feat: update openbao/openbao to v2.5.1 #minor #207

Open
public-glueops-renovatebot[bot] wants to merge 1 commit into main from renovate/openbao-openbao-2.5.x

public-glueops-renovatebot bot commented Mar 31, 2026

This PR contains the following updates:

| Package | Update | Change | Pending |
|---|---|---|---|
| openbao/openbao | minor | 2.4.4 → 2.5.1 | v2.5.2 |

Release Notes

openbao/openbao (openbao/openbao)

v2.5.1

SECURITY
BUG FIXES
  • seal: Fix Auto Unseal failing when upgrading to v2.5.0 or downgrading from v2.5.0 to an earlier version. This affected the following providers: AliCloud KMS, AWS KMS, Azure Key Vault, GCP Cloud KMS & OCI KMS. [GH-2505]
  • core/mounts: Don't attempt to upgrade legacy mount tables when in read-only standby mode. [GH-2467]
  • core/expiration: Fix total lease count not being decremented when revoking irrevocable leases. [GH-2414]
  • pki: Fix "context canceled" issue when processing cache invalidation, leading to pki returning 500 until reload. [GH-2472]
  • command: Fix panic when the home directory cannot be trivially deduced via environment variables. [GH-2446]
CHANGES
  • core/identity: Remove pre-v2.5.0 corrupt namespace identity groups during unseal; corrupt groups need to be recreated by an admin. Check for deleting corrupt group in server startup logs. [GH-2454]
What's Changed

Full Changelog: openbao/openbao@v2.5.0...v2.5.1

v2.5.0

[!TIP]
This release adds support for horizontal read scalability!

