luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/changelog
History
Alexander Scheel 4f6c6ac317
Allow Multiple Issuers in PKI Secret Engine Mounts - PKI Pod (#15277) 
* Starter PKI CA Storage API (#14796)

* Simple starting PKI storage api for CA rotation
* Add key and issuer storage apis
* Add listKeys and listIssuers storage implementations
* Add simple keys and issuers configuration storage api methods

* Handle resolving key, issuer references

The API context will usually have a user-specified reference to the key.
This is either the literal string "default" to select the default key,
an identifier of the key, or a slug name for the key. Here, we wish to
resolve this reference to an actual identifier that can be understood by
storage.

Also adds the missing Name field to keys.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add method to fetch an issuer's cert bundle

This adds a method to construct a certutil.CertBundle from the specified
issuer identifier, optionally loading its corresponding key for signing.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor certutil PrivateKey PEM handling

This refactors the parsing of PrivateKeys from PEM blobs into shared
methods (ParsePEMKey, ParseDERKey) that can be reused by the existing
Bundle parsing logic (ParsePEMBundle) or independently in the new
issuers/key-based PKI storage code.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add importKey, importCert to PKI storage

importKey is generally preferable to the low-level writeKey for adding
new entries. This takes only the contents of the private key (as a
string -- so a PEM bundle or a managed key handle) and checks if it
already exists in the storage.

If it does, it returns the existing key instance.

Otherwise, we create a new one. In the process, we detect any issuers
using this key and link them back to the new key entry.

The same holds for importCert over importKey, with the note that keys
are not modified when importing certificates.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for importing issuers, keys

This adds tests for importing keys and issuers into the new storage
layout, ensuring that identifiers are correctly inferred and linked.

Note that directly writing entries to storage (writeKey/writeissuer)
will take KeyID links from the parent entry and should not be used for
import; only existing entries should be updated with this info.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Implement PKI storage migration.

 - Hook into the backend::initialize function, calling the migration on a primary only.
 - Migrate an existing certificate bundle to the new issuers and key layout

* Make fetchCAInfo aware of new storage layout

This allows fetchCAInfo to fetch a specified issuer, via a reference
parameter provided by the user. We pass that into the storage layer and
have it return a cert bundle for us. Finally, we need to validate that
it truly has the key desired.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Begin /issuers API endpoints

This implements the fetch operations around issuers in the PKI Secrets
Engine. We implement the following operations:

 - LIST /issuers - returns a list of known issuers' IDs and names.
 - GET /issuer/:ref - returns a JSON blob with information about this
   issuer.
 - POST /issuer/:ref - allows configuring information about issuers,
   presently just its name.
 - DELETE /issuer/:ref - allows deleting the specified issuer.
 - GET /issuer/:ref/{der,pem} - returns a raw API response with just
   the DER (or PEM) of the issuer's certificate.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add import to PKI Issuers API

This adds the two core import code paths to the API:
/issuers/import/cert and /issuers/import/bundle. The former differs from
the latter in that the latter allows the import of keys. This allows
operators to restrict importing of keys to privileged roles, while
allowing more operators permission to import additional certificates
(not used for signing, but instead for path/chain building).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add /issuer/:ref/sign-intermediate endpoint

This endpoint allows existing issuers to be used to sign intermediate
CA certificates. In the process, we've updated the existing
/root/sign-intermediate endpoint to be equivalent to a call to
/issuer/default/sign-intermediate.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add /issuer/:ref/sign-self-issued endpoint

This endpoint allows existing issuers to be used to sign self-signed
certificates. In the process, we've updated the existing
/root/sign-self-issued endpoint to be equivalent to a call to
/issuer/default/sign-self-issued.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add /issuer/:ref/sign-verbatim endpoint

This endpoint allows existing issuers to be used to directly sign CSRs.
In the process, we've updated the existing /sign-verbatim endpoint to be
equivalent to a call to /issuer/:ref/sign-verbatim.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow configuration of default issuers

Using the new updateDefaultIssuerId(...) from the storage migration PR
allows for easy implementation of configuring the default issuer. We
restrict callers from setting blank defaults and setting default to
default.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix fetching default issuers

After setting a default issuer, one should be able to use the old /ca,
/ca_chain, and /cert/{ca,ca_chain} endpoints to fetch the default issuer
(and its chain). Update the fetchCertBySerial helper to no longer
support fetching the ca and prefer fetchCAInfo for that instead (as
we've already updated that to support fetching the new issuer location).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add /issuer/:ref/{sign,issue}/:role

This updates the /sign and /issue endpoints, allowing them to take the
default issuer (if none is provided by a role) and adding
issuer-specific versions of them.

Note that at this point in time, the behavior isn't yet ideal (as
/sign/:role allows adding the ref=... parameter to override the default
issuer); a later change adding role-based issuer specification will fix
this incorrect behavior.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add support root issuer generation

* Add support for issuer generate intermediate end-point

* Update issuer and key arguments to consistent values

 - Update all new API endpoints to use the new agreed upon argument names.
   - issuer_ref & key_ref to refer to existing
   - issuer_name & key_name for new definitions
 - Update returned values to always user issuer_id and key_id

* Add utility methods to fetch common ref and name arguments

 - Add utility methods to fetch the issuer_name, issuer_ref, key_name and key_ref arguments from data fields.
 - Centralize the logic to clean up these inputs and apply various validations to all of them.

* Rename common PKI backend handlers

 - Use the buildPath convention for the function name instead of common...

* Move setting PKI defaults from writeCaBundle to proper import{keys,issuer} methods

 - PR feedback, move setting up the default configuration references within
   the import methods instead of within the writeCaBundle method. This should
   now cover all use cases of us setting up the defaults properly.

* Introduce constants for issuer_ref, rename isKeyDefaultSet...

* Fix legacy PKI sign-verbatim api path

 - Addresses some test failures due to an incorrect refactoring of a legacy api
   path /sign-verbatim within PKI

* Use import code to handle intermediate, config/ca

The existing bundle import code will satisfy the intermediate import;
use it instead of the old ca_bundle import logic. Additionally, update
/config/ca to use the new import code as well.

While testing, a panic was discovered:

> reflect.Value.SetMapIndex: value of type string is not assignable to type pki.keyId

This was caused by returning a map with type issuerId->keyId; instead
switch to returning string->string maps so the audit log can properly
HMAC them.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify error message on missing defaults

When the default issuer and key are missing (and haven't yet been
specified), we should clarify that error message.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update test semantics for new changes

This makes two minor changes to the existing test suite:

 1. Importing partial bundles should now succeed, where they'd
    previously error.
 2. fetchCertBySerial no longer handles CA certificates.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add support for deleting all keys, issuers

The old DELETE /root code must now delete all keys and issuers for
backwards compatibility. We strongly suggest calling individual delete
methods (DELETE /key/:key_ref or DELETE /issuer/:issuer_ref) instead,
for finer control.

In the process, we detect whether the deleted key/issuers was set as the
default. This will allow us to warn (from the single key/deletion issuer
code) whether or not the default was deleted (while allowing the
operation to succeed).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Introduce defaultRef constant within PKI

 - Replace hardcoded "default" references with a constant to easily identify various usages.
 - Use the addIssuerRefField function instead of redefining the field in various locations.

* Rework PKI test TestBackend_Root_Idempotency

 - Validate that generate/root calls are no longer idempotent, but the bundle importing
   does not generate new keys/issuers
 - As before make sure that the delete root api resets everything
 - Address a bug within the storage that we bombed when we had multiple different
   key types within storage.

* Assign Name=current to migrated key and issuer

 - Detail I missed from the RFC was to assign the Name field as "current" for migrated key and issuer.

* Build CRL upon PKI intermediary set-signed api called

 - Add a call to buildCRL if we created an issuer within pathImportIssuers
 - Augment existing FullCAChain to verify we have a proper CRL post set-signed api call
 - Remove a code block writing out "ca" storage entry that is no longer used.

* Identify which certificate or key failed

When importing complex chains, we should identify in which certificate
or key the failure occurred.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* PKI migration writes out empty migration log entry

 - Since the elements of the struct were not exported we serialized an empty
   migration log to disk and would re-run the migration

* Add chain-building logic to PKI issuers path

With the one-entry-per-issuer approach, CA Chains become implicitly
constructed from the pool of issuers. This roughly matches the existing
expectations from /config/ca (wherein a chain could be provided) and
/intemediate/set-signed (where a chain may be provided). However, in
both of those cases, we simply accepted a chain. Here, we need to be
able to reconstruct the chain from parts on disk.

However, with potential rotation of roots, we need to be aware of
disparate chains. Simply concating together all issuers isn't
sufficient. Thus we need to be able to parse a certificate's Issuer and
Subject field and reconstruct valid (and potentially parallel)
parent<->child mappings.

This attempts to handle roots, intermediates, cross-signed
intermediates, cross-signed roots, and rotated keys (wherein one might
not have a valid signature due to changed key material with the same
subject).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Return CA Chain when fetching issuers

This returns the CA Chain attribute of an issuer, showing its computed
chain based on other issuers in the database, when fetching a specific
issuer.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add testing for chain building

Using the issuance infrastructure, we generate new certificates (either
roots or intermediates), positing that this is roughly equivalent to
importing an external bundle (minus error handling during partial
imports). This allows us to incrementally construct complex chains,
creating reissuance cliques and cross-signing cycles.

By using ECDSA certificates, we avoid high signature verification and
key generation times.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow manual construction of issuer chain

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix handling of duplicate names

With the new issuer field (manual_chain), we can no longer err when a
name already exists: we might be updating the existing issuer (with the
same name), but changing its manual_chain field. Detect this error and
correctly handle it.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for manual chain building

We break the clique, instead building these chains manually, ensuring
that the remaining chains do not change and only the modified certs
change. We then reset them (back to implicit chain building) and ensure
we get the same results as earlier.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add stricter verification of issuers PEM format

This ensures each issuer is only a single certificate entry (as
validated by count and parsing) without any trailing data.

We further ensure that each certificate PEM has leading and trailing
spaces removed with only a single trailing new line remaining.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix full chain building

Don't set the legacy IssuingCA field on the certificate bundle, as we
prefer the CAChain field over it.

Additionally, building the full chain could result in duplicate
certificates when the CAChain included the leaf certificate itself. When
building the full chain, ensure we don't include the bundle's
certificate twice.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add stricter tests for full chain construction

We wish to ensure that each desired certificate in the chain is only
present once.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Rename PKI types to avoid constant variable name collisions

 keyId -> keyID
 issuerId -> issuerID
 key -> keyEntry
 issuer -> issuerEntry
 keyConfig -> keyConfigEntry
 issuerConfig -> issuerConfigEntry

* Update CRL handling for multiple issuers

When building CRLs, we've gotta make sure certs issued by that issuer
land up on that issuer's CRL and not some other CRL. If no CRL is
found (matching a cert), we'll place it on the default CRL.
However, in the event of equivalent issuers (those with the same subject
AND the same key  material) -- perhaps due to reissuance -- we'll only
create a single (unified) CRL for them.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow fetching updated CRL locations

This updates fetchCertBySerial to support querying the default issuer's
CRL.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remove legacy CRL storage location test case

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update to CRLv2 Format to copy RawIssuer

When using the older Certificate.CreateCRL(...) call, Go's x509 library
copies the parsed pkix.Name version of the CRL Issuer's Subject field.
For certain constructed CAs, this fails since pkix.Name is not suitable
for round-tripping. This also builds a CRLv1 (per RFC 5280) CRL.

