From 772e9cd18e5922952e79eacd10de45e84f600773 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Sun, 28 Apr 2024 22:17:06 +0200
Subject: [PATCH] fix(deps): update module github.com/hashicorp/vault/api to
 v1.13.0 (#11)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [github.com/hashicorp/vault/api](https://togithub.com/hashicorp/vault)
| `v1.11.0` -> `v1.13.0` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fhashicorp%2fvault%2fapi/v1.13.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fhashicorp%2fvault%2fapi/v1.13.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fhashicorp%2fvault%2fapi/v1.11.0/v1.13.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fhashicorp%2fvault%2fapi/v1.11.0/v1.13.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

### Release Notes

<details>
<summary>hashicorp/vault (github.com/hashicorp/vault/api)</summary>

###
[`v1.13.0`](https://togithub.com/hashicorp/vault/releases/tag/v1.13.0)

[Compare
Source](https://togithub.com/hashicorp/vault/compare/v1.12.2...v1.13.0)

#### 1.13.0

##### March 01, 2023

SECURITY:

- secrets/ssh: removal of the deprecated dynamic keys mode. **When any
remaining dynamic key leases expire**, an error stating `secret is
unsupported by this backend` will be thrown by the lease manager.
\[[GH-18874](https://togithub.com/hashicorp/vault/pull/18874)]

CHANGES:

- auth/alicloud: require the `role` field on login
\[[GH-19005](https://togithub.com/hashicorp/vault/pull/19005)]
- auth/approle: Add maximum length of 4096 for approle role_names, as
this value results in HMAC calculation
\[[GH-17768](https://togithub.com/hashicorp/vault/pull/17768)]
- auth: Returns invalid credentials for ldap, userpass and approle when
wrong credentials are provided for existent users.
This will only be used internally for implementing user lockout.
\[[GH-17104](https://togithub.com/hashicorp/vault/pull/17104)]
-   core: Bump Go version to 1.20.1.
- core: Vault version has been moved out of sdk and into main vault
module.
Plugins using sdk/useragent.String must instead use
sdk/useragent.PluginString.
\[[GH-14229](https://togithub.com/hashicorp/vault/pull/14229)]
- logging: Removed legacy environment variable for log format
('LOGXI_FORMAT'), should use 'VAULT_LOG_FORMAT' instead
\[[GH-17822](https://togithub.com/hashicorp/vault/pull/17822)]
- plugins: Mounts can no longer be pinned to a specific *builtin*
version. Mounts previously pinned to a specific builtin version will now
automatically upgrade to the latest builtin version, and may now be
overridden if an unversioned plugin of the same name and type is
registered. Mounts using plugin versions without `builtin` in their
metadata remain unaffected.
\[[GH-18051](https://togithub.com/hashicorp/vault/pull/18051)]
- plugins: `GET /database/config/:name` endpoint now returns an
additional `plugin_version` field in the response data.
\[[GH-16982](https://togithub.com/hashicorp/vault/pull/16982)]
- plugins: `GET /sys/auth/:path/tune` and `GET /sys/mounts/:path/tune`
endpoints may now return an additional `plugin_version` field in the
response data if set.
\[[GH-17167](https://togithub.com/hashicorp/vault/pull/17167)]
- plugins: `GET` for `/sys/auth`, `/sys/auth/:path`, `/sys/mounts`, and
`/sys/mounts/:path` paths now return additional `plugin_version`,
`running_plugin_version` and `running_sha256` fields in the response
data for each mount.
\[[GH-17167](https://togithub.com/hashicorp/vault/pull/17167)]
- sdk: Remove version package, make useragent.String versionless.
\[[GH-19068](https://togithub.com/hashicorp/vault/pull/19068)]
- secrets/aws: do not create leases for non-renewable/non-revocable STS
credentials to reduce storage calls
\[[GH-15869](https://togithub.com/hashicorp/vault/pull/15869)]
- secrets/gcpkms: Updated plugin from v0.13.0 to v0.14.0
\[[GH-19063](https://togithub.com/hashicorp/vault/pull/19063)]
- sys/internal/inspect: Turns of this endpoint by default. A SIGHUP can
now be used to reload the configs and turns this endpoint on.
- ui: Upgrade Ember to version 4.4.0
\[[GH-17086](https://togithub.com/hashicorp/vault/pull/17086)]

FEATURES:

- **Azure Auth Managed Identities**: Allow any Azure resource that
supports managed identities to authenticate with Vault
\[[GH-19077](https://togithub.com/hashicorp/vault/pull/19077)]
- **Azure Auth Rotate Root**: Add support for rotate root in Azure Auth
engine \[[GH-19077](https://togithub.com/hashicorp/vault/pull/19077)]
- **Event System (Alpha)**: Vault has a new opt-in experimental event
system. Not yet suitable for production use. Events are currently only
generated on writes to the KV secrets engine, but external plugins can
also be updated to start generating events.
\[[GH-19194](https://togithub.com/hashicorp/vault/pull/19194)]
- **GCP Secrets Impersonated Account Support**: Add support for GCP
service account impersonation, allowing callers to generate a GCP access
token without requiring Vault to store or retrieve a GCP service account
key for each role.
\[[GH-19018](https://togithub.com/hashicorp/vault/pull/19018)]
- **Kubernetes Secrets Engine UI**: Kubernetes is now available in the
UI as a supported secrets engine.
\[[GH-17893](https://togithub.com/hashicorp/vault/pull/17893)]
- **New PKI UI**: Add beta support for new and improved PKI UI
\[[GH-18842](https://togithub.com/hashicorp/vault/pull/18842)]
-   **PKI Cross-Cluster Revocations**: Revocation information can now be
synchronized across primary and performance replica clusters offering
a unified CRL/OCSP view of revocations across cluster boundaries.
\[[GH-19196](https://togithub.com/hashicorp/vault/pull/19196)]
- **Server UDS Listener**: Adding listener to Vault server to serve http
request via unix domain socket
\[[GH-18227](https://togithub.com/hashicorp/vault/pull/18227)]
- **Transit managed keys**: The transit secrets engine now supports
configuring and using managed keys
- **User Lockout**: Adds support to configure the user-lockout behaviour
for failed logins to prevent
brute force attacks for userpass, approle and ldap auth methods.
\[[GH-19230](https://togithub.com/hashicorp/vault/pull/19230)]
- **VMSS Flex Authentication**: Adds support for Virtual Machine Scale
Set Flex Authentication
\[[GH-19077](https://togithub.com/hashicorp/vault/pull/19077)]
- **Namespaces (enterprise)**: Added the ability to allow access to
secrets and more to be shared across namespaces that do not share a
namespace hierarchy. Using the new `sys/config/group-policy-application`
API, policies can be configured to apply outside of namespace hierarchy,
allowing this kind of cross-namespace sharing.
- **OpenAPI-based Go & .NET Client Libraries (Beta)**: We have now made
available two new OpenAPI-based Go & .NET Client libraries (beta). You
can use them to perform various secret management operations easily from
your applications.

IMPROVEMENTS:

