Hi all,
The Vault team is announcing the release candidate for 1.16.
The Community Edition binary can be downloaded at [1]. Enterprise binaries are available to customers as well.
As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing security@hashicorp.com and do not use the public issue tracker. Our security policy and our PGP key can be found at [2].
The major features and improvements in these releases are:
- Default Lease Count Quota applies a new global default lease count quota of 300k leases for all new installs of Vault (upgraded clusters not included).
- Seal HA (Enterprise): to ensure high availability of Vault, admin users can configure more than one seal for auto-unseal and seal wrapping, in the event that the current seal provider is non-operational.
- PKI Enrollment over Secure Transport (EST) (Enterprise Beta): with native support for the EST protocol, customers can easily automate certificate enrollment of EST-compatible devices at scale. Note: this feature is in Beta and not intended for production use.
- Vault Secrets Sync (Enterprise Beta) syncs secrets from their source in Vault to native secrets managers in AWS, Azure, GCP, GitHub, and Vercel.
- Increased batch size for WAL writes (Enterprise) improves write throughput for customers using Integrated Storage.
- Manual snapshot reporting (Enterprise) allows users to create manual exports of product-license metering data to report to HashiCorp.
- Containerized Vault Plugins (Linux only) enable plugins to run in protected runtime environments such as gVisor.
- Plugin environment variables now override the Vault server's environment variables, allowing per-plugin settings for HTTP_PROXY, among others.
- Plugin Workload Identity: Vault can generate identity tokens for plugins to use in workload identity federation authentication flows. This allows the AWS secrets engine to be configured without needing sensitive security credentials.
- Event Notifications alert subscribers to supported Vault events, enabling immediate follow-up actions.
- Customizable UI Banners deliver time-sensitive messages from Vault administrators to users logging in to the Vault UI.
- Vault Proxy Static Secret Caching now supports caching static (KVv1 and KVv2) secrets: multiple requests to Vault Proxy by the same user for the same secret require only a single request to the Vault server.
- Vault Audit Log Filtering allows users to configure filters that determine which audit entries are sent to which audit devices.
- Controlled Access to Unauthenticated Endpoints gives admins more control over how unauthenticated endpoints in Vault can be accessed and, in some cases, what information they return.
- Adaptive concurrency limits on resource-constrained HTTP request paths prevent excessive load on the Vault server.
- The experimental raft-wal option for the backing log store removes the risk of infinite snapshot loops for follower nodes in large-scale Integrated Storage deployments.
See the Changelog at [3] for the full list of improvements and bug fixes.
See the Feature Deprecation Notice and Plans page [8] for our upcoming feature deprecation plans.
Community [6] and Enterprise [7] Docker images will be available soon.
Upgrading
See [4] for general upgrade instructions and [5] for the release notes and known issues.
As always, we recommend upgrading and testing this release in an isolated environment. If you experience any non-security issues, please report them on the Vault GitHub issue tracker or post to the Vault Discuss Forum at [9].
We hope you enjoy Vault 1.16.0-rc1!
Sincerely, The Vault Team
[1] Vault v1.16.0-rc1 Binaries | HashiCorp Releases
[2] https://www.hashicorp.com/security
[3] vault/CHANGELOG.md at main · hashicorp/vault · GitHub
[4] Upgrading Vault - Guides | Vault | HashiCorp Developer
[5] Release Notes | Vault | HashiCorp Developer
[6] https://hub.docker.com/r/hashicorp/vault
[7] Docker
[8] Feature Deprecation Notice | Vault | HashiCorp Developer
[9] Vault - HashiCorp Discuss