From 8cdb8fded66895ea8f91bda3d1bb46fb87524dbd Mon Sep 17 00:00:00 2001
From: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Date: Mon, 20 Oct 2025 16:33:16 -0700
Subject: [PATCH 01/16] add release notes and updates for deprecation/important
changes
---
.../client-count-timestamp.mdx | 29 ++
.../content/docs/updates/deprecation.mdx | 24 +-
.../docs/updates/important-changes.mdx | 10 +-
.../content/docs/updates/release-notes.mdx | 273 ++++++++++++++++++
.../content/partials/release-notes/intro.mdx | 5 +-
.../v1.21.x (rc)/data/docs-nav-data.json | 4 +
6 files changed, 323 insertions(+), 22 deletions(-)
create mode 100644 content/vault/global/partials/important-changes/breaking-changes/client-count-timestamp.mdx
create mode 100644 content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
diff --git a/content/vault/global/partials/important-changes/breaking-changes/client-count-timestamp.mdx b/content/vault/global/partials/important-changes/breaking-changes/client-count-timestamp.mdx
new file mode 100644
index 0000000000..9a3f470a18
--- /dev/null
+++ b/content/vault/global/partials/important-changes/breaking-changes/client-count-timestamp.mdx
@@ -0,0 +1,29 @@
+### Activity timestamps for client count ((#client-count-export))
+
+
+
+| Change | Affected version | Vault edition
+| ------------ | ---------------- | -------------
+| Breaking | 1.21.0+ | All
+
+
+
+Vault counts a client tokens the first time an authenticated call uses it, which
+could precede the start of the billing period.
+
+Previously, the Activity Export endpoint response included a `timestamp`
+parameter that referred to the creation time and date for the client token
+rather than the time and date when Vault counted the token.
+
+To clarify the data returned, the endpoint now returns two timestamp paramters.
+
+- **`client_first_usage_time`** - (new) indicates the first use/count of the
+ token.
+- **`token_creation_time`** - (replaces `timestamp`) indicates the creation
+ timestamp of the token.
+
+
+#### Recommendation
+
+Update any references to the old `timestamp` attribute to use
+`token_creation_time`.
\ No newline at end of file
diff --git a/content/vault/v1.21.x (rc)/content/docs/updates/deprecation.mdx b/content/vault/v1.21.x (rc)/content/docs/updates/deprecation.mdx
index 78be0771d9..29cfb75eca 100644
--- a/content/vault/v1.21.x (rc)/content/docs/updates/deprecation.mdx
+++ b/content/vault/v1.21.x (rc)/content/docs/updates/deprecation.mdx
@@ -21,10 +21,7 @@ or raise a ticket with your support team.
-## Recent announcements
-
-
-
+## Deprecations ((#deprecations))
The Vault Support Team can provide limited help with a deprecated feature.
@@ -34,23 +31,24 @@ or raise a ticket with your support team.
more information on the product support timeline.
-@include 'deprecation/ruby-client-library.mdx'
@include 'deprecation/snowflake-password-auth.mdx'
-
-
+
+## Pending removal
@include 'deprecation/vault-agent-api-proxy.mdx'
-@include 'deprecation/aws-field-change.mdx'
+@include 'deprecation/duplicate-hcl-attributes.mdx'
-@include 'deprecation/centrify-auth-method.mdx'
-@include 'deprecation/duplicate-hcl-attributes.mdx'
+## Removed
+
+@include 'deprecation/ruby-client-library.mdx'
-
-
+@include 'deprecation/aws-field-change.mdx'
+
+@include 'deprecation/centrify-auth-method.mdx'
@include 'deprecation/active-directory-secrets-engine.mdx'
@@ -60,8 +58,6 @@ or raise a ticket with your support team.
@include 'deprecation/internal-counters-tokens-api.mdx'
-
-
diff --git a/content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx b/content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx
index 78ef8f3b21..3d3b95602d 100644
--- a/content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx
+++ b/content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx
@@ -4,12 +4,6 @@ page_title: Important changes
description: >-
Deprecations, important or breaking changes, and remediation recommendations
for upgrading Vault.
