Bump github.com/openbao/openbao/api/v2 from 2.2.0 to 2.3.0

[dependabot]

Bumps github.com/openbao/openbao/api/v2 from 2.2.0 to 2.3.0.

Release notes

Sourced from github.com/openbao/openbao/api/v2's releases.

v2.3.0-beta20250528

[!TIP] This release has namespaces support!

CHANGES

• openbao: update modules and checksums to address vulnerabilities [GH-1126]
• packaging/systemd: Do not set LimitNOFILE, allowing Go to automatically manage this value on behalf of the server. See also golang/go#46279. [GH-1179]
• storage/postgresql: Support empty connection URLs to use standard component-wise variables [GH-1297]

FEATURES

• KMIP Auto-Unseal: Add support for automatic unsealing of OpenBao using a KMIP protocol. [GH-1144]
• Namespaces: Support for tenant isolation using namespaces, application API compatible with upstream's implementation.
  • Create, read, update, delete a hierarchical directory of namespaces
  • Manage isolated per-namespace secrets engines, auth methods, tokens, policies and more
  • Migrate (remount) secrets engines and auth methods between namespaces
  • Lock and unlock namespaces
  • Route requests to namespaces via path (/my-namespace/secrets) or X-Vault-Namespace header (or both!)
  • CLI support via the bao namespace family of commands and the -namespace flag. [GH-1165]
• ssh: Support multiple certificate issuers in SSH secret engine mounts, enabling safer rotation of SSH CA key material [GH-880]

• Minor docs improvements and chore by @​karras in openbao/openbao#1005
• feat(identity/entity-alias): return metadata when listing entity-aliases by @​pree in openbao/openbao#1013
• Bump ember-cli-htmlbars from 6.0.1 to 6.3.0 in /ui by @​dependabot in openbao/openbao#1008
• Bump @​types/ember-resolver from 5.0.13 to 9.0.2 in /ui by @​dependabot in openbao/openbao#1009
• Bump qunit-dom from 2.0.0 to 3.4.0 in /ui by @​dependabot in openbao/openbao#1010
• Bump @​types/rsvp from 4.0.4 to 4.0.9 in /ui by @​dependabot in openbao/openbao#1011
• Update libraries.mdx by @​livespotty in openbao/openbao#1015
• Bump github.com/natefinch/atomic from 0.0.0-20150920032501-a62ce929ffcc to 1.0.1 by @​dependabot in openbao/openbao#1012
• Add transactions to AppRole funcs by @​suprjinx in openbao/openbao#992
• Add transaction wrappers to database endpoints by @​suprjinx in openbao/openbao#995
• Cleanup leftover DR Token CLI and API options by @​JanMa in openbao/openbao#1018
• Add API and CLI commands to promote/demote nodes in the Raft cluster by @​JanMa in openbao/openbao#996
• Revive Valkey plugin by @​cipherboy in openbao/openbao#1019
• Fix prerelease image tagging by @​JanMa in openbao/openbao#1030
• Bump d3-transition from 1.3.2 to 3.0.1 in /ui by @​dependabot in openbao/openbao#1032
• Bump swagger-ui-dist from 5.18.2 to 5.19.0 in /ui by @​dependabot in openbao/openbao#1034
• Bump github.com/hashicorp/cap from 0.3.0 to 0.8.0 by @​dependabot in openbao/openbao#1036
• FIX: UI missing checkmarks by @​arminfelder in openbao/openbao#1042
• Add blog post for horizontal scalability by @​cipherboy in openbao/openbao#1049
• fix: fix the wrong error return value by @​cangqiaoyuzhuo in openbao/openbao#1055
• Simplify Goreleaser templates by @​JanMa in openbao/openbao#1039
• Bump typescript from 5.7.3 to 5.8.2 in /website by @​dependabot in openbao/openbao#1057
• Bump prettier-eslint-cli from 7.1.0 to 8.0.1 in /ui by @​dependabot in openbao/openbao#1059
• Bump actions/cache to v4, use pinning by @​cipherboy in openbao/openbao#1064

... (truncated)

Changelog

Sourced from github.com/openbao/openbao/api/v2's changelog.

