Vault
Overview
This page contains the list of deprecations and important or breaking changes for Vault 1.11.x compared to 1.10. Please read it carefully.
Elasticsearch database secrets engine
The Elasticsearch database secrets engine now uses the new /_security base API path instead of /_xpack/security when managing Elasticsearch. Users on an Elasticsearch version prior to 6 will need to switch back to the old API path by setting the boolean config option use_old_xpack=true.
Changes
Postgres library change
Vault 1.11+ uses pgx instead of lib/pq for Postgres connections. If you are using parameters like fallback_application_name that pgx does not support, you may need to update your connection_url before upgrading to Vault 1.11+.
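The two changes above (the Elasticsearch API-path switch and the pgx connection parameter change) are both worth checking before the upgrade rather than after. The following is an added pre-upgrade checker written for this page; it is not Vault code. It assumes that connection_url is either a URL-style or a keyword/value-style DSN, and the list of pgx-unsupported parameters contains only the one parameter this page names (extend it against the pgx documentation for your environment).

```python
"""Pre-upgrade checks for Vault 1.11: flag Postgres connection_url parameters
that pgx does not support, and decide whether an Elasticsearch cluster needs
use_old_xpack=true. Added example, not Vault's own code."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: only the parameter named on this page is listed. Add others
# after confirming them against the pgx documentation.
PGX_UNSUPPORTED_PARAMS = {"fallback_application_name"}


def check_postgres_connection_url(connection_url: str):
    """Return (offending_params, cleaned_url).

    offending_params lists parameters that must be removed before upgrading;
    cleaned_url is the same connection_url with those parameters dropped.
    Vault's {{username}}/{{password}} templates are left untouched.
    """
    if "://" in connection_url:
        # URL form, e.g. postgresql://{{username}}:{{password}}@host:5432/db?...
        parts = urlsplit(connection_url)
        params = parse_qsl(parts.query, keep_blank_values=True)
        offending = [k for k, _ in params if k in PGX_UNSUPPORTED_PARAMS]
        kept = [(k, v) for k, v in params if k not in PGX_UNSUPPORTED_PARAMS]
        return offending, urlunsplit(parts._replace(query=urlencode(kept)))

    # keyword/value form, e.g. "host=db user=vault fallback_application_name=x"
    pairs = [tok.split("=", 1) for tok in connection_url.split() if "=" in tok]
    offending = [k for k, _ in pairs if k in PGX_UNSUPPORTED_PARAMS]
    kept = [f"{k}={v}" for k, v in pairs if k not in PGX_UNSUPPORTED_PARAMS]
    return offending, " ".join(kept)


def elasticsearch_needs_old_xpack(es_version: str) -> bool:
    """True when the cluster's major version is below 6, meaning the secrets
    engine must be configured with use_old_xpack=true after the upgrade."""
    major = int(es_version.split(".")[0])
    return major < 6


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real deployment.
    sample_url = ("postgresql://{{username}}:{{password}}@localhost:5432/postgres"
                  "?sslmode=disable&fallback_application_name=vault")
    bad, fixed = check_postgres_connection_url(sample_url)
    print("remove before upgrade:", bad)
    print("cleaned connection_url:", fixed)
    for ver in ("5.6.16", "7.10.2"):
        print(ver, "needs use_old_xpack=true:", elasticsearch_needs_old_xpack(ver))
```

Run it against each configured database connection before the upgrade; a non-empty offending list means the connection_url should be rewritten first, and a True result for Elasticsearch means the config must carry use_old_xpack=true.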
Known issues
Cluster initialization hangs with retry_join
The retry_join feature no longer successfully attempts to rejoin the raft cluster every 2 seconds following a join failure.
The error occurs when attempting to initialize non-leader nodes with a retry_join stanza. This affects multi-node raft clusters on impacted versions.
The bug was introduced by commit https://github.com/hashicorp/vault/commit/cc6409222ce246ed72d067debe6ffeb8f62f9dad and first reported in https://github.com/hashicorp/vault/issues/16486.
Impacted versions
Affects versions 1.11.1, 1.11.2, 1.10.5, and 1.10.6. Versions prior to these are unaffected.
NOTE: This error does not extend to version 1.9.8+, which is slightly different in this portion of the code and does not exhibit the same behavior.
New releases addressing this bug are coming soon.
Rotation configuration persistence issue could lose transform tokenization key versions
A rotation, whether performed manually or via automatic time-based rotation, that follows a Vault restart or leader change can result in the loss of intermediate key versions when the rotation configuration was changed after the initial configuration of the tokenization transform. Tokenized values from these versions would not be decodable. It is recommended that customers who have enabled automatic rotation disable it, and that other customers avoid key rotation until the upcoming fix.
Affected versions
This issue affects Vault Enterprise with ADP versions 1.10.x and higher. A fix will be released in Vault 1.11.9, 1.12.5, and 1.13.1.
LDAP pagination issue
There was a regression introduced in 1.11.10 relating to LDAP maximum page sizes, resulting in the error "no LDAP groups found in groupDN [...] only policies from locally-defined groups available". The issue occurs when upgrading Vault with an instance that has an existing LDAP auth configuration.
As a workaround, disable paged searching using the following:
vault write auth/ldap/config max_page_size=-1
Impacted versions
Affects Vault 1.11.10.
PKI storage migration revives deleted issuers
Vault 1.11 introduced Storage v1, a new storage layout that supported multiple issuers within a single mount. Bug fixes in Vault 1.11.6, 1.12.2, and 1.13.0 corrected a write-ordering issue that led to invalid CA chains. Specifically, incorrectly ordered writes could fail under load, resulting in the mount being re-migrated the next time it was loaded or in silently truncated CA chains. This collection of bug fixes introduced Storage v2.
Affected versions
Vault may incorrectly re-migrate legacy issuers created before Vault 1.11 that were migrated to Storage v1 and deleted before upgrading to a Vault version with Storage v2.
The migration fails when Vault finds managed keys associated with the legacy issuers that were removed from the managed key repository prior to the upgrade.
The migration error appears in Vault logs as:
Error during migration of PKI mount: failed to lookup public key from managed key: no managed key found with uuid
Note
Issuers created in Vault 1.11+ and direct upgrades to a Storage v2 layout are not affected. The Storage v1 upgrade bug was fixed in Vault 1.14.1, 1.13.5, and 1.12.9.