Releases: egen/safe
Safe v1.3.0
New Features
- SSH tunneling is now supported as a proxy. ssh+socks5:// is the scheme you'll want to use in your proxy environment variables to take advantage of this. For more information on how to use this, check out safe envvars
- SAFE_ALL_PROXY is now a supported environment variable - it will set the values for both HTTP_PROXY and HTTPS_PROXY.
Safe v1.2.1
Bug Fixes
- Upgraded to compiling with Go 1.12.6. This should fix some DNS timeout problems referenced by #185 (Thanks @geofffranks)
Safe v1.2.0
Bug Fixes
- Fix versions command description
New Features
- safe envvars - New command that displays available environment variables for use with safe
- Auto-mount secret on safe init and safe local - In more recent versions of Vault, secret is not mounted by default. Safe will ensure that the mount is created anyway unless the --no-mount option is given. The flag will not unmount an existing secret mount in versions of Vault which mount secret by default.
- safe auth approle - Added the ability to auth via AppRole
Safe v1.1.0
Bug Fixes
- safe target no longer cares if your current target is valid before overwriting it.
Breaking Changes
These are things that should have been done in 1.0.0 to maintain
backward compatibility with older versions of safe's export calls.
- safe export will now make a v1-style export if it is able to. These can be imported by older versions of safe.
- safe export's --shallow and --only-alive flags are now the default behaviors. They can be flipped with the new --all and --deleted flags, respectively.
Safe v1.0.2
Bug Fixes
- safe commands no longer 403 when the auth token's policies do not have access to sys endpoints.
- paths and tree operations work correctly when the Vault has a secret at the root of a mount.
Safe v1.0.1
Bug Fixes
- safe paths without the --keys flag has output again.
Safe v1.0.0
New Features
- safe now supports the versioned KV v2 backend! (Fixes #138)
  - Commands that write will append new versions to versioned backends.
  - Commands that read will read the newest version (if undeleted) by default. Older versions can be read with the PATH^VERSION syntax (i.e. mysecret:mykey^2).
  - Commands that delete will operate on the newest version by default. You can target specific versions with the PATH^VERSION syntax. By default, versions will be marked as deleted. They can be destroyed with the -D flag on safe delete. All versions of a secret can be targeted with the -a flag on safe delete.
- safe paths and safe tree now have a -q flag. Because scripts using paths have thus far assumed that only paths with accessible secrets will be returned, we need to make sure that this behavior was preserved by default. However, Vault returns deleted or destroyed secrets from list requests. Therefore, we have to make extra calls to make sure that the latest version of the secret is alive. -q (quick) skips those checks to get you a result faster, even though any secret with remaining metadata will be returned.
- safe versions is now a command. It shows all the existing version numbers for a secret with their respective states. v1 backends are abstracted as versioned backends that only ever have one living version.
- safe undelete is now a command. It undeletes a version that was marked as deleted. It errs if you try it on a v1 backend because I can't get your cert back and I'm sorry.
- safe revert reads in an older version and writes it as the newest version of a secret. It's a no-op if the newest version is specified. You can revert to versions marked as deleted with the -d flag. This will cause the version to be undeleted, read, and then redeleted. The resulting newest version will be left alive.
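The liveness check that -q skips, and the per-version states that safe versions reports, can both be derived from a KV v2 metadata read. The following is an added example, not safe's own code: the function name and sample document are constructed, and the field names (current_version, versions, deletion_time, destroyed) are assumed to follow Vault's KV v2 metadata response.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"time"
)

// kvMetadata mirrors the "data" object of a Vault KV v2 metadata read (assumed shape).
type kvMetadata struct {
	CurrentVersion int `json:"current_version"`
	Versions       map[string]struct {
		DeletionTime string `json:"deletion_time"`
		Destroyed    bool   `json:"destroyed"`
	} `json:"versions"`
}

// Constructed sample: v1 destroyed, v2 marked deleted, v3 (newest) alive.
const sample = `{"current_version":3,"versions":{"1":{"deletion_time":"","destroyed":true},
 "2":{"deletion_time":"2019-01-02T03:04:05.123456789Z","destroyed":false},
 "3":{"deletion_time":"","destroyed":false}}}`

// versionStates lists "N:state" oldest first and reports whether the newest version is alive.
func versionStates(raw []byte, now time.Time) (out []string, alive bool, err error) {
	var md kvMetadata
	if err = json.Unmarshal(raw, &md); err != nil {
		return nil, false, err
	}
	for n := 1; n <= md.CurrentVersion; n++ {
		v, ok := md.Versions[strconv.Itoa(n)]
		if !ok { // version no longer present in the metadata
			continue
		}
		state := "alive"
		t, perr := time.Parse(time.RFC3339Nano, v.DeletionTime)
		if v.Destroyed {
			state = "destroyed"
		} else if perr == nil && !t.After(now) { // a future deletion_time is not deleted yet
			state = "deleted"
		}
		alive = n == md.CurrentVersion && state == "alive"
		out = append(out, fmt.Sprintf("%d:%s", n, state))
	}
	return out, alive, nil
}

func main() {
	fmt.Println(versionStates([]byte(sample), time.Now()))
}
```

A path whose newest version is deleted or destroyed still has metadata, which is why a plain list request returns it and one extra read per path is needed to filter it out.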
Improvements
- Operations which walk the tree recursively now operate concurrently. This can lead to a significant speed increase in environments where there is noticeable latency when communicating with the Vault server. See: tree, paths, delete -R, etc
- x509 reissue and x509 renew now show up in safe help x509
- safe curl's --data-only flag is now in the help (thanks, @lvets)
- We can safe local all the way up to Vault 1.0.1 (and possibly even beyond) (Fixes #171)
- safe tree / and safe paths / will now show all secrets across all KV mounts.
Bug Fixes
- We can read non-strings out of the Vault again (Fixes #178).
- safe rekey's key prompt is fixed and now won't just ask you for the first key n times
Breaking Changes
- Exports are now in a new format. While this version of safe can import versions of the old
format, this version of safe will produce exports that older versions of safe will not be able
to import.
Safe v0.9.9
Improvements
- safe local's internals have been updated to work with Vault 0.11.2+
Safe v0.9.8
New Features
- Safe honours the new $SAFE_TARGET environment variable to override the safe target without using -T or calling safe target. This can be used for scripts that want to target a specific vault without modifying the user's current target in ~/.saferc
Safe v0.9.6
Improvements
- safe x509 renew can now recover from missing CRLs and missing serial numbers, in case you've imported the certificate and private key from somewhere else.
- safe x509 validate now complains if a certificate is listed as a CA but does not have its serial number or CRL.