Vault v1.5.0 Release Notes
-
July 21st, 2020
CHANGES:
- audit: Token TTL and issue time are now provided in the auth portion of audit logs. [GH-9091]
- auth/gcp: Changes the default name of the entity alias that gets created to be the role ID for both IAM and GCE authentication. [GH-99]
- core: Remove the addition of newlines to parsed configuration when using integer/boolean values [GH-8928]
- cubbyhole: Reject reads and writes to an empty ("") path. [GH-8971]
- secrets/azure: Default password generation changed from uuid to cryptographically secure randomized string [GH-40]
- storage/gcs: The `credentials_file` config option has been removed. The `GOOGLE_APPLICATION_CREDENTIALS` environment variable or default credentials may be used instead. [GH-9424]
- storage/raft: The storage configuration now accepts a new `max_entry_size` option that limits the total size in bytes of any entry committed via Raft. It defaults to `"1048576"` (1 MiB). [GH-9027]
- token: Token creation with a custom token ID via `id` will no longer allow periods (`.`) as part of the input string. The final generated token value may still contain periods, such as the `s.` prefix that marks a service token. [GH-8646]
- token: Token renewals will now return token policies within `token_policies`, identity policies within `identity_policies`, and the full policy set within `policies`. [GH-8535]
- go: Updated Go version to 1.14.4
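The audit change above (token TTL and issue time in the auth portion of each entry, with a mount_type field added to requests and responses under IMPROVEMENTS) makes it possible to spot risky token issuance straight from the audit stream. The following is an added example, not code from the Vault project: a small Python detector run over constructed audit lines. It assumes the JSON key names `token_ttl`, `token_issue_time` and `mount_type`, and that for `auth/token/create` the newly issued token is reported under `response.auth` while the top-level `auth` block describes the caller.

```python
"""Flag risky token activity in Vault JSON audit log lines.

Added example, not code from the Vault project. Key names token_ttl,
token_issue_time and mount_type are assumed from the release notes; the
sample lines below are constructed, not captured from a server.
"""
import json
from datetime import datetime, timedelta

MAX_TTL_SECONDS = 24 * 3600  # issued tokens living longer than a day get flagged


def _auth(name, policies, ttl, issued):
    """Constructed auth block; Vault HMACs token values, hence the prefix."""
    return {"client_token": "hmac-sha256:" + name, "display_name": name,
            "policies": policies, "token_type": "service",
            "token_ttl": ttl, "token_issue_time": issued}


def _entry(kind, path, mount_type, auth=None, response_auth=None):
    """Constructed audit entry shaped like the JSON audit device output."""
    e = {"type": kind, "time": "2020-07-21T10:00:00Z",
         "request": {"path": path, "mount_type": mount_type, "operation": "update"}}
    if auth:
        e["auth"] = auth
    if response_auth:
        e["response"] = {"auth": response_auth}
    return json.dumps(e)


SAMPLE_LINES = [
    _entry("request", "auth/approle/login", "approle"),
    _entry("response", "auth/approle/login", "approle",
           _auth("approle", ["default", "app-read"], 3600, "2020-07-21T10:00:00Z")),
    _entry("response", "auth/userpass/login/alice", "userpass",
           _auth("userpass-alice", ["default", "admin"], 0, "2020-07-21T10:05:00Z")),
    _entry("response", "secret/data/prod/db", "kv",
           _auth("root", ["root"], 0, "2020-07-20T09:00:00Z")),
    _entry("response", "auth/token/create", "token",
           _auth("token", ["default", "ops"], 3600, "2020-07-21T09:30:00Z"),
           _auth("token-batch-job", ["default", "ops"], 30 * 24 * 3600, "2020-07-21T10:09:00Z")),
    "{not json",
]


def parse_rfc3339(ts):
    """Parse an RFC3339 timestamp as Vault emits it (optional nanoseconds, Z suffix)."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    if "." in ts:
        head, rest = ts.split(".", 1)
        frac, tz = rest[:-6], rest[-6:]  # fromisoformat accepts at most 6 fractional digits
        ts = f"{head}.{frac[:6].ljust(6, '0')}{tz}"
    return datetime.fromisoformat(ts)


def is_issuance(path):
    """Paths that hand out a new token: any auth method's login endpoint or
    the token method's create endpoints."""
    return (path.startswith("auth/") and "/login" in path) or path.startswith("auth/token/create")


def analyze(lines, max_ttl=MAX_TTL_SECONDS):
    """Return one finding dict per suspicious (or unparseable) audit line."""
    findings = []
    for raw in lines:
        try:
            entry = json.loads(raw)
        except ValueError:
            findings.append({"path": None, "mount_type": None, "display_name": None,
                             "expires": None, "reasons": ["unparseable audit line"]})
            continue
        if entry.get("type") != "response":
            continue  # request entries precede the result; work from responses only
        req = entry.get("request") or {}
        path = req.get("path", "")
        caller = entry.get("auth") or {}
        subject, reasons, expires = caller, [], None

        # Any request made with a root token is notable whatever the path.
        if "root" in (caller.get("policies") or []):
            reasons.append("request made with root token")

        # For issuance paths inspect the issued token: for logins it is the top-level
        # auth block; for auth/token/create the caller is there and the new token is
        # assumed to sit under response.auth.
        if is_issuance(path):
            subject = (entry.get("response") or {}).get("auth") or caller
            ttl = subject.get("token_ttl")
            if ttl == 0:
                reasons.append("issued token never expires (token_ttl=0)")
            elif ttl is not None and ttl > max_ttl:
                reasons.append(f"issued token_ttl {ttl}s exceeds {max_ttl}s")
            if ttl and subject.get("token_issue_time"):
                expires = (parse_rfc3339(subject["token_issue_time"])
                           + timedelta(seconds=ttl)).isoformat()

        if reasons:
            findings.append({"path": path, "mount_type": req.get("mount_type"),
                             "display_name": subject.get("display_name"),
                             "expires": expires, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LINES):
        print(f"{f['path']} [{f['mount_type']}] {f['display_name']}: {'; '.join(f['reasons'])}")
```

On a real device the same function takes the open file (`analyze(open("/var/log/vault/audit.log"))`). Because the audit device HMACs token and accessor values, pivot on display_name, path and mount_type rather than on the token itself, and treat a pre-1.5 entry without `token_ttl` as unknown rather than safe.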
FEATURES:
- Monitoring: We have released a Splunk App for Enterprise customers. The app is accompanied by an updated monitoring guide and a few new metrics to enable OSS users to effectively monitor Vault.
- Password Policies: Allows operators to customize how passwords are generated for select secret engines (OpenLDAP, Active Directory, Azure, and RabbitMQ).
- Replication UI Improvements: We have redesigned the replication UI to highlight the state and relationship between primaries and secondaries and improved management workflows, enabling a more holistic understanding of multiple Vault clusters.
- Resource Quotas: As of 1.5, Vault supports specifying a quota to rate limit requests on OSS and Enterprise. Enterprise customers also have access to set quotas on the number of leases that can be generated on a path.
- OpenShift Support: We have updated the Helm charts to allow users to install Vault onto their OpenShift clusters.
- Seal Migration: We have made updates to allow migrations from auto unseal to Shamir unseal on Enterprise.
- AWS Auth Web Identity Support: We've added support for AWS Web Identities, which will be used in the credentials chain if present.
- Vault Monitor: Similar to the monitor command for Consul and Nomad, we have added the ability for Vault to stream logs from other Vault servers at varying log levels.
- AWS Secrets Groups Support: IAM users generated by Vault may now be added to IAM Groups.
- Integrated Storage as HA Storage: In Vault 1.5, it is possible to use Integrated Storage as the HA storage while a different storage backend serves as the regular storage.
- OIDC Auth Provider Extensions: We've added support to OIDC Auth to incorporate IdP-specific extensions. Currently this includes expanded Azure AD groups support.
- GCP Secrets: Support BigQuery dataset ACLs in absence of IAM endpoints.
- KMIP: Add support for signing client certificates requests (CSRs) rather than having them be generated entirely within Vault.
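Password Policies (listed above, and again under IMPROVEMENTS as GH-8637) are written in HCL as a total `length` plus `rule "charset"` blocks, each naming a `charset` and a `min-chars` count. The block below is an added example, not Vault's implementation: it parses that subset of the syntax, generates a conforming password by rejection sampling with Python's `secrets` module, and checks candidates against the rules. The policy text is constructed. It also shows why the Azure change under CHANGES matters: a UUID-formatted string fails a policy of this shape on both length and character classes.

```python
"""Generate and check passwords against a Vault-style password policy.

Added example, not Vault's code. It implements the documented policy
semantics (a total length plus charset rules with min-chars) with a
minimal parser for that subset; real policies are stored in Vault under
sys/policies/password/<name> and applied by the supporting secret engines.
"""
import re
import secrets

# Constructed policy text in Vault's password policy HCL syntax. The parser
# below does not handle escaped quotes or backslashes inside charset strings.
EXAMPLE_POLICY = '''
length = 20

rule "charset" {
  charset = "abcdefghijklmnopqrstuvwxyz"
  min-chars = 1
}
rule "charset" {
  charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
  min-chars = 1
}
rule "charset" {
  charset = "0123456789"
  min-chars = 1
}
rule "charset" {
  charset = "!@#$%^&*"
  min-chars = 1
}
'''

_LENGTH_RE = re.compile(r'^\s*length\s*=\s*(\d+)\s*$', re.M)
_RULE_RE = re.compile(r'rule\s+"charset"\s*\{(.*?)\}', re.S)
_CHARSET_RE = re.compile(r'charset\s*=\s*"([^"]*)"')
_MIN_RE = re.compile(r'min-chars\s*=\s*(\d+)')


def parse_policy(text):
    """Return (length, [(charset, min_chars), ...]) or raise ValueError."""
    m = _LENGTH_RE.search(text)
    if not m:
        raise ValueError("policy must set length")
    length = int(m.group(1))
    rules = []
    for body in _RULE_RE.findall(text):
        cs = _CHARSET_RE.search(body)
        if not cs or not cs.group(1):
            raise ValueError("charset rule needs a non-empty charset")
        mn = _MIN_RE.search(body)
        rules.append((cs.group(1), int(mn.group(1)) if mn else 0))
    if not rules:
        raise ValueError("policy needs at least one charset rule")
    # An unsatisfiable policy is a configuration error, not a generation failure.
    if sum(mn for _, mn in rules) > length:
        raise ValueError("min-chars requirements exceed length")
    return length, rules


def check_password(password, policy):
    """True if password has the exact length, uses only allowed characters,
    and meets every rule's min-chars."""
    length, rules = policy
    if len(password) != length:
        return False
    allowed = set().union(*(set(cs) for cs, _ in rules))
    if any(ch not in allowed for ch in password):
        return False
    return all(sum(ch in cs for ch in password) >= mn for cs, mn in rules)


def generate_password(policy, max_attempts=1000):
    """Rejection sampling: draw uniformly from the union of charsets with a
    CSPRNG and keep the first candidate that satisfies all rules."""
    length, rules = policy
    alphabet = "".join(sorted(set("".join(cs for cs, _ in rules))))
    for _ in range(max_attempts):
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if check_password(candidate, policy):
            return candidate
    raise RuntimeError("could not satisfy policy; loosen min-chars or raise max_attempts")


if __name__ == "__main__":
    policy = parse_policy(EXAMPLE_POLICY)
    print(generate_password(policy))
```

Rejection sampling keeps the distribution uniform over the set of conforming passwords, which a "pick one from each class, then fill" scheme does not; the attempt cap guards against a policy whose min-chars leave almost no slack.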
IMPROVEMENTS:
- audit: Replication status requests are no longer audited. [GH-8877]
- audit: Added mount_type field to requests and responses. [GH-9167]
- auth/aws: Add support for Web Identity credentials [GH-7738]
- auth/jwt: Support users that are members of more than 200 groups on Azure [GH-120]
- auth/kerberos: Support identities without userPrincipalName [GH-44]
- auth/kubernetes: Allow disabling `iss` validation [GH-91]
- auth/kubernetes: Try reading the ca.crt and TokenReviewer JWT from the default service account [GH-83]
- cli: Support reading TLS parameters from file for the `vault operator raft join` command. [GH-9060]
- cli: Add a new subcommand, `vault monitor`, for tailing server logs in the console. [GH-8477]
- core: Add the Go version used to build a Vault binary to the server message output. [GH-9078]
- core: Added Password Policies for user-configurable password generation [GH-8637]
- core: New telemetry metrics covering token counts, token creation, KV secret counts, lease creation. [GH-9239] [GH-9250] [GH-9244] [GH-9052]
- physical/gcs: The storage backend now uses a dedicated client for HA lock updates to prevent lock table update failures when flooded by other client requests. [GH-9424]
- physical/spanner: The storage backend now uses a dedicated client for HA lock updates to prevent lock table update failures when flooded by other client requests. [GH-9423]
- plugin: Add SDK method, `Sys.ReloadPlugin`, and CLI command, `vault plugin reload`, for reloading plugins. [GH-8777]
- plugin (enterprise): Add a scope field to plugin reload, which when global, reloads the plugin anywhere in a cluster. [GH-9347]
- sdk/framework: Support accepting TypeFloat parameters over the API [GH-8923]
- secrets/aws: Add iam_groups parameter to role create/update [GH-8811]
- secrets/database: Add static role rotation for MongoDB Atlas database plugin [GH-11]
- secrets/database: Add static role rotation for MSSQL database plugin [GH-9062]
- secrets/database: Allow InfluxDB to use insecure TLS without cert bundle [GH-8778]
- secrets/gcp: Support BigQuery dataset ACLs in absence of IAM endpoints [GH-78]
- secrets/pki: Allow 3072-bit RSA keys [GH-8343]
- secrets/ssh: Add a CA-mode role option to specify signing algorithm [GH-9096]
- secrets/ssh: The Vault SSH Helper can now be configured to reference a mount in a namespace [GH-44]
- secrets/transit: Transit requests that make use of keys now include a new field `key_version` in their responses [GH-9100]
- secrets/transit: Improve transit batch encrypt and decrypt latencies [GH-8775]
- sentinel: Add a sentinel config section, and "additional_enabled_modules", a list of Sentinel modules that may be imported in addition to the defaults.
- ui: Update TTL picker styling on SSH secret engine [GH-8891]
- ui: Only render the JWT input field of the Vault login form on mounts configured for JWT auth [GH-8952]
- ui: Add replication dashboards. Improve replication management workflows. [GH-8705]
- ui: Update alert banners to match design system's black text. [GH-9463]
BUG FIXES:
- auth/oci: Fix issue where users of the Oracle Cloud Infrastructure (OCI) auth method could not authenticate when the plugin backend was mounted at a non-default path. [GH-7]
- core: Extend replicated cubbyhole fix in 1.4.0 to cover case where a performance primary is also a DR primary [GH-9148]
- replication (enterprise): Use the PrimaryClusterAddr if it's been set
- seal/awskms: fix AWS KMS auto-unseal when AWS_ROLE_SESSION_NAME not set [GH-9416]
- sentinel: fix panic due to concurrent map access when rules iterate over metadata maps
- secrets/aws: Fix issue where performance standbys weren't able to generate STS credentials after an IAM access key rotation in AWS and root IAM credential update in Vault [GH-9186]
- secrets/database: Fix issue where rotating root database credentials while Vault's storage backend is unavailable causes Vault to lose access to the database [GH-8782]
- secrets/database: Fix issue that prevents performance standbys from connecting to databases after a root credential rotation [GH-9129]
- secrets/database: Fix parsing of multi-line PostgreSQL statements [GH-8512]
- secrets/gcp: Fix issue where updates were not being applied to the `token_scopes` of a roleset. [GH-90]
- secrets/kv: Return the value of delete_version_after when reading kv/config, even if it is set to the default. [GH-42]
- ui: Add Toggle component into core addon so it is available in KMIP and other Ember Engines. [GH-8913]
- ui: Disallow max versions values larger than 9999999999999999 on the kv2 secrets engine. [GH-9242]
- ui: Add and upgrade missing dependencies to resolve a failure with `make static-dist`. [GH-9277]