- **Redis ElastiCache DB Engine**: Renamed configuration parameters for
disambiguation; old parameters still supported for compatibility.
\[[GH-18752](https://togithub.com/hashicorp/vault/pull/18752)]
- Bump github.com/hashicorp/go-plugin version from 1.4.5 to 1.4.8
\[[GH-19100](https://togithub.com/hashicorp/vault/pull/19100)]
- Reduced binary size
\[[GH-17678](https://togithub.com/hashicorp/vault/pull/17678)]
- agent/config: Allow config directories to be specified with -config,
and allow multiple -configs to be supplied.
\[[GH-18403](https://togithub.com/hashicorp/vault/pull/18403)]
- agent: Add note in logs when starting Vault Agent indicating if the
version differs to the Vault Server.
\[[GH-18684](https://togithub.com/hashicorp/vault/pull/18684)]
- agent: Added `token_file` auto-auth configuration to allow using a
pre-existing token for Vault Agent.
\[[GH-18740](https://togithub.com/hashicorp/vault/pull/18740)]
- agent: Agent listeners can now be to be the `metrics_only` role,
serving only metrics, as part of the listener's new top level `role`
option. \[[GH-18101](https://togithub.com/hashicorp/vault/pull/18101)]
- agent: Configured Vault Agent listeners now listen without the need
for caching to be configured.
\[[GH-18137](https://togithub.com/hashicorp/vault/pull/18137)]
- agent: allows some parts of config to be reloaded without requiring a
restart. \[[GH-18638](https://togithub.com/hashicorp/vault/pull/18638)]
- agent: fix incorrectly used loop variables in parallel tests and when
finalizing seals
\[[GH-16872](https://togithub.com/hashicorp/vault/pull/16872)]
- api: Remove dependency on sdk module.
\[[GH-18962](https://togithub.com/hashicorp/vault/pull/18962)]
- api: Support VAULT_DISABLE_REDIRECTS environment variable (and
--disable-redirects flag) to disable default client behavior and prevent
the client following any redirection responses.
\[[GH-17352](https://togithub.com/hashicorp/vault/pull/17352)]
- audit: Add `elide_list_responses` option, providing a countermeasure
for a common source of oversized audit log entries
\[[GH-18128](https://togithub.com/hashicorp/vault/pull/18128)]
- audit: Include stack trace when audit logging recovers from a panic.
\[[GH-18121](https://togithub.com/hashicorp/vault/pull/18121)]
- auth/alicloud: upgrades dependencies
\[[GH-18021](https://togithub.com/hashicorp/vault/pull/18021)]
- auth/azure: Adds support for authentication with Managed Service
Identity (MSI) from a
Virtual Machine Scale Set (VMSS) in flexible orchestration mode.
\[[GH-17540](https://togithub.com/hashicorp/vault/pull/17540)]
- auth/azure: upgrades dependencies
\[[GH-17857](https://togithub.com/hashicorp/vault/pull/17857)]
- auth/cert: Add configurable support for validating client certs with
OCSP. \[[GH-17093](https://togithub.com/hashicorp/vault/pull/17093)]
- auth/cert: Support listing provisioned CRLs within the mount.
\[[GH-18043](https://togithub.com/hashicorp/vault/pull/18043)]
- auth/cf: Remove incorrect usage of CreateOperation from path_config
\[[GH-19098](https://togithub.com/hashicorp/vault/pull/19098)]
- auth/gcp: Upgrades dependencies
\[[GH-17858](https://togithub.com/hashicorp/vault/pull/17858)]
- auth/oidc: Adds `abort_on_error` parameter to CLI login command to
help in non-interactive contexts
\[[GH-19076](https://togithub.com/hashicorp/vault/pull/19076)]
- auth/oidc: Adds ability to set Google Workspace domain for groups
search \[[GH-19076](https://togithub.com/hashicorp/vault/pull/19076)]
- auth/token (enterprise): Allow batch token creation in perfStandby
nodes
- auth: Allow naming login MFA methods and using those names instead of
IDs in satisfying MFA requirement for requests.
Make passcode arguments consistent across login MFA method types.
\[[GH-18610](https://togithub.com/hashicorp/vault/pull/18610)]
- auth: Provide an IP address of the requests from Vault to a Duo
challenge after successful authentication.
\[[GH-18811](https://togithub.com/hashicorp/vault/pull/18811)]
- autopilot: Update version to v.0.2.0 to add better support for
respecting min quorum
- cli/kv: improve kv CLI to remove data or custom metadata using kv
patch \[[GH-18067](https://togithub.com/hashicorp/vault/pull/18067)]
- cli/pki: Add List-Intermediates functionality to pki client.
\[[GH-18463](https://togithub.com/hashicorp/vault/pull/18463)]
- cli/pki: Add health-check subcommand to evaluate the health of a PKI
instance. \[[GH-17750](https://togithub.com/hashicorp/vault/pull/17750)]
- cli/pki: Add pki issue command, which creates a CSR, has a vault mount
sign it, then reimports it.
\[[GH-18467](https://togithub.com/hashicorp/vault/pull/18467)]
- cli/pki: Added "Reissue" command which allows extracting fields from
an existing certificate to create a new certificate.
\[[GH-18499](https://togithub.com/hashicorp/vault/pull/18499)]
- cli/pki: Change the pki health-check --list default config output to
JSON so it's a usable configuration file
\[[GH-19269](https://togithub.com/hashicorp/vault/pull/19269)]
- cli: Add support for creating requests to existing non-KVv2
PATCH-capable endpoints.
\[[GH-17650](https://togithub.com/hashicorp/vault/pull/17650)]
- cli: Add transit import key helper commands for BYOK to
Transit/Transform.
\[[GH-18887](https://togithub.com/hashicorp/vault/pull/18887)]
- cli: Support the -format=raw option, to read non-JSON Vault endpoints
and original response bodies.
\[[GH-14945](https://togithub.com/hashicorp/vault/pull/14945)]
- cli: updated `vault operator rekey` prompts to describe recovery keys
when `-target=recovery`
\[[GH-18892](https://togithub.com/hashicorp/vault/pull/18892)]
- client/pki: Add a new command verify-sign which checks the
relationship between two certificates.
\[[GH-18437](https://togithub.com/hashicorp/vault/pull/18437)]
- command/server: Environment variable keys are now logged at startup.
\[[GH-18125](https://togithub.com/hashicorp/vault/pull/18125)]
- core/fips: use upstream toolchain for FIPS 140-2 compliance again;
this will appear as X=boringcrypto on the Go version in Vault server
logs.
- core/identity: Add machine-readable output to body of response upon
alias clash during entity merge
\[[GH-17459](https://togithub.com/hashicorp/vault/pull/17459)]
- core/server: Added an environment variable to write goroutine
stacktraces to a
temporary file for SIGUSR2 signals.
\[[GH-17929](https://togithub.com/hashicorp/vault/pull/17929)]
-   core: Add RPCs to read and update userFailedLoginInfo map
- core: Add experiments system and `events.alpha1` experiment.
\[[GH-18682](https://togithub.com/hashicorp/vault/pull/18682)]
- core: Add read support to `sys/loggers` and `sys/loggers/:name`
endpoints \[[GH-17979](https://togithub.com/hashicorp/vault/pull/17979)]
- core: Add user lockout field to config and configuring this for auth
mount using auth tune to prevent brute forcing in auth methods
\[[GH-17338](https://togithub.com/hashicorp/vault/pull/17338)]
- core: Add vault.core.locked_users telemetry metric to emit information
about total number of locked users.
\[[GH-18718](https://togithub.com/hashicorp/vault/pull/18718)]
- core: Added sys/locked-users endpoint to list locked users. Changed
api endpoint from
sys/lockedusers/\[mount_accessor]/unlock/\[alias_identifier] to
sys/locked-users/\[mount_accessor]/unlock/\[alias_identifier].
\[[GH-18675](https://togithub.com/hashicorp/vault/pull/18675)]
- core: Added
sys/lockedusers/\[mount_accessor]/unlock/\[alias_identifier] endpoint to
unlock an user
with given mount_accessor and alias_identifier if locked
\[[GH-18279](https://togithub.com/hashicorp/vault/pull/18279)]
- core: Added warning to /sys/seal-status and vault status command if
potentially dangerous behaviour overrides are being used.
\[[GH-17855](https://togithub.com/hashicorp/vault/pull/17855)]
- core: Implemented background thread to update locked user entries
every 15 minutes to prevent brute forcing in auth methods.
\[[GH-18673](https://togithub.com/hashicorp/vault/pull/18673)]
- core: License location is no longer cache exempt, meaning sys/health
will not contribute as greatly to storage load when using consul as a
storage backend.
\[[GH-17265](https://togithub.com/hashicorp/vault/pull/17265)]
- core: Update protoc from 3.21.5 to 3.21.7
\[[GH-17499](https://togithub.com/hashicorp/vault/pull/17499)]
- core: add `detect_deadlocks` config to optionally detect core state
deadlocks \[[GH-18604](https://togithub.com/hashicorp/vault/pull/18604)]
- core: added changes for user lockout workflow.
\[[GH-17951](https://togithub.com/hashicorp/vault/pull/17951)]
- core: parallelize backend initialization to improve startup time for
large numbers of mounts.
\[[GH-18244](https://togithub.com/hashicorp/vault/pull/18244)]
- database/postgres: Support multiline strings for revocation
statements.
\[[GH-18632](https://togithub.com/hashicorp/vault/pull/18632)]
- database/redis-elasticache: changed config argument names for
disambiguation
\[[GH-19044](https://togithub.com/hashicorp/vault/pull/19044)]
- database/snowflake: Allow parallel requests to Snowflake
\[[GH-17593](https://togithub.com/hashicorp/vault/pull/17593)]
- hcp/connectivity: Add foundational OSS support for opt-in secure
communication between self-managed Vault nodes and [HashiCorp Cloud
Platform](https://cloud.hashicorp.com)
\[[GH-18228](https://togithub.com/hashicorp/vault/pull/18228)]
- hcp/connectivity: Include HCP organization, project, and resource ID
in server startup logs
\[[GH-18315](https://togithub.com/hashicorp/vault/pull/18315)]
- hcp/connectivity: Only update SCADA session metadata if status changes
\[[GH-18585](https://togithub.com/hashicorp/vault/pull/18585)]
- hcp/status: Add cluster-level status information
\[[GH-18351](https://togithub.com/hashicorp/vault/pull/18351)]
- hcp/status: Expand node-level status information
\[[GH-18302](https://togithub.com/hashicorp/vault/pull/18302)]
- logging: Vault Agent supports logging to a specified file path via
