1.11.0

Unreleased

CHANGES:

• auth/aws: Add RoleSession to DisplayName when using assumeRole for authentication [GH-14954]
• auth: Remove support for legacy MFA (https://www.vaultproject.io/docs/v1.10.x/auth/mfa) [GH-14869]
• core: A request that fails path validation due to relative path check will now be responded to with a 400 rather than 500. [GH-14328]
• core: Bump Go version to 1.17.9. [GH-go-ver-1110]
• licensing (enterprise): Remove support for stored licenses and associated sys/license and sys/license/signed endpoints in favor of autoloaded licenses.
• replication (enterprise): The /sys/replication/performance/primary/mount-filter endpoint has been removed. Please use Paths Filter instead.
• ui: Upgrade Ember to version 3.28 [GH-14763]

FEATURES:

• Non-Disruptive Intermediate/Root Certificate Rotation: This allows import, generation and configuration of any number of keys and/or issuers within a PKI mount, providing operators the ability to rotate certificates in place without affecting existing client configurations. [GH-15277]
• api/command: Global -output-policy flag to determine minimum required policy HCL for a given operation [GH-14899]
• nomad: Bootstrap Nomad ACL system if no token is provided [GH-12451]
• storage/dynamodb: Added AWS_DYNAMODB_REGION environment variable. [GH-15054]

IMPROVEMENTS:

• agent/auto-auth: Add min_backoff to the method stanza for configuring initial backoff duration. [GH-15204]
• agent: Update consult-template to v0.29.0 [GH-15293]
• agent: Upgrade hashicorp/consul-template version for sprig template functions and improved writeTo function [GH-15092]
• api: Add ability to pass certificate as PEM bytes to api.Client. [GH-14753]
• api: Add context-aware functions to vault/api for each API wrapper function. [GH-14388]
• api: Added MFALogin() for handling MFA flow when using login helpers. [GH-14900]
• api: If the parameters supplied over the API payload are ignored due to not being what the endpoints were expecting, or if the parameters supplied get replaced by the values in the endpoint's path itself, warnings will be added to the non-empty responses listing all the ignored and replaced parameters. [GH-14962]
• api: Provide a helper method WithNamespace to create a cloned client with a new NS [GH-14963]
• api: Use the context passed to the api/auth Login helpers. [GH-14775]
• auth/okta: Add support for Google provider TOTP type in the Okta auth method [GH-14985]
• auth: enforce a rate limit for TOTP passcode validation attempts [GH-14864]
• cli/debug: added support for retrieving metrics from DR clusters if unauthenticated_metrics_access is enabled [GH-15316]
• cli/vault: warn when policy name contains upper-case letter [GH-14670]
• cli: Alternative flag-based syntax for KV to mitigate confusion from automatically appended /data [GH-14807]
• cockroachdb: add high-availability support [GH-12965]
• core (enterprise): Include termination_time in sys/license/status response
• core (enterprise): Include termination time in license inspect command output
• core : check uid and permissions of config dir, config file, plugin dir and plugin binaries [GH-14817]
• core,transit: Allow callers to choose random byte source including entropy augmentation sources for the sys/tools/random and transit/random endpoints. [GH-15213]
• core/activity: Order month data in ascending order of timestamps [GH-15259]
• core: Add new DB methods that do not prepare statements. [GH-15166]
• core: Fix some identity data races found by Go race detector (no known impact yet). [GH-15123]
• core: Include build date in sys/seal-status and sys/version-history endpoints. [GH-14957]
• core: Upgrade github.org/x/crypto/ssh [GH-15125]
• sdk: Change OpenAPI code generator to extract request objects into /components/schemas and reference them by name. [GH-14217]
• secrets/consul: Add support for Consul node-identities and service-identities [GH-15295]
• secrets/consul: Vault is now able to automatically bootstrap the Consul ACL system. [GH-10751]
• secrets/pki: Warn when generate_lease and no_store are both set to true on requests. [GH-14292]
• sentinel (enterprise): Upgrade sentinel to v0.18.5 to avoid potential naming collisions in the remote installer
• storage/raft: Use larger timeouts at startup to reduce likelihood of inducing elections. [GH-15042]
• ui: Parse schema refs from OpenAPI [GH-14508]
• ui: Remove storybook. [GH-15074]
• ui: Replaces the IvyCodemirror wrapper with a custom ember modifier. [GH-14659]
• website/docs: added a link to an Enigma secret plugin. [GH-14389]

