database/snowflake: Update plugin to v0.9.0 [GH-22516]
IMPROVEMENTS:
auto-auth/azure: Added Azure Workload Identity Federation support to auto-auth (for Vault Agent and Vault Proxy). [GH-22264]
core: Log rollback manager failures during unmount, remount to prevent replication failures on secondary clusters. [GH-22235]
kmip (enterprise): Add namespace lock and unlock support [GH-21925]
replication (enterprise): Make reindex less disruptive by allowing writes during the flush phase.
secrets/database: Improves error logging for static role rotations by including the database and role names. [GH-22253]
storage/raft: Cap the minimum dead_server_last_contact_threshold to 1m. [GH-22040]
ui: KV View Secret card will link to list view if input ends in "/" [GH-22502]
ui: adds allowed_user_ids field to create role form and user_ids to generate certificates form in pki [GH-22191]
ui: enables create and update KV secret workflow when control group present [GH-22471]
website/docs: Fix link formatting in Vault lambda extension docs [GH-22396]
BUG FIXES:
activity (enterprise): Fix misattribution of entities to no or child namespace auth methods [GH-18809]
agent: Environment variable VAULT_CACERT_BYTES now works for Vault Agent templates. [GH-22322]
api: Fix breakage with UNIX domain socket addresses introduced by newest Go versions as a security fix. [GH-22523]
core (enterprise): Remove MFA Configuration for namespace when deleting namespace
core/metrics: vault.raft_storage.bolt.write.time should be a counter not a summary [GH-22468]
core/quotas (enterprise): Fix a case where we were applying login roles to lease count quotas in a non-login context.
Also fix a related potential deadlock. [GH-21110]
core: Remove "expiration manager is nil on tokenstore" error log for unauth requests on DR secondary as they do not have expiration manager. [GH-22137]
core: Fix bug where background thread to update locked user entries runs on DR secondaries. [GH-22355]
core: Fix readonly errors that could occur while loading mounts/auths during unseal [GH-22362]
core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [GH-21470]
expiration: Fix a deadlock that could occur when a revocation failure happens while restoring leases on startup. [GH-22374]
license: Add autoloaded license path to the cache exempt list. This is to ensure the license changes on the active node is observed on the perfStandby node. [GH-22363]
replication (enterprise): Fix panic when update-primary was called on demoted clusters using update_primary_addrs
replication (enterprise): Fixing a bug by which the atomicity of a merkle diff result could be affected. This means it could be a source of a merkle-diff & sync process failing to switch into stream-wal mode afterwards.
sdk/ldaputil: Properly escape user filters when using UPN domains
sdk/ldaputil: use EscapeLDAPValue implementation from cap/ldap [GH-22249]
secrets/ldap: Fix bug causing schema and password_policy to be overwritten in config. [GH-22330]
secrets/transform (enterprise): Batch items with repeated tokens in the tokenization decode api will now contain the decoded_value element
secrets/transform (enterprise): Fix nil panic when encoding a tokenization transformation on a non-active node
secrets/transform (enterprise): Tidy operations will be re-scheduled at a minimum of every minute, not a maximum of every minute
storage/raft: Fix race where new follower joining can get pruned by dead server cleanup. [GH-20986]
ui: Fix blank page or ghost secret when canceling KV secret create [GH-22541]