mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-11-20 02:01:37 +01:00
Code Issues Projects Releases Wiki Activity
vault/website/content/docs/upgrading/upgrade-to-1.15.x.mdx
Ryan Cragun ba3d9c9aa0
docs: update Docker curl upgrade guide (#28158) 
Signed-off-by: Ryan Cragun <me@ryan.ec>
2024-08-27 11:16:32 -06:00

137 lines
4.9 KiB
Plaintext
Raw Blame History

---
layout: docs
page_title: Upgrade to Vault 1.15.x - Guides
description: |-
Deprecations, important or breaking changes, and remediation recommendations
for anyone upgrading to 1.15.x from Vault 1.14.x.
---
# Overview
The Vault 1.15.x upgrade guide contains information on deprecations, important
or breaking changes, and remediation recommendations for anyone upgrading from
Vault 1.14. **Please read carefully**.
## Consul service registration
As of version 1.15, `service_tags` supplied to Vault for the purpose of [Consul
service registration](/vault/docs/configuration/service-registration/consul#service_tags)
will be **case-sensitive**.
In previous versions of Vault tags were converted to lowercase which led to issues,
for example when tags contained Traefik rules which use case-sensitive method names
such as `Host()`.
If you previously used Consul service registration tags ignoring case, or relied
on the lowercase tags created by Vault, then this change may cause unexpected behavior.
Please audit your Consul storage stanza to ensure that you either:
* Manually convert your `service_tags` to lowercase if required
* Ensure that any system that relies on the tags is aware of the new case-preserving behavior
## Rollback metrics
Vault no longer measures and reports the metrics `vault.rollback.attempts.{MOUNTPOINT}` and `vault.route.rollback.{MOUNTPOINT}` by default. The new default metrics are `vault.rollback.attempts`
and `vault.route.rollback`, which **do not** contain the mount point in the metric name.
To continue measuring `vault.rollback.attempts.{MOUNTPOINT}` and
`vault.route.rollback.{MOUNTPOINT}`, you must explicitly enable mount-specific
metrics in the `telemetry` stanza of your Vault configuration with the
[`add_mount_point_rollback_metrics`](/vault/docs/configuration/telemetry#add_mount_point_rollback_metrics)
option.
## Application of Sentinel Role Governing Policies (RGPs) via identity groups
@include 'application-of-sentinel-rgps-via-identity-groups.mdx'
### Docker image no longer contains `curl`
As of 1.15.13 and later, the `curl` binary is no longer included in the published Docker container
images for Vault and Vault Enterprise. If your workflow depends on `curl` being available in the
container, consider one of the following strategies:
#### Create a wrapper container image
Use the HashiCorp image as a base image to create a new container image with `curl` installed.
```Dockerfile
FROM hashicorp/vault-enterprise
RUN apk add curl
```
**NOTE:** While this is the preferred option it will require managing your own registry and rebuilding new images.
#### Install it at runtime dynamically
When running the image as root (not recommended), you can install it at runtime dynamically by using the `apk` package manager:
```shell-session
docker exec <CONTAINER-ID> apk add curl
```
```shell-session
kubectl exec -ti <NAME> -- apk add curl
```
When running the image as non-root without privilege escalation (recommended) you can use existing
tools to install a static binary of `curl` into the `vault` users home directory:
```shell-session
docker exec <CONTAINER-ID> wget https://github.com/moparisthebest/static-curl/releases/latest/download/curl-amd64 -O /home/vault/curl && chmod +x /home/vault/curl
```
```shell-session
kubectl exec -ti <NAME> -- wget https://github.com/moparisthebest/static-curl/releases/latest/download/curl-amd64 -O /home/vault/curl && chmod +x /home/vault/curl
```
**NOTE:** When using this option you'll want to verify that the static binary comes from a trusted source.
## Known issues and workarounds
@include 'known-issues/1_15-auto-upgrade.mdx'
@include 'known-issues/transit-managed-keys-panics.mdx'
@include 'known-issues/transit-managed-keys-sign-fails.mdx'
@include 'known-issues/aws-auth-panics.mdx'
@include 'known-issues/ui-collapsed-navbar.mdx'
@include 'known-issues/1_15-audit-file-sighup-does-not-trigger-reload.mdx'
@include 'known-issues/internal-error-namespace-missing-policy.mdx'
@include 'known-issues/ephemeral-loggers-memory-leak.mdx'
@include 'known-issues/sublogger-levels-unchanged-on-reload.mdx'
@include 'known-issues/kv2-url-change.mdx'
@include 'known-issues/expiration-metrics-fatal-error.mdx'
@include 'known-issues/1_15_audit-use-of-log-raw-applies-to-all-devices.mdx'
@include 'known-issues/1_15_openldap-rotate-credentials.mdx'
@include 'known-issues/perf-secondary-many-mounts-deadlock.mdx'
@include 'known-issues/1_15-audit-panic-handling-with-eventlogger.mdx'
@include 'known-issues/ocsp-redirect.mdx'
@include 'known-issues/1_15-audit-vault-enterprise-perf-standby-logs-all-headers.mdx'
@include 'known-issues/perf-standbys-revert-to-standby.mdx'
@include 'known-issues/1_13-reload-census-panic-standby.mdx'
@include 'known-issues/autopilot-upgrade-upgrade-version.mdx'
@include 'known-issues/config_listener_proxy_protocol_behavior_issue.mdx'
@include 'known-issues/duplicate-identity-groups.mdx'
@include 'known-issues/manual-entity-merge-does-not-persist.mdx'
Reference in New Issue View Git Blame Copy Permalink