v1.14.0

1.14.0

June 21, 2023

BREAKING CHANGES:

• secrets/pki: Maintaining running count of certificates will be turned off by default.
  To re-enable keeping these metrics available on the tidy status endpoint, enable
  maintain_stored_certificate_counts on tidy-config, to also publish them to the
  metrics consumer, enable publish_stored_certificate_count_metrics . [GH-18186]

CHANGES:

• auth/alicloud: Updated plugin from v0.14.0 to v0.15.0 [GH-20758]
• auth/azure: Updated plugin from v0.13.0 to v0.15.0 [GH-20816]
• auth/centrify: Updated plugin from v0.14.0 to v0.15.1 [GH-20745]
• auth/gcp: Updated plugin from v0.15.0 to v0.16.0 [GH-20725]
• auth/jwt: Updated plugin from v0.15.0 to v0.16.0 [GH-20799]
• auth/kubernetes: Update plugin to v0.16.0 [GH-20802]
• core: Bump Go version to 1.20.5.
• core: Remove feature toggle for SSCTs, i.e. the env var VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS. [GH-20834]
• core: Revert #19676 (VAULT_GRPC_MIN_CONNECT_TIMEOUT env var) as we decided it was unnecessary. [GH-20826]
• database/couchbase: Updated plugin from v0.9.0 to v0.9.2 [GH-20764]
• database/redis-elasticache: Updated plugin from v0.2.0 to v0.2.1 [GH-20751]
• replication (enterprise): Add a new parameter for the update-primary API call
  that allows for setting of the primary cluster addresses directly, instead of
  via a token.
• secrets/ad: Updated plugin from v0.10.1-0.20230329210417-0b2cdb26cf5d to v0.16.0 [GH-20750]
• secrets/alicloud: Updated plugin from v0.5.4-beta1.0.20230330124709-3fcfc5914a22 to v0.15.0 [GH-20787]
• secrets/aure: Updated plugin from v0.15.0 to v0.16.0 [GH-20777]
• secrets/database/mongodbatlas: Updated plugin from v0.9.0 to v0.10.0 [GH-20882]
• secrets/database/snowflake: Updated plugin from v0.7.0 to v0.8.0 [GH-20807]
• secrets/gcp: Updated plugin from v0.15.0 to v0.16.0 [GH-20818]
• secrets/keymgmt: Updated plugin to v0.9.1
• secrets/kubernetes: Update plugin to v0.5.0 [GH-20802]
• secrets/mongodbatlas: Updated plugin from v0.9.1 to v0.10.0 [GH-20742]
• secrets/pki: Allow issuance of root CAs without AIA, when templated AIA information includes issuer_id. [GH-21209]
• secrets/pki: Warning when issuing leafs from CSRs with basic constraints. In the future, issuance of non-CA leaf certs from CSRs with asserted IsCA Basic Constraints will be prohibited. [GH-20654]

FEATURES:

• AWS Static Roles: The AWS Secrets Engine can manage static roles configured by users. [GH-20536]
• Automated License Utilization Reporting: Added automated license
  utilization reporting, which sends minimal product-license metering
  data
  to HashiCorp without requiring you to manually collect and report them.
• Environment Variables through Vault Agent: Introducing a new process-supervisor mode for Vault Agent which allows injecting secrets as environment variables into a child process using a new env_template configuration stanza. The process-supervisor configuration can be generated with a new vault agent generate-config helper tool. [GH-20530]
• MongoDB Atlas Database Secrets: Adds support for client certificate credentials [GH-20425]
• MongoDB Atlas Database Secrets: Adds support for generating X.509 certificates on dynamic roles for user authentication [GH-20882]
• NEW PKI Workflow in UI: Completes generally available rollout of new PKI UI that provides smoother mount configuration and a more guided user experience [GH-pki-ui-improvements]
• Secrets/Auth Plugin Multiplexing: The plugin will be multiplexed when run
  as an external plugin by vault versions that support secrets/auth plugin
  multiplexing (> 1.12) [GH-19215]
• Sidebar Navigation in UI: A new sidebar navigation panel has been added in the UI to replace the top navigation bar. [GH-19296]
• Vault PKI ACME Server: Support for the ACME certificate lifecycle management protocol has been added to the Vault PKI Plugin. This allows standard ACME clients, such as the EFF's certbot and the CNCF's k8s cert-manager, to request certificates from a Vault server with no knowledge of Vault APIs or authentication mechanisms. For public-facing Vault instances, we recommend requiring External Account Bindings (EAB) to limit the ability to request certificates to only authenticated clients. [GH-20752]
• Vault Proxy: Introduced Vault Proxy, a new subcommand of the Vault binary that can be invoked using vault proxy -config=config.hcl. It currently has the same feature set as Vault Agent's API proxy, but the two may diverge in the future. We plan to deprecate the API proxy functionality of Vault Agent in a future release. [GH-20548]
• OCI Auto-Auth: Add OCI (Oracle Cloud Infrastructure) auto-auth method [GH-19260]

