1.17.0

June 12, 2024

CHANGES:

• api: Upgrade from github.com/go-jose/go-jose/v3 v3.0.3 to github.com/go-jose/go-jose/v4 v4.0.1. [GH-26527]
• audit: breaking change - Vault now allows audit logs to contain 'correlation-id' and 'x-correlation-id' headers when they are present in the incoming request. By default they are not HMAC'ed (but can be configured to HMAC by Vault Operators). [GH-26777]
• auth/alicloud: Update plugin to v0.18.0 [GH-27133]
• auth/azure: Update plugin to v0.18.0 [GH-27146]
• auth/centrify: Remove the deprecated Centrify auth method plugin [GH-27130]
• auth/cf: Update plugin to v0.17.0 [GH-27161]
• auth/gcp: Update plugin to v0.18.0 [GH-27140]
• auth/jwt: Update plugin to v0.20.2 [GH-26291]
• auth/jwt: Update plugin to v0.20.3 [GH-26890]
• auth/kerberos: Update plugin to v0.12.0 [GH-27177]
• auth/kubernetes: Update plugin to v0.19.0 [GH-27186]
• auth/oci: Update plugin to v0.16.0 [GH-27142]
• core (enterprise): Seal High Availability (HA) must be enabled by enable_multiseal in configuration.
• core/identity: improve performance for secondary nodes receiving identity related updates through replication [GH-27184]
• core: Bump Go version to 1.22.4
• core: return an additional "invalid token" error message in 403 response when the provided request token is expired, exceeded the number of uses, or is a bogus value [GH-25953]
• database/couchbase: Update plugin to v0.11.0 [GH-27145]
• database/elasticsearch: Update plugin to v0.15.0 [GH-27136]
• database/mongodbatlas: Update plugin to v0.12.0 [GH-27143]
• database/redis-elasticache: Update plugin to v0.4.0 [GH-27139]
• database/redis: Update plugin to v0.3.0 [GH-27117]
• database/snowflake: Update plugin to v0.11.0 [GH-27132]
• sdk: String templates now have a maximum size of 100,000 characters. [GH-26110]
• secrets/ad: Update plugin to v0.18.0 [GH-27172]
• secrets/alicloud: Update plugin to v0.17.0 [GH-27134]
• secrets/azure: Update plugin to v0.17.1 [GH-26528]
• secrets/azure: Update plugin to v0.19.0 [GH-27141]
• secrets/gcp: Update plugin to v0.19.0 [GH-27164]
• secrets/gcpkms: Update plugin to v0.17.0 [GH-27163]
• secrets/keymgmt (enterprise): Removed namespace label on the vault.kmse.key.count metric.
• secrets/kmip (enterprise): Update plugin to v0.15.0
• secrets/kubernetes: Update plugin to v0.8.0 [GH-27187]
• secrets/kv: Update plugin to v0.18.0 [GH-26877]
• secrets/kv: Update plugin to v0.19.0 [GH-27159]
• secrets/mongodbatlas: Update plugin to v0.12.0 [GH-27149]
• secrets/openldap: Update plugin to v0.13.0 [GH-27137]
• secrets/pki: sign-intermediate API will truncate notAfter if calculated to go beyond the signing issuer's notAfter. Previously the notAfter was permitted to go beyond leading to invalid chains. [GH-26796]
• secrets/terraform: Update plugin to v0.8.0 [GH-27147]
• ui/kubernetes: Update the roles filter-input to use explicit search. [GH-27178]
• ui: Update dependencies including D3 libraries [GH-26346]
• ui: Upgrade Ember data from 4.11.3 to 4.12.4 [GH-25272]
• ui: Upgrade Ember to version 5.4 [GH-26708]
• ui: deleting a nested secret will no longer redirect you to the nearest path segment [GH-26845]
• ui: flash messages render on right side of page [GH-25459]

FEATURES:

