The module lifecycle stage: General Availability
The module has requirements for installation

v1.16.18

  • Revert module weight to install on DKP 1.71
  • Updated base images to v0.5.69
  • CVE-2026-39883

v1.16.17

  • CI: CVE-2026-25645, CVE-2025-66418, CVE-2025-66471, CVE-2026-21441
  • CVE-2026-34986
  • Updated base images to v0.5.65
  • Refactor sealwrap for compatibility with Vault EE.
  • Added changelog generator
  • Refactor auto snapshots. Compatible with Vault EE storage.

v1.16.16

  • Fix tests and openapi generation for seal and step-down methods.
  • Fix vulnerability in debug logs of KV replication
  • Fix Acme tests
  • GHSA-jqcq-xjh3-6g23, CVE-2026-33186
  • Use VAULT_CACERT instead of /etc/ssl/certs

v1.16.15

  • ACME config parameter max_ttl
  • Check leader only on isleaderreadyok request
  • UI: Fixed scroll in transit engine pages
  • Set IV for CKK_KUZNECHIK
  • CE and EE features paths fix
  • Safe unlock for transit
  • sealwrap sys/managed-keys
  • Increased startup probe time

v1.16.14

  • Fixed CVEs. Updated base images
  • CLI-only build tag (d8-cli)

v1.16.13

  • Openapi spec for TOTP MFA
  • Removed weight for module
  • CVE fixes
  • Move language toggle logic from template helper to controller action
  • Is Ready for HA endpoint
  • Use generated PGP keys instead of keybase.io for airgapped tests
  • Refactor namespaces API
  • Namespace lock

v1.16.11

  • Added metrics to snapshot-auto
  • Updated base images to v0.5.51
  • Deleted duplicated code
  • Stronghold CE namespace check
  • Tune kubernetes_local auth default ttl and token type
  • GOST support for “Automatic” binary
  • Patch OIDC redirect URI
  • Changed OIDC redirect URI
  • Namespace can be nil (for deleted namespaces)
  • Updated base images to v0.5.50
  • Detecting namespace both by Header and by Path
  • OIDC Provider path
  • Fixed OIDC provider functions for namespaces
  • Sealwrap keys like Vault EE
  • Fix failing tests (TestBatchTokens)
  • Deadlock bugfix
  • DMT compliance
  • Vendor autopatching
  • Use Arbiter Nodes to deploy replicas
  • Fix fetching specialPaths for external plugins
  • Enhance module enable/disable steps and add troubleshooting guide
  • Added module description for site rendering
  • DMT linter issue
  • Docs add quorum fix

v1.16.0

  • Added support for namespaces (Namespaces).
  • Multi-factor authentication (MFA) with TOTP and Multifactor.
  • Deckhouse Stronghold CE (Community Edition) available for free installation.
  • Web UI support for managing OIDC roles, AppRole, and password policies.
  • Added replication metrics.
  • Added SealWrap — additional encryption for the most sensitive internal data on top of Stronghold’s standard cryptographic barrier.
  • Added CryptoPro seal wrapper for scenarios using Russian cryptography.
  • Web UI has fuller Russian localization and a dark theme.
  • Added ClickHouse support and a web UI to work with it.
  • Added TLS 1.3 with GOST ciphers Magma and Kuznyechik.
  • Added support for GOST 34.10-2012 X.509 certificates.

v1.15.0

  • Scheduled backup of Raft snapshots to S3 or the filesystem with API-driven management.
  • Extended KV replication capabilities.
  • Improved web UI.
  • Automatic unseal via HSM/PKCS#11, including Rutoken ECP 3.0 support.

v1.1.0

  • Automatic unseal with keys held in Stronghold node memory
  • Russian-language user interface
  • Listed in the Russian software registry, entry No. 22339 dated 24.04.2024
  • Integration with the platform secrets delivery module `secrets-store-integration`

v1.0.0

  • Deployment as a DKP module
  • Integration with platform DEX authentication