IMPROVEMENTS:

• api: Add Config.TLSConfig method to fetch the TLS configuration from a client config. [GH-20265]
• physical/etcd: Upgrade etcd3 client to v3.5.7 [GH-20261]
• activitylog: EntityRecord protobufs now contain a ClientType field for
  distinguishing client sources. [GH-20626]
• agent: Add integration tests for agent running in process supervisor mode [GH-20741]
• agent: Add logic to validate env_template entries in configuration [GH-20569]
• agent: Added reload option to cert auth configuration in case of external renewals of local x509 key-pairs. [GH-19002]
• agent: JWT auto-auth has a new config option, remove_jwt_follows_symlinks (default: false), that, if set to true will now remove the JWT, instead of the symlink to the JWT, if a symlink to a JWT has been provided in the path option, and the remove_jwt_after_reading config option is set to true (default). [GH-18863]
• agent: Vault Agent now reports its name and version as part of the User-Agent header in all requests issued. [GH-19776]
• agent: initial implementation of a process runner for injecting secrets via environment variables via vault agent [GH-20628]
• api: GET ... /sys/internal/counters/activity?current_billing_period=true now
  results in a response which contains the full billing period [GH-20694]
• api: /sys/internal/counters/config endpoint now contains read-only
  minimum_retention_months. [GH-20150]
• api: /sys/internal/counters/config endpoint now contains read-only
  reporting_enabled and billing_start_timestamp fields. [GH-20086]
• api: property based testing for LifetimeWatcher sleep duration calculation [GH-17919]
• audit: add plugin metadata, including plugin name, type, version, sha256, and whether plugin is external, to audit logging [GH-19814]
• audit: forwarded requests can now contain host metadata on the node it was sent 'from' or a flag to indicate that it was forwarded.
• auth/cert: Better return OCSP validation errors during login to the caller. [GH-20234]
• auth/kerberos: Enable plugin multiplexing
  auth/kerberos: Upgrade plugin dependencies [GH-20771]
• auth/ldap: allow configuration of alias dereferencing in LDAP search [GH-18230]
• auth/ldap: allow providing the LDAP password via an env var when authenticating via the CLI [GH-18225]
• auth/oidc: Adds support for group membership parsing when using IBM ISAM as an OIDC provider. [GH-19247]
• build: Prefer GOBIN when set over GOPATH/bin when building the binary [GH-19862]
• cli: Add walkSecretsTree helper function, which recursively walks secrets rooted at the given path [GH-20464...

v1.13.4

1.13.4

June 21, 2023

BREAKING CHANGES:

• secrets/pki: Maintaining running count of certificates will be turned off by default.
  To re-enable keeping these metrics available on the tidy status endpoint, enable
  maintain_stored_certificate_counts on tidy-config, to also publish them to the
  metrics consumer, enable publish_stored_certificate_count_metrics . [GH-18186]

CHANGES:

• core: Bump Go version to 1.20.5.

FEATURES:

• Automated License Utilization Reporting: Added automated license
  utilization reporting, which sends minimal product-license metering
  data
  to HashiCorp without requiring you to manually collect and report them.
• core (enterprise): Add background worker for automatic reporting of billing
  information. [GH-19625]

IMPROVEMENTS:

• api: GET ... /sys/internal/counters/activity?current_billing_period=true now
  results in a response which contains the full billing period [GH-20694]
• api: /sys/internal/counters/config endpoint now contains read-only
  minimum_retention_months. [GH-20150]
• api: /sys/internal/counters/config endpoint now contains read-only
  reporting_enabled and billing_start_timestamp fields. [GH-20086]
• core (enterprise): add configuration for license reporting [GH-19891]
• core (enterprise): license updates trigger a reload of reporting and the activity log [GH-20680]
• core (enterprise): support reloading configuration for automated reporting via SIGHUP [GH-20680]
• core (enterprise): vault server command now allows for opt-out of automated
  reporting via the OPTOUT_LICENSE_REPORTING environment variable. [GH-3939]
• core/activity: error when attempting to update retention configuration below the minimum [GH-20078]
• core/activity: refactor the activity log's generation of precomputed queries [GH-20073]
• ui: updates clients configuration edit form state based on census reporting configuration [GH-20125]

BUG FIXES:

