Merge branch 'master' into crl-support

# Conflicts:
#	api/api.go
#	authority/config/config.go
#	cas/softcas/softcas.go
#	db/db.go

Author: Raal Goff

.github/ISSUE_TEMPLATE/bug-report.yml

@@ -0,0 +1,56 @@
+name: Bug Report
+description: File a bug report
+title: "[Bug]: "
+labels: ["bug", "needs triage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this bug report!
+  - type: textarea
+    id: steps
+    attributes:
+      label: Steps to Reproduce
+      description: Tell us how to reproduce this issue.
+      placeholder: These are the steps!
+    validations:
+      required: true
+  - type: textarea
+    id: your-env
+    attributes:
+      label: Your Environment
+      value: |-
+             * OS -
+             * `step-ca` Version -
+    validations:
+      required: true
+  - type: textarea
+    id: expected-behavior
+    attributes:
+      label: Expected Behavior
+      description: What did you expect to happen?
+    validations:
+      required: true
+  - type: textarea
+    id: actual-behavior
+    attributes:
+      label: Actual Behavior
+      description: What happens instead?
+    validations:
+      required: true
+  - type: textarea
+    id: context
+    attributes:
+      label: Additional Context
+      description: Add any other context about the problem here.
+    validations:
+      required: false
+  - type: textarea
+    id: contributing
+    attributes:
+      label: Contributing
+      value: |
+             Vote on this issue by adding a 👍 reaction.
+             To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,12 +1,20 @@
 ---
 name: Documentation Request
 about: Request documentation for a feature
-title: ''
-labels: documentation, needs triage
+title: '[Docs]:'
+labels: docs, needs triage
 assignees: ''
 
 ---
 
+## Hello!
+<!-- Please leave this section as-is, it's designed to help others in the community know how to interact with our GitHub issues. -->
+
+- Vote on this issue by adding a 👍 reaction
+- If you want to document this feature, comment to let us know (we'll work with you on design, scheduling, etc.)
+
+## Affected area/feature
+
 <!---
 Tell us which feature you'd like to see documented. 
  - Where would you like that documentation to live (command line usage output, website, github markdown on the repo)? 

.github/ISSUE_TEMPLATE/documentation-request.md

@@ -1,13 +1,24 @@
 ---
 name: Enhancement
-about: Suggest an enhancement to step certificates
+about: Suggest an enhancement to step-ca
 title: ''
 labels: enhancement, needs triage
 assignees: ''
 
 ---
 
-### What would you like to be added
+## Hello!
+<!-- Please leave this section as-is, 
+it's designed to help others in the community know how to interact with our GitHub issues. -->
 
+- Vote on this issue by adding a 👍 reaction
+- If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)
 
-### Why this is needed
+## Issue details
+
+<!-- Enhancement requests are most helpful when they describe the problem you're having 
+as well as articulating the potential solution you'd like to see built. -->
+
+## Why is this needed?
+
+<!-- Let us know why you think this enhancement would be good for the project or community. -->

.github/ISSUE_TEMPLATE/enhancement.md

@@ -1,4 +1,20 @@
-### Description
-Please describe your pull request.
+<!---
+Please provide answers in the spaces below each prompt, where applicable.
+Not every PR requires responses for each prompt.
+Use your discretion.
+-->
+#### Name of feature:
+
+#### Pain or issue this feature alleviates:
+
+#### Why is this important to the project (if not answered above):
+
+#### Is there documentation on how to use this feature? If so, where?
+
+#### In what environments or workflows is this feature supported?
+
+#### In what environments or workflows is this feature explicitly NOT supported (if any)?
+
+#### Supporting links/other PRs/issues:
 
 💔Thank you!

