chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Adoption	Passing	Confidence
actions/checkout	action	digest	b4ffde6 -> 692973e
actions/setup-go	action	digest	0c52d54 -> 0a12ed9
alpine	final	digest	c5b1261 -> 0a4eaa0
alpine	stage	digest	c5b1261 -> 0a4eaa0
codecov/codecov-action	action	digest	8450866 -> e28ff12
github.com/go-vela/types	require	minor	v0.23.3 -> v0.24.0
github.com/hashicorp/vault/api	require	minor	v1.12.2 -> v1.14.0
github.com/urfave/cli/v2	require	patch	v2.27.1 -> v2.27.4
github/codeql-action	action	digest	df5a14d -> 429e197
reviewdog/action-golangci-lint	action	digest	00311c2 -> 7708105

---

Release Notes

go-vela/types (github.com/go-vela/types)

v0.24.0

Compare Source

What's Changed

• feat: allow for step status reporting to SCM as its own context by @​ecrupper in https://github.com/go-vela/types/pull/367
• chore: delete legacy allow event fields and methods by @​ecrupper in https://github.com/go-vela/types/pull/362
• feat(rulesets): add support for PR labeled events by @​wsan3 in https://github.com/go-vela/types/pull/361
• enhance: return err in NewEventsFromSlice by @​plyr4 in https://github.com/go-vela/types/pull/369
• fix(deployments): check for deployment created event action by @​plyr4 in https://github.com/go-vela/types/pull/365
• chore: pin go version; import order; linter setup by @​wass3rw3rk in https://github.com/go-vela/types/pull/371
• chore(linter): remove goimports by @​wass3rw3rk in https://github.com/go-vela/types/pull/372
• fix: allow events yaml unmarshal by @​plyr4 in https://github.com/go-vela/types/pull/370
• fix(ci): use intermediate env variable for PR title validator by @​ecrupper in https://github.com/go-vela/types/pull/377
• fix(ci): remove deprecated linter rules by @​ecrupper in https://github.com/go-vela/types/pull/378
• feat: Vela OIDC Provider by @​ecrupper in https://github.com/go-vela/types/pull/375
• chore(deps): bump golang.org/x/net from 0.17.0 to 0.23.0 by @​dependabot in https://github.com/go-vela/types/pull/374
• chore(deps): update all non-major dependencies by @​renovate in https://github.com/go-vela/types/pull/368
• fix(container): skip "label" rule evaluation in container execution by @​wsan3 in https://github.com/go-vela/types/pull/380
• fix(lint): use proper formats field by @​wass3r in https://github.com/go-vela/types/pull/381
• chore(deps): update all non-major dependencies by @​renovate in https://github.com/go-vela/types/pull/379
• chore(deps): update reviewdog/action-golangci-lint action to v2.6.2 by @​renovate in https://github.com/go-vela/types/pull/382

New Contributors

• @​wsan3 made their first contribution in https://github.com/go-vela/types/pull/361

Full Changelog: go-vela/types@v0.23.3...v0.24.0

hashicorp/vault (github.com/hashicorp/vault/api)

v1.14.0

Compare Source

1.14.0

June 21, 2023

BREAKING CHANGES:

• secrets/pki: Maintaining running count of certificates will be turned off by default.
  To re-enable keeping these metrics available on the tidy status endpoint, enable
  maintain_stored_certificate_counts on tidy-config, to also publish them to the
  metrics consumer, enable publish_stored_certificate_count_metrics . [GH-18186]

CHANGES:

• auth/alicloud: Updated plugin from v0.14.0 to v0.15.0 [GH-20758]
• auth/azure: Updated plugin from v0.13.0 to v0.15.0 [GH-20816]
• auth/centrify: Updated plugin from v0.14.0 to v0.15.1 [GH-20745]
• auth/gcp: Updated plugin from v0.15.0 to v0.16.0 [GH-20725]
• auth/jwt: Updated plugin from v0.15.0 to v0.16.0 [GH-20799]
• auth/kubernetes: Update plugin to v0.16.0 [GH-20802]
• core: Bump Go version to 1.20.5.
• core: Remove feature toggle for SSCTs, i.e. the env var VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS. [GH-20834]
• core: Revert #​19676 (VAULT_GRPC_MIN_CONNECT_TIMEOUT env var) as we decided it was unnecessary. [GH-20826]
• database/couchbase: Updated plugin from v0.9.0 to v0.9.2 [GH-20764]
• database/redis-elasticache: Updated plugin from v0.2.0 to v0.2.1 [GH-20751]
• replication (enterprise): Add a new parameter for the update-primary API call
  that allows for setting of the primary cluster addresses directly, instead of
  via a token.
• secrets/ad: Updated plugin from v0.10.1-0.20230329210417-0b2cdb26cf5d to v0.16.0 [GH-20750]
• secrets/alicloud: Updated plugin from v0.5.4-beta1.0.20230330124709-3fcfc5914a22 to v0.15.0 [GH-20787]
• secrets/aure: Updated plugin from v0.15.0 to v0.16.0 [GH-20777]
• secrets/database/mongodbatlas: Updated plugin from v0.9.0 to v0.10.0 [GH-20882]
• secrets/database/snowflake: Updated plugin from v0.7.0 to v0.8.0 [GH-20807]
• secrets/gcp: Updated plugin from v0.15.0 to v0.16.0 [GH-20818]
• secrets/keymgmt: Updated plugin to v0.9.1
• secrets/kubernetes: Update plugin to v0.5.0 [GH-20802]
• secrets/mongodbatlas: Updated plugin from v0.9.1 to v0.10.0 [GH-20742]
• secrets/pki: Allow issuance of root CAs without AIA, when templated AIA information includes issuer_id. [GH-21209]
• secrets/pki: Warning when issuing leafs from CSRs with basic constraints. In the future, issuance of non-CA leaf certs from CSRs with asserted IsCA Basic Constraints will be prohibited. [GH-20654]

