mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-15 11:07:00 +02:00
Code Issues Projects Releases Wiki Activity
fa03adb718
vault/website/content/docs/upgrading/upgrade-to-1.9.0.mdx
Alexander Scheel 759f94fa6d
TLS Documentation Changes (#12940) 
* Add note to TLS cipher suite configuration

Ordering is no longer respected and the tls_max_version flag must be
used for this list to be relevant (as TLSv1.3 will ignore the cipher
suite list entirely).

See blog post linked in the docs for more information.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Note that server cipher suite flag is ignored

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add upgrade note about TLS cipher suites

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2021-11-01 18:14:41 -04:00

78 lines
3.2 KiB
Plaintext
Raw Blame History

---
layout: docs
page_title: Upgrading to Vault 1.9.0 - Guides
description: |-
This page contains the list of deprecations and important or breaking changes
for Vault 1.9.0. Please read it carefully.
---
~> Note: these are **draft** notes for a future version of Vault. They should not be considered
official guidance until the release has been completed.
# Overview
This page contains the list of deprecations and important or breaking changes
for Vault 1.9.0 compared to 1.8. Please read it carefully.
## Identity Tokens
The Identity secrets engine has changed the procedure for creating Identity
token roles. When creating a role, the key parameter is required and the key
must exist. Previously, it was possible to create a role and assign it a named
key that did not yet exist despite the documentation stating otherwise.
All calls to [create or update a role](https://www.vaultproject.io/api/secret/identity/tokens#create-or-update-a-role)
must be checked to ensure that roles are not being created or updated with
non-existent keys.
## SSH Role Parameter `allowed_extensions` Behavior Change
Prior versions of Vault allowed clients to specify any extension when requesting
SSH certificate [signing requests](https://www.vaultproject.io/api/secret/ssh#sign-ssh-key)
if their role had an `allowed_extensions` set to `""` or was missing.
Now, Vault will reject a client request that specifies extensions if the role
parameter `allowed_extensions` is empty or missing from the role they are
associated with.
To re-enable the old behavior, update the roles with a value
of `"*"` to the `allowed_extensions` parameter allowing any/all extensions to be
specified by clients.
## Deprecations
### HTTP Request Counter Deprecation
In Vault 1.9, the internal HTTP Request count
[API](https://www.vaultproject.io/api-docs/system/internal-counters#http-requests)
will be removed from the product. Calls to the endpoint will result in a 404
error with a message stating that `functionality on this path has been removed`.
Vault does not make backwards compatible guarantees on internal APIs (those
prefaced with `sys/internal`). They are subject to change and may disappear
without notice.
### Etcd v2
Support for Etcd v2 will be removed from Vault in Vault 1.10 (not this Vault
release, but the next one). The Etcd v2 API
was deprecated with the release of [Etcd
v3.5](https://etcd.io/blog/2021/announcing-etcd-3.5/), and will be
decommissioned in the Etcd v3.6 release.
Users upgrading to Vault 1.9 and planning to eventually upgrade to Vault 1.10
should prepare to [migrate](/docs/commands/operator/migrate) Vault storage to
an Etcd v3 cluster prior to upgrading to Vault 1.10. All storage migrations
should have [backups](/docs/concepts/storage#backing-up-vault-s-persisted-data)
taken prior to migration.
## TLS Cipher Suites Changes
In Vault 1.9, due to changes in Go 1.17, the `tls_prefer_server_cipher_suites`
TCP configuration parameter has been deprecated and its value will be ignored.
Additionally, Go has begun doing automated cipher suite ordering and no longer
respects the order of suites given in `tls_cipher_suites`.
See [this blog post](https://go.dev/blog/tls-cipher-suites) for more information.
Reference in New Issue View Git Blame Copy Permalink