Vault v1.12.0 Release Notes

  • October 13, 2022

    🔄 CHANGES:

    • 🔌 api: Exclusively use GET /sys/plugins/catalog endpoint for listing plugins, and add details field to list responses. [GH-17347]
    • 🗄 auth: GET /sys/auth/:name endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
    • 🗄 auth: GET /sys/auth endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
    • 🗄 auth: POST /sys/auth/:type endpoint response contains a warning for Deprecated auth methods. [GH-17058]
    • auth: auth enable returns an error and POST /sys/auth/:type endpoint reports an error for Pending Removal auth methods. [GH-17005]
    • 🔀 core/entities: Fixed stranding of aliases upon entity merge, and require explicit selection of which aliases should be kept when some must be deleted [GH-16539]
    • core: Bump Go version to 1.19.2.
    • core: Validate input parameters for vault operator init command. Vault 1.12 CLI version is needed to run operator init now. [GH-16379]
    • identity: a request to /identity/group that includes member_group_ids that contains a cycle will now be responded to with a 400 rather than 500 [GH-15912]
    • ⬆️ licensing (enterprise): Terminated licenses will no longer result in shutdown. Instead, upgrades will not be allowed if the license expiration time is before the build date of the binary.
    • 🔌 plugins: Add plugin version to auth register, list, and mount table [GH-16856]
    • 🔌 plugins: GET /sys/plugins/catalog/:type/:name endpoint contains deprecation status for builtin plugins. [GH-17077]
    • 🔌 plugins: GET /sys/plugins/catalog/:type/:name endpoint now returns an additional version field in the response data. [GH-16688]
    • 🔌 plugins: GET /sys/plugins/catalog/ endpoint contains deprecation status in detailed list. [GH-17077]
    • 🔌 plugins: GET /sys/plugins/catalog endpoint now returns an additional detailed field in the response data with a list of additional plugin metadata. [GH-16688]
    • 🔌 plugins: plugin info displays deprecation status for builtin plugins. [GH-17077]
    • 🔌 plugins: plugin list now accepts a -detailed flag, which displays deprecation status and version info. [GH-17077]
    • 🚚 secrets/azure: Removed deprecated AAD graph API support from the secrets engine. [GH-17180]
    • secrets: All database-specific (standalone DB) secrets engines are now marked Pending Removal. [GH-17038]
    • 🗄 secrets: GET /sys/mounts/:name endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
    • 🗄 secrets: GET /sys/mounts endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
    • 🗄 secrets: POST /sys/mounts/:type endpoint response contains a warning for Deprecated secrets engines. [GH-17058]
    • secrets: secrets enable returns an error and POST /sys/mount/:type endpoint reports an error for Pending Removal secrets engines. [GH-17005]

    🔋 FEATURES:

    • πŸ‘ GCP Cloud KMS support for managed keys: Managed keys now support using GCP Cloud KMS keys
    • LDAP Secrets Engine: Adds the ldap secrets engine with service account check-outΒ functionality for all supported schemas. [GH-17152]
    • OCSP Responder: PKI mounts now have an OCSP responder that implements a subset of RFC6960, answering single serial number OCSP requests for a specific cluster's revoked certificates in a mount. [GH-16723]
    • Redis DB Engine: Adding the new Redis database engine that supports the generation of static and dynamic user roles and root credential rotation on a stand-alone Redis server. [GH-17070]
    • 🔌 Redis ElastiCache DB Plugin: Added Redis ElastiCache as a built-in plugin. [GH-17075]
    • 🔌 Secrets/auth plugin multiplexing: manage multiple plugin configurations with a single plugin process [GH-14946]
    • Transform Key Import (BYOK): The transform secrets engine now supports importing keys for tokenization and FPE transformations
    • πŸ‘ HCP (enterprise): Adding foundational support for self-managed vault nodes to securely communicate with HashiCorp Cloud Platform as an opt-in feature
    • πŸ’» ui: UI support for Okta Number Challenge. [GH-15998]
    • πŸ”Œ Plugin Versioning: Vault supports registering, managing, and running plugins with semantic versions specified.

