Add various missing PKI related changelog entries (#15500)

* Add various missing PKI related changelog entries

* Fix typo
Steven Clark 2022-05-23 11:53:49 -04:00 committed by GitHub
parent 92dbe3b22a
commit a90b29754e
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 40 additions and 18 deletions


@ -16,15 +16,10 @@ endpoints in favor of [autoloaded licenses](https://www.vaultproject.io/docs/ent
FEATURES:
* **Allows Multiple Issuer Certificates to enable Non-Disruptive
Intermediate/Root Certificate Rotation**: This introduces /keys and /issuers
endpoints to allow import, generation and configuration of any number of keys
or issuers that can be used to issue and revoke certificates. Keys and Issuers
can be referred to by (a) a unique UUID; (b) a name; (c) “default”. If an
issuer existed prior to this feature, that issuer will be tagged by a migration
as “default” to allow backwards compatible calls which dont specify an issuer.
Creation of new roles will assume an issuer of “default” unless otherwise
specified. This default can be configured at /config/issuers and /config/keys. [[GH-15277](https://github.com/hashicorp/vault/pull/15277)]
* **Non-Disruptive Intermediate/Root Certificate Rotation**: This allows
import, generation and configuration of any number of keys and/or issuers
within a PKI mount, providing operators the ability to rotate certificates
in place without affecting existing client configurations. [[GH-15277](https://github.com/hashicorp/vault/pull/15277)]
* api/command: Global -output-policy flag to determine minimum required policy HCL for a given operation [[GH-14899](https://github.com/hashicorp/vault/pull/14899)]
* nomad: Bootstrap Nomad ACL system if no token is provided [[GH-12451](https://github.com/hashicorp/vault/pull/12451)]
* storage/dynamodb: Added `AWS_DYNAMODB_REGION` environment variable. [[GH-15054](https://github.com/hashicorp/vault/pull/15054)]
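Review bot: the rewritten feature entry drops the one sentence an upgrading operator needs, namely that an issuer existing before this feature is migrated as "default" and that calls and new roles that do not name an issuer keep using it (the removed lines starting "If an issuer existed prior to this feature" and "Creation of new roles will assume"). Without it a reader cannot tell from the changelog whether existing `pki/issue/:role` callers keep working unchanged. Keep it as a second sentence of the new entry, for example: "An issuer that existed before the upgrade is migrated as the "default" issuer, so existing callers that do not specify an issuer are unaffected." The shortened text also no longer names the /keys and /issuers endpoints, which is the detail that makes the entry actionable.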

changelog/14975.txt Normal file

@ -0,0 +1,5 @@
```release-note:change
secrets/pki: existing Generate Root (pki/root/generate/:type),
Set Signed Intermediate (/pki/intermediate/set-signed) APIs will
add new issuers/keys to a mount instead of warning that an existing CA exists
```
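Review bot: the entry should say what happens to the mount's "default" issuer when a second root is generated or a second signed intermediate is set on a mount that already has one, because the warning this replaces was the only thing stopping an operator from creating a second CA by accident; a clause such as "the existing default issuer is left unchanged and the new issuer must be selected explicitly" (or the opposite, if that is the behaviour) would let readers judge the change. The two paths are also written inconsistently, `pki/root/generate/:type` without a leading slash and `/pki/intermediate/set-signed` with one; pick one form.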

changelog/15004.txt Normal file

@ -0,0 +1,4 @@
```release-note:change
secrets/pki: existing Delete Root API (pki/root) will now delete all issuers
and keys within the mount path.
```
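Review bot: a single delete on `pki/root` removing every issuer and key in the mount rather than one CA is a far more destructive operation than before, and the entry should say so plainly and tell operators where to go to remove a single issuer or key instead (if the per-issuer `/pki/issuer/:issuer_ref` paths introduced with the multi-issuer feature support delete, point there). A one-line warning such as "this is destructive; to remove a single issuer use the issuer-specific endpoints" is enough. The path is also written `pki/root` here but with a leading slash in the neighbouring entries.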

changelog/15100.txt Normal file

@ -0,0 +1,4 @@
```release-note:change
secrets/pki: Existing CRL API (/pki/crl) now returns an X.509 v2 CRL instead
of a v1 CRL.
```
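Review bot: "v2 instead of v1" does not tell a reader what changes on the wire. Per RFC 5280 a v1 CRL cannot carry extensions, so the reason to emit v2 is that extensions are now present; name the ones now emitted (at minimum the Authority Key Identifier and CRL Number that v1 could not express) and note that any consumer which rejected CRLs with extensions, or which pinned on the v1 layout, will see a different structure from this release on.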

changelog/15152.txt Normal file

@ -0,0 +1,4 @@
```release-note:improvement
secrets/pki: Allow operators to control the issuing certificate behavior when
the requested TTL is beyond the NotAfter value of the signing certificate
```
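Review bot: the entry names neither the setting nor its default, so a reader cannot tell whether issuance now errors, silently truncates the leaf's NotAfter to the issuer's, or allows a leaf that outlives its issuer. Add the parameter name and default, e.g. "configurable via <parameter> on the issuer; the default is <behaviour>" (placeholders to be filled in with the real name and default). This matters because a leaf whose NotAfter is past the signer's fails path validation in most clients, and operators need to know which behaviour they get without opting in.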

changelog/15155.txt Normal file

@ -0,0 +1,5 @@
```release-note:change
secrets/pki: The `ca_chain` response field within issuing (/pki/issue/:role)
and signing APIs will now include the root CA certificate if the mount is
aware of it.
```
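Review bot: including the root in `ca_chain` is a change clients can observe and the entry should say so: anything that concatenates `ca_chain` into a TLS server's chain file will now send the root to every peer, and code that assumed the last element of `ca_chain` was the top-most intermediate will now pick up the root instead. Also spell out what "if the mount is aware of it" means (a root generated in or imported into the same mount versus an external root), so readers can tell whether their mount is affected.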

changelog/15179.txt Normal file

@ -0,0 +1,4 @@
```release-note:bug
secrets/pki: CRLs on performance secondary clusters are now automatically
rebuilt upon changes to the list of issuers.
```
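Review bot: performance secondaries are a Vault Enterprise replication feature, so this entry should flag that it only applies there, e.g. by prefixing "(Enterprise)". It would also help to state the prior behaviour the fix corrects (from the text, a secondary could serve a stale CRL after the issuer list changed until something else triggered a rebuild), since that is what a reader checking whether they were affected needs to know.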

changelog/15211.txt Normal file

@ -0,0 +1,6 @@
```release-note:change
secrets/pki: A new aliased api path (/pki/issuer/:issuer_ref/sign-self-issued)
providing the same functionality as the existing API(/pki/root/sign-self-issued)
does not require sudo capabilities but the latter still requires it in an
effort to maintain backwards compatibility.
```
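Review bot: the security-relevant consequence is buried. Adding a non-sudo alias for an operation that was sudo-gated means any policy granting `update` on `pki/issuer/*` (or a broader `pki/*` glob) now lets its holder sign a self-issued certificate without sudo; say that explicitly and advise operators with broad PKI grants to review their policies. The sentence also needs a break and a space before the parenthesis: "A new aliased API path (/pki/issuer/:issuer_ref/sign-self-issued) provides the same functionality as the existing /pki/root/sign-self-issued API but does not require sudo capabilities; the latter still requires sudo for backwards compatibility."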


@ -1,11 +1,6 @@
```release-note:feature
**Allows Multiple Issuer Certificates to enable Non-Disruptive
Intermediate/Root Certificate Rotation**: This introduces /keys and /issuers
endpoints to allow import, generation and configuration of any number of keys
or issuers that can be used to issue and revoke certificates. Keys and Issuers
can be referred to by (a) a unique UUID; (b) a name; (c) “default”. If an
issuer existed prior to this feature, that issuer will be tagged by a migration
as “default” to allow backwards compatible calls which dont specify an issuer.
Creation of new roles will assume an issuer of “default” unless otherwise
specified. This default can be configured at /config/issuers and /config/keys.
**Non-Disruptive Intermediate/Root Certificate Rotation**: This allows
import, generation and configuration of any number of keys and/or issuers
within a PKI mount, providing operators the ability to rotate certificates
in place without affecting existing client configurations.
```
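Review bot: the new text never mentions `/keys`, `/issuers`, `/config/issuers` or `/config/keys`, so a reader of this note learns that in-place rotation is possible but not through which API, and the sentence explaining that a pre-existing issuer is migrated as "default" (the reason existing callers keep working) is gone with it. Since this changelog/ file is the source the release notes are built from, keep at least one sentence naming the endpoints and the default-issuer migration in the new entry; the old text's "dont" would read "don't" if that sentence is retained.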