v1.14.2

August 30, 2023

CHANGES:

• auth/azure: Update plugin to v0.16.0 [GH-22277]
• core: Bump Go version to 1.20.7.
• database/snowflake: Update plugin to v0.9.0 [GH-22516]

IMPROVEMENTS:

• auto-auth/azure: Added Azure Workload Identity Federation support to auto-auth (for Vault Agent and Vault Proxy). [GH-22264]
• core: Log rollback manager failures during unmount, remount to prevent replication failures on secondary clusters. [GH-22235]
• kmip (enterprise): Add namespace lock and unlock support [GH-21925]
• replication (enterprise): Make reindex less disruptive by allowing writes during the flush phase.
• secrets/database: Improves error logging for static role rotations by including the database and role names. [GH-22253]
• storage/raft: Cap the minimum dead_server_last_contact_threshold to 1m. [GH-22040]
• ui: KV View Secret card will link to list view if input ends in "/" [GH-22502]
• ui: adds allowed_user_ids field to create role form and user_ids to generate certificates form in pki [GH-22191]
• ui: enables create and update KV secret workflow when control group present [GH-22471]
• website/docs: Fix link formatting in Vault lambda extension docs [GH-22396]

BUG FIXES:

• activity (enterprise): Fix misattribution of entities to no or child namespace auth methods [GH-18809]
• agent: Environment variable VAULT_CACERT_BYTES now works for Vault Agent templates. [GH-22322]
• api: Fix breakage with UNIX domain socket addresses introduced by newest Go versions as a security fix. [GH-22523]
• core (enterprise): Remove MFA Configuration for namespace when deleting namespace
• core/metrics: vault.raft_storage.bolt.write.time should be a counter not a summary [GH-22468]
• core/quotas (enterprise): Fix a case where we were applying login roles to lease count quotas in a non-login context.
  Also fix a related potential deadlock. [GH-21110]
• core: Remove "expiration manager is nil on tokenstore" error log for unauth requests on DR secondary as they do not have expiration manager. [GH-22137]
• core: Fix bug where background thread to update locked user entries runs on DR secondaries. [GH-22355]
• core: Fix readonly errors that could occur while loading mounts/auths during unseal [GH-22362]
• core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [GH-21470]
• expiration: Fix a deadlock that could occur when a revocation failure happens while restoring leases on startup. [GH-22374]
• license: Add autoloaded license path to the cache exempt list. This is to ensure the license changes on the active node is observed on the perfStandby node. [GH-22363]
• replication (enterprise): Fix bug sync invalidate CoreReplicatedClusterInfoPath
• replication (enterprise): Fix panic when update-primary was called on demoted clusters using update_primary_addrs
• replication (enterprise): Fixing a bug by which the atomicity of a merkle diff result could be affected. This means it could be a source of a merkle-diff & sync process failing to switch into stream-wal mode afterwards.
• sdk/ldaputil: Properly escape user filters when using UPN domains
  sdk/ldaputil: use EscapeLDAPValue implementation from cap/ldap [GH-22249]
• secrets/ldap: Fix bug causing schema and password_policy to be overwritten in config. [GH-22330]
• secrets/transform (enterprise): Batch items with repeated tokens in the tokenization decode api will now contain the decoded_value element
• secrets/transform (enterprise): Fix nil panic when encoding a tokenization transformation on a non-active node
• secrets/transform (enterprise): Tidy operations will be re-scheduled at a minimum of every minute, not a maximum of every minute
• storage/raft: Fix race where new follower joining can get pruned by dead server cleanup. [GH-20986]
• ui: Fix blank page or ghost secret when canceling KV secret create [GH-22541]
• ui: fixes max_versions default for secret metadata unintentionally overriding kv engine defaults [GH-22394]
• ui: fixes model defaults overwriting input value when user tries to clear form input [GH-22458]
• ui: fixes text readability issue in revoke token confirmation dialog [GH-22390]

v1.13.6

August 30, 2023

CHANGES:

• core: Bump Go version to 1.20.7.