    👌 IMPROVEMENTS:

    • ✅ core/managed-keys (enterprise): Allow operators to specify PSS signatures and/or hash algorithm for the test/sign api
    • ✅ activity (enterprise): Added new clients unit tests to test accuracy of estimates
    • agent/auto-auth: Add exit_on_err which when set to true, will cause Agent to exit if any errors are encountered during authentication. [GH-17091]
    • agent: Added disable_idle_connections configuration to disable leaving idle connections open in auto-auth, caching and templating. [GH-15986]
    • agent: Added disable_keep_alives configuration to disable keep alives in auto-auth, caching and templating. [GH-16479]
    • agent: JWT auto auth now supports a remove_jwt_after_reading config option which defaults to true. [GH-11969]
    • agent: Send notifications to systemd on start and stop. [GH-9802]
    • api/mfa: Add namespace path to the MFA read/list endpoint [GH-16911]
    • api: Add a sentinel error for missing KV secrets [GH-16699]
    • auth/alicloud: Enables AliCloud roles to be compatible with Vault's role based quotas. [GH-17251]
    • 🔧 auth/approle: SecretIDs can now be generated with a per-request specified TTL and num_uses. When either the ttl or num_uses field is not specified, the role's configuration is used. [GH-14474]
    • 0️⃣ auth/aws: PKCS7 signatures will now use SHA256 by default in prep for Go 1.18 [GH-16455]
    • auth/azure: Enables Azure roles to be compatible with Vault's role based quotas. [GH-17194]
    • 📇 auth/cert: Add metadata to identity-alias [GH-14751]
    • auth/cert: Operators can now specify a CRL distribution point URL, in which case the cert auth engine will fetch and use the CRL from that location rather than needing to push CRLs directly to auth/cert. [GH-17136]
    • auth/cf: Enables CF roles to be compatible with Vault's role based quotas. [GH-17196]
    • πŸ‘ auth/gcp: Add support for GCE regional instance groups [GH-16435]
    • ⚑️ auth/gcp: Updates dependencies: google.golang.org/[email protected], github.com/hashicorp/[email protected]. [GH-17160]
    • πŸ‘ auth/jwt: Adds support for Microsoft US Gov L4 to the Azure provider for groups fetching. [GH-16525]
    • 🐧 auth/jwt: Improves detection of Windows Subsystem for Linux (WSL) for CLI-based logins. [GH-16525]
    • auth/kerberos: add add_group_aliases config to include LDAP groups in Vault group aliases [GH-16890]
    • auth/kerberos: add remove_instance_name parameter to the login CLI and the Kerberos config in Vault. This removes any instance names found in the keytab service principal name. [GH-16594]
    • 🔌 auth/kubernetes: Role resolution for K8S Auth [GH-156] [GH-17161]
    • 👍 auth/oci: Add support for role resolution. [GH-17212]
    • 📜 auth/oidc: Adds support for group membership parsing when using SecureAuth as an OIDC provider. [GH-16274]
    • ⚠ cli: CLI commands will print a warning if flags will be ignored because they are passed after positional arguments. [GH-16441]
    • 🗄 cli: auth and secrets list -detailed commands now show Deprecation Status for builtin plugins. [GH-16849]
    • 🔌 cli: vault plugin list now has a details field in JSON format, and version and type information in table format. [GH-17347]
    • command/audit: Improve missing type error message [GH-16409]
    • command/server: add -dev-tls and -dev-tls-cert-dir subcommands to create a Vault dev server with generated certificates and private key. [GH-16421]
    • command: Fix shell completion for KV v2 mounts [GH-16553]
    • πŸ‘ core (enterprise): Add HTTP PATCH support for namespaces with an associated namespace patch CLI command
    • πŸ”§ core (enterprise): Add check to vault server command to ensure configured storage backend is supported.
