Update module github.com/hashicorp/vault to v1.21.4#50062
Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 3 commits intoMay 8, 2026
Merged
Update module github.com/hashicorp/vault to v1.21.4#50062gh-worker-dd-mergequeue-cf854d[bot] merged 3 commits into
gh-worker-dd-mergequeue-cf854d[bot] merged 3 commits into
Conversation
renovate
Bot
added
changelog/no-changelog
Contributor
Author
ℹ️ Artifact update noticeFile name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
|
PRApprover will approve and merge this PR, FAQ, #dx-source-code-management 🛠️ PRApproval Status
➡️ Current phase: CI tests failed. Please fix the failing tests to continue. |
github-actions
Bot
added
the
short review
Contributor
|
🎯 Code Coverage (details) 🔗 Commit SHA: 65c9a91 | Docs | Datadog PR Page | Give us feedback! |
Contributor
Files inventory check summaryFile checks results against ancestor 9939400c: Results for datadog-agent_7.80.0~devel.git.584.65c9a91.pipeline.112213202-1_amd64.deb:No change detected |
Contributor
Static quality checks✅ Please find below the results from static quality gates Successful checksInfo
30 successful checks with minimal change (< 2 KiB)
|
Regression DetectorRegression Detector ResultsMetrics dashboard Baseline: 499bd14 Optimization Goals: ✅ No significant changes detected
|
| perf | experiment | goal | Δ mean % | Δ mean % CI | trials | links |
|---|---|---|---|---|---|---|
| ➖ | docker_containers_cpu | % cpu utilization | +1.18 | [-1.77, +4.14] | 1 | Logs |
Fine details of change detection per experiment
| perf | experiment | goal | Δ mean % | Δ mean % CI | trials | links |
|---|---|---|---|---|---|---|
| ➖ | quality_gate_logs | % cpu utilization | +1.21 | [+0.23, +2.19] | 1 | Logs bounds checks dashboard |
| ➖ | docker_containers_cpu | % cpu utilization | +1.18 | [-1.77, +4.14] | 1 | Logs |
| ➖ | tcp_syslog_to_blackhole | ingress throughput | +0.83 | [+0.62, +1.05] | 1 | Logs |
| ➖ | quality_gate_idle_all_features | memory utilization | +0.39 | [+0.35, +0.43] | 1 | Logs bounds checks dashboard |
| ➖ | otlp_ingest_logs | memory utilization | +0.31 | [+0.21, +0.41] | 1 | Logs |
| ➖ | file_tree | memory utilization | +0.19 | [+0.14, +0.23] | 1 | Logs |
| ➖ | file_to_blackhole_0ms_latency | egress throughput | +0.04 | [-0.48, +0.56] | 1 | Logs |
| ➖ | tcp_dd_logs_filter_exclude | ingress throughput | +0.02 | [-0.08, +0.12] | 1 | Logs |
| ➖ | uds_dogstatsd_to_api | ingress throughput | +0.02 | [-0.19, +0.23] | 1 | Logs |
| ➖ | uds_dogstatsd_to_api_v3 | ingress throughput | -0.01 | [-0.20, +0.19] | 1 | Logs |
| ➖ | file_to_blackhole_1000ms_latency | egress throughput | -0.02 | [-0.45, +0.41] | 1 | Logs |
| ➖ | file_to_blackhole_100ms_latency | egress throughput | -0.04 | [-0.17, +0.10] | 1 | Logs |
| ➖ | uds_dogstatsd_20mb_12k_contexts_20_senders | memory utilization | -0.04 | [-0.09, +0.01] | 1 | Logs |
| ➖ | file_to_blackhole_500ms_latency | egress throughput | -0.05 | [-0.45, +0.36] | 1 | Logs |
| ➖ | ddot_metrics_sum_cumulative | memory utilization | -0.05 | [-0.21, +0.11] | 1 | Logs |
| ➖ | ddot_metrics_sum_cumulativetodelta_exporter | memory utilization | -0.11 | [-0.35, +0.13] | 1 | Logs |
| ➖ | otlp_ingest_metrics | memory utilization | -0.16 | [-0.32, -0.01] | 1 | Logs |