-
-valid_change_types: >-
- - Change in support
- - New behavior (new defaults, new requirements, etc.)
- - Breaking change --> workaround/recommendation recommended
- - Known issue --> workaround/recommendation required
---
# Important changes
@@ -21,6 +15,8 @@ before upgrading Vault.
## Breaking changes
+@include '../../../global/partials/important-changes/breaking-changes/client-count-timestamp.mdx'
+
### Audiences required for Kubernetes authentication roles ((##k8-audience-required))
| Change | Affected version | Vault edition
@@ -49,11 +45,13 @@ vault write auth/kubernetes/role/demo \
Refer to the [Kubernetes authentication docs](/vault/docs/auth/kubernetes) for
more information.
+---
## New behavior
None.
+---
## Known issues
diff --git a/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx b/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
new file mode 100644
index 0000000000..76e22d5dd0
--- /dev/null
+++ b/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
@@ -0,0 +1,273 @@
+---
+layout: docs
+page_title: Release notes
+description: >-
+ TBD
+---
+
+# Vault release notes
+
+Release | RC date | GA date
+------- | ---------- | ----------
+1.21.x | 2025-10-09 | 2025-10-17
+
+@include 'release-notes/intro.mdx'
+
+@include 'tips/change-tracker.mdx'
+
+
+## Executive summary
+
+Vault Enterprise 1.21 minimizes operational burden, improves pricing visibility,
+and provides increased pricing support.
+
+
+### Highlights
+
+- Static role support for Azure enabled workflows that require managed,
+ long-lived Azure credentials.
+- Smoother integration with bring-your-own DNS, AWS, Azure Privatelink, and
+ custom domains.
+- Expanded Terraform Vault Provider support for provisioning and resource
+ management with Terraform.
+- Emerging security policy management with IBM Z RACF passphrase support.
+- Enhanced logging and auditing that increases traceability and compliance.
+- Machine identity and authentication support for SPIFFE frameworks.
+
+
+## New features
+
+
+
+
+ | Feature |
+ Summary |
+ Benefit |
+
+
+
+
+ | SPIFFE authentication |
+
+ Use the SPIFFE authentication plugin to leverage SPIFFE frameworks based
+ SVIDS. With the SPIFFEE plugin, clients can authenticate to Vault and
+ request SVIDs to authenticate in SPIFFE environment.
+ |
+
+ Increases flexibility to authenticate workloads with SPIFFE authentication
+ methods and enables new workloads that require SPIFFE.
+ |
+
+
+ | MFA TOTP self-enrollment |
+
+ Configure multi-factor authenication in Vault to let clients self-enroll
+ with QR codes during login when they do not have a TOTP configured.
+ |
+
+ Applies MFA TOTP enforcements to users before they exist instead of
+ requiring operators to manually generate and send users an enrollment QR
+ code.
+ |
+
+
+ | KV v2 version attribution |
+
+ Query the metadata endpoint with read and list requests for for KV v2
+ secrets to get the human-readable name of the user who created the
+ targeted secret version.
+ |
+
+ Simplifies information gathering by replacing manual audit log reviews
+ with a straightforward metadata query.
+ |
+
+
+ | Cumulative client counts endpoint |
+
+ Easily query the number of Vault clients consumed by a namespace and all
+ its descendants.
+ |
+
+ Provides easier access to client utilization data in environments with
+ nested namespace structures.
+ |
+
+
+ | Root rotation for Snowflake key-pairs |
+
+ Perform on-demand and scheduled rotations for key-pair root credentials in
+ the Snowflake plugin.
+ |
+
+ Fully automates the rotation of key-pair root credentials for Snowflake
+ |
+
+
+ | Static roles in the Azure Secret Engine |
+
+ Rotate Azure static roles tied to long-lived credentials on demand with
+ initialization or imported credentials.