• PKI Certificate Metadata (enterprise): Add Certificate Metadata Functionality to Record and Return Client Information about a Certificate.
• Adaptive Overload Protection (enterprise): Adds Adaptive Overload Protection for write requests as a Beta feature (disabled by default). This automatically prevents overloads caused by too many write requests while maintaining optimal throughput for the hardware configuration and workload.
• Audit Filtering (enterprise) : Audit devices support expression-based filter rules (powered by go-bexpr) to determine which entries are written to the audit log.
• LDAP Secrets engine hierarchical path support: Hierarchical path handling is now supported for role and set APIs. [GH-27203]
• Plugin Identity Tokens: Adds secret-less configuration of AWS auth engine using web identity federation. [GH-26507]
• Plugin Workload Identity (enterprise): Vault can generate identity tokens for plugins to use in workload identity federation auth flows.
• Transit AES-CMAC (enterprise): Added support to create and verify AES backed cipher-based message authentication codes

IMPROVEMENTS:

• activity (enterprise): Change minimum retention window in activity log to 48 months
• agent: Added a new config option, lease_renewal_threshold, that controls the refresh rate of non-renewable leases in Agent's template engine. [GH-25212]
• agent: Agent will re-trigger auto auth if token used for rendering templates has been revoked, has exceeded the number of uses, or is a bogus value. [GH-26172]
• api: Move CLI token helper functions to importable packages in api module. [GH-25744]
• audit: timestamps across multiple audit devices for an audit entry will now match. [GH-26088]
• auth/aws: Add inferred_hostname metadata for IAM AWS authentication method. [GH-25418]
• auth/aws: add canonical ARN as entity alias option [GH-22460]
• auth/aws: add support for external_ids in AWS assume-role [GH-26628]
• auth/cert: Adds support for TLS certificate authenticaion through a reverse proxy that terminates the SSL connection [GH-17272]
• cli: Add events subscriptions commands
• command/server: Removed environment variable requirement to generate pprof files using SIGUSR2. Added CPU profile support. [GH-25391]
• core (enterprise): persist seal rewrap status, so rewrap status API is consistent on secondary nodes.
• core/activity: Include ACME client metrics to precomputed queries [GH-26519]
• core/activity: Include ACME clients in activity log responses [GH-26020]
• core/activity: Include ACME clients in vault operator usage response [GH-26525]
• core/config: reload service registration configuration on SIGHUP [GH-17598]
• core: add deadlock detection in barrier and sealwrap
• license utilization reporting (enterprise): Add retention months to license utilization reports.
• proxy/cache (enterprise): Support new configuration parameter for static secret caching, static_secret_token_capability_refresh_behavior, to control the behavior when the capability refresh request receives an error from Vault.
• proxy: Proxy will re-trigger auto auth if the token used for requests has been revoked, has exceeded the number of uses, or is an otherwise invalid value. [GH-26307]
• raft/snapshotagent (enterprise): upgrade raft-snapshotagent to v0.0.0-20221104090112-13395acd02c5
• replication (enterprise): Add replication heartbeat metric to telemetry
• replication (enterprise): Periodically write current time on the primary to storage, use that downstream to measure replication lag in time, expose that in health and replication status endpoints. [GH-26406]
• sdk/decompression: DecompressWithCanary will now chunk the decompression in memory to prevent loading it all at once. [GH-26464]
• sdk/helper/testcluster: add some new helpers, improve some error messages. [GH-25329]
• sdk/helper/testhelpers: add namespace helpers [GH-25270]
• secrets-sync (enterprise): Added global config path to the administrative namespace.
• secrets/pki (enterprise): Disable warnings about unknown parameters to the various CIEPS endpoints
• secrets/pki: Add a new ACME configuration parameter that allows increasing the maximum TTL for ACME leaf certificates [GH-26797]
• secrets/transform (enterprise): Add delete by token and delete by plaintext operations to Tokenization.
• storage/azure: Perform validation on Azure account name and container name [GH-26135]
• storage/raft (enterprise): add support for separate entry size limit for mount and namespace table paths in storage to allow increased mount table size without allowing other user storage entries to become larger. [GH-25992]
• storage/raft: panic on unknown Raft operations [GH-25991]
• ui (enterprise): Allow HVD users to access Secrets Sync. [GH-26841]
• ui (enterprise): Update dashboard to make activity log query using the same start time as the metrics overview [GH-26729]
• ui (enterprise): Update filters on the custom messages list view. [GH-26653]
• ui: Allow users to wrap inputted data again instead of resetting form [GH-27289]
• ui: Display ACME clients on a separate page in the UI. [GH-26020]
• ui: Hide dashboard client count card if user does not have permission to view clients. [GH-26848]
• ui: Show computed values from sys/internal/ui/mounts endpoint for auth mount configuration view [GH-26663]
• ui: Update PGP display and show error for Generate Operation Token flow with PGP [GH-26993]
• ui: Update language in Transit secret engine to reflect that not all keys are for encyryption [GH-27346]
• ui: Update userpass user form to allow setting password_hash field. [GH-26577]
• ui: fixes cases where inputs did not have associated labels [GH-26263]
• ui: show banner instead of permission denied error when batch token is expired [GH-26396]
• website/docs: Add note about eventual consietency with the MongoDB Atlas database secrets engine [GH-24152]

