Skip to content

v1.21.2

Latest

Choose a tag to compare

@hc-github-team-es-release-engineering hc-github-team-es-release-engineering released this 07 Jan 18:09
781ba45

1.21.2

January 07, 2026

CHANGES:

  • auth/oci: bump plugin to v0.20.1
  • core: Bump Go version to 1.25.5
  • packaging: Container images are now exported using a compressed OCI image layout.
  • packaging: UBI container images are now built on the UBI 10 minimal image.
  • secrets/azure: Update plugin to v0.25.1+ent. Improves retry handling during Azure application and service principal creation to reduce transient failures.
  • storage: Upgrade aerospike client library to v8.

IMPROVEMENTS:

  • core: check rotation manager queue every 5 seconds instead of 10 seconds to improve responsiveness
  • go: update to golang/x/crypto to v0.45.0 to resolve GHSA-f6x5-jh6r-wrfv, GHSA-j5w8-q4qc-rx2x, GO-2025-4134 and GO-2025-4135.
  • rotation: Ensure rotations for shared paths only execute on the Primary cluster's active node. Ensure rotations for local paths execute on the cluster-local active node.
  • sdk/rotation: Prevent rotation attempts on read-only storage.
  • secrets-sync (enterprise): Added support for a boolean force_delete flag (default: false). When set to true, this flag allows deletion of a destination even if its associations cannot be unsynced. This option should be used only as a last-resort deletion mechanism, as any secrets already synced to the external provider will remain orphaned and require manual cleanup.
  • secrets/pki: Avoid loading issuer information multiple times per leaf certificate signing.

BUG FIXES:

  • core/activitylog (enterprise): Resolve a stability issue where Vault Enterprise could encounter a panic during month-end billing activity rollover.
  • http: skip JSON limit parsing on cluster listener.
  • quotas: Vault now protects plugins with ResolveRole operations from panicking on quota creation.
  • replication (enterprise): fix rare panic due to race when enabling a secondary with Consul storage.
  • rotation: Fix a bug where a performance secondary would panic if a write was made to a local mount.
  • secret-sync (enterprise): Improved unsync error handling by treating cases where the destination no longer exists as successful.
  • secrets-sync (enterprise): Corrected a bug where the deletion of the latest KV-V2 secret version caused the associated external secret to be deleted entirely. The sync job now implements a version fallback mechanism to find and sync the highest available active version, ensuring continuity and preventing the unintended deletion of the external secret resource.
  • secrets-sync (enterprise): Fix issue where secrets were not properly un-synced after destination config changes.
  • secrets-sync (enterprise): Fix issue where sync store deletion could be attempted when sync is disabled.
  • ui/pki: Fix handling of values that contain commas in list fields like crl_distribution_points.