chore(deps): update dependency hashicorp/vault to v1.15.0

[renovate]

This PR contains the following updates:

Package	Update	Change
hashicorp/vault	minor	v1.14.3 -> v1.15.0

---

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.

---

Release Notes

hashicorp/vault (hashicorp/vault)

v1.15.0

Compare Source

1.15.0

September 27, 2023

SECURITY:

• secrets/transit: fix a regression that was honoring nonces provided in non-convergent modes during encryption. [GH-22852]

CHANGES:

• auth/alicloud: Update plugin to v0.16.0 [GH-22646]
• auth/azure: Update plugin to v0.16.0 [GH-22277]
• auth/azure: Update plugin to v0.16.1 [GH-22795]
• auth/azure: Update plugin to v0.16.2 [GH-23060]
• auth/cf: Update plugin to v0.15.1 [GH-22758]
• auth/gcp: Update plugin to v0.16.1 [GH-22612]
• auth/jwt: Update plugin to v0.17.0 [GH-22678]
• auth/kerberos: Update plugin to v0.10.1 [GH-22797]
• auth/kubernetes: Update plugin to v0.17.0 [GH-22709]
• auth/kubernetes: Update plugin to v0.17.1 [GH-22879]
• auth/ldap: Normalize HTTP response codes when invalid credentials are provided [GH-21282]
• auth/oci: Update plugin to v0.14.2 [GH-22805]
• core (enterprise): Ensure Role Governing Policies are only applied down the namespace hierarchy
• core/namespace (enterprise): Introduce the concept of high-privilege namespace (administrative namespace),
  which will have access to some system backend paths that were previously only accessible in the root namespace. [GH-21215]
• core: Bump Go version to 1.21.1.
• database/couchbase: Update plugin to v0.9.3 [GH-22854]
• database/couchbase: Update plugin to v0.9.4 [GH-22871]
• database/elasticsearch: Update plugin to v0.13.3 [GH-22696]
• database/mongodbatlas: Update plugin to v0.10.1 [GH-22655]
• database/redis-elasticache: Update plugin to v0.2.2 [GH-22584]
• database/redis-elasticache: Update plugin to v0.2.3 [GH-22598]
• database/redis: Update plugin to v0.2.2 [GH-22654]
• database/snowflake: Update plugin to v0.9.0 [GH-22516]
• events: Log level for processing an event dropped from info to debug. [GH-22997]
• events: data_path will include full data path of secret, including name. [GH-22487]
• replication (enterprise): Switch to non-deprecated gRPC field for resolver target host
• sdk/logical/events: EventSender interface method is now SendEvent instead of Send. [GH-22487]
• secrets/ad: Update plugin to v0.16.1 [GH-22856]
• secrets/alicloud: Update plugin to v0.15.1 [GH-22533]
• secrets/azure: Update plugin to v0.16.2 [GH-22799]
• secrets/azure: Update plugin to v0.16.3 [GH-22824]
• secrets/gcp: Update plugin to v0.17.0 [GH-22746]
• secrets/gcpkms: Update plugin to v0.15.1 [GH-22757]
• secrets/keymgmt: Update plugin to v0.9.3
• secrets/kubernetes: Update plugin to v0.6.0 [GH-22823]
• secrets/kv: Update plugin to v0.16.1 [GH-22716]
• secrets/mongodbatlas: Update plugin to v0.10.1 [GH-22748]
• secrets/openldap: Update plugin to v0.11.2 [GH-22734]
• secrets/terraform: Update plugin to v0.7.3 [GH-22907]
• secrets/transform (enterprise): Enforce a transformation role's max_ttl setting on encode requests, a warning will be returned if max_ttl was applied.
• storage/aerospike: Aerospike storage shouldn't be used on 32-bit architectures and is now unsupported on them. [GH-20825]
• telemetry: Replace vault.rollback.attempt.{MOUNT_POINT} and vault.route.rollback.{MOUNT_POINT} metrics with vault.rollback.attempt and vault.route.rollback metrics by default. Added a telemetry configuration add_mount_point_rollback_metrics which, when set to true, causes vault to emit the metrics with mount points in their names. [GH-22400]

FEATURES:

• Certificate Issuance External Policy Service (CIEPS) (enterprise): Allow highly-customizable operator control of certificate validation and generation through the PKI Secrets Engine.
• Copyable KV v2 paths in UI: KV v2 secret paths are copyable for use in CLI commands or API calls [GH-22551]
• Dashboard UI: Dashboard is now available in the UI as the new landing page. [GH-21057]
• Database Static Role Advanced TTL Management: Adds the ability to rotate
• Event System: Add subscribe capability and subscribe_event_types to policies for events. [GH-22474]
  static roles on a defined schedule. [GH-22484]
• GCP IAM Support: Adds support for IAM-based authentication to MySQL and PostgreSQL backends using Google Cloud SQL. [GH-22445]
• Improved KV V2 UI: Updated and restructured secret engine for KV (version 2 only) [GH-22559]
• Merkle Tree Corruption Detection (enterprise): Add a new endpoint to check merkle tree corruption.
• Plugin Containers: Vault supports registering, managing, and running plugins inside a container on Linux. [GH-22712]
• SAML Auth Method (enterprise): Enable users to authenticate with Vault using their identity in a SAML Identity Provider.
• Seal High Availability Beta (enterprise): operators can try out configuring more than one automatic seal for resilience against seal provider outages. Not for production use at this time.
• Secrets Sync (enterprise): Add the ability to synchronize KVv2 secret with external secrets manager solutions.
• UI LDAP secrets engine: Add LDAP secrets engine to the UI. [GH-20790]

IMPROVEMENTS:

• Bump github.com/hashicorp/go-plugin version v1.4.9 -> v1.4.10 [GH-20966]
• api: add support for cloning a Client's tls.Config. [GH-21424]
• api: adding a new api sys method for replication status [GH-20995]
• audit: add core audit events experiment [GH-21628]
• auth/aws: Added support for signed GET requests for authenticating to vault using the aws iam method. [GH-10961]
• auth/azure: Add support for azure workload identity authentication (see issue
  #​18257). Update go-kms-wrapping dependency to include PR
  #​155 [GH-22994]
• auth/azure: Added Azure API configurable retry options [GH-23059]
• auth/cert: Adds support for requiring hexadecimal-encoded non-string certificate extension values [GH-21830]
• auth/ldap: improved login speed by adding concurrency to LDAP token group searches [GH-22659]
• auto-auth/azure: Added Azure Workload Identity Federation support to auto-auth (for Vault Agent and Vault Proxy). [GH-22264]
• auto-auth: added support for LDAP auto-auth [GH-21641]
• aws/auth: Adds a new config field use_sts_region_from_client which allows for using dynamic regional sts endpoints based on Authorization header when using IAM-based authentication. [GH-21960]
• command/server: add -dev-tls-san flag to configure subject alternative names for the certificate generated when using -dev-tls. [GH-22657]
• core (ent) : Add field that allows lease-count namespace quotas to be inherited by child namespaces.
• core : Add field that allows rate-limit namespace quotas to be inherited by child namespaces. [GH-22452]
• core/fips: Add RPM, DEB packages of FIPS 140-2 and HSM+FIPS 140-2 Vault Enterprise.
• core/quotas: Add configuration to allow skipping of expensive role calculations [GH-22651]
• core: Add a new periodic metric to track the number of available policies, vault.policy.configured.count. [GH-21010]
• core: Fix OpenAPI representation and -output-policy recognition of some non-standard sudo paths [GH-21772]
• core: Fix regexes for sys/raw/ and sys/leases/lookup/ to match prevailing conventions [GH-21760]
• core: Log rollback manager failures during unmount, remount to prevent replication failures on secondary clusters. [GH-22235]
• core: Use a worker pool for the rollback manager. Add new metrics for the rollback manager to track the queued tasks. [GH-22567]
• core: add a listener configuration "chroot_namespace" that forces requests to use a namespace hierarchy [GH-22304]
• core: add a listener configuration "chroot_namespace" that forces requests to use a namespace hierarchy
• core: remove unnecessary *BarrierView field from backendEntry struct [GH-20933]
• core: use Go stdlib functionalities instead of explicit byte/string conversions [GH-21854]
• docs: Clarify when a entity is created [GH-22233]
• eventbus: updated go-eventlogger library to allow removal of nodes referenced by pipelines (used for subscriptions) [GH-21623]
• events: Allow subscriptions to multiple namespaces [GH-22540]
• events: Enabled by default [GH-22815]
• events: WebSocket subscriptions add support for boolean filter expressions [GH-22835]
• framework: Make it an error for CreateOperation to be defined without an ExistenceCheck, thereby fixing misleading x-vault-createSupported in OpenAPI [GH-18492]
• kmip (enterprise): Add namespace lock and unlock support [GH-21925]
• openapi: Better mount points for kv-v1 and kv-v2 in openapi.json [GH-21563]
• openapi: Fix generated types for duration strings [GH-20841]
• openapi: Fix generation of correct fields in some rarer cases [GH-21942]
• openapi: Fix response definitions for list operations [GH-21934]
• openapi: List operations are now given first-class representation in the OpenAPI document, rather than sometimes being overlaid with a read operation at the same path [GH-21723]
• plugins: Containerized plugins can be configured to still work when running with systemd's PrivateTmp=true setting. [GH-23215]
• replication (enterprise): Avoid logging warning if request is forwarded from a performance standby and not a performance secondary
• replication (enterprise): Make reindex less disruptive by allowing writes during the flush phase.
• sdk/framework: Adds replication state helper for backends to check for read-only storage [GH-21743]
• secrets/database: Improves error logging for static role rotations by including the database and role names. [GH-22253]
• secrets/db: Remove the service_account_json parameter when reading DB connection details [GH-23256]
• secrets/pki: Add a parameter to allow ExtKeyUsage field usage from a role within ACME. [GH-21702]
• secrets/transform (enterprise): Switch to pgx PostgreSQL driver for better timeout handling
• secrets/transit: Add support to create CSRs from keys in transit engine and import/export x509 certificates [GH-21081]
• storage/dynamodb: Added three permit pool metrics for the DynamoDB backend, pending_permits, active_permits, and pool_size. [GH-21742]
• storage/etcd: Make etcd parameter MaxCallSendMsgSize configurable [GH-12666]
• storage/raft: Cap the minimum dead_server_last_contact_threshold to 1m. [GH-22040]
• sys/metrics (enterprise): Adds a gauge metric that tracks whether enterprise builtin secret plugins are enabled. [GH-21681]
• ui: Add API Explorer link to Sidebar, under Tools. [GH-21578]
• ui: Add pagination to PKI roles, keys, issuers, and certificates list pages [GH-23193]
• ui: Added allowed_domains_template field for CA type role in SSH engine [GH-23119]
• ui: Adds mount configuration details to Kubernetes secrets engine configuration view [GH-22926]
• ui: Adds tidy_revoked_certs to PKI tidy status page [GH-23232]
• ui: Adds warning before downloading KV v2 secret values [GH-23260]
• ui: Display minus icon for empty MaskedInput value. Show MaskedInput for KV secrets without values [GH-22039]
• ui: JSON diff view available in "Create New Version" form for KV v2 [GH-22593]
• ui: KV View Secret card will link to list view if input ends in "/" [GH-22502]
• ui: Move access to KV V2 version diff view to toolbar in Version History [GH-23200]
• ui: Update pki mount configuration details to match the new mount configuration details pattern [GH-23166]
• ui: add example modal to policy form [GH-21583]
• ui: adds allowed_user_ids field to create role form and user_ids to generate certificates form in pki [GH-22191]
• ui: display CertificateCard instead of MaskedInput for certificates in PKI [GH-22160]
• ui: enables create and update KV secret workflow when control group present [GH-22471]
• ui: implement hashicorp design system alert component [GH-21375]
• ui: update detail views that render ttl durations to display full unit instead of letter (i.e. 'days' instead of 'd') [GH-20697]
• ui: update unseal and DR operation token flow components [GH-21871]
• ui: upgrade Ember to 4.12 [GH-22122]

DEPRECATIONS:

• auth/centrify: Centrify plugin is deprecated as of 1.15, slated for removal in 1.17 [GH-23050]

BUG FIXES:

