chore(deps): update openbao #7236

2026-05-22T01:11:35Z

renovate-bot commented

2026-05-22 01:11:35 +00:00

This PR contains the following updates:

Package	Update	Change
openbao	patch	`0.28.2` → `0.28.3`
openbao/openbao	patch	`2.5.3` → `2.5.4`

Release Notes

openbao/openbao-helm (openbao)

`v0.28.3`

Compare Source

chore: Improve OpenShift annotations
chore: bump OpenBao to v2.5.4

openbao/openbao (openbao/openbao)

`v2.5.4`

Compare Source

SECURITY

core/auth: Fix audit logs dropping custom headers when using inline auth. GHSA-q8cj-789h-vg24 / CVE-2026-46358. [GH-3076]
core: Prevent hidden default token issuance from auth plugin endpoints returning both a logical.Auth{} response object and an error. GHSA-7j6w-vvw2-5f9c / CVE-2026-46405. [GH-3150]
core: Remove legacy lease endpoints (sys/revoke, sys/renew, sys/revoke-prefix, and sys/revoke-force) due to cross-namespace lease modification. GHSA-v8v8-cm84-m686 / CVE-2026-45808. [GH-3152]

IMPROVEMENTS

storage/postgresql: Set constraint name to table+"_pkey" and ha_table+"_pkey" and index to table+"_idx" for uniqueness when reusing the same database partition for multiple OpenBao instances. [GH-2876]

BUG FIXES

auth/kerberos: Do not return logical.Auth{} response during initial negotiation at the same time as an error. [GH-3150]
core/mfa: Handle invalidation for login MFA, ensuring standby nodes respond appropriately on writes. [GH-3083]
core/policies: Fix list_scan_response_keys_filter_path incorrectly erring on empty list responses. [GH-3063]
core/quotas: Correctly handle default rate limit exempt paths on quota configuration invalidation. [GH-2953]
core: Disallow logical secret engines from creating authentication tokens. [GH-3087]
core: Forward generate-root, step-down and rekey requests to active node to resolve inconsistent standby behavior. [GH-3006]
storage/raft: Wait for autopilot shutdown to avoid panic when racing to retrieve known servers. [GH-3054]
storage/postgresql: Revert accidental rename of ha_table option to haTable. Both spellings are now supported to retain compatibility, though ha_table takes precedence. [GH-2876]

What's Changed

Remove 2.5.x community docs by @cipherboy in #3071
Disallow non-auth plugins from creating tokens (#3087 by @cipherboy) backported by @phil9909 in #3112
Handle invalidation of LoginMFA keys (#3083 by @cipherboy) backported by @phil9909 in #3113
Fix audit logs dropping custom headers when using inline auth (#3076 by @jackyliao123) backported by @phil9909 in #3114
fix: nil-guard d.autopilot before calling GetState (#3054 by @mpldr) backported by @phil9909 in #3115
fix: Fix request handling filtering for the no data case (#3063 by @eklatzer) backported by @phil9909 in #3116
Update vulnerable deps before 2.5.4 by @cipherboy in #3121
Fix cache invalidation memory leak (#3105 by @cipherboy) backported by @phil9909 in #3131
Use unique constraints, indices in PostgreSQL storage (#2876 by @cipherboy) backported by @phil9909 in #3132
Correctly handle default_rate_limit_exempt_paths_toggle invalidation (#2953 by @cipherboy) backported by @phil9909 in #3134
Fix /v1/sys/ forwarding regressions for standby instances (#3006 by @tsaarni) backported by @phil9909 in #3133
Remove legacy cross-namespace lease endpoints (#3152 by @cipherboy) backported by @cipherboy in #3153
Prevent errors from creating orphaned tokens (#3150 by @cipherboy) backported by @cipherboy in #3151
Add release notes for v2.5.4 by @satoqz in #3154

