BREAKING CHANGES:
CHANGES:
FEATURES:
env_template configuration stanza. The process-supervisor configuration can be generated with a new vault agent generate-config helper tool. [GH-20530]
vault proxy -config=config.hcl. It currently has the same feature set as Vault Agent's API proxy, but the two may diverge in the future. We plan to deprecate the API proxy functionality of Vault Agent in a future release. [GH-20548]
IMPROVEMENTS:
reload option to cert auth configuration in case of external renewals of local x509 key-pairs. [GH-19002]
remove_jwt_follows_symlinks (default: false), that, if set to true will now remove the JWT, instead of the symlink to the JWT, if a symlink to a JWT has been provided in the path option, and the remove_jwt_after_reading config option is set to true (default). [GH-18863]
/sys/internal/counters/config endpoint now contains read-only minimum_retention_months. [GH-20150]
/sys/internal/counters/config endpoint now contains read-only reporting_enabled and billing_start_timestamp fields. [GH-20086]
VAULT_PPROF_WRITE_TO_FILE=true is set on the server. [GH-20609]
OPTOUT_LICENSE_REPORTING environment variable. [GH-3939]
kv-get command for reading kv v2 data and metadata [GH-20590]
BUG FIXES:
max_page_size properly [GH-20453]
new_token forwarding is set. When this occurred, this would result in the following error to the client: error performing token check: no lease entry found for token that ought to have one, possible eventual consistency issue.
sscGenCounter resulting in 412 errors.
TypeInt64 schema field. [GH-18729]
operation_all to persist after deselecting all operation checkboxes [GH-19139]
BREAKING CHANGES:
CHANGES:
FEATURES:
IMPROVEMENTS:
/sys/internal/counters/config endpoint now contains read-only minimum_retention_months. [GH-20150]
/sys/internal/counters/config endpoint now contains read-only reporting_enabled and billing_start_timestamp fields. [GH-20086]
OPTOUT_LICENSE_REPORTING environment variable. [GH-3939]
BUG FIXES:
BREAKING CHANGES:
CHANGES:
FEATURES:
IMPROVEMENTS:
/sys/internal/counters/config endpoint now contains read-only minimum_retention_months. [GH-20150]
/sys/internal/counters/config endpoint now contains read-only reporting_enabled and billing_start_timestamp fields. [GH-20086]
OPTOUT_LICENSE_REPORTING environment variable. [GH-3939]
BUG FIXES:
CHANGES:
FEATURES:
IMPROVEMENTS:
/sys/internal/counters/config endpoint now contains read-only minimum_retention_months. [GH-20150]
/sys/internal/counters/config endpoint now contains read-only reporting_enabled and billing_start_timestamp fields. [GH-20086]
OPTOUT_LICENSE_REPORTING environment variable. [GH-3939]
BUG FIXES:
CHANGES:
FEATURES:
vault proxy -config=config.hcl. It currently has the same feature set as Vault Agent's API proxy, but the two may diverge in the future. We plan to deprecate the API proxy functionality of Vault Agent in a future release. [GH-20548]
IMPROVEMENTS:
VAULT_PPROF_WRITE_TO_FILE=true is set on the server. [GH-20609]
kv-get command for reading kv v2 data and metadata [GH-20590]
BUG FIXES:
max_page_size properly [GH-20453]
new_token forwarding is set. When this occurred, this would result in the following error to the client: error performing token check: no lease entry found for token that ought to have one, possible eventual consistency issue.
sscGenCounter resulting in 412 errors.
CHANGES:
IMPROVEMENTS:
mount_point field to audit requests and response entries [GH-20411]
VAULT_PPROF_WRITE_TO_FILE=true is set on the server. [GH-20609]
BUG FIXES:
max_page_size properly [GH-20453]
CHANGES:
IMPROVEMENTS:
mount_point field to audit requests and response entries [GH-20411]
VAULT_PPROF_WRITE_TO_FILE=true is set on the server. [GH-20609]
BUG FIXES:
max_page_size properly [GH-20453]
CHANGES:
IMPROVEMENTS:
VAULT_PPROF_WRITE_TO_FILE=true is set on the server. [GH-20609]
BUG FIXES:
max_page_size properly [GH-20453]
CHANGES:
IMPROVEMENTS:
raft sub-field to the storage and ha_storage details provided by the /sys/config/state/sanitized endpoint in order to include the max_entry_size. [GH-20044]
connection_timeout to tune connection timeout duration for all LDAP plugins. [GH-20144]
BUG FIXES:
-dev-tls flag on Windows [GH-20257]
new_token forwarding is set. When this occurred, this would result in the following error to the client: error performing token check: no lease entry found for token that ought to have one, possible eventual consistency issue.