FEATURES:

• AWS Static Roles: The AWS Secrets Engine can manage static roles configured by users. [GH-20536]
• Automated License Utilization Reporting: Added automated license
  utilization reporting, which sends minimal product-license metering
  data
  to HashiCorp without requiring you to manually collect and report them.
• Environment Variables through Vault Agent: Introducing a new process-supervisor mode for Vault Agent which allows injecting secrets as environment variables into a child process using a new env_template configuration stanza. The process-supervisor configuration can be generated with a new vault agent generate-config helper tool. [GH-20530]
• MongoDB Atlas Database Secrets: Adds support for client certificate credentials [GH-20425]
• MongoDB Atlas Database Secrets: Adds support for generating X.509 certificates on dynamic roles for user authentication [GH-20882]
• NEW PKI Workflow in UI: Completes generally available rollout of new PKI UI that provides smoother mount configuration and a more guided user experience [GH-pki-ui-improvements]
• Secrets/Auth Plugin Multiplexing: The plugin will be multiplexed when run
  as an external plugin by vault versions that support secrets/auth plugin
  multiplexing (> 1.12) [GH-19215]
• Sidebar Navigation in UI: A new sidebar navigation panel has been added in the UI to replace the top navigation bar. [GH-19296]
• Vault PKI ACME Server: Support for the ACME certificate lifecycle management protocol has been added to the Vault PKI Plugin. This allows standard ACME clients, such as the EFF's certbot and the CNCF's k8s cert-manager, to request certificates from a Vault server with no knowledge of Vault APIs or authentication mechanisms. For public-facing Vault instances, we recommend requiring External Account Bindings (EAB) to limit the ability to request certificates to only authenticated clients. [GH-20752]
• Vault Proxy: Introduced Vault Proxy, a new subcommand of the Vault binary that can be invoked using vault proxy -config=config.hcl. It currently has the same feature set as Vault Agent's API proxy, but the two may diverge in the future. We plan to deprecate the API proxy functionality of Vault Agent in a future release. [GH-20548]
• OCI Auto-Auth: Add OCI (Oracle Cloud Infrastructure) auto-auth method [GH-19260]

IMPROVEMENTS:

• api: Add Config.TLSConfig method to fetch the TLS configuration from a client config. [GH-20265]
• physical/etcd: Upgrade etcd3 client to v3.5.7 [GH-20261]
• activitylog: EntityRecord protobufs now contain a ClientType field for
  distinguishing client sources. [GH-20626]
• agent: Add integration tests for agent running in process supervisor mode [GH-20741]
• agent: Add logic to validate env_template entries in configuration [GH-20569]
• agent: Added reload option to cert auth configuration in case of external renewals of local x509 key-pairs. [GH-19002]
• agent: JWT auto-auth has a new config option, remove_jwt_follows_symlinks (default: false), that, if set to true will now remove the JWT, instead of the symlink to the JWT, if a symlink to a JWT has been provided in the path option, and the remove_jwt_after_reading config option is set to true (default). [GH-18863]
• agent: Vault Agent now reports its name and version as part of the User-Agent header in all requests issued. [GH-19776]
• agent: initial implementation of a process runner for injecting secrets via environment variables via vault agent [GH-20628]
• api: GET ... /sys/internal/counters/activity?current_billing_period=true now
  results in a response which contains the full billing period [GH-20694]
• api: /sys/internal/counters/config endpoint now contains read-only
  minimum_retention_months. [GH-20150]
• api: /sys/internal/counters/config endpoint now contains read-only
  reporting_enabled and billing_start_timestamp fields. [GH-20086]
• api: property based testing for LifetimeWatcher sleep duration calculation [GH-17919]
• audit: add plugin metadata, including plugin name, type, version, sha256, and whether plugin is external, to audit logging [GH-19814]
• audit: forwarded requests can now contain host metadata on the node it was sent 'from' or a flag to indicate that it was forwarded.
• auth/cert: Better return OCSP validation errors during login to the caller. [GH-20234]
• auth/kerberos: Enable plugin multiplexing
  auth/kerberos: Upgrade plugin dependencies [GH-20771]
• auth/ldap: allow configuration of alias dereferencing in LDAP search [GH-18230]
• auth/ldap: allow providing the LDAP password via an env var when authenticating via the CLI [GH-18225]
• auth/oidc: Adds support for group membership parsing when using IBM ISAM as an OIDC provider. [GH-19247]
• build: Prefer GOBIN when set over GOPATH/bin when building the binary [GH-19862]
• cli: Add walkSecretsTree helper function, which recursively walks secrets rooted at the given path [GH-20464]
• cli: Improve addPrefixToKVPath helper [GH-20488]
• command/server (enterprise): -dev-three-node now creates perf standbys instead of regular standbys. [GH-20629]
• command/server: Add support for dumping pprof files to the filesystem via SIGUSR2 when
  VAULT_PPROF_WRITE_TO_FILE=true is set on the server. [GH-20609]
• command/server: New -dev-cluster-json writes a file describing the dev cluster in -dev and -dev-three-node modes, plus -dev-three-node now enables unauthenticated metrics and pprof requests. [GH-20224]
• core (enterprise): add configuration for license reporting [GH-19891]
• core (enterprise): license updates trigger a reload of reporting and the activity log [GH-20680]
• core (enterprise): support reloading configuration for automated reporting via SIGHUP [GH-20680]
• core (enterprise): vault server command now allows for opt-out of automated
  reporting via the OPTOUT_LICENSE_REPORTING environment variable. [GH-3939]
• core, secrets/pki, audit: Update dependency go-jose to v3 due to v2 deprecation. [GH-20559]
• core/activity: error when attempting to update retention configuration below the minimum [GH-20078]
• core/activity: refactor the activity log's generation of precomputed queries [GH-20073]
• core: Add possibility to decode a generated encoded root token via the rest API [GH-20595]
• core: include namespace path in granting_policies block of audit log
• core: include reason for ErrReadOnly on PBPWF writing failures
• core: report intermediate error messages during request forwarding [GH-20643]
• core:provide more descriptive error message when calling enterprise feature paths in open-source [GH-18870]
• database/elasticsearch: Upgrade plugin dependencies [GH-20767]
• database/mongodb: upgrade mongo driver to 1.11 [GH-19954]
• database/redis: Upgrade plugin dependencies [GH-20763]
