---
layout: docs
page_title: Upgrading to Vault 0.11.0 - Guides
description: |-
  This page contains the list of deprecations and important or breaking changes
  for Vault 0.11.0. Please read it carefully.
---
# Overview

This page contains the list of deprecations and important or breaking changes
for Vault 0.11.0 compared to 0.10.0. Please read it carefully.
## Known issues

### Nomad integration

Users that integrate Vault with Nomad should hold off on upgrading. A modification to
Vault's API is causing a runtime issue with the Nomad to Vault integration.
### Minified JSON policies

Users that generate policies in minified JSON may encounter parsing errors due to
a regression in the policy parser when it encounters repeating brackets. Although
HCL is the official language for policies in Vault, HCL is JSON compatible and JSON
should work in place of HCL. To work around this error, pretty print the JSON policies
or add spaces between repeating brackets. This regression will be addressed in
a future release.
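The following pre-upgrade check is an added example, not code from the Vault documentation or the Vault project: it flags generated JSON policies that contain adjacent closing brackets and applies both workarounds described above (pretty-printing, or inserting a space between repeating brackets). The sample policy text is constructed for the example; the function names are the example's own.

```python
import json
import re

# Constructed sample, not from the Vault docs: a policy emitted by a generator
# as minified JSON. The closing "}}}" run is the repeating-bracket pattern that
# triggers the 0.11.0 parser regression.
MINIFIED_POLICY = '{"path":{"secret/data/app/*":{"capabilities":["read","list"]}}}'

# Two closing brackets or braces with nothing at all between them.
REPEATING_BRACKETS = re.compile(r"[\]}][\]}]")


def has_repeating_brackets(policy_text: str) -> bool:
    """True if the policy text contains adjacent closing brackets/braces."""
    return REPEATING_BRACKETS.search(policy_text) is not None


def pretty_print_policy(policy_text: str) -> str:
    """Workaround 1: re-serialise with indentation so each closer sits on its own line."""
    return json.dumps(json.loads(policy_text), indent=2)


def space_repeating_brackets(policy_text: str) -> str:
    """Workaround 2: stay on one line but put a space between adjacent closers.
    Only use this when no string value in the policy itself contains "]]" or
    "}}", since the substitution does not know about JSON string boundaries."""
    return re.sub(r"([\]}])(?=[\]}])", r"\1 ", policy_text)


def same_policy(a: str, b: str) -> bool:
    """Confirm a workaround changed only whitespace, not the policy's meaning."""
    return json.loads(a) == json.loads(b)


def audit_policies(policies: dict) -> list:
    """Names of policies (name -> JSON text) that need a workaround before upgrading."""
    return sorted(name for name, text in policies.items() if has_repeating_brackets(text))


if __name__ == "__main__":
    print("needs workaround:", has_repeating_brackets(MINIFIED_POLICY))
    print(pretty_print_policy(MINIFIED_POLICY))
```

Pretty-printing is the safer of the two workarounds because it round-trips through a JSON parser and cannot touch string contents; the space-insertion variant is kept for pipelines that must emit single-line policies.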
### Common mount prefixes

Before running the upgrade, users should run `vault secrets list` and `vault auth list`
to check their mount table to ensure that mounts do not have common prefix "folders".
For example, if there is a mount with path `team1/` and a mount with path `team1/secrets`,
Vault will fail to unseal. Before upgrade, these mounts must be remounted at a path that
does not share a common prefix.
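The check above can be automated over the output of the two listing commands. This is an added example, not code from the Vault documentation: it takes JSON shaped like `vault secrets list -format=json` and `vault auth list -format=json` (the sample listings below are constructed) and reports every pair of mounts where one path is a folder prefix of another. Auth methods are prefixed with `auth/` because that is where they sit in the mount table; the function names are the example's own.

```python
import json

# Constructed sample output, not a real mount table: shaped like the JSON that
# `vault secrets list -format=json` and `vault auth list -format=json` print,
# where each top-level key is a mount path.
SECRETS_LIST_JSON = """{
  "cubbyhole/":     {"type": "cubbyhole"},
  "secret/":        {"type": "kv"},
  "team1/":         {"type": "kv"},
  "team1/secrets/": {"type": "kv"},
  "teams/":         {"type": "kv"},
  "teams2/":        {"type": "kv"}
}"""

AUTH_LIST_JSON = """{
  "token/":   {"type": "token"},
  "approle/": {"type": "approle"}
}"""


def mount_paths(secrets_json: str, auth_json: str) -> list:
    """Collect every mount path from both listings, normalised to end in '/'.
    Auth methods live under auth/ in the mount table, so prefix them."""
    paths = list(json.loads(secrets_json))
    paths += ["auth/" + p for p in json.loads(auth_json)]
    return sorted(p if p.endswith("/") else p + "/" for p in paths)


def find_prefix_conflicts(paths: list) -> list:
    """Return (parent, child) pairs where one mount path is a folder prefix of
    another. Because paths end in '/', 'team1/' is a prefix of 'team1/secrets/'
    but 'teams/' is not a prefix of 'teams2/'."""
    conflicts = []
    for parent in paths:
        for child in paths:
            if parent != child and child.startswith(parent):
                conflicts.append((parent, child))
    return conflicts


if __name__ == "__main__":
    for parent, child in find_prefix_conflicts(mount_paths(SECRETS_LIST_JSON, AUTH_LIST_JSON)):
        print(f"remount before upgrading: {child} shares prefix folder {parent}")
```

The trailing-slash normalisation matters: comparing raw strings would wrongly flag `teams/` against `teams2/`, while comparing slash-terminated paths only matches true folder nesting.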
## Changes since 0.10.4

### Request timeouts

A default request timeout of 90s is now enforced. This setting can be
overridden in the config file. If you anticipate requests taking longer than
90s, this setting should be configured before upgrading.
### `sys/` top level injection

For the last two years, for backwards compatibility, data for various `sys/`
routes has been injected into both the Secret's Data map and into the top level
of the JSON response object. However, this has some subtle issues that pop up
from time to time and is becoming increasingly complicated to maintain, so it's
finally being removed.
### Path fallback for list operations

For a very long time Vault has automatically adjusted `list` operations to
always end in a `/`, as list operations operate on prefixes, so all list
operations by definition end with `/`. This was done server-side, so it affects all
clients. However, this has also led to a lot of confusion for users writing
policies that assume that the path they use in the CLI is the path used
internally. Starting in 0.11, ACL policies gain a new fallback rule for
listing: they will use a matching path ending in `/` if available, but if not
found, they will look for the same path without a trailing `/`. This allows
putting `list` capabilities in the same path block as most other capabilities
for that path, while not providing any extra access if `list` wasn't actually
provided there.
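The fallback rule is easiest to reason about as a small resolver. The block below is an added example, not Vault's ACL code: it models a policy as a map from exact path to capability set (constructed sample; glob matching is deliberately left out) and applies the 0.11 rule to a list request, showing that a `/`-terminated block takes precedence when present and that the bare-path fallback never grants more than that block states.

```python
# Constructed policy, not from the Vault docs: capabilities per exact path block.
# Real policies also support glob matching; this toy resolver only handles
# exact paths, which is enough to show the trailing-slash fallback.
POLICY = {
    "secret/metadata/app/":   {"list"},
    "secret/metadata/app":    {"read", "update"},
    "secret/metadata/db":     {"read", "list"},
    "secret/metadata/logs":   {"read"},
    "secret/metadata/cache/": {"read"},
    "secret/metadata/cache":  {"read", "list"},
}


def normalize_list_path(path: str) -> str:
    """Vault rewrites list requests server-side so the path always ends in '/'."""
    return path if path.endswith("/") else path + "/"


def list_allowed(policy: dict, request_path: str) -> bool:
    """Resolve a list request under the 0.11 rule: use the path block ending in
    '/' if one exists; otherwise fall back to the same path without the slash.
    The fallback only ever adds access that the bare block explicitly grants."""
    slashed = normalize_list_path(request_path)
    if slashed in policy:
        return "list" in policy[slashed]
    bare = slashed[:-1]
    if bare in policy:
        return "list" in policy[bare]
    return False


if __name__ == "__main__":
    for p in ("secret/metadata/app", "secret/metadata/db",
              "secret/metadata/logs", "secret/metadata/cache"):
        print(f"list {p!r}: {'allowed' if list_allowed(POLICY, p) else 'denied'}")
```

The `cache` entries show the precedence case: because a `secret/metadata/cache/` block exists, its lack of `list` wins even though the bare `secret/metadata/cache` block grants it. The `logs` entry shows the "no extra access" property: falling back to a bare block that has only `read` still denies the list.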
### Performance standbys on by default

If your flavor/license of Vault Enterprise supports Performance Standbys, they
are on by default. You can disable this behavior per-node with the
`disable_performance_standby` configuration flag.
### AWS secret engine roles

Roles in the AWS Secret Engine were previously ambiguous. For example, if the
`arn` parameter had been specified, that could have been interpreted as the ARN
of an AWS IAM policy to attach to an IAM user or it could have been the ARN of
an AWS role to assume. Now, types are explicit, both in terms of what
credential type is being requested (e.g., an IAM User or an Assumed Role?) as
well as the parameters being sent to Vault (e.g., the IAM policy document
attached to an IAM user or used during a GetFederationToken call). All
credential retrieval remains backwards compatible, as does updating role data.
However, the data returned when reading role data is now different and
breaking, so anything which reads role data out of Vault will need to be
updated to handle the new role data format.

While creating/updating roles remains backwards compatible, the old parameters
are now considered deprecated. You should use the new parameters as documented
in the API docs.

As part of this, the `/aws/creds/` and `/aws/sts/` endpoints have been merged,
with the behavior only differing as specified below. The `/aws/sts/` endpoint
is considered deprecated and should only be used when needing backwards
compatibility.

All roles will be automatically updated to the new role format when accessed.
However, due to the way role data was previously being stored in Vault, it's
possible that invalid data was stored that both makes the upgrade impossible
and would have made the role unable to retrieve credentials. In this
situation, the previous role data is returned in an `invalid_data` key so you
can inspect what used to be in the role and correct the role data if desired.

One consequence of the prior AWS role storage format is that a single Vault
role could have led to two different AWS credential types being retrieved when
a `policy` parameter was stored. In this case, these legacy roles will be
allowed to retrieve both IAM User and Federation Token credentials, with the
credential type depending on the path used to access it (IAM User if accessed
via the `/aws/creds/<role_name>` endpoint and Federation Token if accessed via
the `/aws/sts/<role_name>` endpoint).
## Full list since 0.10.0

### Revocations of dynamic secrets leases now asynchronous

Dynamic secret lease revocations are now queued/asynchronous rather
than synchronous. This allows Vault to take responsibility for revocation
even if the initial attempt fails. The previous synchronous behavior can be
attained via the `-sync` CLI flag or `sync` API parameter. When in
synchronous mode, if the operation results in failure it is up to the user
to retry.
### CLI retries

The CLI will no longer retry commands on 5xx errors. This was a
source of confusion to users as to why Vault would "hang" before returning a
5xx error. The Go API client still defaults to two retries.
### Identity entity alias metadata

You can no longer manually set metadata on
entity aliases. All alias data (except the canonical entity ID it refers to)
is intended to be managed by the plugin providing the alias information, so
allowing it to be set manually didn't make sense.
### Convergent encryption version 3

If you are using `transit`'s convergent encryption feature, which prior to this
release was at version 2, we recommend
[rotating](/vault/api-docs/secret/transit#rotate-key)
your encryption key (the new key will use version 3) and
[rewrapping](/vault/api-docs/secret/transit#rewrap-data)
your data to mitigate the chance of offline plaintext-confirmation attacks.
### PKI duration return types

The PKI backend now returns durations (e.g. when reading a role) as an integer
number of seconds instead of a Go-style string.