0.11.1 (2022/11/30)
New and Improved
- Vault Parameter Templating: In vault credential libraries, the paths and any
  POST bodies can contain templated parameters using Go template syntax (similar
  to Consul-Template). The following template parameters are supported (note
  that account values are tied to the account associated with the token making
  the call):
  - {{ .User.Id }}: the user's ID
  - {{ .User.Name }}: the user's name (from the user resource)
  - {{ .User.FullName }}: the user's name (from the account corresponding to
    the primary auth method in the user's scope; this may not be populated or
    may be different than the account name in the template)
  - {{ .User.Email }}: the user's email address (same caveat as FullName)
  - {{ .Account.Id }}: the account's ID
  - {{ .Account.Name }}: the account's name (from the account resource)
  - {{ .Account.LoginName }}: the account's login name (if used by that type
    of account)
  - {{ .Account.Subject }}: the account's subject (if used by that type
    of account)
  - {{ .Account.Email }}: the account's email (if used by that type
    of account)

  Additionally, there is currently a single function that strips the rest of a
  string after a specified substring; this is useful for pulling a user/account
  name from an email address. The following example uses the account email, but
  it can be any other parameter:
  - {{ truncateFrom .Account.Email "@" }}: this would turn foo@example.com
    into foo
- Per-scope key lifecycle management: You can now manage the lifecycles of both Key
  Encryption Keys (KEKs) and Data Encryption Keys (DEKs) using the new key rotation
  and key version destruction functionality. To learn more about this new feature,
  refer to the documentation.

  Upgrade notice: If the Database purpose DEK for a scope is destroyed, you must use
  the API to cancel any sessions that predate the upgrade.
  (PR)
- workers: PKI Worker daemons now get disconnected from upstreams when their
  corresponding resource is deleted (PR)
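The Vault parameter templating entry above can be exercised with Go's text/template package. The following is an added example, not Boundary's own code: the struct types, the truncateFrom implementation, the sample Vault paths and the empty-segment check are assumptions made for illustration. It shows the email-to-name case from the entry and what happens when an optional value such as User.Email is not populated.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"text/template"
)

// Stand-in types mirroring the changelog's parameter names (assumed, not Boundary's types).
type User struct{ Id, Name, FullName, Email string }
type Account struct{ Id, Name, LoginName, Subject, Email string }
type Params struct {
	User    User
	Account Account
}

// truncateFrom drops everything from the first occurrence of sep onward.
func truncateFrom(s, sep string) string {
	if i := strings.Index(s, sep); i >= 0 {
		return s[:i]
	}
	return s
}

// RenderPath expands a templated Vault path and rejects results with an
// empty segment, which happens when an optional value is not populated.
func RenderPath(tmpl string, p Params) (string, error) {
	t, err := template.New("path").
		Funcs(template.FuncMap{"truncateFrom": truncateFrom}).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, p); err != nil {
		return "", err
	}
	out := sb.String()
	if strings.Contains(out, "//") || strings.HasSuffix(out, "/") {
		return "", errors.New("templated value rendered empty: " + out)
	}
	return out, nil
}

func main() {
	p := Params{Account: Account{Id: "acct_1234567890", Email: "foo@example.com"}} // constructed sample
	fmt.Println(RenderPath(`database/creds/{{ truncateFrom .Account.Email "@" }}`, p))
	fmt.Println(RenderPath(`kv/data/{{ .User.Email }}/ssh`, p)) // User.Email is unset
}
```

Without the empty-segment check, the second path would render as kv/data//ssh, the same string for every user whose email is not populated.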
Bug Fixes
- sessions: Fix workers not being in random order when returned to clients at
  authorize-session time, which could allow one worker to bear the majority of
  sessions (PR)
- workers: In some error conditions when sending status to controllers, errors
  could be written to stdout along with a message that they could not
  successfully be evented instead of being written to the event log
  (PR)
- workers: Fixed a panic that can happen in certain situations
  (PR)
- sessions: Fixed a panic in a controller when a worker is deleted while
  sessions are ongoing (PR)
- sessions: Fixed a panic in a worker when a user with an active
  session is deleted (PR)
- sessions: Fixed a bug where reading a session after its associated project
  had been deleted would result in an error
  (PR)
- config: Fixed a bug where supplying multiple KMS blocks with the same purpose
  would silently ignore all but the last block
  (PR)
Deprecations/Changes
- In order to standardize on the templating format, templates in grants
  now are documented to use the new capitalization and format; however, the
  previous style will continue to work.