Skip to content

Latest commit

 

History

History
45 lines (37 loc) · 2.22 KB

upgrade-to-0.7.0.mdx

File metadata and controls

45 lines (37 loc) · 2.22 KB
Raw
layout page_title description
docs
Upgrading to Vault 0.7.0 - Guides
This page contains the list of deprecations and important or breaking changes for Vault 0.7.0. Please read it carefully.

Overview

This page contains the list of deprecations and important or breaking changes for Vault 0.7.0 compared to the most recent release. Please read it carefully.

Rename of backend config key to storage

When configuring Vault, the backend key previously used to configure storage has now been renamed to storage. Vault will alias the old key to the new path, though users are encouraged to update their configuration to ensure minimal disruption in the future when the alias is removed.

List operations always use trailing slash

Any list operation, whether via the GET or LIST HTTP verb, will now internally canonicalize the path to have a trailing slash. This makes policy writing more predictable, as it means clients will no longer work or fail based on which client they're using or which HTTP verb they're using. However, it also means that policies allowing list capability must be carefully checked to ensure that they contain a trailing slash; some policies may need to be split into multiple stanzas to accommodate.

PKI defaults to unleased certificates

When issuing certificates from the PKI backend, by default, no leases will be issued. If you want to manually revoke a certificate, its serial number can be used with the pki/revoke endpoint. Issuing leases is still possible by enabling the generate_lease toggle in PKI role entries (this will default to true for upgrades, to keep existing behavior), which will allow using lease IDs to revoke certificates. For installations issuing large numbers of certificates (tens to hundreds of thousands, or millions), this will significantly improve Vault startup time since leases associated with these certificates will not have to be loaded; however note that it also means that revocation of a token used to issue certificates will no longer add these certificates to a CRL. If this behavior is desired or needed, consider keeping leases enabled and ensuring lifetimes are reasonable, and issue long-lived certificates via a different role with leases disabled.