DEPRECATIONS:

• Request Limiter Beta(enterprise): This Beta feature added in 1.16 has been superseded by Adaptive Overload Protection and will be removed.
• secrets/azure: Deprecate field "password_policy" as we are not able to set it anymore with the new MS Graph API. [GH-25637]

BUG FIXES:

• activity (enterprise): fix read-only storage error on upgrades
• agent: Correctly constructs kv-v2 secret paths in nested namespaces. [GH-26863]
• agent: Fixes a high Vault load issue, by restarting the Conusl template server after backing off instead of immediately. [GH-25497]
• agent: vault.namespace no longer gets incorrectly overridden by auto_auth.namespace, if set [GH-26427]
• api: fixed a bug where LifetimeWatcher routines weren't respecting exponential backoff in the presence of unexpected errors [GH-26383]
• audit: Operator changes to configured audit headers (via /sys/config/auditing) will now force invalidation and be reloaded from storage when data is replicated to other nodes.
• auth/ldap: Fix login error for group search anonymous bind. [GH-26200]
• auth/ldap: Fix login error missing entity alias attribute value. [GH-26200]
• auto-auth: Addressed issue where having no permissions to renew a renewable token caused auto-auth to attempt to renew constantly with no backoff [GH-26844]
• cli/debug: Fix resource leak in CLI debug command. [GH-26167]
• cli: fixed a bug where the Vault CLI would error out if HOME was not set. [GH-26243]
• core (enterprise): Fix 403s returned when forwarding invalid token to active node from secondary.
• core (enterprise): Fix an issue that prevented the seal re-wrap status from reporting that a re-wrap is in progress for up to a second.
• core (enterprise): fix bug where raft followers disagree with the seal type after returning to one seal from two. [GH-26523]
• core (enterprise): fix issue where the Seal HA rewrap system may remain running when an active node steps down.
• core/audit: Audit logging a Vault request/response will now use a minimum 5 second context timeout. If the existing context deadline occurs later than 5s in the future, it will be used, otherwise a new context, separate from the original will be used. [GH-26616]
• core/metrics: store cluster name in unencrypted storage to prevent blank cluster name [GH-26878]
• core/namespace (enterprise): Privileged namespace paths provided in the administrative_namespace_path config will now be canonicalized.
• core/seal: During a seal reload through SIGHUP, only write updated seal barrier on an active node [GH-26381]
• core/seal: allow overriding of VAULT_GCPCKMS_SEAL_KEY_RING and VAULT_GCPCKMS_SEAL_CRYPTO_KEY environment keys in seal-ha
• core: Add missing field delegated_auth_accessors to GET /sys/mounts/:path API response [GH-26876]
• core: Address a data race updating a seal's last seen healthy time attribute [GH-27014]
• core: Fix redact_version listener parameter being ignored for some OpenAPI related endpoints. [GH-26607]
• core: Only reload seal configuration when enable_multiseal is set to true. [GH-26166]
• core: when listener configuration chroot_namespace is active, Vault will no longer report that the configuration is invalid when Vault is sealed
• events (enterprise): Fix bug preventing subscribing and receiving events within a namepace.
• events (enterprise): Terminate WebSocket connection when token is revoked.