• activity (enterprise): Fix misattribution of entities to no or child namespace auth methods [GH-18809]
• agent: Environment variable VAULT_CACERT_BYTES now works for Vault Agent templates. [GH-22322]
• agent: Fix "generate-config" command documentation URL [GH-21466]
• api/client: Fix deadlock in client.CloneWithHeaders when used alongside other client methods. [GH-22410]
• api: Fix breakage with UNIX domain socket addresses introduced by newest Go versions as a security fix. [GH-22523]
• audit: Prevent panic due to nil pointer receiver for audit header formatting. [GH-22694]
• auth/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [GH-21800]
• auth/token, sys: Fix path-help being unavailable for some list-only endpoints [GH-18571]
• auth/token: Fix parsing of auth/token/create fields to avoid incorrect warnings about ignored parameters [GH-18556]
• awsutil: Update awsutil to v0.2.3 to fix a regression where Vault no longer
  respects AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE, and AWS_ROLE_SESSION_NAME. [GH-21951]
• cli: Avoid printing "Success" message when -field flag is provided during a vault write. [GH-21546]
• cli: Fix the CLI failing to return wrapping information for KV PUT and PATCH operations when format is set to table. [GH-22818]
• core (enterprise): Fix sentinel policy check logic so that sentinel
  policies are not used when Sentinel feature isn't licensed.
• core (enterprise): Remove MFA Configuration for namespace when deleting namespace
• core/managed-keys (enterprise): Allow certain symmetric PKCS#11 managed key mechanisms (AES CBC with and without padding) to operate without an HMAC.
• core/metrics: vault.raft_storage.bolt.write.time should be a counter not a summary [GH-22468]
• core/quotas (enterprise): Fix a case where we were applying login roles to lease count quotas in a non-login context.
  Also fix a related potential deadlock. [GH-21110]
• core/quotas: Only perform ResolveRoleOperation for role-based quotas and lease creation. [GH-22597]
• core/quotas: Reduce overhead for role calculation when using cloud auth methods. [GH-22583]
• core: Remove "expiration manager is nil on tokenstore" error log for unauth requests on DR secondary as they do not have expiration manager. [GH-22137]
• core: All subloggers now reflect configured log level on reload. [GH-22038]
• core: Fix bug where background thread to update locked user entries runs on DR secondaries. [GH-22355]
• core: Fix readonly errors that could occur while loading mounts/auths during unseal [GH-22362]
• core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [GH-21470]
• core: Fixed issue with some durations not being properly parsed to include days. [GH-21357]
• core: Fixes list password policy to include those with names containing / characters. [GH-23155]
• core: fix race when updating a mount's route entry tainted status and incoming requests [GH-21640]
• docs: fix wrong api path for ldap secrets cli-commands [GH-23225]
• events: Ensure subscription resources are cleaned up on close. [GH-23042]
• expiration: Fix a deadlock that could occur when a revocation failure happens while restoring leases on startup. [GH-22374]
• identity/mfa: Fixes to OpenAPI representation and returned error codes for identity/mfa/method/* APIs [GH-20879]
• identity: Remove caseSensitivityKey to prevent errors while loading groups which could result in missing groups in memDB when duplicates are found. [GH-20965]
• license: Add autoloaded license path to the cache exempt list. This is to ensure the license changes on the active node is observed on the perfStandby node. [GH-22363]
• openapi: Fix response schema for PKI Issue requests [GH-21449]
• openapi: Fix schema definitions for PKI EAB APIs [GH-21458]
• plugins: Containerized plugins can be run with mlock enabled. [GH-23215]
• plugins: Fix instance where Vault could fail to kill broken/unresponsive plugins. [GH-22914]
• plugins: Fix instance where broken/unresponsive plugins could cause Vault to hang. [GH-22914]
• plugins: Runtime catalog returns 404 instead of 500 when reading a runtime that does not exist [GH-23171]
• plugins: vault plugin runtime list can successfully list plugin runtimes with GET [GH-23171]
• raft/autopilot: Add dr-token flag for raft autopilot cli commands [GH-21165]
• replication (enterprise): Fix bug sync invalidate CoreReplicatedClusterInfoPath
• replication (enterprise): Fix discovery of bad primary cluster addresses to be more reliable
• replication (enterprise): Fix panic when update-primary was called on demoted clusters using update_primary_addrs
• replication (enterprise): Fixing a bug by which the atomicity of a merkle diff result could be affected. This means it could be a source of a merkle-diff & sync process failing to switch into stream-wal mode afterwards.
• replication (enterprise): Sort cluster addresses returned by echo requests, so that primary-addrs only gets persisted when the
  set of addrs changes.
• replication (enterprise): update primary cluster address after DR failover
• sdk/ldaputil: Properly escape user filters when using UPN domains