environment variable, CLI or config
\[[GH-17841](https://togithub.com/hashicorp/vault/pull/17841)]
- logging: Vault agent and server commands support log file and log
rotation. \[[GH-18031](https://togithub.com/hashicorp/vault/pull/18031)]
- migration: allow parallelization of key migration for `vault operator
migrate` in order to speed up a migration.
\[[GH-18817](https://togithub.com/hashicorp/vault/pull/18817)]
- namespaces (enterprise): Add new API,
`sys/config/group-policy-application`, to allow group policies to be
configurable
to apply to a group in `any` namespace. The default,
`within_namespace_hierarchy`, is the current behaviour.
- openapi: Add default values to thing_mount_path parameters
\[[GH-18935](https://togithub.com/hashicorp/vault/pull/18935)]
- openapi: Add logic to generate openapi response structures
\[[GH-18192](https://togithub.com/hashicorp/vault/pull/18192)]
- openapi: Add openapi response definitions to approle/path_login.go &
approle/path_tidy_user_id.go
\[[GH-18772](https://togithub.com/hashicorp/vault/pull/18772)]
- openapi: Add openapi response definitions to approle/path_role.go
\[[GH-18198](https://togithub.com/hashicorp/vault/pull/18198)]
- openapi: Change gen_openapi.sh to generate schema with generic mount
paths \[[GH-18934](https://togithub.com/hashicorp/vault/pull/18934)]
- openapi: Mark request body objects as required
\[[GH-17909](https://togithub.com/hashicorp/vault/pull/17909)]
- openapi: add openapi response defintions to /sys/audit endpoints
\[[GH-18456](https://togithub.com/hashicorp/vault/pull/18456)]
- openapi: generic_mount_paths: Move implementation fully into server,
rather than partially in plugin framework; recognize all 4 singleton
mounts (auth/token, cubbyhole, identity, system) rather than just 2;
change parameter from `{mountPath}` to `{<type>_mount_path}`
\[[GH-18663](https://togithub.com/hashicorp/vault/pull/18663)]
- plugins: Add plugin version information to key plugin lifecycle log
lines. \[[GH-17430](https://togithub.com/hashicorp/vault/pull/17430)]
- plugins: Allow selecting builtin plugins by their reported semantic
version of the form `vX.Y.Z+builtin` or `vX.Y.Z+builtin.vault`.
\[[GH-17289](https://togithub.com/hashicorp/vault/pull/17289)]
-   plugins: Let Vault unseal and mount deprecated builtin plugins in a
deactivated state if this is not the first unseal after an upgrade.
\[[GH-17879](https://togithub.com/hashicorp/vault/pull/17879)]
- plugins: Mark app-id auth method Removed and remove the plugin code.
\[[GH-18039](https://togithub.com/hashicorp/vault/pull/18039)]
- plugins: Mark logical database plugins Removed and remove the plugin
code. \[[GH-18039](https://togithub.com/hashicorp/vault/pull/18039)]
- sdk/ldap: Added support for paging when searching for groups using
group filters
\[[GH-17640](https://togithub.com/hashicorp/vault/pull/17640)]
- sdk: Add response schema validation method
framework/FieldData.ValidateStrict and two test helpers
(ValidateResponse, ValidateResponseData)
\[[GH-18635](https://togithub.com/hashicorp/vault/pull/18635)]
- sdk: Adding FindResponseSchema test helper to assist with response
schema validation in tests
\[[GH-18636](https://togithub.com/hashicorp/vault/pull/18636)]
- secrets/aws: Update dependencies
\[[PR-17747](https://togithub.com/hashicorp/vault/pull/17747)]
\[[GH-17747](https://togithub.com/hashicorp/vault/pull/17747)]
- secrets/azure: Adds ability to persist an application for the lifetime
of a role.
\[[GH-19096](https://togithub.com/hashicorp/vault/pull/19096)]
- secrets/azure: upgrades dependencies
\[[GH-17964](https://togithub.com/hashicorp/vault/pull/17964)]
- secrets/db/mysql: Add `tls_server_name` and `tls_skip_verify`
parameters
\[[GH-18799](https://togithub.com/hashicorp/vault/pull/18799)]
- secrets/gcp: Upgrades dependencies
\[[GH-17871](https://togithub.com/hashicorp/vault/pull/17871)]
- secrets/kubernetes: Add /check endpoint to determine if environment
variables are set
\[[GH-18](https://togithub.com/hashicorp/vault-plugin-secrets-kubernetes/pull/18)]
\[[GH-18587](https://togithub.com/hashicorp/vault/pull/18587)]
- secrets/kubernetes: add /check endpoint to determine if environment
variables are set
\[[GH-19084](https://togithub.com/hashicorp/vault/pull/19084)]
- secrets/kv: Emit events on write if events system enabled
\[[GH-19145](https://togithub.com/hashicorp/vault/pull/19145)]
- secrets/kv: make upgrade synchronous when no keys to upgrade
\[[GH-19056](https://togithub.com/hashicorp/vault/pull/19056)]
- secrets/kv: new KVv2 mounts and KVv1 mounts without any keys will
upgrade synchronously, allowing for instant use
\[[GH-17406](https://togithub.com/hashicorp/vault/pull/17406)]
- secrets/pki: Add a new API that returns the serial numbers of revoked
certificates on the local cluster
\[[GH-17779](https://togithub.com/hashicorp/vault/pull/17779)]
- secrets/pki: Add support to specify signature bits when generating
CSRs through intermediate/generate apis
\[[GH-17388](https://togithub.com/hashicorp/vault/pull/17388)]
- secrets/pki: Added a new API that allows external actors to craft a
CRL through JSON parameters
\[[GH-18040](https://togithub.com/hashicorp/vault/pull/18040)]
- secrets/pki: Allow UserID Field
(https://www.rfc-editor.org/rfc/rfc1274#section-9.3.1) to be set on
Certificates when
allowed by role
\[[GH-18397](https://togithub.com/hashicorp/vault/pull/18397)]
- secrets/pki: Allow issuer creation, import to change default issuer
via `default_follows_latest_issuer`.
\[[GH-17824](https://togithub.com/hashicorp/vault/pull/17824)]
- secrets/pki: Allow templating performance replication cluster- and
issuer-specific AIA URLs.
\[[GH-18199](https://togithub.com/hashicorp/vault/pull/18199)]
- secrets/pki: Allow tidying of expired issuer certificates.
\[[GH-17823](https://togithub.com/hashicorp/vault/pull/17823)]
- secrets/pki: Allow tidying of the legacy ca_bundle, improving startup
on post-migrated, seal-wrapped PKI mounts.
\[[GH-18645](https://togithub.com/hashicorp/vault/pull/18645)]
- secrets/pki: Respond with written data to `config/auto-tidy`,
`config/crl`, and `roles/:role`.
\[[GH-18222](https://togithub.com/hashicorp/vault/pull/18222)]
- secrets/pki: Return issuer_id and issuer_name on
/issuer/:issuer_ref/json endpoint.
\[[GH-18482](https://togithub.com/hashicorp/vault/pull/18482)]
- secrets/pki: Return new fields revocation_time_rfc3339 and issuer_id
to existing certificate serial lookup api if it is revoked
\[[GH-17774](https://togithub.com/hashicorp/vault/pull/17774)]
- secrets/ssh: Allow removing SSH host keys from the dynamic keys
feature. \[[GH-18939](https://togithub.com/hashicorp/vault/pull/18939)]
- secrets/ssh: Evaluate ssh validprincipals user template before
splitting \[[GH-16622](https://togithub.com/hashicorp/vault/pull/16622)]
- secrets/transit: Add an optional reference field to batch operation
items
which is repeated on batch responses to help more easily correlate
inputs with outputs.
\[[GH-18243](https://togithub.com/hashicorp/vault/pull/18243)]
- secrets/transit: Add associated_data parameter for additional
authenticated data in AEAD ciphers
\[[GH-17638](https://togithub.com/hashicorp/vault/pull/17638)]
- secrets/transit: Add support for PKCSv1\_5\_NoOID RSA signatures
\[[GH-17636](https://togithub.com/hashicorp/vault/pull/17636)]
- secrets/transit: Allow configuring whether upsert of keys is allowed.
\[[GH-18272](https://togithub.com/hashicorp/vault/pull/18272)]
- storage/raft: Add `retry_join_as_non_voter` config option.
\[[GH-18030](https://togithub.com/hashicorp/vault/pull/18030)]
- storage/raft: add additional raft metrics relating to applied index
and heartbeating; also ensure OSS standbys emit periodic metrics.
\[[GH-12166](https://togithub.com/hashicorp/vault/pull/12166)]
- sys/internal/inspect: Creates an endpoint to look to inspect internal
subsystems.
\[[GH-17789](https://togithub.com/hashicorp/vault/pull/17789)]
- sys/internal/inspect: Creates an endpoint to look to inspect internal
subsystems.
- ui: Add algorithm-signer as a SSH Secrets Engine UI field
\[[GH-10299](https://togithub.com/hashicorp/vault/pull/10299)]
- ui: Add inline policy creation when creating an identity entity or
group \[[GH-17749](https://togithub.com/hashicorp/vault/pull/17749)]
- ui: Added JWT authentication warning message about blocked pop-up
windows and web browser settings.
\[[GH-18787](https://togithub.com/hashicorp/vault/pull/18787)]
- ui: Enable typescript for future development
\[[GH-17927](https://togithub.com/hashicorp/vault/pull/17927)]
- ui: Prepends "passcode=" if not provided in user input for duo totp
mfa method authentication
\[[GH-18342](https://togithub.com/hashicorp/vault/pull/18342)]
- ui: Update language on database role to "Connection name"
\[[GH-18261](https://togithub.com/hashicorp/vault/issues/18261)]
\[[GH-18350](https://togithub.com/hashicorp/vault/pull/18350)]
- ui: adds allowed_response_headers as param for secret engine mount
config \[[GH-19216](https://togithub.com/hashicorp/vault/pull/19216)]
- ui: consolidate all <a> tag usage
\[[GH-17866](https://togithub.com/hashicorp/vault/pull/17866)]
- ui: mfa: use proper request id generation
\[[GH-17835](https://togithub.com/hashicorp/vault/pull/17835)]
- ui: remove wizard
\[[GH-19220](https://togithub.com/hashicorp/vault/pull/19220)]
- ui: update DocLink component to use new host url:
developer.hashicorp.com
\[[GH-18374](https://togithub.com/hashicorp/vault/pull/18374)]
- ui: update TTL picker for consistency
\[[GH-18114](https://togithub.com/hashicorp/vault/pull/18114)]
- ui: use the combined activity log (partial + historic) API for client
count dashboard and remove use of monthly endpoint
\[[GH-17575](https://togithub.com/hashicorp/vault/pull/17575)]
- vault/diagnose: Upgrade `go.opentelemetry.io/otel`,
`go.opentelemetry.io/otel/sdk`, `go.opentelemetry.io/otel/trace` to
v1.11.2 \[[GH-18589](https://togithub.com/hashicorp/vault/pull/18589)]

