Vault
Overview
This page contains the list of deprecations and important or breaking changes for Vault 1.0.3 compared to 1.1.0. Please read it carefully.
JWT backend changes
Specifying the group claims parameter has changed to use a standards based lookup. The groups_claim_delimiter_pattern has been removed and if the groups claim is not at the top level, it can now be specified as a JSONPointer.
Additionally, roles now have a "role type" parameter with a default type of "oidc". To configure new JWT roles, a role type of "jwt" must be explicitly specified.
Deprecated CLI commands removed
CLI commands deprecated in 0.9.2 are now removed. Please see the CLI help output for updated commands.
Additional changes
- Vault no longer automatically mounts a k/v backend at the "secret/" path when initializing Vault.
- Vault's cluster port will now be opened on HA standby nodes.
- Vault no longer supports running netRPC plugins. These were deprecated in favor of gRPC based plugins and any plugin built since 0.9.4 defaults to gRPC. Older plugins may need to be recompiled against the latest Vault dependencies.
Known issues
NOTE: This is a known issue applicable to Vault Enterprise.
During upgrades to 1.1.0, 1.1.1 or 1.1.2, Vault replication secondaries may require an automatically-triggered reindex, either if upgrading from a pre-0.8 version of Vault or if a previously-issued reindex operation has failed in the past. In these reindex scenarios, the secondary cluster will perform a complete WAL replay, which can take a long time and is a partially blocking operation.
This is fixed in Vault 1.1.3, and we recommend upgrading to Vault 1.1.3+ rather than any prior 1.1.x version. We also strongly recommend upgrading your Vault cluster to 1.1.3 if you are running Vault Enterprise 1.1.0, 1.1.1 or 1.1.2.