Vault v1.13.0 Release Notes
Unreleased
CHANGES:
- auth/approle: Add a maximum length of 4096 for approle role_names, because the value is used in an HMAC calculation [GH-17768]
- auth: Return "invalid credentials" for ldap, userpass and approle when wrong credentials are provided for existing users. This is only used internally for implementing user lockout. [GH-17104]
- core: Bump Go version to 1.19.2.
- plugins: GET /database/config/:name endpoint now returns an additional plugin_version field in the response data. [GH-16982]
- plugins: GET /sys/auth/:path/tune and GET /sys/mounts/:path/tune endpoints may now return an additional plugin_version field in the response data if set. [GH-17167]
- plugins: GET for /sys/auth, /sys/auth/:path, /sys/mounts, and /sys/mounts/:path paths now return additional plugin_version, running_plugin_version and running_sha256 fields in the response data for each mount. [GH-17167]
- secrets/aws: do not create leases for non-renewable/non-revocable STS credentials to reduce storage calls [GH-15869]
- ui: Upgrade Ember to version 4.4.0 [GH-17086]
FEATURES:
- core: Add a user lockout field to the config, and allow configuring it per auth mount with auth tune, to prevent brute forcing of auth methods [GH-17338]
IMPROVEMENTS:
- Reduced binary size [GH-17678]
- agent: fix incorrectly used loop variables in parallel tests and when finalizing seals [GH-16872]
- api: Support VAULT_DISABLE_REDIRECTS environment variable (and --disable-redirects flag) to disable default client behavior and prevent the client following any redirection responses. [GH-17352]
- auth/azure: Adds support for authentication with Managed Service Identity (MSI) from a Virtual Machine Scale Set (VMSS) in flexible orchestration mode. [GH-17540]
- cli: Add support for creating requests to existing non-KVv2 PATCH-capable endpoints. [GH-17650]
- cli: Support the -format=raw option, to read non-JSON Vault endpoints and original response bodies. [GH-14945]
- core/identity: Add machine-readable output to body of response upon alias clash during entity merge [GH-17459]
- core: License location is no longer cache exempt, meaning sys/health will not contribute as greatly to storage load when using consul as a storage backend. [GH-17265]
- core: Update protoc from 3.21.5 to 3.21.7 [GH-17499]
- database/snowflake: Allow parallel requests to Snowflake [GH-17593]
- plugins: Add plugin version information to key plugin lifecycle log lines. [GH-17430]
- plugins: Allow selecting builtin plugins by their reported semantic version of the form vX.Y.Z+builtin or vX.Y.Z+builtin.vault. [GH-17289]
- sdk/ldap: Added support for paging when searching for groups using group filters [GH-17640]
- secrets/aws: Update dependencies [PR-17747] [GH-17747]
- secrets/kv: new KVv2 mounts and KVv1 mounts without any keys will upgrade synchronously, allowing for instant use [GH-17406]
- secrets/pki: Add a new API that returns the serial numbers of revoked certificates on the local cluster [GH-17779]
- secrets/pki: Add support to specify signature bits when generating CSRs through intermediate/generate apis [GH-17388]
- secrets/pki: Return new fields revocation_time_rfc3339 and issuer_id to existing certificate serial lookup api if it is revoked [GH-17774]
- secrets/ssh: Evaluate ssh validprincipals user template before splitting [GH-16622]
- secrets/transit: Add associated_data parameter for additional authenticated data in AEAD ciphers [GH-17638]
- secrets/transit: Add support for PKCSv1_5_NoOID RSA signatures [GH-17636]
- storage/raft: add additional raft metrics relating to applied index and heartbeating; also ensure OSS standbys emit periodic metrics. [GH-12166]
- sys/internal/inspect: Creates an endpoint for inspecting internal subsystems.
BUG FIXES:
- cli: Fix issue preventing kv commands from executing properly when the mount path provided by the -mount flag and the secret key path are the same. [GH-17679]
- cli: Remove empty table heading for vault secrets list -detailed output. [GH-17577]
- core/managed-keys (enterprise): Return better error messages when encountering key creation failures
- core/managed-keys (enterprise): Switch to using hash length as PSS salt length within the test/sign api for better PKCS#11 compatibility
- core/seal: Fix regression handling of the key_id parameter in seal configuration HCL. [GH-17612]
- core: Fix panic caused in Vault Agent when rendering certificate templates [GH-17419]
- core: Fix vault operator init command to show the right curl string with -output-curl-string and right policy hcl with -output-policy [GH-17514]
- core: Fixes spurious warnings being emitted relating to "unknown or unsupported fields" for JSON config [GH-17660]
- core: Refactor lock grabbing code to simplify stateLock deadlock investigations [GH-17187]
- core: fix GPG encryption to support subkeys. [GH-16224]
- core: fix a start up race condition where performance standbys could go into a mount loop if default policies are not yet synced from the active node. [GH-17801]
- core: fix race when using SystemView.ReplicationState outside of a request context [GH-17186]
- core: prevent memory leak when using control group factors in a policy [GH-17532]
- core: prevent panic during mfa after enforcement's namespace is deleted [GH-17562]
- login: Store token in tokenhelper for interactive login MFA [GH-17040]
- openapi: fix gen_openapi.sh script to correctly load vault plugins [GH-17752]
- plugins/kv: KV v2 returns 404 instead of 500 for request paths that incorrectly include a trailing slash. [GH-17339]
- plugins: Corrected the path to check permissions on when the registered plugin name does not match the plugin binary's filename. [GH-17340]
- secret/pki: fix bug with initial legacy bundle migration (from < 1.11 into 1.11+) and missing issuers from ca_chain [GH-17772]
- secrets/pki: Do not read revoked certificates from backend when CRL is disabled [GH-17385]
- secrets/pki: Fix upgrade of missing expiry, delta_rebuild_interval by setting them to the default. [GH-17693]
- secrets/pki: Fixes duplicate otherName in certificates created by the sign-verbatim endpoint. [GH-16700]
- secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [GH-17497]
- ui/keymgmt: Sets the defaultValue for type when creating a key. [GH-17407]
- ui: Fixes issue with not being able to download raft snapshot via service worker [GH-17769]
- ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [GH-17661]
- ui: Remove default value of 30 to TtlPicker2 if no value is passed in. [GH-17376]