IMPROVEMENTS:

• core: Log rollback manager failures during unmount, remount to prevent replication failures on secondary clusters. [GH-22235]
• replication (enterprise): Make reindex less disruptive by allowing writes during the flush phase.
• secrets/database: Improves error logging for static role rotations by including the database and role names. [GH-22253]
• storage/raft: Cap the minimum dead_server_last_contact_threshold to 1m. [GH-22040]
• ui: KV View Secret card will link to list view if input ends in "/" [GH-22502]
• ui: enables create and update KV secret workflow when control group present [GH-22471]

BUG FIXES:

• activity (enterprise): Fix misattribution of entities to no or child namespace auth methods [GH-18809]
• api: Fix breakage with UNIX domain socket addresses introduced by newest Go versions as a security fix. [GH-22523]
• core (enterprise): Remove MFA Configuration for namespace when deleting namespace
• core/quotas (enterprise): Fix a case where we were applying login roles to lease count quotas in a non-login context.
  Also fix a related potential deadlock. [GH-21110]
• core: Remove "expiration manager is nil on tokenstore" error log for unauth requests on DR secondary as they do not have expiration manager. [GH-22137]
• core: Fix bug where background thread to update locked user entries runs on DR secondaries. [GH-22355]
• core: Fix readonly errors that could occur while loading mounts/auths during unseal [GH-22362]
• core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [GH-21470]
• expiration: Fix a deadlock that could occur when a revocation failure happens while restoring leases on startup. [GH-22374]
• license: Add autoloaded license path to the cache exempt list. This is to ensure the license changes on the active node is observed on the perfStandby node. [GH-22363]
• replication (enterprise): Fix bug sync invalidate CoreReplicatedClusterInfoPath
• replication (enterprise): Fix panic when update-primary was called on demoted clusters using update_primary_addrs
• replication (enterprise): Fixing a bug by which the atomicity of a merkle diff result could be affected. This means it could be a source of a merkle-diff & sync process failing to switch into stream-wal mode afterwards.
• sdk/ldaputil: Properly escape user filters when using UPN domains
  sdk/ldaputil: use EscapeLDAPValue implementation from cap/ldap [GH-22249]
• secrets/ldap: Fix bug causing schema and password_policy to be overwritten in config. [GH-22331]
• secrets/transform (enterprise): Tidy operations will be re-scheduled at a minimum of every minute, not a maximum of every minute
• ui: Fix blank page or ghost secret when canceling KV secret create [GH-22541]
• ui: fixes max_versions default for secret metadata unintentionally overriding kv engine defaults [GH-22394]
• ui: fixes model defaults overwriting input value when user tries to clear form input [GH-22458]

v1.12.10

August 30, 2023

CHANGES:

• core: Bump Go version to 1.19.12.

IMPROVEMENTS:

• core: Log rollback manager failures during unmount, remount to prevent replication failures on secondary clusters. [GH-22235]
• replication (enterprise): Make reindex less disruptive by allowing writes during the flush phase.
• storage/raft: Cap the minimum dead_server_last_contact_threshold to 1m. [GH-22040]
• ui: enables create and update KV secret workflow when control group present [GH-22471]

BUG FIXES:

• api: Fix breakage with UNIX domain socket addresses introduced by newest Go versions as a security fix. [GH-22523]
• core (enterprise): Remove MFA Configuration for namespace when deleting namespace
• core/quotas (enterprise): Fix a case where we were applying login roles to lease count quotas in a non-login context.
  Also fix a related potential deadlock. [GH-21110]
• core: Remove "expiration manager is nil on tokenstore" error log for unauth requests on DR secondary as they do not have expiration manager. [GH-22137]
• core: Fix readonly errors that could occur while loading mounts/auths during unseal [GH-22362]
• core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [GH-21470]
• expiration: Fix a deadlock that could occur when a revocation failure happens while restoring leases on startup. [GH-22374]
• license: Add autoloaded license path to the cache exempt list. This is to ensure the license changes on the active node is observed on the perfStandby node. [GH-22363]
• replication (enterprise): Fix bug sync invalidate CoreReplicatedClusterInfoPath
• replication (enterprise): Fixing a bug by which the atomicity of a merkle diff result could be affected. This means it could be a source of a merkle-diff & sync process failing to switch into stream-wal mode afterwards.
• sdk/ldaputil: Properly escape user filters when using UPN domains
  sdk/ldaputil: use EscapeLDAPValue implementation from cap/ldap [GH-22249]
• secrets/ldap: Fix bug causing schema and password_policy to be overwritten in config. [GH-22332]
• secrets/transform (enterprise): Tidy operations will be re-scheduled at a minimum of every minute, not a maximum of every minute
• ui: Fix blank page or ghost secret when canceling KV secret create [GH-22541]
• ui: fixes max_versions default for secret metadata unintentionally overriding kv engine defaults [GH-22394]

v1.14.1

July 25, 2023

CHANGES:

