Commit in a fork of hashicorp/vault
backport of commit 7b2ff1f (hashicorp#19382)
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
1 parent a5edc66, commit 478b6f1. Showing 2 changed files with 117 additions and 0 deletions.
@@ -0,0 +1,113 @@ | ||
--- | ||
layout: docs | ||
page_title: 1.13.0 | ||
description: |- | ||
This page contains release notes for Vault 1.13.0 | ||
--- | ||
|
||
# Vault 1.13.0 Release Notes | ||
|
||
**Software Release date:** March 1, 2023 | ||
|
||
**Summary:** Vault Release 1.13.0 offers features and enhancements that improve | ||
the user experience while solving critical issues previously encountered by our | ||
customers. We are providing an overview of improvements in this set of release | ||
notes. | ||
|
||
We encourage you to [upgrade](/vault/docs/upgrading) to the latest release of | ||
Vault to take advantage of the new benefits provided. With this latest release, | ||
we offer solutions to critical feature gaps that were identified previously. | ||
Please refer to the | ||
[Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md#1130-rc1) | ||
within the Vault release for further information on product improvements, | ||
including a comprehensive list of bug fixes. | ||
|
||
Some of these enhancements and changes in this release include the following: | ||
|
||
- **PKI improvements:** | ||
- **Cross Cluster PKI Certificate Revocation:** Introducing a new unified | ||
OCSP responder and CRL builder that enables a certificate revocations and | ||
CRL view across clusters for a given PKI mount. | ||
- **PKI UI Beta:** New UI introducing cross-signing flow, overview page, | ||
roles and keys view. | ||
- **Health Checks:** Provide a health overview of PKI mounts for proactive | ||
actions and troubleshooting. | ||
- **Command Line:** Simplified CLI to discover, rotate issuers and related | ||
commands for PKI mounts | ||
|
||
- **Azure Auth Improvements:** | ||
- **Rotate-root support:** Add the ability to rotate the root account's | ||
client secret defined in the auth method's configuration via the new | ||
`rotate-root` endpoint. | ||
- **Managed Identities authentication:** The auth method now allows any Azure | ||
resource that supports managed identities to authenticate with Vault. | ||
- **VMSS Flex authentication:** Add support for Virtual Machine Scale Set | ||
(VMSS) Flex authentication. | ||
|
||
- **GCP Secrets Impersonated Account Support:** Add support for GCP service | ||
account impersonation, allowing callers to generate a GCP access token without | ||
requiring Vault to store or retrieve a GCP service account key for each role. | ||
- **Managed Keys in Transit Engine:** Support for offloading Transit Key | ||
operations to HSMs/external KMS. | ||
- **KMIP Secret Engine Enhancements:** Implemented Asymmetric Key Lifecycle | ||
Server and Advanced Cryptographic Server profiles. Added support for RSA keys | ||
and operations such as: MAC, MAC Verify, Sign, Sign Verify, RNG Seed and RNG | ||
Retrieve. | ||
- **Vault as a SSM:** Support is planned for an upcoming Vault PKCS#11 Provider | ||
version to include mechanisms for encryption, decryption, signing and | ||
signature verification for AES and RSA keys. | ||
- **Replication (enterprise):** We fixed a bug that could cause a cluster to | ||
wind up in a permanent merkle-diff/merkle-sync loop and never enter | ||
stream-wals, particularly in cases of high write loads on the primary cluster. | ||
- **Share Secrets in Independent Namespaces (enterprise):** You can now add | ||
users from namespaces outside a namespace hierarchy to a group in a given | ||
namespace hierarchy. For Vault Agent, you can now grant it access to secrets | ||
outside the namespace where it authenticated, and reduce the number of Agents | ||
you need to run. | ||
- **User Lockout:** Vault now supports configuration to lock out users when they | ||
have consecutive failed login attempts. | ||
- **Event System (Alpha):** Vault has a new experimental event system. Events | ||
are currently only generated on writes to the KV secrets engine, but external | ||
plugins can also be updated to start generating events. | ||
- **Kubernetes authentication plugin bug fix:** Ensures a consistent TLS | ||
configuration for all k8s API requests. This fixes a bug where it was possible | ||
for the http.Client's Transport to be missing the necessary root CAs to ensure | ||
that all TLS connections between the auth engine and the Kubernetes API were | ||
validated against the configured set of CA certificates. | ||
- **Kubernetes Secretes Engine on Vault UI:** Introducing Kubernetes secret | ||
engine support on the UI | ||
- **Client Count UI improvements:** Combining current month and previous history | ||
into one dashboard | ||
- **OCSP Support in the TLS Certificate Auth Method:** The auth method now can | ||
check for revoked certificates using the OCSP protocol. | ||
- **UI Wizard removal:** The UI Wizard has been removed from the UI since the | ||
information was occasionally out-of-date and did not align with the latest | ||
changes. A new and enhanced UI experience is planned in a future release. | ||
|
||
- **Vault Agent improvements:** | ||
- Auto-auth introduced `token_file` method which reads an existing token from | ||
a file. The token file method is designed for development and testing. It | ||
is not suitable for production deployment. | ||
- Listeners for the Vault Agent can define a role set to `metrics_only` so | ||
that a service can be configured to listen on a particular port to collect | ||
metrics. | ||
- Vault Agent can read configurations from multiple files. | ||
- Users can specify the log file path using the `-log-file` command flag or | ||
`VAULT_LOG_FILE` environment variable. This is particularly useful when | ||
Vault Agent is running as a Windows service. | ||
|
||
- **OpenAPI-based Go & .NET Client Libraries (Public Beta):** Use the new Go & | ||
.NET client libraries to interact with the Vault API from your applications. | ||
- [OpenAPI-based Go client library](https://github.com/hashicorp/vault-client-go/) | ||
- [OpenAPI-based .NET client library](https://github.com/hashicorp/vault-client-dotnet/) | ||
|
||
## Known issues | ||
|
||
There are no known issues documented for this release. | ||
|
||
## Feature Deprecations and EOL | ||
|
||
Please refer to the [Deprecation Plans and Notice](/vault/docs/deprecation) page | ||
for up-to-date information on feature deprecations and plans. A [Feature | ||
Deprecation FAQ](/vault/docs/deprecation/faq) page addresses questions about | ||
decisions made about Vault feature deprecations. |
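Review bot: the Changelog link in the intro points at the `#1130-rc1` anchor, but this file documents the GA release (page_title `1.13.0`, release date March 1, 2023), so it should point at the 1.13.0 section of CHANGELOG.md rather than the release-candidate entry. Same hunk, the "Vault as a SSM" bullet says support "is planned for an upcoming Vault PKCS#11 Provider version"; release notes should list what ships in this version, so either drop that bullet or mark it explicitly as a forward-looking note (and "a SSM" should read "an SSM"). Wording fixes: "enables a certificate revocations and CRL view across clusters" should be "enables a certificate revocation and CRL view across clusters", and "Kubernetes Secretes Engine on Vault UI" should be "Kubernetes Secrets Engine on Vault UI". The `token_file` auto-auth bullet correctly warns that the method is for development and testing only and not suitable for production; keep that warning as written.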