Full Changelog: https://github.com/openbao/openbao/compare/v2.5.3...v2.5.4

Configuration

📅 Schedule: (in timezone America/Chicago)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [openbao](https://github.com/openbao/openbao-helm) | patch | `0.28.2` → `0.28.3` | | [openbao/openbao](https://github.com/openbao/openbao) | patch | `2.5.3` → `2.5.4` | --- ### Release Notes <details> <summary>openbao/openbao-helm (openbao)</summary> ### [`v0.28.3`](https://github.com/openbao/openbao-helm/blob/HEAD/CHANGELOG.md#0283) [Compare Source](https://github.com/openbao/openbao-helm/compare/openbao-0.28.2...openbao-0.28.3) - chore: Improve OpenShift annotations - chore: bump OpenBao to v2.5.4 </details> <details> <summary>openbao/openbao (openbao/openbao)</summary> ### [`v2.5.4`](https://github.com/openbao/openbao/releases/tag/v2.5.4) [Compare Source](https://github.com/openbao/openbao/compare/v2.5.3...v2.5.4) #### SECURITY - core/auth: Fix audit logs dropping custom headers when using inline auth. GHSA-q8cj-789h-vg24 / CVE-2026-46358. \[[GH-3076](https://github.com/openbao/openbao/pull/3076)] - core: Prevent hidden default token issuance from auth plugin endpoints returning both a `logical.Auth{}` response object and an error. GHSA-7j6w-vvw2-5f9c / CVE-2026-46405. \[[GH-3150](https://github.com/openbao/openbao/pull/3150)] - core: Remove legacy lease endpoints (`sys/revoke`, `sys/renew`, `sys/revoke-prefix`, and `sys/revoke-force`) due to cross-namespace lease modification. GHSA-v8v8-cm84-m686 / CVE-2026-45808. \[[GH-3152](https://github.com/openbao/openbao/pull/3152)] #### IMPROVEMENTS - storage/postgresql: Set constraint name to `table+"_pkey"` and `ha_table+"_pkey"` and index to `table+"_idx"` for uniqueness when reusing the same database partition for multiple OpenBao instances. \[[GH-2876](https://github.com/openbao/openbao/pull/2876)] #### BUG FIXES - auth/kerberos: Do not return `logical.Auth{}` response during initial negotiation at the same time as an error. \[[GH-3150](https://github.com/openbao/openbao/pull/3150)] - core/mfa: Handle invalidation for login MFA, ensuring standby nodes respond appropriately on writes. \[[GH-3083](https://github.com/openbao/openbao/pull/3083)] - core/policies: Fix `list_scan_response_keys_filter_path` incorrectly erring on empty list responses. \[[GH-3063](https://github.com/openbao/openbao/pull/3063)] - core/quotas: Correctly handle default rate limit exempt paths on quota configuration invalidation. \[[GH-2953](https://github.com/openbao/openbao/pull/2953)] - core: Disallow logical secret engines from creating authentication tokens. \[[GH-3087](https://github.com/openbao/openbao/pull/3087)] - core: Forward generate-root, step-down and rekey requests to active node to resolve inconsistent standby behavior. \[[GH-3006](https://github.com/openbao/openbao/pull/3006)] - storage/raft: Wait for autopilot shutdown to avoid panic when racing to retrieve known servers. \[[GH-3054](https://github.com/openbao/openbao/pull/3054)] - storage/postgresql: Revert accidental rename of `ha_table` option to `haTable`. Both spellings are now supported to retain compatibility, though `ha_table` takes precedence. \[[GH-2876](https://github.com/openbao/openbao/pull/2876)] #### What's Changed - Remove 2.5.x community docs by [@cipherboy](https://github.com/cipherboy) in [#3071](https://github.com/openbao/openbao/pull/3071) - Disallow non-auth plugins from creating tokens ([#3087](https://github.com/openbao/openbao/issues/3087) by [@cipherboy](https://github.com/cipherboy)) backported by [@phil9909](https://github.com/phil9909) in [#3112](https://github.com/openbao/openbao/pull/3112) - Handle invalidation of LoginMFA keys ([#3083](https://github.com/openbao/openbao/issues/3083) by [@cipherboy](https://github.com/cipherboy)) backported