SECURITY
  • core/sys: BREAKING: default value of disable_unauthed_rekey_endpoints is true. To continue using unauthed rekey endpoints, set disable_unauthed_rekey_endpoints=false in listeners explicitly. [GH-2125]
CHANGES
  • Remove the deprecated creation_statements, revocation_statements, rollback_statements, and renew_statements fields from the dbplugin Statements protobuf message [GH-1962]
  • api: The deprecated api.MountConfigOutput.PluginName field was removed. This was already always empty. [GH-2036]
  • auth/jwt: Return error msg on OIDCDiscoveryURL including .well-known/openid-configuration component. [GH-2066]
  • core/audit: removed jsonx as an output format option for audit mounts [GH-2047]
  • sys/host-info: This endpoint may start reporting slightly higher memory usage than before (On Linux only). See https://github.com/shirou/gopsutil/releases/tag/v4.25.8 for more information. [GH-1887]
FEATURES
  • Add declarative plugin distribution via OCI images: using the plugin configuration keyword.
    • Plugins can be automatically downloaded via the plugin_auto_download=true option.
    • Plugins can be manually downloaded via the bao plugin init command.
    • Plugins can be automatically registered via the plugin_auto_register=true option, regardless if they were manually provisioned or from OCI images. [GH-1824]
  • Support Horizontal Read Scalability: all existing HA standby nodes are automatically upgraded with read support.
    • Requests which only perform storage read operations will be handled locally on the standby node.
    • Requests which perform a storage write operation (or as indicated by plugins) are forwarded to the active leader.
    • Results are eventually consistent: a write may not be immediately visible on the standby.
    • To disable, set disable_standby_reads=true in the config file before startup. [GH-1986]
  • OIDC Provider: Add Client Credentials flow to OIDC Provider. [GH-1732]
  • sdk/framework: add Response.SchemaName to allow custom response schema names in the generated OpenAPI spec. [GH-1714]
IMPROVEMENTS
  • audit: Add http audit device for low-volume, webhook-based audit event reporting. [GH-1709]
  • auth/jwt: Add type checking to role. [GH-1854]
  • command: Add environment variables to provide configuration for Proxy, Agent, and bao operator migrate via BAO_PROXY_CONFIG_PATH, BAO_AGENT_CONFIG_PATH, and BAO_MIGRATE_CONFIG_PATH. [GH-2153]
  • command: Support BAO_CONFIG_PATH in plugin init, just like server &c do. [GH-2164]
  • command: server, operator diagnose and operator validate-config now support the environment variable BAO_CONFIG_FILE for the -config command option. [GH-2115]
  • core/metrics: Support custom path for metrics on metrics-only listeners. [GH-1853]
  • core/namespaces: Use JobManager for namespace deletion, decreasing lock contention. [GH-2226]
  • core/policies: Add endpoint to allow detailed listing of a subset of policies. [GH-1965]
  • core/policies: Use per-namespace write lock, improving parallelism. [GH-2226]
  • core: Added metrics_only and disallow_metrics options to control metrics endpoint exposure on a per-listener basis. [GH-1834]
  • database/valkey: Adds the ability to configure the Valkey database connection using a single connection_url parameter. [GH-1923]
  • database: all database plugins now ignore "not found" errors on revoke by default. See Plugin Author Guide for rationale. [GH-2101]
  • openapi: Add response schemas for token store operations and update operation suffixes. [GH-1840]
  • pki: add allowed_ip_sans_cidr parameter to PKI role system, to provide additional checks for IP SANs. [GH-1833]
  • storage/postgresql: implement physical.FencingHABackend to minimize chances that writes on secondary nodes occur. [GH-1571]
  • transit: Add associated_data parameter to generate data key. [GH-1828]
  • website: Add an example of current role statement from Valkey. [GH-1811]
DEPRECATIONS
  • core/seal: Remove the undocumented "aead" seal mechanism. Consider switching to the static seal instead as a replacement. [GH-1910]
  • core: Removed FeatureFlags parsing and related code. [GH-2045]
  • sdk: Removed sdk/v2/helper/license package. [GH-2045]
  • ui: Removed internal/ui/feature-flags endpoint and all its usage. [GH-2045]
BUG FIXES
  • agent/auth: Fix token reissue error with kerberos method. [GH-2373]
  • auth/jwt: Fix ordering of variable declarations in CEL program roles. [GH-1854]
  • core/identity: Ensure periodic func only operates on a single namespace at a time, decreasing storage contention. [GH-2226]
  • core/identity: fix corrupt data being stored when referencing member_group_ids across namespaces (requires unsafe_cross_namespace_identity=true) [GH-2321]
  • core/namespaces: Ensure namespace creation is interruptible, allowing namespace deletion for cleanup. [GH-2226]
  • core/namespaces: Fix deadlock on namespace creation, deletion due to transaction/lock ordering. [GH-2226]
  • core/namespaces: Fix storage failures in namespace creation leading to a total system deadlock. [GH-2166]
  • core/namespaces: improve recovery from partial deletion of namespaces, preventing server startup failure. [GH-2188]
  • database/valkey: The creation_statements parameter now correctly accepts a standard array of strings for ACL rules (e.g., ["+@read", "~*"]). Previously, it incorrectly required a stringified JSON array. The old format is still supported for backward compatibility. [GH-1959]
  • helper/jobmanager: Fix queue length metrics to report as gauges. [GH-2226]
  • physical/postgresql: ensure underlying HA lock removal from database causes lock loss, write failures. [GH-2100]
  • raft: return correct raft leader id from read replica nodes when using bao operator raft list-peers. [GH-2331]
  • sdk/logical: Use created transaction for WithTransaction callback. [GH-2226]
  • secrets/pki: Fix ordering of variable declarations in CEL program roles. [GH-1854]
What's Changed over Beta

Release notes: https://openbao.org/docs/release-notes/2-5-0/#v250
Full Changelog: openbao/openbao@v2.4.0...v2.5.0


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

public-glueops-renovatebot bot force-pushed the renovate/openbao-openbao-2.5.x branch from 8adc826 to 5e34515 on March 31, 2026 05:27