Releases: hashicorp/vault
Releases · hashicorp/vault
v1.11.5
1.11.5
November 2, 2022
IMPROVEMENTS:
- database/snowflake: Allow parallel requests to Snowflake [GH-17594]
- sdk/ldap: Added support for paging when searching for groups using group filters [GH-17640]
BUG FIXES:
- core/managed-keys (enterprise): Return better error messages when encountering key creation failures
- core/managed-keys (enterprise): fix panic when having
cache_disable
true - core: prevent memory leak when using control group factors in a policy [GH-17532]
- core: prevent panic during mfa after enforcement's namespace is deleted [GH-17562]
- kmip (enterprise): Fix a problem in the handling of attributes that caused Import operations to fail.
- login: Store token in tokenhelper for interactive login MFA [GH-17040]
- secrets/pki: Do not ignore provided signature bits value when signing intermediate and leaf certificates with a managed key [GH-17328]
- secrets/pki: Do not read revoked certificates from backend when CRL is disabled [GH-17384]
- secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [GH-17497]
- ui/keymgmt: Sets the defaultValue for type when creating a key. [GH-17407]
- ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [GH-17661]
v1.12.1
1.12.1
November 2, 2022
IMPROVEMENTS:
- api: Support VAULT_DISABLE_REDIRECTS environment variable (and --disable-redirects flag) to disable default client behavior and prevent the client following any redirection responses. [GH-17352]
- database/snowflake: Allow parallel requests to Snowflake [GH-17593]
- plugins: Add plugin version information to key plugin lifecycle log lines. [GH-17430]
- sdk/ldap: Added support for paging when searching for groups using group filters [GH-17640]
BUG FIXES:
- cli: Remove empty table heading for
vault secrets list -detailed
output. [GH-17577] - core/managed-keys (enterprise): Return better error messages when encountering key creation failures
- core/managed-keys (enterprise): Switch to using hash length as PSS Salt length within the test/sign api for better PKCS#11 compatibility
- core: Fix panic caused in Vault Agent when rendering certificate templates [GH-17419]
- core: Fixes spurious warnings being emitted relating to "unknown or unsupported fields" for JSON config [GH-17660]
- core: prevent memory leak when using control group factors in a policy [GH-17532]
- core: prevent panic during mfa after enforcement's namespace is deleted [GH-17562]
- kmip (enterprise): Fix a problem in the handling of attributes that caused Import operations to fail.
- kmip (enterprise): Fix selection of Cryptographic Parameters for Encrypt/Decrypt operations.
- login: Store token in tokenhelper for interactive login MFA [GH-17040]
- secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [GH-17497]
- ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [GH-17661]
v1.10.8
1.10.8
November 2, 2022
BUG FIXES:
- core/managed-keys (enterprise): Return better error messages when encountering key creation failures
- core/managed-keys (enterprise): fix panic when having
cache_disable
true - core: prevent memory leak when using control group factors in a policy [GH-17532]
- core: prevent panic during mfa after enforcement's namespace is deleted [GH-17562]
- login: Store token in tokenhelper for interactive login MFA [GH-17040]
- secrets/pki: Do not ignore provided signature bits value when signing intermediate and leaf certificates with a managed key [GH-17328]
- secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [GH-17497]
- ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [GH-17661]
v1.12.0
1.12.0
October 13, 2022
CHANGES:
- api: Exclusively use
GET /sys/plugins/catalog
endpoint for listing plugins, and adddetails
field to list responses. [GH-17347] - auth:
GET /sys/auth/:name
endpoint now returns an additionaldeprecation_status
field in the response data for builtins. [GH-16849] - auth:
GET /sys/auth
endpoint now returns an additionaldeprecation_status
field in the response data for builtins. [GH-16849] - auth:
POST /sys/auth/:type
endpoint response contains a warning forDeprecated
auth methods. [GH-17058] - auth:
auth enable
returns an error andPOST /sys/auth/:type
endpoint reports an error forPending Removal
auth methods. [GH-17005] - core/entities: Fixed stranding of aliases upon entity merge, and require explicit selection of which aliases should be kept when some must be deleted [GH-16539]
- core: Bump Go version to 1.19.2.
- core: Validate input parameters for vault operator init command. Vault 1.12 CLI version is needed to run operator init now. [GH-16379]
- identity: a request to
/identity/group
that includesmember_group_ids
that contains a cycle will now be responded to with a 400 rather than 500 [GH-15912] - licensing (enterprise): Terminated licenses will no longer result in shutdown. Instead, upgrades will not be allowed if the license termination time is before the build date of the binary.