+ |
+
+ Simplify lifecycle management for long-lived Azure credentials for key
+ workflows instead of juggling dynamic secrets that Vault revokes when the
+ workflow client disconnects.
+ |
+
+
+
+
+## Existing feature improvements
+
+
+
+
+ | Feature |
+ Summary |
+ Improvement |
+
+
+
+
+ | Client count dashboard |
+
+ View a list of individual clients in the client count aggregate from the
+ new **Client list** tab in the client count dashboard.
+ |
+
+ Simplifies data access for preliminary analysis.
+ |
+
+
+ | Secret recovery |
+
+ Use the Vault GUI or API to automatically load snapshots and recover
+ individual database static roles or SSH config CA/managed keys.
+ |
+
+ Lets you delegate recovery of individual secrets and provide a granular,
+ flexible recovery mechanism for technical and non-technical users.
+ |
+
+
+ | Attestation evidence for credential rotation |
+
+ Use Vault server logs to review the details for successful and failed
+ automated root rotations and static role rotation for the database and
+ LDAP secrets engines.
+ |
+
+ Improved transparancy and confidence that root credential rotation
+ happened properly for less complicated compliance checks.
+ |
+
+
+ | RACF passphrase support in the LDAP plugin |
+
+ Use RACF passphrases (up to 100 characters) with the LDAP secrets engine
+ plugin.
+ |
+
+ Supports longer, more secure RACF passphrases and helps you keep up with
+ changing security policy requirements..
+ |
+
+
+ | Eventing in the LDAP Secrets Engine |
+
+ The LDAP secrets engine now
+ [emits events](/vault/docs/concepts/events#event-types) including rotation
+ success and failure events.
+ |
+
+ Expands functionality of the LDAP secrets engine plugin with new events.
+ |
+
+
+ | Dedicated rotation URL for LDAP authentication |
+
+ The LDAP authentication plugin supports root account rotation with a
+ dedicated URL.
+ |
+
+ Supports root account rotation even when you configure the plugin with the
+ Global Catalog URL of an AD Forest.
+ |
+
+
+ | Counter of PKI certificates issued |
+
+ Track and review the number of PKI certificates issued, cluster-wide by a
+ given Vault cluster with built-in accounting.
+ |
+
+ Improved transparancy and tracking for certificate logistics.
+ |
+
+
+
+
+
+
+## Bug fixes
+
+None.
+
+
+
+## Vault companion updates
+
+
+
+
+ | Companion |
+ Summary |
+ Benefit |
+
+
+
+
+ | Vault Secrets Operator CSI driver |
+
+ Use CSI drivers with Vault Secrets Operator to mapped Vault secrets
+ as protected secrets directly into application pods with shared volumes.
+ |
+
+ Use protected secrets to leverage Vault security even in environments that
+ limit the use of native Kubernetes secrets.
+ |
+
+
+ | Vault Secrets Store CSI provider |
+
+ Red Hat has certified the Vault Secrets Store CSI provider for use on
+ OpenShift.
+ |
+
+ Use Vault Secret Store even in environments that require Red Hat Open
+ Shift certification for all system components.
+ |
+
+
+ | External key management provider |
+
+ Grant database administrators full control over the versions of `transit`
+ keys used to wrap and unwrap data encryption keys for SQL Server.
+ |
+
+ Reduces the number of keys and simplifies the database restore process
+ from encrypted backups.