    • πŸ“‡ core (enterprise): Add custom metadata support for namespaces
    • πŸ”Š core/activity: generate hyperloglogs containing clientIds for each month during precomputation [GH-16146]
    • πŸ”¨ core/activity: refactor activity log api to reuse partial api functions in activity endpoint when current month is specified [GH-16162]
    • πŸ”Š core/activity: use monthly hyperloglogs to calculate new clients approximation for current month [GH-16184]
    • πŸ›  core/quotas (enterprise): Added ability to add path suffixes for lease-count resource quotas
    • core/quotas (enterprise): Added ability to add role information for lease-count resource quotas, to limit login requests on auth mounts made using that role
    • 🛠 core/quotas: Added ability to add path suffixes for rate-limit resource quotas [GH-15989]
    • core/quotas: Added ability to add role information for rate-limit resource quotas, to limit login requests on auth mounts made using that role [GH-16115]
    • ✅ core: Activity log goroutine management improvements to allow tests to be more deterministic. [GH-17028]
    • 🌲 core: Add sys/loggers and sys/loggers/:name endpoints to provide ability to modify logging verbosity [GH-16111]
    • πŸ‘ core: Handle and log deprecated builtin mounts. Introduces VAULT_ALLOW_PENDING_REMOVAL_MOUNTS to override shutdown and error when attempting to mount Pending Removal builtin plugins. [GH-17005]
    • 🌲 core: Limit activity log client count usage by namespaces [GH-16000]
    • ⬆️ core: Upgrade github.com/hashicorp/raft [GH-16609]
    • 🚚 core: remove gox [GH-16353]
    • 📄 docs: Clarify the behaviour of local mounts in the context of DR replication [GH-16218]
    • 👍 identity/oidc: Adds support for detailed listing of clients and providers. [GH-16567]
    • identity/oidc: Adds the client_secret_post token endpoint authentication method. [GH-16598]
    • identity/oidc: allows filtering the list providers response by an allowed_client_id [GH-16181]
    • identity: Prevent possibility of data races on entity creation. [GH-16487]
    • physical/postgresql: pass context to queries to propagate timeouts and cancellations on requests. [GH-15866]
    • 🔌 plugins/multiplexing: Added multiplexing support to database plugins if run as external plugins [GH-16995]
    • 🔌 plugins: Add Deprecation Status method to builtinregistry. [GH-16846]
    • 🔌 plugins: Added environment variable flag to opt-out specific plugins from multiplexing [GH-16972]
    • 🔌 plugins: Adding version to plugin GRPC interface [GH-17088]
    • 🔌 plugins: Plugin catalog supports registering and managing plugins with semantic version information. [GH-16688]
    • 🔀 replication (enterprise): Fix race in merkle sync that can prevent streaming by returning key value matching provided hash if found in log shipper buffer.