- plugins: Add plugin version to auth register, list, and mount table [GH-16856]
- plugins:
GET /sys/plugins/catalog/:type/:name
endpoint contains deprecation status for builtin plugins. [GH-17077] - plugins:
GET /sys/plugins/catalog/:type/:name
endpoint now returns an additionalversion
field in the response data. [GH-16688] - plugins:
GET /sys/plugins/catalog/
endpoint contains deprecation status indetailed
list. [GH-17077] - plugins:
GET /sys/plugins/catalog
endpoint now returns an additionaldetailed
field in the response data with a list of additional plugin metadata. [GH-16688] - plugins:
plugin info
displays deprecation status for builtin plugins. [GH-17077] - plugins:
plugin list
now accepts a-detailed
flag, which display deprecation status and version info. [GH-17077] - secrets/azure: Removed deprecated AAD graph API support from the secrets engine. [GH-17180]
- secrets: All database-specific (standalone DB) secrets engines are now marked
Pending Removal
. [GH-17038] - secrets:
GET /sys/mounts/:name
endpoint now returns an additionaldeprecation_status
field in the response data for builtins. [GH-16849] - secrets:
GET /sys/mounts
endpoint now returns an additionaldeprecation_status
field in the response data for builtins. [GH-16849] - secrets:
POST /sys/mounts/:type
endpoint response contains a warning forDeprecated
secrets engines. [GH-17058] - secrets:
secrets enable
returns an error andPOST /sys/mount/:type
endpoint reports an error forPending Removal
secrets engines. [GH-17005]
FEATURES:
- GCP Cloud KMS support for managed keys: Managed keys now support using GCP Cloud KMS keys
- LDAP Secrets Engine: Adds the
ldap
secrets engine with service account check-out functionality for all supported schemas. [GH-17152] - OCSP Responder: PKI mounts now have an OCSP responder that implements a subset of RFC6960, answering single serial number OCSP requests for a specific cluster's revoked certificates in a mount. [GH-16723]
- Redis DB Engine: Adding the new Redis database engine that supports the generation of static and dynamic user roles and root credential rotation on a stand alone Redis server. [GH-17070]
- Redis ElastiCache DB Plugin: Added Redis ElastiCache as a built-in plugin. [GH-17075]
- Secrets/auth plugin multiplexing: manage multiple plugin configurations with a single plugin process [GH-14946]
- Transform Key Import (BYOK): The transform secrets engine now supports importing keys for tokenization and FPE transformations
- HCP (enterprise): Adding foundational support for self-managed vault nodes to securely communicate with HashiCorp Cloud Platform as an opt-in feature
- ui: UI support for Okta Number Challenge. [GH-15998]
IMPROVEMENTS:
- :core/managed-keys (enterprise): Allow operators to specify PSS signatures and/or hash algorithm for the test/sign api
- activity (enterprise): Added new clients unit tests to test accuracy of estimates
- agent/auto-auth: Add
exit_on_err
which when set to true, will cause Agent to exit if any errors are encountered during authentication. [GH-17091] - agent: Added
disable_idle_connections
configuration to disable leaving idle connections open in auto-auth, caching and templating. [GH-15986] - agent: Added
disable_keep_alives
configuration to disable keep alives in auto-auth, caching and templating. [GH-16479] - agent: JWT auto auth now supports a
remove_jwt_after_reading
config option which defaults to true. [GH-11969] - agent: Send notifications to systemd on start and stop. [GH-9802]
- api/mfa: Add namespace path to the MFA read/list endpoint [GH-16911]
- api: Add a sentinel error for missing KV secrets [GH-16699]
- auth/alicloud: Enables AliCloud roles to be compatible with Vault's role based quotas. [GH-17251]
- auth/approle: SecretIDs can now be generated with an per-request specified TTL and num_uses.
When either the ttl and num_uses fields are not specified, the role's configuration is used. [GH-14474] - auth/aws: PKCS7 signatures will now use SHA256 by default in prep for Go 1.18 [GH-16455]
- auth/azure: Enables Azure roles to be compatible with Vault's role based quotas. [GH-17194]
- auth/cert: Add metadata to identity-alias [GH-14751]
- auth/cert: Operators can now specify a CRL distribution point URL, in which case the cert auth engine will fetch and use the CRL from that location rather than needing to push CRLs directly to auth/cert. [GH-17136]
- auth/cf: Enables CF roles to be compatible with Vault's role based quotas. [GH-17196]
- auth/gcp: Add support for GCE regional instance groups [GH-16435]
- auth/gcp: Updates dependencies:
google.golang.org/api@v0.83.0
,github.com/hashicorp/go-gcp-common@v0.8.0
. [GH-17160] - auth/jwt: Adds support for Microsoft US Gov L4 to the Azure provider for groups fetching. [GH-16525]
- auth/jwt: Improves detection of Windows Subsystem for Linux (WSL) for CLI-based logins. [GH-16525]
- auth/kerberos: add
add_group_aliases
config to include LDAP groups in Vault group aliases [GH-16890] - auth/kerberos: add
remove_instance_name
parameter to the login CLI and the Kerberos config in Vault. This removes any instance names found in the keytab service principal name. [GH-16594] - auth/kubernetes: Role resolution for K8S Auth [GH-156] [GH-17161]
- auth/oci: Add support for role resolution. [GH-17212]
- auth/oidc: Adds support for group membership parsing when using SecureAuth as an OIDC provider. [GH-16274]
- cli: CLI commands will print a warning if flags will be ignored because they are passed after positional arguments. [GH-16441]
- cli:
auth
andsecrets
list-detailed
commands now show Deprecation Status for builtin plugins. [GH-16849] - cli:
vault plugin list
now has adetails
field in JSON format, and version and type information in table format. [[GH-17347](https://github.com/hashicorp/vault...
v1.12.0-rc1
core: Parse VAULT_ALLOW_PENDING_REMOVAL_MOUNTS as bool (#17319) (#17365) * docs: Update VAULT_ALLOW_PENDING_REMOVAL_MOUNTS doc
v1.11.4
backport of commit 7f22056686b5a8e71c66e73eeaab4403809b791c (#17039) Co-authored-by: Troy Ready <troy@troyready.com>
v1.10.7
backport of commit 6c399c1c3b1c24ee830ef62d7966687a01dc5833 (#17287) Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
v1.9.10
Backport of #17138: Populate CRL data on backend startup (#17150) * Load existing CRLs on startup and after invalidate (#17138) * Load existing CRLs on startup and after invalidate * changelog * Populate during renew calls also (#17143) * Remove unused config fetch
v1.11.3
Backport of UI/OIDC auth bug for hcp namespace flag into release/1.11…
v1.10.6
Backport of UI/OIDC auth bug for hcp namespace flag into release/1.10…