DEPRECATIONS:

- secrets/ad: Marks the Active Directory (AD) secrets engine as
deprecated.
\[[GH-19334](https://togithub.com/hashicorp/vault/pull/19334)]

BUG FIXES:

- api: Remove timeout logic from ReadRaw functions and add
ReadRawWithContext
\[[GH-18708](https://togithub.com/hashicorp/vault/pull/18708)]
- auth/alicloud: fix regression in vault login command that caused login
to fail \[[GH-19005](https://togithub.com/hashicorp/vault/pull/19005)]
- auth/approle: Add nil check for the secret ID entry when deleting via
secret id accessor preventing cross role secret id deletion
\[[GH-19186](https://togithub.com/hashicorp/vault/pull/19186)]
- auth/approle: Fix `token_bound_cidrs` validation when using /32 blocks
for role and secret ID
\[[GH-18145](https://togithub.com/hashicorp/vault/pull/18145)]
- auth/cert: Address a race condition accessing the loaded crls without
a lock \[[GH-18945](https://togithub.com/hashicorp/vault/pull/18945)]
- auth/kubernetes: Ensure a consistent TLS configuration for all k8s API
requests
\[[#&#8203;173](https://togithub.com/hashicorp/vault-plugin-auth-kubernetes/pull/173)]
\[[GH-18716](https://togithub.com/hashicorp/vault/pull/18716)]
- auth/kubernetes: fixes and dep updates for the auth-kubernetes plugin
(see plugin changelog for details)
\[[GH-19094](https://togithub.com/hashicorp/vault/pull/19094)]
- auth/okta: fix a panic for AuthRenew in Okta
\[[GH-18011](https://togithub.com/hashicorp/vault/pull/18011)]
- auth: Deduplicate policies prior to ACL generation
\[[GH-17914](https://togithub.com/hashicorp/vault/pull/17914)]
- cli/kv: skip formatting of nil secrets for patch and put with field
parameter set
\[[GH-18163](https://togithub.com/hashicorp/vault/pull/18163)]
- cli/pki: Decode integer values properly in health-check configuration
file \[[GH-19265](https://togithub.com/hashicorp/vault/pull/19265)]
- cli/pki: Fix path for role health-check warning messages
\[[GH-19274](https://togithub.com/hashicorp/vault/pull/19274)]
- cli/pki: Properly report permission issues within health-check mount
tune checks
\[[GH-19276](https://togithub.com/hashicorp/vault/pull/19276)]
- cli/transit: Fix import, import-version command invocation
\[[GH-19373](https://togithub.com/hashicorp/vault/pull/19373)]
- cli: Fix issue preventing kv commands from executing properly when the
mount path provided by `-mount` flag and secret key path are the same.
\[[GH-17679](https://togithub.com/hashicorp/vault/pull/17679)]
- cli: Fix vault read handling to return raw data as secret.Data when
there is no top-level data object from api response.
\[[GH-17913](https://togithub.com/hashicorp/vault/pull/17913)]
- cli: Remove empty table heading for `vault secrets list -detailed`
output. \[[GH-17577](https://togithub.com/hashicorp/vault/pull/17577)]
- command/namespace: Fix vault cli namespace patch examples in help
text. \[[GH-18143](https://togithub.com/hashicorp/vault/pull/18143)]
-   core (enterprise): Fix missing quotation mark in error message
- core (enterprise): Fix panic that could occur with SSCT alongside
invoking external plugins for revocation.
- core (enterprise): Fix panic when using invalid accessor for
control-group request
- core (enterprise): Fix perf standby WAL streaming silently failures
when replication setup happens at a bad time.
- core (enterprise): Supported storage check in `vault server` command
will no longer prevent startup. Instead, a warning will be logged if
configured to use storage backend other than `raft` or `consul`.
- core/activity: add namespace breakdown for new clients when date range
spans multiple months, including the current month.
\[[GH-18766](https://togithub.com/hashicorp/vault/pull/18766)]
- core/activity: de-duplicate namespaces when historical and current
month data are mixed
\[[GH-18452](https://togithub.com/hashicorp/vault/pull/18452)]
- core/activity: fix the end_date returned from the activity log
endpoint when partial counts are computed
\[[GH-17856](https://togithub.com/hashicorp/vault/pull/17856)]
- core/activity: include mount counts when de-duplicating current and
historical month data
\[[GH-18598](https://togithub.com/hashicorp/vault/pull/18598)]
- core/activity: report mount paths (rather than mount accessors) in
current month activity log counts and include deleted mount paths in
precomputed queries.
\[[GH-18916](https://togithub.com/hashicorp/vault/pull/18916)]
- core/activity: return partial month counts when querying a historical
date range and no historical data exists.
\[[GH-17935](https://togithub.com/hashicorp/vault/pull/17935)]
- core/auth: Return a 403 instead of a 500 for wrapping requests when
token is not provided
\[[GH-18859](https://togithub.com/hashicorp/vault/pull/18859)]
- core/managed-keys (enterprise): Limit verification checks to mounts in
a key's namespace
- core/managed-keys (enterprise): Return better error messages when
encountering key creation failures
- core/managed-keys (enterprise): Switch to using hash length as PSS
Salt length within the test/sign api for better
[PKCS#11](https://togithub.com/PKCS/vault/issues/11) compatibility
- core/quotas (enterprise): Fix a lock contention issue that could occur
and cause Vault to become unresponsive when creating, changing, or
deleting lease count quotas.
- core/quotas (enterprise): Fix a potential deadlock that could occur
when using lease count quotas.
- core/quotas: Fix issue with improper application of default rate limit
quota exempt paths
\[[GH-18273](https://togithub.com/hashicorp/vault/pull/18273)]
- core/seal: Fix regression handling of the key_id parameter in seal
configuration HCL.
\[[GH-17612](https://togithub.com/hashicorp/vault/pull/17612)]
- core: Fix panic caused in Vault Agent when rendering certificate
templates \[[GH-17419](https://togithub.com/hashicorp/vault/pull/17419)]
- core: Fix potential deadlock if barrier ciphertext is less than 4
bytes. \[[GH-17944](https://togithub.com/hashicorp/vault/pull/17944)]
- core: Fix spurious `permission denied` for all HelpOperations on
sudo-protected paths
\[[GH-18568](https://togithub.com/hashicorp/vault/pull/18568)]
- core: Fix vault operator init command to show the right curl string
with -output-curl-string and right policy hcl with -output-policy
\[[GH-17514](https://togithub.com/hashicorp/vault/pull/17514)]
- core: Fixes spurious warnings being emitted relating to "unknown or
unsupported fields" for JSON config
\[[GH-17660](https://togithub.com/hashicorp/vault/pull/17660)]
- core: Linux packages now have vendor label and set the default label
to HashiCorp.
This fix is implemented for any future releases, but will not be updated
for historical releases.
- core: Prevent panics in `sys/leases/lookup`, `sys/leases/revoke`, and
`sys/leases/renew` endpoints if provided `lease_id` is null
\[[GH-18951](https://togithub.com/hashicorp/vault/pull/18951)]
- core: Refactor lock grabbing code to simplify stateLock deadlock
investigations
\[[GH-17187](https://togithub.com/hashicorp/vault/pull/17187)]
- core: fix GPG encryption to support subkeys.
\[[GH-16224](https://togithub.com/hashicorp/vault/pull/16224)]
- core: fix a start up race condition where performance standbys could
go into a
mount loop if default policies are not yet synced from the active node.
\[[GH-17801](https://togithub.com/hashicorp/vault/pull/17801)]
- core: fix bug where context cancellations weren't forwarded to active
node from performance standbys.
- core: fix race when using SystemView.ReplicationState outside of a
request context
\[[GH-17186](https://togithub.com/hashicorp/vault/pull/17186)]
- core: prevent memory leak when using control group factors in a policy
\[[GH-17532](https://togithub.com/hashicorp/vault/pull/17532)]
- core: prevent panic during mfa after enforcement's namespace is
deleted \[[GH-17562](https://togithub.com/hashicorp/vault/pull/17562)]