• auth/ldap: Normalize HTTP response codes when invalid credentials are provided [GH-21282]
• core/namespace (enterprise): Introduce the concept of high-privilege namespace (administrative namespace),
  which will have access to some system backend paths that were previously only accessible in the root namespace. [GH-21215]
• secrets/transform (enterprise): Enforce a transformation role's max_ttl setting on encode requests, a warning will be returned if max_ttl was applied.
• storage/aerospike: Aerospike storage shouldn't be used on 32-bit architectures and is now unsupported on them. [GH-20825]

IMPROVEMENTS:

• core/fips: Add RPM, DEB packages of FIPS 140-2 and HSM+FIPS 140-2 Vault Enterprise.
• eventbus: updated go-eventlogger library to allow removal of nodes referenced by pipelines (used for subscriptions) [GH-21623]
• openapi: Better mount points for kv-v1 and kv-v2 in openapi.json [GH-21563]
• replication (enterprise): Avoid logging warning if request is forwarded from a performance standby and not a performance secondary
• secrets/pki: Add a parameter to allow ExtKeyUsage field usage from a role within ACME. [GH-21702]
• secrets/transform (enterprise): Switch to pgx PostgreSQL driver for better timeout handling
• sys/metrics (enterprise): Adds a gauge metric that tracks whether enterprise builtin secret plugins are enabled. [GH-21681]

BUG FIXES:

• agent: Fix "generate-config" command documentation URL [GH-21466]
• auth/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [GH-21800]
• auth/token, sys: Fix path-help being unavailable for some list-only endpoints [GH-18571]
• auth/token: Fix parsing of auth/token/create fields to avoid incorrect warnings about ignored parameters [GH-18556]
• awsutil: Update awsutil to v0.2.3 to fix a regression where Vault no longer
  respects AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE, and AWS_ROLE_SESSION_NAME. [GH-21951]
• core/managed-keys (enterprise): Allow certain symmetric PKCS#11 managed key mechanisms (AES CBC with and without padding) to operate without an HMAC.
• core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [GH-24170]
• core: Fixed issue with some durations not being properly parsed to include days. [GH-21357]
• identity: Remove caseSensitivityKey to prevent errors while loading groups which could result in missing groups in memDB when duplicates are found. [GH-20965]
• openapi: Fix response schema for PKI Issue requests [GH-21449]
• openapi: Fix schema definitions for PKI EAB APIs [GH-21458]
• replication (enterprise): update primary cluster address after DR failover
• secrets/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [GH-21631]
• secrets/pki: Fix bug with ACME tidy, 'unable to determine acme base folder path'. [GH-21870]
• secrets/pki: Fix preserving acme_account_safety_buffer on config/auto-tidy. [GH-21870]
• secrets/pki: Prevent deleted issuers from reappearing when migrating from a version 1 bundle to a version 2 bundle (versions including 1.13.0, 1.12.2, and 1.11.6); when managed keys were removed but referenced in the Vault 1.10 legacy CA bundle, this the error: no managed key found with uuid. [GH-21316]
• secrets/transform (enterprise): Fix nil panic when deleting a template with tokenization transformations present
• secrets/transform (enterprise): Grab shared locks for various read operations, only escalating to write locks if work is required
• serviceregistration: Fix bug where multiple nodes in a secondary cluster could be labelled active after updating the cluster's primary [GH-21642]
• ui: Adds missing values to details view after generating PKI certificate [GH-21635]
• ui: Fixed an issue where editing an SSH role would clear default_critical_options and default_extension if left unchanged. [GH-21739]
• ui: Fixed secrets, leases, and policies filter dropping focus after a single character [GH-21767]
• ui: Fixes issue with certain navigational links incorrectly displaying in child namespaces [GH-21562]
• ui: Fixes login screen display issue with Safari browser [GH-21582]
• ui: Fixes problem displaying certificates issued with unsupported signature algorithms (i.e. ed25519) [GH-21926]
• ui: Fixes styling of private key input when configuring an SSH key [GH-21531]
• ui: Surface DOMException error when browser settings prevent localStorage. [GH-21503]

v1.13.5

July 25, 2023

CHANGES:

• auth/ldap: Normalize HTTP response codes when invalid credentials are provided [GH-21282]
• core/namespace (enterprise): Introduce the concept of high-privilege namespace (administrative namespace),
  which will have access to some system backend paths that were previously only accessible in the root namespace. [GH-21215]
• secrets/transform (enterprise): Enforce a transformation role's max_ttl setting on encode requests, a warning will be returned if max_ttl was applied.

