chore(deps): bump github.com/openbao/openbao/api/v2 from 2.1.0 to 2.2.0

[dependabot]

Bumps github.com/openbao/openbao/api/v2 from 2.1.0 to 2.2.0.

Release notes

Sourced from github.com/openbao/openbao/api/v2's releases.

v2.2.0-beta20250213

New Features:

• ACME TLS Listener Certificate Provisioning: Automatically fetch TLS certificates for OpenBao Server's TCP listeners via an Automatic Certificate Management Environment (ACME - RFC 8555) capable certificate authority (CA). This allows OpenBao to be self-hosted, using a CA contained within the instance to sign the instance's own certificates. [GH-857]
• PKCS#11 Auto-Unseal: Add support for automatic unsealing of OpenBao using a PKCS#11-enabled Hardware Security Module (HSM) or Key Management System (KMS). [GH-889]
• Scanning: introduce the ability to recursively list (scan) within plugins, adding a separate scan ACL capability, operation type, HTTP verb (SCAN with GET fallback via ?scan=true), API, and CLI support. This also adds support to the KVv1 and KVv2 engines. [GH-763]
• Transit: Add support for key derivation mechansims (derives a new key from a base key).
  • This path uses the named base key and derivation algorithm specific parameters to derive a new named key.
  • Currently, only the ECDH key agreement algorithm is supported: the base key is one's own ECC private key and the "peer_public_key" is the pem-encoded other party's ECC public key.The computed shared secret is the resulting derived key. [GH-811]
• UI: Reintroduction of the WebUI. [GH-940]
• raft: Added support for nodes to join the Raft cluster as non-voters. [GH-741]

• Fix goreleaser prerelease status by @​cipherboy in openbao/openbao#713
• Get current time in each JWT leeway subtest by @​tsaarni in openbao/openbao#704
• [fix][inmem - Occasional logging after test finishes #702] by @​DrGabriel in openbao/openbao#703
• Update release checklist with v2.1.0-beta20241114 info by @​cipherboy in openbao/openbao#722
• Release notes v2.0.3 by @​cipherboy in openbao/openbao#729
• PKI: clarify usage of set-signed command by @​klaus-sap in openbao/openbao#723
• Bump @​docusaurus/module-type-aliases from 3.5.2 to 3.6.1 in /website by @​dependabot in openbao/openbao#689
• Bump @​docusaurus/plugin-sitemap from 3.5.2 to 3.6.1 in /website by @​dependabot in openbao/openbao#688
• Bump @​docusaurus/tsconfig from 3.5.2 to 3.6.1 in /website by @​dependabot in openbao/openbao#687
• Bump @​docusaurus/preset-classic from 3.5.2 to 3.6.1 in /website by @​dependabot in openbao/openbao#685
• Update website metadata by @​cipherboy in openbao/openbao#733
• Add version to download page, prerelease warning by @​cipherboy in openbao/openbao#732
• UI: Remove clients counts menu by @​bozzo in openbao/openbao#734
• UI: Remove Sentinel verifications in policy menu by @​bozzo in openbao/openbao#740
• Remove HCP Link status in UI by @​cipherboy in openbao/openbao#735
• Return certificate details in pki/certs/detailed endpoint by @​fatima2003 in openbao/openbao#680
• Replace myvault.com with example.com in tests by @​fatima2003 in openbao/openbao#748
• fit token to openbao format by @​rozkerim in openbao/openbao#751
• Allow listing prefixed policies by @​cipherboy in openbao/openbao#736
• Remove script for portablility by @​cipherboy in openbao/openbao#754
• PKI: improve error message when parsing PEM bundles by @​klaus-sap in openbao/openbao#760
• Add pagination to tidy by @​fatima2003 in openbao/openbao#678
• Ensure workflow runs against correct repository by @​cipherboy in openbao/openbao#761
• Remove usage of deprecated .Subjects() in test files by @​fatima2003 in openbao/openbao#765
• Bump go-kms-wrapping, openbao-template by @​cipherboy in openbao/openbao#771
• Add v2.1.0 to changelog, release notes, blog by @​cipherboy in openbao/openbao#773
• Allow Nodes to Join the Raft Cluster as Non-Voters by @​JanMa in openbao/openbao#741
• Add download link to v2.1.0 blog post by @​cipherboy in openbao/openbao#777
• UI: Remove Performance Secondary, Disaster Recovery replication by @​bozzo in openbao/openbao#782
• PKI: improve error message when parsing PEM bundles (2) by @​klaus-sap in openbao/openbao#786
• Replace Vault logo with Openbao in mfa- and oidc-landing page by @​jenrik in openbao/openbao#788
• Introduce HandleListPage Helper for Streamlined Pagination by @​fatima2003 in openbao/openbao#781
• Add test for Canonicalize by @​klaus-sap in openbao/openbao#790
• Test non-voters persist across leadership changes by @​JanMa in openbao/openbao#779

... (truncated)

Changelog

Sourced from github.com/openbao/openbao/api/v2's changelog.