• agent: Fix bug with 'cache' stanza validation [GH-20934]
• core (enterprise): Don't delete backend stored data that appears to be filterable
  on this secondary if we don't have a corresponding mount entry.
• core: Change where we evaluate filtered paths as part of mount operations; this is part of an enterprise bugfix that will
  have its own changelog entry. Fix wrong lock used in ListAuths link meta interface implementation. [GH-21260]
• core: Do not cache seal configuration to fix a bug that resulted in sporadic auto unseal failures. [GH-21223]
• core: Don't exit just because we think there's a potential deadlock. [GH-21342]
• core: Fix panic in sealed nodes using raft storage trying to emit raft metrics [GH-21249]
• identity: Fixes duplicate groups creation with the same name but unique IDs. [GH-20964]
• replication (enterprise): Fix a race condition with update-primary that could result in data loss after a DR failover
• replication (enterprise): Fix path filters deleting data right after it's written by backend Initialize funcs
• replication (enterprise): Fix regression causing token creation against a role
  with a new entity alias to be incorrectly forwarded from perf standbys. [GH-21100]
• storage/raft: Fix race where new follower joining can get pruned by dead server cleanup. [GH-20986]

v1.12.8

1.12.8

June 21, 2023

BREAKING CHANGES:

• secrets/pki: Maintaining running count of certificates will be turned off by default.
  To re-enable keeping these metrics available on the tidy status endpoint, enable
  maintain_stored_certificate_counts on tidy-config, to also publish them to the
  metrics consumer, enable publish_stored_certificate_count_metrics . [GH-18186]

CHANGES:

• core: Bump Go version to 1.19.10.

FEATURES:

• Automated License Utilization Reporting: Added automated license
  utilization reporting, which sends minimal product-license metering
  data
  to HashiCorp without requiring you to manually collect and report them.
• core (enterprise): Add background worker for automatic reporting of billing
  information. [GH-19625]

IMPROVEMENTS:

• api: GET ... /sys/internal/counters/activity?current_billing_period=true now
  results in a response which contains the full billing period [GH-20694]
• api: /sys/internal/counters/config endpoint now contains read-only
  minimum_retention_months. [GH-20150]
• api: /sys/internal/counters/config endpoint now contains read-only
  reporting_enabled and billing_start_timestamp fields. [GH-20086]
• core (enterprise): add configuration for license reporting [GH-19891]
• core (enterprise): license updates trigger a reload of reporting and the activity log [GH-20680]
• core (enterprise): support reloading configuration for automated reporting via SIGHUP [GH-20680]
• core (enterprise): vault server command now allows for opt-out of automated
  reporting via the OPTOUT_LICENSE_REPORTING environment variable. [GH-3939]
• core/activity: error when attempting to update retention configuration below the minimum [GH-20078]
• core/activity: refactor the activity log's generation of precomputed queries [GH-20073]
• ui: updates clients configuration edit form state based on census reporting configuration [GH-20125]

BUG FIXES:

• core (enterprise): Don't delete backend stored data that appears to be filterable
  on this secondary if we don't have a corresponding mount entry.
• core/activity: add namespace breakdown for new clients when date range spans multiple months, including the current month. [GH-18766]
• core/activity: de-duplicate namespaces when historical and current month data are mixed [GH-18452]
• core/activity: fix the end_date returned from the activity log endpoint when partial counts are computed [GH-17856]
• core/activity: include mount counts when de-duplicating current and historical month data [GH-18598]
• core/activity: report mount paths (rather than mount accessors) in current month activity log counts and include deleted mount paths in precomputed queries. [GH-18916]
• core/activity: return partial month counts when querying a historical date range and no historical data exists. [GH-17935]
• core: Change where we evaluate filtered paths as part of mount operations; this is part of an enterprise bugfix that will
  have its own changelog entry. Fix wrong lock used in ListAuths link meta interface implementation. [GH-21260]
• core: Do not cache seal configuration to fix a bug that resulted in sporadic auto unseal failures. [GH-21223]
• core: Don't exit just because we think there's a potential deadlock. [GH-21342]
• core: Fix panic in sealed nodes using raft storage trying to emit raft metrics [GH-21249]
• identity: Fixes duplicate groups creation with the same name but unique IDs. [GH-20964]
• replication (enterprise): Fix a race condition with update-primary that could result in data loss after a DR failover
• replication (enterprise): Fix path filters deleting data right after it's written by backend Initialize funcs
• storage/raft: Fix race where new follower joining can get pruned by dead server cleanup. [GH-20986]

v1.11.12

1.11.12

June 21, 2023

CHANGES:

• core: Bump Go version to 1.19.10.
• licensing (enterprise): Terminated licenses will no longer result in shutdown. Instead, upgrades
  will not be allowed if the license termination time is before the build date of the binary.

