Docs: Add known issue for 1.12.1 builtin plugin version upgrades (#17783)

This commit is contained in:
Tom Proctor 2022-11-02 21:36:49 +00:00 committed by GitHub
parent e9ced09e70
commit ab658a3479
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -16,3 +16,59 @@ for Vault 1.12.x compared to 1.11. Please read it carefully.
Vault Enterprise will now perform a supported storage check at startup. There is no impact on open-source Vault users.
@include 'ent-supported-storage.mdx'
## Known Issues
### Pinning to builtin plugin versions may cause failure on upgrade
1.12.0 introduced plugin versions, and with it, the ability to explicitly specify
the builtin version of a plugin when mounting an auth, database or secrets plugin.
For example, `vault auth enable -plugin-version=v1.12.0+builtin.vault approle`. If
there are any mounts where the _builtin_ version was explicitly specified in this way,
Vault may fail to start on upgrading to 1.12.1 due to the specified version no
longer being available.
To check whether a mount path is affected, read the tune information, or the
database config. The affected plugins are `snowflake-database-plugin@v0.6.0+builtin`
and any plugins with `+builtin.vault` metadata in their version. In this example,
both mounts are affected because `plugin_version` is explicitly set and is one of
the affected versions. All mounts where the version was omitted, or the plugin is
external (regardless of whether the version was specified) are unaffected.
-> **NOTE:** Make sure you use Vault CLI 1.12.0 or later to check mounts.
```shell-session
$ vault read sys/auth/approle/tune
Key Value
--- -----
...
plugin_version v1.12.0+builtin.vault
$ vault read database/config/snowflake
Key Value
--- -----
...
plugin_name snowflake-database-plugin
plugin_version v0.6.0+builtin
```
As it is not currently possible to unset the plugin version, there are 3 possible
remediations if you have any affected mounts:
* Upgrade Vault directly to 1.12.2 once released
* Upgrade to an external version of the plugin before upgrading to 1.12.1;
* Using the [tune API](/api-docs/system/auth#tune-auth-method) for auth methods
* Using the [tune API](/api-docs/system/mounts#tune-mount-configuration) for secrets plugins
* Or using the [configure connection](/api-docs/secret/databases#configure-connection)
API for database plugins
* Unmount and remount the path without a version specified before upgrading to 1.12.1.
**Note:** This will delete all data and leases associated with the mount.
The bug was introduced by commit
https://github.com/hashicorp/vault/commit/c36330f4c713b886a8a23c08cbbd862a7c530fc8.
#### Impacted Versions
Affects upgrading from 1.12.0 to 1.12.1. All other upgrade paths are unaffected.
1.12.2 will introduce a fix that enables upgrades from affected deployments of
1.12.0.