Overview
This page contains the list of deprecations and important or breaking changes for Vault 1.11.x compared to 1.10. Please read it carefully.
Elasticsearch database secrets engine
The Elasticsearch Database Secrets Engine now uses the new /_security base API path instead of /_xpack/security when managing Elasticsearch. If users are on an Elasticsearch version prior to 6, they will need to switch back to the old API path by setting the bool config option use_old_xpack=true.
Changes
Postgres library change
Vault 1.11+ uses pgx instead of lib/pq for Postgres connections. If you are using parameters like fallback_application_name that pgx does not support, you may need to update your connection_url before upgrading to Vault 1.11+.
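A pre-upgrade check for the change above, as an added example (not part of the Vault documentation or code base): it flags parameters in a connection_url that pgx does not support and returns the string without them. Only fallback_application_name comes from this page; the function name, the UNSUPPORTED set and the sample connection strings are constructed for illustration.

```python
from urllib.parse import unquote

# Only fallback_application_name is named in the upgrade note above. Extend
# this set with other parameters you find pgx rejects (assumption: names are
# compared case-insensitively).
UNSUPPORTED = {"fallback_application_name"}


def audit_connection_url(conn, unsupported=UNSUPPORTED):
    """Return (cleaned connection string, list of removed parameter names)."""
    conn = conn.strip()
    if "://" in conn:
        # URL form. Split by hand so {{username}}/{{password}} templates and
        # the original percent-encoding are left untouched.
        base, _, query = conn.partition("?")
        tokens, joiner = [t for t in query.split("&") if t], "&"
    else:
        # Keyword/value form. Assumes no quoted values that contain spaces.
        base, tokens, joiner = "", conn.split(), " "
    kept, removed = [], []
    for token in tokens:
        key = unquote(token.partition("=")[0])
        if key.lower() in unsupported:
            removed.append(key)
        else:
            kept.append(token)
    if base:
        cleaned = base + ("?" + joiner.join(kept) if kept else "")
    else:
        cleaned = joiner.join(kept)
    return cleaned, removed


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    samples = [
        "postgresql://{{username}}:{{password}}@db.example.internal:5432/"
        "postgres?sslmode=verify-full&fallback_application_name=vault",
        "host=db.example.internal user={{username}} password={{password}} "
        "fallback_application_name=vault sslmode=verify-full",
    ]
    for sample in samples:
        cleaned, removed = audit_connection_url(sample)
        print("unsupported:", removed or "none")
        print("cleaned:    ", cleaned)
```

Run it against each connection_url configured on your database secrets engine mounts before upgrading, and review the cleaned value before writing it back.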
Known issues
Cluster initialization hangs with retry_join
The retry_join feature no longer successfully attempts to rejoin the raft cluster every 2 seconds following a join failure.
The error occurs when attempting to initialize non-leader nodes with a retry_join stanza. This affects multi-node raft clusters on impacted versions.
The bug was introduced by commit https://github.com/hashicorp/vault/commit/cc6409222ce246ed72d067debe6ffeb8f62f9dad and first reported in https://github.com/hashicorp/vault/issues/16486.
Impacted versions
Affects versions 1.11.1 and 1.10.5. Versions prior to these are unaffected.
NOTE: This error does not extend to version 1.9.8, which is slightly different in this portion of the code and does not exhibit the same behavior.
New releases addressing this bug are coming soon.
Rotation configuration persistence issue could lose transform tokenization key versions
A rotation, whether performed manually or via automatic time-based rotation, can result in the loss of intermediate key versions if it happens after a Vault restart or leader change and the rotation configuration was changed since the initial configuration of the tokenization transform. Tokenized values from these versions would not be decodable. It is recommended that customers who have enabled automatic rotation disable it, and that other customers avoid key rotation until the upcoming fix.
Affected versions
This issue affects Vault Enterprise with ADP versions 1.10.x and higher. A fix will be released in Vault 1.11.9, 1.12.5, and 1.13.1.
LDAP pagination issue
There was a regression introduced in 1.11.10 relating to LDAP maximum page sizes, resulting in an error "no LDAP groups found in groupDN [...] only policies from locally-defined groups available". The issue occurs when upgrading Vault with an instance that has an existing LDAP Auth configuration.
As a workaround, disable paged searching using the following:
Impacted versions
Affects Vault 1.11.10.