FEATURES:

• Automated License Utilization Reporting: Added automated license
  utilization reporting, which sends minimal product-license metering
  data
  to HashiCorp without requiring you to manually collect and report them.
• core (enterprise): Add background worker for automatic reporting of billing
  information. [GH-19625]

IMPROVEMENTS:

• api: GET ... /sys/internal/counters/activity?current_billing_period=true now
  results in a response which contains the full billing period [GH-20694]
• api: /sys/internal/counters/config endpoint now contains read-only
  minimum_retention_months. [GH-20150]
• api: /sys/internal/counters/config endpoint now contains read-only
  reporting_enabled and billing_start_timestamp fields. [GH-20086]
• core (enterprise): add configuration for license reporting [GH-19891]
• core (enterprise): license updates trigger a reload of reporting and the activity log [GH-20680]
• core (enterprise): support reloading configuration for automated reporting via SIGHUP [GH-20680]
• core (enterprise): vault server command now allows for opt-out of automated
  reporting via the OPTOUT_LICENSE_REPORTING environment variable. [GH-3939]
• core/activity: error when attempting to update retention configuration below the minimum [GH-20078]
• core/activity: generate hyperloglogs containing clientIds for each month during precomputation [GH-16146]
• core/activity: refactor activity log api to reuse partial api functions in activity endpoint when current month is specified [GH-16162]
• core/activity: refactor the activity log's generation of precomputed queries [GH-20073]
• core/activity: use monthly hyperloglogs to calculate new clients approximation for current month [GH-16184]
• core: Activity log goroutine management improvements to allow tests to be more deterministic. [GH-17028]
• core: Limit activity log client count usage by namespaces [GH-16000]
• storage/raft: add additional raft metrics relating to applied index and heartbeating; also ensure OSS standbys emit periodic metrics. [GH-12166]
• ui: updates clients configuration edit form state based on census reporting configuration [GH-20125]

BUG FIXES:

• core/activity: add namespace breakdown for new clients when date range spans multiple months, including the current month. [GH-18766]
• core/activity: de-duplicate namespaces when historical and current month data are mixed [GH-18452]
• core/activity: fix the end_date returned from the activity log endpoint when partial counts are computed [GH-17856]
• core/activity: include mount counts when de-duplicating current and historical month data [GH-18598]
• core/activity: report mount paths (rather than mount accessors) in current month activity log counts and include deleted mount paths in precomputed queries. [GH-18916]
• core/activity: return partial month counts when querying a historical date range and no historical data exists. [GH-17935]
• core: Change where we evaluate filtered paths as part of mount operations; this is part of an enterprise bugfix that will
  have its own changelog entry. [GH-21260]
• core: Do not cache seal configuration to fix a bug that resulted in sporadic auto unseal failures. [GH-21223]
• core: Don't exit just because we think there's a potential deadlock. [GH-21342]
• core: Fix panic in sealed nodes using raft storage trying to emit raft metrics [GH-21249]
• identity: Fixes duplicate groups creation with the same name but unique IDs. [GH-20964]
• replication (enterprise): Fix a race condition with update-primary that could result in data loss after a DR failover
• replication (enterprise): Fix path filters deleting data right after it's written by backend Initialize funcs

v1.14.0-rc1

1.14.0-rc1

June 08, 2023

CHANGES:

• auth/alicloud: Updated plugin from v0.14.0 to v0.15.0 [GH-20758]
• auth/azure: Updated plugin from v0.13.0 to v0.15.0 [GH-20816]
• auth/centrify: Updated plugin from v0.14.0 to v0.15.1 [GH-20745]
• auth/gcp: Updated plugin from v0.15.0 to v0.16.0 [GH-20725]
• auth/jwt: Updated plugin from v0.15.0 to v0.16.0 [GH-20799]
• auth/kubernetes: Update plugin to v0.16.0 [GH-20802]
• core: Bump Go version to 1.20.4.
• core: Remove feature toggle for SSCTs, i.e. the env var VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS. [GH-20834]
• core: Revert #19676 (VAULT_GRPC_MIN_CONNECT_TIMEOUT env var) as we decided it was unnecessary. [GH-20826]
• database/couchbase: Updated plugin from v0.9.0 to v0.9.2 [GH-20764]
• database/redis-elasticache: Updated plugin from v0.2.0 to v0.2.1 [GH-20751]
• replication (enterprise): Add a new parameter for the update-primary API call
  that allows for setting of the primary cluster addresses directly, instead of
  via a token.
• secrets/ad: Updated plugin from v0.10.1-0.20230329210417-0b2cdb26cf5d to v0.16.0 [GH-20750]
• secrets/alicloud: Updated plugin from v0.5.4-beta1.0.20230330124709-3fcfc5914a22 to v0.15.0 [GH-20787]
• secrets/aure: Updated plugin from v0.15.0 to v0.16.0 [GH-20777]
• secrets/database/mongodbatlas: Updated plugin from v0.9.0 to v0.10.0 [GH-20882]
• secrets/database/snowflake: Updated plugin from v0.7.0 to v0.8.0 [GH-20807]
• secrets/gcp: Updated plugin from v0.15.0 to v0.16.0 [GH-20818]
• secrets/keymgmt: Updated plugin to v0.9.1
• secrets/kubernetes: Update plugin to v0.5.0 [GH-20802]
• secrets/mongodbatlas: Updated plugin from v0.9.1 to v0.10.0 [GH-20742]
• secrets/pki: Warning when issuing leafs from CSRs with basic constraints. In the future, issuance of non-CA leaf certs from CSRs with asserted IsCA Basic Constraints will be prohibited. [GH-20654]