In updating to the newer x509.CreateRevocationList(...) call, we can
construct the CRL in the CRLv2 format and correctly copy the issuer's
name. However, this requires holding an additional field per-CRL, the
CRLNumber field, which is required in Go's implementation of CRLv2
(though OPTIONAL in the spec). We store this on the new
LocalCRLConfigEntry object, per-CRL.

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add comment regarding CRL non-assignment in GOTO

In previous versions of Vault, it was possible to sign an empty CRL
(when the CRL was disabled and a force-rebuild was requested). Add a
comment about this case.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow fetching the specified issuer's CRL

We add a new API endpoint to fetch the specified issuer's CRL directly
(rather than the default issuer's CRL at /crl and /certs/crl). We also
add a new test to validate the CRL in a multi-root scenario and ensure
it is signed with the correct keys.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add new PKI key prefix to seal wrapped storage (#15126)

* Refactor common backend initialization within backend_test

 - Leverage an existing helper method within the PKI backend tests to setup a PKI backend with storage.

* Add ability to read legacy cert bundle if the migration has not occurred on secondaries.

 - Track the migration state forbidding an issuer/key writing api call if we have not migrated
 - For operations that just need to read the CA bundle, use the same tracking variable to
   switch between reading the legacy bundle or use the new key/issuer storage.
 - Add an invalidation function that will listen for updates to our log path to refresh the state
   on secondary clusters.

* Always write migration entry to trigger secondary clusters to wake up

 - Some PR feedback and handle a case in which the primary cluster does
   not have a CA bundle within storage but somehow a secondary does.

* Update CA Chain to report entire chain

This merges the ca_chain JSON field (of the /certs/ca_chain path) with
the regular certificate field, returning the root of trust always. This
also affects the non-JSON (raw) endpoints as well.

We return the default issuer's chain here, rather than all known issuers
(as that may not form a strict chain).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow explicit issuer override on roles

When a role is used to generate a certificate (such as with the sign/
and issue/ legacy paths or the legacy sign-verbatim/ paths), we prefer
that issuer to the one on the request. This allows operators to set an
issuer (other than default) for requests to be issued against,
effectively making the change no different from the users' perspective
as it is "just" a different role name.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for role-based issuer selection

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Expand NotAfter limit enforcement behavior

Vault previously strictly enforced NotAfter/ttl values on certificate
requests, erring if the requested TTL extended past the NotAfter date of
the issuer. In the event of issuing an intermediate, this behavior was
ignored, instead permitting the issuance.

Users generally do not think to check their issuer's NotAfter date when
requesting a certificate; thus this behavior was generally surprising.

Per RFC 5280 however, issuers need to maintain status information
throughout the life cycle of the issued cert. If this leaf cert were to
be issued for a longer duration than the parent issuer, the CA must
still maintain revocation information past its expiration.

Thus, we add an option to the issuer to change the desired behavior:

 - err, to err out,
 - permit, to permit the longer NotAfter date, or
 - truncate, to silently truncate the expiration to the issuer's
   NotAfter date.

Since expiration of certificates in the system's trust store are not
generally validated (when validating an arbitrary leaf, e.g., during TLS
validation), permit should generally only be used in that case. However,
browsers usually validate intermediate's validity periods, and thus
truncate should likely be used (as with permit, the leaf's chain will
not validate towards the end of the issuance period).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for expanded issuance behaviors

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add warning on keyless default issuer (#15178)

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update PKI to new Operations framework (#15180)

The backend Framework has updated Callbacks (used extensively in PKI) to
become deprecated; Operations takes their place and clarifies forwarding
of requests.

We switch to the new format everywhere, updating some bad assumptions
about forwarding along the way. Anywhere writes are handled (that should
be propagated to all nodes in all clusters), we choose to forward the
request all the way up to the performance primary cluster's primary
node. This holds for issuers/keys, roles, and configs (such as CRL
config, which is globally set for all clusters despite all clusters
having their own separate CRL).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Kitography/vault 5474 rebase (#15150)

* These parts work (put in signature so that backend wouldn't break, but missing fields, desc, etc.)

* Import and Generate API calls w/ needed additions to SDK.

* make fmt

* Add Help/Sync Text, fix some of internal/exported/kms code.

* Fix PEM/DER Encoding issue.

* make fmt

* Standardize keyIdParam, keyNameParam, keyTypeParam

* Add error response if key to be deleted is in use.

* replaces all instances of "default" in code with defaultRef

* Updates from Callbacks to Operations Function with explicit forwarding.

* Fixes a panic with names not being updated everywhere.

* add a logged error in addition to warning on deleting default key.

* Normalize whitespace upon importing keys.

Authored-by: Alexander Scheel <alexander.m.scheel@gmail.com>

* Fix isKeyInUse functionality.

* Fixes tests associated with newline at end of key pem.

* Add alternative proposal PKI aliased paths (#15211)

* Add aliased path for root/rotate/:exported

This adds a user-friendly path name for generating a rotated root. We
automatically choose the name "next" for the newly generated root at
this path if it doesn't already exist.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add aliased path for intermediate/cross-sign

This allows cross-signatures to work.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add path for replacing the current root

This updates default to point to the value of the issuer with name
"next" rather than its current value.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remove plural issuers/ in signing paths

These paths use a single issuer and thus shouldn't include the plural
issuers/ as a path prefix, instead using the singular issuer/ path
prefix.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Only warn if default issuer was imported

When the default issuer was not (re-)imported, we'd fail to find it,
causing an extraneous warning about missing keys, even though this
issuer indeed had a key.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing issuer sign/issue paths

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clean up various warnings within the PKI package (#15230)

* Rebuild CRLs on secondary performance clusters post migration and on new/updated issuers

 - Hook into the backend invalidation function so that secondaries are notified of
   new/updated issuer or migrations occuring on the primary cluster. Upon notification
   schedule a CRL rebuild to take place upon the next process to read/update the CRL
   or within the periodic function if no request comes in.

* Schedule rebuilding PKI CRLs on active nodes only

 - Address an issue that we were scheduling the rebuilding of a CRL on standby
   nodes, which would not be able to write to storage.
 - Fix an issue with standby nodes not correctly determining that a migration previously
   occurred.

* Return legacy CRL storage path when no migration has occurred.

* Handle issuer, keys locking (#15227)

* Handle locking of issuers during writes

We need a write lock around writes to ensure serialization of
modifications. We use a single lock for both issuer and key
updates, in part because certain operations (like deletion) will
potentially affect both.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing b.useLegacyBundleCaStorage guards

Several locations needed to guard against early usage of the new issuers
endpoint pre-migration.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Address PKI to properly support managed keys (#15256)

* Address codebase for managed key fixes
* Add proper public key comparison for better managed key support to importKeys
* Remove redundant public key fetching within PKI importKeys

* Correctly handle rebuilding remaining chains

When deleting a specific issuer, we might impact the chains. From a
consistency perspective, we need to ensure the remaining chains are
correct and don't refer to the since-deleted issuer, so trigger a full
rebuild here.

We don't need to call this in the delete-the-world (DELETE /root) code
path, as there shouldn't be any remaining issuers or chains to build.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remove legacy CRL bundle on world deletion

When calling DELETE /root, we should remove the legacy CRL bundle, since
we're deleting the legacy CA issuer bundle as well.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remove deleted issuers' CRL entries

Since CRLs are no longer resolvable after deletion (due to missing
issuer ID, which will cause resolution to fail regardless of if an ID or
a name/default reference was used), we should delete these CRLs from
storage to avoid leaking them.

In the event that this issuer comes back (with key material), we can
simply rebuild the CRL at that time (from the remaining revoked storage
entries).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add unauthed JSON fetching of CRLs, Issuers (#15253)

Default to fetching JSON CRL for consistency

This makes the bare issuer-specific CRL fetching endpoint return the
JSON-wrapped CRL by default, moving the DER CRL to a specific endpoint.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Add JSON-specific endpoint for fetching issuers

Unlike the unqualified /issuer/:ref endpoint (which also returns JSON),
we have a separate /issuer/:ref/json endpoint to return _only_ the
PEM-encoded certificate and the chain, mirroring the existing /cert/ca
endpoint but for a specific issuer. This allows us to make the endpoint
unauthenticated, whereas the bare endpoint would remain authenticated
and usually privileged.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Add tests for raw JSON endpoints

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add unauthenticated issuers endpoints to PKI table

This adds the unauthenticated issuers endpoints?

 - LIST /issuers,
 - Fetching _just_ the issuer certificates (in JSON/DER/PEM form), and
 - Fetching the CRL of this issuer (in JSON/DER/PEM form).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add issuer usage restrictions bitset

This allows issuers to have usage restrictions, limiting whether they
can be used to issue certificates or if they can generate CRLs. This
allows certain issuers to not generate a CRL (if the global config is
with the CRL enabled) or allows the issuer to not issue new certificates
(but potentially letting the CRL generation continue).

Setting both fields to false effectively forms a soft delete capability.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* PKI Pod rotation Add Base Changelog (#15283)

* PKI Pod rotation changelog.
* Use feature release-note formatting of changelog.