IMPROVEMENTS:

• core/fips: Add RPM, DEB packages of FIPS 140-2 and HSM+FIPS 140-2 Vault Enterprise.
• core: Add a new periodic metric to track the number of available policies, vault.policy.configured.count. [GH-21010]
• replication (enterprise): Avoid logging warning if request is forwarded from a performance standby and not a performance secondary
• secrets/transform (enterprise): Switch to pgx PostgreSQL driver for better timeout handling
• sys/metrics (enterprise): Adds a gauge metric that tracks whether enterprise builtin secret plugins are enabled. [GH-21681]

BUG FIXES:

• auth/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [GH-21799]
• core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [GH-24170]
• identity: Remove caseSensitivityKey to prevent errors while loading groups which could result in missing groups in memDB when duplicates are found. [GH-20965]
• replication (enterprise): update primary cluster address after DR failover
• secrets/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [GH-21632]
• secrets/pki: Prevent deleted issuers from reappearing when migrating from a version 1 bundle to a version 2 bundle (versions including 1.13.0, 1.12.2, and 1.11.6); when managed keys were removed but referenced in the Vault 1.10 legacy CA bundle, this the error: no managed key found with uuid. [GH-21316]
• secrets/pki: Support setting both maintain_stored_certificate_counts=false and publish_stored_certificate_count_metrics=false explicitly in tidy config. [GH-20664]
• secrets/transform (enterprise): Fix nil panic when deleting a template with tokenization transformations present
• secrets/transform (enterprise): Grab shared locks for various read operations, only escalating to write locks if work is required
• serviceregistration: Fix bug where multiple nodes in a secondary cluster could be labelled active after updating the cluster's primary [GH-21642]
• ui: Fixed an issue where editing an SSH role would clear default_critical_options and default_extension if left unchanged. [GH-21739]
• ui: Surface DOMException error when browser settings prevent localStorage. [GH-21503]

v1.12.9

July 25, 2023

CHANGES:

• secrets/transform (enterprise): Enforce a transformation role's max_ttl setting on encode requests, a warning will be returned if max_ttl was applied.

IMPROVEMENTS:

• core/fips: Add RPM, DEB packages of FIPS 140-2 and HSM+FIPS 140-2 Vault Enterprise.
• replication (enterprise): Avoid logging warning if request is forwarded from a performance standby and not a performance secondary
• secrets/transform (enterprise): Switch to pgx PostgreSQL driver for better timeout handling

BUG FIXES:

• core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [GH-24170]
• identity: Remove caseSensitivityKey to prevent errors while loading groups which could result in missing groups in memDB when duplicates are found. [GH-20965]
• replication (enterprise): update primary cluster address after DR failover
• secrets/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [GH-21633]
• secrets/pki: Prevent deleted issuers from reappearing when migrating from a version 1 bundle to a version 2 bundle (versions including 1.13.0, 1.12.2, and 1.11.6); when managed keys were removed but referenced in the Vault 1.10 legacy CA bundle, this the error: no managed key found with uuid. [GH-21316]
• secrets/pki: Support setting both maintain_stored_certificate_counts=false and publish_stored_certificate_count_metrics=false explicitly in tidy config. [GH-20664]
• secrets/transform (enterprise): Fix nil panic when deleting a template with tokenization transformations present
• secrets/transform (enterprise): Grab shared locks for various read operations, only escalating to write locks if work is required
• serviceregistration: Fix bug where multiple nodes in a secondary cluster could be labelled active after updating the cluster's primary [GH-21642]
• ui: Fixed an issue where editing an SSH role would clear default_critical_options and default_extension if left unchanged. [GH-21739]

v1.14.0

1.14.0

June 21, 2023

BREAKING CHANGES:

• secrets/pki: Maintaining running count of certificates will be turned off by default.
  To re-enable keeping these metrics available on the tidy status endpoint, enable
  maintain_stored_certificate_counts on tidy-config, to also publish them to the
  metrics consumer, enable publish_stored_certificate_count_metrics . [GH-18186]

CHANGES:

• auth/alicloud: Updated plugin from v0.14.0 to v0.15.0 [GH-20758]
• auth/azure: Updated plugin from v0.13.0 to v0.15.0 [GH-20816]
• auth/centrify: Updated plugin from v0.14.0 to v0.15.1 [GH-20745]
• auth/gcp: Updated plugin from v0.15.0 to v0.16.0 [GH-20725]
• auth/jwt: Updated plugin from v0.15.0 to v0.16.0 [GH-20799]
• auth/kubernetes: Update plugin to v0.16.0 [GH-20802]
• core: Bump Go version to 1.20.5.
• core: Remove feature toggle for SSCTs, i.e. the env var VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS. [GH-20834]
• core: Revert #19676 (VAULT_GRPC_MIN_CONNECT_TIMEOUT env var) as we decided it was unnecessary. [GH-20826]
• database/couchbase: Updated plugin from v0.9.0 to v0.9.2 [GH-20764]
• database/redis-elasticache: Updated plugin from v0.2.0 to v0.2.1 [GH-20751]
• replication (enterprise): Add a new parameter for the update-primary API call
  that allows for setting of the primary cluster addresses directly, instead of
  via a token.
• secrets/ad: Updated plugin from v0.10.1-0.20230329210417-0b2cdb26cf5d to v0.16.0 [GH-20750]
• secrets/alicloud: Updated plugin from v0.5.4-beta1.0.20230330124709-3fcfc5914a22 to v0.15.0 [GH-20787]
• secrets/aure: Updated plugin from v0.15.0 to v0.16.0 [GH-20777]
• secrets/database/mongodbatlas: Updated plugin from v0.9.0 to v0.10.0 [GH-20882]
• secrets/database/snowflake: Updated plugin from v0.7.0 to v0.8.0 [GH-20807]
• secrets/gcp: Updated plugin from v0.15.0 to v0.16.0 [GH-20818]
• secrets/keymgmt: Updated plugin to v0.9.1
• secrets/kubernetes: Update plugin to v0.5.0 [GH-20802]
• secrets/mongodbatlas: Updated plugin from v0.9.1 to v0.10.0 [GH-20742]
• secrets/pki: Allow issuance of root CAs without AIA, when templated AIA information includes issuer_id. [GH-21209]
• secrets/pki: Warning when issuing leafs from CSRs with basic constraints. In the future, issuance of non-CA leaf certs from CSRs with asserted IsCA Basic Constraints will be prohibited. [GH-20654]

FEATURES:

• AWS Static Roles: The AWS Secrets Engine can manage static roles configured by users. [GH-20536]
• Automated License Utilization Reporting: Added automated license
  utilization reporting, which sends minimal product-license metering
  data
  to HashiCorp without requiring you to manually collect and report them.
• Environment Variables through Vault Agent: Introducing a new process-supervisor mode for Vault Agent which allows injecting secrets as environment variables into a child process using a new env_template configuration stanza. The process-supervisor configuration can be generated with a new vault agent generate-config helper tool. [GH-20530]
• MongoDB Atlas Database Secrets: Adds support for client certificate credentials [GH-20425]
• MongoDB Atlas Database Secrets: Adds support for generating X.509 certificates on dynamic roles for user authentication [GH-20882]
• NEW PKI Workflow in UI: Completes generally available rollout of new PKI UI that provides smoother mount configuration and a more guided user experience [GH-pki-ui-improvements]
• Secrets/Auth Plugin Multiplexing: The plugin will be multiplexed when run
  as an external plugin by vault versions that support secrets/auth plugin
  multiplexing (> 1.12) [GH-19215]
• Sidebar Navigation in UI: A new sidebar navigation panel has been added in the UI to replace the top navigation bar. [GH-19296]
• Vault PKI ACME Server: Support for the ACME certificate lifecycle management protocol has been added to the Vault PKI Plugin. This allows standard ACME clients, such as the EFF's certbot and the CNCF's k8s cert-manager, to request certificates from a Vault server with no knowledge of Vault APIs or authentication mechanisms. For public-facing Vault instances, we recommend requiring External Account Bindings (EAB) to limit the ability to request certificates to only authenticated clients. [GH-20752]
• Vault Proxy: Introduced Vault Proxy, a new subcommand of the Vault binary that can be invoked using vault proxy -config=config.hcl. It currently has the same feature set as Vault Agent's API proxy, but the two may diverge in the future. We plan to deprecate the API proxy functionality of Vault Agent in a future release. [GH-20548]
• OCI Auto-Auth: Add OCI (Oracle Cloud Infrastructure) auto-auth method [GH-19260]

