Add activation-flags cluster known issue (#28341)

2025-11-01 19:17:58 +00:00 · 2024-09-13 17:40:31 -05:00
parent c7ed13f1a2
commit 7112c7be5d
2 changed files with 25 additions and 0 deletions
--- a/website/content/docs/upgrading/upgrade-to-1.17.x.mdx
+++ b/website/content/docs/upgrading/upgrade-to-1.17.x.mdx
@@ -148,3 +148,5 @@ kubectl exec -ti <NAME> -- wget https://github.com/moparisthebest/static-curl/re
@include 'known-issues/manual-entity-merge-does-not-persist.mdx'

@include 'known-issues/aws-auth-external-id.mdx'
+
+@include 'known-issues/sync-activation-flags-cache-not-updated.mdx'
--- a/website/content/partials/known-issues/sync-activation-flags-cache-not-updated.mdx
+++ b/website/content/partials/known-issues/sync-activation-flags-cache-not-updated.mdx
@@ -0,0 +1,23 @@
+### Cached activation flags for secrets sync on follower nodes are not updated
+
+#### Affected versions
+
+- 1.16.0 - 1.16.2
+- 1.17.0 - 1.17.5
+
+#### Issue
+
+Vault 1.16 introduced secrets sync with a one-time flag required to activate the
+feature before use. Writing the activation flag to enable secrets sync is forwarded
+to leader nodes for storage and distributed to follower nodes, but the in-memory
+cache for this flag is not updated on the followers. 
+
+This prevents any secrets sync endpoints (those starting with `sys/sync/`) from
+being usable on follower nodes in a cluster.
+
+#### Workaround
+
+The cache is force-updated on all nodes when the leader node steps down and the
+cluster promotes a new leader. First, activate the secrets sync feature as described
+in the [documentation](/vault/docs/sync#activating-the-feature). Then, have the leader node
+step down.