Vault 1.19.0-rc1 released!

[Tom Chwojko-Frank]

Hi all,

The Vault team is announcing the release candidate for 1.19. Release candidates must not be used in production, but your feedback is critical for a smooth final release.

The 1.19 Community Edition release candidate[1]. Enterprise binaries are available to customers as well.

As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing secu...@hashicorp.com and do not use the public issue tracker. Our security policy and our PGP key can be found at [2].

The major features and improvements in these releases are:

• Vault PKI Support for Constrained CAs: [ENT] Customers can set up constrained  intermediate CAs to limit certificate issuance to specific workloads to improve security. This feature will also enable secure delegation of PKI administration.

• Vault Supports PQC algorithms (ml-dsa):[ENT] Vault Transit engine support for ml-dsa (sig/verify) PQC algorithm enables customers to experiment with, and validate their systems for post-quantum readiness.  

• Resolution of Identity duplicates: Bugs in older versions of Vault have caused some users' clusters to have duplicate entries in the Identity engine, which can trigger unexpected behavior. There is now a flag that can be set for a one-time cleanup of all duplicate Identity artifacts in the cluster. To determine if your cluster has duplicates and for further instructions, please follow this guide[10]. We have also made Vault's loading of entities faster and more deterministic to prevent duplicates in the future.

• External Enterprise Plugins: Vault Enterprise secrets engines and authentication plugins are able to be run external to the Vault binary, for deployments that require plugin-specific control of outbound network traffic via HTTP_PROXY environment variables.

• Client Counting Bug Fixes: We addressed some issues that were causing errors or discrepancies when counting client activity on authentication methods or in namespaces that were deleted when the activity was counted. We also normalized start and end times for client counting queries across our APIs to ensure consistency.

See the Changelog at [3] for the full list of improvements and bug fixes.

See the Feature Deprecation Notice and Plans page [8] for our upcoming feature deprecation plans.

Community [6] and Enterprise [7] Docker images will be available soon.

---

Upgrading

See [4] for general upgrade instructions and [5] for upgrade instructions and known issues.

As always, we recommend upgrading and testing this release in an isolated environment. If you experience any non-security issues, please report them on the Vault GitHub issue tracker or post to the Vault Discuss Forum at [9].

We hope you enjoy Vault 1.19.0-rc1!

Sincerely, The Vault Team

[1] https://releases.hashicorp.com/vault/1.19.0-rc1  

[2] https://www.hashicorp.com/security

[3] https://github.com/hashicorp/vault/blob/main/CHANGELOG.md 

[4] https://developer.hashicorp.com/vault/docs/upgrading

[5] https://developer.hashicorp.com/vault/docs/v1.19.x/release-notes

[6] https://hub.docker.com/r/hashicorp/vault

[7] https://hub.docker.com/r/hashicorp/vault-enterprise

[8] https://developer.hashicorp.com/vault/docs/deprecation

[9] https://discuss.hashicorp.com/c/vault

[10] https://developer.hashicorp.com/vault/docs/upgrading/deduplication