v1.17.0

1.17.0

June 12, 2024

CHANGES:

• api: Upgrade from github.com/go-jose/go-jose/v3 v3.0.3 to github.com/go-jose/go-jose/v4 v4.0.1. [GH-26527]
• audit: breaking change - Vault now allows audit logs to contain 'correlation-id' and 'x-correlation-id' headers when they
  are present in the incoming request. By default they are not HMAC'ed (but can be configured to HMAC by Vault Operators). [GH-26777]
• auth/alicloud: Update plugin to v0.18.0 [GH-27133]
• auth/azure: Update plugin to v0.18.0 [GH-27146]
• auth/centrify: Remove the deprecated Centrify auth method plugin [GH-27130]
• auth/cf: Update plugin to v0.17.0 [GH-27161]
• auth/gcp: Update plugin to v0.18.0 [GH-27140]
• auth/jwt: Update plugin to v0.20.2 [GH-26291]
• auth/jwt: Update plugin to v0.20.3 [GH-26890]
• auth/kerberos: Update plugin to v0.12.0 [GH-27177]
• auth/kubernetes: Update plugin to v0.19.0 [GH-27186]
• auth/oci: Update plugin to v0.16.0 [GH-27142]
• core (enterprise): Seal High Availability (HA) must be enabled by enable_multiseal in configuration.
• core/identity: improve performance for secondary nodes receiving identity related updates through replication [GH-27184]
• core: Bump Go version to 1.22.4
• core: return an additional "invalid token" error message in 403 response when the provided request token is expired,
  exceeded the number of uses, or is a bogus value [GH-25953]
• database/couchbase: Update plugin to v0.11.0 [GH-27145]
• database/elasticsearch: Update plugin to v0.15.0 [GH-27136]
• database/mongodbatlas: Update plugin to v0.12.0 [GH-27143]
• database/redis-elasticache: Update plugin to v0.4.0 [GH-27139]
• database/redis: Update plugin to v0.3.0 [GH-27117]
• database/snowflake: Update plugin to v0.11.0 [GH-27132]
• sdk: String templates now have a maximum size of 100,000 characters. [GH-26110]
• secrets/ad: Update plugin to v0.18.0 [GH-27172]
• secrets/alicloud: Update plugin to v0.17.0 [GH-27134]
• secrets/azure: Update plugin to v0.17.1 [GH-26528]
• secrets/azure: Update plugin to v0.19.0 [GH-27141]
• secrets/gcp: Update plugin to v0.19.0 [GH-27164]
• secrets/gcpkms: Update plugin to v0.17.0 [GH-27163]
• secrets/keymgmt (enterprise): Removed namespace label on the vault.kmse.key.count metric.
• secrets/kmip (enterprise): Update plugin to v0.15.0
• secrets/kubernetes: Update plugin to v0.8.0 [GH-27187]
• secrets/kv: Update plugin to v0.18.0 [GH-26877]
• secrets/kv: Update plugin to v0.19.0 [GH-27159]
• secrets/mongodbatlas: Update plugin to v0.12.0 [GH-27149]
• secrets/openldap: Update plugin to v0.13.0 [GH-27137]
• secrets/pki: sign-intermediate API will truncate notAfter if calculated to go beyond the signing issuer's notAfter. Previously the notAfter was permitted to go beyond leading to invalid chains. [GH-26796]
• secrets/terraform: Update plugin to v0.8.0 [GH-27147]
• ui/kubernetes: Update the roles filter-input to use explicit search. [GH-27178]
• ui: Update dependencies including D3 libraries [GH-26346]
• ui: Upgrade Ember data from 4.11.3 to 4.12.4 [GH-25272]
• ui: Upgrade Ember to version 5.4 [GH-26708]
• ui: deleting a nested secret will no longer redirect you to the nearest path segment [GH-26845]
• ui: flash messages render on right side of page [GH-25459]

FEATURES:

• PKI Certificate Metadata (enterprise): Add Certificate Metadata Functionality to Record and Return Client Information about a Certificate.
• Adaptive Overload Protection (enterprise): Adds Adaptive Overload Protection
  for write requests as a Beta feature (disabled by default). This automatically
  prevents overloads caused by too many write requests while maintaining optimal
  throughput for the hardware configuration and workload.
• Audit Filtering (enterprise) : Audit devices support expression-based filter rules (powered by go-bexpr) to determine which entries are written to the audit log.
• LDAP Secrets engine hierarchical path support: Hierarchical path handling is now supported for role and set APIs. [GH-27203]
• Plugin Identity Tokens: Adds secret-less configuration of AWS auth engine using web identity federation. [GH-26507]
• Plugin Workload Identity (enterprise): Vault can generate identity tokens for plugins to use in workload identity federation auth flows.
• Transit AES-CMAC (enterprise): Added support to create and verify AES backed cipher-based message authentication codes