FEATURES:

• AWS Static Roles: The AWS Secrets Engine can manage static roles configured by users. [GH-20536]
• Automated License Utilization Reporting: Added automated license
  utilization reporting, which sends minimal product-license metering
  data
  to HashiCorp without requiring you to manually collect and report them.
• MongoDB Atlas Database Secrets: Adds support for generating X.509 certificates on dynamic roles for user authentication [GH-20882]
• NEW PKI Workflow in UI: Completes generally available rollout of new PKI UI that provides smoother mount configuration and a more guided user experience [GH-pki-ui-improvements]
• Vault PKI ACME Server: Support for the ACME certificate lifecycle management protocol has been added to the Vault PKI Plugin. This allows standard ACME clients, such as the EFF's certbot and the CNCF's k8s cert-manager, to request certificates from a Vault server with no knowledge of Vault APIs or authentication mechanisms. For public-facing Vault instances, we recommend requiring External Account Bindings (EAB) to limit the ability to request certificates to only authenticated clients. [GH-20752]
• Vault Proxy: Introduced Vault Proxy, a new subcommand of the Vault binary that can be invoked using vault proxy -config=config.hcl. It currently has the same feature set as Vault Agent's API proxy, but the two may diverge in the future. We plan to deprecate the API proxy functionality of Vault Agent in a future release. [GH-20548]
• cli: Add 'agent generate-config' sub-command [GH-20530]
• Sidebar Navigation in UI: A new sidebar navigation panel has been added in the UI to replace the top navigation bar.

IMPROVEMENTS:

• activitylog: EntityRecord protobufs now contain a ClientType field for
  distinguishing client sources. [GH-20626]
• agent: Add integration tests for agent running in process supervisor mode [GH-20741]
• agent: Add logic to validate env_template entries in configuration [GH-20569]
• agent: initial implementation of a process runner for injecting secrets via environment variables via vault agent [GH-20628]
• api: GET ... /sys/internal/counters/activity?current_billing_period=true now
  results in a response which contains the full billing period [GH-20694]
• audit: forwarded requests can now contain host metadata on the node it was sent 'from' or a flag to indicate that it was forwarded.
• auth/kerberos: Enable plugin multiplexing
  auth/kerberos: Upgrade plugin dependencies [GH-20771]
• command/server (enterprise): -dev-three-node now creates perf standbys instead of regular standbys. [GH-20629]
• command/server: Add support for dumping pprof files to the filesystem via SIGUSR2 when
  VAULT_PPROF_WRITE_TO_FILE=true is set on the server. [GH-20609]
• core (enterprise): license updates trigger a reload of reporting and the activity log [GH-20680]
• core (enterprise): support reloading configuration for automated reporting via SIGHUP [GH-20680]
• core, secrets/pki, audit: Update dependency go-jose to v3 due to v2 deprecation. [GH-20559]
• core: Add possibility to decode a generated encoded root token via the rest API [GH-20595]
• core: include namespace path in granting_policies block of audit log
• core: include reason for ErrReadOnly on PBPWF writing failures
• core: report intermediate error messages during request forwarding [GH-20643]
• database/elasticsearch: Upgrade plugin dependencies [GH-20767]
• database/redis: Upgrade plugin dependencies [GH-20763]
• sdk/framework: Fix non-deterministic ordering of 'required' fields in OpenAPI spec [GH-20881]
• secrets/consul: Improve error message when ACL bootstrapping fails. [GH-20891]
• secrets/gcpkms: Enable plugin multiplexing
  secrets/gcpkms: Upgrade plugin dependencies [GH-20784]
• secrets/pki: add subject key identifier to read key response [GH-20642]
• secrets/transit: Respond to writes with updated key policy, cache configuration. [GH-20652]
• secrets/transit: Support BYOK-encrypted export of keys to securely allow synchronizing specific keys and version across clusters. [GH-20736]
• ui: Add filtering by auth type and auth name to the Authentication Method list view. [GH-20747]
• ui: Update Web CLI with examples and a new kv-get command for reading kv v2 data and metadata [GH-20590]

BUG FIXES:

• agent: Fix bug with 'cache' stanza validation [GH-20934]
• api: Properly Handle nil identity_policies in Secret Data [GH-20636]
• auth/ldap: Set default value for max_page_size properly [GH-20453]
• core (enterprise): Fix intermittent issue with token entries sometimes not being found when using a newly created token in a request to a secondary, even when SSCT new_token forwarding is set. When this occurred, this would result in the following error to the client: error performing token check: no lease entry found for token that ought to have one, possible eventual consistency issue.
• core (enterprise): Fix log shipper buffer size overflow issue for 32 bit architecture.
• core (enterprise): Fix logshipper buffer size to default to DefaultBufferSize only when reported system memory is zero.
• core (enterprise): Fix panic when using invalid accessor for control-group request
• core (enterprise): Fix perf standby WAL streaming silently failures when replication setup happens at a bad time.
• core (enterprise): Fix read on perf standbys failing with 412 after leadership change, unseal, restores or restarts when no writes occur
• core (en...