    • secret/nomad: allow reading CA and client auth certificate from /nomad/config/access [GH-15809]
    • πŸ‘ secret/pki: Add RSA PSS signature support for issuing certificates, signing CRLs [GH-16519]
    • secret/pki: Add signature_bits to sign-intermediate, sign-verbatim endpoints [GH-16124]
    • secret/pki: Allow issuing certificates with non-domain, non-email Common Names from roles, sign-verbatim, and as issuers (cn_validations). [GH-15996]
    • secret/pki: Allow specifying SKID for cross-signed issuance from older Vault versions. [GH-16494]
    • secret/transit: Allow importing Ed25519 keys from PKCS#8 with inner RFC 5915 ECPrivateKey blobs (NSS-wrapped keys). [GH-15742]
    • 0️⃣ secrets/ad: set config default length only if password_policy is missing [GH-16140]
    • secrets/azure: Adds option to permanently delete AzureAD objects created by Vault. [GH-17045]
    • secrets/database/hana: Add ability to customize dynamic usernames [GH-16631]
    • πŸ‘ secrets/database/snowflake: Add multiplexing support [GH-17159]
    • ⚑️ secrets/gcp: Updates dependencies: google.golang.org/[email protected], github.com/hashicorp/[email protected]. [GH-17174]
    • ⚑️ secrets/gcpkms: Update dependencies: google.golang.org/[email protected]. [GH-17199]
    • ⬆️ secrets/kubernetes: upgrade to v0.2.0 [GH-17164]
    • secrets/pki/tidy: Add another pair of metrics counting certificates not deleted by the tidy operation. [GH-16702]
    • secrets/pki: Add a new flag to issue/sign APIs which can filter out root CAs from the returned ca_chain field [GH-16935]
    • ⚠ secrets/pki: Add a warning to any successful response when the requested TTL is overwritten by MaxTTL [GH-17073]
    • secrets/pki: Add ability to cancel tidy operations, control tidy resource usage. [GH-16958]
    • secrets/pki: Add ability to periodically rebuild CRL before expiry [GH-16762]
    • 🚚 secrets/pki: Add ability to periodically run tidy operations to remove expired certificates. [GH-16900]
    • πŸ‘ secrets/pki: Add support for per-issuer Authority Information Access (AIA) URLs [GH-16563]
    • πŸ‘ secrets/pki: Add support to specify signature bits when generating CSRs through intermediate/generate apis [GH-17388]
    • secrets/pki: Added gauge metrics "secrets.pki.total_revoked_certificates_stored" and "secrets.pki.total_certificates_stored" to track the number of certificates in storage. [GH-16676]
    • secrets/pki: Allow revocation of certificates with explicitly provided certificate (bring your own certificate / BYOC). [GH-16564]
    • secrets/pki: Allow revocation via proving possession of certificate's private key [GH-16566]
    • 🐎 secrets/pki: Allow tidy to associate revoked certs with their issuers for OCSP performance [GH-16871]
    • secrets/pki: Honor If-Modified-Since header on CA, CRL fetch; requires passthrough_request_headers modification on the mount point. [GH-16249]
    • 0️⃣ secrets/pki: Improve stability of association of revoked cert with its parent issuer; when an issuer loses crl-signing usage, do not place certs on default issuer's CRL. [GH-16874]
    • πŸ— secrets/pki: Support generating delta CRLs for up-to-date CRLs when auto-building is enabled. [GH-16773]
    • secrets/ssh: Add allowed_domains_template to allow templating of allowed_domains. [GH-16056]
    • 0️⃣ secrets/ssh: Allow additional text along with a template definition in defaultExtension value fields. [GH-16018]
    • 0️⃣ secrets/ssh: Allow the use of Identity templates in the default_user field [GH-16351]
    • secrets/transit: Add a dedicated HMAC key type, which can be used with key import. [GH-16668]
    • secrets/transit: Added a parameter to encrypt/decrypt batch operations to allow the caller to override the HTTP response code in case of partial user-input failures. [GH-17118]
    • 🔧 secrets/transit: Allow configuring the possible salt lengths for RSA PSS signatures. [GH-16549]
    • ssh: Addition of an endpoint ssh/issue/:role to allow the creation of signed key pairs [GH-15561]
    • ⏱ storage/cassandra: tuning parameters for clustered environments connection_timeout, initial_connection_timeout, simple_retry_policy_retries. [GH-10467]
