pkgsrc-WIP-changes archive


vault: Update to 1.3.0



Module Name:	pkgsrc-wip
Committed By:	Iku Iwasa <iku.iwasa%gmail.com@localhost>
Pushed By:	iquiw
Date:		Sat Nov 16 16:07:32 2019 +0900
Changeset:	05df510c2efeb69e652ddcc5d64ae1f912c35201

Modified Files:
	vault/Makefile
	vault/distinfo

Log Message:
vault: Update to 1.3.0

CHANGES:

* Secondary cluster activation: There has been a change to the way that
  activating performance and DR secondary clusters works when using public
  keys for encryption of the parameters rather than a wrapping token. This
  flow was experimental and never documented. It is now officially supported
  and documented but is not backwards compatible with older Vault releases.
* Cluster cipher suites: On its cluster port, Vault will no longer
  advertise the full TLS 1.2 cipher suite list by default. Although this port
  is only used for Vault-to-Vault communication and would always pick a
  strong cipher, it could cause false flags on port scanners and other
  security utilities that assumed insecure ciphers were being used. The
  previous behavior can be achieved by setting the value of
  the (undocumented) cluster_cipher_suites config flag to tls12.

FEATURES:

* Vault Debug: A new top-level subcommand, debug, is added that allows
  operators to retrieve debugging information related to a particular Vault
  node. Operators can use this simple workflow to capture triaging
  information, which can then be consumed programmatically or by support and
  engineering teams. It has the ability to probe for config, host, metrics,
  pprof, server status, and replication status.
* Recovery Mode: Vault server can be brought up in recovery mode to resolve
  outages caused by the data store being in a bad state. This is a privileged
  mode that allows sys/raw API calls to perform surgical corrections to the
  data store. Bad storage state can be caused by bugs. However, this is
  usually observed when known (and fixed) bugs are hit by older versions of
  Vault.
* Entropy Augmentation (Enterprise): Vault now supports sourcing entropy
  from external source for critical security parameters. Currently an HSM
  that supports PKCS#11 is the only supported source.
* Active Directory Secret Check-In/Check-Out: In the Active Directory
  secrets engine, users or applications can check out a service account for
  use, and its password will be rotated when it's checked back in.
* Vault Agent Template: Vault Agent now supports rendering templates
  containing Vault secrets to disk, similar to Consul Template [GH-7652]
* Transit Key Type Support: Signing and verification is now supported with
  the P-384 (secp384r1) and P-521 (secp521r1) ECDSA curves [GH-7551] and
  encryption and decryption is now supported via AES128-GCM96 [GH-7555]
* SSRF Protection for Vault Agent: Vault Agent has a configuration option
  to require a specific header before allowing requests [GH-7627]
* AWS Auth Method Root Rotation: The credential used by the AWS auth method
  can now be rotated, to ensure that only Vault knows the credentials it is
  using [GH-7131]
* New UI Features: The UI now supports managing users and groups for the
  Userpass, Cert, Okta, and Radius auth methods.
* Shamir with Stored Master Key: The on disk format for Shamir seals has
  changed, allowing for a secondary cluster using Shamir downstream from a
  primary cluster using Auto Unseal. [GH-7694]
* Stackdriver Metrics Sink: Vault can now send metrics to Stackdriver. See
  the configuration documentation for details. [GH-6957]
* Filtered Paths Replication (Enterprise): Based on the predecessor
  Filtered Mount Replication, Filtered Paths Replication now allows filtering
  of namespaces in addition to mounts.
* Token Renewal via Accessor: Tokens can now be renewed via the accessor
  value through the new auth/token/renew-accessor endpoint if the caller's
  token has permission to access that endpoint.
* Improved Integrated Storage (Beta): Improved raft write performance,
  added support for non-voter nodes, along with UI support for: using raft
  storage, joining a raft cluster, and downloading and restoring a snapshot.

IMPROVEMENTS:

* agent: Add ability to set the TLS SNI name used by Agent [GH-7519]
* auth/jwt: The redirect callback host may now be specified for CLI logins
  [JWT-71]
* auth/jwt: Bound claims may now contain boolean values [JWT-73]
* auth/jwt: CLI logins can now open the browser when running in WSL
  [JWT-77]
* core: Exit ScanView if context has been cancelled [GH-7419]
* core: re-encrypt barrier and recovery keys if the unseal key is updated
  [GH-7493]
* core: Don't advertise the full set of TLS 1.2 cipher suites on the
  cluster port, even though only strong ciphers were used [GH-7487]
* core (enterprise): Add background seal re-wrap
* core/metrics: Add config parameter to allow unauthenticated sys/metrics
  access. [GH-7550]
* metrics: Upgrade DataDog library to improve performance [GH-7794]
* replication (enterprise): Write-Ahead-Log entries will not duplicate the
  data belonging to the encompassing physical entries of the transaction,
  thereby improving the performance and storage capacity.
* replication (enterprise): Added more replication metrics
* replication (enterprise): Reindex process now compares subpages for a
  more accurate indexing process.
* replication (enterprise): Reindex API now accepts a new skip_flush
  parameter indicating all the changes should not be flushed while the tree
  is locked.
* secrets/aws: The root config can now be read [GH-7245]
* secrets/aws: Role paths may now contain the '@' character [GH-7553]
* secrets/database/cassandra: Add ability to skip verification of connection
  [GH-7614]
* secrets/gcp: Fix panic during rollback if the roleset has been deleted
  [GCP-52]
* storage/azure: Add config parameter to Azure storage backend to allow
  specifying the ARM endpoint [GH-7567]
* storage/cassandra: Improve storage efficiency by eliminating unnecessary
  copies of value data [GH-7199]
* storage/raft: Improve raft write performance by utilizing FSM Batching
  [GH-7527]
* storage/raft: Add support for non-voter nodes [GH-7634]
* sys: Add a new sys/host-info endpoint for querying information about the
  host [GH-7330]
* sys: Add a new set of endpoints under sys/pprof/ that allows profiling
  information to be extracted [GH-7473]
* sys: Add endpoint that counts the total number of active identity
  entities [GH-7541]
* sys: sys/seal-status now has a storage_type field denoting what type of
  storage the cluster is configured to use
* sys: Add a new sys/internal/counters/tokens endpoint, that counts the
  total number of active service token accessors in the shared token
  storage. [GH-7541]
* sys/config: Add a new endpoint under sys/config/state/sanitized that
  returns the configuration state of the server. It excludes config values
  from storage, ha_storage, and seal stanzas and some values from telemetry
  due to potential sensitive entries in those fields.
* ui: when using raft storage, you can now join a raft cluster, download a
  snapshot, and restore a snapshot from the UI [GH-7410]
* ui: clarify when secret version is deleted in the secret version history
  dropdown [GH-7714]

BUG FIXES:

* agent: Fix a data race on the token value for inmemsink [GH-7707]
* api: Fix Go API using lease revocation via URL instead of body [GH-7777]
* api: Allow setting a function to control retry behavior [GH-7331]
* auth/gcp: Fix a bug where region information in instance groups names
  could cause an authorization attempt to fail [GCP-74]
* cli: Fix a bug where a token of an unknown format (e.g. in
  ~/.vault-token) could cause confusing error messages during vault login
  [GH-7508]
* cli: Fix a bug where the namespace list command with JSON formatting
  always returned an empty object [GH-7705]
* cli: Command timeouts are now always specified solely by the
  VAULT_CLIENT_TIMEOUT value. [GH-7469]
* core: Don't allow registering a non-root zero TTL token lease. This is
  purely defense in depth as the lease would be revoked immediately anyways,
  but there's no real reason to allow registration. [GH-7524]
* core: Correctly revoke the token that's present in the response auth from
  an auth/token/ request if there's partial failure during the
  process. [GH-7835]
* identity (enterprise): Fixed identity case sensitive loading in secondary
  cluster [GH-7327]
* identity: Ensure only replication primary stores the identity case
  sensitivity state [GH-7820]
* raft: Fixed VAULT_CLUSTER_ADDR env being ignored at startup [GH-7619]
* secrets/pki: Don't allow duplicate SAN names in issued certs [GH-7605]
* sys/health: Pay attention to the values provided for standbyok and
  perfstandbyok rather than simply using their presence as a key to flip on
  that behavior [GH-7323]
* ui: using the wrapped_token query param will work with redirect_to and
  will automatically log in as intended [GH-7398]
* ui: fix an error when initializing from the UI using PGP keys [GH-7542]
* ui: show all active kv v2 secret versions even when delete_version_after
  is configured [GH-7685]
* ui: Ensure that items in the top navigation link to pages that users have
  access to [GH-7590]

To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=05df510c2efeb69e652ddcc5d64ae1f912c35201

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffstat:
 vault/Makefile | 2 +-
 vault/distinfo | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diffs:
diff --git a/vault/Makefile b/vault/Makefile
index 1d47b3b83f..7e1c7246a0 100644
--- a/vault/Makefile
+++ b/vault/Makefile
@@ -1,6 +1,6 @@
 # $NetBSD$
 
-DISTNAME=	vault-1.2.4
+DISTNAME=	vault-1.3.0
 CATEGORIES=	security
 MASTER_SITES=	${MASTER_SITE_GITHUB:=hashicorp/}
 
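Review bot: the hunk only bumps DISTNAME from vault-1.2.4 to vault-1.3.0, but lines 1-6 do not show whether the Makefile carries a PKGREVISION further down; if it does, it has to be dropped with this version bump, since pkgsrc resets PKGREVISION on a DISTNAME change. Given the CHANGES section of the log message flags behaviour in 1.3.0 that is not backwards compatible with older releases (secondary cluster activation, the reduced cluster cipher suite list), consider pointing users at those notes, for example via the package's MESSAGE file, rather than leaving them only in the commit log.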
diff --git a/vault/distinfo b/vault/distinfo
index 5bb32169f7..0d72b18294 100644
--- a/vault/distinfo
+++ b/vault/distinfo
@@ -1,8 +1,8 @@
 $NetBSD$
 
-SHA1 (vault-1.2.4.tar.gz) = 529b5f9a22436230f17e827195a7e8eba2031676
-RMD160 (vault-1.2.4.tar.gz) = 4a347884ac69ff82f790b62b790a783e48ee0be9
-SHA512 (vault-1.2.4.tar.gz) = 35a91088ac6949863e2de651edac19d73586acc2f42d14e48d3b41236d9458c95e60f8ec2285b3846ff04ebe59a4d4b308686151d758b5af8caad711441e2ee4
-Size (vault-1.2.4.tar.gz) = 27778766 bytes
+SHA1 (vault-1.3.0.tar.gz) = 5ab26dc4742e60c3b5f807a142e56bc4b9e18491
+RMD160 (vault-1.3.0.tar.gz) = 19113cb55c0def3c7e9cfb48b79e627f3c807b19
+SHA512 (vault-1.3.0.tar.gz) = 4011706c2d418e4e13369f5afa5541af8296d6731c12aa670ed0fce66cc4d950edb76a0d24722be6b63538dc3479dcf68bb89ce7d9f37437062635feb6432165
+Size (vault-1.3.0.tar.gz) = 31098388 bytes
 SHA1 (patch-vendor_github.com_ory_dockertest_docker_pkg_system_stat__netbsd.go) = ae03a0790d6cebaca808db07f55ac3c34539329a
 SHA1 (patch-vendor_github.com_ory_dockertest_docker_pkg_term_termios__bsd.go) = d13fe7d333f1b892de6d385acc53482d268dd474
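Review bot: the two patch-vendor_github.com_ory_dockertest_... checksum lines are carried over unchanged while the tarball moves to vault-1.3.0 (31098388 bytes, up from 27778766), so please confirm that `make patch` still applies both dockertest patches cleanly against the 1.3.0 vendor tree; if the vendored dockertest copy changed between releases, the patches (and their SHA1 entries here) would need regenerating, and if upstream now builds on NetBSD without them they can be dropped from distinfo along with the patch files. The regenerated SHA1/RMD160/SHA512/Size lines for the new tarball look consistent with a fresh `make distinfo`.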