+ |
+
+
+
+
+
+## Feature deprecations and EOL
+
+Deprecated in 1.21.x | Retired in 1.21.x
+-------------------- | ---------------
+None | [Snowflake DB password authentication](/vault/docs/updates/deprecation#snowflake-db-password-auth)
+
+@include 'release-notes/deprecation-note.mdx'
\ No newline at end of file
diff --git a/content/vault/v1.21.x (rc)/content/partials/release-notes/intro.mdx b/content/vault/v1.21.x (rc)/content/partials/release-notes/intro.mdx
index 54bd81c8ab..8d61b2e732 100644
--- a/content/vault/v1.21.x (rc)/content/partials/release-notes/intro.mdx
+++ b/content/vault/v1.21.x (rc)/content/partials/release-notes/intro.mdx
@@ -1,6 +1,7 @@
Release notes provide an at-a-glance summary of key updates to new versions of
-Vault. For a comprehensive list of product updates, improvements, and bug fixes
-refer to the [changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md)
+Vault Enterprise. For a comprehensive list of product updates, improvements, and
+bug fixes refer to the
+[changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md)
included with the Vault code on GitHub.
We encourage you to
diff --git a/content/vault/v1.21.x (rc)/data/docs-nav-data.json b/content/vault/v1.21.x (rc)/data/docs-nav-data.json
index af5df94c8b..d0df1d786e 100644
--- a/content/vault/v1.21.x (rc)/data/docs-nav-data.json
+++ b/content/vault/v1.21.x (rc)/data/docs-nav-data.json
@@ -281,6 +281,10 @@
{
"title": "Recent updates",
"routes": [
+ {
+ "title": "Release notes",
+ "path": "updates/release-notes"
+ },
{
"title": "Important changes",
"path": "updates/important-changes"
From 1f62845bf2f435627691977663f88dd308208ffb Mon Sep 17 00:00:00 2001
From: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Date: Tue, 21 Oct 2025 11:49:21 -0700
Subject: [PATCH 02/16] Apply suggestion from @gsantos-hc
Co-authored-by: Guilherme Santos <157053549+gsantos-hc@users.noreply.github.com>
---
.../breaking-changes/client-count-timestamp.mdx | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/vault/global/partials/important-changes/breaking-changes/client-count-timestamp.mdx b/content/vault/global/partials/important-changes/breaking-changes/client-count-timestamp.mdx
index 9a3f470a18..e8dc24e86d 100644
--- a/content/vault/global/partials/important-changes/breaking-changes/client-count-timestamp.mdx
+++ b/content/vault/global/partials/important-changes/breaking-changes/client-count-timestamp.mdx
@@ -1,4 +1,4 @@
-### Activity timestamps for client count ((#client-count-export))
+### Renamed timestamp fields for client count activity export ((#client-count-export))
From e1574ceb1422babe9ebf3c725398f7e2ba63f783 Mon Sep 17 00:00:00 2001
From: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Date: Tue, 21 Oct 2025 11:59:52 -0700
Subject: [PATCH 03/16] apply feedback
---
.../client-count-timestamp.mdx | 22 +++++++++++--------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/content/vault/global/partials/important-changes/breaking-changes/client-count-timestamp.mdx b/content/vault/global/partials/important-changes/breaking-changes/client-count-timestamp.mdx
index e8dc24e86d..abe467bd64 100644
--- a/content/vault/global/partials/important-changes/breaking-changes/client-count-timestamp.mdx
+++ b/content/vault/global/partials/important-changes/breaking-changes/client-count-timestamp.mdx
@@ -8,22 +8,26 @@
-Vault counts a client tokens the first time an authenticated call uses it, which
-could precede the start of the billing period.
+Vault counts a client the first time that client makes an authenticated API
+during the billing period.
Previously, the Activity Export endpoint response included a `timestamp`
-parameter that referred to the creation time and date for the client token
-rather than the time and date when Vault counted the token.
+field that reflected the creation time and date for the client token, which
+could precede the start of the billing period, rather than the time and date
+of the first authenticated API call.
-To clarify the data returned, the endpoint now returns two timestamp paramters.
+To clarify the data returned, the endpoint now returns two timestamp paramters:
-- **`client_first_usage_time`** - (new) indicates the first use/count of the
- token.
+- **`client_first_usage_time`** - (new) indicates the client first made an
+ authenticated API call during the billing period.
- **`token_creation_time`** - (replaces `timestamp`) indicates the creation
timestamp of the token.
