Add chroot known-issue and sync activation-flag release note (#27558)

* Add chroot known-issue and activation-flag release note * Fix reference link
2025-10-30 10:12:35 +00:00 · 2024-06-21 13:05:12 -05:00
parent 2482674312
commit 5f078e2d39
3 changed files with 25 additions and 0 deletions
--- a/website/content/docs/release-notes/1.16.1.mdx
+++ b/website/content/docs/release-notes/1.16.1.mdx
@@ -19,6 +19,7 @@ description: |-
 | 1.16.0+         | [Default LCQ enabled when upgrading pre-1.9](/vault/docs/upgrading/upgrade-to-1.16.x#default-lcq-pre-1.9-upgrade) |
 | 1.16.0+         | [External plugin environment variables take precedence over server variables](/vault/docs/upgrading/upgrade-to-1.16.x#external-plugin-variables)
 | 1.16.0+         | [LDAP auth entity alias names no longer include upndomain](/vault/docs/upgrading/upgrade-to-1.16.x#ldap-auth-entity-alias-names-no-longer-include-upndomain)
+| 1.16.0+         | [Secrets Sync now requires a one-time flag to operate](/vault/docs/upgrading/upgrade-to-1.16.x#secrets-sync-now-requires-setting-a-one-time-flag-before-use)
 | 1.16.0+         | [Azure secrets engine role creation failing](/vault/docs/upgrading/upgrade-to-1.16.x#azure-secrets-engine-role-creation-failing)
 | 1.16.1 - 1.16.3 | [New nodes added by autopilot upgrades provisioned with the wrong version](/vault/docs/upgrading/upgrade-to-1.15.x#new-nodes-added-by-autopilot-upgrades-provisioned-with-the-wrong-version)
 | 1.15.8+         | [Autopilot upgrade for Vault Enterprise fails](/vault/docs/upgrading/upgrade-to-1.15.x#autopilot)
--- a/website/content/docs/upgrading/upgrade-to-1.16.x.mdx
+++ b/website/content/docs/upgrading/upgrade-to-1.16.x.mdx
@@ -81,6 +81,13 @@ userattr="userprincipalname"
 Refer to the [LDAP auth method (API)](/vault/api-docs/auth/ldap) page for
 more details on the configuration.

+### Secrets Sync now requires setting a one-time flag before use
+
+To use the Secrets Sync feature, the feature must be activated with a new one-time
+operation called an activation-flag. The feature is gated until a Vault operator
+decides to trigger the flag. More information can be found in the
+[secrets sync documentation](/vault/docs/sync#activating-the-feature).
+
 ## Known issues and workarounds

@include 'known-issues/1_16-jwt_auth_bound_audiences.mdx'
@@ -104,3 +111,5 @@ more details on the configuration.
@include 'known-issues/1_13-reload-census-panic-standby.mdx'

@include 'known-issues/autopilot-upgrade-upgrade-version.mdx'
+
+@include 'known-issues/1_16_secrets-sync-chroot-activation.mdx'
--- a/website/content/partials/known-issues/1_16_secrets-sync-chroot-activation.mdx
+++ b/website/content/partials/known-issues/1_16_secrets-sync-chroot-activation.mdx
@@ -0,0 +1,15 @@
+### Secrets Sync cannot be activated from chroot namespace
+
+#### Affected versions
+
+- 1.16.0+
+
+#### Issue
+
+Secrets Sync cannot be activated from the chroot namespace. The Secrets Sync feature
+now requires a new activation-flag to be enabled before it can be used. Writing to
+any `sys/activation-flags/` path currently requires root namespace access.
+
+#### Workaround
+Users can request a Vault operator to activate the feature from the root namespace
+if they lack the necessary access.