Update module github.com/hashicorp/vault to v1.21.4 #50062

Open
renovate[bot] wants to merge 2 commits into main from renovate/github.com-hashicorp-vault-1.x
@renovate renovate Bot commented Apr 29, 2026

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| github.com/hashicorp/vault | v1.21.2 -> v1.21.4 | age | confidence |

Release Notes

hashicorp/vault (github.com/hashicorp/vault)

v1.21.4

Compare Source

SECURITY:

  • Upgrade cloudflare/circl to v1.6.3 to resolve CVE-2026-1229
  • Upgrade filippo.io/edwards25519 to v1.1.1 to resolve GO-2026-4503
  • vault/sdk: Upgrade cloudflare/circl to v1.6.3 to resolve CVE-2026-1229
  • vault/sdk: Upgrade go.opentelemetry.io/otel/sdk to v1.40.0 to resolve GO-2026-4394

CHANGES:

  • core: Bump Go version to 1.25.7
  • mfa/duo: Upgrade duo_api_golang client to 0.2.0 to include the new Duo certificate authorities
  • ui: Remove ability to bulk delete secrets engines from the list view.

IMPROVEMENTS:

  • core/seal: Enhance sys/seal-backend-status to provide more information about seal backends.
  • secrets/kmip (Enterprise): Obey configured best_effort_wal_wait_duration when forwarding kmip requests.
  • secrets/pki (enterprise): Return the POSTPKIOperation capability within SCEP GetCACaps endpoint for better legacy client support.

BUG FIXES:

  • core (enterprise): Buffer the POST body on binary paths to allow re-reading on non-logical forwarding attempts. Addresses an issue for SCEP, EST and CMPv2 certificate issuances with slow replication of entities
  • core/identity (enterprise): Fix excessive logging when updating existing aliases
  • core/managed-keys (enterprise): client credentials should not be required when using Azure Managed Identities in managed keys.
  • plugins (enterprise): Fix bug where requests to external plugins that modify storage weren't populating the X-Vault-Index response header.
  • secrets (pki): Allow issuance of certificates without the server_flag key usage from SCEP, EST and CMPV2 protocols.
  • secrets/pki (enterprise): Address cache invalidation issues with CMPv2 on performance standby nodes.
  • secrets/pki (enterprise): Address issues using SCEP on performance standby nodes failing due to configuration invalidation issues along with errors writing to storage
  • secrets/pki (enterprise): Modify the SCEP GetCACaps endpoint to dynamically reflect the configured encryption and digest algorithms.
  • secrets/pki: The root/sign-intermediate endpoint should not fail when provided a CSR with a basic constraint extension containing isCa set to true
  • secrets/pki: allow glob-style DNS names in alt_names.

v1.21.3

Compare Source

February 05, 2026

SECURITY:

  • auth/cert: ensure that the certificate being renewed matches the certificate attached to the session.

CHANGES:

  • core: Bump Go version to 1.25.6

FEATURES:

  • UI: Hashi-Built External Plugin Support: Recognize and support Hashi-built plugins when run as external binaries

IMPROVEMENTS:

  • core/managed-keys (enterprise): Allow GCP managed keys to leverage workload identity federation credentials
  • sdk: Add alias_metadata to tokenutil fields that auth method roles use.
  • secret-sync (enterprise): Added telemetry counters for reconciliation loop operations, including the number of corrections detected, retry attempts, and operation outcomes (success or failure with internal/external cause labels).
  • secret-sync (enterprise): Added telemetry counters for sync/unsync operations with status breakdown by destination type, and exposed operation counters in the destinations list API response.

BUG FIXES:

  • agent: Fix Vault Agent discarding cached tokens on transient server errors instead of retrying
  • core (enterprise): Fix crash when seal HSM is disconnected
  • default-auth: Fix issue when specifying "root" explicitly in Default Auth UI
  • identity: Fix issue where Vault may consume more memory than intended under heavy authentication load.
  • secrets/pki (enterprise): Fix SCEP related digest errors when requests contained compound octet strings
  • ui: Fixes login form so ?with= query param correctly displays only the specified mount when multiple mounts of the same auth type are configured with listing_visibility="unauth"
  • ui: Reverts Kubernetes CA Certificate auth method configuration form field type to file selector


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
    • Only on Sunday and Saturday (* * * * 0,6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the changelog/no-changelog (No changelog entry needed), dependencies (PRs that bump a dependency), dependencies-go (PRs that bump a go dependency) and qa/no-code-change (No code change in Agent code requiring validation) labels Apr 29, 2026

renovate Bot commented Apr 29, 2026

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 3 additional dependencies were updated