#### Recommendation
-Update any references to the old `timestamp` attribute to use
-`token_creation_time`.
\ No newline at end of file
+Review your use of the `timestamp` field and:
+
+1. Consider if the context makes `client_first_usage_time` a more appropriate
+ timestamp.
+1. Update any remaining references to `timestamp` to use `token_creation_time`.
From d9bce389f7b9fadbf013d39d4b0588a38dc18565 Mon Sep 17 00:00:00 2001
From: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Date: Tue, 21 Oct 2025 12:01:22 -0700
Subject: [PATCH 04/16] Apply suggestion from @gsantos-hc
Co-authored-by: Guilherme Santos <157053549+gsantos-hc@users.noreply.github.com>
---
.../vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx b/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
index 76e22d5dd0..94c61f50b6 100644
--- a/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
+++ b/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
@@ -132,7 +132,7 @@ and provides increased pricing support.
| Client count dashboard |
- View a list of individual clients in the client count aggregate from the
+ View a list of individual clients in each client count aggregate from the
new **Client list** tab in the client count dashboard.
|
From 3a9003d0d87cca5427b3a616fdc4cdb5bc4acd50 Mon Sep 17 00:00:00 2001
From: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Date: Tue, 21 Oct 2025 12:01:41 -0700
Subject: [PATCH 05/16] Apply suggestion from @gsantos-hc
Co-authored-by: Guilherme Santos <157053549+gsantos-hc@users.noreply.github.com>
---
.../vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx b/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
index 94c61f50b6..6b4dab979f 100644
--- a/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
+++ b/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
@@ -198,8 +198,8 @@ and provides increased pricing support.
|
| Counter of PKI certificates issued |
- Track and review the number of PKI certificates issued, cluster-wide by a
- given Vault cluster with built-in accounting.
+ Track the monthly total number of PKI certificates issued cluster-wide by a
+ given Vault cluster.
|
Improved transparancy and tracking for certificate logistics.
From f0f8636f863da9373ee7030c28824825aefddbd0 Mon Sep 17 00:00:00 2001
From: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Date: Tue, 21 Oct 2025 12:01:50 -0700
Subject: [PATCH 06/16] Apply suggestion from @gsantos-hc
Co-authored-by: Guilherme Santos <157053549+gsantos-hc@users.noreply.github.com>
---
.../vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx b/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
index 6b4dab979f..38cfbdc653 100644
--- a/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
+++ b/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
@@ -202,7 +202,7 @@ and provides increased pricing support.
given Vault cluster.
|
- Improved transparancy and tracking for certificate logistics.
+ Improved visibility into PKI usage.
|
From 2007190baf2e41a7dc62c557ba1df9a3498a8036 Mon Sep 17 00:00:00 2001
From: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Date: Tue, 21 Oct 2025 12:03:23 -0700
Subject: [PATCH 07/16] Change VSO entry title
---
.../vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx b/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
index 38cfbdc653..25dce81a8d 100644
--- a/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
+++ b/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
@@ -228,7 +228,7 @@ None.
- | Vault Secrets Operator CSI driver |
+ Vault Secrets Operator |
Use CSI drivers with Vault Secrets Operator to mapped Vault secrets
as protected secrets directly into application pods with shared volumes.
From 9d8d3a7a5d23793c535166eb0dcd9885998a3010 Mon Sep 17 00:00:00 2001
From: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Date: Tue, 21 Oct 2025 12:04:28 -0700
Subject: [PATCH 08/16] Add MS SQL
---
.../vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx b/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
index 25dce81a8d..50d1349552 100644
--- a/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
+++ b/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
@@ -250,7 +250,7 @@ None.
|
- | External key management provider |
+ MS SQL external key management provider |
Grant database administrators full control over the versions of `transit`
keys used to wrap and unwrap data encryption keys for SQL Server.