IMPROVEMENTS:

• activity (enterprise): Change minimum retention window in activity log to 48 months
• agent: Added a new config option, lease_renewal_threshold, that controls the refresh rate of non-renewable leases in Agent's template engine. [GH-25212]
• agent: Agent will re-trigger auto auth if token used for rendering templates has been revoked, has exceeded the number of uses, or is a bogus value. [GH-26172]
• api: Move CLI token helper functions to importable packages in api module. [GH-25744]
• audit: timestamps across multiple audit devices for an audit entry will now match. [GH-26088]
• auth/aws: Add inferred_hostname metadata for IAM AWS authentication method. [GH-25418]
• auth/aws: add canonical ARN as entity alias option [GH-22460]
• auth/aws: add support for external_ids in AWS assume-role [GH-26628]
• auth/cert: Adds support for TLS certificate authenticaion through a reverse proxy that terminates the SSL connection [GH-17272]
• cli: Add events subscriptions commands
• command/server: Removed environment variable requirement to generate pprof
  files using SIGUSR2. Added CPU profile support. [GH-25391]
• core (enterprise): persist seal rewrap status, so rewrap status API is consistent on secondary nodes.
• core/activity: Include ACME client metrics to precomputed queries [GH-26519]
• core/activity: Include ACME clients in activity log responses [GH-26020]
• core/activity: Include ACME clients in vault operator usage response [GH-26525]
• core/config: reload service registration configuration on SIGHUP [GH-17598]
• core: add deadlock detection in barrier and sealwrap
• license utilization reporting (enterprise): Add retention months to license utilization reports.
• proxy/cache (enterprise): Support new configuration parameter for static secret caching, static_secret_token_capability_refresh_behavior, to control the behavior when the capability refresh request receives an error from Vault.
• proxy: Proxy will re-trigger auto auth if the token used for requests has been revoked, has exceeded the number of uses,
  or is an otherwise invalid value. [GH-26307]
• raft/snapshotagent (enterprise): upgrade raft-snapshotagent to v0.0.0-20221104090112-13395acd02c5
• replication (enterprise): Add replication heartbeat metric to telemetry
• replication (enterprise): Periodically write current time on the primary to storage, use that downstream to measure replication lag in time, expose that in health and replication status endpoints. [GH-26406]
• sdk/decompression: DecompressWithCanary will now chunk the decompression in memory to prevent loading it all at once. [GH-26464]
• sdk/helper/testcluster: add some new helpers, improve some error mess...

v1.15.9+ent

1.15.9 Enterprise

May 30, 2024

This release is created to share the Vault Enterprise changelog and notify consumers of availability. The attached source and assets do not include Vault Enterprise code and should not be used in place of official Docker images or binaries.

CHANGES:

• auth/jwt: Update plugin to v0.17.3 [GH-27063]
• core: Bump Go version to 1.22.2.

IMPROVEMENTS:

• secrets/pki (enterprise): Disable warnings about unknown parameters to the various CIEPS endpoints
• website/docs: Add note about eventual consietency with the MongoDB Atlas database secrets engine [GH-24152]

BUG FIXES:

• activity (enterprise): fix read-only storage error on upgrades
• core: Address a data race updating a seal's last seen healthy time attribute [GH-27014]
• pki: Fix error in cross-signing using ed25519 keys [GH-27093]
• replication (enterprise): fix "given mount path is not in the same namespace as the request" error that can occur when enabling replication for the first time on a secondary cluster
• secrets/transit: Use 'hash_algorithm' parameter if present in HMAC verify requests. Otherwise fall back to deprecated 'algorithm' parameter. [GH-27211]
• ui: Fix KVv2 cursor jumping inside json editor after initial input. [GH-27120]

v1.14.13+ent

1.14.13 Enterprise

May 30, 2024

This release is created to share the Vault Enterprise changelog and notify consumers of availability. The attached source and assets do not include Vault Enterprise code and should not be used in place of official Docker images or binaries.

