Vault
Overview
This page contains the list of deprecations and important or breaking changes for Vault 1.6.0 compared to 1.5. Please read it carefully.
Go version
Vault 1.6.0 is built with Go 1.15. Please review the Go Release Notes for full details. A few items of particular note:
- Go 1.15 has dropped support for 32-bit binaries on macOS, iOS, iPadOS, watchOS, and tvOS, and Vault is no longer issuing darwin_386 binaries
- Go 1.15 no longer treats the CommonName field on X.509 certificates as a host name. X.509 certificates should be validated and potentially regenerated before upgrading if they do not have Subject Alternative Names.
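One way to run the pre-upgrade certificate check is sketched below as an added example (not code from Vault or HashiCorp). The function names and the `example.test` host names are hypothetical, and the two certificates are constructed in memory only so the program runs offline; in practice the bundle would be the PEM files used by listeners, clients and plugins.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertsWithoutSAN returns the CommonName of each non-CA cert in a PEM bundle with no DNS or IP SAN.
func CertsWithoutSAN(bundle []byte) ([]string, error) {
	var out []string
	for {
		var blk *pem.Block
		blk, bundle = pem.Decode(bundle)
		if blk == nil {
			return out, nil
		}
		if blk.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return nil, err
		}
		if !c.IsCA && len(c.DNSNames) == 0 && len(c.IPAddresses) == 0 {
			out = append(out, c.Subject.CommonName)
		}
	}
}

// selfSigned builds a constructed, short-lived sample certificate (errors ignored for brevity).
func selfSigned(cn string, sans ...string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), DNSNames: sans}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	bundle := append(selfSigned("legacy.example.test"), selfSigned("ok.example.test", "ok.example.test")...)
	fmt.Println(CertsWithoutSAN(bundle)) // lists only the CommonName-only certificate
}
```

Any certificate it lists relies on CommonName alone and is a candidate for regeneration with Subject Alternative Names before the upgrade.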
Transform secrets engine storage upgrade
The Transform Secrets Engine (Enterprise only) will automatically upgrade the storage of its configuration in order to accommodate the new transformation type oriented configuration API. Secondaries will receive the modifications via replication.
Database engine interface upgrade
The Database Engine has changed the underlying interface between Vault and each database implementation. This change allows use of password policies within the Database engine. The API for the Database Engine has not changed, only the underlying interface between Vault and the database plugins. All built-in database plugins (as well as the Oracle plugin) have been upgraded to the new interface so no user actions are needed. Vault will continue to recognize existing custom database plugins but the old interface should be considered deprecated and may be removed in a future release. See our upgrade guide for custom databases for more information on upgrading custom database plugins.
Alpine 3.14
Docker images for Vault 1.6.6+, 1.7.4+, and 1.8.2+ are built with Alpine 3.14, due to a security issue in Alpine 3.13 (CVE-2021-36159). Some users on older versions of Docker may run into issues with these images. See the following for more details:
- https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.14.0#faccessat2
- https://about.gitlab.com/blog/2021/08/26/its-time-to-upgrade-docker-engine/
Known issues
Because of the Transform storage upgrade issue described below, Transform Secrets Engine users are recommended to upgrade to version 1.6.4. Because of the lease count quota issue described below, Lease Count Quota users with DR Secondaries are recommended to upgrade to version 1.6.6.
Transform storage upgrades fixed
The Transform Secrets Engine storage upgrade introduced in 1.6.0 produced malformed configuration for transformations configured earlier than 1.6.0, resulting in an error when using these transformations if Vault is restarted after the upgrade. This issue exists on Vault 1.6.0 through 1.6.3, and is fixed in Vault 1.6.4 and 1.7.0. Transformations configured on 1.6.0 or higher are unaffected.
Lease count quota invalidations on DR secondaries fixed
Lease count quota invalidation causes DR Secondaries to panic and experience a hard shutdown. This issue exists prior to Vault 1.6.6 and 1.7.4. It is fixed in Vault 1.6.6, 1.7.4, and 1.8.0.