• openapi: Fixing approle reponse duration types [GH-25510]
• openapi: added the missing migrate parameter for the unseal endpoint in vault/logical_system_paths.go [GH-25550]
• pki: Fix error in cross-signing using ed25519 keys [GH-27093]
• plugin/wif: fix a bug where the namespace was not set for external plugins using workload identity federation [GH-26384]
• replication (enterprise): fix "given mount path is not in the same namespace as the request" error that can occur when enabling replication for the first time on a secondary cluster
• replication (enterprise): fixed data integrity issue with the processing of identity aliases causing duplicates to occur in rare cases
• router: Fix missing lock in MatchingSystemView. [GH-25191]
• secret/database: Fixed race condition where database mounts may leak connections [GH-26147]
• secrets-sync (enterprise): Fixed an issue with syncing to target projects in GCP
• secrets/azure: Update vault-plugin-secrets-azure to 0.17.2 to include a bug fix for azure role creation [GH-26896]
• secrets/pki (enterprise): cert_role parameter within authenticators.cert EST configuration handler could not be set
• secrets/pki: fixed validation bug which rejected ldap schemed URLs in crl_distribution_points. [GH-26477]
• secrets/transform (enterprise): Fix a bug preventing the use of alternate schemas on PostgreSQL token stores.
• secrets/transit: Use 'hash_algorithm' parameter if present in HMAC verify requests. Otherwise fall back to deprecated 'algorithm' parameter. [GH-27211]
• storage/raft (enterprise): Fix a bug where autopilot automated upgrades could fail due to using the wrong upgrade version
• storage/raft (enterprise): Fix a regression introduced in 1.15.8 that causes autopilot to fail to discover new server versions and so not trigger an upgrade. [GH-27277]
• storage/raft: prevent writes from impeding leader transfers, e.g. during automated upgrades [GH-25390]
• transform (enterprise): guard against a panic looking up a token in exportable mode with barrier storage.
• ui: Do not show resultant-ACL banner when ancestor namespace grants wildcard access. [GH-27263]
• ui: Fix KVv2 cursor jumping inside json editor after initial input. [GH-27120]
• ui: Fix KVv2 json editor to allow null values. [GH-27094]
• ui: Fix a bug where disabling TTL on the AWS credential form would still send TTL value [GH-27366]
• ui: Fix broken help link in console for the web command. [GH-26858]
• ui: Fix configuration link from Secret Engine list view for Ember engines. [GH-27131]
• ui: Fix link to v2 generic secrets engine from secrets list page. [GH-27019]
• ui: Prevent perpetual loading screen when Vault needs initialization [GH-26985]
• ui: Refresh model within a namespace on the Secrets Sync overview page. [GH-26790]
• ui: Remove possibility of returning an undefined timezone from date-format helper [GH-26693]
• ui: Resolved accessibility issues with Web REPL. Associated label and help text with input, added a conditional to show the console/ui-panel only when toggled open, added keyboard focus trap. [GH-26872]
• ui: fix issue where a month without new clients breaks the client count dashboard [GH-27352]
• ui: fixed a bug where the replication pages did not update display when navigating between DR and performance [GH-26325]
• ui: fixes undefined start time in filename for downloaded client count attribution csv [GH-26485]