| ➖ | ddot_logs | memory utilization | -0.22 | [-0.28, -0.16] | 1 | Logs |
| ➖ | ddot_metrics_sum_delta | memory utilization | -0.22 | [-0.41, -0.04] | 1 | Logs |
| ➖ | quality_gate_idle | memory utilization | -0.28 | [-0.33, -0.22] | 1 | Logs bounds checks dashboard |
| ➖ | docker_containers_memory | memory utilization | -0.61 | [-0.73, -0.50] | 1 | Logs |
| ➖ | ddot_metrics | memory utilization | -0.88 | [-1.07, -0.68] | 1 | Logs |
| ➖ | quality_gate_metrics_logs | memory utilization | -2.08 | [-2.33, -1.83] | 1 | Logs bounds checks dashboard |
Bounds Checks: ✅ Passed
| perf | experiment | bounds_check_name | replicates_passed | observed_value | links |
|---|---|---|---|---|---|
| ✅ | docker_containers_cpu | simple_check_run | 10/10 | 678 ≥ 26 | |
| ✅ | docker_containers_memory | memory_usage | 10/10 | 243.39MiB ≤ 370MiB | |
| ✅ | docker_containers_memory | simple_check_run | 10/10 | 721 ≥ 26 | |
| ✅ | file_to_blackhole_0ms_latency | memory_usage | 10/10 | 0.16GiB ≤ 1.20GiB | |
| ✅ | file_to_blackhole_0ms_latency | missed_bytes | 10/10 | 0B = 0B | |
| ✅ | file_to_blackhole_1000ms_latency | memory_usage | 10/10 | 0.21GiB ≤ 1.20GiB | |
| ✅ | file_to_blackhole_1000ms_latency | missed_bytes | 10/10 | 0B = 0B | |
| ✅ | file_to_blackhole_100ms_latency | memory_usage | 10/10 | 0.17GiB ≤ 1.20GiB | |
| ✅ | file_to_blackhole_100ms_latency | missed_bytes | 10/10 | 0B = 0B | |
| ✅ | file_to_blackhole_500ms_latency | memory_usage | 10/10 | 0.19GiB ≤ 1.20GiB | |
| ✅ | file_to_blackhole_500ms_latency | missed_bytes | 10/10 | 0B = 0B | |
| ✅ | quality_gate_idle | intake_connections | 10/10 | 3 ≤ 4 | bounds checks dashboard |
| ✅ | quality_gate_idle | memory_usage | 10/10 | 142.20MiB ≤ 147MiB | bounds checks dashboard |
| ✅ | quality_gate_idle_all_features | intake_connections | 10/10 | 3 ≤ 4 | bounds checks dashboard |
| ✅ | quality_gate_idle_all_features | memory_usage | 10/10 | 476.43MiB ≤ 495MiB | bounds checks dashboard |
| ✅ | quality_gate_logs | intake_connections | 10/10 | 4 ≤ 6 | bounds checks dashboard |
| ✅ | quality_gate_logs | memory_usage | 10/10 | 176.96MiB ≤ 195MiB | bounds checks dashboard |
| ✅ | quality_gate_logs | missed_bytes | 10/10 | 0B = 0B | bounds checks dashboard |
| ✅ | quality_gate_metrics_logs | cpu_usage | 10/10 | 352.47 ≤ 2000 | bounds checks dashboard |
| ✅ | quality_gate_metrics_logs | intake_connections | 10/10 | 3 ≤ 6 | bounds checks dashboard |
| ✅ | quality_gate_metrics_logs | memory_usage | 10/10 | 373.33MiB ≤ 430MiB | bounds checks dashboard |
| ✅ | quality_gate_metrics_logs | missed_bytes | 10/10 | 0B = 0B | bounds checks dashboard |
Explanation
Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%
Performance changes are noted in the perf column of each table:
- ✅ = significantly better comparison variant performance
- ❌ = significantly worse comparison variant performance
- ➖ = no significant change in performance
A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".
For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:
-
Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.
-
Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.
-
Its configuration does not mark it "erratic".
CI Pass/Fail Decision
✅ Passed. All Quality Gates passed.
- quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
- quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_metrics_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
- quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
- quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
- quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
- quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
- quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
renovate
Bot
force-pushed
the
renovate/github.com-hashicorp-vault-1.x
branch
11 times, most recently
from
65a977f to
4289f14
Compare
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
force-pushed
the
renovate/github.com-hashicorp-vault-1.x
branch
3 times, most recently
from
d6c5dcf to
c35f07f
Compare
renovate
Bot
force-pushed
the
renovate/github.com-hashicorp-vault-1.x
branch
5 times, most recently
from
4b2d4ea to
3b89b96
Compare
renovate
Bot
force-pushed
the
renovate/github.com-hashicorp-vault-1.x
branch
from
e1c2daa to
fac9514
Compare
This commit was created from the local commit with hash a4271084bd841e5124f307dadd87925278017429.
vault@v1.21.4 ships an inconsistent module graph: its source uses the 2-arg ActivationFunc that lives in its in-tree sdk, but its go.mod requires vault/sdk@v0.21.0 from the proxy — a snapshot of vault's main branch with a 3-arg signature that was never backported to release/1.21.x. Upstream papers this over with `replace ... => ./sdk`, which doesn't propagate to consumers, so external builds of github.com/hashicorp/vault/vault fail with an ActivationFunc signature mismatch. Pin sdk to a pseudoversion of the v1.21.4 release commit. That's the exact sdk source the main module is built against in HashiCorp's CI, and it's two months newer than sdk/v0.21.0 with all release/1.21.x backports applied. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
Author
Edited/Blocked NotificationRenovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. |
s-alad
approved these changes
May 8, 2026
Contributor
|
/merge |
|
View all feedbacks in Devflow UI.
The expected merge time in
|
chouetz
pushed a commit
that referenced
this pull request
May 13, 2026
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/hashicorp/vault](https://redirect.github.com/hashicorp/vault) | `v1.21.2` → `v1.21.4` |  |  | --- ### Release Notes <details> <summary>hashicorp/vault (github.com/hashicorp/vault)</summary> ### [`v1.21.4`](https://redirect.github.com/hashicorp/vault/releases/tag/v1.21.4) [Compare Source](https://redirect.github.com/hashicorp/vault/compare/v1.21.3...v1.21.4) SECURITY: - Upgrade `cloudflare/circl` to v1.6.3 to resolve CVE-2026-1229 - Upgrade `filippo.io/edwards25519` to v1.1.1 to resolve GO-2026-4503 - vault/sdk: Upgrade `cloudflare/circl` to v1.6.3 to resolve CVE-2026-1229 - vault/sdk: Upgrade `go.opentelemetry.io/otel/sdk` to v1.40.0 to resolve GO-2026-4394 CHANGES: - core: Bump Go version to 1.25.7 - mfa/duo: Upgrade duo\_api\_golang client to 0.2.0 to include the new Duo certificate authorities - ui: Remove ability to bulk delete secrets engines from the list view. IMPROVEMENTS: - core/seal: Enhance sys/seal-backend-status to provide more information about seal backends. - secrets/kmip (Enterprise): Obey configured best\_effort\_wal\_wait\_duration when forwarding kmip requests. - secrets/pki (enterprise): Return the POSTPKIOperation capability within SCEP GetCACaps endpoint for better legacy client support. BUG FIXES: - core (enterprise): Buffer the POST body on binary paths to allow re-reading on non-logical forwarding attempts. Addresses an issue for SCEP, EST and CMPv2 certificate issuances with slow replication of entities - core/identity (enterprise): Fix excessive logging when updating existing aliases - core/managed-keys (enterprise): client credentials should not be required when using Azure Managed Identities in managed keys. - plugins (enterprise): Fix bug where requests to external plugins that modify storage weren't populating the X-Vault-Index response header. - secrets (pki): Allow issuance of certificates without the server\_flag key usage from SCEP, EST and CMPV2 protocols. - secrets/pki (enterprise): Address cache invalidation issues with CMPv2 on performance standby nodes. - secrets/pki (enterprise): Address issues using SCEP on performance standby nodes failing due to configuration invalidation issues along with errors writing to storage - secrets/pki (enterprise): Modify the SCEP GetCACaps endpoint to dynamically reflect the configured encryption and digest algorithms. - secrets/pki: The root/sign-intermediate endpoint should not fail when provided a CSR with a basic constraint extension containing isCa set to true - secrets/pki: allow