- core: prevent panic in login mfa enforcement delete after
enforcement's namespace is deleted
\[[GH-18923](https://togithub.com/hashicorp/vault/pull/18923)]
- core: trying to unseal with the wrong key now returns HTTP 400
\[[GH-17836](https://togithub.com/hashicorp/vault/pull/17836)]
- credential/cert: adds error message if no tls connection is found
during the AliasLookahead operation
\[[GH-17904](https://togithub.com/hashicorp/vault/pull/17904)]
- database/mongodb: Fix writeConcern set to be applied to any query made
on the database
\[[GH-18546](https://togithub.com/hashicorp/vault/pull/18546)]
- expiration: Prevent panics on perf standbys when an irrevocable lease
gets deleted.
\[[GH-18401](https://togithub.com/hashicorp/vault/pull/18401)]
- kmip (enterprise): Fix a problem with some multi-part MAC Verify
operations.
- kmip (enterprise): Only require data to be full blocks on
encrypt/decrypt operations using CBC and ECB block cipher modes.
- license (enterprise): Fix bug where license would update even if the
license didn't change.
-   licensing (enterprise): update autoloaded license cache after reload
- login: Store token in tokenhelper for interactive login MFA
\[[GH-17040](https://togithub.com/hashicorp/vault/pull/17040)]
- openapi: Fix many incorrect details in generated API spec, by using
better techniques to parse path regexps
\[[GH-18554](https://togithub.com/hashicorp/vault/pull/18554)]
- openapi: fix gen_openapi.sh script to correctly load vault plugins
\[[GH-17752](https://togithub.com/hashicorp/vault/pull/17752)]
- plugins/kv: KV v2 returns 404 instead of 500 for request paths that
incorrectly include a trailing slash.
\[[GH-17339](https://togithub.com/hashicorp/vault/pull/17339)]
- plugins: Allow running external plugins which override deprecated
builtins. \[[GH-17879](https://togithub.com/hashicorp/vault/pull/17879)]
- plugins: Corrected the path to check permissions on when the
registered plugin name does not match the plugin binary's filename.
\[[GH-17340](https://togithub.com/hashicorp/vault/pull/17340)]
- plugins: Listing all plugins while audit logging is enabled will no
longer result in an internal server error.
\[[GH-18173](https://togithub.com/hashicorp/vault/pull/18173)]
- plugins: Only report deprecation status for builtin plugins.
\[[GH-17816](https://togithub.com/hashicorp/vault/pull/17816)]
- plugins: Skip loading but still mount data associated with missing
plugins on unseal.
\[[GH-18189](https://togithub.com/hashicorp/vault/pull/18189)]
- plugins: Vault upgrades will no longer fail if a mount has been
created using an explicit builtin plugin version.
\[[GH-18051](https://togithub.com/hashicorp/vault/pull/18051)]
- replication (enterprise): Fix bug where reloading external plugin on a
secondary would
    break replication.
- sdk: Don't panic if system view or storage methods called during
plugin setup.
\[[GH-18210](https://togithub.com/hashicorp/vault/pull/18210)]
- secret/pki: fix bug with initial legacy bundle migration (from < 1.11
into 1.11+) and missing issuers from ca_chain
\[[GH-17772](https://togithub.com/hashicorp/vault/pull/17772)]
- secrets/ad: Fix bug where updates to config would fail if password
isn't provided
\[[GH-19061](https://togithub.com/hashicorp/vault/pull/19061)]
- secrets/gcp: fix issue where IAM bindings were not preserved during
policy update
\[[GH-19018](https://togithub.com/hashicorp/vault/pull/19018)]
- secrets/mongodb-atlas: Fix a bug that did not allow WAL rollback to
handle partial failures when creating API keys
\[[GH-19111](https://togithub.com/hashicorp/vault/pull/19111)]
- secrets/pki: Address nil panic when an empty POST request is sent to
the OCSP handler
\[[GH-18184](https://togithub.com/hashicorp/vault/pull/18184)]
- secrets/pki: Allow patching issuer to set an empty issuer name.
\[[GH-18466](https://togithub.com/hashicorp/vault/pull/18466)]
- secrets/pki: Do not read revoked certificates from backend when CRL is
disabled \[[GH-17385](https://togithub.com/hashicorp/vault/pull/17385)]
- secrets/pki: Fix upgrade of missing expiry, delta_rebuild_interval by
setting them to the default.
\[[GH-17693](https://togithub.com/hashicorp/vault/pull/17693)]
- secrets/pki: Fixes duplicate otherName in certificates created by the
sign-verbatim endpoint.
\[[GH-16700](https://togithub.com/hashicorp/vault/pull/16700)]
- secrets/pki: OCSP GET request parameter was not being URL unescaped
before processing.
\[[GH-18938](https://togithub.com/hashicorp/vault/pull/18938)]
- secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary
clusters. \[[GH-17497](https://togithub.com/hashicorp/vault/pull/17497)]
- secrets/pki: Revert fix for PR
[18938](https://togithub.com/hashicorp/vault/pull/18938)
\[[GH-19037](https://togithub.com/hashicorp/vault/pull/19037)]
- secrets/pki: consistently use UTC for CA's notAfter exceeded error
message \[[GH-18984](https://togithub.com/hashicorp/vault/pull/18984)]
- secrets/pki: fix race between tidy's cert counting and tidy status
reporting.
\[[GH-18899](https://togithub.com/hashicorp/vault/pull/18899)]
- secrets/transit: Do not warn about unrecognized parameter
'batch_input'
\[[GH-18299](https://togithub.com/hashicorp/vault/pull/18299)]
- secrets/transit: Honor `partial_success_response_code` on decryption
failures. \[[GH-18310](https://togithub.com/hashicorp/vault/pull/18310)]
- server/config: Use file.Stat when checking file permissions when
VAULT_ENABLE_FILE_PERMISSIONS_CHECK is enabled
\[[GH-19311](https://togithub.com/hashicorp/vault/pull/19311)]
- storage/raft (enterprise): An already joined node can rejoin by wiping
storage
and re-issueing a join request, but in doing so could transiently become
a
non-voter. In some scenarios this resulted in loss of quorum.
\[[GH-18263](https://togithub.com/hashicorp/vault/pull/18263)]
- storage/raft: Don't panic on unknown raft ops
\[[GH-17732](https://togithub.com/hashicorp/vault/pull/17732)]
- storage/raft: Fix race with follower heartbeat tracker during
teardown. \[[GH-18704](https://togithub.com/hashicorp/vault/pull/18704)]
- ui/keymgmt: Sets the defaultValue for type when creating a key.
\[[GH-17407](https://togithub.com/hashicorp/vault/pull/17407)]
- ui: Fix bug where logging in via OIDC fails if browser is in
fullscreen mode
\[[GH-19071](https://togithub.com/hashicorp/vault/pull/19071)]
- ui: Fixes issue with not being able to download raft snapshot via
service worker
\[[GH-17769](https://togithub.com/hashicorp/vault/pull/17769)]
- ui: Fixes oidc/jwt login issue with alternate mount path and jwt login
via mount path tab
\[[GH-17661](https://togithub.com/hashicorp/vault/pull/17661)]
- ui: Remove `default` and add `default-service` and `default-batch` to
UI token_type for auth mount and tuning.
\[[GH-19290](https://togithub.com/hashicorp/vault/pull/19290)]
- ui: Remove default value of 30 to TtlPicker2 if no value is passed in.
\[[GH-17376](https://togithub.com/hashicorp/vault/pull/17376)]
- ui: allow selection of "default" for ssh algorithm_signer in web
interface \[[GH-17894](https://togithub.com/hashicorp/vault/pull/17894)]
- ui: cleanup unsaved auth method ember data record when navigating away
from mount backend form
\[[GH-18651](https://togithub.com/hashicorp/vault/pull/18651)]
- ui: fix entity policies list link to policy show page
\[[GH-17950](https://togithub.com/hashicorp/vault/pull/17950)]
- ui: fixes query parameters not passed in api explorer test requests
\[[GH-18743](https://togithub.com/hashicorp/vault/pull/18743)]
- ui: fixes reliance on secure context (https) by removing methods using
the Crypto interface
\[[GH-19403](https://togithub.com/hashicorp/vault/pull/19403)]
- ui: show Get credentials button for static roles detail page when a
user has the proper permissions.
\[[GH-19190](https://togithub.com/hashicorp/vault/pull/19190)]