• http: Support responding to HEAD operation from plugins [GH-19520]
• openapi: Add openapi response definitions to /sys defined endpoints. [GH-18633]
• openapi: Add openapi response definitions to pki/config_*.go [GH-18376]
• openapi: Add openapi response definitions to vault/logical_system_paths.go defined endpoints. [GH-18515]
• openapi: Consistently stop Vault server on exit in gen_openapi.sh [GH-19252]
• openapi: Improve operationId/request/response naming strategy [GH-19319]
• openapi: add openapi response definitions to /sys/internal endpoints [GH-18542]
• openapi: add openapi response definitions to /sys/rotate endpoints [GH-18624]
• openapi: add openapi response definitions to /sys/seal endpoints [GH-18625]
• openapi: add openapi response definitions to /sys/tool endpoints [GH-18626]
• openapi: add openapi response definitions to /sys/version-history, /sys/leader, /sys/ha-status, /sys/host-info, /sys/in-flight-req [GH-18628]
• openapi: add openapi response definitions to /sys/wrapping endpoints [GH-18627]
• openapi: add openapi response defintions to /sys/auth endpoints [GH-18465]
• openapi: add openapi response defintions to /sys/capabilities endpoints [GH-18468]
• openapi: add openapi response defintions to /sys/config and /sys/generate-root endpoints [GH-18472]
• openapi: added ability to validate response structures against openapi schema for test clusters [GH-19043]
• sdk/framework: Fix non-deterministic ordering of 'required' fields in OpenAPI spec [GH-20881]
• sdk: Add new docker-based cluster testing framework to the sdk. [GH-20247]
• secrets/ad: upgrades dependencies [GH-19829]
• secrets/alicloud: upgrades dependencies [GH-19846]
• secrets/consul: Improve error message when ACL bootstrapping fails. [GH-20891]
• secrets/database: Adds error message requiring password on root crednetial rotation. [GH-19103]
• secrets/gcpkms: Enable plugin multiplexing
  secrets/gcpkms: Upgrade plugin dependencies [GH-20784]
• secrets/mongodbatlas: upgrades dependencies [GH-19861]
• secrets/openldap: upgrades dependencies [GH-19993]
• secrets/pki: Add missing fields to tidy-status, include new last_auto_tidy_finished field. [GH-20442]
• secrets/pki: Add warning when issuer lacks KeyUsage during CRL rebuilds; expose in logs and on rotation. [GH-20253]
• secrets/pki: Allow determining existing issuers and keys on import. [GH-20441]
• secrets/pki: Include CA serial number, key UUID on issuers list endpoint. [GH-20276]
• secrets/pki: Limit ACME issued certificates NotAfter TTL to a maximum of 90 days [GH-20981]
• secrets/pki: Support TLS-ALPN-01 challenge type in ACME for DNS certificate identifiers. [GH-20943]
• secrets/pki: add subject key identifier to read key response [GH-20642]
• secrets/postgresql: Add configuration to scram-sha-256 encrypt passwords on Vault before sending them to PostgreSQL [GH-19616]
• secrets/terraform: upgrades dependencies [GH-19798]
• secrets/transit: Add support to import public keys in transit engine and allow encryption and verification of signed data [GH-17934]
• secrets/transit: Allow importing RSA-PSS OID (1.2.840.113549.1.1.10) private keys via BYOK. [GH-19519]
• secrets/transit: Respond to writes with updated key policy, cache configuration. [GH-20652]
• secrets/transit: Support BYOK-encrypted export of keys to securely allow synchronizing specific keys and version across clusters. [GH-20736]
• ui: Add download button for each secret value in KV v2 [GH-20431]
• ui: Add filtering by auth type and auth name to the Authentication Method list view. [GH-20747]
• ui: Add filtering by engine type and engine name to the Secret Engine list view. [GH-20481]
• ui: Adds whitespace warning to secrets engine and auth method path inputs [GH-19913]
• ui: Remove the Bulma CSS framework. [GH-19878]
• ui: Update Web CLI with examples and a new kv-get command for reading kv v2 data and metadata [GH-20590]
• ui: Updates UI javascript dependencies [GH-19901]
• ui: add allowed_managed_keys field to secret engine mount options [GH-19791]
• ui: adds warning for commas in stringArray inputs and updates tooltip help text to remove references to comma separation [GH-20163]
• ui: updates clients configuration edit form state based on census reporting configuration [GH-20125]
• website/docs: Add rotate root documentation for azure secrets engine [GH-19187]
• website/docs: fix database static-user sample payload [GH-19170]

