Adding known issue writeup for audit log bug (#28247)

* Create 1_17_audit-log-hmac.mdx * add to 1.17 notes * add to 1.16 upgrade notes
2025-10-29 17:52:32 +00:00 · 2024-08-30 21:57:20 -04:00
parent fcd6ef2731
commit aea2151dc3
3 changed files with 19 additions and 0 deletions
--- a/website/content/docs/upgrading/upgrade-to-1.16.x.mdx
+++ b/website/content/docs/upgrading/upgrade-to-1.16.x.mdx
@@ -144,6 +144,8 @@ kubectl exec -ti <NAME> -- wget https://github.com/moparisthebest/static-curl/re

 ## Known issues and workarounds

+@include 'known-issues/1_17_audit-log-hmac.mdx'
+
@include 'known-issues/1_16-jwt_auth_bound_audiences.mdx'

@include 'known-issues/1_16-jwt_auth_config.mdx'
--- a/website/content/docs/upgrading/upgrade-to-1.17.x.mdx
+++ b/website/content/docs/upgrading/upgrade-to-1.17.x.mdx
@@ -131,6 +131,8 @@ kubectl exec -ti <NAME> -- wget https://github.com/moparisthebest/static-curl/re

 ## Known issues and workarounds

+@include 'known-issues/1_17_audit-log-hmac.mdx'
+
@include 'known-issues/ocsp-redirect.mdx'

@include 'known-issues/agent-and-proxy-excessive-cpu-1-17.mdx'
--- a/website/content/partials/known-issues/1_17_audit-log-hmac.mdx
+++ b/website/content/partials/known-issues/1_17_audit-log-hmac.mdx
@@ -0,0 +1,15 @@
+### Client tokens and token accessors audited in plaintext
+
+#### Affected versions
+
+- 1.16.7, 1.16.8, 1.17.3, 1.17.4 
+
+#### Issue
+
+In versions 1.16.7, 1.16.8, 1.17.3, and 1.17.4 audit logs may contain non-hmac’d values for
+client_token and accessor data in the response portion. 
+A fix has been created and is released in 1.16.9 and 1.17.5.
+
+#### Workaround
+It is recommended to avoid affected versions when upgrading.
+If you are on these versions and using the audit logging feature please upgrade promptly to 1.16.9 or 1.17.5.