-
Notifications
You must be signed in to change notification settings - Fork 32
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
f6509b8
commit d2a9037
Showing
1 changed file
with
34 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| # New Features | ||
|
|
||
| * `target` now has a `--no-strongbox` flag. This configures the target to treat | ||
| the Vault installation as having no Strongbox on the VM. This affects `seal`, | ||
| `unseal`, and `status`. Previously, and without this flag set, these commands | ||
| would try to talk to a strongbox server to determine where all the nodes in the | ||
| Vault cluster are, and then perform the command action to all of the nodes. | ||
| With the flag set, the actions will just be applied to the targeted node without | ||
| trying to use a Strongbox server. | ||
| * `target` now has a `--ca-cert` flag. This flag takes either a certificate | ||
| string or a path to a file containing a certificate. The given certificate | ||
| will be trusted as a root CA instead of the certificates in the system | ||
| certificate pool. This flag can be specified multiple times to provide multiple | ||
| CA certificates. The flag even works for passing through to the vault CLI with | ||
| `safe vault`. | ||
|
|
||
| # Improvements | ||
|
|
||
| * Self-signed certificates (such as root-CAs) now have randomized serial | ||
| numbers instead of using 1. This could previously cause issues if the | ||
| self-signed certificate was regenerated, as the browser would throw an error | ||
| for a duplicate serial number entry. | ||
| * `x509 show` now shows more information about the certificate, including if it | ||
| is self-signed, if it is a CA, and the certificate's serial number. | ||
|
|
||
| # Bug Fixes | ||
|
|
||
| * Commands that recurse (e.g. `tree`/`paths`) would fail if access was denied | ||
| to a subsection of the target tree. This was because an attempt to list a path | ||
| would be made on a node that could be discovered, but Vault would return a | ||
| permissions error when trying to list the particular node. This error is now | ||
| handled in a way that allows the rest of the recursive output to succeed. | ||
| * The certificate serial number can no longer increment beyond 2^159, which it | ||
| probably wasn't going to do anyway, but now it definitely won't. |