CHANGES:

• auth/jwt: Update plugin to v0.16.1 [GH-27122]
• core: Bump Go version to 1.22.2.

IMPROVEMENTS:

• website/docs: Add note about eventual consietency with the MongoDB Atlas database secrets engine [GH-24152]

BUG FIXES:

• activity (enterprise): fix read-only storage error on upgrades
• pki: Fix error in cross-signing using ed25519 keys [GH-27093]
• replication (enterprise): fix "given mount path is not in the same namespace as the request" error that can occur when enabling replication for the first time on a secondary cluster
• secrets/transit: Use 'hash_algorithm' parameter if present in HMAC verify requests. Otherwise fall back to deprecated 'algorithm' parameter. [GH-27211]

v1.16.3

1.16.3

May 30, 2024

CHANGES:

• auth/jwt: Update plugin to v0.20.3 [GH-26890]
• core/identity: improve performance for secondary nodes receiving identity related updates through replication [GH-27184]
• core: Bump Go version to 1.22.2.

IMPROVEMENTS:

• secrets/pki (enterprise): Disable warnings about unknown parameters to the various CIEPS endpoints
• ui: Update PGP display and show error for Generate Operation Token flow with PGP [GH-26993]

BUG FIXES:

• activity (enterprise): fix read-only storage error on upgrades
• auto-auth: Addressed issue where having no permissions to renew a renewable token caused auto-auth to attempt to renew constantly with no backoff [GH-26844]
• core (enterprise): Fix an issue that prevented the seal re-wrap status from reporting that a re-wrap is in progress for up to a second.
• core/audit: Audit logging a Vault request/response will now use a minimum 5 second context timeout.
  If the existing context deadline occurs later than 5s in the future, it will be used, otherwise a
  new context, separate from the original will be used. [GH-26616]
• core: Add missing field delegated_auth_accessors to GET /sys/mounts/:path API response [GH-26876]
• core: Address a data race updating a seal's last seen healthy time attribute [GH-27014]
• core: Fix redact_version listener parameter being ignored for some OpenAPI related endpoints. [GH-26607]
• events (enterprise): Fix bug preventing subscribing and receiving events within a namepace.
• pki: Fix error in cross-signing using ed25519 keys [GH-27093]
• replication (enterprise): fix "given mount path is not in the same namespace as the request" error that can occur when enabling replication for the first time on a secondary cluster
• secrets-sync (enterprise): Secondary nodes in a cluster now properly check activation-flags values.
• secrets/azure: Update vault-plugin-secrets-azure to 0.17.2 to include a bug fix for azure role creation [GH-26896]
• secrets/pki (enterprise): cert_role parameter within authenticators.cert EST configuration handler could not be set
• secrets/transit: Use 'hash_algorithm' parameter if present in HMAC verify requests. Otherwise fall back to deprecated 'algorithm' parameter. [GH-27211]
• ui: Fix KVv2 cursor jumping inside json editor after initial input. [GH-27120]
• ui: Fix KVv2 json editor to allow null values. [GH-27094]
• ui: Fix broken help link in console for the web command. [GH-26858]
• ui: Fix link to v2 generic secrets engine from secrets list page. [GH-27019]
• ui: Prevent perpetual loading screen when Vault needs initialization [GH-26985]
• ui: Refresh model within a namespace on the Secrets Sync overview page. [GH-26790]

v1.17.0-rc1

[VAULT-27613] This is an automated pull request to build all artifact…

…s for a release (#27253)

v1.15.8+ent

1.15.8 Enterprise

April 24, 2024

This release is created to share the Vault Enterprise changelog and notify consumers of availability. The attached source and assets do not include Vault Enterprise code and should not be used in place of official Docker images or binaries.

CHANGES:

• core: Bump Go version to 1.21.9.
• ui: Update dependencies including D3 libraries [GH-26346]

IMPROVEMENTS:

• activity (enterprise): Change minimum retention window in activity log to 48 months
• core: make the best effort timeout for encryption count tracking persistence configurable via an environment variable. [GH-25636]
• license utilization reporting (enterprise): Add retention months to license utilization reports.
• sdk/decompression: DecompressWithCanary will now chunk the decompression in memory to prevent loading it all at once. [GH-26464]
• ui: show banner instead of permission denied error when batch token is expired [GH-26396]

BUG FIXES:

• core (enterprise): fix bug where raft followers disagree with the seal type after returning to one seal from two. [GH-26523]
• secrets/pki: fixed validation bug which rejected ldap schemed URLs in crl_distribution_points. [GH-26477]
• storage/raft (enterprise): Fix a bug where autopilot automated upgrades could fail due to using the wrong upgrade version
• ui: fixed a bug where the replication pages did not update display when navigating between DR and performance [GH-26325]

v1.15.7+ent

1.15.7 Enterprise

March 28, 2024

This release is created to share the Vault Enterprise changelog and notify consumers of availability. The attached source and assets do not include Vault Enterprise code and should not be used in place of official Docker images or binaries.