BUG FIXES:

• agent: Fix agent generate-config to accept -namespace, VAULT_NAMESPACE, and other client-modifying flags. [GH-21297]
• agent: Fix bug with 'cache' stanza validation [GH-20934]
• api: Addressed a couple of issues that arose as edge cases for the -output-policy flag. Specifically around properly handling list commands, distinguishing kv V1/V2, and correctly recognizing protected paths. [GH-19160]
• api: Properly Handle nil identity_policies in Secret Data [GH-20636]
• auth/ldap: Set default value for max_page_size properly [GH-20453]
• auth/token: Fix cubbyhole and revocation for legacy service tokens [GH-19416]
• cli/kv: add -mount flag to kv list [GH-19378]
• core (enterprise): Don't delete backend stored data that appears to be filterable
  on this secondary if we don't have a corresponding mount entry.
• core (enterprise): Fix intermittent issue with token entries sometimes not being found when using a newly created token in a request to a secondary, even when SSCT new_token forwarding is set. When this occurred, this would result in the following error to the client: error performing token check: no lease entry found for token that ought to have one, possible eventual consistency issue.
• core (enterprise): Fix log shipper buffer size overflow issue for 32 bit architecture.
• core (enterprise): Fix logshipper buffer size to default to DefaultBufferSize only when reported system memory is zero.
• core (enterprise): Fix panic when using invalid accessor for control-group request
• core (enterprise): Fix perf standby WAL streaming silently failures when replication setup happens at a bad time.
• core (enterprise): Fix read on perf standbys failing with 412 after leadership change, unseal, restores or restarts when no writes occur
• core (enterprise): Remove MFA Enforcment configuration for namespace when deleting namespace
• core/ssct (enterprise): Fixed race condition where a newly promoted DR may revert sscGenCounter
  resulting in 412 errors.
• core: Change where we evaluate filtered paths as part of mount operations; this is part of an enterprise bugfix that will
  have its own changelog entry. Fix wrong lock used in ListAuths link meta interface implementation. [GH-21260]
• core: Do not cache seal configuration to fix a bug that resulted in sporadic auto unseal failures. [GH-21223]
• core: Don't exit just because we think there's a potential deadlock. [GH-21342]
• core: Fix Forwarded Writer construction to correctly find active nodes, allowing PKI cross-cluster functionality to succeed on existing mounts.
• core: Fix panic in sealed nodes using raft storage trying to emit raft metrics [GH-21249]
• core: Fix writes to readonly storage on performance standbys when user lockout feature is enabled. [GH-20783]
• identity: Fixes duplicate groups creation with the same name but unique IDs. [GH-20964]
• license (enterprise): Fix bug where license would update even if the license didn't change.
• openapi: Small fixes for OpenAPI display attributes. Changed "log-in" to "login" [GH-20285]
• plugin/reload: Fix a possible data race with rollback manager and plugin reload [GH-19468]
• replication (enterprise): Fix a caching issue when replicating filtered data to
  a performance secondary. This resulted in the data being set to nil in the cache
  and a "invalid value" error being returned from the API.
• replication (enterprise): Fix a race condition with invalid tokens during WAL streaming that was causing Secondary clusters to be unable to connect to a Primary.
• replication (enterprise): Fix a race condition with update-primary that could result in data loss after a DR failover
• replication (enterprise): Fix bug where reloading external plugin on a secondary would
  break replication.
• replication (enterprise): Fix path filters deleting data right after it's written by backend Initialize funcs
• replication (enterprise): Fix regression causing token creation against a role
  with a new entity alias to be incorrectly forwarded from perf standbys. [GH-21100]
• replication (enterprise): Fix replication status for Primary clusters showing its primary cluster's information (in case of DR) in secondaries field when known_secondaries field is nil
• replication (enterprise): fix bug where secondary grpc connections would timeout when connecting to a primary host that no longer exists.
• sdk/backend: prevent panic when computing the zero value for a TypeInt64 schema field. [GH-18729]
• secrets/pki: Support setting both maintain_stored_certificate_counts=false and publish_stored_certificate_count_metrics=false explicitly in tidy config. [GH-20664]
• secrets/transform (enterprise): Address SQL connection leak when cleaning expired tokens
• secrets/transform (enterprise): Fix a caching bug affecting secondary nodes after a tokenization key rotation
• secrets/transform (enterprise): Fix persistence problem with rotated tokenization key versions
• secrets/transform: Added importing of keys and key versions into the Transform secrets engine using the command 'vault transform import' and 'vault transform import-version'. [GH-20668]
• secrets/transit: Fix export of HMAC-only key, correctly exporting the key used for sign operations. For consumers of the previously incorrect key, use the plaintext export to retrieve these incorrect keys and import them as new versions.
  secrets/transit: Fix bug related to shorter dedicated HMAC key sizing.
  sdk/helper/keysutil: New HMAC type policies will have HMACKey equal to Key and be copied over on import. [GH-20864]
• shamir: change mul and div implementations to be constant-time [GH-19495]
• ui (enterprise): Fix cancel button from transform engine role creation page [GH-19135]
• ui: Fix secret render when path includes %. Resolves #​11616. [GH-20430]
• ui: Fixes issue unsealing cluster for seal types other than shamir [GH-20897]
• ui: fixes auto_rotate_period ttl input for transit keys [GH-20731]
• ui: fixes bug in kmip role form that caused operation_all to persist after deselecting all operation checkboxes [GH-19139]
• ui: fixes key_bits and signature_bits reverting to default values when editing a pki role [GH-20907]
• ui: wait for wanted message event during OIDC callback instead of using the first message event [GH-18521]

v1.13.0

Compare Source

1.13.0

March 01, 2023

SECURITY:

• secrets/ssh: removal of the deprecated dynamic keys mode. When any remaining dynamic key leases expire, an error stating secret is unsupported by this backend will be thrown by the lease manager. [GH-18874]

CHANGES:

• auth/alicloud: require the role field on login [GH-19005]
• auth/approle: Add maximum length of 4096 for approle role_names, as this value results in HMAC calculation [GH-17768]
• auth: Returns invalid credentials for ldap, userpass and approle when wrong credentials are provided for existent users.
  This will only be used internally for implementing user lockout. [GH-17104]
• core: Bump Go version to 1.20.1.
• core: Vault version has been moved out of sdk and into main vault module.
  Plugins using sdk/useragent.String must instead use sdk/useragent.PluginString. [GH-14229]
• logging: Removed legacy environment variable for log format ('LOGXI_FORMAT'), should use 'VAULT_LOG_FORMAT' instead [GH-17822]
• plugins: Mounts can no longer be pinned to a specific builtin version. Mounts previously pinned to a specific builtin version will now automatically upgrade to the latest builtin version, and may now be overridden if an unversioned plugin of the same name and type is registered. Mounts using plugin versions without builtin in their metadata remain unaffected. [GH-18051]
• plugins: GET /database/config/:name endpoint now returns an additional plugin_version field in the response data. [GH-16982]
• plugins: GET /sys/auth/:path/tune and GET /sys/mounts/:path/tune endpoints may now return an additional plugin_version field in the response data if set. [GH-17167]
• plugins: GET for /sys/auth, /sys/auth/:path, /sys/mounts, and /sys/mounts/:path paths now return additional plugin_version, running_plugin_version and running_sha256 fields in the response data for each mount. [GH-17167]
• sdk: Remove version package, make useragent.String versionless. [GH-19068]
• secrets/aws: do not create leases for non-renewable/non-revocable STS credentials to reduce storage calls [GH-15869]
• secrets/gcpkms: Updated plugin from v0.13.0 to v0.14.0 [GH-19063]
• sys/internal/inspect: Turns of this endpoint by default. A SIGHUP can now be used to reload the configs and turns this endpoint on.
• ui: Upgrade Ember to version 4.4.0 [GH-17086]

