Releases: hashicorp/vault
v1.8.12
backport of commit 0e8bcc15cc0201fd8416b36501af60f8b73de480 (#15783) Co-authored-by: akshya96 <[email protected]>
v1.10.3
backport of commit 5b8ebf602fe5773dddf133c5e3d88aa75bb580aa (#15324) Co-authored-by: TylerGelinas <[email protected]> Co-authored-by: Heather Simon <[email protected]>
v1.10.2
Backport of Vault documentation: updated docs to include a note about…
v1.9.6
Backport of Add upgrade note for #15147. into release/1.9.x (#15160)
v1.8.11
Backport of fix raft tls key rotation panic when rotation time in pas…
v1.10.1
Backport of Upgrade hashicorp/consul-template dependency into release…
v1.9.5
backport of commit 57eba1d02bdf789cc0238de8ea63998a26c9bcee (#15085) Co-authored-by: Calvin Leung Huang <[email protected]>
v1.8.10
backport of commit 57eba1d02bdf789cc0238de8ea63998a26c9bcee (#15086) Co-authored-by: Calvin Leung Huang <[email protected]>
v1.10.0
1.10.0
March 23, 2022
CHANGES:
- core: Changes the unit of `default_lease_ttl` and `max_lease_ttl` values returned by the `/sys/config/state/sanitized` endpoint from nanoseconds to seconds. [GH-14206]
- core: Bump Go version to 1.17.7. [GH-14232]
- plugin/database: The return value from `POST /database/config/:name` has been updated to "204 No Content" [GH-14033]
- secrets/azure: Changes the configuration parameter `use_microsoft_graph_api` to use the Microsoft Graph API by default. [GH-14130]
- storage/etcd: Remove support for v2. [GH-14193]
- ui: Upgrade Ember to version 3.24 [GH-13443]
FEATURES:
- Database plugin multiplexing: manage multiple database connections with a single plugin process [GH-14033]
- Login MFA: Single and two phase MFA is now available when authenticating to Vault. [GH-14025]
- Mount Migration: Vault supports moving secrets and auth mounts both within and across namespaces.
- Postgres in the UI: Postgres DB is now supported by the UI [GH-12945]
- Report in-flight requests: Adding a trace capability to show in-flight requests, and a new gauge metric to show the total number of in-flight requests [GH-13024]
- Server Side Consistent Tokens: Service tokens have been updated to be longer (a minimum of 95 bytes) and token prefixes for all token types are updated from s., b., and r. to hvs., hvb., and hvr. for service, batch, and recovery tokens respectively. Vault clusters with integrated storage will now have read-after-write consistency by default. [GH-14109]
- Transit SHA-3 Support: Add support for SHA-3 in the Transit backend. [GH-13367]
- Transit Time-Based Key Autorotation: Add support for automatic, time-based key rotation to transit secrets engine, including in the UI. [GH-13691]
- UI Client Count Improvements: Restructures client count dashboard, making use of billing start date to improve accuracy. Adds mount-level distribution and filtering. [GH-client-counts]
- Agent Telemetry: The Vault Agent can now collect and return telemetry information at the `/agent/v1/metrics` endpoint.
