v1.11.0
1.11.0
Unreleased
CHANGES:
- auth/aws: Add RoleSession to DisplayName when using assumeRole for authentication [GH-14954]
- auth: Remove support for legacy MFA
(https://www.vaultproject.io/docs/v1.10.x/auth/mfa) [GH-14869] - core: A request that fails path validation due to relative path check will now be responded to with a 400 rather than 500. [GH-14328]
- core: Bump Go version to 1.17.9. [GH-go-ver-1110]
- licensing (enterprise): Remove support for stored licenses and associated
sys/license
andsys/license/signed
endpoints in favor of autoloaded licenses. - replication (enterprise): The
/sys/replication/performance/primary/mount-filter
endpoint has been removed. Please use Paths Filter instead. - ui: Upgrade Ember to version 3.28 [GH-14763]
FEATURES:
- Non-Disruptive Intermediate/Root Certificate Rotation: This allows
import, generation and configuration of any number of keys and/or issuers
within a PKI mount, providing operators the ability to rotate certificates
in place without affecting existing client configurations. [GH-15277] - api/command: Global -output-policy flag to determine minimum required policy HCL for a given operation [GH-14899]
- nomad: Bootstrap Nomad ACL system if no token is provided [GH-12451]
- storage/dynamodb: Added
AWS_DYNAMODB_REGION
environment variable. [GH-15054]
IMPROVEMENTS:
- agent/auto-auth: Add
min_backoff
to the method stanza for configuring initial backoff duration. [GH-15204] - agent: Update consult-template to v0.29.0 [GH-15293]
- agent: Upgrade hashicorp/consul-template version for sprig template functions and improved writeTo function [GH-15092]
- api: Add ability to pass certificate as PEM bytes to api.Client. [GH-14753]
- api: Add context-aware functions to vault/api for each API wrapper function. [GH-14388]
- api: Added MFALogin() for handling MFA flow when using login helpers. [GH-14900]
- api: If the parameters supplied over the API payload are ignored due to not
being what the endpoints were expecting, or if the parameters supplied get
replaced by the values in the endpoint's path itself, warnings will be added to
the non-empty responses listing all the ignored and replaced parameters. [GH-14962] - api: Provide a helper method WithNamespace to create a cloned client with a new NS [GH-14963]
- api: Use the context passed to the api/auth Login helpers. [GH-14775]
- auth/okta: Add support for Google provider TOTP type in the Okta auth method [GH-14985]
- auth: enforce a rate limit for TOTP passcode validation attempts [GH-14864]
- cli/debug: added support for retrieving metrics from DR clusters if
unauthenticated_metrics_access
is enabled [GH-15316] - cli/vault: warn when policy name contains upper-case letter [GH-14670]
- cli: Alternative flag-based syntax for KV to mitigate confusion from automatically appended /data [GH-14807]
- cockroachdb: add high-availability support [GH-12965]
- core (enterprise): Include
termination_time
insys/license/status
response - core (enterprise): Include termination time in
license inspect
command output - core : check uid and permissions of config dir, config file, plugin dir and plugin binaries [GH-14817]
- core,transit: Allow callers to choose random byte source including entropy augmentation sources for the sys/tools/random and transit/random endpoints. [GH-15213]
- core/activity: Order month data in ascending order of timestamps [GH-15259]
- core: Add new DB methods that do not prepare statements. [GH-15166]
- core: Fix some identity data races found by Go race detector (no known impact yet). [GH-15123]
- core: Include build date in
sys/seal-status
andsys/version-history
endpoints. [GH-14957] - core: Upgrade github.org/x/crypto/ssh [GH-15125]
- sdk: Change OpenAPI code generator to extract request objects into /components/schemas and reference them by name. [GH-14217]
- secrets/consul: Add support for Consul node-identities and service-identities [GH-15295]
- secrets/consul: Vault is now able to automatically bootstrap the Consul ACL system. [GH-10751]
- secrets/pki: Warn when
generate_lease
andno_store
are both set totrue
on requests. [GH-14292] - sentinel (enterprise): Upgrade sentinel to v0.18.5 to avoid potential naming collisions in the remote installer
- storage/raft: Use larger timeouts at startup to reduce likelihood of inducing elections. [GH-15042]
