Subject: CVS commit: pkgsrc/security/vault
From: Filip Hajny
Date: 2018-09-03 20:59:08
Message id: 20180903185908.946EDFBF8@cvs.NetBSD.org

Log Message:
security/vault: Update to 0.11.0.

DEPRECATIONS/CHANGES:

- Request Timeouts: A default request timeout of 90s is now enforced. This
  setting can be overwritten in the config file. If you anticipate requests
  taking longer than 90s this setting should be updated before upgrading.
- (NOTE: will be re-added into 0.11.1 as it broke more than anticipated. There
  will be some further guidelines around when this will be removed again.)
  * `sys/` Top Level Injection: For the last two years for backwards
  compatibility data for various `sys/` routes has been injected into both the
  Secret's Data map and into the top level of the JSON response object.
  However, this has some subtle issues that pop up from time to time and is
  becoming increasingly complicated to maintain, so it's finally being
  removed.
- Path Fallback for List Operations: For a very long time Vault has
  automatically adjusted `list` operations to always end in a `/`, as list
  operations operates on prefixes, so all list operations by definition end
  with `/`. This was done server-side so affects all clients. However, this
  has also led to a lot of confusion for users writing policies that assume
  that the path that they use in the CLI is the path used internally. Starting
  in 0.11, ACL policies gain a new fallback rule for listing: they will use a
  matching path ending in `/` if available, but if not found, they will look
  for the same path without a trailing `/`. This allows putting `list`
  capabilities in the same path block as most other capabilities for that
  path, while not providing any extra access if `list` wasn't actually
  provided there.
- Performance Standbys On By Default: If you flavor/license of Vault
  Enterprise supports Performance Standbys, they are on by default. You can
  disable this behavior per-node with the `disable_performance_standby`
  configuration flag.
- AWS Secret Engine Roles: The AWS Secret Engine roles are now explicit about
  the type of AWS credential they are generating; this reduces reduce
  ambiguity that existed previously as well as enables new features for
  specific credential types. Writing role data and generating credentials
  remain backwards compatible; however, the data returned when reading a
  role's configuration has changed in backwards-incompatible ways. Anything
  that depended on reading role data from the AWS secret engine will break
  until it is updated to work with the new format.

FEATURES:

- Namespaces (Enterprise): A set of features within Vault Enterprise
  that allows Vault environments to support *Secure Multi-tenancy* within a
  single Vault Enterprise infrastructure. Through namespaces, Vault
  administrators can support tenant isolation for teams and individuals as
  well as empower those individuals to self-manage their own tenant
  environment.
- Performance Standbys (Enterprise): Standby nodes can now service
  requests that do not modify storage. This provides near-horizontal scaling
  of a cluster in some workloads, and is the intra-cluster analogue of
  the existing Performance Replication feature, which replicates to distinct
  clusters in other datacenters, geos, etc.
- AliCloud OSS Storage: AliCloud OSS can now be used for Vault storage.
- AliCloud Auth Plugin: AliCloud's identity services can now be used to
  grant access to Vault. See the plugin repository for more information.
- Azure Secrets Plugin: There is now a plugin (pulled in to Vault) that
  allows generating credentials to allow access to Azure. See the plugin
  repository for more information.
- HA Support for MySQL Storage: MySQL storage now supports HA.
- ACL Templating: ACL policies can now be templated using identity Entity,
  Groups, and Metadata.
- UI Onboarding wizards: The Vault UI can provide contextual help and
  guidance, linking out to relevant links or guides on vaultproject.io for
  various workflows in Vault.

IMPROVEMENTS:

- agent: Add `exit_after_auth` to be able to use the Agent for a single
  authentication
- auth/approle: Add ability to set token bound CIDRs on individual Secret IDs
- cli: Add support for passing parameters to `vault read` operations
- secrets/aws: Make credential types more explicit
- secrets/nomad: Support for longer token names
- secrets/pki: Allow disabling CRL generation
- storage/azure: Add support for different Azure environments
- storage/file: Sort keys in list responses
- storage/mysql: Support special characters in database and table names.

BUG FIXES:

- auth/jwt: Always validate `aud` claim even if `bound_audiences` isn't set
  (IOW, error in this case)
- core: Prevent Go's HTTP library from interspersing logs in a different
  format and/or interleaved
- identity: Properly populate `mount_path` and `mount_type` on group lookup
- identity: Fix persisting alias metadata
- identity: Fix carryover issue from previously fixed race condition that
  could cause Vault not to start up due to two entities referencing the same
  alias. These entities are now merged.
- replication: Fix issue causing some pages not to flush to storage
- secrets/database: Fix inability to update custom SQL statements on
  database roles.
- secrets/pki: Disallow putting the CA's serial on its CRL. While technically
  legal, doing so inherently means the CRL can't be trusted anyways, so it's
  not useful and easy to footgun.
- storage/gcp,spanner: Fix data races

Files:
RevisionActionfile
1.31modifypkgsrc/security/vault/Makefile
1.20modifypkgsrc/security/vault/distinfo