.github/PULL_REQUEST_TEMPLATE

@@ -33,7 +33,7 @@ jobs:
         uses: golangci/golangci-lint-action@v2
         with:
           # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
-          version: 'v1.45.0'
+          version: 'v1.45.2'
 
           # Optional: working directory, useful for monorepos
           # working-directory: somedir
@@ -139,7 +139,7 @@ jobs:
         name: Run GoReleaser
         uses: goreleaser/goreleaser-action@5a54d7e660bda43b405e8463261b3d25631ffe86 # v2.7.0
         with:
-          version: latest
+          version: 'v1.7.0'
           args: release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.PAT }}

.github/workflows/release.yml

@@ -33,7 +33,7 @@ jobs:
         uses: golangci/golangci-lint-action@v2
         with:
           # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
-          version: 'v1.45.0'
+          version: 'v1.45.2'
 
           # Optional: working directory, useful for monorepos
           # working-directory: somedir
@@ -59,8 +59,9 @@ jobs:
       -
         name: Codecov
         if: matrix.go == '1.18'
-        uses: codecov/codecov-action@v1.2.1
+        uses: codecov/codecov-action@v2
         with:
-          file: ./coverage.out # optional
+          token: ${{ secrets.CODECOV_TOKEN }}
+          files: ./coverage.out # optional
           name: codecov-umbrella # optional
           fail_ci_if_error: true # optional (default = false)

.github/workflows/test.yml

@@ -230,42 +230,3 @@ scoop:
   # Your app's license
   # Default is empty.
   license: "Apache-2.0"
-
-  #dockers:
-  #  - dockerfile: docker/Dockerfile
-  #    goos: linux
-  #    goarch: amd64
-  #    use_buildx: true
-  #    image_templates:
-  #    - "smallstep/step-cli:latest"
-  #    - "smallstep/step-cli:{{ .Tag }}"
-  #    build_flag_templates:
-  #    - "--platform=linux/amd64"
-  #  - dockerfile: docker/Dockerfile
-  #    goos: linux
-  #    goarch: 386
-  #    use_buildx: true
-  #    image_templates:
-  #    - "smallstep/step-cli:latest"
-  #    - "smallstep/step-cli:{{ .Tag }}"
-  #    build_flag_templates:
-  #    - "--platform=linux/386"
-  #  - dockerfile: docker/Dockerfile
-  #    goos: linux
-  #    goarch: arm
-  #    goarm: 7
-  #    use_buildx: true
-  #    image_templates:
-  #    - "smallstep/step-cli:latest"
-  #    - "smallstep/step-cli:{{ .Tag }}"
-  #    build_flag_templates:
-  #    - "--platform=linux/arm/v7"
-  #  - dockerfile: docker/Dockerfile
-  #    goos: linux
-  #    goarch: arm64
-  #    use_buildx: true
-  #    image_templates:
-  #    - "smallstep/step-cli:latest"
-  #    - "smallstep/step-cli:{{ .Tag }}"
-  #    build_flag_templates:
-  #    - "--platform=linux/arm64/v8"