From 00b5b467103d73a0b0c5b2243a27b75bb305c896 Mon Sep 17 00:00:00 2001
From: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Date: Tue, 21 Oct 2025 12:06:10 -0700
Subject: [PATCH 09/16] tweak csi driver language
---
.../vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx b/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
index 50d1349552..fc3456a027 100644
--- a/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
+++ b/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
@@ -230,8 +230,8 @@ None.
|
| Vault Secrets Operator |
- Use CSI drivers with Vault Secrets Operator to mapped Vault secrets
- as protected secrets directly into application pods with shared volumes.
+ Maps Vault secrets directly into application pods with shared volumes
+ as protected secrets using CSI drivers.
|
Use protected secrets to leverage Vault security even in environments that
From 1e45165eec65b6ef8e7f80e4fccb6ed2c816ba0a Mon Sep 17 00:00:00 2001
From: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Date: Tue, 21 Oct 2025 13:22:01 -0700
Subject: [PATCH 10/16] apply feedback
---
.../v1.21.x (rc)/content/docs/updates/release-notes.mdx | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx b/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
index fc3456a027..de5d6f262b 100644
--- a/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
+++ b/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
@@ -230,12 +230,12 @@ None.
|
| Vault Secrets Operator |
- Maps Vault secrets directly into application pods with shared volumes
- as protected secrets using CSI drivers.
+ Map Vault secrets directly into application pods with shared volumes
+ as [protected secrets using CSI drivers](/vault/docs/deploy/kubernetes/vso/csi).
|
- Use protected secrets to leverage Vault security even in environments that
- limit the use of native Kubernetes secrets.
+ Deliver secrets from Vault to Kubernetes workloads in deployments that
+ restrict the use of native K8s secrets.
|
From e2d6c0da50ab1e1830e9f78d92a5fed01df3bd8c Mon Sep 17 00:00:00 2001
From: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Date: Tue, 21 Oct 2025 13:43:07 -0700
Subject: [PATCH 11/16] Apply suggestion from @gsantos-hc
Co-authored-by: Guilherme Santos <157053549+gsantos-hc@users.noreply.github.com>
---
.../breaking-changes/client-count-timestamp.mdx | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/vault/global/partials/important-changes/breaking-changes/client-count-timestamp.mdx b/content/vault/global/partials/important-changes/breaking-changes/client-count-timestamp.mdx
index abe467bd64..6a081df2db 100644
--- a/content/vault/global/partials/important-changes/breaking-changes/client-count-timestamp.mdx
+++ b/content/vault/global/partials/important-changes/breaking-changes/client-count-timestamp.mdx
@@ -16,7 +16,7 @@ field that reflected the creation time and date for the client token, which
could precede the start of the billing period, rather than the time and date
of the first authenticated API call.
-To clarify the data returned, the endpoint now returns two timestamp paramters:
+To clarify the data returned, the endpoint now returns two timestamp parameters:
- **`client_first_usage_time`** - (new) indicates the client first made an
authenticated API call during the billing period.
From f48f32d655412d53b15f905c4f940a7395f5308f Mon Sep 17 00:00:00 2001
From: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Date: Tue, 21 Oct 2025 13:43:19 -0700
Subject: [PATCH 12/16] Apply suggestion from @gsantos-hc
Co-authored-by: Guilherme Santos <157053549+gsantos-hc@users.noreply.github.com>
---
.../breaking-changes/client-count-timestamp.mdx | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/vault/global/partials/important-changes/breaking-changes/client-count-timestamp.mdx b/content/vault/global/partials/important-changes/breaking-changes/client-count-timestamp.mdx
index 6a081df2db..4ee5e5a888 100644
--- a/content/vault/global/partials/important-changes/breaking-changes/client-count-timestamp.mdx
+++ b/content/vault/global/partials/important-changes/breaking-changes/client-count-timestamp.mdx
@@ -18,7 +18,7 @@ of the first authenticated API call.
To clarify the data returned, the endpoint now returns two timestamp parameters:
-- **`client_first_usage_time`** - (new) indicates the client first made an
+- **`client_first_usage_time`** - (new) indicates when the client first made an
authenticated API call during the billing period.