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Co-authored-by: Kit Haines <kit.haines@hashicorp.com>
Co-authored-by: kitography <khaines@mit.edu>
2022-05-11 12:42:28 -04:00
..
7277.txt Allow globbing dis/allowed_policies_glob in token roles (#7277) 2021-09-21 08:25:06 -07:00
9109.txt Add support for go-sockaddr templated addresses in config. (#9109) 2021-10-21 10:10:48 -04:00
9972.txt add to changelog (#10601) 2020-12-18 10:26:08 -07:00
10072.txt docs change for max request size community PR (#10723) 2021-01-27 10:02:00 -08:00
10077.txt
10085.txt Fix entity group associations (#10085) 2021-10-01 10:22:52 -04:00
10101.txt Dedup from_entity_ids when merging two entities (#10101) 2021-10-12 15:35:19 -04:00
10131.txt changelog: add PR 10131 to the changelog (#10688) 2021-01-12 18:24:04 -08:00
10181.txt Add a Changelog entry for 10181 (#11293) 2021-04-07 11:44:19 -05:00
10231.txt Allow Vault Agent to run as a Windows service (#10231) 2020-11-23 14:24:32 -08:00
10249.txt Add allowed_uri_sans_template (#10249) 2021-12-15 09:18:28 -06:00
10365.txt "vault operator usage" CLI for client count reporting (#10365) 2020-11-23 14:57:35 -06:00
10375.txt changelog with go changelog (#10434) 2020-11-30 09:24:24 -08:00
10384.txt Match influxdb changelog with correct PR (#10535) 2020-12-11 15:50:07 -07:00
10386.txt changelog for vault 849 (#10435) 2020-11-30 10:28:32 -08:00
10416.txt Add changelog for #10416 (#10473) 2020-12-01 16:08:19 +00:00
10417.txt Fix delete role issue on transform (#10417) 2020-11-23 10:38:09 -06:00
10424.txt Fix license caching issue (#10424) 2020-12-02 18:21:14 +01:00
10433.txt MySQL - Fix username generation length bug (#10433) 2020-12-01 15:24:51 -07:00
10444.txt Add AllowedHeader and fix AllowedOrigins in the API (#10482) 2020-12-03 14:31:25 +01:00
10456.txt changelog/10456.txt 2020-12-10 06:55:24 -05:00
10487.txt Only use entropy augmentation for root token creation [VAULT-670] (#10487) 2020-12-04 09:44:04 -08:00
10489.txt core: Record the time a node became active (#10489) 2020-12-11 16:50:19 -08:00
10490.txt Fix UI custom header values (#10511) 2020-12-15 15:58:03 +01:00
10491.txt No 'v' in version HTML anchor (#10491) 2020-12-08 11:21:48 -06:00
10498.txt Be consistent with how we report init status. (#10498) 2020-12-08 13:55:34 -05:00
10505.txt Add helper for encoding/decoding root tokens and OTP generation in SDK module (#10504) (#10505) 2021-12-01 08:05:49 -05:00
10514.txt metrics: activity log (#10514) 2021-01-26 16:37:07 -06:00
10520.txt Send a test message before committing a new audit device. (#10520) 2020-12-16 16:00:32 -06:00
10536.txt rate limit: fix initialize defaults (#10536) 2020-12-14 14:55:52 -05:00
10537.txt Improve consistency in error messages (#10537) 2020-12-11 15:21:53 -06:00
10546.txt Updates the OIDC/JWT auth plugin (#10546) 2020-12-14 10:07:07 -08:00
10556.txt Only set the namespace if the env var isn't present (#1519) (#10556) 2020-12-14 11:40:48 -08:00
10558.txt changelog: add entry for 10558 (#10563) 2020-12-14 12:00:26 -08:00
10579.txt Fix ip disclosure (#10649) 2021-01-05 15:32:47 -06:00
10588.txt UI/managed namespace changes (#10588) 2021-01-07 14:18:36 -06:00
10596.txt Bug: Fix issue with double encoding on space in secret history route (#10596) 2021-01-04 09:32:52 -07:00
10603.txt Add changelog entry for Snowflake DB support being added (#11078) 2021-03-10 16:09:13 -08:00
10609.txt Add log gathering to debug command. (#10609) 2020-12-22 15:15:24 -05:00
10613.txt Feature flags API (#10613) 2021-01-06 16:05:00 -06:00
10650.txt Make the error response to the sys/internal/ui/mounts with no client token consistent (#10650) 2021-01-07 11:46:08 -06:00
10653.txt add variable entropy readers to cert gen helpers [VAULT-1179] (#10653) 2021-01-08 09:48:27 -08:00
10655.txt UI Database Secrets Engine (MongoDB) (#10655) 2021-02-18 10:36:31 -06:00
10677.txt UI: Update dependencies (#10677) 2021-02-01 13:38:03 -06:00
10684.txt UI: Fix shape of response anticipated from feature-flags endpoint (#10684) 2021-01-11 14:44:52 -06:00
10689.txt Update 10689.txt 2021-02-24 13:29:09 -05:00
10705.txt changelog: add entry for PR 10705 (#10785) 2021-01-26 12:54:15 -08:00
10708.txt Protect part of emitMetrics from panic behavior during post-seal (#10708) 2021-01-19 14:06:50 -08:00
10725.txt Implement sys/seal-status and sys/leader in system backend (#10725) 2021-01-20 14:04:24 -06:00
10726.txt Minimal change to ensure that the bulky leaseEntry isn't kept in memory. (#10726) 2021-01-19 17:51:41 -05:00
10730.txt Update to go 1.15.7 (#10730) 2021-01-20 11:02:33 -08:00
10743.txt make token create case insensitive [VAULT-1021] (#10743) 2021-01-27 09:56:54 -08:00
10744.txt Documentation for barrier autorotation (#11027) 2021-03-01 10:45:22 -06:00
10751.txt secrets/consul: Add support to auto-bootstrap Consul ACL system (#10751) 2022-04-20 17:16:15 -05:00
10756.txt Pull in newest consul-template from master and all corresponding dependencies [VAULT-1392] (#10756) 2021-01-29 12:30:16 -08:00
10757.txt Set namespace for template server in agent (#10757) 2021-01-25 17:37:01 -05:00
10758.txt changelog++ (#10775) 2021-01-26 12:45:54 -05:00
10759.txt CHANGELOG update: GCP secrets WAL issue fix (#10776) 2021-01-26 13:50:39 -08:00
10766.txt Add Username Templating Concepts page (#10935) 2021-02-26 16:04:12 -07:00
10767.txt Add Username Templating Concepts page (#10935) 2021-02-26 16:04:12 -07:00
10812.txt Changing from "changelog" to "release-note" (#11303) 2021-04-07 18:21:01 -04:00
10826.txt Changing from "changelog" to "release-note" (#11303) 2021-04-07 18:21:01 -04:00
10833.txt Set TokenParent in the Index to be cached (#10833) 2021-02-03 18:30:41 -08:00
10834.txt Add Username Templating Concepts page (#10935) 2021-02-26 16:04:12 -07:00
10848.txt Updating date-fns library from 1.x to 2.x (#10848) 2021-02-08 13:13:00 -07:00
10850.txt agent: allow auto-auth to use an existing token (#10850) 2021-02-11 09:36:03 -05:00
10855.txt Fill in missing lease ID deterministically. Generate a UUID on creation. (#10855) 2021-02-08 13:46:59 -06:00
10858.txt Add Username Templating Concepts page (#10935) 2021-02-26 16:04:12 -07:00
10877.txt Correct lock acquisition order in the pathEntityMergeID identity to fix deadlock condition (#10877) 2021-02-10 11:05:16 -05:00
10886.txt Let allowed_users template mix templated and non-templated parts (#10886) 2021-10-19 15:00:15 -07:00
10901.txt Use an atomic to avoid a race in runEventDemuxer. (#10901) 2021-02-11 11:50:41 -05:00
10904.txt UI: Upgrade storybook (#10904) 2021-02-11 12:16:00 -07:00
10906.txt Add Username Templating Concepts page (#10935) 2021-02-26 16:04:12 -07:00
10919.txt Updates the JWT/OIDC auth plugin (#10919) 2021-02-16 17:21:35 -08:00
10927.txt agent: persistent caching support (#10938) 2021-03-03 14:01:33 -08:00
10931.txt Bundle new Vault plugin: Terraform secrets (#10931) 2021-02-19 16:38:56 -06:00
10938.txt agent: persistent caching support (#10938) 2021-03-03 14:01:33 -08:00
10942.txt Add TOTP support to Okta Auth (#10942) 2021-02-21 21:18:17 -08:00
10948.txt Adds "raw(/pem)" format to individual cert routes (#10947) (#10948) 2022-02-07 09:47:13 -05:00
10949.txt UI/Database Secrets Engine cleanup (#10949) 2021-02-19 14:04:51 -06:00
10951.txt UI/add usage metrics description (#10951) 2021-02-22 09:35:15 -06:00
10952.txt update docs related to OCI alias changes (#10952) 2021-02-23 10:08:15 -06:00
10953.txt Add changelog entry for #10953 (#11077) 2021-03-10 15:54:15 -08:00
10964.txt Add configurable exponential backoff to Agent auto-auth (#10964) 2021-02-23 12:04:21 -08:00
10980.txt UI: Show error when connection roles fail to update on role create (#10980) 2021-02-23 10:47:02 -06:00
10982.txt UI: Add the wizard to the database secret engine (#10982) 2021-02-23 13:52:39 -07:00
10992.txt Make metrics access unauthenticated when in dev mode. (#10992) 2021-02-24 14:04:23 -05:00
10995.txt Vendor Couchbase DB plugin v0.3.0 (#10995) 2021-02-25 12:59:45 -07:00
10996.txt Vendor OpenLDAP v0.4.0 (#10996) 2021-02-25 13:00:00 -07:00
10997.txt Changing from "changelog" to "release-note" (#11303) 2021-04-07 18:21:01 -04:00
11000.txt Fix missing changelog (#13230) 2021-11-19 12:59:00 -08:00
11011.txt Changing from "changelog" to "release-note" (#11303) 2021-04-07 18:21:01 -04:00
11015.txt Changing from "changelog" to "release-note" (#11303) 2021-04-07 18:21:01 -04:00
11018.txt Changing from "changelog" to "release-note" (#11303) 2021-04-07 18:21:01 -04:00
11022.txt Add Partial Month Client Count API for Activity Log (#11022) 2021-03-01 16:15:59 -07:00
11094.txt Changing from "changelog" to "release-note" (#11303) 2021-04-07 18:21:01 -04:00
11113.txt Changing from "changelog" to "release-note" (#11303) 2021-04-07 18:21:01 -04:00
11119.txt UI: Connection "Add Role" automatically populates database in form (#11119) 2021-03-17 11:32:27 -05:00
11127.txt Changing from "changelog" to "release-note" (#11303) 2021-04-07 18:21:01 -04:00
11129.txt Add command to look up a lease by ID (#11129) 2021-03-18 11:11:09 -05:00
11142.txt Changing from "changelog" to "release-note" (#11303) 2021-04-07 18:21:01 -04:00
11143.txt UI/control groups kv (#11143) 2021-03-22 10:03:47 -06:00
11182.txt UI/namespace bug (#11182) 2021-03-23 14:55:31 -06:00
11208.txt Replace go-bindata-assetfs build dependency with native go:embed (#11208) 2021-08-18 11:05:11 -04:00
11213.txt UI: Fix status menu bug (#11213) 2021-03-26 09:53:33 -06:00
11216.txt certutil: select appropriate hash algorithm for ECDSA signature (#11216) 2021-11-04 16:33:01 -04:00
11218.txt pki: calculate Subject Key Identifier according to RFC 5280 (#11218) 2022-01-28 10:46:51 -05:00
