v1.21.2
📦 vault
✨ 6 features · 🐛 11 fixes · 🔧 14 symbols
Summary
This patch release focuses heavily on stability and bug fixes across core components, replication, and the secrets-sync enterprise feature, alongside dependency updates including Go 1.25.5 and UBI 10 base images.
Migration Steps
- If using Azure secrets engine, note the plugin update to v0.25.1+ent for improved retry handling.
- If using secrets-sync enterprise and forcing deletion of a destination, be aware that orphaned secrets in the external provider will require manual cleanup.
✨ New Features
- Container images are now exported using a compressed OCI image layout.
- UBI container images are now built on the UBI 10 minimal image.
- Rotation manager queue check interval reduced from 10 seconds to 5 seconds for improved responsiveness.
- Rotation logic updated: shared path rotations now only execute on the Primary cluster's active node; local path rotations execute on the cluster-local active node.
- Rotation attempts on read-only storage are now prevented.
- Enterprise feature: Added support for a boolean force_delete flag in secrets-sync, allowing destination deletion even if associations cannot be unsynced (use with caution).
🐛 Bug Fixes
- Improved retry handling during Azure application and service principal creation in secrets/azure plugin to reduce transient failures.
- Resolved a stability issue in Vault Enterprise where a panic could occur during month-end billing activity rollover.
- HTTP: JSON limit parsing is now skipped on the cluster listener.
- Quotas: Vault now protects plugins with ResolveRole operations from panicking on quota creation.
- Fixed a rare panic during the enabling of a secondary replica with Consul storage (Enterprise).
- Fixed a bug where a performance secondary would panic if a write was made to a local mount during rotation.
- Secrets-sync (Enterprise): Improved unsync error handling by treating cases where the destination no longer exists as successful.
- Secrets-sync (Enterprise): Corrected a bug where deleting the latest KV-V2 secret version caused the associated external secret to be deleted entirely; now implements a version fallback mechanism.
- Secrets-sync (Enterprise): Fixed an issue where secrets were not properly un-synced after destination config changes.
- Secrets-sync (Enterprise): Fixed an issue where sync store deletion could be attempted when sync is disabled.
- UI/PKI: Fixed handling of values containing commas in list fields like crl_distribution_points.
🔧 Affected Symbols
- auth/oci plugin
- secrets/azure plugin
- aerospike client library
- rotation manager
- golang/x/crypto
- rotation logic
- secrets-sync (enterprise)
- secrets/pki
- activitylog (enterprise)
- http listener
- quotas
- replication (enterprise)
- Consul storage
- ui/pki