Hi all,
The Vault team is announcing the first release candidate for Vault 1.20. Release candidates must not be used in production, but your feedback is critical for a smooth final release.
The 1.20 Community Edition and Enterprise release candidate binaries are available on our releases portal[1,10].
As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing security@hashicorp.com and do not use the public issue tracker. Our security policy and our PGP key can be found at [2].
Major upgrade considerations for Vault 1.20 are:
- Reliability Improvements for Memory Management: Users of Vault Integrated Storage must configure the disable_mlock option before upgrading. Previously, the default was false. This value must now be explicitly configured or the Vault server will fail to start.
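The following pre-upgrade check is an added example and is not code from the Vault team or part of this announcement. It scans a Vault server configuration file and reports whether a storage "raft" (Integrated Storage) stanza is present without an explicit disable_mlock setting, which is the condition under which a 1.20 server will refuse to start. The sample config files, paths and node IDs it writes are constructed placeholders; which value of disable_mlock to use is a deployment decision that the check deliberately does not make.

```shell
#!/bin/sh
# Added example, not code from the Vault team or the announcement above.
# Pre-upgrade check for the Vault 1.20 requirement that Integrated Storage
# (raft) users set disable_mlock explicitly. All paths, addresses and node
# names below are constructed placeholders.

# check_mlock_config FILE
#   returns 0 when FILE does not use storage "raft" or already sets disable_mlock,
#   returns 1 when FILE uses storage "raft" without an explicit disable_mlock.
check_mlock_config() {
  cfg="$1"
  # Drop '#' and '//' comment lines so a commented-out setting does not count.
  active=$(grep -Ev '^[[:space:]]*(#|//)' "$cfg")
  if ! printf '%s\n' "$active" | grep -Eq '^[[:space:]]*storage[[:space:]]+"raft"'; then
    echo "$cfg: not using Integrated Storage; no change required"
    return 0
  fi
  if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*disable_mlock[[:space:]]*='; then
    echo "$cfg: disable_mlock is set explicitly; ready for 1.20"
    return 0
  fi
  echo "$cfg: storage \"raft\" without disable_mlock; Vault 1.20 will fail to start" >&2
  return 1
}

# Constructed sample configs for demonstration.
WORKDIR=$(mktemp -d)

# Pre-1.20 style: relies on the old implicit default for disable_mlock.
cat > "$WORKDIR/pre-1.20.hcl" <<'EOF'
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "node-1"
}
listener "tcp" {
  address       = "127.0.0.1:8200"
  tls_cert_file = "/etc/vault/tls/server.crt"
  tls_key_file  = "/etc/vault/tls/server.key"
}
api_addr     = "https://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"
EOF

# Same cluster with the setting made explicit. The value chosen here is only a
# placeholder; the 1.20 requirement is that the key be present at all.
{ echo 'disable_mlock = true'; cat "$WORKDIR/pre-1.20.hcl"; } > "$WORKDIR/ready-for-1.20.hcl"

# A non-raft backend: the requirement does not apply.
cat > "$WORKDIR/consul.hcl" <<'EOF'
storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
}
listener "tcp" {
  address       = "127.0.0.1:8200"
  tls_cert_file = "/etc/vault/tls/server.crt"
  tls_key_file  = "/etc/vault/tls/server.key"
}
EOF

# Run the check over all three; '|| true' keeps the loop going on a failure.
for f in pre-1.20 ready-for-1.20 consul; do
  check_mlock_config "$WORKDIR/$f.hcl" || true
done
```

Run it against every config file your service unit passes to vault server before rolling out 1.20; a non-zero exit from check_mlock_config on a raft-backed node is the case the upgrade note warns about.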
The major features and improvements in Vault 1.20 are:
- PKI Support for SCEP (Enterprise): Vault PKI enables customers to automate certificate enrollment of network and end-user corporate devices that are compatible with SCEP (Simple Certificate Enrollment Protocol).
- SSH Managed Keys (Enterprise): Enables customers to configure SSH secrets engine to delegate signing via HSMs, to address high assurance needs.
- Development Cluster Configuration (Enterprise): Added development_cluster as a field to Vault's utilization reports, to assist with accurate license metering.
- Identity-based and collective rate limit quotas (Enterprise): Extends the rate limit quotas feature with a new group_by field. Instead of relying on IPs, customers can now group by entity ID or set collective limits on traffic going to a namespace, path, mount, or globally.
- Event notifications data consistency (Enterprise): Event notifications include metadata to prevent stale data reads from secondary nodes during periods of high Vault load.
- Secret Recovery (Enterprise): Adds the capability to load a snapshot and recover an individual secret from the snapshot, avoiding the need to restore the cluster from backup for a single value. In 1.20, this is only supported for KV_V1 and cubbyhole. If you have feedback on additional secrets engines to prioritize for 1.21, please reach out to your primary contact within HashiCorp or file a GitHub issue.
- Usage Dashboard (Enterprise): Adds a cluster-by-cluster view of Vault usage: which secrets engines are being used, how users are authenticating, the status of your clusters (including DR and PR), and global lease count quota consumption. Please reach out to your primary contact within HashiCorp for more information about future reporting enhancements, and keep an eye on our release notes.
See the Changelog at [3] for the full list of improvements and bug fixes.
See the Feature Deprecation Notice and Plans page [8] for our upcoming feature deprecation plans.
Community [6] and Enterprise [7] Docker images will be available soon.
Upgrading
See [4] for general upgrade instructions and [5] for release-specific upgrade notes and known issues.
As always, we recommend upgrading and testing this release in an isolated environment. If you experience any non-security issues, please report them on the Vault GitHub issue tracker or post to the Vault Discuss Forum at [9].
We hope you enjoy Vault 1.20 RC1!
Sincerely, The Vault Team
[1] Vault v1.20.0-rc1 Binaries | HashiCorp Releases
[2] Security at HashiCorp
[3] https://github.com/hashicorp/vault/blob/main/CHANGELOG.md
[4] Upgrade Vault | Vault | HashiCorp Developer
[5] Vault release notes | Vault | HashiCorp Developer
[6] https://hub.docker.com/r/hashicorp/vault
[7] https://hub.docker.com/r/hashicorp/vault-enterprise
[8] Deprecation notices | Vault | HashiCorp Developer
[9] Vault - HashiCorp Discuss
[10] Vault v1.20.0-rc1+ent Binaries | HashiCorp Releases