This page contains the list of deprecations and important or breaking changes for Vault 1.11.x compared to 1.10. Please read it carefully.
The Elasticsearch Database Secrets Engine now uses the new /_security base API path instead of /_xpack/security when managing Elasticsearch. Users on an Elasticsearch version prior to 6 will need to switch back to the old API path by setting the bool config option
Vault 1.11+ uses pgx instead of lib/pq for Postgres connections. If you are using parameters like fallback_application_name that pgx does not support, you may need to update your connection_url before upgrading to Vault 1.11+.
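The following pre-upgrade check is an added example, not code from the Vault project or this page. It takes a connection_url in either form Vault accepts (a postgresql:// URL or a libpq keyword/value string), reports parameters that pgx will not accept, and returns a cleaned copy. Only fallback_application_name is taken from the page; the set of parameters, the helper names and the sample connection strings are assumptions made for the example.

```python
"""Pre-upgrade check for the lib/pq -> pgx switch in Vault 1.11+.

Given a Postgres connection_url in either of the two forms Vault accepts
(a postgresql:// URL, or a libpq keyword/value string), report any
parameter that pgx does not understand and return a cleaned copy.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Only fallback_application_name is named on the page; anything further is
# an operator's assumption and should be added deliberately.
PGX_UNSUPPORTED_PARAMS = frozenset({"fallback_application_name"})


def _split_dsn(dsn: str) -> list[tuple[str, str]]:
    """Split a libpq keyword/value string into (key, value) pairs.

    Assumes values contain no whitespace, which holds for Vault's usual
    templated strings (user={{username}} password={{password}} ...).
    """
    pairs = []
    for token in dsn.split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"malformed keyword/value token: {token!r}")
        pairs.append((key, value))
    return pairs


def _pairs(url: str) -> tuple[str, list[tuple[str, str]]]:
    """Return ('url' | 'dsn', [(key, value), ...]) for a connection_url."""
    if "://" in url:
        return "url", parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return "dsn", _split_dsn(url)


def find_unsupported(url: str) -> list[tuple[str, str]]:
    """List the (key, value) parameters in connection_url that pgx would reject."""
    _, pairs = _pairs(url)
    return [(k, v) for k, v in pairs if k in PGX_UNSUPPORTED_PARAMS]


def strip_unsupported(url: str) -> str:
    """Return connection_url with unsupported parameters removed.

    The string is returned untouched when there is nothing to strip, so an
    already-clean {{username}}/{{password}} template is never re-encoded.
    """
    form, pairs = _pairs(url)
    if not any(k in PGX_UNSUPPORTED_PARAMS for k, _ in pairs):
        return url
    kept = [(k, v) for k, v in pairs if k not in PGX_UNSUPPORTED_PARAMS]
    if form == "dsn":
        return " ".join(f"{k}={v}" for k, v in kept)
    parts = urlsplit(url)
    # safe= keeps values such as sslrootcert=/etc/ssl/ca.pem readable.
    query = urlencode(kept, safe="/:{}")
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample connection_url values, not taken from a real Vault config.
    SAMPLES = [
        "postgresql://{{username}}:{{password}}@db.example.internal:5432/vault"
        "?sslmode=verify-full&fallback_application_name=vault",
        "host=db.example.internal port=5432 user={{username}} password={{password}} "
        "dbname=vault sslmode=disable fallback_application_name=vault",
    ]
    for sample in SAMPLES:
        bad = find_unsupported(sample)
        if bad:
            print(f"unsupported for pgx: {bad}")
            print(f"  before: {sample}")
            print(f"  after:  {strip_unsupported(sample)}")
```

Run it against the connection_url values read back from each Postgres database config (the path differs per mount) before the upgrade, and write the cleaned string back with vault write; a connection that still carries a libpq-only parameter will only fail once the new binary first opens the pool.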
feature no longer successfully attempts to rejoin the raft cluster every 2 seconds following a join failure.
The bug was introduced by commit https://github.com/hashicorp/vault/commit/cc6409222ce246ed72d067debe6ffeb8f62f9dad and first reported in https://github.com/hashicorp/vault/issues/16486.
Affects versions 1.11.1, 1.11.2, 1.10.5, and 1.10.6. Versions prior to these are unaffected.
NOTE: This error does not extend to version 1.9.8+, which is slightly different in this portion of the code and does not exhibit the same behavior.
New releases addressing this bug are coming soon.
A key rotation performed manually, or by automatic time-based rotation, after a Vault restart or leader change can result in the loss of intermediate key versions if the rotation configuration was changed at any point after the tokenization transform was first configured. Tokenized values produced under those key versions would no longer be decodable. Customers who have enabled automatic rotation are advised to disable it, and all other customers to avoid key rotation, until the upcoming fix is available.
This issue affects Vault Enterprise with ADP versions 1.10.x and higher. A fix will be released in Vault 1.11.9, 1.12.5, and 1.13.1.
There was a regression introduced in 1.11.10 relating to LDAP maximum page sizes, resulting in the error
no LDAP groups found in groupDN [...] only policies from locally-defined groups available.
The issue occurs when upgrading Vault on an instance that has an existing LDAP Auth configuration.
As a workaround, disable paged searching using the following:
vault write auth/ldap/config max_page_size=-1
Affects Vault 1.11.10.
Vault 1.11 introduced Storage v1, a new storage layout that supports multiple issuers within a single mount. Bug fixes in Vault 1.11.6, 1.12.2, and 1.13.0 corrected a write-ordering issue that led to invalid CA chains. Specifically, incorrectly ordered writes could fail under load, resulting either in the mount being re-migrated the next time it was loaded or in CA chains being silently truncated. This collection of bug fixes introduced Storage v2.
Vault may incorrectly re-migrate legacy issuers that were created before Vault 1.11, migrated to Storage v1, and then deleted before upgrading to a Vault version with Storage v2.
The migration fails when Vault finds managed keys associated with the legacy issuers that were removed from the managed key repository prior to the upgrade.
The migration error appears in Vault logs as:
Error during migration of PKI mount: failed to lookup public key from managed key: no managed key found with uuid
Note: Issuers created in Vault 1.11+ and direct upgrades to a Storage v2 layout are not affected.
The Storage v1 upgrade bug was fixed in Vault 1.14.1, 1.13.5, and 1.12.9.