Vault
Overview
This page contains the list of deprecations and important or breaking changes for Vault 0.7.0 compared to the most recent release. Please read it carefully.
Rename of backend
config key to storage
When configuring Vault, the backend
key previously used to configure
storage has now been renamed to storage
. Vault will alias the old key to the
new path, though users are encouraged to update their configuration to ensure
minimal disruption in the future when the alias is removed.
List operations always use trailing slash
Any list operation, whether via the GET
or LIST
HTTP verb, will now
internally canonicalize the path to have a trailing slash. This makes policy
writing more predictable, as it means clients will no longer work or fail
based on which client they're using or which HTTP verb they're using. However,
it also means that policies allowing list
capability must be carefully
checked to ensure that they contain a trailing slash; some policies may need
to be split into multiple stanzas to accommodate.
PKI defaults to unleased certificates
When issuing certificates from the PKI backend, by default, no leases will be
issued. If you want to manually revoke a certificate, its serial number can be
used with the pki/revoke
endpoint. Issuing leases is still possible by
enabling the generate_lease
toggle in PKI role entries (this will default to
true
for upgrades, to keep existing behavior), which will allow using lease
IDs to revoke certificates. For installations issuing large numbers of
certificates (tens to hundreds of thousands, or millions), this will
significantly improve Vault startup time since leases associated with these
certificates will not have to be loaded; however note that it also means that
revocation of a token used to issue certificates will no longer add these
certificates to a CRL. If this behavior is desired or needed, consider keeping
leases enabled and ensuring lifetimes are reasonable, and issue long-lived
certificates via a different role with leases disabled.