chore(deps): update vault to v2.0.1 #7237

Merged
renovate-bot merged 1 commit from renovate/unified-vault into main 2026-05-22 01:12:15 +00:00
Collaborator

This PR contains the following updates:

Package | Update | Change
hashicorp/vault | patch | 2.0.0 → 2.0.1
hashicorp/vault | patch | 2.0.0 → 2.0.1

Release Notes

hashicorp/vault (hashicorp/vault)

v2.0.1

Compare Source

BREAKING CHANGES:

  • containers: set cap_ipc_lock capability on vault at build time. Container runtimes will need to add IPC_LOCK capabilities when running the vault container.

SECURITY:

  • api: Update golang.org/x/net to resolve GO-2026-4918
  • core/identity: reject wildcards in rendered identity templates
  • core: Resolve GHSA-j88v-2chj-qfwx by removing our dependency on github.com/jackc/pgx/v3 and github.com/jackc/pgx/v4
  • core: Update github.com/Azure/go-ntlmssp to fix security vulnerability v0.1.1.
  • core: Update github.com/apache/thrift to fix security vulnerability GHSA-wf45-q9ch-q8gh
  • core: Update github.com/jackc/pgx/v5 to fix security vulnerability GHSA-j88v-2chj-qfwx.
  • core: Update golang.org/x/net to resolve GO-2026-4918
  • core: Validate both path and file_path cannot be empty for requests to sys/audit/{path}
  • sdk: Resolve GHSA-j88v-2chj-qfwx by removing our dependency on github.com/jackc/pgx/v3 and github.com/jackc/pgx/v4
  • sdk: Update github.com/Azure/go-ntlmssp to fix security vulnerability v0.1.1.
  • sdk: Update github.com/jackc/pgx/v5 to fix security vulnerability GHSA-j88v-2chj-qfwx.
  • sdk: Update golang.org/x/net to resolve GO-2026-4918

CHANGES:

  • auth/jwt: Update plugin to v0.26.3
  • core: Bump Go version to 1.26.3
  • identity: Require sudo capability to invoke the identity entity merge API endpoint (identity/entity/merge).
  • secrets/azure: Update plugin to v0.26.2+ent
  • secrets/openldap: Update plugin to v0.18.1+ent

FEATURES:

  • Billing metrics dashboard: Create a new billing dashboard with responsive layout to display metric data.
  • Secrets Sync UI: Added Workload Identity Federation (WIF) support in the UI for AWS, Azure, and GCP sync destinations

IMPROVEMENTS:

  • api: Add start_month and end_month parameters to /sys/billing/overview endpoint to allow querying billing data for specific time ranges.
  • api: Add migration_done_at_epoch to sys/seal-status response.
  • consumption-billing: Add billing tracking for OS Local Account static roles to support consumption-based billing metrics and high-water mark (HWM) tracking.
  • consumption-billing: Added consumption billing metrics for OIDC tokens.
  • consumption-billing: Added consumption billing metrics for PKI External CA certificates.
  • consumption-billing: Added consumption billing metrics for SPIFFE JWT tokens.
  • consumption-billing: Enabled sys/billing/overview endpoint in admin namespace.
  • consumption-billing: Float64 values returned by sys/billing/overview are now rounded to 4 decimal places.
  • consumption-billing: Increased billing data retention from 2 months to 37 months. The /sys/internal/billing/overview API endpoint now returns 37 months of historical consumption billing data by default.
  • consumption-billing: The /sys/internal/billing/overview API endpoint now always returns all metric types in the response, even when their values are zero. This ensures consistent response structure for easier client-side parsing.
  • core (Enterprise): Sanitized config now shows kms_library config.
  • core/seal (enterprise): Make it possible for new nodes to join a cluster configured with Seal High Availability.
  • scim: The SCIM Group PATCH handler now supports the path field in the form members[value eq "id"] on remove operations.
  • sdk: Expand support for docker test cluster options like seals, kms libraries, and entropy augmentation. DockerClusterNode.UpdateConfig now takes a full set of cluster options instead of just node config.
  • sdk: add WIF and rotation helpers for checking if params were updated to allow the consumer to know when changes need to be persisted to storage
  • secrets/pki (enterprise): Allow SCEP to use an issuer that is backed by an RSA based PKCS#11 managed key
  • secrets/transit: Change to using Trail of Bits libraries for PQC signature implementation in Transit
  • ui/dashboard: Reorganized dashboard widgets to improve layout and usability. Updated widgets to use HDS table components for better consistency. Enhanced the Quick Actions card with frequently used links alongside existing actions.
  • ui: Set pagination size to 10 for custom messages list view and toggle the "Apply filters" button visibility based on filter selection.
  • ui: Update copy on merge entities page to specify entity ID is the required data input when merging entities.
  • ui: add validations to the ACL visual policy editor to prevent it from saving policies with empty paths or capabilities.