sscGenCounter resulting in 412 errors.. [GH-19799]
CHANGES:
IMPROVEMENTS:
raft sub-field to the storage and ha_storage details provided by the /sys/config/state/sanitized endpoint in order to include the max_entry_size. [GH-20044]
connection_timeout to tune connection timeout duration for all LDAP plugins. [GH-20144]
BUG FIXES:
-dev-tls flag on Windows [GH-20257]
new_token forwarding is set. When this occurred, this would result in the following error to the client: error performing token check: no lease entry found for token that ought to have one, possible eventual consistency issue.
sscGenCounter resulting in 412 errors.. [GH-19799]
CHANGES:
IMPROVEMENTS:
raft sub-field to the storage and ha_storage details provided by the /sys/config/state/sanitized endpoint in order to include the max_entry_size. [GH-20044]
connection_timeout to tune connection timeout duration for all LDAP plugins. [GH-20144]
BUG FIXES:
new_token forwarding is set. When this occurred, this would result in the following error to the client: error performing token check: no lease entry found for token that ought to have one, possible eventual consistency issue.
sscGenCounter resulting in 412 errors.. [GH-19799]
IMPROVEMENTS:
VAULT_AUTH_CONFIG_GITHUB_TOKEN environment variable when writing Github config [GH-19244]
BUG FIXES:
password_policy has changed. [GH-19640]
IMPROVEMENTS:
VAULT_AUTH_CONFIG_GITHUB_TOKEN environment variable when writing Github config [GH-19244]
BUG FIXES:
password_policy has changed. [GH-19641]
IMPROVEMENTS:
VAULT_AUTH_CONFIG_GITHUB_TOKEN environment variable when writing Github config [GH-19244]
BUG FIXES:
CHANGES:
IMPROVEMENTS:
BUG FIXES:
sys/leases/lookup, sys/leases/revoke, and sys/leases/renew endpoints if provided lease_id is null [GH-18951]
CHANGES:
IMPROVEMENTS:
BUG FIXES:
sys/leases/lookup, sys/leases/revoke, and sys/leases/renew endpoints if provided lease_id is null [GH-18951]
CHANGES:
IMPROVEMENTS:
BUG FIXES:
sys/leases/lookup, sys/leases/revoke, and sys/leases/renew endpoints if provided lease_id is null [GH-18951]
SECURITY:
secret is unsupported by this backend will be thrown by the lease manager. [GH-18874]
CHANGES:
role field on login [GH-19005]
builtin in their metadata remain unaffected. [GH-18051]
GET /database/config/:name endpoint now returns an additional plugin_version field in the response data. [GH-16982]
GET /sys/auth/:path/tune and GET /sys/mounts/:path/tune endpoints may now return an additional plugin_version field in the response data if set. [GH-17167]
GET for /sys/auth, /sys/auth/:path, /sys/mounts, and /sys/mounts/:path paths now return additional plugin_version, running_plugin_version and running_sha256 fields in the response data for each mount. [GH-17167]
FEATURES:
sys/config/group-policy-application API, policies can be configured to apply outside of namespace hierarchy, allowing this kind of cross-namespace sharing.
IMPROVEMENTS:
token_file auto-auth configuration to allow using a pre-existing token for Vault Agent. [GH-18740]
metrics_only role, serving only metrics, as part of the listener's new top level role option. [GH-18101]
elide_list_responses option, providing a countermeasure for a common source of oversized audit log entries [GH-18128]
abort_on_error parameter to CLI login command to help in non-interactive contexts [GH-19076]
vault operator rekey prompts to describe recovery keys when -target=recovery [GH-18892]
events.alpha1 experiment. [GH-18682]
sys/loggers and sys/loggers/:name endpoints [GH-17979]
detect_deadlocks config to optionally detect core state deadlocks [GH-18604]
vault operator migrate in order to speed up a migration. [GH-18817]
sys/config/group-policy-application, to allow group policies to be configurable to apply to a group in any namespace. The default, within_namespace_hierarchy, is the current behaviour.