11226.txt Changing from "changelog" to "release-note" (#11303) 2021-04-07 18:21:01 -04:00
11231.txt UI/database mssql (#11231) 2021-04-14 16:07:07 -05:00
11245.txt improvement: add signature_bits field to CA and signers (#11245) 2021-09-10 14:39:05 -07:00
11247.txt Autopilot: Return leader info via delegate (#11247) 2021-04-27 15:54:26 -04:00
11252.txt Add CL for #11252. (#11368) 2021-04-16 09:33:47 -04:00
11256.txt Updated show lease with toggle ttl picker (#11256) 2021-04-02 13:23:56 -07:00
11258.txt UI/fix kvv2 version (#11258) 2021-04-02 15:17:42 -05:00
11259.txt Changing from "changelog" to "release-note" (#11303) 2021-04-07 18:21:01 -04:00
11260.txt Add HA only autopilot to changelog (#11339) 2021-04-12 09:57:45 -04:00
11262.txt Cassandra DB plugin: Allow special chars in usernames (#11262) 2021-04-16 14:01:15 -06:00
11269.txt Switch to shared raft-boltdb library and add metrics (#11269) 2021-04-26 16:01:26 -07:00
11283.txt Bug Fix: OIDC with hcp flag (#11283) 2021-04-07 10:46:06 -06:00
11284.txt UI/obscure secret on input (#11284) 2021-04-22 08:58:37 -06:00
11288.txt Add ServerName to Vault Agent template config (#11288) 2021-05-13 07:18:15 -07:00
11289.txt Add HTTP response headers for hostname and raft node ID (if applicable) (#11289) 2021-04-20 15:25:04 -07:00
11294.txt Bug: DB secret engine not showing "Select one" in role select options (#11294) 2021-04-08 13:46:40 -06:00
11324.txt Add support for unauthenticated pprof access on a per-listener basis,… (#11324) 2021-04-19 14:30:59 -04:00
11345.txt feat(aws): add ability to provide a role session name when generating STS credentials (#11345) 2021-05-17 11:03:09 -07:00
11360.txt Updated search select component styling (#11360) 2021-04-19 15:40:18 -07:00
11364.txt Don't cut off stack traces at 32MB. (#11364) 2021-04-16 15:55:05 -04:00
11365.txt Validate hostnames when using TLS in Cassandra (#11365) 2021-04-16 15:52:35 -06:00
11366.txt Add metrics for requests forwarded by standbys. (#11366) 2021-04-16 14:02:20 -04:00
11367.txt pki: fix tidy removal on revoked entries (#11367) 2021-04-19 09:40:40 -07:00
11371.txt Fix goroutine leak caused by updating rate quotas (#11371) 2021-04-16 14:00:01 -04:00
11377.txt On lease deletion, also delete non-orphan batch token parent index (#11377) 2021-04-16 17:03:22 -04:00
11388.txt Updates the JWT/OIDC auth plugin to v0.9.3 (#11388) 2021-04-19 09:14:17 -07:00
11404.txt Add root rotation statement support to mongoDB (#11404) 2021-04-19 15:40:44 -05:00
11408.txt Make cubbyhole revocation/tidying compatible with cubbys in namespaces. (#11408) 2021-04-19 17:28:04 -04:00
11442.txt UI/okta duo push notification (#11442) 2021-05-06 12:29:39 -06:00
11447.txt UI/update UI deps (#11447) 2021-04-26 11:23:57 -05:00
11451.txt secrets/database: Fixes marshalling bug for json.Number types (#11451) 2021-04-23 14:07:26 -07:00
11453.txt [VAULT-1441] Fix race that allowed remounting on path used by another mount (#11453) 2021-04-24 09:05:41 -07:00
11473.txt Update Agent Auth with GCP to use new SignJWT endpoint (#11473) 2021-04-30 15:45:06 -05:00
11495.txt Add support for templated values in SSH CA DefaultExtensions. (#11495) 2021-05-13 14:37:22 -07:00
11500.txt Updated code mirror component for consistency (#11500) 2021-05-06 09:59:15 -07:00
11502.txt Adding changelog for #11502 (#11944) 2021-06-25 15:41:08 -07:00
11506.txt Use correct mount accessor when refreshing external group memberships (#11506) 2021-05-03 08:23:59 -04:00
11517.txt When running under systemd, send notifications about server startup, shutdown, and config reload (#11517) 2021-05-04 14:47:16 -05:00
11530.txt KV 2 Toolbar delete redesign (#11530) 2021-05-19 10:43:55 -06:00
11532.txt Fixes #11914. (#11915) 2021-06-22 12:39:23 -04:00
11541.txt Fix barrier key autoration config edge cases (#11541) 2021-05-05 14:39:04 -05:00
11562.txt changelog: add changelog for #11562 (#11564) 2021-05-07 11:43:09 -07:00
11576.txt agent/cert: properly return the cached client on AuthClient (#11576) 2021-05-12 14:59:07 -07:00
11585.txt DB engine: Check ErrPluginStaticUnsupported in rollback code (#11601) 2021-05-12 17:09:56 -06:00
11586.txt UI: Regex validation on transform templates (#11586) 2021-05-12 10:12:33 -05:00
11588.txt Add an exponential backoff to TCP listeners to avoid fast loops in error scenarios (#11588) 2021-05-12 10:47:38 -05:00
11596.txt core: updates to password policy generator (#11596) 2021-05-13 09:55:46 -04:00
11597.txt Fix: link on database role item goes to correct URL (#11597) 2021-05-12 14:33:35 -05:00
11600.txt Add ability to customize some timeouts in MongoDB database plugin (#11600) 2021-05-17 11:40:35 -06:00
11607.txt Vault 1979: Query API for Irrevocable Leases (#11607) 2021-06-02 10:11:30 -06:00
11628.txt Fix: Transit encrypt batch does not honor key_version (#11628) 2021-05-27 14:05:20 -05:00
11638.txt AWS Auth: Update error message to include underlying error (#11638) 2021-05-17 13:56:35 -06:00
11641.txt UI/fix identity model (#11641) 2021-05-17 16:41:39 -05:00
11647.txt Tokenutil: Perform num uses check earlier (#11647) 2021-05-19 14:06:08 -04:00
11650.txt Patch expiration fix over from ENT (#11650) 2021-05-18 14:55:38 -07:00
11672.txt UI/tools partial (#11672) 2021-05-24 10:45:35 -06:00
11680.txt Update cluster status partial to component (#11680) 2021-05-27 09:52:51 -07:00
11696.txt changelog: add entry for #11696 (#11715) 2021-05-27 10:57:59 -07:00
11705.txt UI unseal screen updates (#11705) 2021-05-26 13:59:11 -05:00
11708.txt UI: allow reset on database json fields (#11708) 2021-05-27 16:25:58 -05:00
11759.txt UI/license banners (#11759) 2021-06-03 15:30:26 -05:00
11775.txt agent: restart template runner on retry for unlimited retries (#11775) 2021-06-21 16:10:15 -07:00
11778.txt UI/license page with autoload (#11778) 2021-06-07 12:44:39 -05:00
11780.txt Add support for ed25519 (#11780) 2021-10-05 11:28:49 -04:00
11784.txt Updates the JWT/OIDC auth plugin to v0.9.4 (#11784) 2021-06-07 16:02:57 -07:00
11785.txt Implement ember-cp-validations on KV secret engine (#11785) 2021-06-15 09:21:54 -06:00
11795.txt Displays Auth Method description on Vault UI login page (#11795) 2021-06-14 13:03:49 -07:00
11796.txt add changelog to influxdb (#11896) 2021-06-18 14:56:41 -05:00
11802.txt Udate to Go 1.16.5 (#11802) 2021-06-09 10:38:52 -04:00
11820.txt db/cassandra: Adding changelog and documentation (#11822) 2021-06-10 19:06:40 -04:00
11826.txt Omit wrapping tokens and control groups from client counts (#11826) 2021-06-10 15:57:51 -07:00
11836.txt mod: update vault-plugin-secrets-ad@v0.9.1 (#11837) 2021-06-11 13:40:51 -04:00
11838.txt dep: update consul-template to v0.26.0 (#11838) 2021-06-11 10:29:40 -07:00
11861.txt Cassandra: Refactor PEM parsing logic (#11861) 2021-06-21 11:38:08 -06:00
11864.txt Fix for Issue 11863 - Panic when creating/updating approle role with token_type (#11864) 2021-06-24 13:03:41 -04:00
11872.txt Mongo doesnt allow periods in usernames (#11872) 2021-06-24 13:26:31 -04:00
11878.txt UI/cp validations kv duplicate path (#11878) 2021-06-22 10:34:00 -06:00
11884.txt UI/fix safari oidc login (#11884) 2021-06-17 15:56:04 -05:00
11887.txt base32.DecodeString expects length 8 for the buffer (#11887) 2021-07-14 07:38:10 -04:00
11895.txt Add new boltdb options (#11895) 2021-06-21 11:35:40 -07:00
11899.txt RabbitMQ - Add username customization (#11899) 2021-06-22 14:50:46 -05:00
11907.txt raft: Set BatchApplyCh for more consistent batch sizes (#11907) 2021-06-21 12:00:41 -07:00
11934.txt agent/template: add static_secret_render_interval configurable (#11934) 2021-06-24 15:40:31 -04:00
11942.txt secrets/ad: change improvement to feature in changelog (#12095) 2021-07-15 15:55:40 -04:00
11956.txt mongodbatlas: update changelog for username customization (#12098) 2021-07-15 15:44:03 -05:00
11957.txt Update ElasticSearch DB plugin to v0.8.0 (#11957) 2021-06-29 08:07:00 -05:00
11958.txt changelog: update feature formatting for gcp and key management secrets (#12120) 2021-07-19 12:16:27 -07:00
11963.txt Handle form validation for open api form (#11963) 2021-07-13 15:50:27 -07:00
11970.txt [VAULT-708] Zero out request counter on preSeal (#11970) 2021-07-07 14:03:39 -05:00
11975.txt [ldap] auth method fix request_timeout (#11975) 2021-07-01 13:33:01 -05:00
11980.txt Update Go client libraries for etcd (#11980) 2021-09-29 14:28:13 -04:00
11984.txt UI: Show day of month instead of day of year in the expiration warning dialog (#11984) 2021-09-02 18:06:55 -04:00
11992.txt vault delete should allow the same output options as vault write,… (#11992) 2021-07-06 10:36:07 -04:00
11995.txt Truncate Secret Engine Description Text (#11995) 2021-07-08 08:21:10 -07:00
11997.txt Update SnowflakeDB plugin to v0.2.0 (#11997) 2021-07-06 13:23:03 -05:00
12003.txt Adds transform secrets engine to feature (#12003) 2021-07-07 16:14:54 -07:00
12008.txt Docfix: "Fix" is not a valid release-note type (#12676) 2021-09-29 14:54:58 -06:00
12016.txt Redshift - Add username customization (#12016) 2021-07-08 10:29:12 -05:00
12019.txt Change changelog type for openldap bug fix (#12112) 2021-07-16 16:37:21 -04:00
12020.txt [VAULT-1836] Support kv-v1 generic mounts for vault.kv.secret.count metric (#12020) 2021-07-09 11:05:05 -04:00
12023.txt changelog: update feature formatting for gcp and key management secrets (#12120) 2021-07-19 12:16:27 -07:00
12024.txt UI/control group db cred (#12024) 2021-07-12 12:50:30 -05:00
12025.txt [VAULT-2776] Add prefix_filter option to Vault (#12025) 2021-07-09 14:49:53 -05:00
