pkgsrc-WIP-changes archive
vault: Update to 1.3.0
Module Name: pkgsrc-wip
Committed By: Iku Iwasa <iku.iwasa%gmail.com@localhost>
Pushed By: iquiw
Date: Sat Nov 16 16:07:32 2019 +0900
Changeset: 05df510c2efeb69e652ddcc5d64ae1f912c35201
Modified Files:
vault/Makefile
vault/distinfo
Log Message:
vault: Update to 1.3.0
CHANGES:
* Secondary cluster activation: There has been a change to the way that
activating performance and DR secondary clusters works when using public
keys for encryption of the parameters rather than a wrapping token. This
flow was experimental and never documented. It is now officially supported
and documented but is not backwards compatible with older Vault releases.
* Cluster cipher suites: On its cluster port, Vault will no longer
advertise the full TLS 1.2 cipher suite list by default. Although this port
is only used for Vault-to-Vault communication and would always pick a
strong cipher, it could cause false flags on port scanners and other
security utilities that assumed insecure ciphers were being used. The
previous behavior can be achieved by setting the value of
the (undocumented) cluster_cipher_suites config flag to tls12.
FEATURES:
* Vault Debug: A new top-level subcommand, debug, is added that allows
operators to retrieve debugging information related to a particular Vault
node. Operators can use this simple workflow to capture triaging
information, which can then be consumed programmatically or by support and
engineering teams. It has the ability to probe for config, host, metrics,
pprof, server status, and replication status.
* Recovery Mode: Vault server can be brought up in recovery mode to resolve
outages caused by the data store being in a bad state. This is a privileged
mode that allows sys/raw API calls to perform surgical corrections to the
data store. Bad storage state can be caused by bugs. However, this is
usually observed when known (and fixed) bugs are hit by older versions of
Vault.
* Entropy Augmentation (Enterprise): Vault now supports sourcing entropy
from an external source for critical security parameters. Currently an HSM
that supports PKCS#11 is the only supported source.
* Active Directory Secret Check-In/Check-Out: In the Active Directory
secrets engine, users or applications can check out a service account for
use, and its password will be rotated when it's checked back in.
* Vault Agent Template: Vault Agent now supports rendering templates
containing Vault secrets to disk, similar to Consul Template [GH-7652]
* Transit Key Type Support: Signing and verification is now supported with
the P-384 (secp384r1) and P-521 (secp521r1) ECDSA curves [GH-7551] and
encryption and decryption is now supported via AES128-GCM96 [GH-7555]
* SSRF Protection for Vault Agent: Vault Agent has a configuration option
to require a specific header before allowing requests [GH-7627]
* AWS Auth Method Root Rotation: The credential used by the AWS auth method
can now be rotated, to ensure that only Vault knows the credentials it is
using [GH-7131]
* New UI Features: The UI now supports managing users and groups for the
Userpass, Cert, Okta, and Radius auth methods.
* Shamir with Stored Master Key: The on disk format for Shamir seals has
changed, allowing for a secondary cluster using Shamir downstream from a
primary cluster using Auto Unseal. [GH-7694]
* Stackdriver Metrics Sink: Vault can now send metrics to Stackdriver. See
the configuration documentation for details. [GH-6957]
* Filtered Paths Replication (Enterprise): Based on the predecessor
Filtered Mount Replication, Filtered Paths Replication now allows filtering
of namespaces in addition to mounts.
* Token Renewal via Accessor: Tokens can now be renewed via the accessor
value through the new auth/token/renew-accessor endpoint if the caller's
token has permission to access that endpoint.
* Improved Integrated Storage (Beta): Improved raft write performance,
added support for non-voter nodes, along with UI support for: using raft
storage, joining a raft cluster, and downloading and restoring a snapshot.
IMPROVEMENTS:
* agent: Add ability to set the TLS SNI name used by Agent [GH-7519]
* auth/jwt: The redirect callback host may now be specified for CLI logins
[JWT-71]
* auth/jwt: Bound claims may now contain boolean values [JWT-73]
* auth/jwt: CLI logins can now open the browser when running in WSL
[JWT-77]
* core: Exit ScanView if context has been cancelled [GH-7419]
* core: re-encrypt barrier and recovery keys if the unseal key is updated
[GH-7493]
* core: Don't advertise the full set of TLS 1.2 cipher suites on the
cluster port, even though only strong ciphers were used [GH-7487]
* core (enterprise): Add background seal re-wrap
* core/metrics: Add config parameter to allow unauthenticated sys/metrics
access. [GH-7550]
* metrics: Upgrade DataDog library to improve performance [GH-7794]
* replication (enterprise): Write-Ahead-Log entries will not duplicate the
data belonging to the encompassing physical entries of the transaction,
thereby improving the performance and storage capacity.
* replication (enterprise): Added more replication metrics
* replication (enterprise): Reindex process now compares subpages for a
more accurate indexing process.
* replication (enterprise): Reindex API now accepts a new skip_flush
parameter indicating all the changes should not be flushed while the tree
is locked.
* secrets/aws: The root config can now be read [GH-7245]
* secrets/aws: Role paths may now contain the '@' character [GH-7553]
* secrets/database/cassandra: Add ability to skip verification of connection
[GH-7614]
* secrets/gcp: Fix panic during rollback if the roleset has been deleted
[GCP-52]
* storage/azure: Add config parameter to Azure storage backend to allow
specifying the ARM endpoint [GH-7567]
* storage/cassandra: Improve storage efficiency by eliminating unnecessary
copies of value data [GH-7199]
* storage/raft: Improve raft write performance by utilizing FSM Batching
[GH-7527]
* storage/raft: Add support for non-voter nodes [GH-7634]
* sys: Add a new sys/host-info endpoint for querying information about the
host [GH-7330]
* sys: Add a new set of endpoints under sys/pprof/ that allows profiling
information to be extracted [GH-7473]
* sys: Add endpoint that counts the total number of active identity
entities [GH-7541]
* sys: sys/seal-status now has a storage_type field denoting what type of
storage the cluster is configured to use
* sys: Add a new sys/internal/counters/tokens endpoint, that counts the
total number of active service token accessors in the shared token
storage. [GH-7541]
* sys/config: Add a new endpoint under sys/config/state/sanitized that
returns the configuration state of the server. It excludes config values
from storage, ha_storage, and seal stanzas and some values from telemetry
due to potential sensitive entries in those fields.
* ui: when using raft storage, you can now join a raft cluster, download a
snapshot, and restore a snapshot from the UI [GH-7410]
* ui: clarify when secret version is deleted in the secret version history
dropdown [GH-7714]
BUG FIXES:
* agent: Fix a data race on the token value for inmemsink [GH-7707]
* api: Fix Go API using lease revocation via URL instead of body [GH-7777]
* api: Allow setting a function to control retry behavior [GH-7331]
* auth/gcp: Fix a bug where region information in instance groups names
could cause an authorization attempt to fail [GCP-74]
* cli: Fix a bug where a token of an unknown format (e.g. in
~/.vault-token) could cause confusing error messages during vault login
[GH-7508]
* cli: Fix a bug where the namespace list command with JSON formatting
always returned an empty object [GH-7705]
* cli: Command timeouts are now always specified solely by the
VAULT_CLIENT_TIMEOUT value. [GH-7469]
* core: Don't allow registering a non-root zero TTL token lease. This is
purely defense in depth as the lease would be revoked immediately anyways,
but there's no real reason to allow registration. [GH-7524]
* core: Correctly revoke the token that's present in the response auth from
an auth/token/ request if there's partial failure during the
process. [GH-7835]
* identity (enterprise): Fixed identity case sensitive loading in secondary
cluster [GH-7327]
* identity: Ensure only replication primary stores the identity case
sensitivity state [GH-7820]
* raft: Fixed VAULT_CLUSTER_ADDR env being ignored at startup [GH-7619]
* secrets/pki: Don't allow duplicate SAN names in issued certs [GH-7605]
* sys/health: Pay attention to the values provided for standbyok and
perfstandbyok rather than simply using their presence as a key to flip on
that behavior [GH-7323]
* ui: using the wrapped_token query param will work with redirect_to and
will automatically log in as intended [GH-7398]
* ui: fix an error when initializing from the UI using PGP keys [GH-7542]
* ui: show all active kv v2 secret versions even when delete_version_after
is configured [GH-7685]
* ui: Ensure that items in the top navigation link to pages that users have
access to [GH-7590]
To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=05df510c2efeb69e652ddcc5d64ae1f912c35201
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
diffstat:
vault/Makefile | 2 +-
vault/distinfo | 8 ++++----
2 files changed, 5 insertions(+), 5 deletions(-)
diffs:
diff --git a/vault/Makefile b/vault/Makefile
index 1d47b3b83f..7e1c7246a0 100644
--- a/vault/Makefile
+++ b/vault/Makefile
@@ -1,6 +1,6 @@
# $NetBSD$
-DISTNAME= vault-1.2.4
+DISTNAME= vault-1.3.0
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_GITHUB:=hashicorp/}
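Review bot: only DISTNAME moves from vault-1.2.4 to vault-1.3.0 in this hunk; if the Makefile carries a PKGREVISION line outside the shown context it needs to be dropped as part of the version bump, since pkgsrc expects PKGREVISION to reset on a new upstream release. The log message also states that 1.3.0's secondary cluster activation is not backwards compatible with older Vault releases, which is the kind of upgrade note package users rarely see in a commit log alone.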
diff --git a/vault/distinfo b/vault/distinfo
index 5bb32169f7..0d72b18294 100644
--- a/vault/distinfo
+++ b/vault/distinfo
@@ -1,8 +1,8 @@
$NetBSD$
-SHA1 (vault-1.2.4.tar.gz) = 529b5f9a22436230f17e827195a7e8eba2031676
-RMD160 (vault-1.2.4.tar.gz) = 4a347884ac69ff82f790b62b790a783e48ee0be9
-SHA512 (vault-1.2.4.tar.gz) = 35a91088ac6949863e2de651edac19d73586acc2f42d14e48d3b41236d9458c95e60f8ec2285b3846ff04ebe59a4d4b308686151d758b5af8caad711441e2ee4
-Size (vault-1.2.4.tar.gz) = 27778766 bytes
+SHA1 (vault-1.3.0.tar.gz) = 5ab26dc4742e60c3b5f807a142e56bc4b9e18491
+RMD160 (vault-1.3.0.tar.gz) = 19113cb55c0def3c7e9cfb48b79e627f3c807b19
+SHA512 (vault-1.3.0.tar.gz) = 4011706c2d418e4e13369f5afa5541af8296d6731c12aa670ed0fce66cc4d950edb76a0d24722be6b63538dc3479dcf68bb89ce7d9f37437062635feb6432165
+Size (vault-1.3.0.tar.gz) = 31098388 bytes
SHA1 (patch-vendor_github.com_ory_dockertest_docker_pkg_system_stat__netbsd.go) = ae03a0790d6cebaca808db07f55ac3c34539329a
SHA1 (patch-vendor_github.com_ory_dockertest_docker_pkg_term_termios__bsd.go) = d13fe7d333f1b892de6d385acc53482d268dd474
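Review bot: the four checksum lines for the 1.3.0 tarball replace the 1.2.4 ones, but the two patch-vendor_github.com_ory_dockertest_* SHA1 lines are carried over unchanged. A patch checksum only changes when the patch file itself is regenerated, so this says nothing about whether the patched vendored files moved between releases; given that the distfile grew from 27778766 to 31098388 bytes, confirm that both patches still apply cleanly against the 1.3.0 vendor tree (`make patch`, then `make makepatchsum` if they had to be regenerated) before relying on these entries.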