Vault - 1.13.0

Unreleased

CHANGES:

• auth/approle: Add maximum length of 4096 for approle role_names, as this value results in HMAC calculation [GH-17768]
• auth: Returns invalid credentials for ldap, userpass and approle when wrong credentials are provided for existent users.
  This will only be used internally for implementing user lockout. [GH-17104]
• core: Bump Go version to 1.19.2.
• plugins: GET /database/config/:name endpoint now returns an additional plugin_version field in the response data. [GH-16982]
• plugins: GET /sys/auth/:path/tune and GET /sys/mounts/:path/tune endpoints may now return an additional plugin_version field in the response data if set. [GH-17167]
• plugins: GET for /sys/auth, /sys/auth/:path, /sys/mounts, and /sys/mounts/:path paths now return additional plugin_version, running_plugin_version and running_sha256 fields in the response data for each mount. [GH-17167]
• secrets/aws: do not create leases for non-renewable/non-revocable STS credentials to reduce storage calls [GH-15869]
• ui: Upgrade Ember to version 4.4.0 [GH-17086]

FEATURES:

• core: Add user lockout field to config and configuring this for auth mount using auth tune to prevent brute forcing in auth methods [GH-17338]

IMPROVEMENTS:

• Reduced binary size [GH-17678]
• agent: fix incorrectly used loop variables in parallel tests and when finalizing seals [GH-16872]
• api: Support VAULT_DISABLE_REDIRECTS environment variable (and --disable-redirects flag) to disable default client behavior and prevent the client following any redirection responses. [GH-17352]
• auth/azure: Adds support for authentication with Managed Service Identity (MSI) from a
  Virtual Machine Scale Set (VMSS) in flexible orchestration mode. [GH-17540]
• cli: Add support for creating requests to existing non-KVv2 PATCH-capable endpoints. [GH-17650]
• cli: Support the -format=raw option, to read non-JSON Vault endpoints and original response bodies. [GH-14945]
• core/identity: Add machine-readable output to body of response upon alias clash during entity merge [GH-17459]
• core: License location is no longer cache exempt, meaning sys/health will not contribute as greatly to storage load when using consul as a storage backend. [GH-17265]
• core: Update protoc from 3.21.5 to 3.21.7 [GH-17499]
• database/snowflake: Allow parallel requests to Snowflake [GH-17593]
• plugins: Add plugin version information to key plugin lifecycle log lines. [GH-17430]
• plugins: Allow selecting builtin plugins by their reported semantic version of the form vX.Y.Z+builtin or vX.Y.Z+builtin.vault. [GH-17289]
• sdk/ldap: Added support for paging when searching for groups using group filters [GH-17640]
• secrets/aws: Update dependencies [PR-17747] [GH-17747]
• secrets/kv: new KVv2 mounts and KVv1 mounts without any keys will upgrade synchronously, allowing for instant use [GH-17406]
• secrets/pki: Add a new API that returns the serial numbers of revoked certificates on the local cluster [GH-17779]
• secrets/pki: Add support to specify signature bits when generating CSRs through intermediate/generate apis [GH-17388]
• secrets/pki: Return new fields revocation_time_rfc3339 and issuer_id to existing certificate serial lookup api if it is revoked [GH-17774]
• secrets/ssh: Evaluate ssh validprincipals user template before splitting [GH-16622]
• secrets/transit: Add associated_data parameter for additional authenticated data in AEAD ciphers [GH-17638]
• secrets/transit: Add support for PKCSv1_5_NoOID RSA signatures [GH-17636]
• storage/raft: add additional raft metrics relating to applied index and heartbeating; also ensure OSS standbys emit periodic metrics. [GH-12166]
• sys/internal/inspect: Creates an endpoint to look to inspect internal subsystems.

BUG FIXES:

• cli: Fix issue preventing kv commands from executing properly when the mount path provided by -mount flag and secret key path are the same. [GH-17679]
• cli: Remove empty table heading for vault secrets list -detailed output. [GH-17577]
• core/managed-keys (enterprise): Return better error messages when encountering key creation failures
• core/managed-keys (enterprise): Switch to using hash length as PSS Salt length within the test/sign api for better PKCS#11 compatibility
• core/seal: Fix regression handling of the key_id parameter in seal configuration HCL. [GH-17612]
• core: Fix panic caused in Vault Agent when rendering certificate templates [GH-17419]
• core: Fix vault operator init command to show the right curl string with -output-curl-string and right policy hcl with -output-policy [GH-17514]
• core: Fixes spurious warnings being emitted relating to "unknown or unsupported fields" for JSON config [GH-17660]
• core: Refactor lock grabbing code to simplify stateLock deadlock investigations [GH-17187]
• core: fix GPG encryption to support subkeys. [GH-16224]
• core: fix a start up race condition where performance standbys could go into a
  mount loop if default policies are not yet synced from the active node. [GH-17801]
• core: fix race when using SystemView.ReplicationState outside of a request context [GH-17186]
• core: prevent memory leak when using control group factors in a policy [GH-17532]
• core: prevent panic during mfa after enforcement's namespace is deleted [GH-17562]
• login: Store token in tokenhelper for interactive login MFA [GH-17040]
• openapi: fix gen_openapi.sh script to correctly load vault plugins [GH-17752]
• plugins/kv: KV v2 returns 404 instead of 500 for request paths that incorrectly include a trailing slash. [GH-17339]
• plugins: Corrected the path to check permissions on when the registered plugin name does not match the plugin binary's filename. [GH-17340]
• secret/pki: fix bug with initial legacy bundle migration (from < 1.11 into 1.11+) and missing issuers from ca_chain [GH-17772]
• secrets/pki: Do not read revoked certificates from backend when CRL is disabled [GH-17385]
• secrets/pki: Fix upgrade of missing expiry, delta_rebuild_interval by setting them to the default. [GH-17693]
• secrets/pki: Fixes duplicate otherName in certificates created by the sign-verbatim endpoint. [GH-16700]
• secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [GH-17497]
• ui/keymgmt: Sets the defaultValue for type when creating a key. [GH-17407]
• ui: Fixes issue with not being able to download raft snapshot via service worker [GH-17769]
• ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [GH-17661]
• ui: Remove default value of 30 to TtlPicker2 if no value is passed in. [GH-17376]