From 8976ca8e16f18e94896115fce825adc6b07da9e6 Mon Sep 17 00:00:00 2001 From: Calvin Leung Huang <1883212+calvn@users.noreply.github.com> Date: Wed, 19 Jan 2022 11:21:10 -0800 Subject: [PATCH] docs: add known issues section to 1.9.x upgrade guide (#13662) * docs: add known issues section to 1.9.x upgrade guide * minor rephrasing on oidc known issue * use relative references for URLs * Update website/content/docs/upgrading/upgrade-to-1.9.x.mdx Co-authored-by: Tom Proctor * update known issues section for id token Co-authored-by: Tom Proctor --- .../content/docs/upgrading/upgrade-to-1.9.x.mdx | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/website/content/docs/upgrading/upgrade-to-1.9.x.mdx b/website/content/docs/upgrading/upgrade-to-1.9.x.mdx index bcffb383d864..cdb209684dbe 100644 --- a/website/content/docs/upgrading/upgrade-to-1.9.x.mdx +++ b/website/content/docs/upgrading/upgrade-to-1.9.x.mdx @@ -95,3 +95,18 @@ respects the order of suites given in `tls_cipher_suites`. See [this blog post](https://go.dev/blog/tls-cipher-suites) for more information. +## Known Issues + +### Identity Token Backend Key Rotations + +Existing Vault installations that use the [Identity Token +backend](/api-docs/secret/identity/tokens) and have [named +keys](/api-docs/secret/identity/tokens#create-a-named-key) generated will +encounter a panic when any of those existing keys pass their +`rotation_period`. This issue affects Vault 1.9.0, and is fixed in Vault 1.9.1. +Users should upgrade directly to 1.9.1 or above in order to avoid this panic. + +If a panic is encountered after an upgrade to Vault 1.9.0, the named key will be +corrupted on storage and become unusable. In this case, the key will need to be +deleted and re-created. A fix to fully mitigate this panic will be addressed on +Vault 1.9.3.
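Review bot: The two paragraphs under "Identity Token Backend Key Rotations" give conflicting fix versions. The first says the issue "is fixed in Vault 1.9.1" and tells users to upgrade directly to 1.9.1 or above, while the second ends with "A fix to fully mitigate this panic will be addressed on Vault 1.9.3." An operator choosing an upgrade target cannot tell whether 1.9.1 is sufficient. Please state what 1.9.1 covers and what is deferred to 1.9.3, and say which version to pick if a key has already been corrupted on 1.9.0. The phrase "a fix ... will be addressed on" would also read better as "a fix ... will be included in". Since the recovery step is "the key will need to be deleted and re-created", consider linking the delete operation in the same API doc, the way the create-a-named-key link is given in the first paragraph.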