Create @tailscale authentication tokens using vault

Vault Secrets Plugin - Tailscale

A Vault secrets plugin that simplifies the creation, management, and revocation of Tailscale API tokens.

Usage

Setup Endpoint

  1. Download and enable plugin locally (TODO)

  2. Configure the plugin

    vault write /tailscale/config/root tailnet=<tailnet> token=<token>
    
  3. Add one or more policies

Configure Policies

# NOTE: this policy will not work and is just an example
vault write /tailscale/roles/<role-name> capabilities=-<<EOF
{
  "capabilities": {
    "devices": {
      "create": {
        "reusable": false,
        "ephemeral": false
      }
    }
  }
}
EOF

You can then read from the role using:

vault read /tailscale/creds/<role-name>

Generate a new Token

To generate a new token:

Create a new Tailscale policy and perform a 'read' operation on the creds/<role-name> endpoint.

# To read data using the API
$ vault read tailscale/creds/single-use
Key                Value
---                -----
lease_id           tailscale/creds/test/yfF2qCtSvKSakATS89va1Var
lease_duration     768h
lease_renewable    false
capabilities       map[devices:map[create:map[]]]
expires            2022-03-27T03:13:45Z
id                 koD1dv6CNTRL
token              <token>
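
An added example (not part of the plugin or its README): a check that a provisioning script could run over `vault read -format=json` output from the creds endpoint before passing the key on. The field names under `data` are assumed to mirror the table above; the sample JSON, the issue time and the 24-hour limit are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of `vault read -format=json tailscale/creds/<role-name>`.
# The envelope (lease_id, lease_duration in seconds, renewable, data) is
# Vault's standard JSON output; the keys under "data" are an assumption that
# mirrors the table output above. The token is a placeholder.
SAMPLE_SECRET = """
{
  "lease_id": "tailscale/creds/test/yfF2qCtSvKSakATS89va1Var",
  "lease_duration": 2764800,
  "renewable": false,
  "data": {
    "capabilities": {"devices": {"create": {}}},
    "expires": "2022-03-27T03:13:45Z",
    "id": "koD1dv6CNTRL",
    "token": "<token>"
  }
}
"""


def parse_utc(value):
    """Parse the 'Z'-suffixed UTC timestamp shown in the creds output."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_credential(raw_json, issued_at, max_ttl=timedelta(hours=24)):
    """Return (redacted summary, findings) for one issued credential.

    issued_at is when the read was performed; max_ttl is a local policy
    limit (hypothetical default), not something the plugin enforces.
    """
    secret = json.loads(raw_json)
    data = secret.get("data") or {}
    findings = []

    # Without a lease Vault has nothing to revoke when the TTL runs out.
    if not secret.get("lease_id"):
        findings.append("no lease_id: Vault cannot revoke this key on expiry")

    lease_ttl = timedelta(seconds=int(secret.get("lease_duration") or 0))
    if lease_ttl > max_ttl:
        findings.append(f"lease of {lease_ttl} exceeds the allowed {max_ttl}")

    # A missing flag is treated as false, matching the empty map in the output.
    create = ((data.get("capabilities") or {}).get("devices") or {}).get("create") or {}
    if create.get("reusable"):
        findings.append("key is reusable: one leaked key can enrol many devices")

    # If the key expires after the lease ends, it stays valid whenever
    # revocation at lease end fails.
    expires = data.get("expires")
    if expires and parse_utc(expires) > issued_at + lease_ttl:
        findings.append("key expiry is later than the end of the Vault lease")

    # The summary is safe to log: the token itself is never copied into it.
    summary = {
        "lease_id": secret.get("lease_id"),
        "key_id": data.get("id"),
        "expires": expires,
        "token": "<redacted>" if data.get("token") else None,
    }
    return summary, findings


if __name__ == "__main__":
    issued = datetime(2022, 2, 23, 3, 13, 45, tzinfo=timezone.utc)  # constructed
    summary, findings = audit_credential(SAMPLE_SECRET, issued)
    print(json.dumps(summary, indent=2))
    for finding in findings:
        print("FINDING:", finding)
```

The 768h lease in the sample output is 32 days, so it is flagged against the 24-hour limit used here.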

Development

The provided Earthfile (think Makefile, but using Docker) is used to build, test, and publish the plugin. See the build targets for more information. Common targets include:

# build a local version of the plugin
$ earthly +build

# execute integration tests
#
# use https://developers.cloudflare.com/api/tokens/create to create a token
# with 'User:API Tokens:Edit' permissions
$ TEST_CLOUDFLARE_TOKEN=<YOUR_CLOUDFLARE_TOKEN> earthly --secret TEST_CLOUDFLARE_TOKEN +test

# start vault and enable the plugin locally
$ earthly +dev

Comments
  • Bump github.com/hashicorp/vault/sdk from 0.4.1 to 0.6.1

    Bumps github.com/hashicorp/vault/sdk from 0.4.1 to 0.6.1.

    Changelog

    Sourced from github.com/hashicorp/vault/sdk's changelog.

    0.6.1 (August 22, 2016)

    DEPRECATIONS/CHANGES:

    • Once the active node is 0.6.1, standby nodes must also be 0.6.1 in order to connect to the HA cluster. We recommend following our general upgrade instructions in addition to 0.6.1-specific upgrade instructions to ensure that this is not an issue.
    • Status codes for sealed/uninitialized Vaults have changed to 503/501 respectively. See the version-specific upgrade guide for more details.
    • Root tokens (tokens with the root policy) can no longer be created except by another root token or the generate-root endpoint.
    • Issued certificates from the pki backend against new roles created or modified after upgrading will contain a set of default key usages.
    • The dynamodb physical data store no longer supports HA by default. It has some non-ideal behavior around failover that was causing confusion. See the documentation for information on enabling HA mode. It is very important that this configuration is added before upgrading.
    • The ldap backend no longer searches for memberOf groups as part of its normal flow. Instead, the desired group filter must be specified. This fixes some errors and increases speed for directories with different structures, but if this behavior has been relied upon, ensure that you see the upgrade notes before upgrading.
    • app-id is now deprecated with the addition of the new AppRole backend. There are no plans to remove it, but we encourage using AppRole whenever possible, as it offers enhanced functionality and can accommodate many more types of authentication paradigms.

    FEATURES:

    • AppRole Authentication Backend: The approle backend is a machine-oriented authentication backend that provides a similar concept to App-ID while adding many missing features, including a pull model that allows for the backend to generate authentication credentials rather than requiring operators or other systems to push credentials in. It should be useful in many more situations than App-ID. The inclusion of this backend deprecates App-ID. GH-1426
    • Request Forwarding: Vault servers can now forward requests to each other rather than redirecting clients. This feature is off by default in 0.6.1 but will be on by default in the next release. See the HA concepts page for information on enabling and configuring it. GH-443
    • Convergent Encryption in Transit: The transit backend now supports a convergent encryption mode where the same plaintext will produce the same ciphertext. Although very useful in some situations, this has potential security implications, which are mostly mitigated by requiring the use of

    ... (truncated)

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • Bump github.com/hashicorp/vault/api from 1.4.1 to 1.8.1

    Bumps github.com/hashicorp/vault/api from 1.4.1 to 1.8.1.

    Release notes

    Sourced from github.com/hashicorp/vault/api's releases.

    v1.8.1

    1.8.1

    August 5th, 2021

    CHANGES:

    • go: Update go version to 1.16.6 [GH-12245]

    IMPROVEMENTS:

    • serviceregistration: add external-source: "vault" metadata value for Consul registration. [GH-12163]

    BUG FIXES:

    • auth/aws: Remove warning stating AWS Token TTL will be capped by the Default Lease TTL. [GH-12026]
    • auth/jwt: Fixes OIDC auth from the Vault UI when using form_post as the oidc_response_mode. [GH-12258]
    • core (enterprise): Disallow autogenerated licenses to be used in diagnose even when config is specified
    • core: fix byte printing for diagnose disk checks [GH-12229]
    • identity: do not allow a role's token_ttl to be longer than the signing key's verification_ttl [GH-12151]

    v1.8.0

    1.8.0

    July 28th, 2021

    CHANGES:

    • agent: Errors in the template engine will no longer cause agent to exit unless explicitly defined to do so. A new configuration parameter, exit_on_retry_failure, within the new top-level stanza, template_config, can be set to true in order to cause agent to exit. Note that for agent to exit if template.error_on_missing_key is set to true, exit_on_retry_failure must be also set to true. Otherwise, the template engine will log an error but then restart its internal runner. [GH-11775]
    • agent: Update to use IAM Service Account Credentials endpoint for signing JWTs when using GCP Auto-Auth method [GH-11473]
    • core (enterprise): License/EULA changes that ensure the presence of a valid HashiCorp license to start Vault. More information is available in the Vault License FAQ

    FEATURES:

    • GCP Secrets Engine Static Accounts: Adds ability to use existing service accounts for generation of service account keys and access tokens. [GH-12023]
    • Key Management Secrets Engine (Enterprise): Adds general availability for distributing and managing keys in AWS KMS. [GH-11958]
    • License Autoloading (Enterprise): Licenses may now be automatically loaded from the environment or disk.
    • MySQL Database UI: The UI now supports adding and editing MySQL connections in the database secret engine [GH-11532]
    • Vault Diagnose: A new vault operator command to detect common issues with vault server setups.

    IMPROVEMENTS:

    • agent/template: Added static_secret_render_interval to specify how often to fetch non-leased secrets [GH-11934]

    ... (truncated)

    Changelog

    Sourced from github.com/hashicorp/vault/api's changelog.

    1.8.12

    June 10, 2022

    BUG FIXES:

    • agent: Redact auto auth token from renew endpoints [GH-15380]
    • core: Prevent changing file permissions of audit logs when mode 0000 is used. [GH-15759]
    • core: fixed systemd reloading notification [GH-15041]
    • core: pre-calculate namespace specific paths when tainting a route during postUnseal [GH-15067]
    • storage/raft (enterprise): Auto-snapshot configuration now forbids slashes in file prefixes for all types, and "/" in path prefix for local storage type. Strip leading prefix in path prefix for AWS. Improve error handling/reporting.
    • transform (enterprise): Fix non-overridable column default value causing tokenization tokens to expire prematurely when using the MySQL storage backend.

    1.8.11

    April 29, 2022

    BUG FIXES:

    • raft: fix Raft TLS key rotation panic that occurs if active key is more than 24 hours old [GH-15156]
    • sdk: Fix OpenApi spec generator to properly convert TypeInt64 to OAS supported int64 [GH-15104]

    1.8.10

    April 22, 2022

    CHANGES:

    • core: A request that fails path validation due to relative path check will now be responded to with a 400 rather than 500. [GH-14328]
    • core: Bump Go version to 1.16.15. [GH-go-ver-1810]

    IMPROVEMENTS:

    • auth/ldap: Add username_as_alias configurable to change how aliases are named [GH-14324]
    • core: Systemd unit file included with the Linux packages now sets the service type to notify. [GH-14385]
    • sentinel (enterprise): Upgrade sentinel to v0.18.5 to avoid potential naming collisions in the remote installer

    BUG FIXES:

    • api/sys/raft: Update RaftSnapshotRestore to use net/http client allowing bodies larger than allocated memory to be streamed [GH-14269]
    • auth/approle: Add maximum length for input values that result in SHA256 HMAC calculation [GH-14746]
    • cassandra: Update gocql Cassandra client to fix "no hosts available in the pool" error [GH-14973]
    • cli: Fix panic caused by parsing key=value fields whose value is a single backslash [GH-14523]
    • core: Fix panic caused by parsing JSON integers for fields defined as comma-delimited integers [GH-15072]
    • core: Fix panic caused by parsing JSON integers for fields defined as comma-delimited strings [GH-14522]
    • core: Fix panic caused by parsing policies with empty slice values. [GH-14501]
    • core: Fix panic for help request URL paths without /v1/ prefix [GH-14704]
    • core: fixing excessive unix file permissions [GH-14791]
    • core: fixing excessive unix file permissions on dir, files and archive created by vault debug command [GH-14846]
    • core: report unused or redundant keys in server configuration [GH-14752]
    • core: time.After() used in a select statement can lead to memory leak [GH-14814]
    • metrics/autosnapshots (enterprise) : Fix bug that could cause vault.autosnapshots.save.errors to not be incremented when there is an

    ... (truncated)

    Commits
    • 4b0264f Updates vault-plugin-auth-jwt to v0.10.1 (#12258)
    • 21ecd7d Backport 1.8.1: identity: allow creating a role with a non-existent key (#122...
    • d4269f3 [VAULT-1986] Cap AWS Token TTL based on Default Lease TTL (#12026) (#12252)
    • 062842a Updating SDK version for 1.8.1 (#12247)
    • bd35cc7 Updating go version to 1.16.6 for security fix (#12245) (#12249)
    • c48b322 Forward cert signing requests to the primary on perf secondaries as well as p...
    • 436d893 serviceregistration: add external-source meta value (#12163) (#12241)
    • 7f2cfd0 Backport: Don't use autogenerated licenses in diagnose when config is specifi...
    • 6748c7d backport disk usage print fixes (#12232)
    • f882564 identity: do not allow a role's token_ttl to be longer than verification_ttl ...
    • Additional commits viewable in compare view

  • Bump github.com/hashicorp/vault/sdk from 0.4.1 to 0.6.0

    Bumps github.com/hashicorp/vault/sdk from 0.4.1 to 0.6.0.

    Changelog

    Sourced from github.com/hashicorp/vault/sdk's changelog.

    0.6.0 (June 14th, 2016)

    SECURITY:

    • Although sys/revoke-prefix was intended to revoke prefixes of secrets (via lease IDs, which incorporate path information) and auth/token/revoke-prefix was intended to revoke prefixes of tokens (using the tokens' paths and, since 0.5.2, role information), in implementation they both behaved exactly the same way since a single component in Vault is responsible for managing lifetimes of both, and the type of the tracked lifetime was not being checked. The end result was that either endpoint could revoke both secret leases and tokens. We consider this a very minor security issue as there are a number of mitigating factors: both endpoints require sudo capability in addition to write capability, preventing blanket ACL path globs from providing access; both work by using the prefix to revoke as a part of the endpoint path, allowing them to be properly ACL'd; and both are intended for emergency scenarios and users should already not generally have access to either one. In order to prevent confusion, we have simply removed auth/token/revoke-prefix in 0.6, and sys/revoke-prefix will be meant for both leases and tokens instead.

    DEPRECATIONS/CHANGES:

    • auth/token/revoke-prefix has been removed. See the security notice for details. GH-1280
    • Vault will now automatically register itself as the vault service when using the consul backend and will perform its own health checks. See the Consul backend documentation for information on how to disable auto-registration and service checks.
    • List operations that do not find any keys now return a 404 status code rather than an empty response object GH-1365
    • CA certificates issued from the pki backend no longer have associated leases, and any CA certs already issued will ignore revocation requests from the lease manager. This is to prevent CA certificates from being revoked when the token used to issue the certificate expires; it was not obvious to users that they need to ensure that the token lifetime needed to be at least as long as a potentially very long-lived CA cert.

    FEATURES:

    • AWS EC2 Auth Backend: Provides a secure introduction mechanism for AWS EC2 instances allowing automated retrieval of Vault tokens. Unlike most Vault authentication backends, this backend does not require first deploying or provisioning security-sensitive credentials (tokens, username/password, client certificates, etc). Instead, it treats AWS as a Trusted Third Party and uses the cryptographically signed dynamic metadata information that uniquely represents each EC2 instance. Vault Enterprise customers have access to a turnkey client that speaks the backend API and makes access to a Vault token easy.

    ... (truncated)

    Commits
    • f627c01 Cut version 0.6.0
    • 5b7e680 Add updated wrapping information
    • 926e56e Merge pull request #1520 from hashicorp/wrapinfo-accessor
    • 65cdcd6 Add some commenting
    • 47dc1cc Add token accessor to wrap information if one exists
    • 4f039d0 Merge pull request #1518 from hashicorp/fix-bound-ami-id
    • e521894 Added bound_ami_id check
    • 117200c Fix mah broken tests
    • c6ded38 cubbyhole-response-wrapping -> response-wrapping
    • 1e67cd8 Merge pull request #1513 from hashicorp/field-data-get-default
    • Additional commits viewable in compare view

  • Bump github.com/hashicorp/vault/api from 1.4.1 to 1.8.0

    Bumps github.com/hashicorp/vault/api from 1.4.1 to 1.8.0.

    Release notes

    Sourced from github.com/hashicorp/vault/api's releases.

    v1.8.0

    1.8.0

    July 28th, 2021

    CHANGES:

    • agent: Errors in the template engine will no longer cause agent to exit unless explicitly defined to do so. A new configuration parameter, exit_on_retry_failure, within the new top-level stanza, template_config, can be set to true in order to cause agent to exit. Note that for agent to exit if template.error_on_missing_key is set to true, exit_on_retry_failure must be also set to true. Otherwise, the template engine will log an error but then restart its internal runner. [GH-11775]
    • agent: Update to use IAM Service Account Credentials endpoint for signing JWTs when using GCP Auto-Auth method [GH-11473]
    • core (enterprise): License/EULA changes that ensure the presence of a valid HashiCorp license to start Vault. More information is available in the Vault License FAQ

    FEATURES:

    • GCP Secrets Engine Static Accounts: Adds ability to use existing service accounts for generation of service account keys and access tokens. [GH-12023]
    • Key Management Secrets Engine (Enterprise): Adds general availability for distributing and managing keys in AWS KMS. [GH-11958]
    • License Autoloading (Enterprise): Licenses may now be automatically loaded from the environment or disk.
    • MySQL Database UI: The UI now supports adding and editing MySQL connections in the database secret engine [GH-11532]
    • Vault Diagnose: A new vault operator command to detect common issues with vault server setups.

    IMPROVEMENTS:

    • agent/template: Added static_secret_render_interval to specify how often to fetch non-leased secrets [GH-11934]
    • agent: Allow Agent auto auth to read symlinked JWT files [GH-11502]
    • api: Allow a leveled logger to be provided to api.Client through SetLogger. [GH-11696]
    • auth/aws: Underlying error included in validation failure message. [GH-11638]
    • cli/api: Add lease lookup command [GH-11129]
    • core: Add prefix_filter to telemetry config [GH-12025]
    • core: Add a darwin/arm64 binary release supporting the Apple M1 CPU [GH-12071]
    • core: Add a small (<1s) exponential backoff to failed TCP listener Accept failures. [GH-11588]
    • core (enterprise): Add controlled capabilities to control group policy stanza
    • core: Add metrics for standby node forwarding. [GH-11366]
    • core: Add metrics to report if a node is a perf standby, if a node is a dr secondary or primary, and if a node is a perf secondary or primary. [GH-11472]
    • core: Send notifications to systemd on start, stop, and configuration reload. [GH-11517]
    • core: add irrevocable lease list and count apis [GH-11607]
    • core: allow arbitrary length stack traces upon receiving SIGUSR2 (was 32MB) [GH-11364]
    • db/cassandra: Added tls_server_name to specify server name for TLS validation [GH-11820]
    • go: Update to Go 1.16.5 [GH-11802]
    • raft: Improve raft batch size selection [GH-11907]
    • raft: change freelist type to map and set nofreelistsync to true [GH-11895]
    • replication: Delay evaluation of X-Vault-Index headers until merkle sync completes.
    • secrets/rabbitmq: Add ability to customize dynamic usernames [GH-11899]
    • secrets/ad: Add rotate-role endpoint to allow rotations of service accounts. [GH-11942]

    ... (truncated)

    Changelog

    Sourced from github.com/hashicorp/vault/api's changelog.

    1.8.0

    July 28th, 2021

    CHANGES:

    • agent: Errors in the template engine will no longer cause agent to exit unless explicitly defined to do so. A new configuration parameter, exit_on_retry_failure, within the new top-level stanza, template_config, can be set to true in order to cause agent to exit. Note that for agent to exit if template.error_on_missing_key is set to true, exit_on_retry_failure must be also set to true. Otherwise, the template engine will log an error but then restart its internal runner. [GH-11775]
    • agent: Update to use IAM Service Account Credentials endpoint for signing JWTs when using GCP Auto-Auth method [GH-11473]
    • core (enterprise): License/EULA changes that ensure the presence of a valid HashiCorp license to start Vault. More information is available in the Vault License FAQ

    FEATURES:

    • GCP Secrets Engine Static Accounts: Adds ability to use existing service accounts for generation of service account keys and access tokens. [GH-12023]
    • Key Management Secrets Engine (Enterprise): Adds general availability for distributing and managing keys in AWS KMS. [GH-11958]
    • License Autoloading (Enterprise): Licenses may now be automatically loaded from the environment or disk.
    • MySQL Database UI: The UI now supports adding and editing MySQL connections in the database secret engine [GH-11532]
    • Vault Diagnose: A new vault operator command to detect common issues with vault server setups.

    SECURITY:

    • storage/raft: When initializing Vault’s Integrated Storage backend, excessively broad filesystem permissions may be set for the underlying Bolt database used by Vault’s Raft implementation. This vulnerability, CVE-2021-38553, was fixed in Vault 1.8.0.
    • ui: The Vault UI erroneously cached and exposed user-viewed secrets between authenticated sessions in a single shared browser, if the browser window / tab was not refreshed or closed between logout and a subsequent login. This vulnerability, CVE-2021-38554, was fixed in Vault 1.8.0 and will be addressed in pending 1.7.4 / 1.6.6 releases.

    IMPROVEMENTS:

    • agent/template: Added static_secret_render_interval to specify how often to fetch non-leased secrets [GH-11934]
    • agent: Allow Agent auto auth to read symlinked JWT files [GH-11502]
    • api: Allow a leveled logger to be provided to api.Client through SetLogger. [GH-11696]
    • auth/aws: Underlying error included in validation failure message. [GH-11638]
    • cli/api: Add lease lookup command [GH-11129]
    • core: Add prefix_filter to telemetry config [GH-12025]
    • core: Add a darwin/arm64 binary release supporting the Apple M1 CPU [GH-12071]
    • core: Add a small (<1s) exponential backoff to failed TCP listener Accept failures. [GH-11588]
    • core (enterprise): Add controlled capabilities to control group policy stanza
    • core: Add metrics for standby node forwarding. [GH-11366]
    • core: Add metrics to report if a node is a perf standby, if a node is a dr secondary or primary, and if a node is a perf secondary or primary. [GH-11472]
    • core: Send notifications to systemd on start, stop, and configuration reload. [GH-11517]
    • core: add irrevocable lease list and count apis [GH-11607]
    • core: allow arbitrary length stack traces upon receiving SIGUSR2 (was 32MB) [GH-11364]
    • core: Improve renew/revoke performance using per-lease locks [GH-11122]
    • db/cassandra: Added tls_server_name to specify server name for TLS validation [GH-11820]
    • go: Update to Go 1.16.5 [GH-11802]

    ... (truncated)

  • Bump github.com/hashicorp/go-hclog from 1.2.0 to 1.3.1

    Bumps github.com/hashicorp/go-hclog from 1.2.0 to 1.3.1.

    Release notes

    Sourced from github.com/hashicorp/go-hclog's releases.

    Improved multi line output rendering

    Full Changelog: https://github.com/hashicorp/go-hclog/compare/v1.3.0...v1.3.1

    Field Colorization

    This version adds the ability to colorize fields for improved readability.

    Full Changelog: https://github.com/hashicorp/go-hclog/compare/v1.2.2...v1.3.0

    Minor formatting fix

    Full Changelog: https://github.com/hashicorp/go-hclog/compare/v1.2.1...v1.2.2

    testify/go.yaml fix

    This bumps the version of testify and go.yaml that are referenced by go-hclog to fix a security issue in go.yaml.

  • Bump github.com/hashicorp/go-hclog from 1.2.0 to 1.3.0

    Bumps github.com/hashicorp/go-hclog from 1.2.0 to 1.3.0.

    Release notes

    Sourced from github.com/hashicorp/go-hclog's releases.

    Field Colorization

    This version adds the ability to colorize fields for improved readability.

    Full Changelog: https://github.com/hashicorp/go-hclog/compare/v1.2.2...v1.3.0

    Minor formatting fix

    Full Changelog: https://github.com/hashicorp/go-hclog/compare/v1.2.1...v1.2.2

    testify/go.yaml fix

    This bumps the version of testify and go.yaml that are referenced by go-hclog to fix a security issue in go.yaml.

  • Bump github.com/hashicorp/go-hclog from 1.2.0 to 1.2.2

    Bumps github.com/hashicorp/go-hclog from 1.2.0 to 1.2.2.

    Release notes

    Sourced from github.com/hashicorp/go-hclog's releases.

    Minor formatting fix

    Full Changelog: https://github.com/hashicorp/go-hclog/compare/v1.2.1...v1.2.2

    testify/go.yaml fix

    This bumps the version of testify and go.yaml that are referenced by go-hclog to fix a security issue in go.yaml.

  • Bump github.com/hashicorp/vault/sdk from 0.4.1 to 0.5.3

    Bumps github.com/hashicorp/vault/sdk from 0.4.1 to 0.5.3.

    Changelog

    Sourced from github.com/hashicorp/vault/sdk's changelog.

    0.5.3 (May 27th, 2016)

    SECURITY:

    • Consul ACL Token Revocation: An issue was reported to us indicating that generated Consul ACL tokens were not being properly revoked. Upon investigation, we found that this behavior was reproducible in a specific scenario: when a generated lease for a Consul ACL token had been renewed prior to revocation. In this case, the generated token was not being properly persisted internally through the renewal function, leading to an error during revocation due to the missing token. Unfortunately, this was coded as a user error rather than an internal error, and the revocation logic was expecting internal errors if revocation failed. As a result, the revocation logic believed the revocation to have succeeded when it in fact failed, causing the lease to be dropped while the token was still valid within Consul. In this release, the Consul backend properly persists the token through renewals, and the revocation logic has been changed to consider any error type to have been a failure to revoke, causing the lease to persist and attempt to be revoked later.

    We have written an example shell script that searches through Consul's ACL tokens and looks for those generated by Vault, which can be used as a template for a revocation script as deemed necessary for any particular security response. The script is available at https://gist.github.com/jefferai/6233c2963f9407a858d84f9c27d725c0

    Please note that any outstanding leases for Consul tokens produced prior to 0.5.3 that have been renewed will continue to exhibit this behavior. As a result, we recommend either revoking all tokens produced by the backend and issuing new ones, or if needed, a more advanced variant of the provided example could use the timestamp embedded in each generated token's name to decide which tokens are too old and should be deleted. This could then be run periodically up until the maximum lease time for any outstanding pre-0.5.3 tokens has expired.

    This is a security-only release. There are no other code changes since 0.5.2. The binaries have one additional change: they are built against Go 1.6.1 rather than Go 1.6, as Go 1.6.1 contains two security fixes to the Go programming language itself.

    0.5.2 (March 16th, 2016)

    FEATURES:

    • MSSQL Backend: Generate dynamic unique MSSQL database credentials based on configured roles GH-998
    • Token Accessors: Vault now provides an accessor with each issued token. This accessor is an identifier that can be used for a limited set of actions, notably for token revocation. This value can be logged in plaintext to audit logs, and in combination with the plaintext metadata

    ... (truncated)

  • Bump github.com/stretchr/testify from 1.7.1 to 1.8.0

    Bumps github.com/stretchr/testify from 1.7.1 to 1.8.0.

  • Bump github.com/stretchr/testify from 1.7.1 to 1.7.5

    Bumps github.com/stretchr/testify from 1.7.1 to 1.7.5.

  • Bump github.com/hashicorp/vault/sdk from 0.4.1 to 0.5.2

    Bumps github.com/hashicorp/vault/sdk from 0.4.1 to 0.5.2.

    Changelog

    Sourced from github.com/hashicorp/vault/sdk's changelog.

    0.5.2 (March 16th, 2016)

    FEATURES:

    • MSSQL Backend: Generate dynamic unique MSSQL database credentials based on configured roles GH-998
    • Token Accessors: Vault now provides an accessor with each issued token. This accessor is an identifier that can be used for a limited set of actions, notably for token revocation. This value can be logged in plaintext to audit logs, and in combination with the plaintext metadata logged to audit logs, provides a searchable and straightforward way to revoke particular users' or services' tokens in many cases. To enable plaintext audit logging of these accessors, set hmac_accessor=false when enabling an audit backend.
    • Token Credential Backend Roles: Roles can now be created in the token credential backend that allow modifying token behavior in ways that are not otherwise exposed or easily delegated. This allows creating tokens with a fixed set (or subset) of policies (rather than a subset of the calling token's), periodic tokens with a fixed TTL but no expiration, specified prefixes, and orphans.
    • Listener Certificate Reloading: Vault's configured listeners now reload their TLS certificate and private key when the Vault process receives a SIGHUP.

    IMPROVEMENTS:

    • auth/token: Endpoints optionally accept tokens from the HTTP body rather than just from the URLs GH-1211
    • auth/token,sys/capabilities: Added new endpoints auth/token/lookup-accessor, auth/token/revoke-accessor and sys/capabilities-accessor, which enables performing the respective actions with just the accessor of the tokens, without having access to the actual token GH-1188
    • core: Ignore leading / in policy paths GH-1170
    • core: Ignore leading / in mount paths GH-1172
    • command/policy-write: Provided HCL is now validated for format violations and provides helpful information around where the violation occurred GH-1200
    • command/server: The initial root token ID when running in -dev mode can now be specified via -dev-root-token-id or the environment variable VAULT_DEV_ROOT_TOKEN_ID GH-1162
    • command/server: The listen address when running in -dev mode can now be specified via -dev-listen-address or the environment variable VAULT_DEV_LISTEN_ADDRESS GH-1169
    • command/server: The configured listeners now reload their TLS certificates/keys when Vault is SIGHUP'd GH-1196
    • command/step-down: New vault step-down command and API endpoint to force the targeted node to give up active status, but without sealing. The node will wait ten seconds before attempting to grab the lock again. GH-1146
    • command/token-renew: Allow no token to be passed in; use renew-self in

    ... (truncated)

    Commits
    • 77f2b8a Cut version 0.5.2
    • 1a28dc8 Remove us building Solaris binaries for the moment, as they don't build succe...
    • d887ecb Normalize userpass errors around bad user/pass
    • 33c2641 Use 400 instead of 500 for failing to provide a userpass password.
    • 0676a34 No need for the old Dockerfile for patched 1.5.3 anymore; it's in history if ...
    • b9b4f45 Merge pull request #1216 from hashicorp/userpass-update
    • 4ae83b7 Add comments to existence functions
    • 2fc3c23 changelog++
    • daab5d6 Fix SanitizeTTL check
    • 6f2b428 Addessing review comments
    • Additional commits viewable in compare view

  • Bump github.com/hashicorp/vault/sdk from 0.4.1 to 0.6.2

    Bumps github.com/hashicorp/vault/sdk from 0.4.1 to 0.6.2.

    Changelog

    Sourced from github.com/hashicorp/vault/sdk's changelog.

    0.6.2 (October 5, 2016)

    DEPRECATIONS/CHANGES:

    • Convergent Encryption v2: New keys in transit using convergent mode will use a new nonce derivation mechanism rather than require the user to supply a nonce. While not explicitly increasing security, it minimizes the likelihood that a user will use the mode improperly and impact the security of their keys. Keys in convergent mode that were created in v0.6.1 will continue to work with the same mechanism (user-supplied nonce).
    • etcd HA off by default: Following in the footsteps of dynamodb, the etcd storage backend now requires that ha_enabled be explicitly specified in the configuration file. The backend currently has known broken HA behavior, so this flag discourages use by default without explicitly enabling it. If you are using this functionality, when upgrading, you should set ha_enabled to "true" before starting the new versions of Vault.
    • Default/Max lease/token TTLs are now 32 days: In previous versions of Vault the default was 30 days, but moving it to 32 days allows some operations (e.g. reauthenticating, renewing, etc.) to be performed via a monthly cron job.
    • AppRole Secret ID endpoints changed: Secret ID and Secret ID accessors are no longer part of request URLs. The GET and DELETE operations are now moved to new endpoints (/lookup and /destroy) which consumes the input from the body and not the URL.
    • AppRole requires at least one constraint: previously it was sufficient to turn off all AppRole authentication constraints (secret ID, CIDR block) and use the role ID only. It is now required that at least one additional constraint is enabled. Existing roles are unaffected, but any new roles or updated roles will require this.
    • Reading wrapped responses from cubbyhole/response is deprecated. The sys/wrapping/unwrap endpoint should be used instead as it provides additional security, auditing, and other benefits. The ability to read directly will be removed in a future release.
    • Request Forwarding is now on by default: in 0.6.1 this required toggling on, but is now enabled by default. This can be disabled via the "disable_clustering" parameter in Vault's config, or per-request with the X-Vault-No-Request-Forwarding header.
    • In prior versions a bug caused the bound_iam_role_arn value in the aws-ec2 authentication backend to actually use the instance profile ARN. This has been corrected, but as a result there is a behavior change. To match using the instance profile ARN, a new parameter bound_iam_instance_profile_arn has been added. Existing roles will automatically transfer the value over to the correct parameter, but the next time the role is updated, the new meanings will take effect.

    FEATURES:

    • Secret ID CIDR Restrictions in AppRole: Secret IDs generated under an approle can now specify a list of CIDR blocks from where the requests to

    ... (truncated)

  • Bump github.com/hashicorp/go-hclog from 1.2.0 to 1.4.0

    Bumps github.com/hashicorp/go-hclog from 1.2.0 to 1.4.0.

    Release notes

    Sourced from github.com/hashicorp/go-hclog's releases.

    Add GetLevel

    What it says on the tin, add GetLevel to the Logger interface.

    Full Changelog: https://github.com/hashicorp/go-hclog/compare/v1.3.1...v1.4.0

    Improved multi line output rendering

    Full Changelog: https://github.com/hashicorp/go-hclog/compare/v1.3.0...v1.3.1

    Field Colorization

    This version adds the ability to colorize fields for improved readability.

    Full Changelog: https://github.com/hashicorp/go-hclog/compare/v1.2.2...v1.3.0

    Minor formatting fix

    Full Changelog: https://github.com/hashicorp/go-hclog/compare/v1.2.1...v1.2.2

    testify/go.yaml fix

    This bumps the version of testify and go.yaml that are referenced by go-hclog to fix a security issue in go.yaml.

    Commits
    • 8b7499a Merge pull request #120 from hashicorp/f-getlevel
    • 0b22181 Add GetLevel to Logger interface
    • 0d6179f Merge pull request #119 from hashicorp/b-quoting
    • 33175f2 When rendering multiple line output, still quote the individual lines
    • 9846b38 Add ColorHeaderAndFields logger option (#118)
    • 1791bf6 build: update go tools dependency (#117)
    • 2a06ec9 Merge pull request #116 from hashicorp/f-no-colon
    • 2c83f91 Merge pull request #115 from marco-m/fix-typos
    • 664598b fix various typos in comments
    • fb7b65b Merge pull request #114 from hashicorp/bflad-update-testify
    • Additional commits viewable in compare view

  • Bump github.com/hashicorp/vault/api from 1.4.1 to 1.8.2

    Bumps github.com/hashicorp/vault/api from 1.4.1 to 1.8.2.

    Release notes

    Sourced from github.com/hashicorp/vault/api's releases.

    v1.8.2

    1.8.2

    26 August 2021

    CHANGES:

    • go: Update go version to 1.16.7 [GH-12408]

    BUG FIXES:

    • auth/aws: Fixes ec2 login no longer supporting DSA signature verification [GH-12340]
    • cli: vault debug now puts newlines after every captured log line. [GH-12175]
    • database/couchbase: change default template to truncate username at 128 characters [GH-12300]
    • identity: Fix a panic on arm64 platform when doing identity I/O. [GH-12371]
    • physical/raft: Fix safeio.Rename error when restoring snapshots on windows [GH-12377]
    • plugin/snowflake: Fixed bug where plugin would crash on 32 bit systems [GH-12378]
    • sdk/database: Fix a DeleteUser error message on the gRPC client. [GH-12351]
    • secrets/gcp: Fixes a potential panic in the service account policy rollback for rolesets. [GH-12379]
    • ui: Fixed api explorer routing bug [GH-12354]
    • ui: Fixes metrics page when read on counter config not allowed [GH-12348]
    • ui: fix issue where on MaskedInput on auth methods if tab it would clear the value. [GH-12409]

    v1.8.1

    1.8.1

    August 5th, 2021

    CHANGES:

    • go: Update go version to 1.16.6 [GH-12245]

    IMPROVEMENTS:

    • serviceregistration: add external-source: "vault" metadata value for Consul registration. [GH-12163]

    BUG FIXES:

    • auth/aws: Remove warning stating AWS Token TTL will be capped by the Default Lease TTL. [GH-12026]
    • auth/jwt: Fixes OIDC auth from the Vault UI when using form_post as the oidc_response_mode. [GH-12258]
    • core (enterprise): Disallow autogenerated licenses to be used in diagnose even when config is specified
    • core: fix byte printing for diagnose disk checks [GH-12229]
    • identity: do not allow a role's token_ttl to be longer than the signing key's verification_ttl [GH-12151]

    v1.8.0

    1.8.0

    July 28th, 2021

    CHANGES:

    • agent: Errors in the template engine will no longer cause agent to exit unless explicitly defined to do so. A new configuration parameter,

    ... (truncated)

    Changelog

    Sourced from github.com/hashicorp/vault/api's changelog.

    1.8.2

    26 August 2021

    CHANGES:

    • Alpine: Docker images for Vault 1.6.6+, 1.7.4+, and 1.8.2+ are built with Alpine 3.14, due to CVE-2021-36159
    • go: Update go version to 1.16.7 [GH-12408]

    BUG FIXES:

    • auth/aws: Fixes ec2 login no longer supporting DSA signature verification [GH-12340]
    • cli: vault debug now puts newlines after every captured log line. [GH-12175]
    • database/couchbase: change default template to truncate username at 128 characters [GH-12300]
    • identity: Fix a panic on arm64 platform when doing identity I/O. [GH-12371]
    • physical/raft: Fix safeio.Rename error when restoring snapshots on windows [GH-12377]
    • plugin/snowflake: Fixed bug where plugin would crash on 32 bit systems [GH-12378]
    • sdk/database: Fix a DeleteUser error message on the gRPC client. [GH-12351]
    • secrets/gcp: Fixes a potential panic in the service account policy rollback for rolesets. [GH-12379]
    • ui: Fixed api explorer routing bug [GH-12354]
    • ui: Fixes metrics page when read on counter config not allowed [GH-12348]
    • ui: fix issue where on MaskedInput on auth methods if tab it would clear the value. [GH-12409]

    1.8.1

    August 5th, 2021

    CHANGES:

    • go: Update go version to 1.16.6 [GH-12245]

    IMPROVEMENTS:

    • serviceregistration: add external-source: "vault" metadata value for Consul registration. [GH-12163]

    BUG FIXES:

    • auth/aws: Remove warning stating AWS Token TTL will be capped by the Default Lease TTL. [GH-12026]
    • auth/jwt: Fixes OIDC auth from the Vault UI when using form_post as the oidc_response_mode. [GH-12258]
    • core (enterprise): Disallow autogenerated licenses to be used in diagnose even when config is specified
    • core: fix byte printing for diagnose disk checks [GH-12229]
    • identity: do not allow a role's token_ttl to be longer than the signing key's verification_ttl [GH-12151]

    1.8.0

    July 28th, 2021

    CHANGES:

    • agent: Errors in the template engine will no longer cause agent to exit unless explicitly defined to do so. A new configuration parameter, exit_on_retry_failure, within the new top-level stanza, template_config, can be set to true in order to cause agent to exit. Note that for agent to exit if

    ... (truncated)

  • Bump github.com/stretchr/testify from 1.7.1 to 1.8.1

    Bumps github.com/stretchr/testify from 1.7.1 to 1.8.1.

  • Bump github.com/davidsbond/tailscale-client-go from 1.2.2 to 1.5.0

    Bumps github.com/davidsbond/tailscale-client-go from 1.2.2 to 1.5.0.

    Release notes

    Sourced from github.com/davidsbond/tailscale-client-go's releases.

    v1.5.0

    Full Changelog: https://github.com/davidsbond/tailscale-client-go/compare/v1.4.1...v1.5.0

    v1.4.1

    Full Changelog: https://github.com/davidsbond/tailscale-client-go/compare/v1.4.0...v1.4.1

    v1.4.0

    Full Changelog: https://github.com/davidsbond/tailscale-client-go/compare/v1.3.1...v1.4.0

    v1.3.1

    Full Changelog: https://github.com/davidsbond/tailscale-client-go/compare/v1.3.0...v1.3.1

    v1.3.0

    Full Changelog: https://github.com/davidsbond/tailscale-client-go/compare/v1.2.5...v1.3.0

    v1.2.5

    Full Changelog: https://github.com/davidsbond/tailscale-client-go/compare/v1.2.4...v1.2.5

    v1.2.4

    ... (truncated)

    Commits
    • c5c40c9 Add support for Tailscale SSH (#22)
    • 7d2065c Bump github.com/stretchr/testify from 1.7.2 to 1.7.4 (#21)
    • 04fd877 Do not attempt to standardise response bodies when we don't need to (#20)
    • fc53730 Move preauthorized to tailnet key (#19)
    • 964807b Bump github.com/stretchr/testify from 1.7.1 to 1.7.2 (#18)
    • f0d7764 Avoid using deprecated hujson API (#17)
    • eeb1d64 Adding auto approver fields (#16)
    • 931531d fix: allow for parsing json parsing when timestamps are empty (#15)
    • aeb163a Remove destination field from ACLTest type (#14)
    • b0ce196 Use correct type for ACL src field (#13)
    • Additional commits viewable in compare view