IMPROVEMENTS:

• api: Add Config.TLSConfig method to fetch the TLS configuration from a client config. [GH-20265]
• physical/etcd: Upgrade etcd3 client to v3.5.7 [GH-20261]
• activitylog: EntityRecord protobufs now contain a ClientType field for
  distinguishing client sources. [GH-20626]
• agent: Add integration tests for agent running in process supervisor mode [GH-20741]
• agent: Add logic to validate env_template entries in configuration [GH-20569]
• agent: Added reload option to cert auth configuration in case of external renewals of local x509 key-pairs. [GH-19002]
• agent: JWT auto-auth has a new config option, remove_jwt_follows_symlinks (default: false), that, if set to true will now remove the JWT, instead of the symlink to the JWT, if a symlink to a JWT has been provided in the path option, and the remove_jwt_after_reading config option is set to true (default). [GH-18863]
• agent: Vault Agent now reports its name and version as part of the User-Agent header in all requests issued. [GH-19776]
• agent: initial implementation of a process runner for injecting secrets via environment variables via vault agent [GH-20628]
• api: GET ... /sys/internal/counters/activity?current_billing_period=true now
  results in a response which contains the full billing period [GH-20694]
• api: /sys/internal/counters/config endpoint now contains read-only
  minimum_retention_months. [GH-20150]
• api: /sys/internal/counters/config endpoint now contains read-only
  reporting_enabled and billing_start_timestamp fields. [GH-20086]
• api: property based testing for LifetimeWatcher sleep duration calculation [GH-17919]
• audit: add plugin metadata, including plugin name, type, version, sha256, and whether plugin is external, to audit logging [GH-19814]
• audit: forwarded requests can now contain host metadata on the node it was sent 'from' or a flag to indicate that it was forwarded.
• auth/cert: Better return OCSP validation errors during login to the caller. [GH-20234]
• auth/kerberos: Enable plugin multiplexing
  auth/kerberos: Upgrade plugin dependencies [GH-20771]
• auth/ldap: allow configuration of alias dereferencing in LDAP search [GH-18230]
• auth/ldap: allow providing the LDAP password via an env var when authenticating via the CLI [GH-18225]
• auth/oidc: Adds support for group membership parsing when using IBM ISAM as an OIDC provider. [GH-19247]
• build: Prefer GOBIN when set over GOPATH/bin when building the binary [GH-19862]
• cli: Add walkSecretsTree helper function, which recursively walks secrets rooted at the given path [GH-20464...

v1.13.4

1.13.4

June 21, 2023

BREAKING CHANGES:

• secrets/pki: Maintaining running count of certificates will be turned off by default.
  To re-enable keeping these metrics available on the tidy status endpoint, enable
  maintain_stored_certificate_counts on tidy-config, to also publish them to the
  metrics consumer, enable publish_stored_certificate_count_metrics . [GH-18186]

CHANGES:

• core: Bump Go version to 1.20.5.

FEATURES:

• Automated License Utilization Reporting: Added automated license
  utilization reporting, which sends minimal product-license metering
  data
  to HashiCorp without requiring you to manually collect and report them.
• core (enterprise): Add background worker for automatic reporting of billing
  information. [GH-19625]

IMPROVEMENTS:

• api: GET ... /sys/internal/counters/activity?current_billing_period=true now
  results in a response which contains the full billing period [GH-20694]
• api: /sys/internal/counters/config endpoint now contains read-only
  minimum_retention_months. [GH-20150]
• api: /sys/internal/counters/config endpoint now contains read-only
  reporting_enabled and billing_start_timestamp fields. [GH-20086]
• core (enterprise): add configuration for license reporting [GH-19891]
• core (enterprise): license updates trigger a reload of reporting and the activity log [GH-20680]
• core (enterprise): support reloading configuration for automated reporting via SIGHUP [GH-20680]
• core (enterprise): vault server command now allows for opt-out of automated
  reporting via the OPTOUT_LICENSE_REPORTING environment variable. [GH-3939]
• core/activity: error when attempting to update retention configuration below the minimum [GH-20078]
• core/activity: refactor the activity log's generation of precomputed queries [GH-20073]
• ui: updates clients configuration edit form state based on census reporting configuration [GH-20125]

BUG FIXES:

• agent: Fix bug with 'cache' stanza validation [GH-20934]
• core (enterprise): Don't delete backend stored data that appears to be filterable
  on this secondary if we don't have a corresponding mount entry.
• core: Change where we evaluate filtered paths as part of mount operations; this is part of an enterprise bugfix that will
  have its own changelog entry. Fix wrong lock used in ListAuths link meta interface implementation. [GH-21260]
• core: Do not cache seal configuration to fix a bug that resulted in sporadic auto unseal failures. [GH-21223]
• core: Don't exit just because we think there's a potential deadlock. [GH-21342]
• core: Fix panic in sealed nodes using raft storage trying to emit raft metrics [GH-21249]
• identity: Fixes duplicate groups creation with the same name but unique IDs. [GH-20964]
• replication (enterprise): Fix a race condition with update-primary that could result in data loss after a DR failover
• replication (enterprise): Fix path filters deleting data right after it's written by backend Initialize funcs
• replication (enterprise): Fix regression causing token creation against a role
  with a new entity alias to be incorrectly forwarded from perf standbys. [GH-21100]
• storage/raft: Fix race where new follower joining can get pruned by dead server cleanup. [GH-20986]

v1.12.8

1.12.8

June 21, 2023

BREAKING CHANGES:

• secrets/pki: Maintaining running count of certificates will be turned off by default.
  To re-enable keeping these metrics available on the tidy status endpoint, enable
  maintain_stored_certificate_counts on tidy-config, to also publish them to the
  metrics consumer, enable publish_stored_certificate_count_metrics . [GH-18186]

CHANGES:

• core: Bump Go version to 1.19.10.

FEATURES:

• Automated License Utilization Reporting: Added automated license
  utilization reporting, which sends minimal product-license metering
  data
  to HashiCorp without requiring you to manually collect and report them.
• core (enterprise): Add background worker for automatic reporting of billing
  information. [GH-19625]

IMPROVEMENTS:

• api: GET ... /sys/internal/counters/activity?current_billing_period=true now
  results in a response which contains the full billing period [GH-20694]
• api: /sys/internal/counters/config endpoint now contains read-only
  minimum_retention_months. [GH-20150]
• api: /sys/internal/counters/config endpoint now contains read-only
  reporting_enabled and billing_start_timestamp fields. [GH-20086]
• core (enterprise): add configuration for license reporting [GH-19891]
• core (enterprise): license updates trigger a reload of reporting and the activity log [GH-20680]
• core (enterprise): support reloading configuration for automated reporting via SIGHUP [GH-20680]
• core (enterprise): vault server command now allows for opt-out of automated
  reporting via the OPTOUT_LICENSE_REPORTING environment variable. [GH-3939]
• core/activity: error when attempting to update retention configuration below the minimum [GH-20078]
• core/activity: refactor the activity log's generation of precomputed queries [GH-20073]
• ui: updates clients configuration edit form state based on census reporting configuration [GH-20125]

BUG FIXES:

• core (enterprise): Don't delete backend stored data that appears to be filterable
  on this secondary if we don't have a corresponding mount entry.
• core/activity: add namespace breakdown for new clients when date range spans multiple months, including the current month. [GH-18766]
• core/activity: de-duplicate namespaces when historical and current month data are mixed [GH-18452]
• core/activity: fix the end_date returned from the activity log endpoint when partial counts are computed [GH-17856]
• core/activity: include mount counts when de-duplicating current and historical month data [GH-18598]
• core/activity: report mount paths (rather than mount accessors) in current month activity log counts and include deleted mount paths in precomputed queries. [GH-18916]
• core/activity: return partial month counts when querying a historical date range and no historical data exists. [GH-17935]
• core: Change where we evaluate filtered paths as part of mount operations; this is part of an enterprise bugfix that will
  have its own changelog entry. Fix wrong lock used in ListAuths link meta interface implementation. [GH-21260]
• core: Do not cache seal configuration to fix a bug that resulted in sporadic auto unseal failures. [GH-21223]
• core: Don't exit just because we think there's a potential deadlock. [GH-21342]
• core: Fix panic in sealed nodes using raft storage trying to emit raft metrics [GH-21249]
• identity: Fixes duplicate groups creation with the same name but unique IDs. [GH-20964]
• replication (enterprise): Fix a race condition with update-primary that could result in data loss after a DR failover
• replication (enterprise): Fix path filters deleting data right after it's written by backend Initialize funcs
• storage/raft: Fix race where new follower joining can get pruned by dead server cleanup. [GH-20986]

v1.11.12

1.11.12

June 21, 2023

CHANGES:

• core: Bump Go version to 1.19.10.
• licensing (enterprise): Terminated licenses will no longer result in shutdown. Instead, upgrades
  will not be allowed if the license termination time is before the build date of the binary.

FEATURES:

• Automated License Utilization Reporting: Added automated license
  utilization reporting, which sends minimal product-license metering
  data
  to HashiCorp without requiring you to manually collect and report them.
• core (enterprise): Add background worker for automatic reporting of billing
  information. [GH-19625]

IMPROVEMENTS:

• api: GET ... /sys/internal/counters/activity?current_billing_period=true now
  results in a response which contains the full billing period [GH-20694]
• api: /sys/internal/counters/config endpoint now contains read-only
  minimum_retention_months. [GH-20150]
• api: /sys/internal/counters/config endpoint now contains read-only
  reporting_enabled and billing_start_timestamp fields. [GH-20086]
• core (enterprise): add configuration for license reporting [GH-19891]
• core (enterprise): license updates trigger a reload of reporting and the activity log [GH-20680]
• core (enterprise): support reloading configuration for automated reporting via SIGHUP [GH-20680]
• core (enterprise): vault server command now allows for opt-out of automated
  reporting via the OPTOUT_LICENSE_REPORTING environment variable. [GH-3939]
• core/activity: error when attempting to update retention configuration below the minimum [GH-20078]
• core/activity: generate hyperloglogs containing clientIds for each month during precomputation [GH-16146]
• core/activity: refactor activity log api to reuse partial api functions in activity endpoint when current month is specified [GH-16162]
• core/activity: refactor the activity log's generation of precomputed queries [GH-20073]
• core/activity: use monthly hyperloglogs to calculate new clients approximation for current month [GH-16184]
• core: Activity log goroutine management improvements to allow tests to be more deterministic. [GH-17028]
• core: Limit activity log client count usage by namespaces [GH-16000]
• storage/raft: add additional raft metrics relating to applied index and heartbeating; also ensure OSS standbys emit periodic metrics. [GH-12166]
• ui: updates clients configuration edit form state based on census reporting configuration [GH-20125]

BUG FIXES:

• core/activity: add namespace breakdown for new clients when date range spans multiple months, including the current month. [GH-18766]
• core/activity: de-duplicate namespaces when historical and current month data are mixed [GH-18452]
• core/activity: fix the end_date returned from the activity log endpoint when partial counts are computed [GH-17856]
• core/activity: include mount counts when de-duplicating current and historical month data [GH-18598]
• core/activity: report mount paths (rather than mount accessors) in current month activity log counts and include deleted mount paths in precomputed queries. [GH-18916]
• core/activity: return partial month counts when querying a historical date range and no historical data exists. [GH-17935]
• core: Change where we evaluate filtered paths as part of mount operations; this is part of an enterprise bugfix that will
  have its own changelog entry. [GH-21260]
• core: Do not cache seal configuration to fix a bug that resulted in sporadic auto unseal failures. [GH-21223]
• core: Don't exit just because we think there's a potential deadlock. [GH-21342]
• core: Fix panic in sealed nodes using raft storage trying to emit raft metrics [GH-21249]
• identity: Fixes duplicate groups creation with the same name but unique IDs. [GH-20964]
• replication (enterprise): Fix a race condition with update-primary that could result in data loss after a DR failover
• replication (enterprise): Fix path filters deleting data right after it's written by backend Initialize funcs