v1.13.3

1.13.3

June 08, 2023

CHANGES:

• core: Bump Go version to 1.20.4.
• core: Revert #19676 (VAULT_GRPC_MIN_CONNECT_TIMEOUT env var) as we decided it was unnecessary. [GH-20826]
• replication (enterprise): Add a new parameter for the update-primary API call
  that allows for setting of the primary cluster addresses directly, instead of
  via a token.
• storage/aerospike: Aerospike storage shouldn't be used on 32-bit architectures and is now unsupported on them. [GH-20825]

IMPROVEMENTS:

• Add debug symbols back to builds to fix Dynatrace support [GH-20519]
• audit: add a mount_point field to audit requests and response entries [GH-20411]
• autopilot: Update version to v0.2.0 to add better support for respecting min quorum [GH-19472]
• command/server: Add support for dumping pprof files to the filesystem via SIGUSR2 when
  VAULT_PPROF_WRITE_TO_FILE=true is set on the server. [GH-20609]
• core: Add possibility to decode a generated encoded root token via the rest API [GH-20595]
• core: include namespace path in granting_policies block of audit log
• core: report intermediate error messages during request forwarding [GH-20643]
• openapi: Fix generated types for duration strings [GH-20841]
• sdk/framework: Fix non-deterministic ordering of 'required' fields in OpenAPI spec [GH-20881]
• secrets/pki: add subject key identifier to read key response [GH-20642]

BUG FIXES:

• api: Properly Handle nil identity_policies in Secret Data [GH-20636]
• auth/ldap: Set default value for max_page_size properly [GH-20453]
• cli: CLI should take days as a unit of time for ttl like flags [GH-20477]
• cli: disable printing flags warnings messages for the ssh command [GH-20502]
• command/server: fixes panic in Vault server command when running in recovery mode [GH-20418]
• core (enterprise): Fix log shipper buffer size overflow issue for 32 bit architecture.
• core (enterprise): Fix logshipper buffer size to default to DefaultBufferSize only when reported system memory is zero.
• core (enterprise): Remove MFA Enforcment configuration for namespace when deleting namespace
• core/identity: Allow updates of only the custom-metadata for entity alias. [GH-20368]
• core: Fix Forwarded Writer construction to correctly find active nodes, allowing PKI cross-cluster functionality to succeed on existing mounts.
• core: Fix writes to readonly storage on performance standbys when user lockout feature is enabled. [GH-20783]
• core: prevent panic on login after namespace is deleted that had mfa enforcement [GH-20375]
• replication (enterprise): Fix a race condition with invalid tokens during WAL streaming that was causing Secondary clusters to be unable to connect to a Primary.
• replication (enterprise): fix bug where secondary grpc connections would timeout when connecting to a primary host that no longer exists.
• secrets/pki: Include per-issuer enable_aia_url_templating in issuer read endpoint. [GH-20354]
• secrets/transform (enterprise): Fix a caching bug affecting secondary nodes after a tokenization key rotation
• secrets/transform: Added importing of keys and key versions into the Transform secrets engine using the command 'vault transform import' and 'vault transform import-version'. [GH-20668]
• secrets/transit: Fix export of HMAC-only key, correctly exporting the key used for sign operations. For consumers of the previously incorrect key, use the plaintext export to retrieve these incorrect keys and import them as new versions.
  secrets/transit: Fix bug related to shorter dedicated HMAC key sizing.
  sdk/helper/keysutil: New HMAC type policies will have HMACKey equal to Key and be copied over on import. [GH-20864]
• ui: Fixes issue unsealing cluster for seal types other than shamir [GH-20897]
• ui: fixes issue creating mfa login enforcement from method enforcements tab [GH-20603]
• ui: fixes key_bits and signature_bits reverting to default values when editing a pki role [GH-20907]

v1.12.7

1.12.7

June 08, 2023

CHANGES:

• core: Bump Go version to 1.19.9.
• core: Revert #19676 (VAULT_GRPC_MIN_CONNECT_TIMEOUT env var) as we decided it was unnecessary. [GH-20826]

IMPROVEMENTS:

• audit: add a mount_point field to audit requests and response entries [GH-20411]
• command/server: Add support for dumping pprof files to the filesystem via SIGUSR2 when
  VAULT_PPROF_WRITE_TO_FILE=true is set on the server. [GH-20609]
• core: include namespace path in granting_policies block of audit log
• openapi: Fix generated types for duration strings [GH-20841]
• sdk/framework: Fix non-deterministic ordering of 'required' fields in OpenAPI spec [GH-20881]
• secrets/pki: add subject key identifier to read key response [GH-20642]
• ui: update TTL picker for consistency [GH-18114]