BUG FIXES:

  • auth/aws: fix bug where rotation and wif config updates were not persisted to storage
  • client/ocsp: Adds a grace period to renew the cached entry for OCSP response.
  • core: Fix failure to detect errors during storage writes of totp keys.
  • database/mssql: Fix "sysadmin" requirement during lease revocation by replacing the undocumented sp_msloginmappings procedure with a granular metadata query. This allows the plugin to function with VIEW ANY DEFINITION instead of full sysadmin privileges.
  • database/mssql: Fix dynamic secret revocation by executing custom statements as a single batch instead of splitting on semicolons
  • database/snowflake: Fix WAL rollback issue for key-pair root credential rotation.
  • database: prevent static role rotation and connection init from hanging indefinitely when database calls block by adding timeouts around UpdateUser and Initialize
  • events (enterprise): Fix panic when replicating lease events.
  • go-plugin: Upgrade go-plugin to fix a bug where file descriptors could be leaked when spawning external plugins
  • identity: fixed a rare but possible data race issue with identities.
  • sdk: Small bugfixes relating to docker test container cleanup and image building.
  • secrets-sync (enterprise): Fix destination PATCH handling for WIF identity_token_ttl normalization and GCP service_account_email decoding.
  • secrets/kmip (enterprise): Address a nil pointer within the invalidation handler for managed objects.
  • secrets/ldap: enable proper license checking on 'openldap' plugin alias. This enables enterprise features when configuring mounts with the 'openldap' alias.
  • secrets/pki (enterprise): Fix SCEP nonce logging in audit data.
  • secrets/pki (enterprise): Include root CA in chain for CIEPS endpoints when root is the direct issuer, unless remove_roots_from_chain is true.
  • secrets/pki: Remove invalid value from the supported list of ACME algorithms.
  • ui: Add name field validation to LDAP create and edit roles forms.
  • ui: Fix LDAP hierarchical role navigation in UI
  • ui: Fix entities page to show success message after successfully editing an entity.
  • ui: Fix secrets to secrets-engines redirect for bookmarked URLs.
  • ui: Fixed custom messages list to display the expiration time on Inactive message badges.
  • ui: Fixed sidebar navigation animation issues
  • ui: Restore re-sizable columns for secrets and namespaces tables.
  • ui: Update DR operation token generation to accept a primary root token for authentication.
  • ui: Update KV max_version validation to disallow negative values.

Configuration

📅 Schedule: (in timezone America/Chicago)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

renovate-bot added the docker, github-releases, automerge labels 2026-05-22 01:11:56 +00:00
renovate-bot added 1 commit 2026-05-22 01:11:57 +00:00
chore(deps): update vault to v2.0.1
renovate/stability-days Updates have not met minimum release age requirement
lint-test-helm / lint-helm (pull_request) Successful in 1m19s
render-manifests / render-manifests (pull_request) Successful in 1m9s
lint-test-helm / validate-kubeconform (pull_request) Failing after 13m3s
07c3755d98
renovate-bot scheduled this pull request to auto merge when all checks succeed 2026-05-22 01:11:58 +00:00
renovate-bot merged commit 638388e1f0 into main 2026-05-22 01:12:15 +00:00
renovate-bot deleted branch renovate/unified-vault 2026-05-22 01:12:20 +00:00