2022-11-17 21:57:16 +00:00
|
|
|
---
|
|
|
|
layout: docs
|
|
|
|
page_title: Upgrading to Vault 1.13.x - Guides
|
|
|
|
description: |-
|
|
|
|
This page contains the list of deprecations and important or breaking changes
|
|
|
|
for Vault 1.13.x. Please read it carefully.
|
|
|
|
---
|
|
|
|
|
|
|
|
# Overview
|
|
|
|
|
|
|
|
This page contains the list of deprecations and important or breaking changes
|
|
|
|
for Vault 1.13.x compared to 1.12. Please read it carefully.
|
|
|
|
|
|
|
|
## Changes
|
|
|
|
|
2022-11-21 19:11:13 +00:00
|
|
|
@include 'consul-dataplane-upgrade-note.mdx'
|
|
|
|
|
2023-02-28 18:41:59 +00:00
|
|
|
### Active Directory Secrets Engine Deprecation
|
|
|
|
|
|
|
|
The Active Directory (AD) secrets engine has been deprecated as of the Vault 1.13 release.
|
|
|
|
We will continue to support the AD secrets engine in maintenance mode for six major Vault
|
|
|
|
releases. Maintenance mode means that we will fix bugs and security issues but will not add
|
|
|
|
new features. For additional information, see the [deprecation table](/vault/docs/deprecation)
|
|
|
|
and [migration guide](/vault/docs/secrets/ad/migration-guide).
|
|
|
|
|
2022-11-17 21:57:16 +00:00
|
|
|
### AliCloud Auth Role Parameter
|
|
|
|
|
|
|
|
The AliCloud auth plugin will now require the `role` parameter on login. This
|
|
|
|
has always been documented as a required field but the requirement will now be
|
|
|
|
enforced.
|
|
|
|
|
2023-03-15 22:18:44 +00:00
|
|
|
### Mounts associated with removed builtin plugins will result in core shutdown on upgrade
|
|
|
|
|
|
|
|
As of 1.13.0 Standalone (logical) DB Engines and the AppId Auth Method have been
|
|
|
|
marked with the `Removed` status. Any attempt to unseal Vault with
|
|
|
|
mounts backed by one of these builtin plugins will result in an immediate
|
|
|
|
shutdown of the Vault core.
|
|
|
|
|
|
|
|
-> **NOTE** In the event that an external plugin with the same name and type as
|
|
|
|
a deprecated builtin is deregistered, any subsequent unseal will continue to
|
|
|
|
unseal with an unusable auth backend, and a corresponding ERROR log.
|
|
|
|
|
|
|
|
```shell-session
|
|
|
|
$ vault plugin register -sha256=c805cf3b69f704dfcd5176ef1c7599f88adbfd7374e9c76da7f24a32a97abfe1 auth app-id
|
|
|
|
Success! Registered plugin: app-id
|
|
|
|
$ vault auth enable -plugin-name=app-id plugin
|
|
|
|
Success! Enabled app-id auth method at: app-id/
|
|
|
|
$ vault auth list -detailed | grep "app-id"
|
|
|
|
app-id/ app-id auth_app-id_3a8f2e24 system system default-service replicated false false map[] n/a 0018263c-0d64-7a70-fd5c-50e05c5f5dc3 n/a n/a c805cf3b69f704dfcd5176ef1c7599f88adbfd7374e9c76da7f24a32a97abfe1 n/a
|
|
|
|
$ vault plugin deregister auth app-id
|
|
|
|
Success! Deregistered plugin (if it was registered): app-id
|
|
|
|
$ vault plugin list -detailed | grep "app-id"
|
|
|
|
app-id auth v1.13.0+builtin.vault removed
|
|
|
|
$ curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST http://127.0.0.2:8200/v1/sys/seal
|
|
|
|
$ vault operator unseal <key1>
|
|
|
|
...
|
|
|
|
$ vault operator unseal <key2>
|
|
|
|
...
|
|
|
|
$ vault operator unseal <key3>
|
|
|
|
...
|
|
|
|
$ grep "app-id" /path/to/vault.log
|
|
|
|
[ERROR] core: skipping deprecated auth entry: name=app-id path=app-id/ error="mount entry associated with removed builtin"
|
|
|
|
[ERROR] core: skipping initialization for nil auth backend: path=app-id/ type=app-id version="v1.13.0+builtin.vault"
|
|
|
|
```
|
|
|
|
|
|
|
|
The remediation for affected mounts is to downgrade to the previously-used version of Vault
|
|
|
|
environment variable and replace any `Removed` feature with the
|
|
|
|
[preferred alternative
|
|
|
|
feature](/vault/docs/deprecation/faq#q-what-should-i-do-if-i-use-mount-filters-appid-or-any-of-the-standalone-db-engines).
|
|
|
|
|
|
|
|
For more information on the phases of deprecation, see the [Deprecation Notices
|
|
|
|
FAQ](/vault/docs/deprecation/faq#q-what-are-the-phases-of-deprecation).
