Vault 1.16.0-rc1 released!


Tony Wittinger

Feb 14, 2024, 8:18:11 PM
to HashiCorp Announcements

Hi all,


The Vault team is announcing the release candidate for 1.16.


Community Edition binary can be downloaded at [1]. Enterprise binaries are available to customers as well.


As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing secu...@hashicorp.com and do not use the public issue tracker. Our security policy and our PGP key can be found at [2].


The major features and improvements in these releases are:


  • Default Lease Count Quota applies a new global default lease count quota of 300k leases for all new installs of Vault (upgraded clusters not included).

  • Seal HA (Enterprise): To ensure high availability of Vault, admin users can configure more than one seal for auto-unseal and seal wrapping in the event that the current seal provider is non-operational.

  • PKI Enrollment over Secure Transport (EST) (Enterprise Beta): with native support for EST protocol, customers can easily automate certificate enrollment of EST compatible devices at scale. Note: This feature is in Beta and not intended for production use. 

  • Vault Secrets Sync (Enterprise Beta) syncs secrets from the source in Vault to native secrets managers in AWS, Azure, GCP, GitHub, and Vercel

  • Increased batch size for WAL writes (Enterprise) improves write throughput for customers using Integrated Storage

  • Manual snapshot reporting (Enterprise) allows users to create manual exports of product-license metering data to report to HashiCorp. 

  • Containerized Vault Plugins (on Linux only) enable plugins to run in protected runtime environments such as gVisor

  • Plugin environment variables now override environment variables for the Vault server, allowing per-plugin settings for HTTP_PROXY, among others

  • Plugin Workload Identity: Vault can generate identity tokens for plugins to use in workload identity federation authentication flows. This allows the AWS secret engine to be configured without needing sensitive security credentials.

  • Event Notifications alert subscribers of supported Vault events, enabling immediate followup actions

  • Customizable UI Banners deliver time-sensitive messages from Vault administrators to users logging in to the Vault UI

  • Vault Proxy Static Secret Caching now supports caching static (KVv1 and KVv2) secrets - multiple requests to Vault Proxy by the same user for the same secret will only require a single request to the Vault server

  • Vault Audit Log Filtering allows users to configure filters that determine which audit entries are sent to which audit devices

  • Controlled Access to Unauthenticated Endpoints gives admins more control over how unauthenticated endpoints in Vault can be accessed and in some cases what information they return

  • Adaptive concurrency limits to resource-constrained HTTP request paths prevent excessive loads on the Vault server

  • Experimental raft-wal option for backing log store removes risk of infinite snapshot loops for follower nodes in large-scale Integrated Storage deployments


See the Changelog at [3] for the full list of improvements and bug fixes.


See the Feature Deprecation Notice and Plans page [8] for our upcoming feature deprecation plans.


Community [6] and Enterprise [7] Docker images will be available soon.


---


Upgrading


See [4] for general upgrade instructions and [5] for upgrade instructions and known issues.


As always, we recommend upgrading and testing this release in an isolated environment. If you experience any non-security issues, please report them on the Vault GitHub issue tracker or post to the Vault Discuss Forum at [9].


We hope you enjoy Vault 1.16.0-rc1!


Sincerely, The Vault Team


[1] https://releases.hashicorp.com/vault/1.16.0-rc1

[2] https://www.hashicorp.com/security

[3] https://github.com/hashicorp/vault/blob/main/CHANGELOG.md 

[4] https://developer.hashicorp.com/vault/docs/upgrading

[5] https://developer.hashicorp.com/vault/docs/v1.16.x/release-notes

[6] https://hub.docker.com/r/hashicorp/vault

[7] https://hub.docker.com/r/hashicorp/vault-enterprise

[8] https://developer.hashicorp.com/vault/docs/deprecation

[9] https://discuss.hashicorp.com/c/vault