IMPROVEMENTS:
- agent: Adds ability to configure specific user-assigned managed identities for Azure auto-auth. [GH-14214]
- agent: The `agent/v1/quit` endpoint can now be used to stop the Vault Agent remotely [GH-14223]
- api: Allow cloning `api.Client` tokens via `api.Config.CloneToken` or `api.Client.SetCloneToken()`. [GH-13515]
- api: Define constants for X-Vault-Forward and X-Vault-Inconsistent headers [GH-14067]
- api: Implements Login method in Go client libraries for GCP and Azure auth methods [GH-13022]
- api: Implements Login method in Go client libraries for LDAP auth methods [GH-13841]
- api: Trim newline character from wrapping token in logical.Unwrap from the api package [GH-13044]
- api: add api method for modifying raft autopilot configuration [GH-12428]
- api: respect WithWrappingToken() option during AppRole login authentication when used with secret ID specified from environment or from string [GH-13241]
- audit: The audit logs now contain the port used by the client [GH-12790]
- auth/aws: Enable region detection in the CLI by specifying the region as `auto` [GH-14051]
- auth/cert: Add certificate extensions as metadata [GH-13348]
- auth/jwt: The Authorization Code flow makes use of the Proof Key for Code Exchange (PKCE) extension. [GH-13365]
- auth/kubernetes: Added support for dynamically reloading short-lived tokens for better Kubernetes 1.21+ compatibility [GH-13595]
- auth/ldap: Add a response warning and server log whenever the config is accessed if `userfilter` doesn't consider `userattr` [GH-14095]
- auth/ldap: Add username to alias metadata [GH-13669]
- auth/ldap: Add username_as_alias configurable to change how aliases are named [GH-14324]
- auth/okta: Update okta-sdk-golang dependency to version v2.9.1 for improved request backoff handling [GH-13439]
- auth/token: The `auth/token/revoke-accessor` endpoint is now idempotent and will not error out if the token has already been revoked. [GH-13661]
- auth: reading `sys/auth/:path` now returns the configuration for the auth engine mounted at the given path [GH-12793]
- cli: interactive CLI for login mfa [GH-14131]
- command (enterprise): "vault license get" now uses non-deprecated endpoint /sys/license/status
- core/ha: Add new mechanism for keeping track of peers talking to active node, and new 'operator members' command to view them. [GH-13292]
- core/identity: Support updating an alias' `custom_metadata` to be empty. [GH-13395]
- core/pki: Support Y10K value in notAfter field to be compliant with IEEE 802.1AR-2018 standard [GH-12795]
- core/pki: Support Y10K value in notAfter field when signing non-CA certificates [GH-13736]
- core: Add duration and start_time to completed requests log entries [GH-13682]
- core: Add support to list password policies at `sys/policies/password` [GH-12787]
- core: Add support to list version history via API at `sys/version-history` and via CLI with `vault version-history` [GH-13766]
- core: Fixes code scanning alerts [GH-13667]
- core: Periodically test the health of connectivity to auto-seal backends [GH-13078]
- core: Reading `sys/mounts/:path` now returns the configuration for the secret engine at the given path [GH-12792]
- core: Replace "master key" terminology with "root key" [GH-13324]
- core: Small changes to ensure goroutines terminate in tests [GH-14197]
- core: Systemd unit file included with the Linux packages now sets the service type to notify. [GH-14385]
- core: Update github.com/prometheus/client_golang to fix security vulnerability CVE-2022-21698. [GH-14190]
- core: Vault now supports the PROXY protocol v2. Support for UNKNOWN connections has also been added to the PROXY protocol v1. [GH-13540]
- http (enterprise): Serve /sys/license/status endpoint within namespaces
- identity/oidc: Adds a default OIDC provider [GH-14119]
- identity/oidc: Adds a default key for OIDC clients [GH-14119]
- identity/oidc: Adds an `allow_all` assignment that permits all entities to authenticate via an OIDC client [GH-14119]
- identity/oidc: Adds proof key for code exchange (PKCE) support to OIDC providers. [GH-13917]
- sdk: Add helper for decoding root tokens [GH-10505]
- secrets/azure: Adds support for rotate-root. #70 [GH-13034]
- secrets/consul: Add support for consul enterprise namespaces and admin partitions. [GH-13850]
- secrets/consul: Add support for consul roles. [GH-14014]
- secrets/database/influxdb: Switch/upgrade to the `influxdb1-client` module [GH-12262]
- secrets/database: Add database configuration parameter 'disable_escaping' for username and password when connecting to a database. [GH-13414]
- secrets/kv: add full secret path output to table-formatted responses [GH-14301]
- secrets/kv: add patch suppor...
v1.10.0-rc1
Update VersionPrerelease for 1.10 RC1 (#14308)
* update build and ci to point to release branch
* update version prerelease for 1.10 branch to be rc1 in prep for release