###
[`v1.12.2`](https://togithub.com/hashicorp/vault/releases/tag/v1.12.2)

[Compare
Source](https://togithub.com/hashicorp/vault/compare/v1.12.1...v1.12.2)

#### 1.12.2

##### November 30, 2022

CHANGES:

-   core: Bump Go version to 1.19.3.
- plugins: Mounts can no longer be pinned to a specific *builtin*
version. Mounts previously pinned to a specific builtin version will now
automatically upgrade to the latest builtin version, and may now be
overridden if an unversioned plugin of the same name and type is
registered. Mounts using plugin versions without `builtin` in their
metadata remain unaffected.
\[[GH-18051](https://togithub.com/hashicorp/vault/pull/18051)]

IMPROVEMENTS:

- secrets/pki: Allow issuer creation, import to change default issuer
via `default_follows_latest_issuer`.
\[[GH-17824](https://togithub.com/hashicorp/vault/pull/17824)]
- storage/raft: Add `retry_join_as_non_voter` config option.
\[[GH-18030](https://togithub.com/hashicorp/vault/pull/18030)]

BUG FIXES:

- auth/okta: fix a panic for AuthRenew in Okta
\[[GH-18011](https://togithub.com/hashicorp/vault/pull/18011)]
- auth: Deduplicate policies prior to ACL generation
\[[GH-17914](https://togithub.com/hashicorp/vault/pull/17914)]
- cli: Fix issue preventing kv commands from executing properly when the
mount path provided by `-mount` flag and secret key path are the same.
\[[GH-17679](https://togithub.com/hashicorp/vault/pull/17679)]
- core (enterprise): Supported storage check in `vault server` command
will no longer prevent startup. Instead, a warning will be logged if
configured to use storage backend other than `raft` or `consul`.
- core/quotas (enterprise): Fix a lock contention issue that could occur
and cause Vault to become unresponsive when creating, changing, or
deleting lease count quotas.
- core: Fix potential deadlock if barrier ciphertext is less than 4
bytes. \[[GH-17944](https://togithub.com/hashicorp/vault/pull/17944)]
- core: fix a start up race condition where performance standbys could
go into a
mount loop if default policies are not yet synced from the active node.
\[[GH-17801](https://togithub.com/hashicorp/vault/pull/17801)]
- plugins: Only report deprecation status for builtin plugins.
\[[GH-17816](https://togithub.com/hashicorp/vault/pull/17816)]
- plugins: Vault upgrades will no longer fail if a mount has been
created using an explicit builtin plugin version.
\[[GH-18051](https://togithub.com/hashicorp/vault/pull/18051)]
- secret/pki: fix bug with initial legacy bundle migration (from < 1.11
into 1.11+) and missing issuers from ca_chain
\[[GH-17772](https://togithub.com/hashicorp/vault/pull/17772)]
- secrets/azure: add WAL to clean up role assignments if errors occur
\[[GH-18086](https://togithub.com/hashicorp/vault/pull/18086)]
- secrets/gcp: Fixes duplicate service account key for rotate root on
standby or secondary
\[[GH-18111](https://togithub.com/hashicorp/vault/pull/18111)]
- secrets/pki: Fix upgrade of missing expiry, delta_rebuild_interval by
setting them to the default.
\[[GH-17693](https://togithub.com/hashicorp/vault/pull/17693)]
- ui: Fixes issue with not being able to download raft snapshot via
service worker
\[[GH-17769](https://togithub.com/hashicorp/vault/pull/17769)]
- ui: fix entity policies list link to policy show page
\[[GH-17950](https://togithub.com/hashicorp/vault/pull/17950)]

###
[`v1.12.1`](https://togithub.com/hashicorp/vault/releases/tag/v1.12.1)

[Compare
Source](https://togithub.com/hashicorp/vault/compare/v1.12.0...v1.12.1)

#### 1.12.1

##### November 2, 2022

IMPROVEMENTS:

- api: Support VAULT_DISABLE_REDIRECTS environment variable (and
--disable-redirects flag) to disable default client behavior and prevent
the client following any redirection responses.
\[[GH-17352](https://togithub.com/hashicorp/vault/pull/17352)]
- database/snowflake: Allow parallel requests to Snowflake
\[[GH-17593](https://togithub.com/hashicorp/vault/pull/17593)]
- plugins: Add plugin version information to key plugin lifecycle log
lines. \[[GH-17430](https://togithub.com/hashicorp/vault/pull/17430)]
- sdk/ldap: Added support for paging when searching for groups using
group filters
\[[GH-17640](https://togithub.com/hashicorp/vault/pull/17640)]

BUG FIXES:

- cli: Remove empty table heading for `vault secrets list -detailed`
output. \[[GH-17577](https://togithub.com/hashicorp/vault/pull/17577)]
- core/managed-keys (enterprise): Return better error messages when
encountering key creation failures
- core/managed-keys (enterprise): Switch to using hash length as PSS
Salt length within the test/sign api for better
[PKCS#11](https://togithub.com/PKCS/vault/issues/11) compatibility
- core: Fix panic caused in Vault Agent when rendering certificate
templates \[[GH-17419](https://togithub.com/hashicorp/vault/pull/17419)]
- core: Fixes spurious warnings being emitted relating to "unknown or
unsupported fields" for JSON config
\[[GH-17660](https://togithub.com/hashicorp/vault/pull/17660)]
- core: prevent memory leak when using control group factors in a policy
\[[GH-17532](https://togithub.com/hashicorp/vault/pull/17532)]
- core: prevent panic during mfa after enforcement's namespace is
deleted \[[GH-17562](https://togithub.com/hashicorp/vault/pull/17562)]
- kmip (enterprise): Fix a problem in the handling of attributes that
caused Import operations to fail.
- kmip (enterprise): Fix selection of Cryptographic Parameters for
Encrypt/Decrypt operations.
- login: Store token in tokenhelper for interactive login MFA
\[[GH-17040](https://togithub.com/hashicorp/vault/pull/17040)]
- secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary
clusters. \[[GH-17497](https://togithub.com/hashicorp/vault/pull/17497)]
- ui: Fixes oidc/jwt login issue with alternate mount path and jwt login
via mount path tab
\[[GH-17661](https://togithub.com/hashicorp/vault/pull/17661)]

###
[`v1.12.0`](https://togithub.com/hashicorp/vault/releases/tag/v1.12.0)

[Compare
Source](https://togithub.com/hashicorp/vault/compare/v1.11.0...v1.12.0)

#### 1.12.0

##### October 13, 2022

CHANGES:

- api: Exclusively use `GET /sys/plugins/catalog` endpoint for listing
plugins, and add `details` field to list responses.
\[[GH-17347](https://togithub.com/hashicorp/vault/pull/17347)]
- auth: `GET /sys/auth/:name` endpoint now returns an additional
`deprecation_status` field in the response data for builtins.
\[[GH-16849](https://togithub.com/hashicorp/vault/pull/16849)]
- auth: `GET /sys/auth` endpoint now returns an additional
`deprecation_status` field in the response data for builtins.
\[[GH-16849](https://togithub.com/hashicorp/vault/pull/16849)]
- auth: `POST /sys/auth/:type` endpoint response contains a warning for
`Deprecated` auth methods.
\[[GH-17058](https://togithub.com/hashicorp/vault/pull/17058)]
- auth: `auth enable` returns an error and `POST /sys/auth/:type`
endpoint reports an error for `Pending Removal` auth methods.
\[[GH-17005](https://togithub.com/hashicorp/vault/pull/17005)]
- core/entities: Fixed stranding of aliases upon entity merge, and
require explicit selection of which aliases should be kept when some
must be deleted
\[[GH-16539](https://togithub.com/hashicorp/vault/pull/16539)]
-   core: Bump Go version to 1.19.2.
- core: Validate input parameters for vault operator init command. Vault
1.12 CLI version is needed to run operator init now.
\[[GH-16379](https://togithub.com/hashicorp/vault/pull/16379)]
- identity: a request to `/identity/group` that includes
`member_group_ids` that contains a cycle will now be responded to with a
400 rather than 500
\[[GH-15912](https://togithub.com/hashicorp/vault/pull/15912)]
- licensing (enterprise): Terminated licenses will no longer result in
shutdown. Instead, upgrades will not be allowed if the license
termination time is before the build date of the binary.
- plugins: Add plugin version to auth register, list, and mount table
\[[GH-16856](https://togithub.com/hashicorp/vault/pull/16856)]
- plugins: `GET /sys/plugins/catalog/:type/:name` endpoint contains
deprecation status for builtin plugins.
\[[GH-17077](https://togithub.com/hashicorp/vault/pull/17077)]
- plugins: `GET /sys/plugins/catalog/:type/:name` endpoint now returns
an additional `version` field in the response data.
\[[GH-16688](https://togithub.com/hashicorp/vault/pull/16688)]
- plugins: `GET /sys/plugins/catalog/` endpoint contains deprecation
status in `detailed` list.
\[[GH-17077](https://togithub.com/hashicorp/vault/pull/17077)]
- plugins: `GET /sys/plugins/catalog` endpoint now returns an additional
`detailed` field in the response data with a list of additional plugin
metadata. \[[GH-16688](https://togithub.com/hashicorp/vault/pull/16688)]
- plugins: `plugin info` displays deprecation status for builtin
plugins. \[[GH-17077](https://togithub.com/hashicorp/vault/pull/17077)]
- plugins: `plugin list` now accepts a `-detailed` flag, which display
deprecation status and version info.
\[[GH-17077](https://togithub.com/hashicorp/vault/pull/17077)]
- secrets/azure: Removed deprecated AAD graph API support from the
secrets engine.
\[[GH-17180](https://togithub.com/hashicorp/vault/pull/17180)]
- secrets: All database-specific (standalone DB) secrets engines are now
marked `Pending Removal`.
\[[GH-17038](https://togithub.com/hashicorp/vault/pull/17038)]
- secrets: `GET /sys/mounts/:name` endpoint now returns an additional
`deprecation_status` field in the response data for builtins.
\[[GH-16849](https://togithub.com/hashicorp/vault/pull/16849)]
- secrets: `GET /sys/mounts` endpoint now returns an additional
`deprecation_status` field in the response data for builtins.
\[[GH-16849](https://togithub.com/hashicorp/vault/pull/16849)]
- secrets: `POST /sys/mounts/:type` endpoint response contains a warning
for `Deprecated` secrets engines.
\[[GH-17058](https://togithub.com/hashicorp/vault/pull/17058)]
- secrets: `secrets enable` returns an error and `POST /sys/mount/:type`
endpoint reports an error for `Pending Removal` secrets engines.
\[[GH-17005](https://togithub.com/hashicorp/vault/pull/17005)]

FEATURES:

- **GCP Cloud KMS support for managed keys**: Managed keys now support
using GCP Cloud KMS keys
- **LDAP Secrets Engine**: Adds the `ldap` secrets engine with service
account check-out functionality for all supported schemas.
\[[GH-17152](https://togithub.com/hashicorp/vault/pull/17152)]
- **OCSP Responder**: PKI mounts now have an OCSP responder that
implements a subset of RFC6960, answering single serial number OCSP
requests for a specific cluster's revoked certificates in a mount.
\[[GH-16723](https://togithub.com/hashicorp/vault/pull/16723)]
- **Redis DB Engine**: Adding the new Redis database engine that
supports the generation of static and dynamic user roles and root
credential rotation on a stand alone Redis server.
\[[GH-17070](https://togithub.com/hashicorp/vault/pull/17070)]
- **Redis ElastiCache DB Plugin**: Added Redis ElastiCache as a built-in
plugin. \[[GH-17075](https://togithub.com/hashicorp/vault/pull/17075)]
- **Secrets/auth plugin multiplexing**: manage multiple plugin
configurations with a single plugin process
\[[GH-14946](https://togithub.com/hashicorp/vault/pull/14946)]
- **Transform Key Import (BYOK)**: The transform secrets engine now
supports importing keys for tokenization and FPE transformations
- HCP (enterprise): Adding foundational support for self-managed vault
nodes to securely communicate with [HashiCorp Cloud
Platform](https://cloud.hashicorp.com) as an opt-in feature
- ui: UI support for Okta Number Challenge.
\[[GH-15998](https://togithub.com/hashicorp/vault/pull/15998)]

