Subject: CVS commit: pkgsrc/security/vault
From: Filip Hajny
Date: 2017-09-26 09:41:14
Message id: 20170926074114.E5907FA9C@cvs.NetBSD.org

Log Message:
Update security/vault to 0.8.3.

CHANGES:

- Policy input/output standardization: For all built-in authentication
  backends, policies can now be specified as a comma-delimited string or an
  array if using JSON as API input; on read, policies will be returned as an
  array; and the `default` policy will not be forcefully added to policies
  saved in configurations. Please note that the `default` policy will continue
  to be added to generated tokens, however, rather than backends adding
  `default` to the given set of input policies (in some cases, and not in
  others), the stored set will reflect the user-specified set.
- `sign-self-issued` modifies Issuer in generated certificates: In 0.8.2 the
  endpoint would not modify the Issuer in the generated certificate, leaving
  the output self-issued. Although theoretically valid, in practice crypto
  stacks were unhappy validating paths containing such certs. As a result,
  `sign-self-issued` now encodes the signing CA's Subject DN into the Issuer
  DN of the generated certificate.
- `sys/raw` requires enabling: While the `sys/raw` endpoint can be extremely
  useful in break-glass or support scenarios, it is also extremely dangerous.
  As of now, a configuration file option `raw_storage_endpoint` must be set in
  order to enable this API endpoint. Once set, the available functionality has
  been enhanced slightly; it now supports listing and decrypting most of
  Vault's core data structures, except for the encryption keyring itself.
- `generic` is now `kv`: To better reflect its actual use, the `generic`
  backend is now `kv`. Using `generic` will still work for backwards
  compatibility.

FEATURES:

- GCE Support for GCP Auth: GCE instances can now authenticate to Vault
  using machine credentials.
- Support for Kubernetes Service Account Auth: Kubernetes Service Accounts
  can now authenticate to vault using JWT tokens.

IMPROVEMENTS:

- configuration: Provide a config option to store Vault server's process ID
  (PID) in a file
- mfa (Enterprise): Add the ability to use identity metadata in username
  format
- mfa/okta (Enterprise): Add support for configuring base_url for API calls
- secret/pki: `sign-intermediate` will now allow specifying a `ttl` value
  longer than the signing CA certificate's NotAfter value.
- sys/raw: Raw storage access is now disabled by default

BUG FIXES:

- auth/okta: Fix regression that removed the ability to set base_url
- core: Fix panic while loading leases at startup on ARM processors
- secret/pki: Fix `sign-self-issued` encoding the wrong subject public key

Files:
RevisionActionfile
1.18modifypkgsrc/security/vault/Makefile
1.12modifypkgsrc/security/vault/distinfo