$npx -y @buildinternet/releases show rel_f1EE1mXLbV6UZsz8RyaNK
1.17.0
June 12, 2024
CHANGES:
api: Upgrade from github.com/go-jose/go-jose/v3 v3.0.3 to github.com/go-jose/go-jose/v4 v4.0.1. [GH-26527]
audit: breaking change - Vault now allows audit logs to contain 'correlation-id' and 'x-correlation-id' headers when they are present in the incoming request. By default they are not HMAC'ed (but can be configured to HMAC by Vault Operators). [GH-26777]
auth/alicloud: Update plugin to v0.18.0 [GH-27133]
core (enterprise): Seal High Availability (HA) must be enabled by enable_multiseal in configuration.
core/identity: improve performance for secondary nodes receiving identity related updates through replication [GH-27184]
core: Bump Go version to 1.22.4
core: return an additional "invalid token" error message in 403 response when the provided request token has expired, has exceeded its number of uses, or is a bogus value [GH-25953]
database/couchbase: Update plugin to v0.11.0 [GH-27145]
database/elasticsearch: Update plugin to v0.15.0 [GH-27136]
database/mongodbatlas: Update plugin to v0.12.0 [GH-27143]
database/redis-elasticache: Update plugin to v0.4.0 [GH-27139]
database/redis: Update plugin to v0.3.0 [GH-27117]
database/snowflake: Update plugin to v0.11.0 [GH-27132]
sdk: String templates now have a maximum size of 100,000 characters. [GH-26110]
secrets/mongodbatlas: Update plugin to v0.12.0 [GH-27149]
secrets/openldap: Update plugin to v0.13.0 [GH-27137]
secrets/pki: sign-intermediate API will truncate notAfter if calculated to go beyond the signing issuer's notAfter. Previously the notAfter was permitted to go beyond the issuer's, leading to invalid chains. [GH-26796]
secrets/terraform: Update plugin to v0.8.0 [GH-27147]
ui/kubernetes: Update the roles filter-input to use explicit search. [GH-27178]
ui: Update dependencies including D3 libraries [GH-26346]
ui: Upgrade Ember data from 4.11.3 to 4.12.4 [GH-25272]
ui: deleting a nested secret will no longer redirect you to the nearest path segment [GH-26845]
ui: flash messages render on right side of page [GH-25459]
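The secrets/pki sign-intermediate change above, as an added Go example (not Vault's code): it issues a throwaway root and intermediate with crypto/x509, signs the intermediate with and without the 1.17 cap, and lets you check that an uncapped intermediate still reports itself valid after the root has expired even though the chain no longer verifies. The names newCA, SignIntermediate and ChainsAt are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must keeps the demo short: any key or certificate setup error is fatal.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA issues a CA cert valid until notAfter, signed by parent (self-signed when nil), with throwaway P-256 keys.
func newCA(cn string, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// SignIntermediate models sign-intermediate: without truncate the requested notAfter is used as-is
// (pre-1.17); with truncate set (1.17 behaviour) it is capped at the issuer's notAfter.
func SignIntermediate(root *x509.Certificate, rootKey *ecdsa.PrivateKey, requested time.Time, truncate bool) *x509.Certificate {
	if truncate && requested.After(root.NotAfter) {
		requested = root.NotAfter
	}
	inter, _ := newCA("intermediate", requested, root, rootKey)
	return inter
}

// ChainsAt reports whether inter verifies against root when the clock reads t (root expiry counts too).
func ChainsAt(root, inter *x509.Certificate, t time.Time) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := inter.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: t, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}
```

Pick a check time after the root's notAfter but before the requested intermediate notAfter: the uncapped intermediate's NotAfter is still in the future at that time, yet ChainsAt returns false, which is the "invalid chain" the entry refers to.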
FEATURES:
PKI Certificate Metadata (enterprise): Add Certificate Metadata Functionality to Record and Return Client Information about a Certificate.
Adaptive Overload Protection (enterprise): Adds Adaptive Overload Protection for write requests as a Beta feature (disabled by default). This automatically prevents overloads caused by too many write requests while maintaining optimal throughput for the hardware configuration and workload.
Audit Filtering (enterprise): Audit devices support expression-based filter rules (powered by go-bexpr) to determine which entries are written to the audit log.
LDAP Secrets engine hierarchical path support: Hierarchical path handling is now supported for role and set APIs. [GH-27203]
Plugin Identity Tokens: Adds secret-less configuration of AWS auth engine using web identity federation. [GH-26507]
Plugin Workload Identity (enterprise): Vault can generate identity tokens for plugins to use in workload identity federation auth flows.
Transit AES-CMAC (enterprise): Added support to create and verify AES backed cipher-based message authentication codes
IMPROVEMENTS:
activity (enterprise): Change minimum retention window in activity log to 48 months
agent: Added a new config option, lease_renewal_threshold, that controls the refresh rate of non-renewable leases in Agent's template engine. [GH-25212]
agent: Agent will re-trigger auto auth if token used for rendering templates has been revoked, has exceeded the number of uses, or is a bogus value. [GH-26172]
api: Move CLI token helper functions to importable packages in api module. [GH-25744]
audit: timestamps across multiple audit devices for an audit entry will now match. [GH-26088]
auth/aws: Add inferred_hostname metadata for IAM AWS authentication method. [GH-25418]
auth/aws: add canonical ARN as entity alias option [GH-22460]
auth/aws: add support for external_ids in AWS assume-role [GH-26628]
auth/cert: Adds support for TLS certificate authentication through a reverse proxy that terminates the SSL connection [GH-17272]
cli: Add events subscriptions commands
command/server: Removed environment variable requirement to generate pprof files using SIGUSR2. Added CPU profile support. [GH-25391]
core (enterprise): persist seal rewrap status, so rewrap status API is consistent on secondary nodes.
core/activity: Include ACME client metrics to precomputed queries [GH-26519]
core/activity: Include ACME clients in activity log responses [GH-26020]
core/activity: Include ACME clients in vault operator usage response [GH-26525]
core/config: reload service registration configuration on SIGHUP [GH-17598]
core: add deadlock detection in barrier and sealwrap
proxy/cache (enterprise): Support new configuration parameter for static secret caching, static_secret_token_capability_refresh_behavior, to control the behavior when the capability refresh request receives an error from Vault.
proxy: Proxy will re-trigger auto auth if the token used for requests has been revoked, has exceeded the number of uses, or is an otherwise invalid value. [GH-26307]
raft/snapshotagent (enterprise): upgrade raft-snapshotagent to v0.0.0-20221104090112-13395acd02c5
replication (enterprise): Add replication heartbeat metric to telemetry
replication (enterprise): Periodically write current time on the primary to storage, use that downstream to measure replication lag in time, expose that in health and replication status endpoints. [GH-26406]
sdk/decompression: DecompressWithCanary will now chunk the decompression in memory to prevent loading it all at once. [GH-26464]
sdk/helper/testcluster: add some new helpers, improve some error messages. [GH-25329]
secrets-sync (enterprise): Added global config path to the administrative namespace.
secrets/pki (enterprise): Disable warnings about unknown parameters to the various CIEPS endpoints
secrets/pki: Add a new ACME configuration parameter that allows increasing the maximum TTL for ACME leaf certificates [GH-26797]
secrets/transform (enterprise): Add delete by token and delete by plaintext operations to Tokenization.
storage/azure: Perform validation on Azure account name and container name [GH-26135]
storage/raft (enterprise): add support for separate entry size limit for mount and namespace table paths in storage to allow increased mount table size without allowing other user storage entries to become larger. [GH-25992]
storage/raft: panic on unknown Raft operations [GH-25991]
ui (enterprise): Allow HVD users to access Secrets Sync. [GH-26841]
ui (enterprise): Update dashboard to make activity log query using the same start time as the metrics overview [GH-26729]
ui (enterprise): Update filters on the custom messages list view. [GH-26653]
ui: Allow users to wrap inputted data again instead of resetting form [GH-27289]
ui: Display ACME clients on a separate page in the UI. [GH-26020]
ui: Hide dashboard client count card if user does not have permission to view clients. [GH-26848]
ui: Show computed values from sys/internal/ui/mounts endpoint for auth mount configuration view [GH-26663]
ui: Update PGP display and show error for Generate Operation Token flow with PGP [GH-26993]
ui: Update language in Transit secret engine to reflect that not all keys are for encryption [GH-27346]
ui: Update userpass user form to allow setting password_hash field. [GH-26577]
ui: fixes cases where inputs did not have associated labels [GH-26263]
ui: show banner instead of permission denied error when batch token is expired [GH-26396]
website/docs: Add note about eventual consistency with the MongoDB Atlas database secrets engine [GH-24152]
DEPRECATIONS:
Request Limiter Beta (enterprise): This Beta feature added in 1.16 has been superseded by Adaptive Overload Protection and will be removed.
secrets/azure: Deprecate field "password_policy" as we are not able to set it anymore with the new MS Graph API. [GH-25637]
BUG FIXES:
activity (enterprise): fix read-only storage error on upgrades
agent: Correctly constructs kv-v2 secret paths in nested namespaces. [GH-26863]
agent: Fixes a high Vault load issue, by restarting the Consul template server after backing off instead of immediately. [GH-25497]
agent: vault.namespace no longer gets incorrectly overridden by auto_auth.namespace, if set [GH-26427]
api: fixed a bug where LifetimeWatcher routines weren't respecting exponential backoff in the presence of unexpected errors [GH-26383]
audit: Operator changes to configured audit headers (via /sys/config/auditing) will now force invalidation and be reloaded from storage when data is replicated to other nodes.
auth/ldap: Fix login error for group search anonymous bind. [GH-26200]
auth/ldap: Fix login error missing entity alias attribute value. [GH-26200]
auto-auth: Addressed issue where having no permissions to renew a renewable token caused auto-auth to attempt to renew constantly with no backoff [GH-26844]
cli/debug: Fix resource leak in CLI debug command. [GH-26167]
cli: fixed a bug where the Vault CLI would error out if HOME was not set. [GH-26243]
core (enterprise): Fix 403s returned when forwarding invalid token to active node from secondary.
core (enterprise): Fix an issue that prevented the seal re-wrap status from reporting that a re-wrap is in progress for up to a second.
core (enterprise): fix bug where raft followers disagree with the seal type after returning to one seal from two. [GH-26523]
core (enterprise): fix issue where the Seal HA rewrap system may remain running when an active node steps down.
core/audit: Audit logging a Vault request/response will now use a minimum 5 second context timeout. If the existing context deadline occurs later than 5s in the future, it will be used; otherwise a new context, separate from the original, will be used. [GH-26616]
core/metrics: store cluster name in unencrypted storage to prevent blank cluster name [GH-26878]
core/namespace (enterprise): Privileged namespace paths provided in the administrative_namespace_path config will now be canonicalized.
core/seal: During a seal reload through SIGHUP, only write updated seal barrier on an active node [GH-26381]
core/seal: allow overriding of VAULT_GCPCKMS_SEAL_KEY_RING and VAULT_GCPCKMS_SEAL_CRYPTO_KEY environment keys in seal-ha
core: Add missing field delegated_auth_accessors to GET /sys/mounts/:path API response [GH-26876]
core: Address a data race updating a seal's last seen healthy time attribute [GH-27014]
core: Fix redact_version listener parameter being ignored for some OpenAPI related endpoints. [GH-26607]
core: Only reload seal configuration when enable_multiseal is set to true. [GH-26166]
core: when listener configuration chroot_namespace is active, Vault will no longer report that the configuration is invalid when Vault is sealed
events (enterprise): Fix bug preventing subscribing and receiving events within a namespace.
events (enterprise): Terminate WebSocket connection when token is revoked.
openapi: added the missing migrate parameter for the unseal endpoint in vault/logical_system_paths.go [GH-25550]
pki: Fix error in cross-signing using ed25519 keys [GH-27093]
plugin/wif: fix a bug where the namespace was not set for external plugins using workload identity federation [GH-26384]
replication (enterprise): fix "given mount path is not in the same namespace as the request" error that can occur when enabling replication for the first time on a secondary cluster
replication (enterprise): fixed data integrity issue with the processing of identity aliases causing duplicates to occur in rare cases
router: Fix missing lock in MatchingSystemView. [GH-25191]
secret/database: Fixed race condition where database mounts may leak connections [GH-26147]
secrets-sync (enterprise): Fixed an issue with syncing to target projects in GCP
secrets/azure: Update vault-plugin-secrets-azure to 0.17.2 to include a bug fix for azure role creation [GH-26896]
secrets/pki (enterprise): cert_role parameter within authenticators.cert EST configuration handler could not be set
secrets/pki: fixed validation bug which rejected ldap schemed URLs in crl_distribution_points. [GH-26477]
secrets/transform (enterprise): Fix a bug preventing the use of alternate schemas on PostgreSQL token stores.
secrets/transit: Use 'hash_algorithm' parameter if present in HMAC verify requests. Otherwise fall back to deprecated 'algorithm' parameter. [GH-27211]
storage/raft (enterprise): Fix a bug where autopilot automated upgrades could fail due to using the wrong upgrade version
storage/raft (enterprise): Fix a regression introduced in 1.15.8 that causes autopilot to fail to discover new server versions and so not trigger an upgrade. [GH-27277]
storage/raft: prevent writes from impeding leader transfers, e.g. during automated upgrades [GH-25390]
transform (enterprise): guard against a panic looking up a token in exportable mode with barrier storage.
ui: Do not show resultant-ACL banner when ancestor namespace grants wildcard access. [GH-27263]
ui: Fix KVv2 json editor to allow null values. [GH-27094]
ui: Fix a bug where disabling TTL on the AWS credential form would still send TTL value [GH-27366]
ui: Fix broken help link in console for the web command. [GH-26858]
ui: Fix configuration link from Secret Engine list view for Ember engines. [GH-27131]
ui: Fix link to v2 generic secrets engine from secrets list page. [GH-27019]
ui: Prevent perpetual loading screen when Vault needs initialization [GH-26985]
ui: Refresh model within a namespace on the Secrets Sync overview page. [GH-26790]
ui: Remove possibility of returning an undefined timezone from date-format helper [GH-26693]
ui: Resolved accessibility issues with Web REPL. Associated label and help text with input, added a conditional to show the console/ui-panel only when toggled open, added keyboard focus trap. [GH-26872]
ui: fix issue where a month without new clients breaks the client count dashboard [GH-27352]
ui: fixed a bug where the replication pages did not update display when navigating between DR and performance [GH-26325]
ui: fixes undefined start time in filename for downloaded client count attribution csv [GH-26485]