Vault
Overview
The Vault 1.18.x upgrade guide contains information on deprecations, important or breaking changes, and remediation recommendations for anyone upgrading from Vault 1.17. Please read carefully.
Important changes
Activity Log Changes
Default Activity Log Querying Period
The field default_report_months
can no longer be configured or read. Any previously set values
will be ignored by the system.
Attempts to modify default_report_months
through the
/sys/internal/counters/config
endpoint, will result in the following warning from Vault:
WARNING! The following warnings were returned from Vault:
* default_report_months is deprecated: defaulting to billing start time
The current_billing_period
toggle for /sys/internal/counters/activity
is also deprecated, as this will be set
true by default.
Attempts to set current_billing_period
will result in the following warning from Vault:
WARNING! The following warnings were returned from Vault:
* current_billing_period is deprecated; unless otherwise specified, all requests will default to the current billing period
Docker image no longer contains curl
The curl
binary is no longer included in the published Docker container images for Vault and Vault
Enterprise. If your workflow depends on curl
being available in the container, consider one of the
following strategies:
Create a wrapper container image
Use the HashiCorp image as a base image to create a new container image with curl
installed.
FROM hashicorp/vault-enterprise
RUN apk add curl
NOTE: While this is the preferred option it will require managing your own registry and rebuilding new images.
Install it at runtime dynamically
When running the image as root (not recommended), you can install it at runtime dynamically by using the apk
package manager:
docker exec <CONTAINER-ID> apk add curl
kubectl exec -ti <NAME> -- apk add curl
When running the image as non-root without privilege escalation (recommended) you can use existing
tools to install a static binary of curl
into the vault
users home directory:
docker exec <CONTAINER-ID> wget https://github.com/moparisthebest/static-curl/releases/latest/download/curl-amd64 -O /home/vault/curl && chmod +x /home/vault/curl
kubectl exec -ti <NAME> -- wget https://github.com/moparisthebest/static-curl/releases/latest/download/curl-amd64 -O /home/vault/curl && chmod +x /home/vault/curl
NOTE: When using this option you'll want to verify that the static binary comes from a trusted source.
Request limiter configuration removal
Vault 1.16.0 included an experimental request limiter. The limiter was disabled
by default with an opt-in request_limiter
configuration.
Further testing indicated that an alternative approach improves performance and reduces risk for many workloads. Vault 1.17.0 included a new adaptive overload protection feature that prevents outages when Vault is overwhelmed by write requests.
Adaptive overload protection was a beta feature in 1.17.0.
As of Vault 1.18.0, the adaptive overload protection feature for writes is now GA and enabled by default for the integrated storage backend.
The beta request_limiter
configuration stanza is officially removed in Vault 1.18.0.
Vault will output two types of warnings if the request_limiter
stanza is
detected in your Vault config.
- A UI warning message printed to
stderr
:
WARNING: Request Limiter configuration is no longer supported; overriding server configuration to disable
- A log line with level
WARN
, appearing in Vault's logs:
... [WARN] unknown or unsupported field request_limiter found in configuration at config.hcl:22:1
Product usage reporting
As of 1.18.2, Vault will collect anonymous product usage metrics for HashiCorp. This information will be collected alongside client activity data, and will be sent automatically if automated reporting is configured, or added to manual reports if manual reporting is preferred.
See the main page for Vault product usage metrics reporting for more details, and information about opt-out.
Known issues and workarounds
Duplicate HSM Keys
Affected Versions
- All versions that support migration from Shamir to HSM-backed unseal in HSM-HA configurations.
Issue
During a migration from Shamir to an HSM-backed unseal configuration with HSM - High Availability (HA), duplicate HSM keys may be created.
- Unseal failures: Nodes may fail to unseal after a restart, with errors such as CKR_DATA_INVALID.
- Duplicate HSM keys: These may be created, resulting in intermittent KV read failures with errors such as CKR_SIGNATURE_INVALID and CKR_KEY_HANDLE_INVALID. These issues can occur even after a seal migration to HSM that initially appeared successful. The root cause is under investigation, with potential links to key handling during HA configuration or migration processes.
Workaround
As a workaround, always run Vault with generate_key = false
, creating the required keys within the HSM manually during the setup process.