Overview
This page contains the list of breaking changes for Vault 0.6 compared to the previous release. Please read it carefully.
PKI backend does not issue leases for CA certificates
When a token expires, it revokes all leases associated with it. This means that
long-lived CA certs need correspondingly long-lived tokens, something that is
easy to forget, resulting in an unintended revocation of the CA certificate
when the token expires. To prevent this, root and intermediate CA certs no
longer have associated leases. To revoke these certificates, use the
pki/revoke
endpoint.
CA certificates that have already been issued and acquired leases will report to the lease manager that revocation was successful, but will not actually be revoked and placed onto the CRL.
The auth/token/revoke-prefix
endpoint has been removed
As part of addressing a minor security issue, this endpoint has been removed in
favor of using sys/revoke-prefix
for prefix-based revocation of both tokens
and secrets leases.
Go API uses json.Number
for decoding
When using the Go API, it now calls UseNumber()
on the decoder object. As a
result, rather than always decode as a float64
, numbers are returned as a
json.Number
, where they can be converted, with proper error checking, to
int64
, float64
, or simply used as a string
value. This fixes some display
errors where numbers were being decoded as float64
and printed in scientific
notation.
List operations return 404
on no keys found
Previously, list operations on an endpoint with no keys found would return an
empty response object. Now, a 404
will be returned instead.
Consul TTL checks automatically registered
If using the Consul HA storage backend, Vault will now automatically register
itself as the vault
service and perform its own health checks/lifecycle
status management. This behavior can be adjusted or turned off in Vault's
configuration; see the
documentation
for details.