CHANGES:
* cli: The raft configuration command (vault operator raft configuration) has
been renamed to list-peers (vault operator raft list-peers) to avoid confusion.
FEATURES:
* Kerberos Authentication: Vault now supports Kerberos authentication using
a SPNEGO token. Login can be performed using the Vault CLI, API, or agent.
* Kubernetes Service Discovery: A new Kubernetes service discovery feature
that, when configured, labels Vault pods with their current health status.
For more, see #8249.
* MongoDB Atlas Secrets: Vault can now generate dynamic credentials for both
MongoDB Atlas databases and the Atlas programmatic API.
* OpenLDAP Secrets Engine: We now support password management of existing
OpenLDAP user entries. For more, see #8360.
* Redshift Database Secrets Engine: The database secrets engine now
supports static and dynamic secrets for the Amazon Web Services (AWS)
Redshift service.
* Service Registration Config: A newly introduced service_registration
configuration stanza allows service registration to be configured separately
from the storage backend. For more, see #7887.
* Transform Secrets Engine (Enterprise): A new secrets engine that performs
secure data transformation and tokenization on a provided input value.
* Integrated Storage: Promoted out of beta and into general availability
for both open-source and enterprise workloads.
IMPROVEMENTS:
* agent: Add option to force the use of the auto-auth token and ignore the
Vault token in the request [GH-8101]
* api: Restore and fix DNS SRV Lookup [GH-8520]
* audit: HMAC http_raw_body in audit log; this ensures that large
authenticated Prometheus metrics responses get replaced with short HMAC
values [GH-8130]
* audit: Generate-root, generate-recovery-token, and
generate-dr-operation-token requests and responses are now
audited. [GH-8301]
* auth/aws: Reduce the number of simultaneous STS client credentials needed
[GH-8161]
* auth/azure: Subscription ID, resource group, VM and VMSS names are now
stored in alias metadata [GH-30]
* auth/jwt: Additional OIDC callback parameters available for CLI logins
[GH-80 & GH-86]
* auth/jwt: Bound claims may be optionally configured using globs [GH-89]
* auth/jwt: Timeout during OIDC CLI login if process doesn't complete
within 2 minutes [GH-97]
* auth/jwt: Add support for the form_post response mode [GH-98]
* auth/jwt: add optional client_nonce to authorization flow [GH-104]
* auth/okta: Upgrade okta sdk lib, which should improve handling of groups
[GH-8143]
* aws: Add support for v2 of the instance metadata service (see issue 7924
for all linked PRs)
* core: Separate out service discovery interface from storage interface to
allow new types of service discovery not coupled to storage [GH-7887]
* core: Add support for telemetry option metrics_prefix [GH-8340]
* core: Entropy Augmentation can now be used with AWS KMS and Vault Transit
seals
* core: Allow tls_min_version to be set to TLS 1.3 [GH-8305]
* cli: Incorrect TLS configuration will now correctly fail [GH-8025]
* identity: Allow specifying a custom client_id for identity tokens
[GH-8165]
* metrics/prometheus: improve performance with high volume of metrics
updates [GH-8507]
* replication (enterprise): Fix race condition causing clusters with high
throughput writes to sometimes fail to enter streaming-wal mode
* replication (enterprise): Secondary clusters can now perform an extra
gRPC call to all nodes in a primary cluster in an attempt to resolve the
active node's address
* replication (enterprise): The replication status API now outputs
last_performance_wal, last_dr_wal, and connection_state values
* replication (enterprise): DR secondary clusters can now be recovered by
the replication/dr/secondary/recover API
* replication (enterprise): We now allow for an alternate means to create a
Disaster Recovery token, by using a batch token that is created with an ACL
that allows for access to one or more of the DR endpoints.
* secrets/database/mongodb: Switched internal MongoDB driver to
mongo-driver [GH-8140]
* secrets/database/mongodb: Add support for X.509 client certificate
authentication to MongoDB [GH-8329]
* secrets/database/oracle: Add support for static credential rotation
[GH-26]
* secrets/consul: Add support to specify TLS options per Consul backend
[GH-4800]
* secrets/gcp: Allow specifying the TTL for a service key [GH-54]
* secrets/gcp: Add support for rotating root keys [GH-53]
* secrets/gcp: Handle version 3 policies for Resource Manager IAM requests
[GH-77]
* secrets/nomad: Add support to specify TLS options per Nomad backend
[GH-8083]
* secrets/ssh: Allowed users can now be templated with identity information
[GH-7548]
* secrets/transit: Add support for RSA-3072 keys (key type rsa-3072) [GH-8151]
* storage/consul: Vault now returns a more descriptive error message when
only a client cert or only a client key has been provided [GH-4930]
* storage/raft: Every node in a raft cluster can now be given a list of
possible leader addresses that it continuously tries to join, further
automating the join process [GH-7856]
* storage/raft: Fix a potential deadlock that could occur on leadership
transition [GH-8547]
* storage/raft: Refresh TLS keyring on snapshot restore [GH-8546]
* storage/etcd: Bumped etcd client API SDK [GH-7931 & GH-4961 & GH-4349 &
GH-7582]
* ui: Make Transit Key actions more prominent [GH-8304]
* ui: Add Core Usage Metrics [GH-8347]
* ui: Add refresh Namespace list on the Namespace dropdown, and redesign of
Namespace dropdown menu [GH-8442]
* ui: Render transit actions as code blocks and automatically base64-encode
plaintext unless told otherwise [GH-8462]
* ui: Display the results of transit key actions in a modal window
[GH-8462]
* ui: Transit key version styling updates & ability to copy key from
dropdown [GH-8480]
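The service_registration stanza from the FEATURES section, the raft retry_join
improvement and the TLS 1.3 minimum-version option above come together in a
single server configuration. The following is an added example written for this
page, not a file shipped with Vault; the hostnames, TLS file paths, data
directory and the "vault" Kubernetes namespace are assumptions.

```hcl
# Added example configuration (not from the Vault project); hostnames, paths
# and the Kubernetes namespace are assumed values.
api_addr     = "https://vault-0.vault-internal:8200"
cluster_addr = "https://vault-0.vault-internal:8201"

listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_cert_file   = "/vault/tls/tls.crt"
  tls_key_file    = "/vault/tls/tls.key"
  # New in this release: TLS 1.3 can be set as the floor. Clients and the
  # raft peers' leader_api_addr connections must then speak TLS 1.3.
  tls_min_version = "tls13"
}

storage "raft" {
  path    = "/vault/data"
  node_id = "vault-0"

  # Each retry_join block is a candidate leader; the node keeps trying the
  # list until it has joined one of them, so no manual "raft join" is needed.
  # leader_ca_cert_file pins the CA used to verify that leader's listener.
  retry_join {
    leader_api_addr     = "https://vault-1.vault-internal:8200"
    leader_ca_cert_file = "/vault/tls/ca.crt"
  }
  retry_join {
    leader_api_addr     = "https://vault-2.vault-internal:8200"
    leader_ca_cert_file = "/vault/tls/ca.crt"
  }
}

# Service registration is now its own stanza, decoupled from the storage
# backend: raft storage plus Kubernetes registration is a valid combination.
service_registration "kubernetes" {
  namespace = "vault"   # may instead come from VAULT_K8S_NAMESPACE
  pod_name  = "vault-0" # may instead come from VAULT_K8S_POD_NAME
}
```

Two checks worth doing after rolling this out: the pod's service account must be
allowed to read and patch pods in that namespace, because the Kubernetes
registration works by updating labels on Vault's own pod (such as vault-active
and vault-sealed); without that RBAC grant the server still starts, but the
labels never change. Membership after the automated joins can be confirmed with
the renamed command, vault operator raft list-peers.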
BUG FIXES:
* agent: Fix issue where TLS options are ignored for agent template feature
[GH-7889]
* auth/jwt: Use lower case role names for default_role to match the role
case convention [GH-100]
* auth/ldap: Fix a bug where the UPNDOMAIN parameter was wrongly used to look
up the group membership of the given user [GH-6325]
* cli: Support autocompletion for nested mounts [GH-8303]
* cli: Fix CLI namespace autocompletion [GH-8315]
* identity: Fix incorrect caching of identity token JWKS responses
[GH-8412]
* metrics/stackdriver: Prevent the Stackdriver metrics library from creating
unnecessary Stackdriver descriptors [GH-8073]
* replication: Fix issue causing cubbyholes in namespaces on performance
secondaries to not work.
* seal (enterprise): Fix seal migration when transactional seal wrap
backend is in use.
* secrets/database/influxdb: Fix potential panic if connection to the
InfluxDB database cannot be established [GH-8282]
* secrets/database/mysql: Ensure the default static credential rotation
statements are used [GH-8240]
* secrets/database/mysql: Fix inconsistent query parameter names ({{name}} vs.
{{username}}) across queries; either is now accepted for backwards
compatibility [GH-8240]
* secrets/database/postgres: Fix inconsistent query parameter names ({{name}}
vs. {{username}}) across queries; either is now accepted for backwards
compatibility [GH-8240]
* secrets/pki: Support FQDNs in DNS Name [GH-8288]
* storage/raft: Allow seal migration to be performed on Vault clusters
using raft storage [GH-8103]
* telemetry: Prometheus requests on standby nodes will now return an error
instead of forwarding the request to the active node [GH-8280]
* ui: Fix broken popup menu on the transit secrets list page [GH-8348]
* ui: Update headless Chrome flag to fix yarn run test:oss [GH-8035]
* ui: Update the CLI to accept an empty string as a parameter value in order
to reset a previously set value
* ui: Fix bug where error states don't clear when moving between action
tabs on Transit [GH-8354]