fix(deps): update module github.com/hashicorp/vault/api to v1.12.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/hashicorp/vault/api	v1.11.0 -> v1.12.0

---

Release Notes

hashicorp/vault (github.com/hashicorp/vault/api)

v1.12.0

Compare Source

1.12.0

October 13, 2022

CHANGES:

• api: Exclusively use GET /sys/plugins/catalog endpoint for listing plugins, and add details field to list responses. [GH-17347]
• auth: GET /sys/auth/:name endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
• auth: GET /sys/auth endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
• auth: POST /sys/auth/:type endpoint response contains a warning for Deprecated auth methods. [GH-17058]
• auth: auth enable returns an error and POST /sys/auth/:type endpoint reports an error for Pending Removal auth methods. [GH-17005]
• core/entities: Fixed stranding of aliases upon entity merge, and require explicit selection of which aliases should be kept when some must be deleted [GH-16539]
• core: Bump Go version to 1.19.2.
• core: Validate input parameters for vault operator init command. Vault 1.12 CLI version is needed to run operator init now. [GH-16379]
• identity: a request to /identity/group that includes member_group_ids that contains a cycle will now be responded to with a 400 rather than 500 [GH-15912]
• licensing (enterprise): Terminated licenses will no longer result in shutdown. Instead, upgrades will not be allowed if the license termination time is before the build date of the binary.
• plugins: Add plugin version to auth register, list, and mount table [GH-16856]
• plugins: GET /sys/plugins/catalog/:type/:name endpoint contains deprecation status for builtin plugins. [GH-17077]
• plugins: GET /sys/plugins/catalog/:type/:name endpoint now returns an additional version field in the response data. [GH-16688]
• plugins: GET /sys/plugins/catalog/ endpoint contains deprecation status in detailed list. [GH-17077]
• plugins: GET /sys/plugins/catalog endpoint now returns an additional detailed field in the response data with a list of additional plugin metadata. [GH-16688]
• plugins: plugin info displays deprecation status for builtin plugins. [GH-17077]
• plugins: plugin list now accepts a -detailed flag, which display deprecation status and version info. [GH-17077]
• secrets/azure: Removed deprecated AAD graph API support from the secrets engine. [GH-17180]
• secrets: All database-specific (standalone DB) secrets engines are now marked Pending Removal. [GH-17038]
• secrets: GET /sys/mounts/:name endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
• secrets: GET /sys/mounts endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
• secrets: POST /sys/mounts/:type endpoint response contains a warning for Deprecated secrets engines. [GH-17058]
• secrets: secrets enable returns an error and POST /sys/mount/:type endpoint reports an error for Pending Removal secrets engines. [GH-17005]

FEATURES:

• GCP Cloud KMS support for managed keys: Managed keys now support using GCP Cloud KMS keys
• LDAP Secrets Engine: Adds the ldap secrets engine with service account check-out functionality for all supported schemas. [GH-17152]
• OCSP Responder: PKI mounts now have an OCSP responder that implements a subset of RFC6960, answering single serial number OCSP requests for a specific cluster's revoked certificates in a mount. [GH-16723]
• Redis DB Engine: Adding the new Redis database engine that supports the generation of static and dynamic user roles and root credential rotation on a stand alone Redis server. [GH-17070]
• Redis ElastiCache DB Plugin: Added Redis ElastiCache as a built-in plugin. [GH-17075]
• Secrets/auth plugin multiplexing: manage multiple plugin configurations with a single plugin process [GH-14946]
• Transform Key Import (BYOK): The transform secrets engine now supports importing keys for tokenization and FPE transformations
• HCP (enterprise): Adding foundational support for self-managed vault nodes to securely communicate with HashiCorp Cloud Platform as an opt-in feature
• ui: UI support for Okta Number Challenge. [GH-15998]

IMPROVEMENTS:

• :core/managed-keys (enterprise): Allow operators to specify PSS signatures and/or hash algorithm for the test/sign api
• activity (enterprise): Added new clients unit tests to test accuracy of estimates
• agent/auto-auth: Add exit_on_err which when set to true, will cause Agent to exit if any errors are encountered during authentication. [GH-17091]
• agent: Added disable_idle_connections configuration to disable leaving idle connections open in auto-auth, caching and templating. [GH-15986]
• agent: Added disable_keep_alives configuration to disable keep alives in auto-auth, caching and templating. [GH-16479]
• agent: JWT auto auth now supports a remove_jwt_after_reading config option which defaults to true. [GH-11969]
• agent: Send notifications to systemd on start and stop. [GH-9802]
• api/mfa: Add namespace path to the MFA read/list endpoint [GH-16911]
• api: Add a sentinel error for missing KV secrets [GH-16699]
• auth/alicloud: Enables AliCloud roles to be compatible with Vault's role based quotas. [GH-17251]
• auth/approle: SecretIDs can now be generated with an per-request specified TTL and num_uses.
  When either the ttl and num_uses fields are not specified, the role's configuration is used. [GH-14474]
• auth/aws: PKCS7 signatures will now use SHA256 by default in prep for Go 1.18 [GH-16455]
• auth/azure: Enables Azure roles to be compatible with Vault's role based quotas. [GH-17194]
• auth/cert: Add metadata to identity-alias [GH-14751]
• auth/cert: Operators can now specify a CRL distribution point URL, in which case the cert auth engine will fetch and use the CRL from that location rather than needing to push CRLs directly to auth/cert. [GH-17136]
• auth/cf: Enables CF roles to be compatible with Vault's role based quotas. [GH-17196]
• auth/gcp: Add support for GCE regional instance groups [GH-16435]
• auth/gcp: Updates dependencies: google.golang.org/api@v0.83.0, github.com/hashicorp/go-gcp-common@v0.8.0. [GH-17160]
• auth/jwt: Adds support for Microsoft US Gov L4 to the Azure provider for groups fetching. [GH-16525]
• auth/jwt: Improves detection of Windows Subsystem for Linux (WSL) for CLI-based logins. [GH-16525]
• auth/kerberos: add add_group_aliases config to include LDAP groups in Vault group aliases [GH-16890]
• auth/kerberos: add remove_instance_name parameter to the login CLI and the Kerberos config in Vault. This removes any instance names found in the keytab service principal name. [GH-16594]
• auth/kubernetes: Role resolution for K8S Auth [GH-156] [GH-17161]
• auth/oci: Add support for role resolution. [GH-17212]
• auth/oidc: Adds support for group membership parsing when using SecureAuth as an OIDC provider. [GH-16274]
• cli: CLI commands will print a warning if flags will be ignored because they are passed after positional arguments. [GH-16441]
• cli: auth and secrets list -detailed commands now show Deprecation Status for builtin plugins. [GH-16849]
• cli: vault plugin list now has a details field in JSON format, and version and type information in table format. [GH-17347]
• command/audit: Improve missing type error message [GH-16409]
• command/server: add -dev-tls and -dev-tls-cert-dir subcommands to create a Vault dev server with generated certificates and private key. [GH-16421]
• command: Fix shell completion for KV v2 mounts [GH-16553]
• core (enterprise): Add HTTP PATCH support for namespaces with an associated namespace patch CLI command
• core (enterprise): Add check to vault server command to ensure configured storage backend is supported.
• core (enterprise): Add custom metadata support for namespaces
• core/activity: generate hyperloglogs containing clientIds for each month during precomputation [GH-16146]
