v1.19.0-rc1
📦 vault
⚠️ 2 breaking · ✨ 9 features · 🐛 1 fix · ⚡ 1 deprecation · 🔧 34 symbols
Summary
This release introduces Automated Root Rotation capabilities for several plugins (Enterprise only) and enhances HA status reporting via sys/health. It also tightens security by enforcing PKI issuer constraints and updating several bundled plugins.
⚠️ Breaking Changes
- auth/ldap: An error will now be returned on login if the number of entries returned from the user DN LDAP search is more than one. Previously, this might have succeeded or returned a warning.
- secrets/aws: The AWS Secrets engine now persists entries to storage between writes. To zero out a previously configured value on an update, users must now explicitly set the field to its zero value.
Migration Steps
- If you rely on LDAP authentication returning warnings instead of errors for multi-entry searches, update your client logic to handle the new error.
- When updating AWS secrets engine configurations, if you need to clear a previously set field, you must now explicitly set that field to its zero value.
- If you are using the PKI secrets engine, review the new issuer constraint enforcement behavior for issuing/signing certificates.
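The relying-party side of the PKI change, as an added example written for this page (not Vault's code): a Go program using only crypto/x509 that builds a hypothetical issuer constrained to the DNS zone corp.example and to the TLS-server EKU, signs three leaves the way an issuer that ignores its own constraints would (CreateCertificate never consults the parent's constraints), and then verifies each leaf against the issuer. The names (Example Issuing CA, corp.example, web.evil.example, vpn.corp.example) are constructed sample data. The two leaves the verifier rejects fall into the classes the release note says Vault now refuses at issuance or signing time, so the practical effect of the change is that the failure moves from the client's TLS handshake back to the issuing request, where the operator sees it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// newIssuer returns a self-signed CA carrying the two constraint extensions the
// release note names: an EKU list and DNS name constraints. The CN is sample data.
func newIssuer(permittedDNS []string, ekus []x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:                big.NewInt(1),
		Subject:                     pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore:                   time.Now().Add(-time.Hour),
		NotAfter:                    time.Now().Add(24 * time.Hour),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtKeyUsage:                 ekus,
		PermittedDNSDomainsCritical: true,
		PermittedDNSDomains:         permittedDNS,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// signLeaf signs a leaf without consulting the CA's own constraints: this is the
// unconstrained-issuer behaviour, since CreateCertificate does not check them.
func signLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &mustKey().PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkAgainstIssuer is the relying-party check: chain building applies the
// issuer's name constraints and EKU list to the leaf, plus the issuer/subject link.
func checkAgainstIssuer(leaf, ca *x509.Certificate, usage x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   leaf.DNSNames[0],
		KeyUsages: []x509.ExtKeyUsage{usage},
	})
	return err
}

// invalidReason exposes the x509 reason code so callers can act on it.
func invalidReason(err error) (x509.InvalidReason, bool) {
	var cie x509.CertificateInvalidError
	if errors.As(err, &cie) {
		return cie.Reason, true
	}
	return 0, false
}

func main() {
	ca, caKey, err := newIssuer([]string{"corp.example"}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	if err != nil {
		panic(err)
	}
	cases := []struct {
		name string
		eku  x509.ExtKeyUsage
	}{
		{"web.corp.example", x509.ExtKeyUsageServerAuth}, // inside both constraints: verifies
		{"web.evil.example", x509.ExtKeyUsageServerAuth}, // violates the DNS name constraint
		{"vpn.corp.example", x509.ExtKeyUsageClientAuth}, // EKU the issuer is not allowed to grant
	}
	for _, c := range cases {
		leaf, err := signLeaf(ca, caKey, c.name, []x509.ExtKeyUsage{c.eku})
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-18s verify: %v\n", c.name, checkAgainstIssuer(leaf, ca, c.eku))
	}
}
```

If an existing role issues names outside an issuer's permitted subtrees, or EKUs the issuer certificate does not list, those requests start failing after upgrade; the fix is to re-issue the intermediate with the constraints you actually need rather than to loosen the role.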
✨ New Features
- Add to sys/health whether the node has been removed from the HA cluster. If the node has been removed, return code 530 by default or the value of the `removedcode` query parameter.
- Add to sys/health whether the standby node has been able to successfully send heartbeats to the active node and the time in milliseconds since the last heartbeat. If the standby has been unable to send a heartbeat, return code 474 by default or the value of the `haunhealthycode` query parameter.
- AWS Secrets Cross-Account Management Support (enterprise): Add support for cross-account management of static roles in AWS secrets engine.
- Automated Root Rotation: A schedule or TTL can be defined for automated rotation of the root credential.
- Automated Root Rotation: Adds Automated Root Rotation capabilities to the AWS Auth and AWS Secrets plugins. This allows plugin users to automate their root credential rotations based on configurable schedules/periods via the Rotation Manager. Note: Enterprise only.
- Automated Root Rotation: Adds Automated Root Rotation capabilities to the DB Secrets plugin. This allows plugin users to automate their root credential rotations based on configurable schedules/periods via the Rotation Manager. Note: Enterprise only.
- KMIP (enterprise): RSA key generation now enforces a minimum key size of 2048 bits.
- PKI secrets engine: Enforce the issuer constraint extensions (extended key usage, name constraints, issuer name) when issuing or signing leaf certificates.
- Server configuration values that include IPv6 addresses are automatically normalized and displayed in the canonical text form of RFC 5952 §4.
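A health-check probe that understands the two new sys/health codes, as an added example written for this page rather than code from Vault: a Go program with a probe that builds the sys/health URL with the override query parameters, classifies the response by status code, and decides whether the node may stay in a load-balancer pool. Because the verifier runs offline, the Vault node is a constructed stand-in (FakeNode) served by httptest; it honours removedcode, haunhealthycode, standbyok and standbycode as the notes above describe and assumes that the heartbeat check takes precedence over standbyok, which is an assumption about ordering, not something the notes state. The base URL https://vault.example:8200 and the older default codes in the table (200, 429, 472, 473, 501, 503) are Vault's documented defaults, not new in this release.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strconv"
)

// Verdict is what a probe hands to the load balancer or monitor.
type Verdict struct {
	Status int    // raw HTTP status from sys/health
	State  string // meaning under the default code table; unreliable once codes are overridden
	InPool bool   // true only when the node should receive client traffic
}

// Default sys/health status codes. 474 and 530 are the two introduced in
// v1.19.0; the others are the long-standing defaults.
var healthStates = map[int]string{
	200: "initialized, unsealed, active",
	429: "unsealed standby",
	472: "DR secondary",
	473: "performance standby",
	474: "standby that cannot send heartbeats to the active node",
	501: "not initialized",
	503: "sealed",
	530: "removed from the HA cluster",
}

// HealthURL appends override query parameters (standbyok, removedcode,
// haunhealthycode, ...) to base, e.g. "https://vault.example:8200" (assumed host).
func HealthURL(base string, overrides map[string]string) string {
	q := url.Values{}
	for k, v := range overrides {
		q.Set(k, v)
	}
	u := base + "/v1/sys/health"
	if len(q) > 0 {
		u += "?" + q.Encode()
	}
	return u
}

// Probe issues the request and decides on the status code alone. Only 200 keeps
// a node in rotation; 474 and 530 pull it exactly like any other non-200 code.
func Probe(ctx context.Context, client *http.Client, probeURL string) (Verdict, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, probeURL, nil)
	if err != nil {
		return Verdict{}, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return Verdict{}, err
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body) // body is informational; the decision is the status
	return Verdict{Status: resp.StatusCode, State: healthStates[resp.StatusCode], InPool: resp.StatusCode == http.StatusOK}, nil
}

// FakeNode is a constructed stand-in for one node's sys/health handler, not
// Vault's implementation; it models only the cases the release notes describe.
type FakeNode struct {
	Standby, Removed, HAUnhealthy bool
}

func (n FakeNode) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	codeOr := func(param string, def int) int { // honour a caller-chosen code
		if v, err := strconv.Atoi(q.Get(param)); err == nil {
			return v
		}
		return def
	}
	code := http.StatusOK
	switch {
	case n.Removed:
		code = codeOr("removedcode", 530)
	case n.Standby && n.HAUnhealthy: // assumed to win over standbyok
		code = codeOr("haunhealthycode", 474)
	case n.Standby && q.Get("standbyok") != "true":
		code = codeOr("standbycode", 429)
	}
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(code)
	_ = json.NewEncoder(w).Encode(map[string]interface{}{"initialized": true, "sealed": false, "standby": n.Standby})
}

func main() {
	node := httptest.NewServer(FakeNode{Standby: true, HAUnhealthy: true})
	defer node.Close()
	for _, o := range []map[string]string{nil, {"standbyok": "true", "haunhealthycode": "503"}} {
		v, err := Probe(context.Background(), node.Client(), HealthURL(node.URL, o))
		if err != nil {
			fmt.Println("probe failed:", err)
			continue
		}
		fmt.Printf("%v -> %d %q in pool=%v\n", o, v.Status, v.State, v.InPool)
	}
}
```

Override the codes only when the checker in front of Vault cannot be taught new ones; mapping 474 and 530 onto 503 makes a removed node or a heartbeat-starved standby indistinguishable from a sealed one in your monitoring.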
🐛 Bug Fixes
- UI: Partially reverts #20431 and removes ability to download unencrypted kv v2 secret data.
🔧 Affected Symbols
- sys/health
- auth/ldap
- secrets/aws
- kmip
- secrets/pki
- raft/snapshotagent
- auth/alicloud
- auth/azure
- auth/cf
- auth/gcp
- auth/jwt
- auth/kerberos
- auth/kubernetes
- auth/oci
- database/couchbase
- database/elasticsearch
- database/mongodbatlas
- database/redis-elasticache
- database/redis
- database/snowflake
- core
- sys/storage/raft/join
- secrets/ad
- secrets/alicloud
- secrets/azure
- secrets/gcp
- secrets/gcpkms
- secrets/kubernetes
- secrets/kv
- secrets/mongodbatlas
- secrets/openldap
- secrets/terraform
- storage/raft
- ui
⚡ Deprecations
- auth/ldap: Authentication warnings are no longer returned to the client.