Release Notes
Release 2024-01-11T13-09-29Z contains changes for the HashiCorp Vault backend.
Added
- Now, a KES server configuration accepts authentication-specific HashiCorp Vault namespaces. This may be useful when KES should
  authenticate within the root namespace but use secret engines within sub-namespaces.

      approle:        # AppRole credentials. See: https://www.vaultproject.io/docs/auth/approle.html
        namespace: "" # Optional Vault namespace used just for authentication. A single "/" is an alias for the Vault root namespace.
        engine: ""    # The path of the AppRole engine - e.g. authenticate. If empty, defaults to: approle. (Vault default)
        id: ""        # Your AppRole Role ID
        secret: ""    # Your AppRole Secret ID

  Note that KES can also send no namespace header at all for authentication methods, even if a namespace for its secret engines has
  been configured, by setting namespace: "/".
Changed
- The HashiCorp Vault backend now uses a new authentication token renewal implementation. The previous one was removed in 13cee22.
Since then, the KES server has used its authentication credentials to obtain a new token instead of renewing its current one. Now, the KES
server refreshes its authentication token before it expires and only re-authenticates using its credentials when the token renewal fails.
Details can be found in 877a8ae.
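The renew-first, re-authenticate-on-failure behaviour described above, sketched as an added example; this is not KES code. Token, Auth, Refresh, RefreshDelay and fakeVault are hypothetical names, and refreshing at 80% of the TTL is an assumed policy.

```go
package main

import (
	"fmt"
	"time"
)

// Token and Auth are hypothetical stand-ins, not KES or Vault SDK types.
type Token struct{ ID string; TTL time.Duration }
type Auth interface {
	Login() (Token, error)      // authenticate with credentials, e.g. AppRole
	Renew(Token) (Token, error) // extend the lease of the current token
}

// RefreshDelay schedules the refresh before expiry (assumed policy: 80% of the TTL).
func RefreshDelay(ttl time.Duration) time.Duration { return ttl * 8 / 10 }

// Refresh renews cur and falls back to a credential login only if renewal fails.
func Refresh(a Auth, cur Token) (Token, string, error) {
	if t, err := a.Renew(cur); err == nil && t.TTL > 0 {
		return t, "renewed", nil
	}
	t, err := a.Login()
	if err != nil {
		return cur, "failed", err // keep the old token so the caller can retry
	}
	return t, "re-authenticated", nil
}

// fakeVault is a constructed test double: each token can be renewed maxRenewals times.
type fakeVault struct{ maxRenewals, renewals, logins int }

func (f *fakeVault) Login() (Token, error) {
	f.logins, f.renewals = f.logins+1, 0
	return Token{ID: fmt.Sprintf("token-%d", f.logins), TTL: time.Hour}, nil
}
func (f *fakeVault) Renew(t Token) (Token, error) {
	if f.renewals++; f.renewals > f.maxRenewals {
		return Token{}, fmt.Errorf("renewal of %s failed: max TTL reached", t.ID)
	}
	return t, nil
}

func main() {
	v, tok, how := &fakeVault{maxRenewals: 1}, Token{ID: "token-0", TTL: time.Hour}, ""
	for i := 0; i < 4; i++ {
		tok, how, _ = Refresh(v, tok)
		fmt.Println(how, tok.ID, "next refresh in", RefreshDelay(tok.TTL))
	}
}
```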
What's Changed
- upgrade deps and fix ci by @harshavardhana in #426
- vault: implement authentication token renewal by @aead in #428
- Add workflow to add issues to tracker by @dvaldivia in #429
- vault: support authentication in different namespaces by @aead in #431
- remove unused code by @aead in #432
New Contributors
- @dvaldivia made their first contribution in #429
Full Changelog: 2023-11-10T10-44-28Z...2024-01-11T13-09-29Z