Details:

| Package | Change |
|---|---|
| filippo.io/edwards25519 | v1.1.0 -> v1.1.1 |
| github.com/duosecurity/duo_api_golang | v0.0.0-20190308151101-6c680f768e74 -> v0.0.0-20250430191550-ac36954387e7 |
| github.com/hashicorp/vault/sdk | v0.20.0 -> v0.21.0 |

dd-prapprover Bot commented Apr 29, 2026

PRApprover will approve and merge this PR, FAQ, #dx-source-code-management

🛠️ PRApproval Status

  • ✅ PR is eligible for auto-approval by rule datadog-agent-renovate - 2026-05-07T18:00:41Z
  • ⬜ CI tests passed
  • ⬜ Approved
  • ⬜ Merge Started
  • ⬜ Merged

➡️ Current phase: CI tests failed. Please fix the failing tests to continue.

@dd-octo-sts dd-octo-sts Bot added the internal (Identify a non-fork PR) label Apr 29, 2026
@github-actions github-actions Bot added the short review (PR is simple enough to be reviewed quickly) label Apr 29, 2026

dd-octo-sts Bot commented Apr 29, 2026

Files inventory check summary

File checks results against ancestor 9939400c:

Results for datadog-agent_7.80.0~devel.git.583.1cfd312.pipeline.112047482-1_amd64.deb:

No change detected


dd-octo-sts Bot commented Apr 29, 2026

Static quality checks

✅ Please find below the results from static quality gates
Comparison made with ancestor 9939400
📊 Static Quality Gates Dashboard
🔗 SQG Job

32 successful checks with minimal change (< 2 KiB)
| Quality gate | Current Size |
|---|---|
| agent_deb_amd64 | 742.613 MiB |
| agent_deb_amd64_fips | 700.640 MiB |
| agent_heroku_amd64 | 309.245 MiB |
| agent_rpm_amd64 | 742.597 MiB |
| agent_rpm_amd64_fips | 700.624 MiB |
| agent_rpm_arm64 | 720.506 MiB |
| agent_rpm_arm64_fips | 681.621 MiB |
| agent_suse_amd64 | 742.597 MiB |
| agent_suse_amd64_fips | 700.624 MiB |
| agent_suse_arm64 | 720.506 MiB |
| agent_suse_arm64_fips | 681.621 MiB |
| docker_agent_amd64 | 802.801 MiB |
| docker_agent_arm64 | 805.542 MiB |
| docker_agent_jmx_amd64 | 993.720 MiB |
| docker_agent_jmx_arm64 | 985.241 MiB |
| docker_cluster_agent_amd64 | 206.662 MiB |
| docker_cluster_agent_arm64 | 220.697 MiB |
| docker_cws_instrumentation_amd64 | 7.142 MiB |
| docker_cws_instrumentation_arm64 | 6.689 MiB |
| docker_host_profiler_amd64 | 302.168 MiB |
| docker_host_profiler_arm64 | 313.663 MiB |
| docker_dogstatsd_amd64 | 39.511 MiB |
| docker_dogstatsd_arm64 | 37.691 MiB |
| dogstatsd_deb_amd64 | 30.169 MiB |
| dogstatsd_deb_arm64 | 28.294 MiB |
| dogstatsd_rpm_amd64 | 30.169 MiB |
| dogstatsd_suse_amd64 | 30.169 MiB |
| iot_agent_deb_amd64 | 44.518 MiB |
| iot_agent_deb_arm64 | 41.494 MiB |
| iot_agent_deb_armhf | 42.234 MiB |
| iot_agent_rpm_amd64 | 44.518 MiB |
| iot_agent_suse_amd64 | 44.518 MiB |

cit-pr-commenter-54b7da Bot commented Apr 29, 2026

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: b1cb2c00-cd7d-42ba-9212-049d76b3c292

Baseline: 43df774
Comparison: 1cfd312
Diff

Optimization Goals: ✅ No significant changes detected

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

| perf | experiment | goal | Δ mean % | Δ mean % CI | trials | links |
|---|---|---|---|---|---|---|
| | docker_containers_cpu | % cpu utilization | +0.92 | [-2.01, +3.86] | 1 | Logs |

