open-vault/website/content/docs/upgrading/upgrade-to-0.6.0.mdx

55 lines
2.2 KiB
Plaintext

---
layout: docs
page_title: Upgrading to Vault 0.6.0 - Guides
description: |-
This page contains the list of breaking changes for Vault 0.6. Please read it
carefully.
---
# Overview
This page contains the list of breaking changes for Vault 0.6 compared to the
previous release. Please read it carefully.
## PKI backend does not issue leases for CA certificates
When a token expires, it revokes all leases associated with it. This means that
long-lived CA certs need correspondingly long-lived tokens, something that is
easy to forget, resulting in an unintended revocation of the CA certificate
when the token expires. To prevent this, root and intermediate CA certs no
longer have associated leases. To revoke these certificates, use the
`pki/revoke` endpoint.
CA certificates that have already been issued and acquired leases will report
to the lease manager that revocation was successful, but will not actually be
revoked and placed onto the CRL.
## The `auth/token/revoke-prefix` endpoint has been removed
As part of addressing a minor security issue, this endpoint has been removed in
favor of using `sys/revoke-prefix` for prefix-based revocation of both tokens
and secrets leases.
## Go API uses `json.Number` for decoding
When using the Go API, it now calls `UseNumber()` on the decoder object. As a
result, rather than always decode as a `float64`, numbers are returned as a
`json.Number`, where they can be converted, with proper error checking, to
`int64`, `float64`, or simply used as a `string` value. This fixes some display
errors where numbers were being decoded as `float64` and printed in scientific
notation.
## List operations return `404` on no keys found
Previously, list operations on an endpoint with no keys found would return an
empty response object. Now, a `404` will be returned instead.
## Consul TTL checks automatically registered
If using the Consul HA storage backend, Vault will now automatically register
itself as the `vault` service and perform its own health checks/lifecycle
status management. This behavior can be adjusted or turned off in Vault's
configuration; see the
[documentation](/vault/docs/configuration/storage/consul#check_timeout)
for details.