Hi all,
The Vault team is announcing the GA release of 1.17, as well as the release of Vault Enterprise 1.16.4 and 1.15.10.
The 1.17 Community Edition release can be downloaded at [1]. Enterprise binaries are also available on our release portal [2]. Community [7] and Enterprise [8] Docker images are also available.
As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing secu...@hashicorp.com and do not use the public issue tracker. Our security policy and our PGP key can be found at [3].
The major features and improvements in these releases are:
- Seal HA (Enterprise): To ensure high availability of Vault, admin users can configure multiple KMS providers with independent seal keys for auto-unseal and seal wrapping, so that Vault keeps operating even when a given seal backend is unavailable.
- PKI - Enrollment over Secure Transport (EST) (Enterprise): With native support for the EST protocol, customers can easily automate certificate enrollment of devices (e.g. network, IoT) and services at scale.
- PKI - Certificate Metadata (Enterprise): Business context information (metadata) can be supplied with a certificate signing request, and upon issuance of the certificate the associated metadata can be retrieved.
- Cipher-based Message Authentication Code (CMAC) (Enterprise): Transit engine supports the CMAC authenticated message digest algorithm based on AES (Advanced Encryption Standard). AES-CMAC is commonly used for message integrity and authenticity in protocols (TLS, IPSec…).
- Separation of ACME clients (Enterprise): Client counting now distinguishes ACME clients from non-entity clients.
- Replication lag detection (Enterprise): Allows users to know when a downstream Vault node or cluster is lagging significantly behind its primary/leader.
- Safer method to increase namespace and mount limits (Enterprise): Adds a field to increase storage entry size only for namespaces and mounts without risking other entries degrading in performance.
- Adaptive Overload Protection (Enterprise Beta): Automatically prevents overloads caused by too many write requests. This feature, disabled by default, replaces the now deprecated beta Request Limiter in the 1.16 release with a more targeted approach to overload handling.
- Workload Identity Federation (Enterprise): Added Workload Identity Federation to the GCP Secrets Engine, GCP Auth Method, Azure Secrets Engine, Azure Auth Method, and AWS Auth Method.
- Auto Auth Improvements: Vault Agent and Vault Proxy configured with Auto Auth will attempt to re-authenticate to the Vault Cluster if the Auto Auth token is revoked, exceeds its maximum number of retries, or is invalid.
This release also fixes a bug where not setting autopilot_upgrade_version in the Vault config would result in the inability to complete an autopilot automated upgrade.
See the Changelog at [4] for the full list of improvements and bug fixes.
See the Feature Deprecation Notice and Plans page [9] for our upcoming feature deprecation plans.
---
Upgrading
See [5] for general upgrade instructions and [6] for upgrade instructions and known issues.
As always, we recommend upgrading and testing this release in an isolated environment. If you experience any non-security issues, please report them on the Vault GitHub issue tracker or post to the Vault Discuss Forum at [10].
We hope you enjoy Vault 1.17.0!
Sincerely, The Vault Team
[1] https://releases.hashicorp.com/vault/1.17.0
[2] https://releases.hashicorp.com
[3] https://www.hashicorp.com/security
[4] https://github.com/hashicorp/vault/blob/main/CHANGELOG.md
[5] https://developer.hashicorp.com/vault/docs/upgrading
[6] https://developer.hashicorp.com/vault/docs/v1.17.x/release-notes
[7] https://hub.docker.com/r/hashicorp/vault
[8] https://hub.docker.com/r/hashicorp/vault-enterprise
[9] https://developer.hashicorp.com/vault/docs/deprecation
[10] https://discuss.hashicorp.com/c/vault