    • 📚 storage/gcs: Add documentation explaining how to configure the gcs backend using environment variables instead of options in the configuration stanza [GH-14455]
    • 💻 ui: Changed the tokenBoundCidrs tooltip content to clarify that comma separated values are not accepted in this field. [GH-15852]
    • 💻 ui: Prevents requests to /sys/internal/ui/resultant-acl endpoint when unauthenticated [GH-17139]
    • 🚚 ui: Removed deprecated version of core-js 2.6.11 [GH-15898]
    • 💻 ui: Renamed labels under Tools for wrap, lookup, rewrap and unwrap with description. [GH-16489]
    • 💻 ui: Replaces non-inclusive terms [GH-17116]
    • 💻 ui: redirect_to param forwards from auth route when authenticated [GH-16821]
    • 📚 website/docs: API generate-recovery-token documentation. [GH-16213]
    • 📚 website/docs: Add documentation around the expensiveness of making lots of lease count quotas in a short period [GH-16950]
    • 🚚 website/docs: Removes mentions of unauthenticated from internal ui resultant-acl doc [GH-17139]
    • ⚑️ website/docs: Update replication docs to mention Integrated Storage [GH-16063]
    • 📄 website/docs: changed to echo for all string examples instead of (<<<) here-string. [GH-9081]

    πŸ› BUG FIXES:

    • 📜 agent/template: Fix parsing error for the exec stanza [GH-16231]
    • 🔧 agent: Agent will now respect max_retries retry configuration even when caching is set. [GH-16970]
    • ⚑️ agent: Update consul-template for pkiCert bug fixes [GH-16087]
    • πŸ‘ api/sys/internal/specs/openapi: support a new "dynamic" query parameter to generate generic mountpaths [GH-15835]
    • ⚠ api: Fixed erroneous warnings of unrecognized parameters when unwrapping data. [GH-16794]
    • 💻 api: Fixed issue with internal/ui/mounts and internal/ui/mounts/(?P.+) endpoints where it was not properly handling /auth/ [GH-15552]
    • api: properly handle switching to/from unix domain socket when changing client address [GH-11904]
    • auth/cert: Vault does not initially load the CRLs in cert auth unless the read/write CRL endpoint is hit. [GH-17138]
    • auth/kerberos: Maintain headers set by the client [GH-16636]
    • βͺ auth/kubernetes: Restore support for JWT signature algorithm ES384 [GH-160] [GH-17161]
    • ⚠ auth/token: Fix ignored parameter warnings for valid parameters on token create [GH-16938]
    • 🔧 command/debug: fix bug where monitor was not honoring configured duration [GH-16834]
    • core (enterprise): Fix bug where wrapping token lookup does not work within namespaces. [GH-15583]
    • 📇 core (enterprise): Fix creation of duplicate entities via alias metadata changes on local auth mounts.
    • core/auth: Return a 403 instead of a 500 for a malformed SSCT [GH-16112]
    • core/identity: Replicate member_entity_ids and policies in identity/group across nodes identically [GH-16088]
    • 🚚 core/license (enterprise): Always remove stored license and allow unseal to complete when license cleanup fails
    • core/managed-keys (enterprise): fix panic when having cache_disable true
    • 🛠 core/quotas (enterprise): Fixed issue with improper counting of leases if lease count quota created after leases
    • core/quotas: Added globbing functionality on the end of path suffix quota paths [GH-16386]
    • core/quotas: Fix goroutine leak caused by the seal process not fully cleaning up Rate Limit Quotas. [GH-17281]
    • core/replication (enterprise): Don't flush merkle tree pages to disk after losing active duty
    • core/seal: Fix possible keyring truncation when using the file backend. [GH-15946]
    • 🔌 core: Fix panic when the plugin catalog returns neither a plugin nor an error. [GH-17204]
    • 📜 core: Fixes parsing boolean values for ha_storage backends in config [GH-15900]
    • core: Increase the allowed concurrent gRPC streams over the cluster port. [GH-16327]
    • core: Prevent two or more DR failovers from invalidating SSCT tokens generated on the previous primaries. [GH-16956]
    • database: Invalidate queue should cancel context first to avoid deadlock [GH-15933]
    • 🏁 debug: Fix panic when capturing debug bundle on Windows [GH-14399]
    • 🚚 debug: Remove extra empty lines from vault.log when debug command is run [GH-16714]
    • identity (enterprise): Fix a data race when creating an entity for a local alias.