  sdk/ldaputil: use EscapeLDAPValue implementation from cap/ldap [GH-22249]
• secrets/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [GH-21631]
• secrets/ldap: Fix bug causing schema and password_policy to be overwritten in config. [GH-22330]
• secrets/pki: Fix bug with ACME tidy, 'unable to determine acme base folder path'. [GH-21870]
• secrets/pki: Fix preserving acme_account_safety_buffer on config/auto-tidy. [GH-21870]
• secrets/pki: Fix removal of issuers to clean up unreferenced CRLs. [GH-23007]
• secrets/pki: Prevent deleted issuers from reappearing when migrating from a version 1 bundle to a version 2 bundle (versions including 1.13.0, 1.12.2, and 1.11.6); when managed keys were removed but referenced in the Vault 1.10 legacy CA bundle, this the error: no managed key found with uuid. [GH-21316]
• secrets/pki: allowed_domains are now compared in a case-insensitive manner if they use glob patterns [GH-22126]
• secrets/transform (enterprise): Batch items with repeated tokens in the tokenization decode api will now contain the decoded_value element
• secrets/transform (enterprise): Fix nil panic when deleting a template with tokenization transformations present
• secrets/transform (enterprise): Fix nil panic when encoding a tokenization transformation on a non-active node
• secrets/transform (enterprise): Grab shared locks for various read operations, only escalating to write locks if work is required
• secrets/transform (enterprise): Tidy operations will be re-scheduled at a minimum of every minute, not a maximum of every minute
• secrets/transit: fix panic when providing non-PEM formatted public key for import [GH-22753]
• serviceregistration: Fix bug where multiple nodes in a secondary cluster could be labelled active after updating the cluster's primary [GH-21642]
• storage/consul: Consul service registration tags are now case-sensitive. [GH-6483]
• storage/raft: Fix race where new follower joining can get pruned by dead server cleanup. [GH-20986]
• ui (enterprise): Fix error message when generating SSH credential with control group [GH-23025]
• ui: Adds missing values to details view after generating PKI certificate [GH-21635]
• ui: Fix blank page or ghost secret when canceling KV secret create [GH-22541]
• ui: Fix display for "Last Vault Rotation" timestamp for static database roles which was not rendering or copyable [GH-22519]
• ui: Fix styling for username input when editing a user [GH-21771]
• ui: Fix styling for viewing certificate in kubernetes configuration [GH-21968]
• ui: Fix the issue where confirm delete dropdown is being cut off [GH-23066]
• ui: Fixed an issue where editing an SSH role would clear default_critical_options and default_extension if left unchanged. [GH-21739]
• ui: Fixed secrets, leases, and policies filter dropping focus after a single character [GH-21767]
• ui: Fixes filter and search bug in secrets engines [GH-23123]
• ui: Fixes form field label tooltip alignment [GH-22832]
• ui: Fixes issue with certain navigational links incorrectly displaying in child namespaces [GH-21562]
• ui: Fixes login screen display issue with Safari browser [GH-21582]
• ui: Fixes problem displaying certificates issued with unsupported signature algorithms (i.e. ed25519) [GH-21926]
• ui: Fixes styling of private key input when configuring an SSH key [GH-21531]
• ui: Surface DOMException error when browser settings prevent localStorage. [GH-21503]
• ui: correct doctype for index.html [GH-22153]
• ui: don't exclude features present on license [GH-22855]
• ui: fixes max_versions default for secret metadata unintentionally overriding kv engine defaults [GH-22394]
• ui: fixes long namespace names overflow in the sidebar
• ui: fixes model defaults overwriting input value when user tries to clear form input [GH-22458]
• ui: fixes text readability issue in revoke token confirmation dialog [GH-22390]

v1.14.4

Compare Source

1.14.4

September 27, 2023

CHANGES:

• core (enterprise): Ensure Role Governing Policies are only applied down the namespace hierarchy

IMPROVEMENTS:

• ui: Add pagination to PKI roles, keys, issuers, and certificates list pages [GH-23193]
• ui: Added allowed_domains_template field for CA type role in SSH engine [GH-23119]
• ui: Adds tidy_revoked_certs to PKI tidy status page [GH-23232]
• ui: Adds warning before downloading KV v2 secret values [GH-23260]

BUG FIXES:

• core: Fixes list password policy to include those with names containing / characters. [GH-23155]
• docs: fix wrong api path for ldap secrets cli-commands [GH-23225]
• secrets/pki: Fix removal of issuers to clean up unreferenced CRLs. [GH-23007]
• ui (enterprise): Fix error message when generating SSH credential with control group [GH-23025]
• ui: Fix the issue where confirm delete dropdown is being cut off [GH-23066]
• ui: Fixes filter and search bug in secrets engines [GH-23123]
• ui: don't exclude features present on license [GH-22855]

---

Configuration

📅 Schedule: Branch creation - "before 9pm on friday" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.