BUG FIXES:

• api: Properly Handle nil identity_policies in Secret Data [GH-20636]
• auth/ldap: Set default value for max_page_size properly [GH-20453]
• cli: CLI should take days as a unit of time for ttl like flags [GH-20477]
• cli: disable printing flags warnings messages for the ssh command [GH-20502]
• core (enterprise): Fix log shipper buffer size overflow issue for 32 bit architecture.
• core (enterprise): Fix logshipper buffer size to default to DefaultBufferSize only when reported system memory is zero.
• core (enterprise): Remove MFA Enforcment configuration for namespace when deleting namespace
• core: prevent panic on login after namespace is deleted that had mfa enforcement [GH-20375]
• replication (enterprise): Fix a race condition with invalid tokens during WAL streaming that was causing Secondary clusters to be unable to connect to a Primary.
• replication (enterprise): fix bug where secondary grpc connections would timeout when connecting to a primary host that no longer exists.
• secrets/transform (enterprise): Fix a caching bug affecting secondary nodes after a tokenization key rotation
• secrets/transit: Fix export of HMAC-only key, correctly exporting the key used for sign operations. For consumers of the previously incorrect key, use the plaintext export to retrieve these incorrect keys and import them as new versions.
  secrets/transit: Fix bug related to shorter dedicated HMAC key sizing.
  sdk/helper/keysutil: New HMAC type policies will have HMACKey equal to Key and be copied over on import. [GH-20864]
• ui: Fixes issue unsealing cluster for seal types other than shamir [GH-20897]

v1.11.11

1.11.11

June 08, 2023

CHANGES:

• core: Bump Go version to 1.19.9.
• core: Revert #19676 (VAULT_GRPC_MIN_CONNECT_TIMEOUT env var) as we decided it was unnecessary. [GH-20826]

IMPROVEMENTS:

• command/server: Add support for dumping pprof files to the filesystem via SIGUSR2 when
  VAULT_PPROF_WRITE_TO_FILE=true is set on the server. [GH-20609]
• secrets/pki: add subject key identifier to read key response [GH-20642]
• ui: update TTL picker for consistency [GH-18114]

BUG FIXES:

• api: Properly Handle nil identity_policies in Secret Data [GH-20636]
• auth/ldap: Set default value for max_page_size properly [GH-20453]
• cli: CLI should take days as a unit of time for ttl like flags [GH-20477]
• core (enterprise): Fix log shipper buffer size overflow issue for 32 bit architecture.
• core (enterprise): Fix logshipper buffer size to default to DefaultBufferSize only when reported system memory is zero.
• core (enterprise): Remove MFA Enforcment configuration for namespace when deleting namespace
• core: prevent panic on login after namespace is deleted that had mfa enforcement [GH-20375]
• replication (enterprise): Fix a race condition with invalid tokens during WAL streaming that was causing Secondary clusters to be unable to connect to a Primary.
• replication (enterprise): fix bug where secondary grpc connections would timeout when connecting to a primary host that no longer exists.
• secrets/transform (enterprise): Fix a caching bug affecting secondary nodes after a tokenization key rotation

v1.13.2

1.13.2

April 26, 2023

CHANGES:

• core: Bump Go version to 1.20.3.

IMPROVEMENTS:

• Add debug symbols back to builds to fix Dynatrace support [GH-20294]
• cli/namespace: Add detailed flag to output additional namespace information
  such as namespace IDs and custom metadata. [GH-20243]
• core/activity: add an endpoint to write test activity log data, guarded by a build flag [GH-20019]
• core: Add a raft sub-field to the storage and ha_storage details provided by the
  /sys/config/state/sanitized endpoint in order to include the max_entry_size. [GH-20044]
• core: include reason for ErrReadOnly on PBPWF writing failures
• sdk/ldaputil: added connection_timeout to tune connection timeout duration
  for all LDAP plugins. [GH-20144]
• secrets/pki: Decrease size and improve compatibility of OCSP responses by removing issuer certificate. [GH-20201]
• sys/wrapping: Add example how to unwrap without authentication in Vault [GH-20109]
• ui: Allows license-banners to be dismissed. Saves preferences in localStorage. [GH-19116]

BUG FIXES:

• auth/ldap: Add max_page_size configurable to LDAP configuration [GH-19032]
• command/server: Fix incorrect paths in generated config for -dev-tls flag on Windows [GH-20257]
• core (enterprise): Fix intermittent issue with token entries sometimes not being found when using a newly created token in a request to a secondary, even when SSCT new_token forwarding is set. When this occurred, this would result in the following error to the client: error performing token check: no lease entry found for token that ought to have one, possible eventual consistency issue.
• core (enterprise): Fix read on perf standbys failing with 412 after leadership change, unseal, restores or restarts when no writes occur
• core/seal: Fix handling of HMACing of seal-wrapped storage entries from HSMs using CKM_AES_CBC or CKM_AES_CBC_PAD.
• core/ssct (enterprise): Fixed race condition where a newly promoted DR may revert sscGenCounter
  resulting in 412 errors.
• core: Fix regression breaking non-raft clusters whose nodes share the same cluster_addr/api_addr. [GH-19721]
• helper/random: Fix race condition in string generator helper [GH-19875]
• kmip (enterprise): Fix a problem decrypting with keys that have no Process Start Date attribute.
• pki: Fix automatically turning off CRL signing on upgrade to Vault >= 1.12, if CA Key Usage disallows it [GH-20220]
• replication (enterprise): Fix a caching issue when replicating filtered data to
  a performance secondary. This resulted in the data being set to nil in the cache
  and a "invalid value" error being returned from the API.
• replication (enterprise): Fix replication status for Primary clusters showing its primary cluster's information (in case of DR) in secondaries field when known_secondaries field is nil
• sdk/helper/ocsp: Workaround bug in Go's ocsp.ParseResponse(...), causing validation to fail with embedded CA certificates.
  auth/cert: Fix OCSP validation against Vault's PKI engine. [GH-20181]
• secrets/aws: Revert changes that removed the lease on STS credentials, while leaving the new ttl field in place. [GH-20034]
• secrets/pki: Ensure cross-cluster delta WAL write failure only logs to avoid unattended forwarding. [GH-20057]
• secrets/pki: Fix building of unified delta CRLs and recovery during unified delta WAL write failures. [GH-20058]
• secrets/pki: Fix patching of leaf_not_after_behavior on issuers. [GH-20341]
• secrets/transform (enterprise): Address SQL connection leak when cleaning expired tokens
• ui: Fix OIDC provider logo showing when domain doesn't match [GH-20263]
• ui: Fix bad link to namespace when namespace name includes . [GH-19799]
• ui: fixes browser console formatting for help command output [GH-20064]
• ui: fixes remaining doc links to include /vault in path [GH-20070]
• ui: remove use of htmlSafe except when first sanitized [GH-20235]
• website/docs: Fix Kubernetes Auth Code Example to use the correct whitespace in import. [GH-20216]

v1.12.6

1.12.6

April 26, 2023

CHANGES:

• core: Bump Go version to 1.19.8.

IMPROVEMENTS:

• cli/namespace: Add detailed flag to output additional namespace information
  such as namespace IDs and custom metadata. [GH-20243]
• core/activity: add an endpoint to write test activity log data, guarded by a build flag [GH-20019]
• core: Add a raft sub-field to the storage and ha_storage details provided by the
  /sys/config/state/sanitized endpoint in order to include the max_entry_size. [GH-20044]
• sdk/ldaputil: added connection_timeout to tune connection timeout duration
  for all LDAP plugins. [GH-20144]
• secrets/pki: Decrease size and improve compatibility of OCSP responses by removing issuer certificate. [GH-20201]

BUG FIXES:

• auth/ldap: Add max_page_size configurable to LDAP configuration [GH-19032]
• command/server: Fix incorrect paths in generated config for -dev-tls flag on Windows [GH-20257]
• core (enterprise): Fix intermittent issue with token entries sometimes not being found when using a newly created token in a request to a secondary, even when SSCT new_token forwarding is set. When this occurred, this would result in the following error to the client: error performing token check: no lease entry found for token that ought to have one, possible eventual consistency issue.
• core (enterprise): Fix read on perf standbys failing with 412 after leadership change, unseal, restores or restarts when no writes occur
• core/ssct (enterprise): Fixed race condition where a newly promoted DR may revert sscGenCounter
  resulting in 412 errors.
• core: Fix regression breaking non-raft clusters whose nodes share the same cluster_addr/api_addr. [GH-19721]
• helper/random: Fix race condition in string generator helper [GH-19875]
• kmip (enterprise): Fix a problem decrypting with keys that have no Process Start Date attribute.
• openapi: Fix many incorrect details in generated API spec, by using better techniques to parse path regexps [GH-18554]
• pki: Fix automatically turning off CRL signing on upgrade to Vault >= 1.12, if CA Key Usage disallows it [GH-20220]
• replication (enterprise): Fix a caching issue when replicating filtered data to
  a performance secondary. This resulted in the data being set to nil in the cache
  and a "invalid value" error being returned from the API.
• replication (enterprise): Fix replication status for Primary clusters showing its primary cluster's information (in case of DR) in secondaries field when known_secondaries field is nil
• secrets/pki: Fix patching of leaf_not_after_behavior on issuers. [GH-20341]
• secrets/transform (enterprise): Address SQL connection leak when cleaning expired tokens
• ui: Fix OIDC provider logo showing when domain doesn't match [GH-20263]
• ui: Fix bad link to namespace when namespace name includes . [GH-19799]
• ui: fixes browser console formatting for help command output [GH-20064]
• ui: remove use of htmlSafe except when first sanitized [GH-20235]