GH-5823]
* agent: Fix auth when multiple redirects [GH-5814]
* secrets/kv: Fix issue where storage version would get incorrectly downgraded
[GH-5809]
* performance standby: Fix audit table upgrade on standbys [GH-5811]
* performance standby: Fix redirect on approle update [GH-5820]
* cli: Restore the `-policy-override` flag [GH-5826]
* core: Fix rekey progress reset which did not happen under certain
circumstances. [GH-5743]
## 1.0.0-beta2 (November 13th, 2018)
CHANGES:
* Agent no longer automatically reauthenticates when new credentials are * Agent no longer automatically reauthenticates when new credentials are
detected. It's not strictly necessary and in some cases was causing detected. It's not strictly necessary and in some cases was causing
reauthentication much more often than intended. reauthentication much more often than intended.
@ -76,25 +38,32 @@ CHANGES:
writing custom clients using the Go API library. As before, this can be writing custom clients using the Go API library. As before, this can be
changed to any custom HTTP client by the caller. changed to any custom HTTP client by the caller.
CHANGES FROM BETA 1:
(Note: these items will be removed from the final 1.0 changelog as they are
only breaking changes from beta1)
* Token Store Roles and Batch Tokens: Roles now default to `default-service`
token type, issuing service tokens by default but allowing overriding by the
client. They now also support `default-batch` in addition to `service` and
`batch`.
FEATURES: FEATURES:
* AppRole support in Vault Agent Auto-Auth: You can now use AppRole * **Auto-Unseal in Open Source**: Cloud-based auto-unseal has been migrated
credentials when having Agent automatically authenticate to Vault. from Enterprise to Open Source. We've created a migrator to allow migrating
* OpenAPI descriptions of mounted backends can be served directly from Vault. between Shamir seals and auto unseal methods.
* Support for Kubernetes Projected Service Account Tokens in Kubernetes auth * Batch Tokens: Batch tokens trade off some features of service tokens for no
* Added ability to wrap secrets and easily copy the wrap token or secret JSON in the UI. storage overhead, and in most cases can be used across performance
replication clusters.
* Replication Speed Improvements: We've worked hard to speed up a lot of
operations when using Vault Enterprise Replication.
* **GCP KMS Secrets Engine**: This new secrets engine provides a Transit-like
pattern to keys stored within GCP Cloud KMS.
* **AppRole support in Vault Agent Auto-Auth**: You can now use AppRole
credentials when having Agent automatically authenticate to Vault
* **OpenAPI Support**: Descriptions of mounted backends can be served directly
from Vault
* **Kubernetes Projected Service Account Tokens**: Projected Service Account
Tokens are now supported in Kubernetes auth
* **Response Wrapping in UI**: Added ability to wrap secrets and easily copy
the wrap token or secret JSON in the UI
IMPROVEMENTS: IMPROVEMENTS:
* agent: Support for configuring the location of the kubernetes service account
[GH-5725]
* auth/token: New tokens are indexed in storage HMAC-SHA256 instead of SHA1
* secret/totp: Allow @ character to be part of key name [GH-5652] * secret/totp: Allow @ character to be part of key name [GH-5652]
* secret/consul: Add support for new policy based tokens added in Consul 1.4 * secret/consul: Add support for new policy based tokens added in Consul 1.4
[GH-5586] [GH-5586]
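Review bot: In the rewritten FEATURES list, `Batch Tokens:` and `Replication Speed Improvements:` are left unbolded while every other item gets `**…**`; bold them as well. The list also mixes items that keep a trailing period (Auto-Unseal, Batch Tokens, Replication, GCP KMS) with items that drop it (AppRole, OpenAPI, Kubernetes, Response Wrapping), so pick one form. Separately, `auth/token: New tokens are indexed in storage HMAC-SHA256 instead of SHA1` reads as if a word is missing; "indexed in storage using HMAC-SHA256" would be clearer.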
@ -104,16 +73,37 @@ IMPROVEMENTS:
* ui: Improved banner and popup design [GH-5672] * ui: Improved banner and popup design [GH-5672]
* ui: Added token type to auth method mount config [GH-5723] * ui: Added token type to auth method mount config [GH-5723]
* ui: Display additonal wrap info when unwrapping. [GH-5664] * ui: Display additonal wrap info when unwrapping. [GH-5664]
* ui: Empty states have updated styling and link to relevant actions and
documentation [GH-5758]
* ui: Allow editing of KV V2 data when a token doesn't have capabilities to
read secret metadata [GH-5879]
BUG FIXES: BUG FIXES:
* agent: Fix auth when multiple redirects [GH-5814]
* cli: Restore the `-policy-override` flag [GH-5826]
* core: Fix rekey progress reset which did not happen under certain
circumstances. [GH-5743]
* core: Migration from autounseal to shamir will clean up old keys [GH-5671] * core: Migration from autounseal to shamir will clean up old keys [GH-5671]
* identity: Update group memberships when entity is deleted [GH-5786]
* replication/perfstandby: Fix audit table upgrade on standbys [GH-5811]
* replication/perfstandby: Fix redirect on approle update [GH-5820]
* secrets/azure: Fix valid roles being rejected for duplicate ids despite * secrets/azure: Fix valid roles being rejected for duplicate ids despite
having distinct scopes having distinct scopes
[[GH-16]](https://github.com/hashicorp/vault-plugin-secrets-azure/pull/16) [[GH-16]](https://github.com/hashicorp/vault-plugin-secrets-azure/pull/16)
* storage/gcs: Send md5 of values to GCS to avoid potential corruption
[GH-5804]
* secrets/kv: Fix issue where storage version would get incorrectly downgraded
[GH-5809]
* secrets/kv: Disallow empty paths on a `kv put` while accepting empty paths * secrets/kv: Disallow empty paths on a `kv put` while accepting empty paths
for all other operations for backwards compatibility for all other operations for backwards compatibility
[[GH-19]](https://github.com/hashicorp/vault-plugin-secrets-kv/pull/19) [[GH-19]](https://github.com/hashicorp/vault-plugin-secrets-kv/pull/19)
* ui: Allow for secret creation in kv v2 when cas_required=true [GH-5823]
* ui: Fix dr secondary operation token generation via the ui [GH-5818]
* ui: Fix the PKI context menu so that items load [GH-5824]
* ui: Update DR Secondary Token generation command [GH-5857]
* ui: Fix pagination bug where controls would be rendered once for each
item when viewing policies [GH-5866]
* ui: Fix bug where `sys/leases/revoke` required 'sudo' capability to show * ui: Fix bug where `sys/leases/revoke` required 'sudo' capability to show
the revoke button in the UI [GH-5647] the revoke button in the UI [GH-5647]
* ui: Fix issue where certain pages wouldn't render in a namespace [GH-5692] * ui: Fix issue where certain pages wouldn't render in a namespace [GH-5692]
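Review bot: The merged BUG FIXES list is otherwise ordered by component, but `storage/gcs: Send md5 of values to GCS to avoid potential corruption` lands between the `secrets/azure` entry and the `secrets/kv` entries; move it after the last `secrets/kv` item. While this block is being touched, the context line `ui: Display additonal wrap info when unwrapping.` still carries the "additonal" typo.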
@ -122,52 +112,20 @@ BUG FIXES:
BUG FIXES: BUG FIXES:
* agent: Fix issue when specifying two file sinks [GH-5610]
* auth/userpass: Fix minor timing issue that could leak the presence of a * auth/userpass: Fix minor timing issue that could leak the presence of a
username [GH-5614] username [GH-5614]
* autounseal/alicloud: Fix issue interacting with the API (Enterprise)
* autounseal/azure: Fix key version tracking (Enterprise)
* cli: Fix panic that could occur if parameters were not provided [GH-5603] * cli: Fix panic that could occur if parameters were not provided [GH-5603]
* core: Fix buggy behavior if trying to remount into a namespace * core: Fix buggy behavior if trying to remount into a namespace
* identity: Fix duplication of entity alias entity during alias transfer * identity: Fix duplication of entity alias entity during alias transfer
between entities [GH-5733] between entities [GH-5733]
* namespaces: Fix tuning of auth mounts in a namespace
* ui: Fix bug where editing secrets as JSON doesn't save properly [GH-5660] * ui: Fix bug where editing secrets as JSON doesn't save properly [GH-5660]
* ui: Fix issue where IE 11 didn't render the UI and also had a broken form * ui: Fix issue where IE 11 didn't render the UI and also had a broken form
when trying to use tool/hash [GH-5714] when trying to use tool/hash [GH-5714]
* agent: Fix issue when specifying two file sinks [GH-5610]
* autounseal/alicloud: Fix issue interacting with the API (Enterprise)
* autounseal/azure: Fix key version tracking (Enterprise)
* namespaces: Fix tuning of auth mounts in a namespace
## 1.0.0-beta1 (October 23rd, 2018)
NOTE:
A few items didn't make it into beta1; this entry will be updated for beta2
and the final release.
CHANGES:
* core: Tokens are now prefixed by a designation to indicate what type of
token they are. Service tokens start with `s.` and batch tokens start with
`b.`. Existing tokens will still work (they are all of service type and will
be considered as such). Prefixing allows us to be more efficient when
consuming a token, which keeps the critical path of requests faster.
FEATURES:
* **Auto-Unseal in Open Source**: Cloud-based auto-unseal is migrating from
Enterprise to Open Source. We've created a migrator to allow migrating
between Shamir seals and auto unseal methods.
* Batch Tokens: Batch tokens trade off some features of service tokens for no
storage overhead, and in most cases can be used across performance
replication clusters.
* Replication Speed Improvements: We've worked hard to speed up a lot of
operations when using Vault Enterprise Replication.
* **GCP KMS Secrets Engine**: This new secrets engine provides a Transit-like
pattern to keys stored within GCP Cloud KMS.
IMPROVEMENTS:
* auth/token: New tokens are indexed in storage HMAC-SHA256 instead of SHA1
## 0.11.4 (October 23rd, 2018) ## 0.11.4 (October 23rd, 2018)
CHANGES: CHANGES:
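Review bot: In the `identity` entry of this BUG FIXES block, "Fix duplication of entity alias entity during alias transfer" has a stray or mistyped second "entity". Since this commit is reordering the section anyway, reword that line so it says what was actually duplicated.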
@ -178,12 +136,12 @@ CHANGES:
FEATURES: FEATURES:
* Transit Key Trimming: Keys in transit secret engine can now be trimmed to * **Transit Key Trimming**: Keys in transit secret engine can now be trimmed to
remove older unused key versions. remove older unused key versions
* Web UI support for KV Version 2. Browse, delete, undelete and destroy * **Web UI support for KV Version 2**: Browse, delete, undelete and destroy
individual secret versions in the UI. individual secret versions in the UI
* Azure Existing Service Principal Support: Credentials can now be generated * **Azure Existing Service Principal Support**: Credentials can now be generated
against an existing service principal. against an existing service principal
IMPROVEMENTS: IMPROVEMENTS:
@ -254,13 +212,13 @@ CHANGES:
FEATURES: FEATURES:
* AWS Secret Engine Root Credential Rotation: The credential used by the AWS * **AWS Secret Engine Root Credential Rotation**: The credential used by the AWS
secret engine can now be rotated, to ensure that only Vault knows the secret engine can now be rotated, to ensure that only Vault knows the
credentials it is using. [GH-5140] credentials it is using [GH-5140]
* Storage Backend Migrator: A new `operator migrate` command allows offline * **Storage Backend Migrator**: A new `operator migrate` command allows offline
migration of data between two storage backends. migration of data between two storage backends
* AliCloud KMS Auto Unseal and Seal Wrap Support (Enterprise): AliCloud KMS can now be used a support seal for * **AliCloud KMS Auto Unseal and Seal Wrap Support (Enterprise)**: AliCloud KMS can now be used a support seal for
Auto Unseal and Seal Wrapping. Auto Unseal and Seal Wrapping
BUG FIXES: BUG FIXES:
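Review bot: The AliCloud item being bolded here still reads "can now be used a support seal for Auto Unseal and Seal Wrapping", with a word missing after "used". Fix the wording in the same edit, for example "can now be used as a supported seal". That item is also left on one long line while the other two FEATURES items wrap at the usual width.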


@ -109,6 +109,12 @@ func (b *kubeAuthBackend) pathLogin() framework.OperationFunc {
Period: role.Period, Period: role.Period,
Alias: &logical.Alias{ Alias: &logical.Alias{
Name: serviceAccount.uid(), Name: serviceAccount.uid(),
Metadata: map[string]string{
"service_account_uid": serviceAccount.uid(),
"service_account_name": serviceAccount.name(),
"service_account_namespace": serviceAccount.namespace(),
"service_account_secret_name": serviceAccount.SecretName,
},
}, },
InternalData: map[string]interface{}{ InternalData: map[string]interface{}{
"role": roleName, "role": roleName,
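Review bot: `"service_account_secret_name": serviceAccount.SecretName` in the new `Metadata` map is written unconditionally, and unlike the other three values it comes from a field rather than an accessor method. The changelog in this same commit advertises projected service account tokens, which are not backed by a secret, so for those logins the key would presumably be stored as an empty string; add it only when `SecretName` is non-empty. It is also worth confirming that the service account name, namespace and secret name are acceptable to expose on the alias, since alias metadata is returned to anyone who can read the entity, and adding a test that asserts the keys set here.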

6
vendor/vendor.json vendored

@ -1437,10 +1437,10 @@
"revisionTime": "2018-10-31T19:59:42Z" "revisionTime": "2018-10-31T19:59:42Z"
}, },
{ {
"checksumSHA1": "8J4z30a2oTqSPQYOaT4j/jiZuNE=", "checksumSHA1": "Ldg2jQeyPrpAupyQq4lRVN+jfFY=",
"path": "github.com/hashicorp/vault-plugin-auth-kubernetes", "path": "github.com/hashicorp/vault-plugin-auth-kubernetes",
"revision": "5328b889a921243d6e19cda38fb2c31a48cba2b2", "revision": "091d9e5d5fabce920533eff31ad778778992a671",
"revisionTime": "2018-11-01T19:05:09Z" "revisionTime": "2018-11-30T16:25:33Z"
}, },
{ {
"checksumSHA1": "PmhyvCKVlEMEP6JO31ozW+CBIiE=", "checksumSHA1": "PmhyvCKVlEMEP6JO31ozW+CBIiE=",
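Review bot: The `github.com/hashicorp/vault-plugin-auth-kubernetes` entry gets a new `revision` and `checksumSHA1`, which is what brings in the alias metadata change to `pathLogin`, yet none of the changelog hunks in this commit add an `auth/kubernetes` line for it. Add an IMPROVEMENTS entry so operators know that login aliases now carry service account metadata.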