Releases: doomsday-project/doomsday
v0.9.4 - Update Golang to 1.20.5
This release compiles with Golang 1.20.5
Additionally, this fixes a bug from the previous version where the `--version` command was displaying `unknown`.
v0.9.3 - Support ARM-Based Macs, Build with Go 1.18.3
The Mac-RISC is back and it's better than ever.
v0.9.2 - JQuery Bump
This release contains a bump to the version of JQuery packaged with the Web UI, bumping it to 3.5.1, which contains a fix to an XSS vulnerability (thanks @scottillogical).
v0.9.1 - Vault Root Token Fix
Bug Fixes
The Vault backend will no longer try to refresh a root token (and subsequently fail). As an aside, it's not recommended to use a Vault root token for Doomsday in production environments - Doomsday only needs read and list privileges!
v0.9.0 - New Scheduler and Other Fun Things
New Features
- Vault now supports Vault Enterprise namespaces through the `namespace` property in the Vault backend configuration properties.
- Vault, Credhub, and OpsMan backends now support specifying CA certs to trust when connecting. These are all done through `ca_certs` properties in each of these respective backends' properties.
Improvements
- CredHub now parses some additional information. Namely: the `ca` key of `certificate` types, and then all of the keys of `value` and `json` types. Those certificates can't hide from me forever.
- The scheduler is now multithreaded, so more than one backend can be scraped at a time. This should keep large, slow backends early in the queue order from completely stopping up smaller, quicker backends that may be waiting their turn.
- The logic for authentication scheduling has been tweaked to allow the backends multiple potential chances to reauthenticate before their auth expires, whereas before, they really probably only got one chance each auth cycle.
- tlsclient should no longer discard all fetched information when one host fails to be gathered.
Bug Fixes
- tlsclient should no longer explode when you configure a host that is an IPv4 address.
- Doomsday should no longer crash if the Credhub backend stumbles upon a certificate key which is null. I don't even know how you make a certificate key null, but now we should handle it.
- The "Show All" button is no longer missing from the Web UI dashboard when there are no certificates expiring soon.
Additional Stuff
- When queuing adhoc scrapes through `doomsday refresh`, it no longer pushes back the normally scheduled scrape.
- Adhoc scrapes are no longer dropped if they are within a certain time window of a previous scrape on that backend. Instead, they will be skipped if there is currently a scrape for that backend running, or one that would be run before the adhoc scrape is run.
v0.8.1 - Vault KVv2 Resiliency
New Features
- The Vault backend now has a trace option for use in debugging HTTP requests to Vault.
Improvements
- Vault errors now display the HTTP status code that caused the error.
- Vault scrape jobs would previously bomb if a Get request received a 404. This may occur because the targeted backend is KV v2 and the most recent version of the given secret was deleted. This will no longer cause Doomsday to invalidate the entire scrape.
v0.8.0 - Auth Stuff
New Features
- Vault AppRole is now supported as an auth method. The `auth.role_id` and `auth.role_secret` properties of the Vault backend configure this. The token returned can be refreshed.
- Vault periodic tokens are now supported as an auth method. If the token given is renewable, Doomsday will attempt to renew it.
- If the storage backend encodes individual keys as YAML (or JSON), Doomsday will now parse the structure and look for certificates therein.
Backend Improvements
- The Vault backend now reuses connections between requests. It now scrapes noticeably faster as a result.
- The Credhub and Ops Manager backends are now slightly more resilient, as they will try to perform a Password authentication to get a new token if their token has expired and password auth was configured, instead of just being unable to renew.
Bug Fixes
- Credhub and OpsMan backends no longer leak file descriptors when talking to UAA.
- The Web UI's scrollbar no longer falls under the navbar.
Web UI
- The Web UI has been converted to Typescript and is now targeting ECMAScript 6. This may break support for some older browsers.
- The Web UI now features a new font that better distinguishes between upper and lower case letters.
- Added a Show All button at the bottom of the dashboard that shows all the certs Doomsday is tracking.
v0.7.0 - Vault KV v2
Improvements
- The Vault backend now supports KV version 2.
v0.6.0 - Web UI
New Features
- The web UI exists now! There isn't complete parity with what's capable on the command line, but the web UI will currently give you a dashboard of what is expiring soon. The web UI should not need to fetch any libraries from the public internet to function. The Web UI was the bulk of the work for this release, but it just gets this one measly bullet point.
Improvements
- Previously, a certificate was considered unique if it was found at a unique path in a configured backend. This wasn't very robust. Now, a cert is considered unique if the SHA1 of the raw certificate data is unique. This allows us to correlate instances of the same cert from different paths in the same backend, or even across different backends entirely.
Bug Fixes
- Previously, configuration would err if a backend was configured without a name. Backend name once again defaults to the backend type name if not specified, so this error shouldn't happen unless you configure two backends of the same type without a name.
- The doomsday server fetching secrets on single-core machines was broken because there would be no workers allocated to actually doing the fetch. It would just happily get nothing at all. This is fixed now.
- We weren't catching potential errors when talking to UAA servers (which affects the Credhub and Ops Manager backend types). This could lead to the doomsday server crashing as it tries to read a response body that never existed. Fixed! Thanks @daviddob
Breaking Changes
- Due to a certificate now being able to be found at multiple paths, the `path` string in the `/v1/cache` endpoint objects has been moved to `paths`. This object is an array of objects containing a `backend` and `location`.
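As an added example (not Doomsday's own code), here is the SHA1-keyed deduplication described under Improvements, producing the per-certificate `paths` list that the `/v1/cache` breaking change introduces. The certificates are minted locally as constructed sample data, and the `Path` and `Found` types are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Path is one element of the "paths" array in a v0.6.0 /v1/cache object.
type Path struct{ Backend, Location string }

// Found is a raw scrape observation: a certificate seen at one backend location.
type Found struct{ Path; Cert *x509.Certificate }

// Dedupe keys on the SHA1 of the raw DER bytes, so an identical cert stored under
// several paths, or in several backends, collapses into one entry with all its paths.
func Dedupe(found []Found) map[string][]Path {
	byFingerprint := map[string][]Path{}
	for _, f := range found {
		sum := sha1.Sum(f.Cert.Raw) // path-independent identity of the cert
		fp := hex.EncodeToString(sum[:])
		byFingerprint[fp] = append(byFingerprint[fp], f.Path)
	}
	return byFingerprint
}

// selfSigned mints a throwaway certificate for the constructed sample data.
func selfSigned(cn string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	c, _ := x509.ParseCertificate(der)
	return c
}

// SampleFound (constructed): cert "a" at three paths across two backends, cert "b" once.
func SampleFound() []Found {
	a, b := selfSigned("api.example.test"), selfSigned("db.example.test")
	return []Found{{Path{"vault", "secret/api/tls"}, a}, {Path{"vault", "secret/old/api"}, a},
		{Path{"credhub", "/deploy/api_cert"}, a}, {Path{"credhub", "/deploy/db_cert"}, b}}
}

func main() { fmt.Println(Dedupe(SampleFound())) } // one fingerprint per distinct cert
```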
v0.5.0 - Notifications
New Features
- Notifications! You can send notifications on a configured schedule to either Slack (slack.com) or SHOUT! (github.com/jhunt/shout).
Enhancements
- The refresh interval for each individual storage backend is now configurable.
- Logging output now includes timestamps.
- Logging now gives more information about each refresh of storage backends.
- Better error handling around improperly configuring the Vault URL.