saltstack · dwoz · Dec 16, 2023 · Sep 14, 2022 · Sep 18, 2022 · Sep 22, 2022
@@ -0,0 +1 @@
+Fixed Salt master does not renew token
@@ -0,0 +1 @@
+Fixed vault module fetching more than one secret in one run with single-use tokens
@@ -0,0 +1 @@
+Fixed Vault verify option to work on minions when only specified in master config
@@ -0,0 +1 @@
+Fixed vault command errors configured locally
@@ -0,0 +1 @@
+Fixed sdb.get_or_set_hash with Vault single-use tokens
@@ -0,0 +1 @@
+Fixed Vault session storage to allow unlimited use tokens
@@ -0,0 +1 @@
+Added Vault AppRole and identity issuance to minions
@@ -0,0 +1 @@
+Added Vault AppRole auth mount path configuration option
@@ -0,0 +1 @@
+Added distribution of Vault authentication details via response wrapping
@@ -0,0 +1 @@
+Added Vault token lifecycle management
@@ -0,0 +1 @@
+Added Vault lease management utility
@@ -0,0 +1 @@
+Added patch option to Vault SDB driver
@@ -0,0 +1,26 @@
+from pygments.lexer import bygroups, inherit
+from pygments.lexers.configs import TerraformLexer
+from pygments.token import Keyword, Name, Punctuation, Whitespace
+
+
+class VaultPolicyLexer(TerraformLexer):
+    aliases = ["vaultpolicy"]
+    filenames = ["*.hcl"]
+    mimetypes = ["application/x-hcl-policy"]
+
+    tokens = {
+        "basic": [
+            inherit,
+            (
+                r"(path)(\s+)(\".*\")(\s+)(\{)",
+                bygroups(
+                    Keyword.Reserved, Whitespace, Name.Variable, Whitespace, Punctuation
+                ),
+            ),
+        ],
+    }
+
+
+def setup(app):
+    app.add_lexer("vaultpolicy", VaultPolicyLexer)
+    return {"parallel_read_safe": True}
@@ -153,6 +153,7 @@
     "saltrepo",
     "myst_parser",
     "sphinxcontrib.spelling",
+    "vaultpolicylexer",
     #'saltautodoc', # Must be AFTER autodoc
 ]
 

@@ -6,6 +6,49 @@
 Add release specific details below
 -->
 
+## Improved Vault integration
+This release features a much deeper integration with HashiCorp Vault, for which
+many parts of the implementation core were improved. Among other things, the Salt
+daemons now attempt to renew/revoke their access tokens and can manage long-lived leases,
+while the Salt master now distributes authentication secrets using response wrapping.
+An important new feature concerns the way Vault policies can be managed.
+
+In versions before 3006, the Salt master only issued tokens to minions, whose policies
+could be templated with the minion ID and (insecure) grain values.
+3006 introduced secure templating of those policies with pillar values, as well as
+templating of Vault external pillar paths with pillar values. These improvements reduced the
+overhead of managing Vault policies securely.
+
+In addition, the Salt master can now be configured to issue AppRoles
+to minions and manage their metadata using a similar templating approach.
+Since this metadata can be taken advantage of in templated policies on the Vault side,
+the need for many boilerplate policies is reduced even further:
+{%- raw %}
+
+```vaultpolicy
+  path "salt/data/minions/{{identity.entity.metadata.minion-id}}" {
+      capabilities = ["create", "read", "write", "delete", "patch"]
+  }
+
+  path "salt/data/roles/{{identity.entity.metadata.role}}" {
+      capabilities = ["read"]
+  }
+```
+{%- endraw %}
+
+Although existing configurations will keep working without intervention after upgrading
+the Salt master, it is strongly recommended to adjust the `peer_run` configuration to
+include the new issuance endpoints in order to avoid unnecessary overhead:
+
+```yaml
+peer_run:
+  .*:
+    - vault.get_config
+    - vault.generate_new_token
+```
+
+Please see the [Vault execution module docs](https://docs.saltproject.io/en/3007.0/ref/modules/all/salt.modules.vault.html) for
+details and setup instructions regarding AppRole issuance.
 
 <!--
 Do not edit the changelog below.