Fine details of change detection per experiment

| perf | experiment | goal | Δ mean % | Δ mean % CI | trials | links |
|---|---|---|---|---|---|---|
| | quality_gate_logs | % cpu utilization | +1.93 | [+0.94, +2.92] | 1 | Logs bounds checks dashboard |
| | tcp_syslog_to_blackhole | ingress throughput | +1.30 | [+1.09, +1.51] | 1 | Logs |
| | docker_containers_cpu | % cpu utilization | +0.92 | [-2.01, +3.86] | 1 | Logs |
| | otlp_ingest_metrics | memory utilization | +0.26 | [+0.11, +0.42] | 1 | Logs |
| | ddot_logs | memory utilization | +0.24 | [+0.16, +0.31] | 1 | Logs |
| | quality_gate_idle_all_features | memory utilization | +0.22 | [+0.19, +0.26] | 1 | Logs bounds checks dashboard |
| | quality_gate_idle | memory utilization | +0.19 | [+0.14, +0.24] | 1 | Logs bounds checks dashboard |
| | file_to_blackhole_100ms_latency | egress throughput | +0.12 | [-0.02, +0.27] | 1 | Logs |
| | file_to_blackhole_0ms_latency | egress throughput | +0.05 | [-0.52, +0.62] | 1 | Logs |
| | uds_dogstatsd_20mb_12k_contexts_20_senders | memory utilization | +0.05 | [-0.00, +0.10] | 1 | Logs |
| | file_to_blackhole_1000ms_latency | egress throughput | +0.04 | [-0.40, +0.49] | 1 | Logs |
| | docker_containers_memory | memory utilization | +0.03 | [-0.07, +0.13] | 1 | Logs |
| | file_to_blackhole_500ms_latency | egress throughput | +0.02 | [-0.38, +0.42] | 1 | Logs |
| | uds_dogstatsd_to_api_v3 | ingress throughput | +0.01 | [-0.21, +0.23] | 1 | Logs |
| | quality_gate_security_idle | memory utilization | -0.00 | [-0.07, +0.07] | 1 | Logs bounds checks dashboard |
| | tcp_dd_logs_filter_exclude | ingress throughput | -0.00 | [-0.10, +0.09] | 1 | Logs |
| | uds_dogstatsd_to_api | ingress throughput | -0.02 | [-0.25, +0.20] | 1 | Logs |
| | ddot_metrics_sum_cumulativetodelta_exporter | memory utilization | -0.04 | [-0.28, +0.19] | 1 | Logs |
| | quality_gate_security_mean_fs_load | memory utilization | -0.13 | [-0.16, -0.09] | 1 | Logs bounds checks dashboard |
| | quality_gate_security_no_fs_load | memory utilization | -0.15 | [-0.26, -0.04] | 1 | Logs bounds checks dashboard |
| | ddot_metrics | memory utilization | -0.15 | [-0.35, +0.04] | 1 | Logs |
| | ddot_metrics_sum_delta | memory utilization | -0.15 | [-0.34, +0.03] | 1 | Logs |
| | quality_gate_metrics_logs | memory utilization | -0.65 | [-0.90, -0.40] | 1 | Logs bounds checks dashboard |
| | ddot_metrics_sum_cumulative | memory utilization | -0.89 | [-1.04, -0.73] | 1 | Logs |
| | otlp_ingest_logs | memory utilization | -1.08 | [-1.19, -0.97] | 1 | Logs |

