Skip to content

Releases: hashicorp/vault

v1.11.5

01 Nov 16:41
9934cc3
Compare
Choose a tag to compare

1.11.5

November 2, 2022

IMPROVEMENTS:

  • database/snowflake: Allow parallel requests to Snowflake [GH-17594]
  • sdk/ldap: Added support for paging when searching for groups using group filters [GH-17640]

BUG FIXES:

  • core/managed-keys (enterprise): Return better error messages when encountering key creation failures
  • core/managed-keys (enterprise): fix panic when having cache_disable true
  • core: prevent memory leak when using control group factors in a policy [GH-17532]
  • core: prevent panic during mfa after enforcement's namespace is deleted [GH-17562]
  • kmip (enterprise): Fix a problem in the handling of attributes that caused Import operations to fail.
  • login: Store token in tokenhelper for interactive login MFA [GH-17040]
  • secrets/pki: Do not ignore provided signature bits value when signing intermediate and leaf certificates with a managed key [GH-17328]
  • secrets/pki: Do not read revoked certificates from backend when CRL is disabled [GH-17384]
  • secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [GH-17497]
  • ui/keymgmt: Sets the defaultValue for type when creating a key. [GH-17407]
  • ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [GH-17661]

v1.12.1

01 Nov 21:25
e34f8a1
Compare
Choose a tag to compare

1.12.1

November 2, 2022

IMPROVEMENTS:

  • api: Support VAULT_DISABLE_REDIRECTS environment variable (and --disable-redirects flag) to disable default client behavior and prevent the client following any redirection responses. [GH-17352]
  • database/snowflake: Allow parallel requests to Snowflake [GH-17593]
  • plugins: Add plugin version information to key plugin lifecycle log lines. [GH-17430]
  • sdk/ldap: Added support for paging when searching for groups using group filters [GH-17640]

BUG FIXES:

  • cli: Remove empty table heading for vault secrets list -detailed output. [GH-17577]
  • core/managed-keys (enterprise): Return better error messages when encountering key creation failures
  • core/managed-keys (enterprise): Switch to using hash length as PSS Salt length within the test/sign api for better PKCS#11 compatibility
  • core: Fix panic caused in Vault Agent when rendering certificate templates [GH-17419]
  • core: Fixes spurious warnings being emitted relating to "unknown or unsupported fields" for JSON config [GH-17660]
  • core: prevent memory leak when using control group factors in a policy [GH-17532]
  • core: prevent panic during mfa after enforcement's namespace is deleted [GH-17562]
  • kmip (enterprise): Fix a problem in the handling of attributes that caused Import operations to fail.
  • kmip (enterprise): Fix selection of Cryptographic Parameters for Encrypt/Decrypt operations.
  • login: Store token in tokenhelper for interactive login MFA [GH-17040]
  • secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [GH-17497]
  • ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [GH-17661]

v1.10.8

01 Nov 14:40
ecc766a
Compare
Choose a tag to compare

1.10.8

November 2, 2022

BUG FIXES:

  • core/managed-keys (enterprise): Return better error messages when encountering key creation failures
  • core/managed-keys (enterprise): fix panic when having cache_disable true
  • core: prevent memory leak when using control group factors in a policy [GH-17532]
  • core: prevent panic during mfa after enforcement's namespace is deleted [GH-17562]
  • login: Store token in tokenhelper for interactive login MFA [GH-17040]
  • secrets/pki: Do not ignore provided signature bits value when signing intermediate and leaf certificates with a managed key [GH-17328]
  • secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [GH-17497]
  • ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [GH-17661]

v1.12.0

12 Oct 15:58
558abfa
Compare
Choose a tag to compare

1.12.0

October 13, 2022

CHANGES:

  • api: Exclusively use GET /sys/plugins/catalog endpoint for listing plugins, and add details field to list responses. [GH-17347]
  • auth: GET /sys/auth/:name endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
  • auth: GET /sys/auth endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
  • auth: POST /sys/auth/:type endpoint response contains a warning for Deprecated auth methods. [GH-17058]
  • auth: auth enable returns an error and POST /sys/auth/:type endpoint reports an error for Pending Removal auth methods. [GH-17005]
  • core/entities: Fixed stranding of aliases upon entity merge, and require explicit selection of which aliases should be kept when some must be deleted [GH-16539]
  • core: Bump Go version to 1.19.2.
  • core: Validate input parameters for vault operator init command. Vault 1.12 CLI version is needed to run operator init now. [GH-16379]
  • identity: a request to /identity/group that includes member_group_ids that contains a cycle will now be responded to with a 400 rather than 500 [GH-15912]
  • licensing (enterprise): Terminated licenses will no longer result in shutdown. Instead, upgrades will not be allowed if the license termination time is before the build date of the binary.
  • plugins: Add plugin version to auth register, list, and mount table [GH-16856]
  • plugins: GET /sys/plugins/catalog/:type/:name endpoint contains deprecation status for builtin plugins. [GH-17077]
  • plugins: GET /sys/plugins/catalog/:type/:name endpoint now returns an additional version field in the response data. [GH-16688]
  • plugins: GET /sys/plugins/catalog/ endpoint contains deprecation status in detailed list. [GH-17077]
  • plugins: GET /sys/plugins/catalog endpoint now returns an additional detailed field in the response data with a list of additional plugin metadata. [GH-16688]
  • plugins: plugin info displays deprecation status for builtin plugins. [GH-17077]
  • plugins: plugin list now accepts a -detailed flag, which display deprecation status and version info. [GH-17077]
  • secrets/azure: Removed deprecated AAD graph API support from the secrets engine. [GH-17180]
  • secrets: All database-specific (standalone DB) secrets engines are now marked Pending Removal. [GH-17038]
  • secrets: GET /sys/mounts/:name endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
  • secrets: GET /sys/mounts endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
  • secrets: POST /sys/mounts/:type endpoint response contains a warning for Deprecated secrets engines. [GH-17058]
  • secrets: secrets enable returns an error and POST /sys/mount/:type endpoint reports an error for Pending Removal secrets engines. [GH-17005]

FEATURES:

  • GCP Cloud KMS support for managed keys: Managed keys now support using GCP Cloud KMS keys
  • LDAP Secrets Engine: Adds the ldap secrets engine with service account check-out functionality for all supported schemas. [GH-17152]
  • OCSP Responder: PKI mounts now have an OCSP responder that implements a subset of RFC6960, answering single serial number OCSP requests for a specific cluster's revoked certificates in a mount. [GH-16723]
  • Redis DB Engine: Adding the new Redis database engine that supports the generation of static and dynamic user roles and root credential rotation on a stand alone Redis server. [GH-17070]
  • Redis ElastiCache DB Plugin: Added Redis ElastiCache as a built-in plugin. [GH-17075]
  • Secrets/auth plugin multiplexing: manage multiple plugin configurations with a single plugin process [GH-14946]
  • Transform Key Import (BYOK): The transform secrets engine now supports importing keys for tokenization and FPE transformations
  • HCP (enterprise): Adding foundational support for self-managed vault nodes to securely communicate with HashiCorp Cloud Platform as an opt-in feature
  • ui: UI support for Okta Number Challenge. [GH-15998]

IMPROVEMENTS:

  • :core/managed-keys (enterprise): Allow operators to specify PSS signatures and/or hash algorithm for the test/sign api
  • activity (enterprise): Added new clients unit tests to test accuracy of estimates
  • agent/auto-auth: Add exit_on_err which when set to true, will cause Agent to exit if any errors are encountered during authentication. [GH-17091]
  • agent: Added disable_idle_connections configuration to disable leaving idle connections open in auto-auth, caching and templating. [GH-15986]
  • agent: Added disable_keep_alives configuration to disable keep alives in auto-auth, caching and templating. [GH-16479]
  • agent: JWT auto auth now supports a remove_jwt_after_reading config option which defaults to true. [GH-11969]
  • agent: Send notifications to systemd on start and stop. [GH-9802]
  • api/mfa: Add namespace path to the MFA read/list endpoint [GH-16911]
  • api: Add a sentinel error for missing KV secrets [GH-16699]
  • auth/alicloud: Enables AliCloud roles to be compatible with Vault's role based quotas. [GH-17251]
  • auth/approle: SecretIDs can now be generated with an per-request specified TTL and num_uses.
    When either the ttl and num_uses fields are not specified, the role's configuration is used. [GH-14474]
  • auth/aws: PKCS7 signatures will now use SHA256 by default in prep for Go 1.18 [GH-16455]
  • auth/azure: Enables Azure roles to be compatible with Vault's role based quotas. [GH-17194]
  • auth/cert: Add metadata to identity-alias [GH-14751]
  • auth/cert: Operators can now specify a CRL distribution point URL, in which case the cert auth engine will fetch and use the CRL from that location rather than needing to push CRLs directly to auth/cert. [GH-17136]
  • auth/cf: Enables CF roles to be compatible with Vault's role based quotas. [GH-17196]
  • auth/gcp: Add support for GCE regional instance groups [GH-16435]
  • auth/gcp: Updates dependencies: google.golang.org/api@v0.83.0, github.com/hashicorp/go-gcp-common@v0.8.0. [GH-17160]
  • auth/jwt: Adds support for Microsoft US Gov L4 to the Azure provider for groups fetching. [GH-16525]
  • auth/jwt: Improves detection of Windows Subsystem for Linux (WSL) for CLI-based logins. [GH-16525]
  • auth/kerberos: add add_group_aliases config to include LDAP groups in Vault group aliases [GH-16890]
  • auth/kerberos: add remove_instance_name parameter to the login CLI and the Kerberos config in Vault. This removes any instance names found in the keytab service principal name. [GH-16594]
  • auth/kubernetes: Role resolution for K8S Auth [GH-156] [GH-17161]
  • auth/oci: Add support for role resolution. [GH-17212]
  • auth/oidc: Adds support for group membership parsing when using SecureAuth as an OIDC provider. [GH-16274]
  • cli: CLI commands will print a warning if flags will be ignored because they are passed after positional arguments. [GH-16441]
  • cli: auth and secrets list -detailed commands now show Deprecation Status for builtin plugins. [GH-16849]
  • cli: vault plugin list now has a details field in JSON format, and version and type information in table format. [[GH-17347](https://github.com/hashicorp/vault...
Read more

v1.12.0-rc1

30 Sep 18:58
2c6f09a
Compare
Choose a tag to compare
v1.12.0-rc1 Pre-release
Pre-release
core: Parse VAULT_ALLOW_PENDING_REMOVAL_MOUNTS as bool (#17319) (#17365)

* docs: Update VAULT_ALLOW_PENDING_REMOVAL_MOUNTS doc

v1.11.4

29 Sep 22:14
b47a9e7
Compare
Choose a tag to compare
backport of commit 7f22056686b5a8e71c66e73eeaab4403809b791c (#17039)

Co-authored-by: Troy Ready <troy@troyready.com>

v1.10.7

29 Sep 22:04
f7968a9
Compare
Choose a tag to compare
backport of commit 6c399c1c3b1c24ee830ef62d7966687a01dc5833 (#17287)

Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>

v1.9.10

29 Sep 21:10
8efbff5
Compare
Choose a tag to compare
Backport of #17138: Populate CRL data on backend startup (#17150)

* Load existing CRLs on startup and after invalidate (#17138)

* Load existing CRLs on startup and after invalidate

* changelog

* Populate during renew calls also (#17143)

* Remove unused config fetch

v1.11.3

31 Aug 17:29
17250b2
Compare
Choose a tag to compare
Backport of UI/OIDC auth bug for hcp namespace flag into release/1.11…

v1.10.6

31 Aug 14:57
45020b0
Compare
Choose a tag to compare
Backport of UI/OIDC auth bug for hcp namespace flag into release/1.10…