BUG FIXES:

• Fixed panic when adding or modifying a Duo MFA Method in Enterprise
• agent: Fix log level mismatch between ERR and ERROR [GH-14424]
• api/sys/raft: Update RaftSnapshotRestore to use net/http client allowing bodies larger than allocated memory to be streamed [GH-14269]
• api: Fixes bug where OutputCurlString field was unintentionally being copied over during client cloning [GH-14968]
• api: Respect increment value in grace period calculations in LifetimeWatcher [GH-14836]
• auth/approle: Add maximum length for input values that result in SHA56 HMAC calculation [GH-14746]
• auth: forward requests subject to login MFA from perfStandby to Active node [GH-15009]
• auth: load login MFA configuration upon restart [GH-15261]
• cassandra: Update gocql Cassandra client to fix "no hosts available in the pool" error [GH-14973]
• cli: Fix panic caused by parsing key=value fields whose value is a single backslash [GH-14523]
• cli: kv get command now honors trailing spaces to retrieve secrets [GH-15188]
• core (enterprise): Allow local alias create RPCs to persist alias metadata
• core (enterprise): Fix some races in merkle index flushing code found in testing
• core/config: Only ask the system about network interfaces when address configs contain a template having the format: {{ ... }} [GH-15224]
• core/managed-keys (enterprise): Allow PKCS#11 managed keys to use 0 as a slot number
• core/metrics: Fix incorrect table size metric for local mounts [GH-14755]
• core: Fix double counting for "route" metrics [GH-12763]
• core: Fix panic caused by parsing JSON integers for fields defined as comma-delimited integers [GH-15072]
• core: Fix panic caused by parsing JSON integers for fields defined as comma-delimited strings [GH-14522]
• core: Fix panic caused by parsing policies with empty slice values. [GH-14501]
• core: Fix panic for help request URL paths without /v1/ prefix [GH-14704]
• core: fixed systemd reloading notification [GH-15041]
• core: fixing excessive unix file permissions [GH-14791]
• core: fixing excessive unix file permissions on dir, files and archive created by vault debug command [GH-14846]
• core: pre-calculate namespace specific paths when tainting a route during postUnseal [GH-15067]
• core: report unused or redundant keys in server configuration [GH-14752]
• core: time.After() used in a select statement can lead to memory leak [GH-14814]
• rafft: fix Raft TLS key rotation panic that occurs if active key is more than 24 hours old [GH-15156]
• raft: Ensure initialMmapSize is set to 0 on Windows [GH-14977]
• replication (enterprise): fix panic due to missing entity during invalidation of local aliases. [GH-14622]
• sdk/cidrutil: Only check if cidr contains remote address for IP addresses [GH-14487]
• sdk: Fix OpenApi spec generator to properly convert TypeInt64 to OAS supported int64 [GH-15104]
• sdk: Fix OpenApi spec generator to remove duplicate sha_256 parameter [GH-15163]
• secrets/database: Ensure that a connection_url password is redacted in all cases. [GH-14744]
• secrets/pki: Fix handling of "any" key type with default zero signature bits value. [GH-14875]
• secrets/pki: Fixed bug where larger SHA-2 hashes were truncated with shorter ECDSA CA certificates [GH-14943]
• ui: Fix Generated Token's Policies helpText to clarify that comma separated values are not accepted in this field. [GH-15046]
• ui: Fix KV secret showing in the edit form after a user creates a new version but doesn't have read capabilities [GH-14794]
• ui: Fix issue with KV not recomputing model when you changed versions. [GH-14941]
• ui: Fixes edit auth method capabilities issue [GH-14966]
• ui: Fixes issue logging in with OIDC from a listed auth mounts tab [GH-14916]
• ui: fix firefox inability to recognize file format of client count csv export [GH-15364]
• ui: fix search-select component showing blank selections when editing group member entity [GH-15058]
• ui: masked values no longer give away length or location of special characters [GH-15025]