12026.txt [VAULT-1986] Cap AWS Token TTL based on Default Lease TTL (#12026) 2021-07-15 10:05:38 -07:00
12031.txt Make the list and kv list commands work with wrapping, e.g. for controlgroups (#12031) 2021-07-09 12:08:58 -04:00
12034.txt VAULT-2809: Tweak creation of vault.db file (#12034) 2021-07-09 14:45:50 -04:00
12035.txt UI: Automatically refresh page on logout (#12035) 2021-07-14 10:01:14 -05:00
12042.txt [VAULT-2825] Fix erroneous 500 resp for field validation errors (#12042) 2021-07-12 13:39:28 -04:00
12049.txt Update node to latest stable version (#12049) 2021-07-22 14:09:12 -07:00
12066.txt [VAULT-1969] Add support for custom IAM usernames based on templates (#12066) 2021-07-20 09:48:29 -07:00
12071.txt Enable building darwin arm64 for 1.8.x (#11855) (#12071) 2021-07-14 09:26:37 -05:00
12073.txt Update kubernetes auth plugin with AliasLookahead fix (#12073) 2021-07-15 14:35:40 +01:00
12079.txt Fix KV Version History queryParams on the component LinkedBlock (#12079) 2021-07-14 15:38:55 -06:00
12084.txt Improve Secret Empty States (#12084) 2021-07-21 12:47:52 -07:00
12087.txt secrets/database: fixes external plugin reconnect after shutdown for v4 and v5 interface (#12087) 2021-07-15 13:41:04 -07:00
12111.txt UI/database cg read role (#12111) 2021-07-20 11:28:44 -05:00
12115.txt fix: print consul svc addr in debug log (#12115) 2021-07-21 13:12:49 -07:00
12117.txt Add ability to optionally clone an api.Client's headers (#12117) 2021-07-19 17:15:31 -04:00
12126.txt VAULT-2285 adding capability to accept comma separated entries for au… (#12126) 2021-08-09 15:37:03 -04:00
12151.txt identity: do not allow a role's token_ttl to be longer than verification_ttl (#12151) 2021-07-28 20:34:52 -05:00
12162.txt Check to make sure context isn't expired before doing a raft operation. (#12162) 2021-08-19 12:03:56 -04:00
12163.txt serviceregistration: add external-source meta value (#12163) 2021-08-03 09:31:01 -07:00
12165.txt Aerospike backend update (#12165) 2021-11-29 11:09:12 -08:00
12169.txt UI add custom metadata to KV2 (#12169) 2021-08-31 09:41:41 -06:00
12175.txt Fix vault debug so that captured logs include newlines. (#12175) 2021-07-27 09:15:24 -04:00
12185.txt Update genUsername to cap STS usernames at 32 chars (#12185) 2021-08-09 09:40:47 -07:00
12196.txt VAULT-1303 when a request to vault fails, show namespace if set (#12196) 2021-07-30 12:32:05 -04:00
12208.txt identity: enforce key param and key existence on role creation (#12208) 2021-09-08 10:46:58 -05:00
12212.txt UI/TTL helperEnabled/DisabledText fix (#12212) 2021-08-03 15:50:49 -07:00
12229.txt Fix Diagnose Formatting In Disk Usage Checks (#12229) 2021-08-02 10:06:04 -07:00
12245.txt Updating go version to 1.16.6 for security fix (#12245) 2021-08-04 11:30:43 -04:00
12253.txt Update github.com/ulikunitz/xz (#12253) 2021-09-17 09:48:38 -07:00
12255.txt Update github.com/gogo/protobuf (#12255) 2021-09-07 11:40:14 -07:00
12262.txt Switch/upgrade to influxdata/influxdb1-client (#12262) 2022-01-25 13:30:24 -05:00
12265.txt Updates vault-plugin-auth-jwt to v0.10.1 (#12265) 2021-08-04 13:13:02 -07:00
12295.txt UI/StatText Component (#12295) 2021-08-16 11:55:12 -07:00
12301.txt dep: update database-couchbase plugin to v0.4.1 (#12301) 2021-08-12 11:54:19 -07:00
12317.txt Vault 2176 snapshot config issue (#12317) 2021-08-16 10:12:00 -07:00
12320.txt Send x-forwarded-for in Okta Push Factor request (#12320) 2021-09-03 13:09:11 -07:00
12338.txt api: return parse errors if any for storage endpoints (#12338) 2021-08-17 13:19:39 -04:00
12339.txt (OSS Port) Restrict Quota Deletion to Primary Cluster [vault-2399] (#12339) 2021-08-17 15:34:43 -07:00
12340.txt creds/aws: Add support for DSA signature verification for EC2 (#12340) 2021-08-19 09:16:31 -04:00
12348.txt UI: Allow metrics view without config read (#12348) 2021-08-18 15:33:39 -05:00
12351.txt dbplugin: fix error message in DeleteUser (#12351) 2021-08-18 16:12:40 -07:00
12354.txt Handle api explorer routing error (#12354) 2021-08-19 14:32:02 -07:00
12357.txt Fixed overflowing text of flash message container (#12357) 2021-08-19 14:27:22 -07:00
12366.txt Auto-join support for IPv6 discovery (#12366) 2021-09-07 11:55:07 -07:00
12371.txt Upgrade snappy to fix panic with identity/packer on Go 1.16+arm64. (#12371) 2021-08-19 15:51:06 -04:00
12372.txt [MAR-3131] Set grace to 0 on non-positive lease duration (#12372) 2021-08-24 19:06:40 -07:00
12377.txt [VAULT-3226] Use os.rename on windows os (#12377) 2021-08-19 16:05:53 -07:00
12378.txt plugin/snowflake: update gosnowflake to v1.6.1 (#12378) 2021-08-20 11:52:31 -04:00
12379.txt Updates vault-plugin-secrets-gcp to v0.10.2 (#12379) 2021-08-19 16:33:34 -07:00
12388.txt Add code to api.RaftSnapshot to detect incomplete snapshots (#12388) 2021-09-07 11:16:37 -04:00
12393.txt Vault 2823 cc namespace (#12393) 2021-09-07 09:16:12 -07:00
12408.txt bump go to 1.16.7 (#12408) 2021-08-24 09:54:26 -07:00
12409.txt Bug Fix: tab on MaskedInput for GeneratedItems it was clearing the value (#12409) 2021-08-24 08:59:37 -06:00
12413.txt Upgrade pq to fix connection failure cleanup bug (v1.8.0 => v1.10.3) (#12413) 2021-10-01 14:35:51 -07:00
12414.txt Identity: prepublish jwt signing keys (#12414) 2021-09-09 13:47:42 -05:00
12418.txt Add missing read unlock calls in transit backend code (#12652) 2021-09-28 11:59:30 -05:00
12422.txt Client count config view (#12422) 2021-08-25 14:22:15 -07:00
12425.txt Expose secret_id_accessor as WrappedAccessor when wrapping secret-id creation. (#12425) 2021-09-16 10:47:49 -07:00
12428.txt Add PutAutoPilotRaftConfiguration to api (#12428) 2021-11-10 12:10:15 -05:00
12437.txt UI/bar chart horizontal (#12437) 2021-09-07 12:54:33 -07:00
12443.txt change cassandra db plugin timeout to 5s as in docs (#12443) 2022-02-15 07:35:44 -08:00
12451.txt Bootstrap Nomad ACL system if no token is given (#12451) 2022-04-20 11:06:25 -07:00
12473.txt Fail alias rename if the resulting (name,accessor) exists already (#12473) 2021-09-21 08:19:44 -04:00
12478.txt Docfix: "Fix" is not a valid release-note type (#12676) 2021-09-29 14:54:58 -06:00
12483.txt update couchbase plugin version (#12483) 2021-09-07 11:48:10 -05:00
12485.txt Customizing HTTP headers in the config file (#12485) 2021-10-13 11:06:33 -04:00
12502.txt Add Custom metadata field to alias (#12502) 2021-09-17 11:03:47 -07:00
12505.txt dep: update consul-template to v0.27.0 (#12505) 2021-09-09 09:12:42 -07:00
12508.txt CLI: add new -header option to be able to add headers to all cli requests #8754 (#12508) 2021-10-27 11:04:04 -04:00
12514.txt Allow signing self issued certs with a different public key algorithm. (#12514) 2021-09-14 10:07:27 -05:00
12519.txt Fix pkcs7 parsing in some cases (#12519) 2021-09-10 12:17:03 -04:00
12534.txt vault-agent: copy values retrieved from bolt (#12534) 2021-09-13 11:06:08 -07:00
12541.txt UI/ PKI UI Redesign (#12541) 2021-10-04 14:31:36 -07:00
12550.txt Bug fix: allow forward slash in paths for delete menu (#12550) 2021-09-14 12:30:01 -06:00
12554.txt Client count updates (#12554) 2021-09-16 15:28:03 -07:00
12559.txt Use the system rand reader for CA root and intermediate generation (#12559) 2021-09-15 11:59:12 -05:00
12560.txt Use the system rand reader for SSH keypair generation (#12560) 2021-09-15 11:59:28 -05:00
12563.txt Port: Premature Rotation For autorotate (#12563) 2021-09-21 17:45:04 -07:00
12565.txt [VAULT-3519] Return no_default_policy on token role read (#12565) 2021-09-21 09:53:08 -07:00
12577.txt Added namespace search to client count (#12577) 2021-09-22 12:50:59 -07:00
12581.txt Update plugin proto to send tls.ConnectionState (Op.2) (#12581) 2021-10-07 08:06:09 -04:00
12582.txt Patch to support VAULT_HTTP_PROXY variable (#12582) 2021-10-06 09:40:31 -07:00
12600.txt dep: update vault-plugin-secrets-openldap to latest (#12600) 2021-09-21 15:30:19 -07:00
12621.txt update changelog/12621.txt (#13117) 2021-11-10 16:39:27 -08:00
12622.txt UI/bar chart updates (#12622) 2021-09-27 13:48:44 -07:00
12626.txt KV search box when no list access to metadata (#12626) 2021-09-29 14:35:00 -06:00
12629.txt Update Azure secrets engine to use MS Graph (#12629) 2021-09-29 11:28:13 -06:00
12633.txt fix: upgrade vault-plugin-auth-kubernetes (#12633) 2021-09-27 13:10:55 -04:00
12635.txt core: set namespace within GeneratePasswordFromPolicy (#12635) 2021-09-27 09:08:07 -07:00
12646.txt Auth method role edit form should be valid by default (#12646) 2021-10-04 11:53:24 -06:00
12663.txt UI/kv creation time (#12663) 2021-09-28 13:15:43 -06:00
12668.txt Add support to parameterize unauthenticated paths (#12668) 2021-10-13 11:51:20 -05:00
12672.txt UI/Add Elasticsearch DB (#12672) 2021-10-07 14:00:42 -07:00
12687.txt Add HTTP PATCH support to KV (#12687) 2021-10-13 15:24:31 -04:00
12688.txt agent: tolerate partial restore failure from persistent cache (#12718) 2021-10-08 11:30:04 +01:00
12691.txt Fix a Deadlock on HA leadership transfer (#12691) 2021-10-04 13:55:15 -04:00
12713.txt Removed unpublished:true for sys/internal/* endpoints (#12713) 2021-10-15 14:50:14 -04:00
12715.txt Fix auth/aws so that config/rotate-root saves new key pair to vault (#12715) 2021-10-19 10:26:47 -04:00
12716.txt Fix 1.8 regression preventing email addresses being used as common name within pki certificates (#12336) (#12716) 2021-10-04 14:02:47 -04:00
12718.txt agent: tolerate partial restore failure from persistent cache (#12718) 2021-10-08 11:30:04 +01:00
12720.txt CLI request when namespace is in argument and part of the path (#12720) 2021-10-21 22:35:13 -04:00
12724.txt Upgrade go-kms-wrapping to pickup oci-go-sdk update (#12724) 2021-10-04 16:21:38 -05:00