• core/activity: refactor activity log api to reuse partial api functions in activity endpoint when current month is specified [GH-16162]
• core/activity: use monthly hyperloglogs to calculate new clients approximation for current month [GH-16184]
• core/quotas (enterprise): Added ability to add path suffixes for lease-count resource quotas
• core/quotas (enterprise): Added ability to add role information for lease-count resource quotas, to limit login requests on auth mounts made using that role
• core/quotas: Added ability to add path suffixes for rate-limit resource quotas [GH-15989]
• core/quotas: Added ability to add role information for rate-limit resource quotas, to limit login requests on auth mounts made using that role [GH-16115]
• core: Activity log goroutine management improvements to allow tests to be more deterministic. [GH-17028]
• core: Add sys/loggers and sys/loggers/:name endpoints to provide ability to modify logging verbosity [GH-16111]
• core: Handle and log deprecated builtin mounts. Introduces VAULT_ALLOW_PENDING_REMOVAL_MOUNTS to override shutdown and error when attempting to mount Pending Removal builtin plugins. [GH-17005]
• core: Limit activity log client count usage by namespaces [GH-16000]
• core: Upgrade github.com/hashicorp/raft [GH-16609]
• core: remove gox [GH-16353]
• docs: Clarify the behaviour of local mounts in the context of DR replication [GH-16218]
• identity/oidc: Adds support for detailed listing of clients and providers. [GH-16567]
• identity/oidc: Adds the client_secret_post token endpoint authentication method. [GH-16598]
• identity/oidc: allows filtering the list providers response by an allowed_client_id [GH-16181]
• identity: Prevent possibility of data races on entity creation. [GH-16487]
• physical/postgresql: pass context to queries to propagate timeouts and cancellations on requests. [GH-15866]
• plugins/multiplexing: Added multiplexing support to database plugins if run as external plugins [GH-16995]
• plugins: Add Deprecation Status method to builtinregistry. [GH-16846]
• plugins: Added environment variable flag to opt-out specific plugins from multiplexing [GH-16972]
• plugins: Adding version to plugin GRPC interface [GH-17088]
• plugins: Plugin catalog supports registering and managing plugins with semantic version information. [GH-16688]
• replication (enterprise): Fix race in merkle sync that can prevent streaming by returning key value matching provided hash if found in log shipper buffer.
• secret/nomad: allow reading CA and client auth certificate from /nomad/config/access [GH-15809]
• secret/pki: Add RSA PSS signature support for issuing certificates, signing CRLs [GH-16519]
• secret/pki: Add signature_bits to sign-intermediate, sign-verbatim endpoints [GH-16124]
• secret/pki: Allow issuing certificates with non-domain, non-email Common Names from roles, sign-verbatim, and as issuers (cn_validations). [GH-15996]
• secret/pki: Allow specifying SKID for cross-signed issuance from older Vault versions. [GH-16494]
• secret/transit: Allow importing Ed25519 keys from PKCS#8 with inner RFC 5915 ECPrivateKey blobs (NSS-wrapped keys). [GH-15742]
• secrets/ad: set config default length only if password_policy is missing [GH-16140]
• secrets/azure: Adds option to permanently delete AzureAD objects created by Vault. [GH-17045]
• secrets/database/hana: Add ability to customize dynamic usernames [GH-16631]
• secrets/database/snowflake: Add multiplexing support [GH-17159]
• secrets/gcp: Updates dependencies: google.golang.org/api@v0.83.0, github.com/hashicorp/go-gcp-common@v0.8.0. [GH-17174]
• secrets/gcpkms: Update dependencies: google.golang.org/api@v0.83.0. [GH-17199]
• secrets/kubernetes: upgrade to v0.2.0 [GH-17164]
• secrets/pki/tidy: Add another pair of metrics counting certificates not deleted by the tidy operation. [GH-16702]