glob-style DNS names in alt\_names. ### [`v1.21.3`](https://redirect.github.com/hashicorp/vault/releases/tag/v1.21.3) [Compare Source](https://redirect.github.com/hashicorp/vault/compare/v1.21.2...v1.21.3) #### February 05, 2026 **SECURITY:** auth/cert: ensure that the certificate being renewed matches the certificate attached to the session. **CHANGES:** core: Bump Go version to 1.25.6 **FEATURES:** UI: Hashi-Built External Plugin Support: Recognize and support Hashi-built plugins when run as external binaries **IMPROVEMENTS:** core/managed-keys (enterprise): Allow GCP managed keys to leverage workload identity federation credentials sdk: Add alias\_metadata to tokenutil fields that auth method roles use. secret-sync (enterprise): Added telemetry counters for reconciliation loop operations, including the number of corrections detected, retry attempts, and operation outcomes (success or failure with internal/external cause labels). secret-sync (enterprise): Added telemetry counters for sync/unsync operations with status breakdown by destination type, and exposed operation counters in the destinations list API response. **BUG FIXES:** agent: Fix Vault Agent discarding cached tokens on transient server errors instead of retrying core (enterprise): Fix crash when seal HSM is disconnected default-auth: Fix issue when specifying "root" explicitly in Default Auth UI identity: Fix issue where Vault may consume more memory than intended under heavy authentication load. secrets/pki (enterprise): Fix SCEP related digest errors when requests contained compound octet strings ui: Fixes login form so ?with=<path> query param correctly displays only the specified mount when multiple mounts of the same auth type are configured with listing\_visibility="unauth" ui: Reverts Kubernetes CA Certificate auth method configuration form field type to file selector </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (`* 0-4,22-23 * * 1-5`) - Only on Sunday and Saturday (`* * * * 0,6`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/DataDog/datadog-agent). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuMyIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJjaGFuZ2Vsb2cvbm8tY2hhbmdlbG9nIiwiZGVwZW5kZW5jaWVzIiwiZGVwZW5kZW5jaWVzLWdvIiwicWEvbm8tY29kZS1jaGFuZ2UiXX0=--> Co-authored-by: s-alad <saad.naji@datadoghq.com> Co-authored-by: dd-octo-sts[bot] <200755185+dd-octo-sts[bot]@users.noreply.github.com> Co-authored-by: devflow.devflow-routing-intake <devflow.devflow-routing-intake@kubernetes.us1.ddbuild.io>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v1.21.2→v1.21.4Release Notes
hashicorp/vault (github.com/hashicorp/vault)
v1.21.4Compare Source
SECURITY:
cloudflare/circlto v1.6.3 to resolve CVE-2026-1229filippo.io/edwards25519to v1.1.1 to resolve GO-2026-4503cloudflare/circlto v1.6.3 to resolve CVE-2026-1229go.opentelemetry.io/otel/sdkto v1.40.0 to resolve GO-2026-4394CHANGES:
IMPROVEMENTS:
BUG FIXES:
v1.21.3Compare Source
February 05, 2026
SECURITY:
auth/cert: ensure that the certificate being renewed matches the certificate attached to the session.
CHANGES:
core: Bump Go version to 1.25.6
FEATURES:
UI: Hashi-Built External Plugin Support: Recognize and support Hashi-built plugins when run as external binaries
IMPROVEMENTS:
core/managed-keys (enterprise): Allow GCP managed keys to leverage workload identity federation credentials
sdk: Add alias_metadata to tokenutil fields that auth method roles use.
secret-sync (enterprise): Added telemetry counters for reconciliation loop operations, including the number of corrections detected, retry attempts, and operation outcomes (success or failure with internal/external cause labels).
secret-sync (enterprise): Added telemetry counters for sync/unsync operations with status breakdown by destination type, and exposed operation counters in the destinations list API response.
BUG FIXES:
agent: Fix Vault Agent discarding cached tokens on transient server errors instead of retrying
core (enterprise): Fix crash when seal HSM is disconnected
default-auth: Fix issue when specifying "root" explicitly in Default Auth UI
identity: Fix issue where Vault may consume more memory than intended under heavy authentication load.
secrets/pki (enterprise): Fix SCEP related digest errors when requests contained compound octet strings
ui: Fixes login form so ?with= query param correctly displays only the specified mount when multiple mounts of the same auth type are configured with listing_visibility="unauth"
ui: Reverts Kubernetes CA Certificate auth method configuration form field type to file selector
Configuration
📅 Schedule: (UTC)
* 0-4,22-23 * * 1-5)* * * * 0,6)🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.