2.2.0-beta20250213

February 13, 2025

CHANGES:

• command/server: Prevent and warn about loading of duplicate config file from config directory. [GH-816]
• container: Set -dev-no-store-token in default container images, fixing default read-only containers. [GH-826]
• core/seal: remove support for legacy pre-keyring barrier entries core/seal: remove support for legacy (direct) shamir unseal keys [GH-750]

FEATURES:

• ACME TLS Listener Certificate Provisioning: Automatically fetch TLS certificates for OpenBao Server's TCP listeners via an Automatic Certificate Management Environment (ACME - RFC 8555) capable certificate authority (CA). This allows OpenBao to be self-hosted, using a CA contained within the instance to sign the instance's own certificates. [GH-857]
• PKCS#11 Auto-Unseal: Add support for automatic unsealing of OpenBao using a PKCS#11-enabled Hardware Security Module (HSM) or Key Management System (KMS). [GH-889]
• Scanning: introduce the ability to recursively list (scan) within plugins, adding a separate scan ACL capability, operation type, HTTP verb (SCAN with GET fallback via ?scan=true), API, and CLI support. This also adds support to the KVv1 and KVv2 engines. [GH-763]
• Transit: Add support for key derivation mechansims (derives a new key from a base key).
  • This path uses the named base key and derivation algorithm specific parameters to derive a new named key.
  • Currently, only the ECDH key agreement algorithm is supported: the base key is one's own ECC private key and the "peer_public_key" is the pem-encoded other party's ECC public key.The computed shared secret is the resulting derived key. [GH-811]
• UI: Reintroduction of the WebUI. [GH-940]
• raft: Added support for nodes to join the Raft cluster as non-voters. [GH-741]

IMPROVEMENTS:

• audit: modify the hashWalker to handle nested structs without panicing [GH-887]
• auth: Use transactions for read-then-write methods in the credential package [GH-952]
• auth: Use transactions for write and delete config for various auth methods. [GH-878]
• core/mounts: Allow tuning HMAC request and response parameters on sys/, cubbyhole/, and identity/, enabling auditing of core policy changes. [GH-921]
• core/policies: Allow listing policies under a given prefix. [GH-736]
• core/policies: add pagination_limit to ACL policies for enforcing max pagination sizes. [GH-802]
• core: Bump to latest Go toolchain 1.24.0. [GH-1000]
• rabbitmq: Use transactions for read-then-write methods in the rabbitmq package [GH-997]
• secret/pki: Add new endpoint pki/certs/detailed to return detailed cert list. [GH-680]
• secret/pki: Add pagination to tidy operations for improved scalability in large certificate stores. [GH-678]
• secrets/kv: add a detailed-metadata/:prefix endpoint that supports listing entries along with their corresponding metadata in the detailed key_info response field [GH-766]
• transit: Use transactions for read + write policy operations [GH-956]
• ui: Remove client count menu [GH-734]

BUG FIXES:

• core-listener: Fix operator diagnose with unix-socker listener [GH-958]
• raft: Fix noisy warn on follower-less keyring rotation. [GH-937]
• secrets/pki: Fix bao pki health-check detection on non-pki mounts. [GH-935]

2.1.1

January 21, 2025

IMPROVEMENTS:

• core: Bump to latest Go toolchain 1.23.5. [GH-912]

Commits

• bf84bfe Add detailed metadata list to KV (#766)
• 4393480 Add pagination_limit to ACL policies (#802)
• 5897ade Add support for ECDH key agreement in Transit Secret Engine (#811)
• 4b15b37 Add transaction to rabbitmq module (#997)
• 969d3ee Set BAO_CONFIG_DIR to a default but let it be overridable. (#994)
• 1ee6f08 Auto-TLS listeners via ACME (#857)
• 51ca06b Add HSM build to release workflow (#945)
• 9ac8307 Bump ember-resolver from 8.0.3 to 13.1.0 in /ui (#983)
• 2366fff Bump @​typescript-eslint/eslint-plugin from 5.44.0 to 6.21.0 in /ui (#985)
• fb4a127 Update gofumpt tool dependency (#987)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)