8000 write known issues for follower nodes failure to extract ent plugins by thyton · Pull Request #30628 · hashicorp/vault · GitHub
Merged
3 changes: 2 additions & 1 deletion website/content/docs/commands/plugin/register.mdx
@@ -33,7 +33,8 @@ of the Plugin management page for Vault compatibility requirements.

Before registering Key Management secrets engine v0.16.0+ent for the linux/amd64 system that runs Vault Enterprise,
`vault-plugin-secrets-keymgmt_v0.16.0+ent_linux_amd64.zip` needs to be downloaded from
https://releases.hashicorp.com/vault-plugin-secrets-keymgmt and placed in the plugin directory.
https://releases.hashicorp.com/vault-plugin-secrets-keymgmt and extracted to
`<plugin_directory>/vault-plugin-secrets-keymgmt_v0.16.0+ent_linux_amd64/`.

```shell-session
$ vault plugin register
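Review bot: the artifact name in this hunk, `vault-plugin-secrets-keymgmt_v0.16.0+ent_linux_amd64.zip`, and the directory name derived from it on the added line carry a `v` before the version, while the same plugin is spelled `vault-plugin-secrets-keymgmt_0.16.0+ent_darwin_arm64.zip` in the important-changes.mdx hunk and the oracle example in plugins/register.mdx is `vault-plugin-database-oracle_0.11.0+ent_linux_amd64.zip` without it. Because the docs now tell readers to extract to a directory with exactly that name, the three files should use whichever spelling matches the real artifact on releases.hashicorp.com. It would also help to say here what the extracted directory must contain (the binary plus `metadata.json` and `metadata.json.sig`, as the important-changes.mdx workaround shows) so readers of the command reference do not extract only the binary.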
19 changes: 13 additions & 6 deletions website/content/docs/plugins/register.mdx
@@ -17,20 +17,27 @@ Vault defaults to the manually registered plugin when you enable a new mount
with that name.


## Before you start
## Before you start

- **To register enterprise plugins, you have Vault v1.16.16+, 1.17.12+, 1.18.5+,
or 1.19.x+**.
- **To register enterprise plugins, you have Vault v1.16.21+, 1.17.17+, 1.18.10+,
or 1.19.4+**.
- **You must have admin permissions for Vault**. Specifically, you must be able
to run `plugin register` and the appropriate `enable` command.
- **You must have
[`plugin_directory`](/vault/docs/configuration#plugin_directory) set in your
Vault configuration file**.
- **You must have the plugin binary or zip file saved to the location set in
`plugin_directory`**.
- **For enterprise plugins, you must have the plugin `.zip` file extracted to
the expected location inside `plugin_directory`**.
For example, `vault-plugin-database-oracle_0.11.0+ent_linux_amd64.zip` must be
extracted to `<plugin_directory>/vault-plugin-database-oracle_0.11.0+ent_linux_amd64/`.
- **For other plugins, you must have the plugin binary saved to the
location set in `plugin_directory`**.
Comment on lines +33 to +34 (Contributor):

(Not really a review comment but commenting here so I can find the reference again somewhat quickly.)

Note to self: I should update this documentation as part of VAULT-34905 when we start supporting the extracted artifact with metadata verification for CE plugins.

- **You must have [`api_addr`](/vault/docs/configuration#api_addr) set in your
Vault configuration file**.

See [Recommendation](/vault/docs/updates/important-changes#external-enterprise-plugins)
to register enterprise plugins on Vault v1.16.17 - v1.16.20, v1.17.13 - v1.17.16,
v1.18.6 - v1.18.9, or v1.19.0 - v1.19.3.

## Step 1: Update the plugin catalog

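Review bot: the new version floor in the "Before you start" bullet (1.16.21+, 1.17.17+, 1.18.10+, 1.19.4+) combined with the affected ranges in the closing paragraph (v1.16.17 - v1.16.20, v1.17.13 - v1.17.16, v1.18.6 - v1.18.9, v1.19.0 - v1.19.3) leaves 1.16.16, 1.17.12 and 1.18.5 unaccounted for, even though the removed bullet listed exactly those releases as the first ones able to register enterprise plugins. Either they are unaffected by the standby extraction bug, in which case the bullet should keep them as supported, or they are affected, in which case the recommendation's ranges should start there. Minor: the removed and added `## Before you start` lines render identically, so that change appears to be whitespace only.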
@@ -52,4 +59,4 @@ Enable the plugin to make it available to clients.

Verify the plugin is ready for use and running the correct version.

@include 'plugins/verify-status.mdx'
@include 'plugins/verify-status.mdx'
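Review bot: the removed and added `@include 'plugins/verify-status.mdx'` lines are identical in the rendered diff, so this hunk is a trailing-newline or whitespace change unrelated to the PR title; the same holds for the three single-line hunks in important-changes.mdx ("duplicate identities", "more than one result", "client entity changes") and the "Faster availability after restart" hunk in release-notes.mdx. Harmless, but worth a line in the PR description or a separate commit so the review focuses on the known-issue text.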
46 changes: 38 additions & 8 deletions website/content/docs/updates/important-changes.mdx
@@ -63,7 +63,7 @@ flag.
### Recommendation

Vault 1.19.0 also includes improved reporting in server logs to help diagnose
whether you have duplicate identities in your Vault instance.
whether you have duplicate identities in your Vault instance.

After upgrading, review your server logs for identity duplicate reporting.

@@ -82,7 +82,7 @@ resolves safely.
Security improvements to
[`hashicorp/cap/ldap`](https://github.com/hashicorp/cap/tree/main/ldap) ensure
that user DN searches with `upndomain` configured return an error if the search
returns more than one result.
returns more than one result.

### Recommendation

@@ -149,7 +149,7 @@ sensitivity on entered credentials.

Performance standby nodes cannot persist updated group membership to storage.
As a result, standby nodes return a `500` error during login or token renewal if
the external group associated with the client entity changes.
the external group associated with the client entity changes.

### Recommendation

@@ -259,15 +259,45 @@ $ vault write gcp/config/root rotation_period="<old_period>"

## Azure Auth fails to authenticate Uniform VMSS instances ((#azure-vmss))

| Change | Affected version | Affected deployments
| ------------ | ------------------------------------ | --------------------
| Bug | 1.16.18+, 1.17.14+, 1.18.7+, 1.19.1+ | any
| Change | Affected version | Affected deployments
| ------------ | -------------------------------------------------------------- | --------------------
| Bug | 1.16.18-1.16.20, 1.17.14-1.17.16, 1.18.7-1.18.9, 1.19.1-1.19.3 | any

A previous update to validate JWT claims against the provided VM, VMSS, and
resource group names without accounting for the uniform VMSS format introduced a
regression that causes Azure authentication from a uniform VMSS instance with a
user assigned managed identity on the VMSS to incorrectly return an error.

### Recommendation
### Recommendation

Upgrade to one of the following Vault versions: 1.16.21+, 1.17.17+, 1.18.10+,
1.19.4+


## External Vault Enterprise plugins can't run on a standby node when it becomes active ((#external-enterprise-plugins))

| Change | Affected version | Affected deployments
| ------------ | -------------------------------------------------------------- | --------------------
| Bug | 1.16.17-1.16.20, 1.17.13-1.17.16, 1.18.6-1.18.9, 1.19.0-1.19.3 | any

External Enterprise plugins can't run on a standby node when it becomes active
because standby nodes don't extract the artifact when the plugin
is registered.

### Recommendation

As a workaround, add the plugin `.zip` artifact on every node and register the plugin on the
active node. Then, extract the contents of the zip file on the follower nodes
similar to the following folder structure for
`vault-plugin-secrets-keymgmt_0.16.0+ent_darwin_arm64.zip`.

```
<plugin-directory>/vault-plugin-secrets-keymgmt_0.16.0+ent_darwin_arm64
├── metadata.json
├── metadata.json.sig
└── vault-plugin-secrets-keymgmt
```

Avoid upgrading until we fix the issue.
Alternatively, upgrade to one of the following Vault versions: 1.16.21+, 1.17.17+,
1.18.10+, 1.19.4+. See [Register external plugins](/vault/docs/plugins/register)
for more details.
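Review bot: "Avoid upgrading until we fix the issue." contradicts the sentence that follows it, which already names the fixed releases (1.16.21+, 1.17.17+, 1.18.10+, 1.19.4+); it should say to avoid the affected releases listed in the table, or be dropped. Two smaller points in the same section: the workaround paragraph says "follower nodes" while the heading and the first paragraph say "standby node" (the release-notes row also says standby), so one term should be used; and the example is a `darwin_arm64` artifact spelled `0.16.0+ent`, whereas commands/plugin/register.mdx spells the same plugin `v0.16.0+ent_linux_amd64`, so a `linux_amd64` example with matching spelling would make the pages agree. Finally, since the expected layout includes `metadata.json.sig`, one sentence on whether Vault still verifies that signature on a standby that was populated by hand when it later becomes active would tell operators what, if anything, the manual step bypasses.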
4 changes: 2 additions & 2 deletions website/content/docs/updates/release-notes.mdx
@@ -39,7 +39,7 @@ description: >-
| Known issue | 1.19.x, 1.18.x, 1.17.x, 1.16.x | [Vault log file missing subsystem logs](/vault/docs/updates/important-changes#missing-logs)
| Known issue | 1.19.x | [Automated rotation stops after unseal](/vault/docs/updates/important-changes#rotation-stops)
| Known issue | 1.19.x, 1.18.x, 1.17.x, 1.16.x | [Azure Auth fails to authenticate Uniform VMSS instances](/vault/docs/updates/important-changes#azure-vmss)

| Known issue | 1.19.x, 1.18.x, 1.17.x, 1.16.x | [External Vault Enterprise plugins can't run on a standby node when it becomes active](/vault/docs/updates/important-changes#external-enterprise-plugins)

## Feature deprecations and EOL

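Review bot: the new row gives the affected versions as "1.19.x, 1.18.x, 1.17.x, 1.16.x", while the important-changes.mdx table it links to narrows them to 1.16.17-1.16.20, 1.17.13-1.17.16, 1.18.6-1.18.9 and 1.19.0-1.19.3. That follows the convention of the Azure VMSS row above it, but a reader scanning only the release notes cannot tell that 1.16.21+ and the other patch releases are fixed; consider the explicit ranges, or at least the fixed versions, in this column for both rows.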
@@ -76,7 +76,7 @@ Follow the learn more links for more information, or browse the list of

<tr>
<td style={{verticalAlign: 'middle'}}>
Faster availability after restart
Faster availability after restart
</td>
<td style={{verticalAlign: 'middle', textAlign: 'center'}}>GA</td>
<td style={{verticalAlign: 'middle'}}>