Bounds Checks: ✅ Passed

| perf | experiment | bounds_check_name | replicates_passed | observed_value | links |
|---|---|---|---|---|---|
| | docker_containers_cpu | simple_check_run | 10/10 | 694 ≥ 26 | |
| | docker_containers_memory | memory_usage | 10/10 | 244.15MiB ≤ 370MiB | |
| | docker_containers_memory | simple_check_run | 10/10 | 688 ≥ 26 | |
| | file_to_blackhole_0ms_latency | memory_usage | 10/10 | 0.16GiB ≤ 1.20GiB | |
| | file_to_blackhole_0ms_latency | missed_bytes | 10/10 | 0B = 0B | |
| | file_to_blackhole_1000ms_latency | memory_usage | 10/10 | 0.21GiB ≤ 1.20GiB | |
| | file_to_blackhole_1000ms_latency | missed_bytes | 10/10 | 0B = 0B | |
| | file_to_blackhole_100ms_latency | memory_usage | 10/10 | 0.17GiB ≤ 1.20GiB | |
| | file_to_blackhole_100ms_latency | missed_bytes | 10/10 | 0B = 0B | |
| | file_to_blackhole_500ms_latency | memory_usage | 10/10 | 0.19GiB ≤ 1.20GiB | |
| | file_to_blackhole_500ms_latency | missed_bytes | 10/10 | 0B = 0B | |
| | quality_gate_idle | intake_connections | 10/10 | 3 ≤ 4 | bounds checks dashboard |
| | quality_gate_idle | memory_usage | 10/10 | 142.05MiB ≤ 147MiB | bounds checks dashboard |
| | quality_gate_idle_all_features | intake_connections | 10/10 | 3 ≤ 4 | bounds checks dashboard |
| | quality_gate_idle_all_features | memory_usage | 10/10 | 476.07MiB ≤ 495MiB | bounds checks dashboard |
| | quality_gate_logs | intake_connections | 10/10 | 4 ≤ 6 | bounds checks dashboard |
| | quality_gate_logs | memory_usage | 10/10 | 176.32MiB ≤ 195MiB | bounds checks dashboard |
| | quality_gate_logs | missed_bytes | 10/10 | 0B = 0B | bounds checks dashboard |
| | quality_gate_metrics_logs | cpu_usage | 10/10 | 355.22 ≤ 2000 | bounds checks dashboard |
| | quality_gate_metrics_logs | intake_connections | 10/10 | 3 ≤ 6 | bounds checks dashboard |
| | quality_gate_metrics_logs | memory_usage | 10/10 | 375.90MiB ≤ 430MiB | bounds checks dashboard |
| | quality_gate_metrics_logs | missed_bytes | 10/10 | 0B = 0B | bounds checks dashboard |
| | quality_gate_security_idle | cpu_usage | 10/10 | 24.21 ≤ 40 | bounds checks dashboard |
| | quality_gate_security_idle | memory_usage | 10/10 | 290.87MiB ≤ 330MiB | bounds checks dashboard |
| | quality_gate_security_mean_fs_load | cpu_usage | 10/10 | 54.67 ≤ 70 | bounds checks dashboard |
| | quality_gate_security_mean_fs_load | memory_usage | 10/10 | 269.13MiB ≤ 320MiB | bounds checks dashboard |
| | quality_gate_security_no_fs_load | cpu_usage | 10/10 | 20.85 ≤ 40 | bounds checks dashboard |
| | quality_gate_security_no_fs_load | memory_usage | 10/10 | 275.09MiB ≤ 320MiB | bounds checks dashboard |

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

  • ✅ = significantly better comparison variant performance
  • ❌ = significantly worse comparison variant performance
  • ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

  1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

  2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

  3. Its configuration does not mark it "erratic".

CI Pass/Fail Decision

Passed. All Quality Gates passed.

  • quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
  • quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_security_mean_fs_load, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_security_mean_fs_load, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
  • quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
  • quality_gate_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
  • quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
  • quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_metrics_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
  • quality_gate_security_idle, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_security_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_security_no_fs_load, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_security_no_fs_load, bounds check memory_usage: 10/10 replicas passed. Gate passed.

@renovate renovate Bot force-pushed the renovate/github.com-hashicorp-vault-1.x branch 11 times, most recently from 65a977f to 4289f14 Compare May 1, 2026 20:13
@renovate renovate Bot changed the title from "Update module github.com/hashicorp/vault to v1.21.4" to "Update module github.com/hashicorp/vault to v1.21.4 - autoclosed" May 1, 2026
@renovate renovate Bot closed this May 1, 2026
@renovate renovate Bot deleted the renovate/github.com-hashicorp-vault-1.x branch May 1, 2026 21:44
@renovate renovate Bot changed the title from "Update module github.com/hashicorp/vault to v1.21.4 - autoclosed" to "Update module github.com/hashicorp/vault to v1.21.4" May 4, 2026
@renovate renovate Bot reopened this May 4, 2026
@renovate renovate Bot force-pushed the renovate/github.com-hashicorp-vault-1.x branch 3 times, most recently from d6c5dcf to c35f07f Compare May 5, 2026 10:28
@renovate renovate Bot force-pushed the renovate/github.com-hashicorp-vault-1.x branch 5 times, most recently from 4b2d4ea to 3b89b96 Compare May 7, 2026 16:33
@renovate renovate Bot force-pushed the renovate/github.com-hashicorp-vault-1.x branch from e1c2daa to fac9514 Compare May 7, 2026 16:47
This commit was created from the local commit with hash a4271084bd841e5124f307dadd87925278017429.