HashiCorp has released version 1.13 of Vault, its secrets and identity management platform. The release adds workflows for accessing secrets across multiple namespaces, enhancements to the Google Cloud secrets engine, usability improvements to Login MFA, and certificate revocation that works across clusters. HashiCorp has also released Vault as a managed service for Microsoft Azure environments.
Vault 1.13 focuses on core Vault secrets workflows, as well as team workflows, integrations, and visibility. Key features in this release include enhancements to:
- multi-namespace access workflows
- the Azure authentication method
- the Google Cloud secrets engine
- the KMIP secrets engine
- Login MFA
- Vault Agent
- certificate revocation across clusters
Additional new features include:
- Event-based notifications (alpha)
- Vault Operator (beta)
- HCP connection for Vault self-management (private beta)
- PKI health checks
- managed keys for the Transit secrets engine
Multi-namespace access workflows
When a client's secrets are spread across multiple independent namespaces, its applications have to authenticate to Vault once per namespace, which is an unnecessary burden. Clients using Vault Agent also have to run a separate Agent instance for each namespace they need to talk to. Vault 1.13 addresses this with namespace enhancements that let a single Agent instance retrieve secrets from multiple namespaces.
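As an added illustration, not code from the release post or from HashiCorp, the following Vault Agent configuration renders secrets from two namespaces with one Agent instance. It assumes Vault Enterprise 1.13 or later, two child namespaces named team-a and team-b, a KV version 2 engine mounted at kv in each, and an AppRole in the root namespace whose policies grant read on team-a/kv/data/app and team-b/kv/data/app; every address, path and file name below is a placeholder. It also assumes the path-prefix form of namespace addressing (team-a/kv/...), which works when the Agent's token lives in a parent of the namespaces being read.

```hcl
# Added example: one Vault Agent, two namespaces. Names and paths are
# placeholders; adjust them to the target environment.

pid_file = "/var/run/vault-agent.pid"

vault {
  address = "https://vault.example.com:8200"
}

auto_auth {
  # Authenticate once in the root namespace. The token's policies must
  # allow "read" on both child-namespace paths used in the templates.
  method "approle" {
    config = {
      role_id_file_path   = "/etc/vault-agent/role_id"
      secret_id_file_path = "/etc/vault-agent/secret_id"
    }
  }
  sink "file" {
    config = {
      path = "/run/vault-agent/token"
    }
  }
}

# Namespaces are addressed as a path prefix on the secret, so one template
# stanza per namespace replaces one Agent instance per namespace.
template {
  destination = "/run/secrets/team-a.env"
  contents = <<EOT
{{ with secret "team-a/kv/data/app" -}}
DB_PASSWORD={{ .Data.data.password }}
{{- end }}
EOT
}

template {
  destination = "/run/secrets/team-b.env"
  contents = <<EOT
{{ with secret "team-b/kv/data/app" -}}
API_KEY={{ .Data.data.api_key }}
{{- end }}
EOT
}
```

Start the Agent with `vault agent -config=agent.hcl`. One token that spans several namespaces is a broader credential than the per-namespace tokens it replaces, so the AppRole's policy should be limited to exactly the paths each template reads, and the rendered files should be readable only by the application that consumes them.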
MFA login improvements
Since version 1.10, Vault has offered Login MFA, a standardized configuration for integrating with Duo, PingIdentity, Okta, and TOTP, but some customers found the configuration difficult to work with. The enhancements in 1.13 make it easier to migrate to Login MFA, and make Login MFA easier to configure and debug.
Vault Operator (Beta)
Users of Kubernetes applications that rely on Vault for secrets have wanted to use a sidecar or the Secrets Store CSI driver provider to inject secrets into files, but these approaches created a number of challenges.
First, applications had to be modified to read their secrets from a file. Additionally, applications needed to detect when the injected secrets, such as certificates, had been rotated in order to re-read the file. The Vault Operator, released in beta alongside 1.13, is intended to address these challenges.
Vault Agent enhancements
Vault 1.13 includes several enhancements to Vault Agent.
Users can get started with Vault Agent without setting up an authentication method. This mode is intended for training and testing only and is not recommended for production environments.
Vault Agent can now read its configuration from multiple files.
Vault Agent now logs a message when its version does not match that of the Vault server.
HCP connection for self-managed Vault (private beta)
In Vault 1.13 and the HashiCorp Cloud Platform (HCP), HashiCorp has introduced a feature that enables active connections between self-managed Vault clusters and HCP. The feature is similar to Consul's global dashboard.
More details on these and other changes in this release can be found in the release post. An upgrade guide is available to assist with upgrading existing clusters. Vault is available both as open source and as an enterprise release.