- ui: Parse schema refs from OpenAPI [GH-14508]
- ui: Remove storybook. [GH-15074]
- ui: Replaces the IvyCodemirror wrapper with a custom ember modifier. [GH-14659]
- website/docs: added a link to an Enigma secret plugin. [GH-14389]
BUG FIXES:
- Fixed panic when adding or modifying a Duo MFA Method in Enterprise
- agent: Fix log level mismatch between ERR and ERROR [GH-14424]
- api/sys/raft: Update RaftSnapshotRestore to use net/http client allowing bodies larger than allocated memory to be streamed [GH-14269]
- api: Fixes bug where OutputCurlString field was unintentionally being copied over during client cloning [GH-14968]
- api: Respect increment value in grace period calculations in LifetimeWatcher [GH-14836]
- auth/approle: Add maximum length for input values that result in SHA56 HMAC calculation [GH-14746]
- auth: forward requests subject to login MFA from perfStandby to Active node [GH-15009]
- auth: load login MFA configuration upon restart [GH-15261]
- cassandra: Update gocql Cassandra client to fix "no hosts available in the pool" error [GH-14973]
- cli: Fix panic caused by parsing key=value fields whose value is a single backslash [GH-14523]
- cli: kv get command now honors trailing spaces to retrieve secrets [GH-15188]
- core (enterprise): Allow local alias create RPCs to persist alias metadata
- core (enterprise): Fix some races in merkle index flushing code found in testing
- core/config: Only ask the system about network interfaces when address configs contain a template having the format: {{ ... }} [GH-15224]
- core/managed-keys (enterprise): Allow PKCS#11 managed keys to use 0 as a slot number
- core/metrics: Fix incorrect table size metric for local mounts [GH-14755]
- core: Fix double counting for "route" metrics [GH-12763]
- core: Fix panic caused by parsing JSON integers for fields defined as comma-delimited integers [GH-15072]
- core: Fix panic caused by parsing JSON integers for fields defined as comma-delimited strings [GH-14522]
- core: Fix panic caused by parsing policies with empty slice values. [GH-14501]
- core: Fix panic for help request URL paths without /v1/ prefix [GH-14704]
- core: fixed systemd reloading notification [GH-15041]
- core: fixing excessive unix file permissions [GH-14791]
- core: fixing excessive unix file permissions on dir, files and archive created by vault debug command [GH-14846]
- core: pre-calculate namespace specific paths when tainting a route during postUnseal [GH-15067]
- core: report unused or redundant keys in server configuration [GH-14752]
- core: time.After() used in a select statement can lead to memory leak [GH-14814]
- rafft: fix Raft TLS key rotation panic that occurs if active key is more than 24 hours old [GH-15156]
- raft: Ensure initialMmapSize is set to 0 on Windows [GH-14977]
- replication (enterprise): fix panic due to missing entity during invalidation of local aliases. [GH-14622]
- sdk/cidrutil: Only check if cidr contains remote address for IP addresses [GH-14487]
- sdk: Fix OpenApi spec generator to properly convert TypeInt64 to OAS supported int64 [GH-15104]
- sdk: Fix OpenApi spec generator to remove duplicate sha_256 parameter [GH-15163]
- secrets/database: Ensure that a
connection_url
password is redacted in all cases. [GH-14744] - secrets/pki: Fix handling of "any" key type with default zero signature bits value. [GH-14875]
- secrets/pki: Fixed bug where larger SHA-2 hashes were truncated with shorter ECDSA CA certificates [GH-14943]
- ui: Fix Generated Token's Policies helpText to clarify that comma separated values are not accepted in this field. [GH-15046]
- ui: Fix KV secret showing in the edit form after a user creates a new version but doesn't have read capabilities [GH-14794]
- ui: Fix issue with KV not recomputing model when you changed versions. [GH-14941]
- ui: Fixes edit auth method capabilities issue [GH-14966]
- ui: Fixes issue logging in with OIDC from a listed auth mounts tab [GH-14916]
- ui: fix firefox inability to recognize file format of client count csv export [GH-15364]
- ui: fix search-select component showing blank selections when editing group member entity [GH-15058]
- ui: masked values no longer give away length or location of special characters [GH-15025]