Overview
The Vault 1.15.x upgrade guide contains information on deprecations, important or breaking changes, and remediation recommendations for anyone upgrading from Vault 1.14. Please read carefully.
Consul service registration
As of version 1.15, service_tags
supplied to Vault for the purpose of Consul
service registration
will be case-sensitive.
In previous versions of Vault tags were converted to lowercase which led to issues,
for example when tags contained Traefik rules which use case-sensitive method names
such as Host()
.
If you previously used Consul service registration tags ignoring case, or relied on the lowercase tags created by Vault, then this change may cause unexpected behavior.
Please audit your Consul storage stanza to ensure that you either:
- Manually convert your
service_tags
to lowercase if required - Ensure that any system that relies on the tags is aware of the new case-preserving behavior
Rollback metrics
Vault no longer measures and reports the metrics vault.rollback.attempts.{MOUNTPOINT}
and vault.route.rollback.{MOUNTPOINT}
by default. The new default metrics are vault.rollback.attempts
and vault.route.rollback
, which do not contain the mount point in the metric name.
To continue measuring vault.rollback.attempts.{MOUNTPOINT}
and
vault.route.rollback.{MOUNTPOINT}
, you must explicitly enable mount-specific
metrics in the telemetry
stanza of your Vault configuration with the
add_mount_point_rollback_metrics
option.
Application of Sentinel Role Governing Policies (RGPs) via identity groups
As of versions 1.15.0
, 1.14.4
, and 1.13.8
, the Sentinel RGPSs derived from membership in identity groups apply
only to entities in the same and child namespaces, relative to the identity group.
Also, the group_policy_application_mode
only applies to
to ACL policies. Vault Sentinel Role Governing Policies (RGPs) are not affected by group policy application mode.