Vault - 1.12.0
Unreleased
CHANGES:
- core: Bump Go version to 1.17.12.
- identity: a request to `/identity/group` whose `member_group_ids` contain a cycle will now be responded to with a 400 rather than a 500 [GH-15912]
- licensing (enterprise): Terminated licenses will no longer result in shutdown. Instead, upgrades will not be allowed if the license termination time is before the build date of the binary.
IMPROVEMENTS:
- agent: Added `disable_idle_connections` configuration to disable leaving idle connections open in auto-auth, caching and templating. [GH-15986]
- auth/oidc: Adds support for group membership parsing when using SecureAuth as an OIDC provider. [GH-16274]
- core (enterprise): Add check to `vault server` command to ensure the configured storage backend is supported.
- core/activity: generate hyperloglogs containing clientIds for each month during precomputation [GH-16146]
- core/activity: refactor activity log api to reuse partial api functions in activity endpoint when current month is specified [GH-16162]
- core/activity: use monthly hyperloglogs to calculate new clients approximation for current month [GH-16184]
- core/quotas (enterprise): Added ability to add path suffixes for lease-count resource quotas
- core/quotas (enterprise): Added ability to add role information for lease-count resource quotas, to limit login requests on auth mounts made using that role
- core/quotas: Added ability to add path suffixes for rate-limit resource quotas [GH-15989]
- core/quotas: Added ability to add role information for rate-limit resource quotas, to limit login requests on auth mounts made using that role [GH-16115]
- core: Add `sys/loggers` and `sys/loggers/:name` endpoints to provide the ability to modify logging verbosity [GH-16111]
- core: Limit activity log client count usage by namespaces [GH-16000]
- docs: Clarify the behaviour of local mounts in the context of DR replication [GH-16218]
- physical/postgresql: pass context to queries to propagate timeouts and cancellations on requests. [GH-15866]
- plugins: Use AutoMTLS for secrets engines and auth methods run as external plugins. [GH-15671]
- secret/nomad: allow reading CA and client auth certificate from /nomad/config/access [GH-15809]
- secret/pki: Add signature_bits to sign-intermediate, sign-verbatim endpoints [GH-16124]
- secret/pki: Allow issuing certificates with non-domain, non-email Common Names from roles, sign-verbatim, and as issuers (`cn_validations`). [GH-15996]
- secret/transit: Allow importing Ed25519 keys from PKCS#8 with inner RFC 5915 ECPrivateKey blobs (NSS-wrapped keys). [GH-15742]
- secrets/kubernetes: Add allowed_kubernetes_namespace_selector to allow selecting Kubernetes namespaces with a label selector when configuring roles. [GH-16240]
- secrets/ssh: Allow additional text along with a template definition in defaultExtension value fields. [GH-16018]
- ssh: Addition of an endpoint `ssh/issue/:role` to allow the creation of signed key pairs [GH-15561]
- ui: Changed the tokenBoundCidrs tooltip content to clarify that comma-separated values are not accepted in this field. [GH-15852]
- ui: Removed deprecated version of core-js 2.6.11 [GH-15898]
- website/docs: Update replication docs to mention Integrated Storage [GH-16063]
BUG FIXES:
- agent/template: Fix parsing error for the exec stanza [GH-16231]
- agent: Update consul-template for pkiCert bug fixes [GH-16087]
- api/sys/internal/specs/openapi: support a new "dynamic" query parameter to generate generic mountpaths [GH-15835]
- api: Fixed issue with internal/ui/mounts and internal/ui/mounts/(?P.+) endpoints where /auth/ was not properly handled [GH-15552]
- api: properly handle switching to/from unix domain socket when changing client address [GH-11904]
- core (enterprise): Fix bug where wrapping token lookup does not work within namespaces. [GH-15583]
- core/auth: Return a 403 instead of a 500 for a malformed SSCT [GH-16112]
- core/identity: Replicate member_entity_ids and policies in identity/group across nodes identically [GH-16088]
- core/replication (enterprise): Don't flush merkle tree pages to disk after losing active duty
- core/seal: Fix possible keyring truncation when using the file backend. [GH-15946]
- core: Fixes parsing boolean values for ha_storage backends in config [GH-15900]
- debug: Fix panic when capturing debug bundle on Windows [GH-14399]
- openapi: Fixed issue where information about /auth/token endpoints was not present with explicit policy permissions [GH-15552]
- plugin/multiplexing: Fix panic when id doesn't exist in connection map [GH-16094]
- quotas/lease-count: Fix lease-count quotas on mounts not properly being enforced when the lease generating request is a read [GH-15735]
- replication (enterprise): Fix data race in saveCheckpoint.
- secret/pki: Do not fail validation with a legacy key_bits default value and key_type=any when signing CSRs [GH-16246]
- storage/raft (enterprise): Fix some storage-modifying RPCs used by perf standbys that weren't returning the resulting WAL state.
- storage/raft (enterprise): Prevent unauthenticated voter status change with rejoin [GH-16324]
- ui: Fixed bug where red spellcheck underline appears in sensitive/secret kv values when it should not appear [GH-15681]
- ui: OIDC login type uses localStorage instead of sessionStorage [GH-16170]
- vault: Fix a bug where duplicate policies could be added to an identity group. [GH-15638]
Details
- date: Oct. 13, 2022, midnight
- name: 1.12.0
- type: Minor