|
|
|
|
|
|
|
|
#### Impacted Versions
|
|
|
|
|
|
|
|
Affects upgrading from any version of Vault to 1.13.x. All other upgrade paths
|
|
|
|
are unaffected.
|
|
|
|
|
2023-03-15 14:42:02 +00:00
|
|
|
## Known Issues
|
|
|
|
|
2023-03-17 18:07:04 +00:00
|
|
|
@include 'tokenization-rotation-persistence.mdx'
|
|
|
|
|
|
|
|
@include 'ocsp-redirect.mdx'
|
2023-03-20 16:24:05 +00:00
|
|
|
|
|
|
|
### PKI Revocation Request Forwarding
|
|
|
|
|
|
|
|
If a revocation request comes in to a standby or performance secondary node,
|
|
|
|
for a certificate that is present locally, the request will not be correctly
|
|
|
|
forwarded to the active node of this cluster.
|
|
|
|
|
|
|
|
As a workaround, submit revocation requests to the active node only.
|
|
|
|
|
2023-04-07 17:34:42 +00:00
|
|
|
### STS credentials do not return a lease_duration
|
|
|
|
Vault 1.13.0 introduced a change to the AWS Secrets Engine such that it no longer creates leases for STS credentials due
|
|
|
|
to the fact that they cannot be revoked or renewed. As part of this change, a bug was introduced which causes `lease_duration`
|
|
|
|
to always return zero. This prevents the Vault Agent from refreshing STS credentials and may introduce undesired behaviour
|
|
|
|
for anything which relies on a non-zero `lease_duration`.
|
|
|
|
|
|
|
|
For applications that can control what value to look for, the `ttl` value in the response can be used to know when to
|
|
|
|
request STS credentials next.
|
|
|
|
|
|
|
|
An additional workaround for users rendering STS credentials via the Vault Agent is to set the
|
|
|
|
`static-secret-render-interval` for a template using the credentials. Setting this configuration to 15 minutes
|
|
|
|
accommodates the default minimum duration of an STS token and overrides the default render interval of 5 minutes.
|
|
|
|
|
2023-03-20 16:24:05 +00:00
|
|
|
#### Impacted Versions
|
|
|
|
|
|
|
|
Affects Vault 1.13.0 only.
|
2023-05-04 13:05:14 +00:00
|
|
|
|
2023-05-17 20:56:53 +00:00
|
|
|
### LDAP Pagination Issue
|
|
|
|
|
|
|
|
There was a regression introduced in 1.13.2 relating to LDAP maximum page sizes, resulting in
|
|
|
|
an error `no LDAP groups found in groupDN [...] only policies from locally-defined groups available`. The issue
|
|
|
|
occurs when upgrading Vault with an instance that has an existing LDAP Auth configuration.
|
|
|
|
|
|
|
|
As a workaround, disable paged searching using the following:
|
|
|
|
```shell-session
|
|
|
|
vault write auth/ldap/config max_page_size=-1
|
|
|
|
```
|
|
|
|
|
|
|
|
#### Impacted Versions
|
|
|
|
|
|
|
|
Affects Vault 1.13.2.
|
2023-05-04 13:05:14 +00:00
|
|
|
|
|
|
|
### PKI Cross-Cluster Revocation Requests and Unified CRL/OCSP
|
|
|
|
|
|
|
|
When revoking certificates on a cluster that doesn't own the
|
|
|
|
certificate, writing the revocation request will fail with
|
|
|
|
a message like `error persisting cross-cluster revocation request`.
|
|
|
|
Similar errors will appear in the log for failure to write
|
|
|
|
unified CRL and unified delta CRL WAL entries.
|
|
|
|
|
|
|
|
As a workaround, submit revocation requests to the cluster which
|
|
|
|
issued the certificate, or use BYOC revocation. Use cluster-local
|
|
|
|
OCSP and CRLs until this is resolved.
|
|
|
|
|
|
|
|
#### Impacted Versions
|
|
|
|
|
|
|
|
Affects Vault 1.13.0 to 1.13.2. Fixed in 1.13.3.
|
|
|
|
|
|
|
|
On upgrade, all local revocations will be synchronized between
|
|
|
|
clusters; revocation requests are not persisted when failing to
|
|
|
|
write cross-cluster.
|
2023-06-08 19:59:37 +00:00
|
|
|
|
|
|
|
### Slow Startup Time When Storing PKI Certificates
|
|
|
|
|
|
|
|
There was a regression introduced in 1.13.0 where Vault is slow to start because the
|
|
|
|
PKI secret engine performs a list operation on the stored certificates. If a large number
|
|
|
|
of certificates are stored this can cause long start times on active and standby nodes.
|
|
|
|
|
|
|
|
There is currently no workaround for this other than limiting the number of certificates stored
|
|
|
|
in Vault via the [PKI tidy](/vault/api-docs/secret/pki.mdx#tidy) or using `no_store`
|
|
|
|
flag for [PKI roles](/vault/api-docs/secret/pki.mdx#createupdate-role).
|
|
|
|
|
|
|
|
#### Impacted Versions
|
|
|
|
|
|
|
|
Affects Vault 1.13.0+
|