.goreleaser.yml

@@ -4,16 +4,70 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
-## [Unreleased - 0.18.3] - DATE
+### TEMPLATE -- do not alter or remove
+---
+## [x.y.z] - aaaa-bb-cc
 ### Added
-- Added support for renew after expiry using the claim `allowRenewAfterExpiry`.
+### Changed
+### Deprecated
+### Removed
+### Fixed
+### Security
+---
+
+## [Unreleased]
+### Changed
+- Certificates signed by an issuer using an RSA key will be signed using the same algorithm as the issuer certificate was signed with. The signature will no longer default to PKCS #1. For example, if the issuer certificate was signed using RSA-PSS with SHA-256, a new certificate will also be signed using RSA-PSS with SHA-256.
+
+## [0.20.0] - 2022-05-26
+### Added
+- Added Kubernetes auth method for Vault RAs.
+- Added support for reporting provisioners to linkedca.
+- Added support for certificate policies on authority level.
+- Added a Dockerfile with a step-ca build with HSM support.
+- A few new WithXX methods for instantiating authorities
+### Changed
+- Context usage in HTTP APIs.
+- Changed authentication for Vault RAs.
+- Error message returned to client when authenticating with expired certificate.
+- Strip padding from ACME CSRs.
+### Deprecated
+- HTTP API handler types.
+### Fixed
+- Fixed SSH revocation.
+- CA client dial context for js/wasm target.
+- Incomplete `extraNames` support in templates.
+- SCEP GET request support.
+- Large SCEP request handling.
+
+## [0.19.0] - 2022-04-19
+### Added
+- Added support for certificate renewals after expiry using the claim `allowRenewalAfterExpiry`.
 - Added support for `extraNames` in X.509 templates.
+- Added `armv5` builds.
+- Added RA support using a Vault instance as the CA.
+- Added `WithX509SignerFunc` authority option.
+- Added a new `/roots.pem` endpoint to download the CA roots in PEM format.
+- Added support for Azure `Managed Identity` tokens.
+- Added support for automatic configuration of linked RAs.
+- Added support for the `--context` flag. It's now possible to start the 
+  CA with `step-ca --context=abc` to use the configuration from context `abc`.
+  When a context has been configured and no configuration file is provided
+  on startup, the configuration for the current context is used.
+- Added startup info logging and option to skip it (`--quiet`).
+- Added support for renaming the CA (Common Name).
 ### Changed
-- Made SCEP CA URL paths dynamic
-- Support two latest versions of Go (1.17, 1.18)
+- Made SCEP CA URL paths dynamic.
+- Support two latest versions of Go (1.17, 1.18).
+- Upgrade go.step.sm/crypto to v0.16.1.
+- Upgrade go.step.sm/linkedca to v0.15.0.
 ### Deprecated
+- Go 1.16 support.
 ### Removed
 ### Fixed
+- Fixed admin credentials on RAs.
+- Fixed ACME HTTP-01 challenges for IPv6 identifiers.
+- Various improvements under the hood.
 ### Security
 
 ## [0.18.2] - 2022-03-01
@@ -49,7 +103,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Support for multiple certificate authority contexts.
 - Support for generating extractable keys and certificates on a pkcs#11 module.
 ### Changed
-- Support two latest versions of golang (1.16, 1.17)
+- Support two latest versions of Go (1.16, 1.17)
 ### Deprecated
 - go 1.15 support
 

CHANGELOG.md

@@ -151,7 +151,7 @@ integration: bin/$(BINNAME)
 #########################################
 
 fmt:
-	$Q gofmt -l -w $(SRC)
+	$Q gofmt -l -s -w $(SRC)
 
 lint:
 	$Q golangci-lint run --timeout=30m

Makefile

@@ -54,7 +54,7 @@ Setting up a *public key infrastructure* (PKI) is out of reach for many small te
 - [Short-lived certificates](https://smallstep.com/blog/passive-revocation.html) with automated enrollment, renewal, and passive revocation
 - Capable of high availability (HA) deployment using [root federation](https://smallstep.com/blog/step-v0.8.3-federation-root-rotation.html) and/or multiple intermediaries
 - Can operate as [an online intermediate CA for an existing root CA](https://smallstep.com/docs/tutorials/intermediate-ca-new-ca)
-- [Badger, BoltDB, and MySQL database backends](https://smallstep.com/docs/step-ca/configuration#databases)
+- [Badger, BoltDB, Postgres, and MySQL database backends](https://smallstep.com/docs/step-ca/configuration#databases)
 
 ### ⚙️ Many ways to automate
 
@@ -68,6 +68,7 @@ You can issue certificates in exchange for:
 - [Cloud instance identity documents](https://smallstep.com/blog/embarrassingly-easy-certificates-on-aws-azure-gcp/), for VMs on AWS, GCP, and Azure
 - [Single-use, short-lived JWK tokens](https://smallstep.com/docs/step-ca/provisioners#jwk) issued by your CD tool — Puppet, Chef, Ansible, Terraform, etc.
 - A trusted X.509 certificate (X5C provisioner)
+- A host certificate from your Nebula network
 - A SCEP challenge (SCEP provisioner)
 - An SSH host certificates needing renewal (the SSHPOP provisioner)
 - Learn more in our [provisioner documentation](https://smallstep.com/docs/step-ca/provisioners)