Vault 1.16.0-rc2 released!

Hi all,

The Vault team is announcing the second release candidate for 1.16. Release candidates must not be used in production, but your feedback is critical for a smooth final release.

The Community Edition binary can be downloaded at [1]. Enterprise binaries are available to customers as well.

As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing security@hashicorp.com and do not use the public issue tracker. Our security policy and our PGP key can be found at [2].

The major features and improvements in these releases are:

  • Default Lease Count Quota applies a new global default lease count quota of 300k leases for all new installs of Vault (upgraded clusters not included).
  • Ability to enable adaptive concurrency limits (Beta) to resource-constrained HTTP request paths, preventing excessive load on the Vault server
  • Seal HA (Enterprise): To ensure high availability of Vault, admin users can configure more than one seal for auto-unseal and seal wrapping in the event that the current seal provider is non-operational.
  • PKI Enrollment over Secure Transport (EST) (Enterprise Beta): with native support for the EST protocol, customers can easily automate certificate enrollment of EST-compatible devices at scale. Note: This feature is in Beta and not intended for production use.
  • Vault Secrets Sync (Enterprise Beta) syncs secrets from the source in Vault to native secrets managers in AWS, Azure, GCP, GitHub, and Vercel
  • Increased batch size for WAL writes (Enterprise) improves write throughput for customers using Integrated Storage
  • Manual snapshot reporting (Enterprise) allows users to create manual exports of product-license metering data to report to HashiCorp.
  • Containerized Vault Plugins (on Linux only) enable plugins to run in protected runtime environments such as gVisor
  • Plugin environment variables now override environment variables for the Vault server, allowing per-plugin settings for HTTP_PROXY, among others
  • Plugin Workload Identity: Vault can generate identity tokens for plugins to use in workload identity federation authentication flows. This allows the AWS secret engine to be configured without needing sensitive security credentials.
  • Event Notifications alert subscribers of supported Vault events, enabling immediate follow-up actions
  • Customizable UI Banners deliver time-sensitive messages from Vault administrators to users logging in to the Vault UI
  • Vault Proxy Static Secret Caching now supports caching static (KVv1 and KVv2) secrets - multiple requests to Vault Proxy by the same user for the same secret will only require a single request to the Vault server
  • Vault Audit Log Filtering allows users to configure filters that determine which audit entries are sent to which audit devices
  • Controlled Access to Unauthenticated Endpoints gives admins more control over how unauthenticated endpoints in Vault can be accessed and in some cases what information they return
  • Experimental raft-wal option for backing log store removes risk of infinite snapshot loops for follower nodes in large-scale Integrated Storage deployments

See the Changelog at [3] for the full list of improvements and bug fixes.

See the Feature Deprecation Notice and Plans page [8] for our upcoming feature deprecation plans.

Community [6] and Enterprise [7] Docker images will be available soon.


Upgrading

See [4] for general upgrade instructions and [5] for upgrade instructions and known issues.

As always, we recommend upgrading and testing this release in an isolated environment. If you experience any non-security issues, please report them on the Vault GitHub issue tracker or post to the Vault Discuss Forum at [9].

We hope you enjoy Vault 1.16.0-rc2!

Sincerely, The Vault Team

[1] Vault v1.16.0-rc2 Binaries | HashiCorp Releases
[2] Security at HashiCorp
[3] https://github.com/hashicorp/vault/blob/main/CHANGELOG.md
[4] Upgrading Vault - Guides | Vault | HashiCorp Developer
[5] Release Notes | Vault | HashiCorp Developer
[6] Docker
[7] Docker
[8] Feature Deprecation Notice | Vault | HashiCorp Developer
[9] Vault - HashiCorp Discuss