scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-31 10:37:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add various missing PKI related changelog entries (#15500)

Browse Source 
* Add various missing PKI related changelog entries

* Fix typo
This commit is contained in:
Steven Clark
2022-05-23 11:53:49 -04:00
committed by GitHub
parent b16913b0c3
commit 436a6ae63b
9 changed files with 40 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
CHANGELOG.md
View File

@@ -16,15 +16,10 @@ endpoints in favor of [autoloaded licenses](https://www.vaultproject.io/docs/ent
FEATURES: FEATURES:
* **Allows Multiple Issuer Certificates to enable Non-Disruptive * **Non-Disruptive Intermediate/Root Certificate Rotation**: This allows
Intermediate/Root Certificate Rotation**: This introduces /keys and /issuers import, generation and configuration of any number of keys and/or issuers
endpoints to allow import, generation and configuration of any number of keys within a PKI mount, providing operators the ability to rotate certificates
or issuers that can be used to issue and revoke certificates. Keys and Issuers in place without affecting existing client configurations. [[GH-15277](https://github.com/hashicorp/vault/pull/15277)]
can be referred to by (a) a unique UUID; (b) a name; (c) “default”. If an
issuer existed prior to this feature, that issuer will be tagged by a migration
as “default” to allow backwards compatible calls which dont specify an issuer.
Creation of new roles will assume an issuer of “default” unless otherwise
specified. This default can be configured at /config/issuers and /config/keys. [[GH-15277](https://github.com/hashicorp/vault/pull/15277)]
* api/command: Global -output-policy flag to determine minimum required policy HCL for a given operation [[GH-14899](https://github.com/hashicorp/vault/pull/14899)] * api/command: Global -output-policy flag to determine minimum required policy HCL for a given operation [[GH-14899](https://github.com/hashicorp/vault/pull/14899)]
* nomad: Bootstrap Nomad ACL system if no token is provided [[GH-12451](https://github.com/hashicorp/vault/pull/12451)] * nomad: Bootstrap Nomad ACL system if no token is provided [[GH-12451](https://github.com/hashicorp/vault/pull/12451)]
* storage/dynamodb: Added `AWS_DYNAMODB_REGION` environment variable. [[GH-15054](https://github.com/hashicorp/vault/pull/15054)] * storage/dynamodb: Added `AWS_DYNAMODB_REGION` environment variable. [[GH-15054](https://github.com/hashicorp/vault/pull/15054)]

5
changelog/14975.txt Normal file
View File

@@ -0,0 +1,5 @@
```release-note:change
secrets/pki: existing Generate Root (pki/root/generate/:type),
Set Signed Intermediate (/pki/intermediate/set-signed) APIs will
add new issuers/keys to a mount instead of warning that an existing CA exists
```

4
changelog/15004.txt Normal file
View File

@@ -0,0 +1,4 @@
```release-note:change
secrets/pki: existing Delete Root API (pki/root) will now delete all issuers
and keys within the mount path.
```

4
changelog/15100.txt Normal file
View File

@@ -0,0 +1,4 @@
```release-note:change
secrets/pki: Existing CRL API (/pki/crl) now returns an X.509 v2 CRL instead
of a v1 CRL.
```

4
changelog/15152.txt Normal file
View File

@@ -0,0 +1,4 @@
```release-note:improvement
secrets/pki: Allow operators to control the issuing certificate behavior when
the requested TTL is beyond the NotAfter value of the signing certificate
```

5
changelog/15155.txt Normal file
View File

@@ -0,0 +1,5 @@
```release-note:change
secrets/pki: The `ca_chain` response field within issuing (/pki/issue/:role)
and signing APIs will now include the root CA certificate if the mount is
aware of it.
```

4
changelog/15179.txt Normal file
View File

@@ -0,0 +1,4 @@
```release-note:bug
secrets/pki: CRLs on performance secondary clusters are now automatically
rebuilt upon changes to the list of issuers.
```

6
changelog/15211.txt Normal file
View File

@@ -0,0 +1,6 @@
```release-note:change
secrets/pki: A new aliased api path (/pki/issuer/:issuer_ref/sign-self-issued)
providing the same functionality as the existing API(/pki/root/sign-self-issued)
does not require sudo capabilities but the latter still requires it in an
effort to maintain backwards compatibility.
```

13
changelog/15277.txt
View File

@@ -1,11 +1,6 @@
```release-note:feature ```release-note:feature
**Allows Multiple Issuer Certificates to enable Non-Disruptive **Non-Disruptive Intermediate/Root Certificate Rotation**: This allows
Intermediate/Root Certificate Rotation**: This introduces /keys and /issuers import, generation and configuration of any number of keys and/or issuers
endpoints to allow import, generation and configuration of any number of keys within a PKI mount, providing operators the ability to rotate certificates
or issuers that can be used to issue and revoke certificates. Keys and Issuers in place without affecting existing client configurations.
can be referred to by (a) a unique UUID; (b) a name; (c) “default”. If an
issuer existed prior to this feature, that issuer will be tagged by a migration
as “default” to allow backwards compatible calls which dont specify an issuer.
Creation of new roles will assume an issuer of “default” unless otherwise
specified. This default can be configured at /config/issuers and /config/keys.
``` ```