by [@phil9909](https://github.com/phil9909) in [#3113](https://github.com/openbao/openbao/pull/3113) - Fix audit logs dropping custom headers when using inline auth ([#3076](https://github.com/openbao/openbao/issues/3076) by [@jackyliao123](https://github.com/jackyliao123)) backported by [@phil9909](https://github.com/phil9909) in [#3114](https://github.com/openbao/openbao/pull/3114) - fix: nil-guard d.autopilot before calling GetState ([#3054](https://github.com/openbao/openbao/issues/3054) by [@mpldr](https://github.com/mpldr)) backported by [@phil9909](https://github.com/phil9909) in [#3115](https://github.com/openbao/openbao/pull/3115) - fix: Fix request handling filtering for the no data case ([#3063](https://github.com/openbao/openbao/issues/3063) by [@eklatzer](https://github.com/eklatzer)) backported by [@phil9909](https://github.com/phil9909) in [#3116](https://github.com/openbao/openbao/pull/3116) - Update vulnerable deps before 2.5.4 by [@cipherboy](https://github.com/cipherboy) in [#3121](https://github.com/openbao/openbao/pull/3121) - Fix cache invalidation memory leak ([#3105](https://github.com/openbao/openbao/issues/3105) by [@cipherboy](https://github.com/cipherboy)) backported by [@phil9909](https://github.com/phil9909) in [#3131](https://github.com/openbao/openbao/pull/3131) - Use unique constraints, indices in PostgreSQL storage ([#2876](https://github.com/openbao/openbao/issues/2876) by [@cipherboy](https://github.com/cipherboy)) backported by [@phil9909](https://github.com/phil9909) in [#3132](https://github.com/openbao/openbao/pull/3132) - Correctly handle default\_rate\_limit\_exempt\_paths\_toggle invalidation ([#2953](https://github.com/openbao/openbao/issues/2953) by [@cipherboy](https://github.com/cipherboy)) backported by [@phil9909](https://github.com/phil9909) in [#3134](https://github.com/openbao/openbao/pull/3134) - Fix `/v1/sys/` forwarding regressions for standby instances ([#3006](https://github.com/openbao/openbao/issues/3006) by [@tsaarni](https://github.com/tsaarni)) backported by [@phil9909](https://github.com/phil9909) in [#3133](https://github.com/openbao/openbao/pull/3133) - Remove legacy cross-namespace lease endpoints ([#3152](https://github.com/openbao/openbao/issues/3152) by [@cipherboy](https://github.com/cipherboy)) backported by [@cipherboy](https://github.com/cipherboy) in [#3153](https://github.com/openbao/openbao/pull/3153) - Prevent errors from creating orphaned tokens ([#3150](https://github.com/openbao/openbao/issues/3150) by [@cipherboy](https://github.com/cipherboy)) backported by [@cipherboy](https://github.com/cipherboy) in [#3151](https://github.com/openbao/openbao/pull/3151) - Add release notes for v2.5.4 by [@satoqz](https://github.com/satoqz) in [#3154](https://github.com/openbao/openbao/pull/3154) **Full Changelog**: <https://github.com/openbao/openbao/compare/v2.5.3...v2.5.4> </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).

renovate-bot added the helm automerge labels 2026-05-22 01:11:35 +00:00

renovate-bot added 1 commit 2026-05-22 01:11:38 +00:00

chore(deps): update openbao

renovate/stability-days Updates have not met minimum release age requirement

Details

lint-test-helm / lint-helm (pull_request) Successful in 59s

Details

render-manifests / render-manifests (pull_request) Successful in 2m13s

Details

lint-test-helm / validate-kubeconform (pull_request) Successful in 41s

Details

d6d46a5baf

renovate-bot scheduled this pull request to auto merge when all checks succeed 2026-05-22 01:11:39 +00:00

renovate-bot merged commit c49c73da8d into main

2026-05-22 01:11:50 +00:00

renovate-bot deleted branch renovate/unified-openbao

2026-05-22 01:11:52 +00:00

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: alexlebens/infrastructure#7236