FEATURES:

• Azure Auth Managed Identities: Allow any Azure resource that supports managed identities to authenticate with Vault [GH-19077]
• Azure Auth Rotate Root: Add support for rotate root in Azure Auth engine [GH-19077]
• Event System (Alpha): Vault has a new opt-in experimental event system. Not yet suitable for production use. Events are currently only generated on writes to the KV secrets engine, but external plugins can also be updated to start generating events. [GH-19194]
• GCP Secrets Impersonated Account Support: Add support for GCP service account impersonation, allowing callers to generate a GCP access token without requiring Vault to store or retrieve a GCP service account key for each role. [GH-19018]
• Kubernetes Secrets Engine UI: Kubernetes is now available in the UI as a supported secrets engine. [GH-17893]
• New PKI UI: Add beta support for new and improved PKI UI [GH-18842]
• PKI Cross-Cluster Revocations: Revocation information can now be
  synchronized across primary and performance replica clusters offering
  a unified CRL/OCSP view of revocations across cluster boundaries. [GH-19196]
• Server UDS Listener: Adding listener to Vault server to serve http request via unix domain socket [GH-18227]
• Transit managed keys: The transit secrets engine now supports configuring and using managed keys
• User Lockout: Adds support to configure the user-lockout behaviour for failed logins to prevent
  brute force attacks for userpass, approle and ldap auth methods. [GH-19230]
• VMSS Flex Authentication: Adds support for Virtual Machine Scale Set Flex Authentication [GH-19077]
• Namespaces (enterprise): Added the ability to allow access to secrets and more to be shared across namespaces that do not share a namespace hierarchy. Using the new sys/config/group-policy-application API, policies can be configured to apply outside of namespace hierarchy, allowing this kind of cross-namespace sharing.
• OpenAPI-based Go & .NET Client Libraries (Beta): We have now made available two new OpenAPI-based Go & .NET Client libraries (beta). You can use them to perform various secret management operations easily from your applications.

IMPROVEMENTS:

• Redis ElastiCache DB Engine: Renamed configuration parameters for disambiguation; old parameters still supported for compatibility. [GH-18752]
• Bump github.com/hashicorp/go-plugin version from 1.4.5 to 1.4.8 [GH-19100]
• Reduced binary size [GH-17678]
• agent/config: Allow config directories to be specified with -config, and allow multiple -configs to be supplied. [GH-18403]
• agent: Add note in logs when starting Vault Agent indicating if the version differs to the Vault Server. [GH-18684]
• agent: Added token_file auto-auth configuration to allow using a pre-existing token for Vault Agent. [GH-18740]
• agent: Agent listeners can now be to be the metrics_only role, serving only metrics, as part of the listener's new top level role option. [GH-18101]
• agent: Configured Vault Agent listeners now listen without the need for caching to be configured. [GH-18137]
• agent: allows some parts of config to be reloaded without requiring a restart. [GH-18638]
• agent: fix incorrectly used loop variables in parallel tests and when finalizing seals [GH-16872]
• api: Remove dependency on sdk module. [GH-18962]
• api: Support VAULT_DISABLE_REDIRECTS environment variable (and --disable-redirects flag) to disable default client behavior and prevent the client following any redirection responses. [GH-17352]
• audit: Add elide_list_responses option, providing a countermeasure for a common source of oversized audit log entries [GH-18128]
• audit: Include stack trace when audit logging recovers from a panic. [GH-18121]
• auth/alicloud: upgrades dependencies [GH-18021]
• auth/azure: Adds support for authentication with Managed Service Identity (MSI) from a
  Virtual Machine Scale Set (VMSS) in flexible orchestration mode. [GH-17540]
• auth/azure: upgrades dependencies [GH-17857]
• auth/cert: Add configurable support for validating client certs with OCSP. [GH-17093]
• auth/cert: Support listing provisioned CRLs within the mount. [GH-18043]
• auth/cf: Remove incorrect usage of CreateOperation from path_config [GH-19098]
• auth/gcp: Upgrades dependencies [GH-17858]
• auth/oidc: Adds abort_on_error parameter to CLI login command to help in non-interactive contexts [GH-19076]
• auth/oidc: Adds ability to set Google Workspace domain for groups search [GH-19076]
• auth/token (enterprise): Allow batch token creation in perfStandby nodes
• auth: Allow naming login MFA methods and using those names instead of IDs in satisfying MFA requirement for requests.
  Make passcode arguments consistent across login MFA method types. [GH-18610]
• auth: Provide an IP address of the requests from Vault to a Duo challenge after successful authentication. [GH-18811]
• autopilot: Update version to v.0.2.0 to add better support for respecting min quorum
• cli/kv: improve kv CLI to remove data or custom metadata using kv patch [GH-18067]
• cli/pki: Add List-Intermediates functionality to pki client. [GH-18463]
• cli/pki: Add health-check subcommand to evaluate the health of a PKI instance. [GH-17750]
• cli/pki: Add pki issue command, which creates a CSR, has a vault mount sign it, then reimports it. [GH-18467]
• cli/pki: Added "Reissue" command which allows extracting fields from an existing certificate to create a new certificate. [GH-18499]
• cli/pki: Change the pki health-check --list default config output to JSON so it's a usable configuration file [GH-19269]
• cli: Add support for creating requests to existing non-KVv2 PATCH-capable endpoints. [GH-17650]
• cli: Add transit import key helper commands for BYOK to Transit/Transform. [GH-18887]
• cli: Support the -format=raw option, to read non-JSON Vault endpoints and original response bodies. [GH-14945]
• cli: updated vault operator rekey prompts to describe recovery keys when -target=recovery [GH-18892]
• client/pki: Add a new command verify-sign which checks the relationship between two certificates. [GH-18437]
• command/server: Environment variable keys are now logged at startup. [GH-18125]
• core/fips: use upstream toolchain for FIPS 140-2 compliance again; this will appear as X=boringcrypto on the Go version in Vault server logs.
• core/identity: Add machine-readable output to body of response upon alias clash during entity merge [GH-17459]
• core/server: Added an environment variable to write goroutine stacktraces to a
  temporary file for SIGUSR2 signals. [GH-17929]
• core: Add RPCs to read and update userFailedLoginInfo map
• core: Add experiments system and events.alpha1 experiment. [GH-18682]
• core: Add read support to sys/loggers and sys/loggers/:name endpoints [GH-17979]
• core: Add user lockout field to config and configuring this for auth mount using auth tune to prevent brute forcing in auth methods [GH-17338]
• core: Add vault.core.locked_users telemetry metric to emit information about total number of locked users. [GH-18718]
• core: Added sys/locked-users endpoint to list locked users. Changed api endpoint from
  sys/lockedusers/[mount_accessor]/unlock/[alias_identifier] to sys/locked-users/[mount_accessor]/unlock/[alias_identifier]. [GH-18675]
• core: Added sys/lockedusers/[mount_accessor]/unlock/[alias_identifier] endpoint to unlock an user
  with given mount_accessor and alias_identifier if locked [GH-18279]
• core: Added warning to /sys/seal-status and vault status command if potentially dangerous behaviour overrides are being used. [GH-17855]
• core: Implemented background thread to update locked user entries every 15 minutes to prevent brute forcing in auth methods. [GH-18673]
• core: License location is no longer cache exempt, meaning sys/health will not contribute as greatly to storage load when using consul as a storage backend. [GH-17265]
• core: Update protoc from 3.21.5 to 3.21.7 [GH-17499]
• core: add detect_deadlocks config to optionally detect core state deadlocks [GH-18604]
• core: added changes for user lockout workflow. [GH-17951]
• core: parallelize backend initialization to improve startup time for large numbers of mounts. [GH-18244]
• database/postgres: Support multiline strings for revocation statements. [GH-18632]
• database/redis-elasticache: changed config argument names for disambiguation [GH-19044]
• database/snowflake: Allow parallel requests to Snowflake [GH-17593]
• hcp/connectivity: Add foundational OSS support for opt-in secure communication between self-managed Vault nodes and HashiCorp Cloud Platform [GH-18228]
