OpenBao 2.5.x release notes

v2.5.0-beta20251125

Release date: November 25, 2025

SECURITY

  • core/sys: BREAKING: The default value of disable_unauthed_rekey_endpoints is now true. To continue using the unauthenticated rekey endpoints, set disable_unauthed_rekey_endpoints=false explicitly on each listener. [GH-2125]

CHANGES

  • sdk: Remove the deprecated creation_statements, revocation_statements, rollback_statements, and renew_statements fields from the dbplugin Statements protobuf message. [GH-1962]
  • api: The deprecated api.MountConfigOutput.PluginName field was removed. This was already always empty. [GH-2036]
  • auth/jwt: Return an error message when OIDCDiscoveryURL includes the '.well-known/openid-configuration' component. [GH-2066]
  • core/audit: Removed jsonx as an output format option for audit mounts. [GH-2047]
  • sys/host-info: This endpoint may start reporting slightly higher memory usage than before (Linux only). See https://github.com/shirou/gopsutil/releases/tag/v4.25.8 for more information. [GH-1887]

FEATURES

  • Add declarative plugin distribution via OCI images, configured with the plugin configuration keyword.
    • Plugins can be downloaded automatically via the plugin_auto_download=true option.
    • Plugins can be downloaded manually via the bao plugin init command.
    • Plugins can be registered automatically via the plugin_auto_register=true option, regardless of whether they were provisioned manually or from OCI images. [GH-1824]
  • Support Horizontal Read Scalability: all existing HA standby nodes are automatically upgraded with read support.
    • Requests that only perform storage read operations are handled locally on the standby node.
    • Requests that perform a storage write operation (or that plugins flag as writes) are forwarded to the active leader.
    • Results are eventually consistent: a write may not be immediately visible on the standby.
    • To disable, set disable_standby_reads=true in the config file before startup. [GH-1986]
  • core/identity: Add Client Credentials flow to OIDC Provider. [GH-1732]

IMPROVEMENTS

  • audit: Add http audit device for low-volume, webhook-based audit event reporting. [GH-1709]
  • auth/jwt: Add type checking to role. [GH-1854]
  • command: server, operator diagnose and operator validate-config now accept the environment variable BAO_CONFIG_FILE in place of the -config option. [GH-2115]
  • core/metrics: Support custom path for metrics on metrics-only listeners. [GH-1853]
  • core/policies: Add endpoint to allow detailed listing of a subset of policies. [GH-1965]
  • core: Added metrics_only and disallow_metrics options to control metrics endpoint exposure on a per-listener basis. [GH-1834]
  • database/valkey: Adds the ability to configure the Valkey database connection using a single connection_url parameter. [GH-1923]
  • database: All database plugins now ignore "not found" errors on revoke by default. See Plugin Author Guide for rationale. [GH-2101]
  • openapi: Add response schemas for token store operations and update operation suffixes. [GH-1840]
  • pki: Add allowed_ip_sans_cidr parameter to PKI role system, to provide additional checks for IP SANs. [GH-1833]
  • storage/postgresql: Implement physical.FencingHABackend to minimize the chance that writes occur on secondary nodes. [GH-1571]
  • transit: Add associated_data parameter to generate data key. [GH-1828]
  • sdk/framework: Add Response.SchemaName to allow custom response schema names in the generated OpenAPI spec. [GH-1714]
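As an added illustration (not from the OpenBao project or its documentation) of how the listener-level options in this release fit together: the BREAKING disable_unauthed_rekey_endpoints default, the per-listener metrics controls (metrics_only, disallow_metrics), and the disable_standby_reads switch. Only option names that appear in these notes are used; the listener layout, addresses, file paths, and the placement of disable_standby_reads at the top level of the config file are assumptions, as is the name of the custom metrics path option, which is therefore left out.

```hcl
# Added example, not OpenBao project configuration. Assumed layout;
# option names come from the 2.5.0 release notes, everything else is
# a placeholder.

# Public API listener.
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/openbao/tls/server.crt"   # placeholder path
  tls_key_file  = "/etc/openbao/tls/server.key"   # placeholder path

  # 2.5.0 default, stated explicitly so the intent survives upgrades.
  # The pre-2.5 behaviour (unauthenticated rekey endpoints reachable)
  # is the weaker setting and must be opted into per listener:
  #   disable_unauthed_rekey_endpoints = false
  disable_unauthed_rekey_endpoints = true

  # Keep the metrics endpoint off the API listener.
  disallow_metrics = true
}

# Separate listener that serves only metrics, bound to a management
# address so the scraper never needs to reach the API listener.
listener "tcp" {
  address      = "127.0.0.1:8201"
  tls_disable  = true          # loopback only in this example
  metrics_only = true
}

# Standby read handling is enabled by default in 2.5.0. Reads served by
# standbys are eventually consistent; set this to true before startup
# to route every request through the active node instead.
disable_standby_reads = false
```

Whether a setting lands on the listener or at the top level should be checked against the server configuration reference for the installed version before the file is used; the notes above only fix the option names.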

DEPRECATIONS

  • core/seal: Remove the undocumented "aead" seal mechanism. Consider switching to the static seal instead as a replacement. [GH-1910]
  • core: Remove FeatureFlags parsing and related code. [GH-2045]
  • sdk: Remove sdk/v2/helper/license package. [GH-2045]
  • ui: Remove internal/ui/feature-flags endpoint and all its usage. [GH-2045]

BUG FIXES

  • auth/jwt: Fix ordering of variable declarations in CEL program roles. [GH-1854]
  • secrets/pki: Fix ordering of variable declarations in CEL program roles. [GH-1854]
  • database/valkey: The creation_statements parameter now correctly accepts a standard array of strings for ACL rules (e.g., ["+@read", "~*"]). Previously, it incorrectly required a stringified JSON array. The old format is still supported for backward compatibility. [GH-1959]
  • physical/postgresql: Ensure that removal of the underlying HA lock from the database causes lock loss and write failures. [GH-2100]
  • seal/pkcs11: Remove strict requirement of key label. (https://github.com/openbao/go-kms-wrapping/pull/56)