ID | 15245 |
Package Name | htvault-config |
Version | 1.11 |
Release | 1.osg36.el8 |
Epoch | |
Source | svn+https://vdt.cs.wisc.edu/svn/native/redhat/branches/osg-3.6/htvault-config#26780 |
Summary | |
Description | |
Built by | Dave Dykstra |
State | complete |
Volume | DEFAULT |
Started | Fri, 03 Dec 2021 01:36:01 CST |
Completed | Fri, 03 Dec 2021 01:40:30 CST |
Task | build (osg-3.6-el8, /svn/native/redhat/branches/osg-3.6/htvault-config:26780) |
Extra | {'source': {'original_url': 'svn+https://vdt.cs.wisc.edu/svn/native/redhat/branches/osg-3.6/htvault-config#26780'}} |
Tags | |
RPMs | src: htvault-config-1.11-1.osg36.el8.src.rpm; x86_64: htvault-config-1.11-1.osg36.el8.x86_64.rpm |
Logs | |
Changelog |
* Wed Dec 01 2021 Dave Dykstra <dwd@fnal.gov> 1.11-1
- Add support for ssh-agent authentication, including self-registering of
  ssh public keys.
* Mon Nov 15 2021 Dave Dykstra <dwd@fnal.gov> 1.10-1
- Fix problem that /etc/krb5-<name>.keytab was preferred for first service
  only when the kerbservice was explicitly defined for an issuer. Now it
  also works for default first kerberos service.
* Wed Nov 10 2021 Dave Dykstra <dwd@fnal.gov> 1.9-1
- Restore separate names for names of issuer and policy when generating
  policies
* Wed Nov 10 2021 Dave Dykstra <dwd@fnal.gov> 1.8-1
- Restore part of the setup of kerberos; too much was taken out in 1.7
- When an issuer is deleted, clean out the policies and kerberos modules
  related to its roles
- Make policy names more consistent with module names
* Thu Nov 04 2021 Dave Dykstra <dwd@fnal.gov> 1.7-1
- Require at least vault version 1.8.4
- Remove support for coarse-grained kerberos; requires htgettoken >= 1.3
- Use /etc/krb5-<name>.keytab if it exists even for the first defined
  kerberos service, in preference to /etc/krb5.keytab.
- Update to vault-plugin-secrets-oauthapp 3.0.0
- Update to vault-plugin-auth-jwt 0.11.1
* Wed Sep 15 2021 Dave Dykstra <dwd@fnal.gov> 1.6-1
- Update to vault-plugin-secrets-oauthapp 3.0.0-beta.4 which includes a
  replacement for PR #64.
* Mon Sep 13 2021 Dave Dykstra <dwd@fnal.gov> 1.5-1
- Require at least vault version 1.8.2
- Update to vault-plugin-auth-jwt to the master branch at the time of the
  0.10.1 tag of the release-1.8 branch
- Update to vault-plugin-secrets-oauthapp 3.0.0-beta.3 and use its new
  feature of combining all providers in a single plugin process
- Include vault-plugin-secrets-oauthapp PR #64 which enables a default
  "legacy" server so older versions of htgettoken can still work.
- Reconfigure kerberos if the service name changes.
- Add a "kerbservice" issuers keyword to select non-default kerberos service
  for a particular issuer
- Immediately fail with a clear message if there's a duplicate name in a
  configuration list
- Allow vault tokens to read auth/token/lookup-self so clients can look up
  the remaining time to live on the tokens
* Tue Jul 20 2021 Dave Dykstra <dwd@fnal.gov> 1.4-1
- Updated the token exchange PR for vault-plugin-secrets-oauthapp to
  send the client secret in the initial authorization request in the
  device flow
- Updated to vault-plugin-secrets-oauthapp-2.2.0
* Mon Jul 12 2021 Dave Dykstra <dwd@fnal.gov> 1.3-1
- Added license in COPYING file
- Updated to vault-plugin-secrets-oauthapp-2.1.0
- Updated the token exchange PR for vault-plugin-secrets-oauthapp to
  accept comma-separated lists of audiences
- Added audit log at /var/log/htvault-config/auditlog
- Enabled delayed log compression and daily logs instead of weekly
- Add support for moving the master in a high-availability cluster from
  one machine to another and for changing the name of either peer
- If 'name' is missing from a yaml list, give a helpful error message
  instead of causing a python crash
- Limit vault token policies for oidc and kerberos to a single role
  and issuer. To use these limited policies for kerberos requires
  htgettoken >= 1.3 so for now the coarse-grained kerberos is still
  supported as well but it will be removed later.
- Remove the default policy from vault tokens.
* Thu Jun 17 2021 Dave Dykstra <dwd@fnal.gov> 1.2-1
- Update to vault-plugin-auth-jwt-0.9.4 and require vault-1.7.3
* Mon May 10 2021 Dave Dykstra <dwd@fnal.gov> 1.1-1
- Correctly disable secret oauth module instead of incorrect auth module
  when something changes requiring clearing out of old secrets.
- Allow dashes in names by converting them in bash variables to
  underscores, and reject any other non-alphanumeric or underscore in
  names.
- Fix bug in RFC8693 token exchange pull request to puppetlabs plugin
  which caused comma-separated scopes to get sent to the token issuer
  instead of space-separated scopes.
* Wed May 05 2021 Dave Dykstra <dwd@fnal.gov> 1.0-2
- Add Requires: python3-PyYAML
* Tue May 04 2021 Dave Dykstra <dwd@fnal.gov> 1.0-1
- Convert to using yaml files instead of shell variables to configure.
- Only update the vault configuration for things that have changed in
  the configuration, and include removing things that have been removed.
- Keep secrets off command line to hide them from 'ps'.
- Require at least vault-1.7.1
* Thu Apr 15 2021 Dave Dykstra <dwd@fnal.gov> 0.7-1
- Update to vault-plugin-secrets-oauthapp version 2.0.0
- Update to final version of PR for periodic refresh of credentials
- Move the 'PartOf' rule in htvault-config.service to the correct section.
- Prevent vault DB initialization failure from blocking future attempts.
- Change to have vault listen on all interfaces with tls for port 8200,
  and to use port 8202 for non-tls localhost access.
* Thu Apr 08 2021 Dave Dykstra <dwd@fnal.gov> 0.6-1
- Update vault-plugin-secrets-oauthapp to version 1.10.1, including
  applying a bug fix for broken minimum_seconds option
- Disable periodic refresh of credentials; make it be only on demand
- Require at least vault-1.7.0
* Mon Mar 22 2021 Dave Dykstra <dwd@fnal.gov> 0.5-2
- Update vault-plugin-auth-jwt to version 0.9.2
* Fri Feb 19 2021 Dave Dykstra <dwd@fnal.gov> 0.5-1
- Always reconfigure everything when systemd service is started, just don't
  disable/reenable oauthapp because that wipes out stored secrets.
- Support multiple roles per issuer.
* Thu Feb 18 2021 Dave Dykstra <dwd@fnal.gov> 0.4-1
- Rename the few OIDC-related variables that didn't begin with OIDC to
  begin with OIDC.
* Wed Feb 17 2021 Dave Dykstra <dwd@fnal.gov> 0.3-1
- Rename make-downloads to make-source-tarball and make it have more
  in common with the vault-rpm build
* Mon Feb 01 2021 Dave Dykstra <dwd@fnal.gov> 0.2-1
- Pre-download and prepare all the go modules using new make-downloads
  script, so no network is needed during rpm build.
* Fri Jan 29 2021 Dave Dykstra <dwd@fnal.gov> 0.1-1
- Initial pre-release, including parameterization based on shell variables