• secrets/pki: Add a new flag to issue/sign APIs which can filter out root CAs from the returned ca_chain field [GH-16935]
• secrets/pki: Add a warning to any successful response when the requested TTL is overwritten by MaxTTL [GH-17073]
• secrets/pki: Add ability to cancel tidy operations, control tidy resource usage. [GH-16958]
• secrets/pki: Add ability to periodically rebuild CRL before expiry [GH-16762]
• secrets/pki: Add ability to periodically run tidy operations to remove expired certificates. [GH-16900]
• secrets/pki: Add support for per-issuer Authority Information Access (AIA) URLs [GH-16563]
• secrets/pki: Add support to specify signature bits when generating CSRs through intermediate/generate apis [GH-17388]
• secrets/pki: Added gauge metrics "secrets.pki.total_revoked_certificates_stored" and "secrets.pki.total_certificates_stored" to track the number of certificates in storage. [GH-16676]
• secrets/pki: Allow revocation of certificates with explicitly provided certificate (bring your own certificate / BYOC). [GH-16564]
• secrets/pki: Allow revocation via proving possession of certificate's private key [GH-16566]
• secrets/pki: Allow tidy to associate revoked certs with their issuers for OCSP performance [GH-16871]
• secrets/pki: Honor If-Modified-Since header on CA, CRL fetch; requires passthrough_request_headers modification on the mount point. [GH-16249]
• secrets/pki: Improve stability of association of revoked cert with its parent issuer; when an issuer loses crl-signing usage, do not place certs on default issuer's CRL. [GH-16874]
• secrets/pki: Support generating delta CRLs for up-to-date CRLs when auto-building is enabled. [GH-16773]
• secrets/ssh: Add allowed_domains_template to allow templating of allowed_domains. [GH-16056]
• secrets/ssh: Allow additional text along with a template definition in defaultExtension value fields. [GH-16018]
• secrets/ssh: Allow the use of Identity templates in the default_user field [GH-16351]
• secrets/transit: Add a dedicated HMAC key type, which can be used with key import. [GH-16668]
• secrets/transit: Added a parameter to encrypt/decrypt batch operations to allow the caller to override the HTTP response code in case of partial user-input failures. [GH-17118]
• secrets/transit: Allow configuring the possible salt lengths for RSA PSS signatures. [GH-16549]
• ssh: Addition of an endpoint ssh/issue/:role to allow the creation of signed key pairs [GH-15561]
• storage/cassandra: tuning parameters for clustered environments connection_timeout, initial_connection_timeout, simple_retry_policy_retries. [GH-10467]
• storage/gcs: Add documentation explaining how to configure the gcs backend using environment variables instead of options in the configuration stanza [GH-14455]
• ui: Changed the tokenBoundCidrs tooltip content to clarify that comma separated values are not accepted in this field. [GH-15852]
• ui: Prevents requests to /sys/internal/ui/resultant-acl endpoint when unauthenticated [GH-17139]
• ui: Removed deprecated version of core-js 2.6.11 [GH-15898]
• ui: Renamed labels under Tools for wrap, lookup, rewrap and unwrap with description. [GH-16489]
• ui: Replaces non-inclusive terms [GH-17116]
• ui: redirect_to param forwards from auth route when authenticated [GH-16821]
• website/docs: API generate-recovery-token documentation. [GH-16213]
• website/docs: Add documentation around the expensiveness of making lots of lease count quotas in a short period [GH-16950]
• website/docs: Removes mentions of unauthenticated from internal ui resultant-acl doc [GH-17139]
• website/docs: Update replication docs to mention Integrated Storage [GH-16063]
• website/docs: changed to echo for all string examples instead of (<<<) here-string. [GH-9081]

