Releases: egen/safe

Safe v1.3.0

25 Jun 19:56

New Features

  • SSH tunneling is now supported as a proxy. ssh+socks5:// is the scheme you'll
    want to use in your proxy environment variables to take advantage of this. For
    more information on how to use this, check out safe envvars.

  • SAFE_ALL_PROXY is now a supported environment variable - it will set the values
    for both HTTP_PROXY and HTTPS_PROXY.

Safe v1.2.1

24 Jun 15:25

Bug Fixes

  • Upgraded to compiling with Go 1.12.6. This should fix some DNS timeout problems referenced by #185 (Thanks @geofffranks)

Safe v1.2.0

12 Jun 20:18

Bug Fixes

  • Fix versions command description

New Features

  • safe envvars - New command that displays available environment variables for use with safe

  • Auto-mount secret on safe init and safe local - In more recent
    versions of Vault, secret is not mounted by default. Safe will ensure that
    the mount is created anyway unless the --no-mount option is given. The flag
    will not unmount an existing secret mount in versions of Vault which mount
    secret by default.

  • safe auth approle - Added the ability to auth via AppRole

Safe v1.1.0

06 Feb 20:57

Bug Fixes

  • safe target no longer cares if your current target is valid
    before overwriting it.

Breaking Changes

These are things that should have been done in 1.0.0 to maintain
backward compatibility with older versions of safe's export calls.

  • safe export will now make a v1-style export if it is able to.
    These can be imported by older versions of safe.
  • safe export's --shallow and --only-alive flags are now the
    default behaviors. They can be flipped with the new --all and --deleted
    flags, respectively.

Safe v1.0.2

25 Jan 19:59

Bug Fixes

  • safe commands no longer 403 when the auth token's policies do not have
    access to sys endpoints.
  • paths and tree operations work correctly when the Vault has a secret at the
    root of a mount.

Safe v1.0.1

23 Jan 21:54

Bug Fixes

  • safe paths without the --keys flag has output again.

Safe v1.0.0

18 Jan 21:59

New Features

  • safe now supports the versioned KV v2 backend! (Fixes #138)
  • Commands that write will append new versions to versioned backends.
  • Commands that read will read the newest version (if undeleted) by default.
    Older versions can be read with the PATH^VERSION syntax
    (i.e. mysecret:mykey^2).
  • Commands that delete will operate on the newest version by default. You can
    target specific versions with the PATH^VERSION syntax. By default, versions
    will be marked as deleted. They can be destroyed with the -D flag on safe delete.
    All versions of a secret can be targeted with the -a flag on safe delete.
  • safe paths and safe tree now have a -q flag. Because scripts using paths have
    thus far assumed that only paths with accessible secrets will be returned, we needed to
    make sure that this behavior was preserved by default. However, Vault returns deleted
    or destroyed secrets from list requests. Therefore, we have to make extra calls to make
    sure that the latest version of the secret is alive. -q (quick) skips those checks to
    get you a result faster, at the cost that any secret with remaining metadata will be returned.
  • safe versions is now a command. It shows all the existing version numbers for a
    secret with their respective states. v1 backends are abstracted as versioned backends
    that only ever have one living version.
  • safe undelete is now a command. It undeletes a version that was marked as deleted.
    It errs if you try it on a v1 backend because I can't get your cert back and I'm sorry.
  • safe revert reads in an older version and writes it as the newest version of a secret.
    It's a no-op if the newest version is specified. You can revert to versions marked as
    deleted with the -d flag. This will cause the version to be undeleted, read, and then
    redeleted. The resulting newest version will be left alive.
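
The liveness check that -q skips can be sketched as follows. This is an added example, not safe's own code: it assumes the field names of Vault's KV v2 metadata response (current_version, versions, deletion_time, destroyed), and latestState is a hypothetical helper name.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// kvMetadata holds the fields of a KV v2 metadata response used here.
type kvMetadata struct {
	Data struct {
		CurrentVersion int `json:"current_version"`
		Versions       map[string]struct {
			DeletionTime string `json:"deletion_time"`
			Destroyed    bool   `json:"destroyed"`
		} `json:"versions"`
	} `json:"data"`
}

// latestState classifies the newest version: alive, deleted or destroyed.
func latestState(raw string, now time.Time) (string, error) {
	var m kvMetadata
	if err := json.Unmarshal([]byte(raw), &m); err != nil {
		return "", err
	}
	v, ok := m.Data.Versions[fmt.Sprint(m.Data.CurrentVersion)]
	switch {
	case !ok: // never treat a missing entry as alive
		return "", fmt.Errorf("no entry for version %d", m.Data.CurrentVersion)
	case v.Destroyed:
		return "destroyed", nil
	case v.DeletionTime == "":
		return "alive", nil
	}
	t, err := time.Parse(time.RFC3339, v.DeletionTime)
	if err != nil {
		return "", err
	}
	if t.After(now) { // scheduled deletion in the future: still readable
		return "alive", nil
	}
	return "deleted", nil
}

func main() {
	// Constructed body: current version 2 was soft-deleted on 2019-01-10.
	raw := `{"data":{"current_version":2,"versions":{"2":{"deletion_time":"2019-01-10T00:00:00Z","destroyed":false}}}}`
	fmt.Println(latestState(raw, time.Date(2019, 1, 18, 0, 0, 0, 0, time.UTC)))
}
```

A listing that keeps only paths whose state is "alive" matches the default behavior described above; one that skips the check returns every path that still has metadata.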

Improvements

  • Operations which walk the tree recursively now operate concurrently. This can lead
    to a significant speed increase in environments where there is noticeable latency when
    communicating with the Vault server. See: tree, paths, delete -R, etc.
  • x509 reissue and x509 renew now show up in safe help x509
  • safe curl's --data-only flag is now in the help (thanks, @lvets)
  • We can safe local all the way up to Vault 1.0.1 (and possibly even beyond) (Fixes #171)
  • safe tree / and safe paths / will now show all secrets across all KV mounts.

Bug Fixes

  • We can read non-strings out of the Vault again (Fixes #178).
  • safe rekey's key prompt is fixed and now won't just ask you for the first key n times

Breaking Changes

  • Exports are now in a new format. While this version of safe can import exports in the old
    format, it will produce exports that older versions of safe will not be able
    to import.

Safe v0.9.9

26 Oct 14:07

Improvements

  • safe local's internals have been updated to work with Vault 0.11.2+

Safe v0.9.8

11 Oct 20:33

New Features

  • Safe honours the new $SAFE_TARGET environment variable to override the safe target without using -T or calling safe target. This can be used for scripts that want to target a specific vault without modifying the user's current target in ~/.saferc.

Safe v0.9.6

12 Sep 16:12

Improvements

  • safe x509 renew can now recover from missing CRLs and missing
    serial numbers, in case you've imported the certificate and
    private key from somewhere else.

  • safe x509 validate now complains if a certificate is listed as
    a CA but does not have its serial number or CRL.