diff --git a/content/vault/global/partials/important-changes/known-issue/multi-seal-rewrap.mdx b/content/vault/global/partials/important-changes/known-issue/multi-seal-rewrap.mdx new file mode 100644 index 0000000000..b60c437bf7 --- /dev/null +++ b/content/vault/global/partials/important-changes/known-issue/multi-seal-rewrap.mdx @@ -0,0 +1,12 @@ +### Full seal rewraps occur on DR/PR failover with multi-seal enabled ((#multi-seal-rewrap)) + +| Change | Affected versions | Fixed version | +|-------------|------------------------------------------------|---------------| +| Known issue | 1.20.x+ent, 1.19.x+ent, 1.18.x+ent, 1.16.x+ent | None | + +A full rewrap happens when Vault fails over to a DR or performance cluster with `enable_multiseal = true`. +The rewrap can lead to performance degradation until the rewrap operation completes. + +#### Recommendation + +The only workaround is to disable multi-seal support. diff --git a/content/vault/global/partials/important-changes/summary-tables/1_16.mdx b/content/vault/global/partials/important-changes/summary-tables/1_16.mdx index 6999a40e30..c1a23b4969 100644 --- a/content/vault/global/partials/important-changes/summary-tables/1_16.mdx +++ b/content/vault/global/partials/important-changes/summary-tables/1_16.mdx 
@@ -50,3 +50,4 @@ Found | Fixed | Workaround | Edition | Issue 1.16.16 | 1.16.20 | Upgrade | All | [Unexpected LDAP static role rotations on upgrade](/vault/docs/v1.16.x/updates/important-changes#ldap-static-role-rotations-on-upgrade) 1.16.17 | 1.16.21 | **Yes** | Enterprise | [External Enterprise plugins cannot run on a standby node when it becomes active](/vault/docs/v1.16.x/updates/important-changes#external-ent-plugins) 1.16.18 | 1.16.21 | Upgrade | All | [Azure authN fails to authenticate Uniform VMSS instances](/vault/docs/v1.16.x/updates/important-changes#azure-auth-fails-to-authenticate-uniform-vmss-instances) +1.16.0 | No | No | Enterprise | [Full seal rewraps occur on DR/PR failover with multi-seal enabled](/vault/docs/v1.16.x/upgrading/upgrade-to-1.16.x#multi-seal-rewrap) \ No newline at end of file diff --git a/content/vault/global/partials/important-changes/summary-tables/1_18.mdx b/content/vault/global/partials/important-changes/summary-tables/1_18.mdx index 71aa5c18c6..c8abc40e1b 100644 --- a/content/vault/global/partials/important-changes/summary-tables/1_18.mdx +++ b/content/vault/global/partials/important-changes/summary-tables/1_18.mdx @@ -34,3 +34,4 @@ Found | Fixed | Workaround | Edition | Issue 1.18.5 | 1.18.9 | Upgrade | All | [Unexpected LDAP static role rotations on upgrade](/vault/docs/v1.18.x/updates/important-changes#ldap-static-role-rotations-on-upgrade) 1.18.6 | 1.18.10 | **Yes** | Enterprise | [External Enterprise plugins cannot run on a standby node when it becomes active](/vault/docs/v1.18.x/updates/important-changes#external-ent-plugins) 1.18.7 | 1.18.10 | **Yes** | All | [Azure authN fails to authenticate Uniform VMSS instances](/vault/docs/v1.18.x/updates/important-changes#azure-auth-fails-to-authenticate-uniform-vmss-instances) +1.18.0 | No | No | Enterprise | [Full seal rewraps occur on DR/PR failover with multi-seal enabled](/vault/docs/v1.18.x/upgrading/upgrade-to-1.18.x#multi-seal-rewrap) \ No newline at end of file 
diff --git a/content/vault/global/partials/important-changes/summary-tables/1_19.mdx b/content/vault/global/partials/important-changes/summary-tables/1_19.mdx index 63308ba940..856c198f9e 100644 --- a/content/vault/global/partials/important-changes/summary-tables/1_19.mdx +++ b/content/vault/global/partials/important-changes/summary-tables/1_19.mdx @@ -43,3 +43,4 @@ Found | Fixed | Workaround | Edition | Issue 1.18.4 | No | **Yes** | All | [Failing credential refresh for Snowflake DB secrets engine key pair authentication](/vault/docs/v1.19.x/updates/important-changes#snowflake-keypair-refresh) 1.19.0 | No | No | All | [Writing configuration to local auth mount (ldap, aws, gcp, azure) ignores local flag](/vault/docs/v1.19.x/updates/important-changes#local-auth-known-issue) 1.19.0 | No | **Yes** | Enterprise | [Missed events with multiple event clients](/vault/docs/v1.19.x/updates/important-changes#missed-events) +1.19.0 | No | No | Enterprise | [Full seal rewraps occur on DR/PR failover with multi-seal enabled](/vault/docs/v1.19.x/updates/important-changes#multi-seal-rewrap) \ No newline at end of file diff --git a/content/vault/global/partials/important-changes/summary-tables/1_20.mdx b/content/vault/global/partials/important-changes/summary-tables/1_20.mdx index 8540c645fc..9508e53197 100644 --- a/content/vault/global/partials/important-changes/summary-tables/1_20.mdx +++ b/content/vault/global/partials/important-changes/summary-tables/1_20.mdx 
@@ -31,3 +31,4 @@ Found | Fixed | Workaround | Edition | Issue 1.20.0 | 1.20.1 | **Yes** | All | [Duplicate LDAP password rotations on standby node check-in](/vault/docs/v1.20.x/updates/important-changes#ldap-checkin) 1.19.0 | No | No | All | [Writing configuration to local auth mount (ldap, aws, gcp, azure) ignores local flag](/vault/docs/v1.20.x/updates/important-changes#local-auth-known-issue) 1.19.0 | No | **Yes** | Enterprise | [Missed events with multiple event clients](/vault/docs/v1.20.x/updates/important-changes#missed-events) +1.20.0 | No | No | Enterprise | [Full seal rewraps occur on DR/PR failover with multi-seal enabled](/vault/docs/v1.20.x/updates/important-changes#multi-seal-rewrap) \ No newline at end of file diff --git a/content/vault/v1.16.x/content/docs/upgrading/upgrade-to-1.16.x.mdx b/content/vault/v1.16.x/content/docs/upgrading/upgrade-to-1.16.x.mdx index f3c7d8a2dd..5951f4281f 100644 --- a/content/vault/v1.16.x/content/docs/upgrading/upgrade-to-1.16.x.mdx +++ b/content/vault/v1.16.x/content/docs/upgrading/upgrade-to-1.16.x.mdx @@ -308,3 +308,5 @@ If you use `file` audit devices, you need to: @include 'known-issues/sync-activation-flags-cache-not-updated.mdx' @include 'known-issues/enterprise-plugins.mdx' + +@include '../../../global/partials/important-changes/known-issue/multi-seal-rewrap.mdx' diff --git a/content/vault/v1.18.x/content/docs/upgrading/upgrade-to-1.16.x.mdx b/content/vault/v1.18.x/content/docs/upgrading/upgrade-to-1.16.x.mdx index e5afe868a3..f9b081ddf0 100644 --- a/content/vault/v1.18.x/content/docs/upgrading/upgrade-to-1.16.x.mdx +++ b/content/vault/v1.18.x/content/docs/upgrading/upgrade-to-1.16.x.mdx 
@@ -301,4 +301,6 @@ more details, and information about opt-out. @include 'known-issues/sync-activation-flags-cache-not-updated.mdx' -@include 'known-issues/enterprise-plugins.mdx' \ No newline at end of file +@include 'known-issues/enterprise-plugins.mdx' + +@include '../../../global/partials/important-changes/known-issue/multi-seal-rewrap.mdx' diff --git a/content/vault/v1.18.x/content/docs/upgrading/upgrade-to-1.18.x.mdx b/content/vault/v1.18.x/content/docs/upgrading/upgrade-to-1.18.x.mdx index bb5472314b..60f4008be7 100644 --- a/content/vault/v1.18.x/content/docs/upgrading/upgrade-to-1.18.x.mdx +++ b/content/vault/v1.18.x/content/docs/upgrading/upgrade-to-1.18.x.mdx @@ -246,3 +246,5 @@ If you use `file` audit devices, you need to: @include 'known-issues/azure-auth-fails-uniform-vmss.mdx' @include 'known-issues/enterprise-plugins.mdx' + +@include '../../../global/partials/important-changes/known-issue/multi-seal-rewrap.mdx' diff --git a/content/vault/v1.19.x/content/docs/updates/important-changes.mdx b/content/vault/v1.19.x/content/docs/updates/important-changes.mdx index bdb7ad78e8..7302051834 100644 --- a/content/vault/v1.19.x/content/docs/updates/important-changes.mdx +++ b/content/vault/v1.19.x/content/docs/updates/important-changes.mdx @@ -516,3 +516,5 @@ filters you have two options: 1. Spread them out among the nodes of the Vault cluster. 1. Only subscribe to events on the active node of the cluster. + +@include '../../../global/partials/important-changes/known-issue/multi-seal-rewrap.mdx' \ No newline at end of file diff --git a/content/vault/v1.20.x/content/docs/updates/important-changes.mdx b/content/vault/v1.20.x/content/docs/updates/important-changes.mdx index d41171335a..03a7442d40 100644 --- a/content/vault/v1.20.x/content/docs/updates/important-changes.mdx +++ b/content/vault/v1.20.x/content/docs/updates/important-changes.mdx 
@@ -400,3 +400,5 @@ filters you have two options: 1. Spread them out among the nodes of the Vault cluster. 1. Only subscribe to events on the active node of the cluster. + +@include '../../../global/partials/important-changes/known-issue/multi-seal-rewrap.mdx' \ No newline at end of file
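Review bot: In the new partial `known-issue/multi-seal-rewrap.mdx`, the Recommendation section says only "disable multi-seal support" and does not tell the operator what to change. The body already names `enable_multiseal = true`, so the recommendation should name the setting to change or link to the multi-seal documentation. The body also says "DR or performance cluster" where the heading says "DR/PR failover"; use "performance replication" in both places so the scope is unambiguous. The Affected versions cell lists 1.20.x, 1.19.x, 1.18.x and 1.16.x but not 1.17.x; if that omission is deliberate, say so in the description, otherwise add it.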
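Review bot: The row added to `summary-tables/1_16.mdx` has `No` in the Workaround column, but the partial it links to says "The only workaround is to disable multi-seal support." The two should agree: either mark the column `**Yes**` as the neighbouring rows do when a workaround exists, or reword the partial. The same applies to the rows added to `1_18.mdx`, `1_19.mdx` and `1_20.mdx`. The new row is also appended after 1.16.18 although the visible rows ascend by Found version; place 1.16.0 where it sorts.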
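Review bot: In the `summary-tables/1_19.mdx` and `1_20.mdx` hunks, the Found column of the new row is set to the table's own release (1.19.0, 1.20.0), while the context rows show that Found records where the issue first appeared: `1_19.mdx` carries a row found in 1.18.4 and `1_20.mdx` carries rows found in 1.19.0. The partial lists 1.16.x+ent as affected, so the new rows here and in `1_18.mdx` should probably read 1.16.0, otherwise a reader of the 1.20 table will conclude that earlier releases are unaffected.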
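Review bot: In the three `upgrade-to-1.16.x.mdx` / `upgrade-to-1.18.x.mdx` hunks, the new include uses a relative path, `@include '../../../global/partials/important-changes/known-issue/multi-seal-rewrap.mdx'`, while the adjacent lines use the short form `@include 'known-issues/enterprise-plugins.mdx'`. Please confirm the include resolver accepts a path that climbs out of the versioned partials directory, and that it resolves to the same file from every versioned tree. The new directory is named `known-issue` (singular) next to the existing `known-issues` convention, which is easy to mistype in later includes; consider matching the plural form.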
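Review bot: In the `v1.19.x` and `v1.20.x` `important-changes.mdx` hunks, the added `@include` line is the last line of the file and carries `\ No newline at end of file`; the four summary-table hunks do the same with their new rows. The `v1.18.x/.../upgrade-to-1.16.x.mdx` hunk in this same patch shows the cost: it has to delete and re-add the `enterprise-plugins.mdx` include only to supply the missing newline. End each of these files with a newline so the next appended entry is a one-line diff.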