BUG FIXES:

• agent/template: Fix parsing error for the exec stanza [GH-16231]
• agent: Agent will now respect max_retries retry configuration even when caching is set. [GH-16970]
• agent: Update consul-template for pkiCert bug fixes [GH-16087]
• api/sys/internal/specs/openapi: support a new "dynamic" query parameter to generate generic mountpaths [GH-15835]
• api: Fixed erroneous warnings of unrecognized parameters when unwrapping data. [GH-16794]
• api: Fixed issue with internal/ui/mounts and internal/ui/mounts/(?P.+) endpoints where it was not properly handling /auth/ [GH-15552]
• api: properly handle switching to/from unix domain socket when changing client address [GH-11904]
• auth/cert: Vault does not initially load the CRLs in cert auth unless the read/write CRL endpoint is hit. [GH-17138]
• auth/kerberos: Maintain headers set by the client [GH-16636]
• auth/kubernetes: Restore support for JWT signature algorithm ES384 [GH-160] [GH-17161]
• auth/token: Fix ignored parameter warnings for valid parameters on token create [GH-16938]
• command/debug: fix bug where monitor was not honoring configured duration [GH-16834]
• core (enterprise): Fix bug where wrapping token lookup does not work within namespaces. [GH-15583]
• core (enterprise): Fix creation of duplicate entities via alias metadata changes on local auth mounts.
• core/auth: Return a 403 instead of a 500 for a malformed SSCT [GH-16112]
• core/identity: Replicate member_entity_ids and policies in identity/group across nodes identically [GH-16088]
• core/license (enterprise): Always remove stored license and allow unseal to complete when license cleanup fails
• core/managed-keys (enterprise): fix panic when having cache_disable true
• core/quotas (enterprise): Fixed issue with improper counting of leases if lease count quota created after leases
• core/quotas: Added globbing functionality on the end of path suffix quota paths [GH-16386]
• core/quotas: Fix goroutine leak caused by the seal process not fully cleaning up Rate Limit Quotas. [GH-17281]
• core/replication (enterprise): Don't flush merkle tree pages to disk after losing active duty
• core/seal: Fix possible keyring truncation when using the file backend. [GH-15946]
• core: Fix panic when the plugin catalog returns neither a plugin nor an error. [GH-17204]
• core: Fixes parsing boolean values for ha_storage backends in config [GH-15900]
• core: Increase the allowed concurrent gRPC streams over the cluster port. [GH-16327]
• core: Prevent two or more DR failovers from invalidating SSCT tokens generated on the previous primaries. [GH-16956]
• database: Invalidate queue should cancel context first to avoid deadlock [GH-15933]
• debug: Fix panic when capturing debug bundle on Windows [GH-14399]
• debug: Remove extra empty lines from vault.log when debug command is run [GH-16714]
• identity (enterprise): Fix a data race when creating an entity for a local alias.
• identity/oidc: Adds claims_supported to discovery document. [GH-16992]
• identity/oidc: Change the state parameter of the Authorization Endpoint to optional. [GH-16599]
• identity/oidc: Detect invalid redirect_uri values sooner in validation of the Authorization Endpoint. [GH-16601]
• identity/oidc: Fixes validation of the request and request_uri parameters. [GH-16600]
• openapi: Fixed issue where information about /auth/token endpoints was not present with explicit policy permissions [GH-15552]
• plugin/multiplexing: Fix panic when id doesn't exist in connection map [GH-16094]
• plugin/secrets/auth: Fix a bug with aliased backends such as aws-ec2 or generic [GH-16673]
• plugins: Corrected the path to check permissions on when the registered plugin name does not match the plugin binary's filename. [GH-17340]
• quotas/lease-count: Fix lease-count quotas on mounts not properly being enforced when the lease generating request is a read [GH-15735]
• replication (enterprise): Fix data race in SaveCheckpoint()
• replication (enterprise): Fix data race in saveCheckpoint.
• replication (enterprise): Fix possible data race during merkle diff/sync
• secret/pki: Do not fail validation with a legacy key_bits default value and key_type=any when signing CSRs [GH-16246]
• secrets/database: Fix a bug where the secret engine would queue up a lot of WAL deletes during startup. [GH-16686]
• secrets/gcp: Fixes duplicate static account key creation from performance secondary clusters. [GH-16534]
• secrets/kv: Fix kv get issue preventing the ability to read a secret when providing a leading slash [GH-16443]
• secrets/pki: Allow import of issuers without CRLSign KeyUsage; prohibit setting crl-signing usage on such issuers [GH-16865]
• secrets/pki: Do not ignore provided signature bits value when signing intermediate and leaf certificates with a managed key [GH-17328]
• secrets/pki: Do not read revoked certificates from backend when CRL is disabled [GH-17385]
• secrets/pki: Fix migration to properly handle mounts that contain only keys, no certificates [GH-16813]
• secrets/pki: Ignore EC PARAMETER PEM blocks during issuer import (/config/ca, /issuers/import/*, and /intermediate/set-signed) [GH-16721]
• secrets/pki: LIST issuers endpoint is now unauthenticated. [GH-16830]
• secrets/transform (enterprise): Fix an issue loading tokenization transform configuration after a specific sequence of reconfigurations.
• secrets/transform (enterprise): Fix persistence problem with tokenization store credentials.
• storage/raft (enterprise): Fix some storage-modifying RPCs used by perf standbys that weren't returning the resulting WAL state.
• storage/raft (enterprise): Prevent unauthenticated voter status change with rejoin [GH-16324]
• storage/raft: Fix retry_join initialization failure [GH-16550]
• storage/raft: Nodes no longer get demoted to nonvoter if we don't know their version due to missing heartbeats. [GH-17019]
• ui/keymgmt: Sets the defaultValue for type when creating a key. [GH-17407]
• ui: Fix OIDC callback to accept namespace flag in different formats [GH-16886]
• ui: Fix info tooltip submitting form [GH-16659]
• ui: Fix issue logging in with JWT auth method [GH-16466]
• ui: Fix lease force revoke action [GH-16930]
• ui: Fix naming of permitted_dns_domains form parameter on CA creation (root generation and sign intermediate). [GH-16739]
• ui: Fixed bug where red spellcheck underline appears in sensitive/secret kv values when it should not appear [GH-15681]
• ui: Fixes secret version and status menu links transitioning to auth screen [GH-16983]
• ui: OIDC login type uses localStorage instead of sessionStorage [GH-16170]
• vault: Fix a bug where duplicate policies could be added to an identity group. [GH-15638]

---

Configuration

📅 Schedule: Branch creation - "after 1am on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠ Warning: custom changes will be lost.