This page contains the list of deprecations and important or breaking changes for Vault 1.11.x compared to 1.10. Please read it carefully.
Elasticsearch Database Secrets Engine
The Elasticsearch Database Secrets Engine now uses the new /_security base API path instead of /_xpack/security when managing Elasticsearch. If users are on an Elasticsearch version prior to 6, they will need to switch back to the old API path by setting the bool config option
Postgres Library Change
Vault 1.11+ uses pgx instead of lib/pq for Postgres connections. If you are using parameters like fallback_application_name that pgx does not support, you may need to update your connection_url before upgrading to Vault 1.11+.
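A pre-upgrade check for the connection_url change described above, as an added example that is not part of the Vault documentation. It assumes you have collected each Postgres connection_url yourself; the config names, hosts and the FLAGGED_PARAMS set are constructed here, and only fallback_application_name comes from this page.

```python
import shlex
from urllib.parse import parse_qsl, urlsplit

# Parameters to flag. Only fallback_application_name is named on this page;
# extend the set after checking the pgx documentation for your own parameters.
FLAGGED_PARAMS = {"fallback_application_name"}


def connection_params(connection_url):
    """Return the parameter names used in a URL-style or key=value DSN."""
    url = connection_url.strip()
    if url.startswith(("postgres://", "postgresql://")):
        # Vault's {{username}}/{{password}} templates sit outside the query part.
        query = urlsplit(url).query
        return {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
    # Keyword/value form: "host=db user={{username}} sslmode=disable"
    names = set()
    for token in shlex.split(url):
        key, sep, _ = token.partition("=")
        if sep:
            names.add(key.lower())
    return names


def audit(configs):
    """Map each config name to the sorted flagged parameters it uses."""
    findings = {}
    for name, url in configs.items():
        hits = sorted(connection_params(url) & FLAGGED_PARAMS)
        if hits:
            findings[name] = hits
    return findings


# Constructed sample values standing in for the connection_url of each
# Postgres database connection; names and hosts are made up.
SAMPLE_CONFIGS = {
    "orders-db": "postgresql://{{username}}:{{password}}@db1.example.internal:5432/orders"
                 "?sslmode=verify-full&fallback_application_name=vault",
    "billing-db": "host=db2.example.internal user={{username}} password={{password}} "
                  "dbname=billing fallback_application_name='vault billing'",
    "reports-db": "postgresql://{{username}}:{{password}}@db3.example.internal/reports?sslmode=require",
}

if __name__ == "__main__":
    for name, params in audit(SAMPLE_CONFIGS).items():
        print(f"{name}: review before upgrading, uses {', '.join(params)}")
```

Connections that appear in the output need their connection_url updated before the upgrade; the key=value branch does not handle spaces around the equals sign.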
Cluster initialization hangs with
feature no longer successfully attempts to rejoin the raft cluster every 2 seconds following a join failure.
The error occurs when attempting to initialize non-leader nodes with a retry_join stanza. This affects multi-node raft clusters on impacted versions.
The bug was introduced by commit https://github.com/hashicorp/vault/commit/cc6409222ce246ed72d067debe6ffeb8f62f9dad and first reported in https://github.com/hashicorp/vault/issues/16486.
Affects versions 1.11.1, 1.11.2, 1.10.5, and 1.10.6. Versions prior to these are unaffected.
NOTE: This error does not extend to version 1.9.8+, which is slightly different in this portion of the code and does not exhibit the same behavior.
New releases addressing this bug are coming soon.
Rotation configuration persistence issue could lose Transform Tokenization key versions
A rotation, performed manually or via automatic time-based rotation, can result in the loss of intermediate key versions if it happens after a restart or leader change of Vault and the rotation configuration was changed since the initial configuration of the tokenization transform. Tokenized values from these versions would not be decodable. It is recommended that customers who have enabled automatic rotation disable it, and that other customers avoid key rotation until the upcoming fix.
This issue affects Vault Enterprise with ADP versions 1.10.x and higher. A fix will be released in Vault 1.11.9, 1.12.5, and 1.13.1.
LDAP Pagination Issue
There was a regression introduced in 1.11.10 relating to LDAP maximum page sizes, resulting in "no LDAP groups found in groupDN [...] only policies from locally-defined groups available". The issue occurs when upgrading Vault with an instance that has an existing LDAP Auth configuration.
As a workaround, disable paged searching using the following:
vault write auth/ldap/config max_page_size=-1
Affects Vault 1.11.10.