Vault - 1.14.0

-rc1

June 08, 2023

CHANGES:

• auth/alicloud: Updated plugin from v0.14.0 to v0.15.0 [GH-20758]
• auth/azure: Updated plugin from v0.13.0 to v0.15.0 [GH-20816]
• auth/centrify: Updated plugin from v0.14.0 to v0.15.1 [GH-20745]
• auth/gcp: Updated plugin from v0.15.0 to v0.16.0 [GH-20725]
• auth/jwt: Updated plugin from v0.15.0 to v0.16.0 [GH-20799]
• auth/kubernetes: Update plugin to v0.16.0 [GH-20802]
• core: Bump Go version to 1.20.4.
• core: Remove feature toggle for SSCTs, i.e. the env var VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS. [GH-20834]
• core: Revert #19676 (VAULT_GRPC_MIN_CONNECT_TIMEOUT env var) as we decided it was unnecessary. [GH-20826]
• database/couchbase: Updated plugin from v0.9.0 to v0.9.2 [GH-20764]
• database/redis-elasticache: Updated plugin from v0.2.0 to v0.2.1 [GH-20751]
• replication (enterprise): Add a new parameter for the update-primary API call
  that allows for setting of the primary cluster addresses directly, instead of
  via a token.
• secrets/ad: Updated plugin from v0.10.1-0.20230329210417-0b2cdb26cf5d to v0.16.0 [GH-20750]
• secrets/alicloud: Updated plugin from v0.5.4-beta1.0.20230330124709-3fcfc5914a22 to v0.15.0 [GH-20787]
• secrets/aure: Updated plugin from v0.15.0 to v0.16.0 [GH-20777]
• secrets/database/mongodbatlas: Updated plugin from v0.9.0 to v0.10.0 [GH-20882]
• secrets/database/snowflake: Updated plugin from v0.7.0 to v0.8.0 [GH-20807]
• secrets/gcp: Updated plugin from v0.15.0 to v0.16.0 [GH-20818]
• secrets/keymgmt: Updated plugin to v0.9.1
• secrets/kubernetes: Update plugin to v0.5.0 [GH-20802]
• secrets/mongodbatlas: Updated plugin from v0.9.1 to v0.10.0 [GH-20742]
• secrets/pki: Warning when issuing leafs from CSRs with basic constraints. In the future, issuance of non-CA leaf certs from CSRs with asserted IsCA Basic Constraints will be prohibited. [GH-20654]

FEATURES:

• AWS Static Roles: The AWS Secrets Engine can manage static roles configured by users. [GH-20536]
• Automated License Utilization Reporting: Added automated license
  utilization reporting, which sends minimal product-license metering
  data
  to HashiCorp without requiring you to manually collect and report them.
• MongoDB Atlas Database Secrets: Adds support for generating X.509 certificates on dynamic roles for user authentication [GH-20882]
• NEW PKI Workflow in UI: Completes generally available rollout of new PKI UI that provides smoother mount configuration and a more guided user experience [GH-pki-ui-improvements]
• Vault PKI ACME Server: Support for the ACME certificate lifecycle management protocol has been added to the Vault PKI Plugin. This allows standard ACME clients, such as the EFF's certbot and the CNCF's k8s cert-manager, to request certificates from a Vault server with no knowledge of Vault APIs or authentication mechanisms. For public-facing Vault instances, we recommend requiring External Account Bindings (EAB) to limit the ability to request certificates to only authenticated clients. [GH-20752]
• Vault Proxy: Introduced Vault Proxy, a new subcommand of the Vault binary that can be invoked using vault proxy -config=config.hcl. It currently has the same feature set as Vault Agent's API proxy, but the two may diverge in the future. We plan to deprecate the API proxy functionality of Vault Agent in a future release. [GH-20548]
• cli: Add 'agent generate-config' sub-command [GH-20530]
• Sidebar Navigation in UI: A new sidebar navigation panel has been added in the UI to replace the top navigation bar.

IMPROVEMENTS:

• activitylog: EntityRecord protobufs now contain a ClientType field for
  distinguishing client sources. [GH-20626]
• agent: Add integration tests for agent running in process supervisor mode [GH-20741]
• agent: Add logic to validate env_template entries in configuration [GH-20569]
• agent: initial implementation of a process runner for injecting secrets via environment variables via vault agent [GH-20628]
• api: GET ... /sys/internal/counters/activity?current_billing_period=true now
  results in a response which contains the full billing period [GH-20694]
• audit: forwarded requests can now contain host metadata on the node it was sent 'from' or a flag to indicate that it was forwarded.
• auth/kerberos: Enable plugin multiplexing
  auth/kerberos: Upgrade plugin dependencies [GH-20771]
• command/server (enterprise): -dev-three-node now creates perf standbys instead of regular standbys. [GH-20629]
• command/server: Add support for dumping pprof files to the filesystem via SIGUSR2 when
  VAULT_PPROF_WRITE_TO_FILE=true is set on the server. [GH-20609]
• core (enterprise): license updates trigger a reload of reporting and the activity log [GH-20680]
• core (enterprise): support reloading configuration for automated reporting via SIGHUP [GH-20680]
• core, secrets/pki, audit: Update dependency go-jose to v3 due to v2 deprecation. [GH-20559]
• core: Add possibility to decode a generated encoded root token via the rest API [GH-20595]
• core: include namespace path in granting_policies block of audit log
• core: include reason for ErrReadOnly on PBPWF writing failures
• core: report intermediate error messages during request forwarding [GH-20643]
• database/elasticsearch: Upgrade plugin dependencies [GH-20767]
• database/redis: Upgrade plugin dependencies [GH-20763]
• sdk/framework: Fix non-deterministic ordering of 'required' fields in OpenAPI spec [GH-20881]
• secrets/consul: Improve error message when ACL bootstrapping fails. [GH-20891]
• secrets/gcpkms: Enable plugin multiplexing
  secrets/gcpkms: Upgrade plugin dependencies [GH-20784]
• secrets/pki: add subject key identifier to read key response [GH-20642]
• secrets/transit: Respond to writes with updated key policy, cache configuration. [GH-20652]
• secrets/transit: Support BYOK-encrypted export of keys to securely allow synchronizing specific keys and version across clusters. [GH-20736]
• ui: Add filtering by auth type and auth name to the Authentication Method list view. [GH-20747]
• ui: Update Web CLI with examples and a new kv-get command for reading kv v2 data and metadata [GH-20590]

BUG FIXES:

• agent: Fix bug with 'cache' stanza validation [GH-20934]
• api: Properly Handle nil identity_policies in Secret Data [GH-20636]
• auth/ldap: Set default value for max_page_size properly [GH-20453]
• core (enterprise): Fix intermittent issue with token entries sometimes not being found when using a newly created token in a request to a secondary, even when SSCT new_token forwarding is set. When this occurred, this would result in the following error to the client: error performing token check: no lease entry found for token that ought to have one, possible eventual consistency issue.
• core (enterprise): Fix log shipper buffer size overflow issue for 32 bit architecture.
• core (enterprise): Fix logshipper buffer size to default to DefaultBufferSize only when reported system memory is zero.
• core (enterprise): Fix panic when using invalid accessor for control-group request
• core (enterprise): Fix perf standby WAL streaming silently failures when replication setup happens at a bad time.
• core (enterprise): Fix read on perf standbys failing with 412 after leadership change, unseal, restores or restarts when no writes occur
• core (enterprise): Remove MFA Enforcment configuration for namespace when deleting namespace
• core/ssct (enterprise): Fixed race condition where a newly promoted DR may revert sscGenCounter
  resulting in 412 errors.
• core: Fix Forwarded Writer construction to correctly find active nodes, allowing PKI cross-cluster functionality to succeed on existing mounts.
• core: Fix writes to readonly storage on performance standbys when user lockout feature is enabled. [GH-20783]
• license (enterprise): Fix bug where license would update even if the license didn't change.
• replication (enterprise): Fix a caching issue when replicating filtered data to
  a performance secondary. This resulted in the data being set to nil in the cache
  and a "invalid value" error being returned from the API.
• replication (enterprise): Fix a race condition with invalid tokens during WAL streaming that was causing Secondary clusters to be unable to connect to a Primary.
• replication (enterprise): Fix bug where reloading external plugin on a secondary would
  break replication.
• replication (enterprise): Fix replication status for Primary clusters showing its primary cluster's information (in case of DR) in secondaries field when known_secondaries field is nil
• replication (enterprise): fix bug where secondary grpc connections would timeout when connecting to a primary host that no longer exists.
• secrets/pki: Support setting both maintain_stored_certificate_counts=false and publish_stored_certificate_count_metrics=false explicitly in tidy config. [GH-20664]
• secrets/transform (enterprise): Address SQL connection leak when cleaning expired tokens
• secrets/transform (enterprise): Fix a caching bug affecting secondary nodes after a tokenization key rotation
• secrets/transform (enterprise): Fix persistence problem with rotated tokenization key versions
• secrets/transform: Added importing of keys and key versions into the Transform secrets engine using the command 'vault transform import' and 'vault transform import-version'. [GH-20668]
• secrets/transit: Fix export of HMAC-only key, correctly exporting the key used for sign operations. For consumers of the previously incorrect key, use the plaintext export to retrieve these incorrect keys and import them as new versions.
  secrets/transit: Fix bug related to shorter dedicated HMAC key sizing.
  sdk/helper/keysutil: New HMAC type policies will have HMACKey equal to Key and be copied over on import. [GH-20864]
• ui: Fixes issue unsealing cluster for seal types other than shamir [GH-20897]
• ui: fixes auto_rotate_period ttl input for transit keys [GH-20731]
• ui: fixes key_bits and signature_bits reverting to default values when editing a pki role [GH-20907]