Releases: Nike-Inc/cerberus
v4.4.0
- Allow admin to update any SDB configuration
- Upgrade dependencies
v4.3.3
Make x-amz-security-token header optional for IAM users
v4.3.2
Increase c3p0 checkout timeout to 30 seconds
v4.3.1
Redact sensitive header in error message
v4.3.0
Provide metrics for data key rotation job
Missed 4.2.0:
Update dashboard dependencies
v4.1.1
Fix audit log not uploaded to s3
v4.1.0
- Corrected file path for database migrations
- Fixed metadata filtering by SDB name for admin endpoint
- Upgraded gradlew to release version
- Updated Travis credentials
v4.0.0
TL;DR: We refactored Cerberus from a Guice/Riposte project to a composable multi-project Spring Boot application.
The major breaking changes are operational breaking changes
Cerberus 4.+ now requires Java 11.
You will also need to create a new config YAML rather than relying on the CLI to generate config and store it for you.
See: https://github.com/Nike-Inc/cerberus#configuration
When upgrading from < 4.x, use the view-config command on the Lifecycle Management CLI (requires Java 8) to get your current config and secrets.
If you develop locally, you might need to use SDKMAN on your machine to switch between JREs until all our projects use Java 11.
cerberus-lm-cli -e ${envName} view-config --config-path cms/environment.properties
The API changes should be mostly backward compatible
We did technically make a few "Breaking changes" that you shouldn't see on the normal happy path.
- When you list secrets on an empty SDB / Path an empty list is now returned instead of a 404.
Most of our clients already catch the 404 and make it an empty list anyways.
This was legacy behavior from when we still used Hashicorp Vault, which just confused people, so we fixed it.
- Some of the status codes changed from 200 to 201 or 204 and vice versa to be more standardized, as Spring Boot enforces some of this behavior by default.
- Some of the status codes changed from 400 to 401 or 403 and vice versa to be more standardized, as Spring Boot enforces some of this behavior by default.
- KMS authentication endpoints are deprecated and turned off by default. You can enable them in the config YAML.
- We now always return a Backstopper error object, previously on /v1/secret/*** we returned a legacy Vault error object.
This might break the unhappy path on some of our clients and cause a deserialization issue to bubble up instead of the real underlying cause.
We hypothesize that this will only affect new uses of Cerberus and should have no impact on projects already established with Cerberus.
We are working on updating any clients that don't handle this change gracefully.
Additional Notes
This is going to put the "create an environment" docs and the Lifecycle Management CLI in a bad state while we work on updating those.
v.3.35.0
- Add timeout for db connection pool waiting, and retry AWS STS Get Caller Identity requests with backoff
- Hystrix tweaks
v3.34.0
Add metric collection for data key caching