• hcp/connectivity: Include HCP organization, project, and resource ID in server startup logs [GH-18315]
• hcp/connectivity: Only update SCADA session metadata if status changes [GH-18585]
• hcp/status: Add cluster-level status information [GH-18351]
• hcp/status: Expand node-level status information [GH-18302]
• logging: Vault Agent supports logging to a specified file path via environment variable, CLI or config [GH-17841]
• logging: Vault agent and server commands support log file and log rotation. [GH-18031]
• migration: allow parallelization of key migration for vault operator migrate in order to speed up a migration. [GH-18817]
• namespaces (enterprise): Add new API, sys/config/group-policy-application, to allow group policies to be configurable
  to apply to a group in any namespace. The default, within_namespace_hierarchy, is the current behaviour.
• openapi: Add default values to thing_mount_path parameters [GH-18935]
• openapi: Add logic to generate openapi response structures [GH-18192]
• openapi: Add openapi response definitions to approle/path_login.go & approle/path_tidy_user_id.go [GH-18772]
• openapi: Add openapi response definitions to approle/path_role.go [GH-18198]
• openapi: Change gen_openapi.sh to generate schema with generic mount paths [GH-18934]
• openapi: Mark request body objects as required [GH-17909]
• openapi: add openapi response defintions to /sys/audit endpoints [GH-18456]
• openapi: generic_mount_paths: Move implementation fully into server, rather than partially in plugin framework; recognize all 4 singleton mounts (auth/token, cubbyhole, identity, system) rather than just 2; change parameter from {mountPath} to {<type>_mount_path} [GH-18663]
• plugins: Add plugin version information to key plugin lifecycle log lines. [GH-17430]
• plugins: Allow selecting builtin plugins by their reported semantic version of the form vX.Y.Z+builtin or vX.Y.Z+builtin.vault. [GH-17289]
• plugins: Let Vault unseal and mount deprecated builtin plugins in a
  deactivated state if this is not the first unseal after an upgrade. [GH-17879]
• plugins: Mark app-id auth method Removed and remove the plugin code. [GH-18039]
• plugins: Mark logical database plugins Removed and remove the plugin code. [GH-18039]
• sdk/ldap: Added support for paging when searching for groups using group filters [GH-17640]
• sdk: Add response schema validation method framework/FieldData.ValidateStrict and two test helpers (ValidateResponse, ValidateResponseData) [GH-18635]
• sdk: Adding FindResponseSchema test helper to assist with response schema validation in tests [GH-18636]
• secrets/aws: Update dependencies [PR-17747] [GH-17747]
• secrets/azure: Adds ability to persist an application for the lifetime of a role. [GH-19096]
• secrets/azure: upgrades dependencies [GH-17964]
• secrets/db/mysql: Add tls_server_name and tls_skip_verify parameters [GH-18799]
• secrets/gcp: Upgrades dependencies [GH-17871]
• secrets/kubernetes: Add /check endpoint to determine if environment variables are set [GH-18] [GH-18587]
• secrets/kubernetes: add /check endpoint to determine if environment variables are set [GH-19084]
• secrets/kv: Emit events on write if events system enabled [GH-19145]
• secrets/kv: make upgrade synchronous when no keys to upgrade [GH-19056]
• secrets/kv: new KVv2 mounts and KVv1 mounts without any keys will upgrade synchronously, allowing for instant use [GH-17406]
• secrets/pki: Add a new API that returns the serial numbers of revoked certificates on the local cluster [GH-17779]
• secrets/pki: Add support to specify signature bits when generating CSRs through intermediate/generate apis [GH-17388]
• secrets/pki: Added a new API that allows external actors to craft a CRL through JSON parameters [GH-18040]
• secrets/pki: Allow UserID Field (https://www.rfc-editor.org/rfc/rfc1274#section-9.3.1) to be set on Certificates when
  allowed by role [GH-18397]
• secrets/pki: Allow issuer creation, import to change default issuer via default_follows_latest_issuer. [GH-17824]
• secrets/pki: Allow templating performance replication cluster- and issuer-specific AIA URLs. [GH-18199]
• secrets/pki: Allow tidying of expired issuer certificates. [GH-17823]
• secrets/pki: Allow tidying of the legacy ca_bundle, improving startup on post-migrated, seal-wrapped PKI mounts. [GH-18645]
• secrets/pki: Respond with written data to config/auto-tidy, config/crl, and roles/:role. [GH-18222]
• secrets/pki: Return issuer_id and issuer_name on /issuer/:issuer_ref/json endpoint. [GH-18482]
• secrets/pki: Return new fields revocation_time_rfc3339 and issuer_id to existing certificate serial lookup api if it is revoked [GH-17774]
• secrets/ssh: Allow removing SSH host keys from the dynamic keys feature. [GH-18939]
• secrets/ssh: Evaluate ssh validprincipals user template before splitting [GH-16622]
• secrets/transit: Add an optional reference field to batch operation items
  which is repeated on batch responses to help more easily correlate inputs with outputs. [GH-18243]
• secrets/transit: Add associated_data parameter for additional authenticated data in AEAD ciphers [[GH-17638](https://togithub.com/hashi

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 44.07%. Comparing base (5b1ead3) to head (2876c74).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #450   +/-   ##
=======================================
  Coverage   44.07%   44.07%           
=======================================
  Files           7        7           
  Lines         211      211           
=======================================
  Hits           93       93           
  Misses        103      103           
  Partials       15       15           

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 9 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.21 -> 1.23.0
github.com/cpuguy83/go-md2man/v2	v2.0.2 -> v2.0.4
github.com/hashicorp/go-hclog	v1.6.2 -> v1.6.3
github.com/hashicorp/go-retryablehttp	v0.7.5 -> v0.7.6
github.com/xrash/smetrics	v0.0.0-20201216005158-039620a65673 -> v0.0.0-20240521201337-686a1a2994c1
golang.org/x/crypto	v0.21.0 -> v0.23.0
golang.org/x/net	v0.22.0 -> v0.25.0
golang.org/x/sys	v0.18.0 -> v0.20.0
golang.org/x/term	v0.18.0 -> v0.20.0
golang.org/x/text	v0.14.0 -> v0.15.0

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.