- **`token_creation_time`** - (replaces `timestamp`) indicates the creation
timestamp of the token.
From aea8891236ebb13cfbfbb7cda55dd498d2122d68 Mon Sep 17 00:00:00 2001
From: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Date: Tue, 21 Oct 2025 13:44:04 -0700
Subject: [PATCH 13/16] Apply suggestion from @gsantos-hc
Co-authored-by: Guilherme Santos <157053549+gsantos-hc@users.noreply.github.com>
---
.../content/docs/updates/release-notes.mdx | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx b/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
index de5d6f262b..9a30328056 100644
--- a/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
+++ b/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
@@ -205,6 +205,18 @@ and provides increased pricing support.
Improved visibility into PKI usage.
+
+ | License utilization and product usage data updates |
+
+ Vault collects and reports additional data points to HashiCorp for
+ improved
+ [license utilization reporting](../license/utilization/auto-reporting) and
+ [anonymized product usage reporting](../license/product-usage-reporting).
+ |
+
+ Improved product insights and roadmap prioritization.
+ |
+
From 27f8aab539a6cc962cbe8a190bbc4f2e939efe6b Mon Sep 17 00:00:00 2001
From: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Date: Tue, 21 Oct 2025 14:41:42 -0700
Subject: [PATCH 14/16] tweaks
---
.../v1.21.x (rc)/content/docs/updates/release-notes.mdx | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx b/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
index 9a30328056..82b319857f 100644
--- a/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
+++ b/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
@@ -247,13 +247,13 @@ None.
Deliver secrets from Vault to Kubernetes workloads in deployments that
- restrict the use of native K8s secrets.
+ restrict the use of native K8s secrets.
|
| Vault Secrets Store CSI provider |
- Red Hat has certified the Vault Secrets Store CSI provider for use on
+ Red Hat certified the Vault Secrets Store CSI provider for use on
OpenShift.
|
@@ -268,7 +268,7 @@ None.
keys used to wrap and unwrap data encryption keys for SQL Server.
|
- Reduces the number of keys and simplifies the database restore process
+ Reduce the number of keys and simplifies the database restore process
from encrypted backups.
|
From 1bffc25871de854203b1712d6f8950dadcd67097 Mon Sep 17 00:00:00 2001
From: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Date: Tue, 21 Oct 2025 14:44:39 -0700
Subject: [PATCH 15/16] fix
---
.../vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx b/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
index 82b319857f..3d0d3b91a1 100644
--- a/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
+++ b/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx
@@ -268,7 +268,7 @@ None.
keys used to wrap and unwrap data encryption keys for SQL Server.
- Reduce the number of keys and simplifies the database restore process
+ Reduce the number of keys and simplify the database restore process
from encrypted backups.
|
From 1692e486ef8cbb6909e343c17df9fd17ad158d80 Mon Sep 17 00:00:00 2001
From: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Date: Tue, 21 Oct 2025 15:38:59 -0700
Subject: [PATCH 16/16] Remove version fencing to deal with preview build error
---
.../breaking-changes/client-count-timestamp.mdx | 4 ----
1 file changed, 4 deletions(-)
diff --git a/content/vault/global/partials/important-changes/breaking-changes/client-count-timestamp.mdx b/content/vault/global/partials/important-changes/breaking-changes/client-count-timestamp.mdx
index 4ee5e5a888..799e62a4bd 100644
--- a/content/vault/global/partials/important-changes/breaking-changes/client-count-timestamp.mdx
+++ b/content/vault/global/partials/important-changes/breaking-changes/client-count-timestamp.mdx
@@ -1,13 +1,9 @@
### Renamed timestamp fields for client count activity export ((#client-count-export))
-
-
| Change | Affected version | Vault edition
| ------------ | ---------------- | -------------
| Breaking | 1.21.0+ | All
-
-
Vault counts a client the first time that client makes an authenticated API
during the billing period.