SECURITY:

• auth/cert: validate OCSP response was signed by the expected issuer and serial number matched request [GH-26091]

IMPROVEMENTS:

• auth/cert: Allow validation with OCSP responses with no NextUpdate time [GH-25912]
• core (enterprise): Avoid seal rewrapping in some specific unnecessary cases.
• core (enterprise): persist seal rewrap status, so rewrap status API is consistent on secondary nodes.
• ui: remove leading slash from KV version 2 secret paths [GH-25874]

BUG FIXES:

• audit: Operator changes to configured audit headers (via /sys/config/auditing)
  will now force invalidation and be reloaded from storage when data is replicated
  to other nodes.
• auth/cert: Address an issue in which OCSP query responses were not cached [GH-25986]
• auth/cert: Allow cert auth login attempts if ocsp_fail_open is true and OCSP servers are unreachable [GH-25982]
• cli: fixes plugin register CLI failure to error when plugin image doesn't exist [GH-24990]
• core (enterprise): fix issue where the Seal HA rewrap system may remain running when an active node steps down.
• core/login: Fixed a potential deadlock when a login fails and user lockout is enabled. [GH-25697]
• replication (enterprise): fixed data integrity issue with the processing of identity aliases causing duplicates to occur in rare cases
• ui: Fix kubernetes auth method roles tab [GH-25999]
• ui: call resultant-acl without namespace header when user mounted at root namespace [GH-25766]

v1.14.12+ent

1.14.12 Enterprise

April 24, 2024

This release is created to share the Vault Enterprise changelog and notify consumers of availability. The attached source and assets do not include Vault Enterprise code and should not be used in place of official Docker images or binaries.

CHANGES:

• core: Bump Go version to 1.21.9.
• ui: Update dependencies including D3 libraries [GH-26346]

IMPROVEMENTS:

• activity (enterprise): Change minimum retention window in activity log to 48 months
• core: make the best effort timeout for encryption count tracking persistence configurable via an environment variable. [GH-25636]
• license utilization reporting (enterprise): Add retention months to license utilization reports.
• sdk/decompression: DecompressWithCanary will now chunk the decompression in memory to prevent loading it all at once. [GH-26464]
• ui: show banner instead of permission denied error when batch token is expired [GH-26396]

BUG FIXES:

• secrets/pki: fixed validation bug which rejected ldap schemed URLs in crl_distribution_points. [GH-26477]
• storage/raft (enterprise): Fix a bug where autopilot automated upgrades could fail due to using the wrong upgrade version

v1.14.11+ent

1.14.11 Enterprise

March 28, 2024

This release is created to share the Vault Enterprise changelog and notify consumers of availability. The attached source and assets do not include Vault Enterprise code and should not be used in place of official Docker images or binaries.

SECURITY:

• auth/cert: validate OCSP response was signed by the expected issuer and serial number matched request [GH-26091]

CHANGES:

• core: Bump Go version to 1.21.8.

IMPROVEMENTS:

• auth/cert: Allow validation with OCSP responses with no NextUpdate time [GH-25912]
• openapi: Fix generated types for duration strings [GH-20841]
• raft/snapshotagent (enterprise): upgrade raft-snapshotagent to v0.0.0-20221104090112-13395acd02c5

BUG FIXES:

• auth/cert: Address an issue in which OCSP query responses were not cached [GH-25986]
• auth/cert: Allow cert auth login attempts if ocsp_fail_open is true and OCSP servers are unreachable [GH-25982]
• core/login: Fixed a potential deadlock when a login fails and user lockout is enabled. [GH-25697]
• openapi: Fixing response fields for rekey operations [GH-25509]
• ui: Fix kubernetes auth method roles tab [GH-25999]

v1.16.2

[VAULT-26312] This is an automated pull request to build all artifact…

…s for a release (#26587)