IMPROVEMENTS:

- :core/managed-keys (enterprise): Allow operators to specify PSS
signatures and/or hash algorithm for the test/sign api
- activity (enterprise): Added new clients unit tests to test accuracy
of estimates
- agent/auto-auth: Add `exit_on_err` which when set to true, will cause
Agent to exit if any errors are encountered during authentication.
\[[GH-17091](https://togithub.com/hashicorp/vault/pull/17091)]
- agent: Added `disable_idle_connections` configuration to disable
leaving idle connections open in auto-auth, caching and templating.
\[[GH-15986](https://togithub.com/hashicorp/vault/pull/15986)]
- agent: Added `disable_keep_alives` configuration to disable keep
alives in auto-auth, caching and templating.
\[[GH-16479](https://togithub.com/hashicorp/vault/pull/16479)]
- agent: JWT auto auth now supports a `remove_jwt_after_reading` config
option which defaults to true.
\[[GH-11969](https://togithub.com/hashicorp/vault/pull/11969)]
- agent: Send notifications to systemd on start and stop.
\[[GH-9802](https://togithub.com/hashicorp/vault/pull/9802)]
- api/mfa: Add namespace path to the MFA read/list endpoint
\[[GH-16911](https://togithub.com/hashicorp/vault/pull/16911)]
- api: Add a sentinel error for missing KV secrets
\[[GH-16699](https://togithub.com/hashicorp/vault/pull/16699)]
- auth/alicloud: Enables AliCloud roles to be compatible with Vault's
role based quotas.
\[[GH-17251](https://togithub.com/hashicorp/vault/pull/17251)]
- auth/approle: SecretIDs can now be generated with an per-request
specified TTL and num_uses.
When either the ttl and num_uses fields are not specified, the role's
configuration is used.
\[[GH-14474](https://togithub.com/hashicorp/vault/pull/14474)]
- auth/aws: PKCS7 signatures will now use SHA256 by default in prep for
Go 1.18 \[[GH-16455](https://togithub.com/hashicorp/vault/pull/16455)]
- auth/azure: Enables Azure roles to be compatible with Vault's role
based quotas.
\[[GH-17194](https://togithub.com/hashicorp/vault/pull/17194)]
- auth/cert: Add metadata to identity-alias
\[[GH-14751](https://togithub.com/hashicorp/vault/pull/14751)]
- auth/cert: Operators can now specify a CRL distribution point URL, in
which case the cert auth engine will fetch and use the CRL from that
location rather than needing to push CRLs directly to auth/cert.
\[[GH-17136](https://togithub.com/hashicorp/vault/pull/17136)]
- auth/cf: Enables CF roles to be compatible with Vault's role based
quotas. \[[GH-17196](https://togithub.com/hashicorp/vault/pull/17196)]
- auth/gcp: Add support for GCE regional instance groups
\[[GH-16435](https://togithub.com/hashicorp/vault/pull/16435)]
- auth/gcp: Updates dependencies: `google.golang.org/api@v0.83.0`,
`github.com/hashicorp/go-gcp-common@v0.8.0`.
\[[GH-17160](https://togithub.com/hashicorp/vault/pull/17160)]
- auth/jwt: Adds support for Microsoft US Gov L4 to the Azure provider
for groups fetching.
\[[GH-16525](https://togithub.com/hashicorp/vault/pull/16525)]
- auth/jwt: Improves detection of Windows Subsystem for Linux (WSL) for
CLI-based logins.
\[[GH-16525](https://togithub.com/hashicorp/vault/pull/16525)]
- auth/kerberos: add `add_group_aliases` config to include LDAP groups
in Vault group aliases
\[[GH-16890](https://togithub.com/hashicorp/vault/pull/16890)]
- auth/kerberos: add `remove_instance_name` parameter to the login CLI
and the Kerberos config in Vault. This removes any instance names found
in the keytab service principal name.
\[[GH-16594](https://togithub.com/hashicorp/vault/pull/16594)]
- auth/kubernetes: Role resolution for K8S Auth
\[[GH-156](https://togithub.com/hashicorp/vault-plugin-auth-kubernetes/pull/156)]
\[[GH-17161](https://togithub.com/hashicorp/vault/pull/17161)]
- auth/oci: Add support for role resolution.
\[[GH-17212](https://togithub.com/hashicorp/vault/pull/17212)]
- auth/oidc: Adds support for group membership parsing when using
SecureAuth as an OIDC provider.
\[[GH-16274](https://togithub.com/hashicorp/vault/pull/16274)]
- cli: CLI commands will print a warning if flags will be ignored
because they are p

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/ffddorf/terraform-backend).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zMjEuMiIsInVwZGF0ZWRJblZlciI6IjM3LjMyMS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 go.mod | 7 ++++---
 go.sum | 6 ++++++
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index a6d0174..7ea29f7 100644
--- a/go.mod
+++ b/go.mod
@@ -16,7 +16,7 @@ require (
 	github.com/gruntwork-io/terratest v0.41.16
 	github.com/hashicorp/go-slug v0.15.0
 	github.com/hashicorp/hcl/v2 v2.16.2
-	github.com/hashicorp/vault/api v1.11.0
+	github.com/hashicorp/vault/api v1.13.0
 	github.com/lib/pq v1.10.9
 	github.com/mattn/go-sqlite3 v1.14.22
 	github.com/minio/minio-go/v7 v7.0.66
@@ -49,11 +49,12 @@ require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
-	github.com/fatih/color v1.15.0 // indirect
+	github.com/fatih/color v1.16.0 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.5.0 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.1 // indirect
 	github.com/go-redis/redis/v8 v8.11.5 // indirect
 	github.com/go-test/deep v1.1.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
@@ -83,7 +84,7 @@ require (
 	github.com/klauspost/compress v1.17.5 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.6 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
-	github.com/mattn/go-isatty v0.0.18 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-zglob v0.0.4 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
 	github.com/minio/sha256-simd v1.0.1 // indirect
diff --git a/go.sum b/go.sum
index a2b9ca3..9eac836 100644
--- a/go.sum
+++ b/go.sum
@@ -267,6 +267,7 @@ github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs=
 github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw=
+github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
@@ -287,6 +288,8 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-jose/go-jose/v3 v3.0.1 h1:pWmKFVtt+Jl0vBZTIpz/eAKwsm6LkIxDVVbFHKkchhA=
 github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
+github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U=
+github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
 github.com/go-redis/redis v6.15.9+incompatible h1:K0pv1D7EQUjfyoMql+r/jZqCLizCGKFlFgcHWWmHQjg=
 github.com/go-redis/redis v6.15.9+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA=
 github.com/go-redis/redis/v7 v7.4.0 h1:7obg6wUoj05T0EpY0o8B59S9w5yeMWql7sw2kwNW1x4=
@@ -447,6 +450,8 @@ github.com/hashicorp/terraform-json v0.16.0 h1:UKkeWRWb23do5LNAFlh/K3N0ymn1qTOO8
 github.com/hashicorp/terraform-json v0.16.0/go.mod h1:v0Ufk9jJnk6tcIZvScHvetlKfiNTC+WS21mnXIlc0B0=
 github.com/hashicorp/vault/api v1.11.0 h1:AChWByeHf4/P9sX3Y1B7vFsQhZO2BgQiCMQ2SA1P1UY=
 github.com/hashicorp/vault/api v1.11.0/go.mod h1:si+lJCYO7oGkIoNPAN8j3azBLTn9SjMGS+jFaHd1Cck=
+github.com/hashicorp/vault/api v1.13.0 h1:RTCGpE2Rgkn9jyPcFlc7YmNocomda44k5ck8FKMH41Y=
+github.com/hashicorp/vault/api v1.13.0/go.mod h1:0cb/uZUv1w2cVu9DIvuW1SMlXXC6qtATJt+LXJRx+kg=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
@@ -489,6 +494,7 @@ github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovk
 github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.18 h1:DOKFKCQ7FNG2L1rbrmstDN4QVRdS89Nkh85u68Uwp98=
 github.com/mattn/go-isatty v0.0.18/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
 github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=