2.3.0-beta20250528

May 28, 2025

SECURITY:

• sdk/framework: prevent information disclosure on invalid request. HCSEC-2025-09 / CVE-2025-4166. [GH-1323]

CHANGES:

• openbao: update modules and checksums to address vulnerabilities [GH-1126]
• packaging/systemd: Do not set LimitNOFILE, allowing Go to automatically manage this value on behalf of the server. See also golang/go#46279. [GH-1179]
• storage/postgresql: Support empty connection URLs to use standard component-wise variables [GH-1297]

FEATURES:

• KMIP Auto-Unseal: Add support for automatic unsealing of OpenBao using a KMIP protocol. [GH-1144]
• Namespaces: Support for tenant isolation using namespaces, application API compatible with upstream's implementation.
  • Create, read, update, delete a hierarchical directory of namespaces
  • Manage isolated per-namespace secrets engines, auth methods, tokens, policies and more
  • Migrate (remount) secrets engines and auth methods between namespaces
  • Lock and unlock namespaces
  • Route requests to namespaces via path (/my-namespace/secrets) or X-Vault-Namespace header (or both!)
  • CLI support via the bao namespace family of commands and the -namespace flag. [GH-1165]
• ssh: Support multiple certificate issuers in SSH secret engine mounts, enabling safer rotation of SSH CA key material [GH-880]

IMPROVEMENTS:

• When using auto-unseal via KMS, KMS-specific configuration information (non-sensitive) is now logged at server startup. [GH-1346]
• approle: Use transactions for read + write operations [GH-992]
• auth/jwt: Support lazy resolution of oidc_discovery_url or jwks_url when skip_jwks_validation=true is specified on auth/jwt/config; OIDC status is now reported on reading the configuration. [GH-1306]
• core/policies: Add check-and-set support for modifying policies, allowing for protection against concurrent modifications. [GH-1162]
• core/policies: Add endpoint to allow detailed listing of policies [GH-1224]
• core/policies: Allow setting expiration on policies and component paths, removing policies or preventing usage of path rules after expiration. [GH-1142]
• core: Support pagination and transactions in ClearView, CollectKeys, and ScanView, improving secret disable memory consumption and request consistency. [GH-1102]
• database/valkey: Revive Redis plugin as Valkey, the OSI-licensed fork of Redis [GH-1019]
• database: Use transactions for read-then-write methods in the database package [GH-995]
• pki: add not_after_bound and not_before_bound role parameters to safely limit issuance duration [GH-1172]
• ssh: Use transactions for read-then-write or multiple write methods in the ssh package [GH-989]
• storage/postgresql: support retrying database connection on startup to gracefully handle service ordering issues [GH-1280]

BUG FIXES:

• api: Stop marshaling nil interface data and adding it as a request body on an api.Request [GH-1315]
• cli: Return a quoted string URL when -output-curl-string flag is passed in [GH-1038]
• oidc: add some buffer time after calling oidcPeriodicFunc in test, to prevent flakiness [GH-1178]
• pki: addresses a timing issue revealed in pki Backend_RevokePlusTidy test [GH-1139]
• sealing/pkcs11: OpenBao now correctly finalizes the PKCS#11 library on shutdown (openbao/go-kms-wrapping#32). This is unlikely to have caused many real-world issues so far. [GH-1349]
• secrets/pki: Remove null value for subproblems encoding, fixing compatibility with certain ACME clients like certbot. [GH-1236]
• storage/postgresql: Remove redundant PermitPool enforced by db.SetMaxOpenConns(...). [GH-1299]

... (truncated)

Commits

• d62e0d3 Track lock in namespace entry directly (#1367)
• 083b18e Add check and set for policies (#1162)
• 289107a Namespaces locking/unlocking implementation (#1347)
• b64584f Add policy and path expiration (#1142)
• 894d10e Add NeoNephos to supporters section of homepage (#1363)
• fe626d0 Support clearing views via pagination, with transaction (#1102)
• 8f4cdc0 Describe how user access and roles are managed to cover OSPS-AC-02.01 (#1359)
• 4078e2c Use per-namespace storage layouts for identity (#1360)
• 4bc5100 Update contributors and maintainers information (#1305)
• c98a130 add hsm docker distribution to downloads page (#1353)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Looks like github.com/openbao/openbao/api/v2 is up-to-date now, so this is no longer needed.