    • πŸ‘ identity/oidc: Adds claims_supported to discovery document. [GH-16992]
    • identity/oidc: Change the state parameter of the Authorization Endpoint to optional. [GH-16599]
    • identity/oidc: Detect invalid redirect_uri values sooner in validation of the Authorization Endpoint. [GH-16601]
    • 🛠 identity/oidc: Fixes validation of the request and request_uri parameters. [GH-16600]
    • 🛠 openapi: Fixed issue where information about /auth/token endpoints was not present with explicit policy permissions [GH-15552]
    • 🔌 plugin/multiplexing: Fix panic when id doesn't exist in connection map [GH-16094]
    • 🔌 plugin/secrets/auth: Fix a bug with aliased backends such as aws-ec2 or generic [GH-16673]
    • 🔌 plugins: Corrected the path to check permissions on when the registered plugin name does not match the plugin binary's filename. [GH-17340]
    • quotas/lease-count: Fix lease-count quotas on mounts not properly being enforced when the lease generating request is a read [GH-15735]
    • replication (enterprise): Fix data race in SaveCheckpoint()
    • replication (enterprise): Fix data race in saveCheckpoint.
    • 🔀 replication (enterprise): Fix possible data race during merkle diff/sync
    • 0️⃣ secret/pki: Do not fail validation with a legacy key_bits default value and key_type=any when signing CSRs [GH-16246]
    • secrets/database: Fix a bug where the secret engine would queue up a lot of WAL deletes during startup. [GH-16686]
    • 🐎 secrets/gcp: Fixes duplicate static account key creation from performance secondary clusters. [GH-16534]
    • secrets/kv: Fix kv get issue preventing the ability to read a secret when providing a leading slash [GH-16443]
    • secrets/pki: Allow import of issuers without CRLSign KeyUsage; prohibit setting crl-signing usage on such issuers [GH-16865]
    • secrets/pki: Do not ignore provided signature bits value when signing intermediate and leaf certificates with a managed key [GH-17328]
    • secrets/pki: Do not read revoked certificates from backend when CRL is disabled [GH-17385]
    • secrets/pki: Fix migration to properly handle mounts that contain only keys, no certificates [GH-16813]
    • secrets/pki: Ignore EC PARAMETER PEM blocks during issuer import (/config/ca, /issuers/import/*, and /intermediate/set-signed) [GH-16721]
    • secrets/pki: LIST issuers endpoint is now unauthenticated. [GH-16830]
    • 🔧 secrets/transform (enterprise): Fix an issue loading tokenization transform configuration after a specific sequence of reconfigurations.
    • secrets/transform (enterprise): Fix persistence problem with tokenization store credentials.
    • storage/raft (enterprise): Fix some storage-modifying RPCs used by perf standbys that weren't returning the resulting WAL state.
    • storage/raft (enterprise): Prevent unauthenticated voter status change with rejoin [GH-16324]
    • storage/raft: Fix retry_join initialization failure [GH-16550]
    • storage/raft: Nodes no longer get demoted to nonvoter if we don't know their version due to missing heartbeats. [GH-17019]
    • 0️⃣ ui/keymgmt: Sets the defaultValue for type when creating a key. [GH-17407]
    • 💻 ui: Fix OIDC callback to accept namespace flag in different formats [GH-16886]
    • 💻 ui: Fix info tooltip submitting form [GH-16659]
    • 💻 ui: Fix issue logging in with JWT auth method [GH-16466]
    • 💻 ui: Fix lease force revoke action [GH-16930]
    • ui: Fix naming of permitted_dns_domains form parameter on CA creation (root generation and sign intermediate). [GH-16739]
    • 💻 ui: Fixed bug where red spellcheck underline appears in sensitive/secret kv values when it should not appear [GH-15681]
    • 💻 ui: Fixes secret version and status menu links transitioning to auth screen [GH-16983]
    • 💻 ui: OIDC login type uses localStorage instead of sessionStorage [GH-16170]
    • vault: Fix a bug where duplicate policies could be added to an identity group. [GH-15638]