Vault v1.13.0 Release Notes

  • Unreleased

    CHANGES:

    • auth/approle: Add a maximum length of 4096 for approle role_names, because the role name feeds into an HMAC calculation [GH-17768]
    • auth: Return "invalid credentials" for ldap, userpass and approle when wrong credentials are provided for existing users. This is only used internally to implement user lockout. [GH-17104]
    • core: Bump Go version to 1.19.2.
    • plugins: GET /database/config/:name endpoint now returns an additional plugin_version field in the response data. [GH-16982]
    • plugins: GET /sys/auth/:path/tune and GET /sys/mounts/:path/tune endpoints may now return an additional plugin_version field in the response data if set. [GH-17167]
    • plugins: GET for /sys/auth, /sys/auth/:path, /sys/mounts, and /sys/mounts/:path paths now return additional plugin_version, running_plugin_version and running_sha256 fields in the response data for each mount. [GH-17167]
    • secrets/aws: do not create leases for non-renewable/non-revocable STS credentials to reduce storage calls [GH-15869]
    • ui: Upgrade Ember to version 4.4.0 [GH-17086]

    FEATURES:

    • core: Add a user lockout field to the config, configurable per auth mount via auth tune, to prevent brute forcing of auth methods [GH-17338]

    IMPROVEMENTS:

    • Reduced binary size [GH-17678]
    • agent: fix incorrectly used loop variables in parallel tests and when finalizing seals [GH-16872]
    • api: Support VAULT_DISABLE_REDIRECTS environment variable (and --disable-redirects flag) to disable default client behavior and prevent the client following any redirection responses. [GH-17352]
    • auth/azure: Adds support for authentication with Managed Service Identity (MSI) from a Virtual Machine Scale Set (VMSS) in flexible orchestration mode. [GH-17540]
    • cli: Add support for creating requests to existing non-KVv2 PATCH-capable endpoints. [GH-17650]
    • cli: Support the -format=raw option, to read non-JSON Vault endpoints and original response bodies. [GH-14945]
    • core/identity: Add machine-readable output to body of response upon alias clash during entity merge [GH-17459]
    • core: License location is no longer cache exempt, meaning sys/health will not contribute as greatly to storage load when using consul as a storage backend. [GH-17265]
    • core: Update protoc from 3.21.5 to 3.21.7 [GH-17499]
    • database/snowflake: Allow parallel requests to Snowflake [GH-17593]
    • plugins: Add plugin version information to key plugin lifecycle log lines. [GH-17430]
    • plugins: Allow selecting builtin plugins by their reported semantic version of the form vX.Y.Z+builtin or vX.Y.Z+builtin.vault. [GH-17289]
    • sdk/ldap: Added support for paging when searching for groups using group filters [GH-17640]
    • secrets/aws: Update dependencies [PR-17747] [GH-17747]
    • secrets/kv: new KVv2 mounts and KVv1 mounts without any keys will upgrade synchronously, allowing for instant use [GH-17406]
    • secrets/pki: Add a new API that returns the serial numbers of revoked certificates on the local cluster [GH-17779]
    • secrets/pki: Add support to specify signature bits when generating CSRs through intermediate/generate apis [GH-17388]
    • secrets/pki: Return new fields revocation_time_rfc3339 and issuer_id to existing certificate serial lookup api if it is revoked [GH-17774]
    • secrets/ssh: Evaluate ssh validprincipals user template before splitting [GH-16622]
    • secrets/transit: Add associated_data parameter for additional authenticated data in AEAD ciphers [GH-17638]
    • secrets/transit: Add support for PKCSv1_5_NoOID RSA signatures [GH-17636]
    • storage/raft: add additional raft metrics relating to applied index and heartbeating; also ensure OSS standbys emit periodic metrics. [GH-12166]
    • sys/internal/inspect: Creates an endpoint to inspect internal subsystems.

    ๐Ÿ› BUG FIXES:

    • cli: Fix issue preventing kv commands from executing properly when the mount path provided by -mount flag and secret key path are the same. [GH-17679]
    • ๐Ÿšš cli: Remove empty table heading for vault secrets list -detailed output. [GH-17577]
    • ๐Ÿ‘ core/managed-keys (enterprise): Return better error messages when encountering key creation failures
    • โœ… core/managed-keys (enterprise): Switch to using hash length as PSS Salt length within the test/sign api for better PKCS#11 compatibility
    • ๐Ÿ”ง core/seal: Fix regression handling of the key_id parameter in seal configuration HCL. [GH-17612]
    • core: Fix panic caused in Vault Agent when rendering certificate templates [GH-17419]
    • core: Fix vault operator init command to show the right curl string with -output-curl-string and right policy hcl with -output-policy [GH-17514]
    • โš  core: Fixes spurious warnings being emitted relating to "unknown or unsupported fields" for JSON config [GH-17660]
    • ๐Ÿ”จ core: Refactor lock grabbing code to simplify stateLock deadlock investigations [GH-17187]
    • ๐Ÿ‘ core: fix GPG encryption to support subkeys. [GH-16224]
    • ๐ŸŽ core: fix a start up race condition where performance standbys could go into a ๐Ÿ”€ mount loop if default policies are not yet synced from the active node. [GH-17801]
    • core: fix race when using SystemView.ReplicationState outside of a request context [GH-17186]
    • core: prevent memory leak when using control group factors in a policy [GH-17532]
    • core: prevent panic during mfa after enforcement's namespace is deleted [GH-17562]
    • login: Store token in tokenhelper for interactive login MFA [GH-17040]
    • ๐Ÿ”Œ openapi: fix gen_openapi.sh script to correctly load vault plugins [GH-17752]
    • ๐Ÿ”Œ plugins/kv: KV v2 returns 404 instead of 500 for request paths that incorrectly include a trailing slash. [GH-17339]
    • ๐Ÿ”Œ plugins: Corrected the path to check permissions on when the registered plugin name does not match the plugin binary's filename. [GH-17340]
    • secret/pki: fix bug with initial legacy bundle migration (from < 1.11 into 1.11+) and missing issuers from ca_chain [GH-17772]
    • secrets/pki: Do not read revoked certificates from backend when CRL is disabled [GH-17385]
    • secrets/pki: Fix upgrade of missing expiry, delta_rebuild_interval by setting them to the default. [GH-17693]
    • ๐Ÿ›  secrets/pki: Fixes duplicate otherName in certificates created by the sign-verbatim endpoint. [GH-16700]
    • secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [GH-17497]
    • 0๏ธโƒฃ ui/keymgmt: Sets the defaultValue for type when creating a key. [GH-17407]
    • ๐Ÿ‘ท ui: Fixes issue with not being able to download raft snapshot via service worker [GH-17769]
    • ๐Ÿ’ป ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [GH-17661]
    • ๐Ÿšš ui: Remove default value of 30 to TtlPicker2 if no value is passed in. [GH-17376]