From 8af62ad7a2739e0002bdd9672ce78e1b8b8e28e8 Mon Sep 17 00:00:00 2001
From: Violet Hynes
Date: Fri, 15 Nov 2024 12:00:16 -0500
Subject: [PATCH] Release notes backport for 1.18 (#28915)

* VAULT-32201 release notes for product usage reporting (#28904)

* VAULT-32201 release notes for product usage reporting

* Add note about default report months

* Better release notes

* Update website/content/docs/upgrading/upgrade-to-1.18.x.mdx

Co-authored-by: divyaac

---------

Co-authored-by: divyaac
---
 website/content/docs/release-notes/1.16.1.mdx | 33 ++++++------
 website/content/docs/release-notes/1.17.0.mdx | 29 +++++-----
 website/content/docs/release-notes/1.18.0.mdx | 17 +++---
 .../docs/upgrading/upgrade-to-1.16.x.mdx | 53 +++++++++++++++++++
 .../docs/upgrading/upgrade-to-1.17.x.mdx | 53 +++++++++++++++++++
 .../docs/upgrading/upgrade-to-1.18.x.mdx | 11 +++-
 6 files changed, 159 insertions(+), 37 deletions(-)

diff --git a/website/content/docs/release-notes/1.16.1.mdx b/website/content/docs/release-notes/1.16.1.mdx
index c7ed79e6fe51..6fe8ee563e48 100644
--- a/website/content/docs/release-notes/1.16.1.mdx
+++ b/website/content/docs/release-notes/1.16.1.mdx
@@ -13,21 +13,24 @@ description: |- ## Important changes -| Version | Change | -|-----------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 1.16.0+ | [Existing clusters do not show the current Vault version in UI by default](/vault/docs/upgrading/upgrade-to-1.16.x#default-policy-changes) | -| 1.16.0+ | [Default LCQ enabled when upgrading pre-1.9](/vault/docs/upgrading/upgrade-to-1.16.x#default-lcq-pre-1.9-upgrade) | -| 1.16.0+ | [External plugin environment variables take precedence over server variables](/vault/docs/upgrading/upgrade-to-1.16.x#external-plugin-variables) | -| 1.16.0+ | [LDAP auth entity alias names no longer include upndomain](/vault/docs/upgrading/upgrade-to-1.16.x#ldap-auth-entity-alias-names-no-longer-include-upndomain) | -| 1.16.0+ | [Secrets Sync now requires a one-time flag to operate](/vault/docs/upgrading/upgrade-to-1.16.x#secrets-sync-now-requires-setting-a-one-time-flag-before-use) | -| 1.16.0+ | [Azure secrets engine role creation failing](/vault/docs/upgrading/upgrade-to-1.16.x#azure-secrets-engine-role-creation-failing) | -| 1.16.1 - 1.16.3 | [New nodes added by autopilot upgrades provisioned with the wrong version](/vault/docs/upgrading/upgrade-to-1.15.x#new-nodes-added-by-autopilot-upgrades-provisioned-with-the-wrong-version) | -| 1.15.8+ | [Autopilot upgrade for Vault Enterprise fails](/vault/docs/upgrading/upgrade-to-1.15.x#autopilot) | -| 1.16.5 | [Listener stops listening on untrusted upstream connection with particular config settings](/vault/docs/upgrading/upgrade-to-1.16.x#listener-proxy-protocol-config) | -| 1.16.3 - 1.16.6 | [Vault standby nodes not deleting removed entity-aliases from in-memory database](/vault/docs/upgrading/upgrade-to-1.16.x#dangling-entity-alias-in-memory) | -| 0.7.0+ | [Duplicate identity groups 
created](/vault/docs/upgrading/upgrade-to-1.16.x#duplicate-identity-groups-created-when-concurrent-requests-sent-to-the-primary-and-pr-secondary-cluster) | | -| Known Issue (0.7.0+) | [Manual entity merges fail](/vault/docs/upgrading/upgrade-to-1.16.x#manual-entity-merges-sent-to-a-pr-secondary-cluster-are-not-persisted-to-storage) -| Known Issue (1.16.7-1.16.8) | [Some values in the audit logs not hmac'd properly](/vault/docs/upgrading/upgrade-to-1.16.x#client-tokens-and-token-accessors-audited-in-plaintext) | +| Version | Change | +|-----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 1.16.0+ | [Existing clusters do not show the current Vault version in UI by default](/vault/docs/upgrading/upgrade-to-1.16.x#default-policy-changes) | +| 1.16.0+ | [Default LCQ enabled when upgrading pre-1.9](/vault/docs/upgrading/upgrade-to-1.16.x#default-lcq-pre-1.9-upgrade) | +| 1.16.0+ | [External plugin environment variables take precedence over server variables](/vault/docs/upgrading/upgrade-to-1.16.x#external-plugin-variables) | +| 1.16.0+ | [LDAP auth entity alias names no longer include upndomain](/vault/docs/upgrading/upgrade-to-1.16.x#ldap-auth-entity-alias-names-no-longer-include-upndomain) | +| 1.16.0+ | [Secrets Sync now requires a one-time flag to operate](/vault/docs/upgrading/upgrade-to-1.16.x#secrets-sync-now-requires-setting-a-one-time-flag-before-use) | +| 1.16.0+ | [Azure secrets engine role creation failing](/vault/docs/upgrading/upgrade-to-1.16.x#azure-secrets-engine-role-creation-failing) | +| 1.16.1 - 1.16.3 | [New nodes added by autopilot upgrades provisioned with the wrong version](/vault/docs/upgrading/upgrade-to-1.15.x#new-nodes-added-by-autopilot-upgrades-provisioned-with-the-wrong-version) | +| 1.15.8+ | [Autopilot upgrade for Vault Enterprise 
fails](/vault/docs/upgrading/upgrade-to-1.15.x#autopilot) | +| 1.16.5 | [Listener stops listening on untrusted upstream connection with particular config settings](/vault/docs/upgrading/upgrade-to-1.16.x#listener-proxy-protocol-config) | +| 1.16.3 - 1.16.6 | [Vault standby nodes not deleting removed entity-aliases from in-memory database](/vault/docs/upgrading/upgrade-to-1.16.x#dangling-entity-alias-in-memory) | +| 0.7.0+ | [Duplicate identity groups created](/vault/docs/upgrading/upgrade-to-1.16.x#duplicate-identity-groups-created-when-concurrent-requests-sent-to-the-primary-and-pr-secondary-cluster) | | +| Known Issue (0.7.0+) | [Manual entity merges fail](/vault/docs/upgrading/upgrade-to-1.16.x#manual-entity-merges-sent-to-a-pr-secondary-cluster-are-not-persisted-to-storage) | +| Known Issue (1.16.7-1.16.8) | [Some values in the audit logs not hmac'd properly](/vault/docs/upgrading/upgrade-to-1.16.x#client-tokens-and-token-accessors-audited-in-plaintext) | +| New default (1.16.13) | [Vault product usage metrics reporting](/vault/docs/upgrading/upgrade-to-1.6.x#product-usage-reporting) | +| Deprecation (1.16.13) | [`default_report_months` is deprecated for the `sys/internal/counters` API](/vault/docs/upgrading/upgrade-to-1.16.x#activity-log-changes) | + ## Vault companion updates diff --git a/website/content/docs/release-notes/1.17.0.mdx b/website/content/docs/release-notes/1.17.0.mdx index ead4d7efde6f..bc80494378f1 100644 --- a/website/content/docs/release-notes/1.17.0.mdx +++ b/website/content/docs/release-notes/1.17.0.mdx 
@@ -13,19 +13,22 @@ description: |- ## Important changes -| Change | Description | -|------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| New default (1.17) | [Allowed audit headers now have unremovable defaults](/vault/docs/upgrading/upgrade-to-1.17.x#audit-headers) | -| Opt out feature (1.17) | [PKI sign-intermediate now truncates `notAfter` field to signing issuer](/vault/docs/upgrading/upgrade-to-1.17.x#pki-truncate) | -| Beta feature deprecated (1.17) | [Request limiter deprecated](/vault/docs/upgrading/upgrade-to-1.17.x#request-limiter) | -| Known issue (1.17.0+) | [PKI OCSP GET requests can return HTTP redirect responses](/vault/docs/upgrading/upgrade-to-1.17.x#pki-ocsp) | -| Known issue (1.17.0) | [Vault Agent and Vault Proxy consume excessive amounts of CPU](/vault/docs/upgrading/upgrade-to-1.17.x#agent-proxy-cpu-1-17) | -| Known issue (1.15.8 - 1.15.9, 1.16.0 - 1.16.3) | [Autopilot upgrade for Vault Enterprise fails](/vault/docs/upgrading/upgrade-to-1.16.x#new-nodes-added-by-autopilot-upgrades-provisioned-with-the-wrong-version) | -| Known issue (1.17.0 - 1.17.2) | [Vault standby nodes not deleting removed entity-aliases from in-memory database](/vault/docs/upgrading/upgrade-to-1.17.x#dangling-entity-alias-in-memory) | -| Known Issue (0.7.0+) | [Duplicate identity groups created](/vault/docs/upgrading/upgrade-to-1.17.x#duplicate-identity-groups-created-when-concurrent-requests-sent-to-the-primary-and-pr-secondary-cluster) -| Known Issue (0.7.0+) | [Manual entity merges fail](/vault/docs/upgrading/upgrade-to-1.17.x#manual-entity-merges-sent-to-a-pr-secondary-cluster-are-not-persisted-to-storage) -| Known Issue (1.17.3-1.17.4) | [Some values in the audit logs not hmac'd properly](/vault/docs/upgrading/upgrade-to-1.17.x#client-tokens-and-token-accessors-audited-in-plaintext) -| Known Issue 
(1.17.0-1.17.5) | [Cached activation flags for secrets sync on follower nodes are not updated](/vault/docs/upgrading/upgrade-to-1.17.x#cached-activation-flags-for-secrets-sync-on-follower-nodes-are-not-updated) +| Change | Description | +|------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| New default (1.17) | [Allowed audit headers now have unremovable defaults](/vault/docs/upgrading/upgrade-to-1.17.x#audit-headers) | +| Opt out feature (1.17) | [PKI sign-intermediate now truncates `notAfter` field to signing issuer](/vault/docs/upgrading/upgrade-to-1.17.x#pki-truncate) | +| Beta feature deprecated (1.17) | [Request limiter deprecated](/vault/docs/upgrading/upgrade-to-1.17.x#request-limiter) | +| Known issue (1.17.0+) | [PKI OCSP GET requests can return HTTP redirect responses](/vault/docs/upgrading/upgrade-to-1.17.x#pki-ocsp) | +| Known issue (1.17.0) | [Vault Agent and Vault Proxy consume excessive amounts of CPU](/vault/docs/upgrading/upgrade-to-1.17.x#agent-proxy-cpu-1-17) | +| Known issue (1.15.8 - 1.15.9, 1.16.0 - 1.16.3) | [Autopilot upgrade for Vault Enterprise fails](/vault/docs/upgrading/upgrade-to-1.16.x#new-nodes-added-by-autopilot-upgrades-provisioned-with-the-wrong-version) | +| Known issue (1.17.0 - 1.17.2) | [Vault standby nodes not deleting removed entity-aliases from in-memory database](/vault/docs/upgrading/upgrade-to-1.17.x#dangling-entity-alias-in-memory) | +| Known issue (1.17.0 - 1.17.3) | [AWS Auth AssumeRole requires an external ID even if none is set](/vault/docs/upgrading/upgrade-to-1.17.x#aws-auth-role-configuration-requires-an-external_id) | +| Known Issue (0.7.0+) | [Duplicate identity groups 
created](/vault/docs/upgrading/upgrade-to-1.17.x#duplicate-identity-groups-created-when-concurrent-requests-sent-to-the-primary-and-pr-secondary-cluster) | +| Known Issue (0.7.0+) | [Manual entity merges fail](/vault/docs/upgrading/upgrade-to-1.17.x#manual-entity-merges-sent-to-a-pr-secondary-cluster-are-not-persisted-to-storage) | +| Known Issue (1.17.3-1.17.4) | [Some values in the audit logs not hmac'd properly](/vault/docs/upgrading/upgrade-to-1.17.x#client-tokens-and-token-accessors-audited-in-plaintext) | +| Known Issue (1.17.0-1.17.5) | [Cached activation flags for secrets sync on follower nodes are not updated](/vault/docs/upgrading/upgrade-to-1.17.x#cached-activation-flags-for-secrets-sync-on-follower-nodes-are-not-updated) | +| New default (1.17.9) | [Vault product usage metrics reporting](/vault/docs/upgrading/upgrade-to-1.17.x#product-usage-reporting) | +| Deprecation (1.17.9) | [`default_report_months` is deprecated for the `sys/internal/counters` API](/vault/docs/upgrading/upgrade-to-1.17.x#activity-log-changes) | ## Vault companion updates diff --git a/website/content/docs/release-notes/1.18.0.mdx b/website/content/docs/release-notes/1.18.0.mdx index 3c8d4f35e0ac..765b3415e78d 100644 --- a/website/content/docs/release-notes/1.18.0.mdx +++ b/website/content/docs/release-notes/1.18.0.mdx 
@@ -13,11 +13,12 @@ description: |- ## Important changes -| Change | Description -| --------------------------- | ----------- -| New default (1.18.0) | [Default activity log querying period](/vault/docs/upgrading/upgrade-to-1.18.x#default-activity-log-querying-period) -| New default (1.18.0) | [Docker image no longer contains curl](/vault/docs/upgrading/upgrade-to-1.18.x#docker-image-no-longer-contains-curl) -| Beta feature removed (1.18) | [Request limiter removed](/vault/docs/upgrading/upgrade-to-1.18.x#request-limiter-configuration-removal) +| Change | Description | +|-----------------------------|----------------------------------------------------------------------------------------------------------------------| +| New default (1.18.0) | [Default activity log querying period](/vault/docs/upgrading/upgrade-to-1.18.x#default-activity-log-querying-period) | +| New default (1.18.0) | [Docker image no longer contains curl](/vault/docs/upgrading/upgrade-to-1.18.x#docker-image-no-longer-contains-curl) | +| Beta feature removed (1.18) | [Request limiter removed](/vault/docs/upgrading/upgrade-to-1.18.x#request-limiter-configuration-removal) | +| New default (1.18.2) | [Vault product usage metrics reporting](/vault/docs/upgrading/upgrade-to-1.18.x#product-usage-reporting) | ## Vault companion updates @@ -63,7 +64,7 @@ Follow the learn more links for more information, or browse the list of ENHANCED - Overall stability improvements. + Overall stability improvements.

Learn more: Autopilot overview @@ -71,7 +72,7 @@ Follow the learn more links for more information, or browse the list of - Client count + Client count ENHANCED @@ -88,7 +89,7 @@ Follow the learn more links for more information, or browse the list of GA Enable PKI support for automated certificate enrollment with CMPv2 - protocols for 5G networks per 3G PP standards. + protocols for 5G networks per 3G PP standards.

Learn more: CMPv2 in the Vault PKI plugin diff --git a/website/content/docs/upgrading/upgrade-to-1.16.x.mdx b/website/content/docs/upgrading/upgrade-to-1.16.x.mdx index d969b48e8595..9646a9858009 100644 --- a/website/content/docs/upgrading/upgrade-to-1.16.x.mdx +++ b/website/content/docs/upgrading/upgrade-to-1.16.x.mdx @@ -94,6 +94,50 @@ operation called an activation-flag. The feature is gated until a Vault operator decides to trigger the flag. More information can be found in the [secrets sync documentation](/vault/docs/sync#activating-the-feature). +### Activity Log Changes + +#### Default Activity Log Querying Period + +As of 1.16.13 and later, the field `default_report_months` can no longer be configured or read. Any previously set values +will be ignored by the system. + + +Attempts to modify `default_report_months` through the +[/sys/internal/counters/config](/vault/api-docs/system/internal-counters#update-the-client-count-configuration) +endpoint, will result in the following warning from Vault: + + + + ```shell-session + + WARNING! The following warnings were returned from Vault: + + * default_report_months is deprecated: defaulting to billing start time + + + ``` + + + + +The `current_billing_period` toggle for `/sys/internal/counters/activity` is also deprecated, as this will be set +true by default. + +Attempts to set `current_billing_period` will result in the following warning from Vault: + + + + ```shell-session + + WARNING! The following warnings were returned from Vault: + + * current_billing_period is deprecated; unless otherwise specified, all requests will default to the current billing period + + + ``` + + + ### Auto-rolled billing start date As of 1.16.7 and later, the billing start date (license start date if not configured) automatically rolls over to the latest billing year at the end of the last cycle. 
@@ -142,6 +186,15 @@ kubectl exec -ti -- wget https://github.com/moparisthebest/static-curl/re **NOTE:** When using this option you'll want to verify that the static binary comes from a trusted source. +### Product usage reporting + +As of 1.16.13, Vault will collect anonymous product usage metrics for HashiCorp. This information will be collected +alongside activity information, and will be sent automatically if automated reporting is configured, or added to manual +reports if manual reporting is preferred. + +See the main page for [Vault product usage metrics reporting](/vault/docs/enterprise/license/product-usage-reporting) for +more details, and information about opt-out. + ## Known issues and workarounds @include 'known-issues/1_17_audit-log-hmac.mdx' diff --git a/website/content/docs/upgrading/upgrade-to-1.17.x.mdx b/website/content/docs/upgrading/upgrade-to-1.17.x.mdx index 7b94b6646ed1..60b0ba1d3e3d 100644 --- a/website/content/docs/upgrading/upgrade-to-1.17.x.mdx +++ b/website/content/docs/upgrading/upgrade-to-1.17.x.mdx 
@@ -81,6 +81,50 @@ Users may not be able to log into Vault if the JWT role is configured incorrectly. For additional details, refer to the [JWT auth method (API)](/vault/api-docs/auth/jwt) documentation. +### Activity Log Changes + +#### Default Activity Log Querying Period + +As of 1.17.9 and later, the field `default_report_months` can no longer be configured or read. Any previously set values +will be ignored by the system. + + +Attempts to modify `default_report_months` through the +[/sys/internal/counters/config](/vault/api-docs/system/internal-counters#update-the-client-count-configuration) +endpoint, will result in the following warning from Vault: + + + + ```shell-session + + WARNING! The following warnings were returned from Vault: + + * default_report_months is deprecated: defaulting to billing start time + + + ``` + + + + +The `current_billing_period` toggle for `/sys/internal/counters/activity` is also deprecated, as this will be set +true by default. + +Attempts to set `current_billing_period` will result in the following warning from Vault: + + + + ```shell-session + + WARNING! The following warnings were returned from Vault: + + * current_billing_period is deprecated; unless otherwise specified, all requests will default to the current billing period + + + ``` + + + ### Auto-rolled billing start date As of 1.17.3 and later, the billing start date (license start date if not configured) rolls over to the latest billing year at the end of the last cycle. 
@@ -129,6 +173,15 @@ kubectl exec -ti -- wget https://github.com/moparisthebest/static-curl/re **NOTE:** When using this option you'll want to verify that the static binary comes from a trusted source. +### Product usage reporting + +As of 1.17.9, Vault will collect anonymous product usage metrics for HashiCorp. This information will be collected +alongside activity information, and will be sent automatically if automated reporting is configured, or added to manual +reports if manual reporting is preferred. + +See the main page for [Vault product usage metrics reporting](/vault/docs/enterprise/license/product-usage-reporting) for +more details, and information about opt-out. + ## Known issues and workarounds @include 'known-issues/1_17_audit-log-hmac.mdx' diff --git a/website/content/docs/upgrading/upgrade-to-1.18.x.mdx b/website/content/docs/upgrading/upgrade-to-1.18.x.mdx index 1b561dcbf117..7a43e8ec0096 100644 --- a/website/content/docs/upgrading/upgrade-to-1.18.x.mdx +++ b/website/content/docs/upgrading/upgrade-to-1.18.x.mdx @@ -128,4 +128,13 @@ WARNING: Request Limiter configuration is no longer supported; overriding server ```text ... [WARN] unknown or unsupported field request_limiter found in configuration at config.hcl:22:1 -``` \ No newline at end of file +``` + +### Product usage reporting + +As of 1.18.2, Vault will collect anonymous product usage metrics for HashiCorp. This information will be collected +alongside client activity data, and will be sent automatically if automated reporting is configured, or added to manual +reports if manual reporting is preferred. + +See the main page for [Vault product usage metrics reporting](/vault/docs/enterprise/license/product-usage-reporting) for +more details, and information about opt-out.
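
Review bot: In the release-notes/1.16.1.mdx table, the new `New default (1.16.13)` row links to `/vault/docs/upgrading/upgrade-to-1.6.x#product-usage-reporting`, but the section this patch adds is in upgrade-to-1.16.x.mdx, so the path should read `upgrade-to-1.16.x`, matching the `Deprecation (1.16.13)` row directly below it. In the same hunk the re-aligned `Duplicate identity groups created` row still ends in `| |`, which leaves a stray third cell in a two-column table, and a second blank line is added before `## Vault companion updates`.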
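
Review bot: The release-notes/1.17.0.mdx hunk adds a `Known issue (1.17.0 - 1.17.3)` row for "AWS Auth AssumeRole requires an external ID even if none is set" that the commit message does not mention and that is unrelated to product usage reporting. Either call it out in the commit message or move it to its own change, and confirm that the `#aws-auth-role-configuration-requires-an-external_id` anchor exists in upgrade-to-1.17.x.mdx, since nothing in this patch adds that section. While the table is being re-aligned, the `Known issue` / `Known Issue` capitalisation in the first column could be made consistent.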
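
Review bot: The new "Activity Log Changes" sections in upgrade-to-1.16.x.mdx and upgrade-to-1.17.x.mdx say `default_report_months` "can no longer be configured or read" and that old values "will be ignored", but the prose never states what the query period now defaults to; that only appears inside the quoted warning ("defaulting to billing start time"). State the effective default in the paragraph so operators who relied on a custom value know what their reports will cover after the upgrade. Smaller points in the same hunks: drop the comma in "endpoint, will result in", change "will be set true by default" to "will be set to true by default", and use sentence case for `### Activity Log Changes` and `#### Default Activity Log Querying Period` to match `### Auto-rolled billing start date` and `### Product usage reporting`. The release-notes rows name the API as `sys/internal/counters` while these sections name `/sys/internal/counters/config` and `/sys/internal/counters/activity`; using the full endpoint paths in both places would avoid ambiguity.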
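
Review bot: The three "Product usage reporting" sections describe a new default that sends data to HashiCorp, yet the upgrade note leaves the opt-out to a generic "See the main page ... for more details, and information about opt-out." Link straight to the opt-out section of `/vault/docs/enterprise/license/product-usage-reporting`, and say which editions are affected, since the link target sits under `enterprise/license` while the text just says "Vault will collect". Operators with restricted egress or data-handling requirements need both facts before they upgrade. The wording also differs between files: upgrade-to-1.16.x.mdx and upgrade-to-1.17.x.mdx say "alongside activity information", upgrade-to-1.18.x.mdx says "alongside client activity data"; pick one phrase for all three.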