CL and plugin updates

Jeff Mitchell 2018-12-03 11:45:02 -05:00
parent 149e14f8fa
commit 9066bba70a
3 changed files with 73 additions and 109 deletions


@ -1,21 +1,12 @@
## 1.0.0
IMPROVEMENTS:
* ui: Allow editing of KV V2 data when a token doesn't have capabilities to
read secret metadata [GH-5879]
BUG FIXES:
* ui: Update DR Secondary Token generation command [GH-5857]
* ui: Fix pagination bug where controls would be rendered once for each
item when viewing policies [GH-5866]
## 1.0.0-rc1 (Nov 20th, 2018)
CHANGES:
* Tokens are now prefixed by a designation to indicate what type of token they
are. Service tokens start with `s.` and batch tokens start with `b.`.
Existing tokens will still work (they are all of service type and will be
considered as such). Prefixing allows us to be more efficient when consuming
a token, which keeps the critical path of requests faster.
* Paths within `auth/token` that allow specifying a token or accessor in the
URL have been removed. These have been deprecated since March 2016 and
undocumented, but were retained for backwards compatibility. They shouldn't
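
Review bot: The `## 1.0.0` heading at the top of this hunk has no release date, while the other version headings on the page carry one (`## 1.0.0-rc1 (Nov 20th, 2018)`, `## 0.11.4 (October 23rd, 2018)`). Add the date in the same form, and spell the month out as the other headings do rather than abbreviating it to `Nov`.
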
@ -28,35 +19,6 @@ CHANGES:
options map itself cannot be unset once it's set, but the keypairs within the
map can be unset if an empty value is provided, with the exception of the
`version` keypair which is handled differently for KVv2 purposes.
IMPROVEMENTS:
* agent: Support for configuring the location of the kubernetes service account
[GH-5725]
* ui: Empty states have updated styling and link to relevant actions and
documentation [GH-5758]
BUG FIXES:
* identity: Update group memberships when entity is deleted [GH-5786]
* storage/gcs: Send md5 of values to GCS to avoid potential corruption
[GH-5804]
* ui: Fix the PKI context menu so that items load [GH-5824]
* ui: Fix dr secondary operation token generation via the ui [GH-5818]
* ui: Allow for secret creation in kv v2 when cas_required=true [GH-5823]
* agent: Fix auth when multiple redirects [GH-5814]
* secrets/kv: Fix issue where storage version would get incorrectly downgraded
[GH-5809]
* performance standby: Fix audit table upgrade on standbys [GH-5811]
* performance standby: Fix redirect on approle update [GH-5820]
* cli: Restore the `-policy-override` flag [GH-5826]
* core: Fix rekey progress reset which did not happen under certain
circumstances. [GH-5743]
## 1.0.0-beta2 (November 13th, 2018)
CHANGES:
* Agent no longer automatically reauthenticates when new credentials are
detected. It's not strictly necessary and in some cases was causing
reauthentication much more often than intended.
@ -76,25 +38,32 @@ CHANGES:
writing custom clients using the Go API library. As before, this can be
changed to any custom HTTP client by the caller.
CHANGES FROM BETA 1:
(Note: these items will be removed from the final 1.0 changelog as they are
only breaking changes from beta1)
* Token Store Roles and Batch Tokens: Roles now default to `default-service`
token type, issuing service tokens by default but allowing overriding by the
client. They now also support `default-batch` in addition to `service` and
`batch`.
FEATURES:
* AppRole support in Vault Agent Auto-Auth: You can now use AppRole
credentials when having Agent automatically authenticate to Vault.
* OpenAPI descriptions of mounted backends can be served directly from Vault.
* Support for Kubernetes Projected Service Account Tokens in Kubernetes auth
* Added ability to wrap secrets and easily copy the wrap token or secret JSON in the UI.
* **Auto-Unseal in Open Source**: Cloud-based auto-unseal has been migrated
from Enterprise to Open Source. We've created a migrator to allow migrating
between Shamir seals and auto unseal methods.
* Batch Tokens: Batch tokens trade off some features of service tokens for no
storage overhead, and in most cases can be used across performance
replication clusters.
* Replication Speed Improvements: We've worked hard to speed up a lot of
operations when using Vault Enterprise Replication.
* **GCP KMS Secrets Engine**: This new secrets engine provides a Transit-like
pattern to keys stored within GCP Cloud KMS.
* **AppRole support in Vault Agent Auto-Auth**: You can now use AppRole
credentials when having Agent automatically authenticate to Vault
* **OpenAPI Support**: Descriptions of mounted backends can be served directly
from Vault
* **Kubernetes Projected Service Account Tokens**: Projected Service Account
Tokens are now supported in Kubernetes auth
* **Response Wrapping in UI**: Added ability to wrap secrets and easily copy
the wrap token or secret JSON in the UI
IMPROVEMENTS:
* agent: Support for configuring the location of the kubernetes service account
[GH-5725]
* auth/token: New tokens are indexed in storage HMAC-SHA256 instead of SHA1
* secret/totp: Allow @ character to be part of key name [GH-5652]
* secret/consul: Add support for new policy based tokens added in Consul 1.4
[GH-5586]
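
Review bot: In the FEATURES list the `Batch Tokens:` and `Replication Speed Improvements:` entries are not bolded, while the entries around them are (`**Auto-Unseal in Open Source**`, `**GCP KMS Secrets Engine**`, `**AppRole support in Vault Agent Auto-Auth**`); bold those two as well so the list is consistent. The `CHANGES FROM BETA 1:` block says its items "will be removed from the final 1.0 changelog", so check that it does not survive into the 1.0.0 section.
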
@ -104,16 +73,37 @@ IMPROVEMENTS:
* ui: Improved banner and popup design [GH-5672]
* ui: Added token type to auth method mount config [GH-5723]
* ui: Display additonal wrap info when unwrapping. [GH-5664]
* ui: Empty states have updated styling and link to relevant actions and
documentation [GH-5758]
* ui: Allow editing of KV V2 data when a token doesn't have capabilities to
read secret metadata [GH-5879]
BUG FIXES:
* agent: Fix auth when multiple redirects [GH-5814]
* cli: Restore the `-policy-override` flag [GH-5826]
* core: Fix rekey progress reset which did not happen under certain
circumstances. [GH-5743]
* core: Migration from autounseal to shamir will clean up old keys [GH-5671]
* identity: Update group memberships when entity is deleted [GH-5786]
* replication/perfstandby: Fix audit table upgrade on standbys [GH-5811]
* replication/perfstandby: Fix redirect on approle update [GH-5820]
* secrets/azure: Fix valid roles being rejected for duplicate ids despite
having distinct scopes
[[GH-16]](https://github.com/hashicorp/vault-plugin-secrets-azure/pull/16)
* storage/gcs: Send md5 of values to GCS to avoid potential corruption
[GH-5804]
* secrets/kv: Fix issue where storage version would get incorrectly downgraded
[GH-5809]
* secrets/kv: Disallow empty paths on a `kv put` while accepting empty paths
for all other operations for backwards compatibility
[[GH-19]](https://github.com/hashicorp/vault-plugin-secrets-kv/pull/19)
* ui: Allow for secret creation in kv v2 when cas_required=true [GH-5823]
* ui: Fix dr secondary operation token generation via the ui [GH-5818]
* ui: Fix the PKI context menu so that items load [GH-5824]
* ui: Update DR Secondary Token generation command [GH-5857]
* ui: Fix pagination bug where controls would be rendered once for each
item when viewing policies [GH-5866]
* ui: Fix bug where `sys/leases/revoke` required 'sudo' capability to show
the revoke button in the UI [GH-5647]
* ui: Fix issue where certain pages wouldn't render in a namespace [GH-5692]
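
Review bot: The IMPROVEMENTS entry `ui: Display additonal wrap info when unwrapping. [GH-5664]` has a typo ("additonal" should be "additional"); fix it while this section is being reorganised. In the BUG FIXES list the entries are otherwise grouped alphabetically by component, but `storage/gcs` sits between `secrets/azure` and the two `secrets/kv` entries; move it after `secrets/kv`.
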
@ -122,51 +112,19 @@ BUG FIXES:
BUG FIXES:
* agent: Fix issue when specifying two file sinks [GH-5610]
* auth/userpass: Fix minor timing issue that could leak the presence of a
username [GH-5614]
* autounseal/alicloud: Fix issue interacting with the API (Enterprise)
* autounseal/azure: Fix key version tracking (Enterprise)
* cli: Fix panic that could occur if parameters were not provided [GH-5603]
* core: Fix buggy behavior if trying to remount into a namespace
* identity: Fix duplication of entity alias entity during alias transfer
between entities [GH-5733]
* namespaces: Fix tuning of auth mounts in a namespace
* ui: Fix bug where editing secrets as JSON doesn't save properly [GH-5660]
* ui: Fix issue where IE 11 didn't render the UI and also had a broken form
when trying to use tool/hash [GH-5714]
* agent: Fix issue when specifying two file sinks [GH-5610]
* autounseal/alicloud: Fix issue interacting with the API (Enterprise)
* autounseal/azure: Fix key version tracking (Enterprise)
* namespaces: Fix tuning of auth mounts in a namespace
## 1.0.0-beta1 (October 23rd, 2018)
NOTE:
A few items didn't make it into beta1; this entry will be updated for beta2
and the final release.
CHANGES:
* core: Tokens are now prefixed by a designation to indicate what type of
token they are. Service tokens start with `s.` and batch tokens start with
`b.`. Existing tokens will still work (they are all of service type and will
be considered as such). Prefixing allows us to be more efficient when
consuming a token, which keeps the critical path of requests faster.
FEATURES:
* **Auto-Unseal in Open Source**: Cloud-based auto-unseal is migrating from
Enterprise to Open Source. We've created a migrator to allow migrating
between Shamir seals and auto unseal methods.
* Batch Tokens: Batch tokens trade off some features of service tokens for no
storage overhead, and in most cases can be used across performance
replication clusters.
* Replication Speed Improvements: We've worked hard to speed up a lot of
operations when using Vault Enterprise Replication.
* **GCP KMS Secrets Engine**: This new secrets engine provides a Transit-like
pattern to keys stored within GCP Cloud KMS.
IMPROVEMENTS:
* auth/token: New tokens are indexed in storage HMAC-SHA256 instead of SHA1
## 0.11.4 (October 23rd, 2018)
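
Review bot: The entry `identity: Fix duplication of entity alias entity during alias transfer between entities [GH-5733]` reads as if a word was repeated ("entity alias entity"). Reword it so it is clear what was duplicated, since this commit is already reordering the list.
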
@ -178,12 +136,12 @@ CHANGES:
FEATURES:
* Transit Key Trimming: Keys in transit secret engine can now be trimmed to
remove older unused key versions.
* Web UI support for KV Version 2. Browse, delete, undelete and destroy
individual secret versions in the UI.
* Azure Existing Service Principal Support: Credentials can now be generated
against an existing service principal.
* **Transit Key Trimming**: Keys in transit secret engine can now be trimmed to
remove older unused key versions
* **Web UI support for KV Version 2**: Browse, delete, undelete and destroy
individual secret versions in the UI
* **Azure Existing Service Principal Support**: Credentials can now be generated
against an existing service principal
IMPROVEMENTS:
@ -254,13 +212,13 @@ CHANGES:
FEATURES:
* AWS Secret Engine Root Credential Rotation: The credential used by the AWS
* **AWS Secret Engine Root Credential Rotation**: The credential used by the AWS
secret engine can now be rotated, to ensure that only Vault knows the
credentials it is using. [GH-5140]
* Storage Backend Migrator: A new `operator migrate` command allows offline
migration of data between two storage backends.
* AliCloud KMS Auto Unseal and Seal Wrap Support (Enterprise): AliCloud KMS can now be used a support seal for
Auto Unseal and Seal Wrapping.
credentials it is using [GH-5140]
* **Storage Backend Migrator**: A new `operator migrate` command allows offline
migration of data between two storage backends
* **AliCloud KMS Auto Unseal and Seal Wrap Support (Enterprise)**: AliCloud KMS can now be used a support seal for
Auto Unseal and Seal Wrapping
BUG FIXES:
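
Review bot: The AliCloud KMS entry keeps the broken phrase "can now be used a support seal for" in its bolded form as well as in the plain one. Correct the wording (for example "can now be used as a supported seal for") and wrap the line at the same width as the neighbouring entries.
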


@ -109,6 +109,12 @@ func (b *kubeAuthBackend) pathLogin() framework.OperationFunc {
Period: role.Period,
Alias: &logical.Alias{
Name: serviceAccount.uid(),
Metadata: map[string]string{
"service_account_uid": serviceAccount.uid(),
"service_account_name": serviceAccount.name(),
"service_account_namespace": serviceAccount.namespace(),
"service_account_secret_name": serviceAccount.SecretName,
},
},
InternalData: map[string]interface{}{
"role": roleName,
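
Review bot: `"service_account_secret_name": serviceAccount.SecretName` is written into the alias `Metadata` map unconditionally, and unlike the other three values it comes from a field rather than an accessor method. This commit's changelog also announces support for projected service account tokens; if such a token carries no secret name, the alias ends up with an empty-string value, so consider adding the key only when `SecretName` is non-empty. The alias metadata itself has no CHANGELOG entry in this commit, and no test for the new keys is visible here.
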

6
vendor/vendor.json vendored

@ -1437,10 +1437,10 @@
"revisionTime": "2018-10-31T19:59:42Z"
},
{
"checksumSHA1": "8J4z30a2oTqSPQYOaT4j/jiZuNE=",
"checksumSHA1": "Ldg2jQeyPrpAupyQq4lRVN+jfFY=",
"path": "github.com/hashicorp/vault-plugin-auth-kubernetes",
"revision": "5328b889a921243d6e19cda38fb2c31a48cba2b2",
"revisionTime": "2018-11-01T19:05:09Z"
"revision": "091d9e5d5fabce920533eff31ad778778992a671",
"revisionTime": "2018-11-30T16:25:33Z"
},
{
"checksumSHA1": "PmhyvCKVlEMEP6JO31ozW+CBIiE=",
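
Review bot: The only vendored revision that changes in this hunk is `github.com/hashicorp/vault-plugin-auth-kubernetes`, yet the CHANGELOG in the same commit adds fixes attributed to `vault-plugin-secrets-azure` (pull 16) and `vault-plugin-secrets-kv` (pull 19). Confirm that the revisions already pinned in `vendor.json` for those two plugins include the referenced pulls, or bump them here, so the changelog does not advertise fixes the vendored code lacks. It is also worth verifying the new `checksumSHA1` against a fresh fetch of revision `091d9e5d5fabce920533eff31ad778778992a671`.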