12731.txt [VAULT-3157] Move mergeStates utils from Agent to api module (#12731) 2021-10-06 10:57:06 -07:00
12747.txt [VAULT-3252] Disallow alias creation if entity/accessor combination exists (#12747) 2021-10-14 09:52:07 -07:00
12752.txt Added support for Oracle db connection (#12752) 2021-10-11 09:20:23 -07:00
12762.txt agent: Use an in-process listener with cache (#12762) 2021-10-15 17:22:19 -07:00
12763.txt Skip metric increment during existence check (#12763) 2022-05-05 10:22:19 -07:00
12770.txt UI/Serialize DB Connection Attributes (#12770) 2021-10-11 16:42:11 -07:00
12780.txt Filter identity token keys (#12780) 2021-10-12 11:14:03 -05:00
12787.txt Add LIST support to sys/policies/password (#12787) 2022-01-24 13:42:14 -08:00
12788.txt Return 404 response when looking for a secret_id_accessor that does not exist (#12788) 2021-10-11 15:07:51 +01:00
12790.txt Add remote_port in the audit logs when it is available (#12790) 2022-01-26 15:47:15 -08:00
12791.txt Return num_uses during authentication (#12791) 2022-01-25 18:59:53 -08:00
12792.txt Some changelog tidying for 1.10 preview (#13385) 2021-12-10 16:23:20 -05:00
12793.txt cl update (#13798) 2022-02-03 16:52:45 -08:00
12795.txt Some changelog tidying for 1.10 preview (#13385) 2021-12-10 16:23:20 -05:00
12796.txt Native Login method for Go client (#12796) 2021-10-26 16:48:48 -07:00
12800.txt UI/OIDC provider (#12800) 2021-10-13 15:04:39 -05:00
12802.txt Diagnose partial/missing telemetry configuration (#12802) 2021-10-20 16:47:59 -05:00
12812.txt Entities may have duplicate policies (#12812) 2021-10-22 19:28:31 -04:00
12814.txt api.Client: support isolated read-after-write (#12814) 2021-10-14 14:51:31 -04:00
12819.txt UI/remove empty rows from DB config pages (#12819) 2021-10-14 13:14:33 -07:00
12820.txt Port: add client ID to TWEs in activity log [vault-3136] (#12820) 2021-10-14 09:10:59 -07:00
12834.txt Fix entity alias deletion (#12834) 2021-10-19 15:05:06 -04:00
12839.txt [VAULT-3379] Add support for contained DBs in MSSQL root rotation and lease revocation (#12839) 2021-10-19 14:11:47 -07:00
12843.txt agent/cache: Store leases in-order in persistent cache so that restore respects dependencies (#12843) 2021-10-27 11:36:48 +01:00
12847.txt Forbid ssh key signing with specified extensions when role allowed_extensions is not set (#12847) 2021-10-15 17:55:18 -04:00
12868.txt Move to go 1.17 (#12868) 2021-10-21 09:32:03 -04:00
12872.txt Restrict ECDSA/NIST P-Curve hash function sizes for cert signing (#12872) 2021-11-12 12:18:38 -05:00
12876.txt Updates vault-plugin-auth-jwt to v0.11.0 (#12876) 2021-10-19 15:22:52 -07:00
12877.txt [VAULT-3008] Update RabbitMQ dependency and fix regression in UserInfo.Tags in v3.9 (#12877) 2021-10-20 09:46:37 -07:00
12881.txt operator generate-root -decode: allow token from stdin (#12881) 2021-10-20 12:29:17 -04:00
12885.txt VAULT-444: Add PKI tidy-status endpoint. (#12885) 2021-11-02 11:12:49 -04:00
12887.txt UI/Remove spinner after token renew (#12887) 2021-10-21 09:05:45 -05:00
12888.txt fix 12888 release note format (#13016) 2021-11-02 16:54:46 -06:00
12890.txt UI Conditionally Copy Tooltips (#12890) 2021-10-21 09:26:56 -06:00
12895.txt adds divider to toolbars with destructive actions (#12895) 2021-10-22 08:11:14 -06:00
12903.txt Set Cassandra connect timeout, not just regular timeout (#12903) 2021-10-22 11:02:28 -04:00
12904.txt UI/Remove token_type field from token auth method (#12904) 2021-10-29 13:00:34 -07:00
12906.txt Vertical resize on .cm-s-hashi.CodeMirror (#12906) 2021-10-22 14:58:04 -06:00
12907.txt Extend kv metadata to get, put, and patch (#12907) 2021-10-26 15:38:56 -04:00
12908.txt Info table row typography (#12908) 2021-10-22 15:16:02 -06:00
12911.txt fixing a bug for cli when namespace is in both arg and path (#12911) 2021-10-22 17:47:16 -04:00
12916.txt Adds missing unlock of RWMutex in OIDC delete key (#12916) 2021-10-25 09:59:26 -07:00
12921.txt KV alert banner for white space in KV path (#12921) 2021-10-28 10:50:33 -06:00
12932.txt Use mutex in OIDC configuration handlers (#12932) 2021-10-27 08:23:05 -07:00
12934.txt go-kms-wrapping update for Azure Key Vault's Managed HSM offering (#12934) 2021-10-27 12:07:18 -04:00
12945.txt UI/ Add PostgreSQL DB (#12945) 2021-10-29 09:58:56 -07:00
12965.txt cockroachdb: add high-availability support (#12965) 2022-03-29 13:12:06 -04:00
12976.txt Incorporate Ember Flight Icons (#12976) 2021-12-07 10:05:14 -07:00
13000.txt UI/kv codemirror diff (#13000) 2021-12-01 11:41:49 -07:00
13015.txt Secrets header version badge (#13015) 2021-11-08 14:29:00 -07:00
13022.txt Some changelog tidying for 1.10 preview (#13385) 2021-12-10 16:23:20 -05:00
13024.txt Fiddling with changelog formatting (#13496) 2021-12-21 18:32:08 -05:00
13032.txt UI/Truncate long secret names (#13032) 2021-11-04 16:57:08 -07:00
13033.txt Add changelog for couchbase plugin bug fix (#13033) 2021-11-03 15:39:19 -05:00
13034.txt secrets/azure: add changelog for rotate-root (#13034) 2021-11-03 16:38:45 -04:00
13038.txt PGP key list input fix (#13038) 2021-11-04 14:25:15 -06:00
13042.txt Fix errors logged on standbys when we try to write versions to storage (#13042) 2021-11-08 10:04:17 -05:00
13044.txt Allowing Unwrap w/ Newline files (#13044) 2021-11-24 10:13:45 -08:00
13054.txt UI/Adds pagination to auth methods list (#13054) 2021-11-04 16:35:20 -07:00
13078.txt Add a periodic test of the autoseal to detect loss of connectivity. (#13078) 2021-11-10 14:46:07 -06:00
13080.txt Add universal default key_bits value for PKI endpoints (#13080) 2021-12-13 15:26:42 -05:00
13086.txt Port: Allow Routing to Partial Monthly Client Count From Namespaces (#13086) 2021-11-08 15:38:35 -08:00
13090.txt UI/Custom empty state messages for transit and transform (#13090) 2021-11-11 16:53:53 -08:00
13093.txt Add missing changelog for pr #13093 (#13095) 2021-11-09 11:03:59 -05:00
13098.txt Raft peer removal bug (#13098) 2021-11-09 15:05:25 -07:00
13107.txt Raft Snapshot Restore Bug (#13107) 2021-11-17 10:30:59 -07:00
13111.txt Return non-retryable errors on transit encrypt and decrypt failures (#13111) 2021-11-15 15:53:22 -06:00
13133.txt OIDC Auth Bug (#13133) 2021-11-15 08:48:11 -07:00
13146.txt sdk/queue: move lock before checking queue length (#13146) 2021-11-29 14:54:00 -05:00
13149.txt UI/Update blueprints to glimmer components (#13149) 2021-11-16 13:14:16 -08:00
13152.txt Hide verify-connection attribute on connection config show page (#13152) 2021-11-16 12:56:42 -06:00
13162.txt Authenticate to "login" endpoint for non-existent mount path bug (#13162) 2021-11-22 17:06:59 -08:00
13165.txt Fix 1.9 regression with raft and stored time values (#13165) 2021-11-16 14:43:00 -05:00
13166.txt KV automatic delete state issue in UI (#13166) 2021-11-23 14:17:37 -07:00
13168.txt Revert more downgrades from #12975. (#13168) 2021-11-16 15:07:03 -05:00
13169.txt Fix startup failures when aliases from a pre-1.9 vault version exist (#13169) 2021-11-16 14:56:34 -05:00
13177.txt Form field component ttl picker not initially enabling (#13177) 2021-11-17 10:21:17 -07:00
13178.txt Some changelog tidying for 1.10 preview (#13385) 2021-12-10 16:23:20 -05:00
13195.txt Add pagination to namespace list view (#13195) 2021-11-29 13:11:14 -08:00
13200.txt Update 13200.txt changelog (#13263) 2021-11-24 13:38:15 -05:00
13215.txt Add HTTP PATCH support for KV key metadata (#13215) 2022-01-12 12:05:27 -05:00
13231.txt identity/oidc: optional nonce parameter for authorize request (#13231) 2021-11-22 09:42:22 -08:00
13233.txt Fixed null token panic from 'v1/auth/token/' endpoints and returned p… (#13233) 2021-12-21 09:46:56 -08:00
13235.txt Fix regression in returning empty value for approle cidrlist. (#13235) 2021-11-23 12:13:47 -05:00
13236.txt Fix null token type bug (#13236) 2021-12-06 09:38:53 -08:00
13238.txt UI/Fix node-forge EC error (#13238) 2021-11-23 13:51:02 -05:00
13241.txt Respect WithWrappingToken for all secret ID's in approle auth (#13241) 2021-11-23 15:53:48 -08:00
13254.txt skip hash bits verification for ed25519 (#13254) 2021-11-23 15:28:18 -05:00
13257.txt recognize ed25519 key type and return PKCS8 format (#13257) 2021-11-24 14:24:06 -05:00
13277.txt secrets/azure: Update plugin to v0.11.2 (#13277) 2021-11-29 09:05:23 -08:00
13282.txt Return an error when trying to store a too-large key with Raft (#13282) 2021-11-25 14:07:03 -05:00
13286.txt Prevent raft transactions from containing overlarge keys. (#13286) 2021-11-26 08:38:39 -05:00
13292.txt Add "operator members" command to list nodes in the cluster. (#13292) 2021-11-30 14:49:58 -05:00
13298.txt Identity: check NextSigningKey existence during key rotation (#13298) 2021-11-29 15:10:58 -06:00
13318.txt Fix possible nil pointer dereference (#13318) 2021-12-02 08:23:41 -05:00
13324.txt Rename master key to root key (#13324) 2021-12-06 17:12:20 -08:00
13332.txt github auth: use org id to verify creds (#13332) 2021-12-14 16:37:19 -06:00
13348.txt auth/cert: Add certificate extensions as metadata (#13348) 2022-01-03 13:38:16 -08:00
13365.txt auth/jwt: update changelog for pkce improvement (#13392) 2021-12-10 11:15:22 -06:00
13367.txt Fiddling with changelog formatting (#13496) 2021-12-21 18:32:08 -05:00
13395.txt Support clearing an identity alias' custom_metadata (#13395) 2021-12-10 18:07:47 -05:00
13396.txt UI/fix client count partial (#13396) 2021-12-10 16:14:57 -06:00
13408.txt Main go version bump (#13408) 2021-12-14 11:11:13 -05:00
13414.txt secrets/database: Add parameter to disable escaping username and password chars for DB connections (#13414) 2022-01-10 12:05:17 -06:00
