Hi folks,
The Vault team is announcing the release candidate of Vault 1.13.0!
Open-source and Enterprise binaries can be downloaded at [1].
As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing security@hashicorp.com and do not use the public issue tracker. Our security policy and our PGP key can be found at [2].
The major features and improvements in the 1.13.0 release candidate are:
-
PKI improvements:
- Cross Cluster PKI Certificate Revocation: Introducing a new unified OCSP responder and CRL builder that enables a certificate revocations and CRL view across clusters for a given PKI mount.
- PKI UI Beta: New UI introducing cross-signing flow, overview page, roles and keys view.
- Health Checks: Provide a health overview of PKI mounts for proactive actions and troubleshooting.
- Command Line: Simplified CLIs to discover, rotate issuers and related commands for PKI mounts
-
Azure Auth Improvements:
- Rotate-root support: Add the ability to rotate the root account’s client secret defined in the auth method’s configuration via the new
rotate-rootendpoint. - Managed Identities authentication: The auth method now allows any Azure resource that supports managed identities to authenticate with Vault.
- VMSS Flex authentication: Add support for Virtual Machine Scale Set (VMSS) Flex authentication.
- Rotate-root support: Add the ability to rotate the root account’s client secret defined in the auth method’s configuration via the new
-
GCP Secrets Impersonated Account Support: Add support for GCP service account impersonation, allowing callers to generate a GCP access token without requiring Vault to store or retrieve a GCP service account key for each role.
-
Managed Keys in Transit Engine: Support for offloading Transit Key operations to HSMs/external KMS.
-
KMIP Secret Engine Enhancements: Implemented Asymmetric Key Lifecycle Server and Advanced Cryptographic Server profiles. Added support for RSA keys and operations such as: MAC, MAC Verify, Sign, Sign Verify, RNG Seed and RNG Retrieve.
-
Vault as a SSM: Support added to the Vault PKCS#11 provider for mechanisms to create RSA keys. Additionally, the provider now has mechanisms for encryption, decryption, signing and signature verification for AES and RSA keys.
-
Replication (enterprise): We fixed a bug that could cause a cluster to wind up in a permanent merkle-diff/merkle-sync loop and never enter stream-wals, particularly in cases of high write loads on the primary cluster.
-
Share Secrets in Independent Namespaces (enterprise): You can now add users from namespaces outside a namespace hierarchy to a group in a given namespace hierarchy. For Vault Agent, you can now grant it access to secrets outside the namespace where it authenticated, and reduce the number of Agents you need to run.
-
User Lockout: Vault now supports configuration to lock out users when they have consecutive failed login attempts.
-
Event System (Alpha): Vault has a new experimental event system. Events are currently only generated on writes to the KV secrets engine, but external plugins can also be updated to start generating events.
-
Kubernetes authentication plugin bug fix: Ensures a consistent TLS configuration for all k8s API requests. This fixes a bug where it was possible for the http.Client’s Transport to be missing the necessary root CAs to ensure that all TLS connections between the auth engine and the Kubernetes API were validated against the configured set of CA certificates.
-
Kubernetes Secretes Engine on Vault UI: Introducing Kubernetes secret engine support on the UI
-
Client Count UI improvements: Combining current month and previous history into one dashboard
See the Changelog at [3] for the full list of improvements and bug fixes.
See the Feature Deprecation Notice and Plans page [7] for our upcoming feature deprecation plans.
Upcoming in Vault 1.14 we will stop publishing official Dockerhub images and publish only our Verified Publisher images. Users of Docker images should pull from “hashicorp/vault” instead of “vault”.
OSS [5] and Enterprise [6] Docker images will be available soon.
Upgrading
See [4] for general upgrade instructions, and [9] for upgrade instructions and known issues for 1.12.
As always, we recommend upgrading and testing this release in an isolated environment. If you experience any non-security issues, please report them on the Vault GitHub issue tracker or post to the Vault Discuss Forum at [8].
We hope you enjoy Vault 1.13.0!
Sincerely,
The Vault Team
[1] https://releases.hashicorp.com/vault
[3] vault/CHANGELOG.md at main · hashicorp/vault · GitHub
[4] Upgrading Vault - Guides | Vault | HashiCorp Developer
[5] Docker
[6] Docker