{mountPath} to {<type>_mount_path} [GH-18663]
vX.Y.Z+builtin or vX.Y.Z+builtin.vault. [GH-17289]
tls_server_name and tls_skip_verify parameters [GH-18799]
default_follows_latest_issuer. [GH-17824]
config/auto-tidy, config/crl, and roles/:role. [GH-18222]
retry_join_as_non_voter config option. [GH-18030]
go.opentelemetry.io/otel, go.opentelemetry.io/otel/sdk, go.opentelemetry.io/otel/trace to v1.11.2 [GH-18589]
DEPRECATIONS:
BUG FIXES:
token_bound_cidrs validation when using /32 blocks for role and secret ID [GH-18145]
-mount flag and secret key path are the same. [GH-17679]
vault secrets list -detailed output. [GH-17577]
vault server command will no longer prevent startup. Instead, a warning will be logged if configured to use storage backend other than raft or consul.
permission denied for all HelpOperations on sudo-protected paths [GH-18568]
sys/leases/lookup, sys/leases/revoke, and sys/leases/renew endpoints if provided lease_id is null [GH-18951]
partial_success_response_code on decryption failures. [GH-18310]
default and add default-service and default-batch to UI token_type for auth mount and tuning. [GH-19290]
SECURITY:
secret is unsupported by this backend will be thrown by the lease manager. [GH-18874]
CHANGES:
role field on login [GH-19005]
builtin in their metadata remain unaffected. [GH-18051]
GET /database/config/:name endpoint now returns an additional plugin_version field in the response data. [GH-16982]
GET /sys/auth/:path/tune and GET /sys/mounts/:path/tune endpoints may now return an additional plugin_version field in the response data if set. [GH-17167]
GET for /sys/auth, /sys/auth/:path, /sys/mounts, and /sys/mounts/:path paths now return additional plugin_version, running_plugin_version and running_sha256 fields in the response data for each mount. [GH-17167]
FEATURES:
IMPROVEMENTS:
token_file auto-auth configuration to allow using a pre-existing token for Vault Agent. [GH-18740]
metrics_only role, serving only metrics, as part of the listener's new top level role option. [GH-18101]
elide_list_responses option, providing a countermeasure for a common source of oversized audit log entries [GH-18128]
abort_on_error parameter to CLI login command to help in non-interactive contexts [GH-19076]
vault operator rekey prompts to describe recovery keys when -target=recovery [GH-18892]
events.alpha1 experiment. [GH-18682]
sys/loggers and sys/loggers/:name endpoints [GH-17979]
detect_deadlocks config to optionally detect core state deadlocks [GH-18604]
vault operator migrate in order to speed up a migration. [GH-18817]
sys/config/group-policy-application, to allow group policies to be configurable to apply to a group in any namespace. The default, within_namespace_hierarchy, is the current behaviour.
{mountPath} to {<type>_mount_path} [GH-18663]
vX.Y.Z+builtin or vX.Y.Z+builtin.vault. [GH-17289]
tls_server_name and tls_skip_verify parameters [GH-18799]
default_follows_latest_issuer. [GH-17824]
config/auto-tidy, config/crl, and roles/:role. [GH-18222]
retry_join_as_non_voter config option. [GH-18030]
<a> tag usage [GH-17866]
go.opentelemetry.io/otel, go.opentelemetry.io/otel/sdk, go.opentelemetry.io/otel/trace to v1.11.2 [GH-18589]
BUG FIXES:
token_bound_cidrs validation when using /32 blocks for role and secret ID [GH-18145]
-mount flag and secret key path are the same. [GH-17679]
vault secrets list -detailed output. [GH-17577]
vault server command will no longer prevent startup. Instead, a warning will be logged if configured to use storage backend other than raft or consul.
permission denied for all HelpOperations on sudo-protected paths [GH-18568]
sys/leases/lookup, sys/leases/revoke, and sys/leases/renew endpoints if provided lease_id is null [GH-18951]
partial_success_response_code on decryption failures. [GH-18310]
CHANGES:
IMPROVEMENTS:
sys/loggers and sys/loggers/:name endpoints [GH-17979]
tls_server_name and tls_skip_verify parameters [GH-18799]
BUG FIXES:
token_bound_cidrs validation when using /32 blocks for role and secret ID [GH-18145]
partial_success_response_code on decryption failures. [GH-18310]