13439.txt update okta-sdk-golang to v2.9.1 (#13439) 2022-01-06 09:42:51 -05:00
13443.txt Ember Upgrade to 3.24 (#13443) 2021-12-16 20:44:29 -07:00
13452.txt EscapeLDAPValue - catch trailing escape character (#13452) 2021-12-15 13:17:07 -08:00
13469.txt Update mssql's contained_db field to accept a boolean (#13469) 2021-12-20 10:04:43 -05:00
13476.txt Attempt to address a data race issue within identity store - take 2 (#13476) 2021-12-22 09:51:13 -05:00
13486.txt Fix properly initialize replicateStateStore from SetReadYourWrites() (#13486) 2021-12-21 16:14:39 -05:00
13487.txt [Vault-4628] OpenAPI endpoint not expanding root alternations (#13487) 2021-12-22 15:36:47 -08:00
13492.txt auth/oidc: update plugin to v0.11.4 (#13492) 2021-12-21 16:48:53 -08:00
13515.txt Add ability to optionally clone a Client's token (#13515) 2021-12-22 17:07:26 -05:00
13537.txt Enhance sys/raw to read and write values that cannot be encoded in json (#13537) 2022-01-20 07:52:53 -05:00
13540.txt Add support for PROXY protocol v2 in TCP listener (#13540) 2022-03-08 12:13:00 -05:00
13548.txt secrets/gcp: update plugin to v0.11.1 (#13548) 2022-01-03 11:18:48 -08:00
13573.txt Use MAP_POPULATE for our bbolt mmaps (#13573) 2022-01-11 08:16:53 -05:00
13585.txt UI/fix kmip role form (#13585) 2022-01-07 09:16:40 -06:00
13590.txt Search Select Input Fix (#13590) 2022-01-06 16:34:26 -07:00
13595.txt auth/kubernetes: support for dynamically reloading short-lived tokens (#13595) 2022-01-14 19:55:15 -08:00
13604.txt UI/Fixes secrets list breadcrumb (#13604) 2022-01-10 11:00:47 -08:00
13606.txt Parallel retry join (#13606) 2022-01-17 10:33:03 -05:00
13615.txt If we get a 405 doing an HTTP PATCH, assume the server is pre-1.9 and fall back to old readThenWrite approach (#13615) 2022-01-11 11:52:24 -05:00
13643.txt Distinguish LIST-only paths in OpenAPI (#13643) 2022-01-18 09:21:44 -08:00
13660.txt Add support for client certificates to -output-curl-string (#13660) 2022-01-20 10:25:26 -08:00
13661.txt Make auth/token/revoke-accessor idempotent (#13661) 2022-01-18 06:56:38 -05:00
13667.txt Vault-3991 Code Scanning Alerts Changes (#13667) 2022-01-14 15:35:27 -08:00
13669.txt auth/ldap: Add username to alias.metadata.name (#13669) 2022-01-20 12:30:26 -05:00
13675.txt Add telemetry to Vault agent (#13675) 2022-02-17 17:10:26 -08:00
13678.txt Support go-sockaddr templates in top-level cluster_addr config (#13678) 2022-01-19 10:56:04 -05:00
13682.txt Add the duration and start time to logged completed requests. (#13682) 2022-01-20 08:55:30 -05:00
13683.txt Accept both -f and --force in the web terminal (#13683) 2022-01-20 10:17:53 -07:00
13690.txt Add validation for nonce size when we aren't in convergent encryption mode within transit backend (#13690) 2022-01-19 13:02:49 +05:30
13691.txt Time-based transit key autorotation (#13691) 2022-01-20 09:10:15 -06:00
13703.txt Update to raft lib v1.3.3 (#13703) 2022-01-24 09:50:23 -05:00
13716.txt oidc: check for nil signing key on rotation (#13716) 2022-01-24 12:05:49 -06:00
13736.txt Support Y10K value in notAfter field when signing non-CA certificates (#13736) 2022-01-31 15:37:50 -06:00
13749.txt Raft/fix raft telemetry metric unit (#13749) 2022-01-24 10:51:35 -05:00
13759.txt PKI - Allow performance secondaries to generate and store certificates locally to them (#13759) 2022-01-24 10:03:04 -06:00
13766.txt Add sys/version-history endpoint and associated command (#13766) 2022-02-14 15:26:57 -05:00
13799.txt Remove fmt strings and replace with inline queries (#13799) 2022-01-27 15:20:13 -08:00
13841.txt [API] Add LDAP auth method (#13841) 2022-02-04 11:10:51 -08:00
13850.txt secret/consul: Add support for consul namespaces and admin partitions (#13850) 2022-02-09 15:44:00 -06:00
13871.txt identity/oidc: loopback redirect dynamic port (#13871) 2022-02-07 10:34:33 -08:00
13872.txt Fix kv secret access bug (#13872) 2022-02-03 01:46:03 +05:30
13889.txt Add duration/count metrics to PKI issue and revoke flows (#13889) 2022-02-08 10:37:40 -06:00
13893.txt add API docs for KVv2 subkeys endpoint (#13893) 2022-02-14 15:28:14 -05:00
13894.txt Switch from node-forge to PKI.js (#13894) 2022-02-04 12:52:28 -05:00
13908.txt Transform Advanced Templating (#13908) 2022-02-07 13:07:53 -07:00
13917.txt identity/oidc: Adds proof key for code exchange (PKCE) support (#13917) 2022-02-15 12:02:22 -08:00
13925.txt auth/kubernetes: Update plugin to v0.11.5 (#13925) 2022-02-10 12:23:19 -05:00
13927.txt Use application/pem-certificate-chain for PEMs (#13927) 2022-02-08 08:12:33 -05:00
13935.txt Add full CA Chain to /pki/cert/ca_chain response (#13935) 2022-02-07 14:37:01 -05:00
13950.txt UI: Add check for renewal time before triggering renew-self (#13950) 2022-02-08 11:43:42 -06:00
13958.txt Allow all other_sans in sign-intermediate and sign-verbatim (#13958) 2022-02-09 10:09:19 -05:00
13970.txt UI/transit auto rotate interval (#13970) 2022-02-09 10:56:49 -06:00
13973.txt secrets/azure: update to v0.11.3 (#13973) 2022-02-09 11:58:53 -05:00
13974.txt secrets/gcp: update to v0.11.2 (#13974) 2022-02-09 12:57:53 -05:00
13991.txt Allow specifying multiple allowed SSH key lengths (#13991) 2022-02-17 15:36:56 -05:00
14006.txt Switch to secure signing algorithm for SSH secrets engine (#14006) 2022-02-18 10:44:01 -05:00
14008.txt Allow generation of other types of SSH CA keys (#14008) 2022-02-15 14:14:05 -05:00
14013.txt identity/oidc: use inherited group membership for client assignments (#14013) 2022-02-11 11:40:44 -08:00
14014.txt secret/consul: Add Consul ACL roles support (#14014) 2022-02-16 19:31:08 -06:00
14025.txt update MFA changelog (#14326) 2022-03-01 15:13:39 -08:00
14033.txt update changelog to include db config connection return value change (#14256) 2022-02-24 14:03:11 -06:00
14049.txt MFA UI Changes (v3) (#14145) 2022-02-17 15:40:25 -07:00
14051.txt Allow auto-detection of AWS region when using the vault CLI (#14051) 2022-02-14 12:01:27 -08:00
14054.txt UI: Switch usage of localStorage to sessionStorage (#14054) 2022-02-17 10:04:53 -06:00
14067.txt Revert "MFA (#14049)" (#14135) 2022-02-17 13:17:59 -07:00
14074.txt Use FieldData.GetOkError() to access required Transit parameters. (#14593) 2022-03-18 16:10:38 -04:00
14095.txt auth/ldap: add resp warning if userfilter doesn't consider userattr (#14095) 2022-02-17 17:19:44 -08:00
14107.txt Revert "MFA (#14049)" (#14135) 2022-02-17 13:17:59 -07:00
14109.txt Server Side Consistency Docs (#14392) 2022-03-16 10:20:12 -07:00
14119.txt identity/oidc: Adds default provider, key, and allow_all assignment (#14119) 2022-02-22 08:33:19 -08:00
14130.txt secrets/azure: update plugin to v0.11.4 (#14130) 2022-02-17 12:09:36 -08:00
14131.txt interactive CLI for mfa login (#14131) 2022-02-24 15:16:15 -05:00
14138.txt auth/azure: update to v0.9.3 (#14138) 2022-02-18 09:42:48 -05:00
14144.txt upgrade vault-plugin-auth-kubernetes (#14144) 2022-02-22 11:25:44 -05:00
14171.txt secrets/openldap: fix panic from nil logger (#14171) 2022-02-18 19:40:30 -05:00
14190.txt Update github.com/prometheus/client_golang (#14190) 2022-02-23 09:31:58 -05:00
14193.txt Remove support for etcd v2 storage backend. (#14193) 2022-02-22 16:48:04 -05:00
14195.txt Add checks for other error types within the PKI plugin (#14195) 2022-02-22 14:39:21 -05:00
14197.txt Ensure that fewer goroutines survive after a test completes (#14197) 2022-02-23 10:33:52 -05:00
14206.txt prevent int64 overflow for default_lease_ttl and max_lease_ttl (#14206) 2022-02-23 17:08:52 -05:00
14214.txt agent/azure: adds ability to use specific user-assigned managed identities for auto auth (#14214) 2022-02-23 11:43:36 -08:00
14217.txt Change OpenAPI code generator to extract request objects (#14217) 2022-03-11 19:00:26 -05:00
14222.txt Set header content type instead of overwriting all headers (#14222) 2022-02-23 17:09:57 -05:00
14223.txt Quit agent endpoint with config (#14223) 2022-02-25 10:29:05 +00:00
14224.txt UI/fix db role ttl display (#14224) 2022-02-23 10:00:20 -06:00
14231.txt Increase column width of vault_key on mysql (#14231) 2022-02-24 09:21:57 -05:00
14232.txt Update to Go 1.17.7 (#14232) 2022-02-23 15:08:08 -05:00
14233.txt UI: Fix incorrect validity modal on transit secrets engine (#14233) 2022-02-23 14:59:49 -06:00
14235.txt Fix broken interactions between glob_domains and wildcards (#14235) 2022-02-23 16:44:09 -05:00
14238.txt Add role parameter to restrict issuance of wildcard certificates (#14238) 2022-02-24 08:41:56 -05:00
14268.txt UI: add Database static role password rotation (#14268) 2022-02-25 12:16:54 -06:00
14269.txt [VAULT-5003] Use net/http client in Sys().RaftSnapshotRestore (#14269) 2022-03-14 10:13:33 -07:00
14292.txt Add warning when generate_lease=no_store=true when writing PKI role (#14292) 2022-02-28 13:55:12 -05:00
14301.txt Output full secret path in certain kv commands (#14301) 2022-03-08 13:17:27 -08:00
14324.txt auth/ldap: add username_as_alias config flag (#14324) 2022-03-15 10:21:40 -04:00
14328.txt treat logical.ErrRelativePath as 400 instead of 500 (#14328) 2022-03-30 09:08:02 -04:00
14329.txt Logout with wrapped token (#14329) 2022-03-02 09:45:53 -07:00
14385.txt Set service type to notify in systemd unit. (#14385) 2022-03-09 08:13:45 -05:00
14388.txt Add context-aware functions to vault/api (#14388) 2022-03-23 17:47:43 -04:00
14389.txt Added Enigma Vault secret plugin. Designed to be simple but complete, a good starting point for plugin developers (#14389) 2022-03-11 08:33:48 -05:00
14400.txt UI/Hide empty masked PKI row values (#14400) 2022-03-11 13:55:01 -08:00
