Prep for release

This commit is contained in:
Jeff Mitchell
2019-03-18 15:16:30 -04:00
parent 0e38459564
commit 74ba4f72aa
5 changed files with 84 additions and 118 deletions

View File

@@ -1,122 +1,41 @@
## 1.1.0 (Unreleased) ## 1.1.0 (March 18th, 2019)
CHANGES: CHANGES:
* agent/caching: Move listeners config out of cache{} block to top level. * auth/jwt: The `groups_claim_delimiter_pattern` field has been removed. If the
Allow running agent with cache enabled and auto-auth disabled. groups claim is not at the top level, it can now be specified as a
* auth/jwt: Update `bound_audiences` validation during non-OIDC logins to accept [JSONPointer](https://tools.ietf.org/html/rfc6901).
any matched audience, as documented and handled in OIDC logins. * auth/jwt: Roles now have a "role type" parameter with a default type of
[[GH-30]](https://github.com/hashicorp/vault-plugin-auth-jwt/issues/30) "oidc". To configure new JWT roles, a role type of "jwt" must be explicitly
* auth/jwt: Apply `bound_audiences` checks to OIDC paths. specified.
* cli: CLI commands deprecated in 0.9.2 are now removed. Please see the CLI
FEATURES: help/warning output in previous versions of Vault for updated commands.
* core: Vault no longer automatically mounts a K/V backend at the "secret/"
* core: on non-windows platforms a SIGUSR2 will make the server log a dump of path when initializing Vault
all running goroutines' stack traces for debugging purposes. * core: Vault's cluster port will now be open at all times on HA standby nodes
* plugins: Vault no longer supports running netRPC plugins. These were
IMPROVEMENTS: deprecated in favor of gRPC based plugins and any plugin built since 0.9.4
defaults to gRPC. Older plugins may need to be recompiled against the latest
* agent/caching: Agent Caching will now return `X-Cache` and `Age` headers on Vault dependencies.
responses to indicates whether a response was a cache hit or miss, and
the freshness of the cached response when applicable.
[[GH-6394]](https://github.com/hashicorp/vault/pull/6394)
* sentinel: add token namespace id and path, available in rules as
token.namespace.id and token.namespace.path.
BUG FIXES:
* agent/caching: Non-2xx (e.g. redirects) and non-JSON responses returned by
the server are no longer wrapped and returned by Agent Caching as 500
Internal Server Error responses.
[[GH-6353]](https://github.com/hashicorp/vault/pull/6353)
* agent/caching: Add locking during cache lookup to prevent identical
non-cached requests made in parallel launch multiple rewener goroutines.
[[GH-6374]](https://github.com/hashicorp/vault/pull/6374)
* auth/jwt: Apply `bound_claims` validation across all login paths.
* core: The `operator migrate` command will no longer hang on empty key names.
[[GH-6371]](https://github.com/hashicorp/vault/pull/6371)
* secret/ssh: Fix for a bug where attempting to delete the last ssh role
in the zeroaddress configuration could fail.
[[GH-6390]](https://github.com/hashicorp/vault/pull/6390)
* secret/totp: Uppercase provided keys so they don't fail base32 validation
[GH-6400]
* sys: `sys/internal/ui/mounts` will no longer return secret or auth mounts
that have been filtered. Similarly, `sys/internal/ui/mount/:path` will
return a error response if a filtered mount path is requested.
[[GH-6412]](https://github.com/hashicorp/vault/pull/6412)
* ui: Fix for a bug where you couldn't access the data tab after clicking on
wrap details on the tool > unwrap page [GH-6404]
## 1.1.0-beta2 (March 5th, 2019)
CHANGES:
* agent/caching: Enable the caching of tokens and leases generated by the
auto-auth token when that's in use.
[[GH-6293]](https://github.com/hashicorp/vault/pull/6293)
* auth/jwt: The default listening port for the OIDC login helper is now 8250.
* core: Token creation responses now contain the `orphan` field indicating
whether the new token is orphan.
[[GH-6230]](https://github.com/hashicorp/vault/pull/6320)
FEATURES: FEATURES:
* **Vault Agent Caching**: Vault Agent can now be configured to act as a
caching proxy to Vault. Clients can send requests to Vault Agent and the
request will be proxied to the Vault server and cached locally in Agent.
Currently Agent will cache generated leases and tokens and keep them
renewed. The proxy can also use the Auto Auth feature so clients do not need
to authenticate to Vault, but rather can make requests to Agent and have
Agent fully manage token lifecycle.
* **OIDC Redirect Flow Support**: The JWT auth backend now supports OIDC
roles. These allow authentication via an OIDC-compliant provider via the
user's browser. The login may be initiated from the Vault UI or through
the `vault login` command.
* **ACL Path Wildcard**: ACL paths can now use the `+` character to enable
wild card matching for a single directory in the path definition.
* **Transit Auto Unseal**: Vault can now be configured to use the Transit * **Transit Auto Unseal**: Vault can now be configured to use the Transit
Secret Engine in another Vault cluster as an auto unseal provider. Secret Engine in another Vault cluster as an auto unseal provider.
IMPROVEMENTS:
* auth/token: A warning will be printed when 'tls_cipher_suites' includes a
blacklisted cipher suite or all cipher suites are blacklisted by the HTTP/2
specification.
* secrets/transit: Multiple HMAC, Sign or Verify operations can now be performed
with one API call using the new `batch_input` parameter
[[GH-5875]](https://github.com/hashicorp/vault/pull/5875).
BUG FIXES:
* namespace (enterprise): Clearing out identity store items upon namespace
deletion [[GH-850]](https://github.com/hashicorp/vault-enterprise/pull/850)
* secrets/kv: Fix issue where a v1→v2 upgrade could run on a performance
standby when using a local mount.
* agent/caching: Do not trigger cache update when renewal of the cached lease
is triggered. [[GH-6303]](https://github.com/hashicorp/vault/pull/6303)
* auth/token: Fix issue where empty values for token role update call were
ignored. [[GH-6314]](https://github.com/hashicorp/vault/pull/6314)
* ui: fix an issue where the policies tab was erroneously hidden [GH-6301]
* ui: fix encoding issues with kv interfaces [GH-6294]
## 1.1.0-beta1 (February 20th, 2019)
CHANGES:
* auth/jwt: The `groups_claim_delimiter_pattern` has been removed. If the groups
claim is not at the top level, it can now be specified as a
[JSONPointer](https://tools.ietf.org/html/rfc6901).
* auth/jwt: Roles now have a "role type" parameter with a default type of "oidc". To
configure new JWT roles, a role type of "jwt" must be explicitly specified.
* cli: CLI commands deprecated in 0.9.2 are now removed. Please see the CLI help output
for updated commands.
* core: Vault no longer automatically mounts a k/v backend at the "secret/" path when
initalizing Vault.
* core: Vault's cluster port will now be opened on HA standby nodes.
* plugins: Vault no longer supports running netRPC plugins. These were deprecated in
favor of gRPC based plugins and any plugin built since 0.9.4 defaults to gRPC. Older
plugins may need to be recompiled against the latest Vault dependencies.
FEATURES:
* **Vault Agent Caching**: Vault Agent can now be configured to act as a caching proxy
to Vault. Clients can send requests to Vault Agent and the request will be proxied
to the Vault server and cached locally in Agent. Currently Agent will cache
generated leases and tokens and keep them renewed. The proxy can also use the Auto
Auth feature so clients do not need to provide a Vault token with the request.
* **OIDC Support**: The JWT auth backend now supports OIDC roles. These allow
authentication via an OIDC-compliant provider via the user's browser. The
login may be initiatated from the Vault UI or through the `vault login` command.
* **ACL Path Wildcard**: ACL paths can now use the `+` character to enable wild card
matching for a single directory in the path definition.
IMPROVEMENTS: IMPROVEMENTS:
* auth/jwt: A default role can be set. It will be used during JWT/OIDC logins if * auth/jwt: A default role can be set. It will be used during JWT/OIDC logins if
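Review bot: folding the beta1/beta2 sections into the single 1.1.0 entry drops several user-visible items that only ever appeared in the beta changelogs and are still changes relative to 1.0.3, the last GA release: the agent listeners config moving out of the `cache{}` block to top level, the `X-Cache`/`Age` response headers from Agent Caching (GH-6394), the OIDC login helper's default port changing to 8250, and the `orphan` field in token creation responses (GH-6320). If the 1.1.0 entry is meant to read as the delta from 1.0.3, these belong in the right-hand CHANGES/IMPROVEMENTS lists rather than disappearing with the beta headers. Minor: trailing punctuation on the new CHANGES entries is mixed ("Vault dependencies." and "specified." end with a period; "path when initializing Vault" and "HA standby nodes" do not).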
@@ -125,18 +44,50 @@ IMPROVEMENTS:
* auth/jwt: An arbitrary set of bound claims can now be configured for a role. * auth/jwt: An arbitrary set of bound claims can now be configured for a role.
* auth/jwt: The name "oidc" has been added as an alias for the jwt backend. Either * auth/jwt: The name "oidc" has been added as an alias for the jwt backend. Either
name may be specified in the `auth enable` command. name may be specified in the `auth enable` command.
* command/server: A warning will be printed when 'tls_cipher_suites' includes a
blacklisted cipher suite or all cipher suites are blacklisted by the HTTP/2
specification [GH-6300]
* core/metrics: Prometheus pull support using a new sys/metrics endpoint. [GH-5308] * core/metrics: Prometheus pull support using a new sys/metrics endpoint. [GH-5308]
* core: On non-windows platforms a SIGUSR2 will make the server log a dump of
all running goroutines' stack traces for debugging purposes [GH-6240]
* replication: The inital replication indexing process on newly initialized or upgraded * replication: The inital replication indexing process on newly initialized or upgraded
clusters now runs asynchronously. clusters now runs asynchronously
* sentinel: Add token namespace id and path, available in rules as
token.namespace.id and token.namespace.path
* ui: The UI is now leveraging OpenAPI definitions to pull in fields for various forms. * ui: The UI is now leveraging OpenAPI definitions to pull in fields for various forms.
This means, it will not be necessary to add fields on the go and JS sides in the future. This means, it will not be necessary to add fields on the go and JS sides in the future.
[GH-6209] [GH-6209]
BUG FIXES: BUG FIXES:
* identity: Fix a panic at login when external group has a nil alias. [GH-6230] * auth/jwt: Apply `bound_claims` validation across all login paths
* performance standby: Fixed a bug causing performance standbys to wait longer * auth/jwt: Update `bound_audiences` validation during non-OIDC logins to accept
than necessary after forwarding a write to the active node. any matched audience, as documented and handled in OIDC logins [JWT-30]
* auth/token: Fix issue where empty values for token role update call were
ignored [GH-6314]
* core: The `operator migrate` command will no longer hang on empty key names
[GH-6371]
* identity: Fix a panic at login when external group has a nil alias [GH-6230]
* namespaces: Clear out identity store items upon namespace deletion
* replication/perfstandby: Fixed a bug causing performance standbys to wait
longer than necessary after forwarding a write to the active node
* replication/mountfilter: Fix a deadlock that could occur when mount filters
were updated [GH-6426]
* secret/kv: Fix issue where a v1→v2 upgrade could run on a performance
standby when using a local mount
* secret/ssh: Fix for a bug where attempting to delete the last ssh role
in the zeroaddress configuration could fail [GH-6390]
* secret/totp: Uppercase provided keys so they don't fail base32 validation
[GH-6400]
* secret/transit: Multiple HMAC, Sign or Verify operations can now be
performed with one API call using the new `batch_input` parameter [GH-5875]
* sys: `sys/internal/ui/mounts` will no longer return secret or auth mounts
that have been filtered. Similarly, `sys/internal/ui/mount/:path` will
return a error response if a filtered mount path is requested. [GH-6412]
* ui: Fix for a bug where you couldn't access the data tab after clicking on
wrap details on the unwrap page [GH-6404]
* ui: Fix an issue where the policies tab was erroneously hidden [GH-6301]
* ui: Fix encoding issues with kv interfaces [GH-6294]
## 1.0.3 (February 12th, 2019) ## 1.0.3 (February 12th, 2019)
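Review bot: the `secret/transit: Multiple HMAC, Sign or Verify operations ... batch_input` entry is a new capability, not a fix; it sat under IMPROVEMENTS in the beta2 section being removed and should stay there on the new side. Also carried over to the right-hand side: the typo "inital" in the replication entry and "return a error response" in the sys entry. The namespaces entry lost its "(enterprise)" marker and the GH-850 reference it had on the left; the `[JWT-30]` tag departs from the `[[GH-30]](https://github.com/hashicorp/vault-plugin-auth-jwt/issues/30)` link style used for the same issue in the removed text; and the component prefix flips from `secrets/kv` / `secrets/transit` (left) to `secret/kv` / `secret/transit` (right), so pick one prefix for the whole file.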

View File

@@ -3,7 +3,7 @@
//------------------------------------------------------------------- //-------------------------------------------------------------------
variable "download-url" { variable "download-url" {
default = "https://releases.hashicorp.com/vault/1.0.3/vault_1.0.3_linux_amd64.zip" default = "https://releases.hashicorp.com/vault/1.1.0/vault_1.1.0_linux_amd64.zip"
description = "URL to download Vault" description = "URL to download Vault"
} }
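Review bot: the release is pinned by URL alone; nothing in this hunk or its context verifies the archive. If the module consuming `download-url` does not already check the release SHA256SUMS and its signature, add a matching checksum variable that is bumped together with the URL, so a tampered or mis-published artifact fails the install instead of being unpacked. Also confirm the `vault_1.1.0_linux_amd64.zip` path resolves before this merges, since the apply fails until the release is published.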

View File

@@ -7,5 +7,5 @@ func init() {
// A pre-release marker for the version. If this is "" (empty string) // A pre-release marker for the version. If this is "" (empty string)
// then it means that it is a final release. Otherwise, this is a pre-release // then it means that it is a final release. Otherwise, this is a pre-release
// such as "dev" (in development), "beta", "rc1", etc. // such as "dev" (in development), "beta", "rc1", etc.
VersionPrerelease = "beta2" VersionPrerelease = ""
} }
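Review bot: clearing `VersionPrerelease` is correct for the GA cut, but the `Version` constant itself is outside this hunk; confirm it already reads "1.1.0" so the built binary does not report a stale base version with an empty pre-release marker.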

View File

@@ -6,7 +6,7 @@ use ReshapeMiddleware, component_file: "assets/reshape.js"
activate :hashicorp do |h| activate :hashicorp do |h|
h.name = "vault" h.name = "vault"
h.version = "1.0.3" h.version = "1.1.0"
h.github_slug = "hashicorp/vault" h.github_slug = "hashicorp/vault"
h.website_root = "website" h.website_root = "website"
h.releases_enabled = true h.releases_enabled = true

View File

@@ -150,6 +150,21 @@ path "secret/zip-*" {
} }
``` ```
In addition, a `+` can be used to denote any number of characters bounded
within a single path segment (this appeared in Vault 1.1):
```ruby
# Permit reading the "teamb" path under any top-level path under secret/
path "secret/+/teamb" {
capabilities = ["read"]
}
# Permit reading secret/foo/bar/teamb, secret/bar/foo/teamb, etc.
path "secret/+/+/teamb" {
capabilities = ["read"]
}
```
Vault's architecture is similar to a filesystem. Every action in Vault has a Vault's architecture is similar to a filesystem. Every action in Vault has a
corresponding path and capability - even Vault's internal core configuration corresponding path and capability - even Vault's internal core configuration
endpoints live under the "sys/" path. Policies define access to these paths and endpoints live under the "sys/" path. Policies define access to these paths and
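Review bot: the new paragraph should state the matching rule precisely: `+` matches a single path segment and never matches across a `/`, and it should say whether that segment may be empty, since "any number of characters bounded within a single path segment" leaves the empty case open. "(this appeared in Vault 1.1)" reads awkwardly; suggest "(introduced in Vault 1.1)". The two examples are right, and one sentence contrasting `+` with the trailing `*` glob shown just above (`path "secret/zip-*"`) would pre-empt the obvious reader question of which to use when.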