14422.txt UI/add managed ns redirect prefix (#14422) 2022-03-10 08:26:33 -06:00
14424.txt Agent error log level is mismatched (#14424) 2022-04-07 11:03:38 -07:00
14426.txt identity/oidc: prevent key rotation on performance secondary clusters (#14426) 2022-03-09 15:41:02 -08:00
14487.txt only check Contains if IP address (#14487) 2022-03-15 09:55:50 -06:00
14489.txt UI/fix kv data cache (#14489) 2022-03-16 11:00:08 -05:00
14493.txt UI/d3 DOM cleanup hover issue (#14493) 2022-03-16 13:36:41 -05:00
14501.txt Add input validation to getRuleInfo to prevent panic (#14501) 2022-03-24 16:16:37 -04:00
14508.txt UI: Parse OpenAPI response correctly if schema includes $ref (#14508) 2022-03-16 09:24:07 -05:00
14522.txt Fix panic caused by parsing json.Number values for TypeCommaStringSlice fields (#14522) 2022-03-28 11:07:55 -04:00
14523.txt Fix CLI panic caused by single backslash values (#14523) 2022-03-24 16:40:32 -04:00
14543.txt identity/token: fix duplicate keys in well-known (#14543) 2022-03-16 18:48:10 -07:00
14545.txt OIDC Logout Bug (#14545) 2022-03-18 09:40:17 -06:00
14551.txt UI/Wrong sentinel error message for auth methods (#14551) 2022-03-18 16:47:42 -07:00
14622.txt Add a check for missing entity during local alias invalidation. (#14622) 2022-03-21 15:09:31 -04:00
14659.txt Remove Ivy Codemirror (#14659) 2022-03-29 10:25:16 -06:00
14670.txt Warn on upper case in policy name (#14670) 2022-03-24 13:29:11 -07:00
14704.txt Vault-4010 Unauthenticated panic when processing "help" requests (#14704) 2022-03-24 12:19:14 -07:00
14744.txt Ensure that URL encoded passwords are properly redacted. (#14744) 2022-03-29 10:33:55 -04:00
14746.txt add value length check to approle createHMAC (#14746) 2022-03-29 14:43:35 -04:00
14752.txt Vault-4279 reporting redundant/unused keys in config (#14752) 2022-04-01 10:34:27 -04:00
14753.txt Add ability to pass certificate PEM bytes to vault/api (#14753) 2022-04-06 11:21:46 -04:00
14755.txt Address incorrect table metric value for local mounts (#14755) 2022-03-30 13:06:49 -04:00
14763.txt Ember upgrade to 3.28.6 (#14763) 2022-04-12 13:59:34 -06:00
14775.txt Use WriteWithContext in auth helpers (#14775) 2022-04-06 11:20:34 -04:00
14791.txt Fixing excessive unix file permissions (#14791) 2022-04-01 12:57:38 -04:00
14794.txt UI/Only show form values if have read access (#14794) 2022-04-01 16:05:42 -05:00
14807.txt Mount flag syntax to mitigate confusion from KV-v2 path discrepancies (#14807) 2022-04-06 13:58:06 -07:00
14814.txt VAULT-4240 time.After() in a select statement can lead to memory leak (#14814) 2022-04-01 10:17:11 -04:00
14817.txt Vault 3992 ToB Config and Plugins Permissions (#14817) 2022-04-04 09:45:41 -07:00
14836.txt Respect increment value in grace period calculations (api/LifetimeWatcher) (#14836) 2022-04-06 13:04:45 -04:00
14846.txt Vault 3999 Change permissions for directory/archive created by debug command (#14846) 2022-04-04 09:44:03 -07:00
14864.txt VAULT-5422: Add rate limit for TOTP passcode attempts (#14864) 2022-04-14 13:48:24 -04:00
14869.txt deprecating Legacy MFA (#14869) 2022-04-19 21:19:34 -04:00
14875.txt Fix handling of default zero SignatureBits value with Any key type in PKI Secrets Engine (#14875) 2022-04-04 15:26:54 -04:00
14899.txt Global flag that outputs minimum policy HCL required for an operation (#14899) 2022-04-27 16:35:18 -07:00
14900.txt [Vault-5248] MFA support for api login helpers (#14900) 2022-04-15 11:13:15 -07:00
14916.txt OIDC Login Bug (#14916) 2022-04-07 08:30:29 -06:00
14941.txt Bug Fix and Glimmerize secret-edit component (#14941) 2022-04-07 11:07:33 -06:00
14943.txt Fix handling of SignatureBits for ECDSA issuers (#14943) 2022-04-07 11:52:59 -04:00
14954.txt aws auth displayName (#14954) 2022-04-08 14:37:49 -07:00
14957.txt Add build date (#14957) 2022-04-19 14:28:08 -04:00
14962.txt Warnings indicating ignored and replaced parameters (#14962) 2022-04-11 09:57:12 -04:00
14963.txt [Vault-5736] Add (*Client).WithNamespace() for temporary namespace handling (#14963) 2022-04-14 09:50:21 -07:00
14966.txt Fix edit capabilities call in auth method (#14966) 2022-04-11 10:48:35 -07:00
14968.txt Don't clone OutputCurlString value (#14968) 2022-04-08 09:58:50 -07:00
14973.txt Update gocql to resolve #12878 (#14973) 2022-04-18 11:12:32 -07:00
14977.txt Ensure initialMmapSize is 0 on Windows (#14977) 2022-04-08 12:07:21 -07:00
14985.txt supporting google authenticator with Okta auth (#14985) 2022-04-14 08:37:04 -04:00
15009.txt forwarding requests subjected to Login MFA to the active node (#15009) 2022-04-13 10:11:53 -04:00
15025.txt UI: Masked inputs always look the same when value is hidden (#15025) 2022-04-13 16:56:39 -05:00
15041.txt When running under systemd, send ready when server completed reloading config #7028 (#15041) 2022-05-03 08:34:11 -04:00
15042.txt Raft: use a larger initial heartbeat/election timeout (#15042) 2022-04-29 08:32:16 -04:00
15046.txt Custom tooltip for Generated Token Policies form field on auth methods (#15046) 2022-04-14 14:58:26 -06:00
15054.txt Add AWS_DYNAMODB_REGION Environment variable (#15054) 2022-04-28 12:29:51 -07:00
15058.txt UI: fix blank selection on search select field (#15058) 2022-04-15 12:47:55 -05:00
15067.txt When tainting a route during setup, pre-calculate the namespace specific path (#15067) 2022-04-26 09:13:45 -07:00
15072.txt fix TypeCommaIntSlice panic caused by json.Number input (#15072) 2022-04-18 16:43:16 -04:00
15074.txt remove storybook: (#15074) 2022-04-19 15:45:20 -06:00
15092.txt Upgrade hashicorp/consul-template dependency (#15092) 2022-04-19 20:51:11 +01:00
15104.txt [VAULT-5887] TypeInt64 support added to OpenApi Spec generation (#15104) 2022-04-22 15:37:12 -07:00
15123.txt Clone identity objects to prevent races. (#15123) 2022-04-22 13:04:34 -04:00
15125.txt Update golang.org/x/crypto/ssh (#15125) 2022-04-22 12:58:23 -04:00
15156.txt fix raft tls key rotation panic when rotation time in past (#15156) 2022-04-25 21:48:34 -04:00
15163.txt [VAULT-5813] Remove duplicate sha_256 in SystemCatalogRequest OAS (#15163) 2022-04-25 13:12:08 -07:00
15166.txt VAULT-5827 Don't prepare SQL queries before executing them (#15166) 2022-04-26 12:47:06 -07:00
15188.txt [VAULT-14990] Support retrieving kv secret paths with trailing spaces (#15188) 2022-05-10 14:07:45 -07:00
15204.txt agent/auto-auth: Add min_backoff to set first backoff value (#15204) 2022-04-29 12:31:32 -04:00
15213.txt Allow callers to choose the entropy source for the random endpoints. (#15213) 2022-05-02 14:42:07 -05:00
15224.txt Do sockaddr template parsing only when needed (#15224) 2022-04-29 09:57:17 -04:00
15259.txt change ordering of activity log month data to sort by ascending order… (#15259) 2022-05-03 13:39:29 -07:00
15261.txt loading MFA configs upont restart (#15261) 2022-05-05 18:53:57 -04:00
15277.txt Allow Multiple Issuers in PKI Secret Engine Mounts - PKI Pod (#15277) 2022-05-11 12:42:28 -04:00
15293.txt Update deps for consul-template 0.29.0 (#15293) 2022-05-05 10:30:40 -07:00
15295.txt secrets/consul: Add support for generating tokens with service and node identities (#15295) 2022-05-09 20:07:35 -05:00
15316.txt Add DR Metric scraping capability to debug command (#15316) 2022-05-06 16:04:08 -04:00
15364.txt UI/ fix firefox not recognizing csv export (#15364) 2022-05-10 17:19:38 -07:00
_ 1686.txt changelog for entropy augmentation PR [VAULT-1179] (#10755) 2021-01-26 21:06:38 -08:00
_1622.txt Update _1622.txt 2021-01-20 15:06:23 -05:00
_1633.txt Changelog for enterprise fix. (#10560) 2020-12-14 12:43:38 -06:00
_1637.txt Changelog updates for transform fixes (ENT) (#10528) 2020-12-10 13:59:30 -06:00
_1642.txt changelog for license (#10555) 2020-12-15 10:42:39 -08:00
_1656.txt 1.5.6 & 1.6.1 changelog++ 2020-12-16 10:55:12 -05:00
_1659.txt Add changelog for ent #1659. (#10600) 2020-12-18 15:06:54 -05:00
_1663.txt Add changelog for #1663. (#10635) 2021-01-04 11:08:39 -05:00
_1680.txt changelog++ (#10748) 2021-01-26 19:30:42 -05:00
_1691.txt Add changelog entry for ent PR 1691 (#11139) 2021-03-19 10:07:48 -07:00
_1705.txt Add changelog entry for ent PR 1705 (#10827) 2021-02-03 09:35:14 -08:00
_1712.txt Changing from "changelog" to "release-note" (#11303) 2021-04-07 18:21:01 -04:00
_1739.txt Adds a changelog entry for key management secrets engine (#11164) 2021-03-19 15:45:35 -07:00
_1757.txt Add transform upgrade bug fix changelog (#11090) 2021-03-12 09:52:41 -06:00
_1792.txt Changelog for orphan status fix (#11137) 2021-03-19 11:38:07 -05:00
_1819.txt oss part of control groups upgrade (#11772) 2021-06-07 09:15:35 -07:00
_2021Jan20.txt Changelog notes for 1.6.2 (#10737) 2021-01-20 15:52:48 -05:00
_2021Jan26.txt More CL notes for 1.6.2 (#10792) 2021-01-27 12:03:20 -05:00
_2071.txt oss part of license diagnose test fix (#12234) 2021-08-02 10:50:49 -07:00
_10959.txt Make cert domain name validation case insensitive (#10959) 2021-03-09 21:28:27 -08:00
changelog.tmpl Changelog notes for 1.6.2 (#10737) 2021-01-20 15:52:48 -05:00
client-counts.txt UI/Client counts changelog 1.10 (#14166) 2022-02-22 12:08:11 -07:00
diagnose.txt Diagnose docs + changelog (#12159) 2021-07-26 08:45:12 -07:00
go-ver-1110.txt mv changelog/15043.txt -> changelog/go-ver-1110.txt (#15059) 2022-04-15 14:37:54 -04:00
mount-migration.txt Fixes from mount move testing (#14492) 2022-03-15 11:11:23 -07:00
note.tmpl
README.md Add changelog for #10416 (#10473) 2020-12-01 16:08:19 +00:00

README.md

changelog

This folder holds changelog updates from commit 3bc7d15 onwards. See hashicorp/go-changelog for full documentation on the supported entries.