Vault
Vault 1.8.0
Vault 1.8 release highlights
Licensing Changes: There are a few key licensing changes that are introduced with 1.8:
- Autoloading of licenses which simplifies the license installation workflow via the ability to load a license from an environment variable or from the disk
- The need for a valid license for Vault to successfully boot-up for EULA compliance.
- The license can be in-storage (as is the case prior to 1.8), providing a seamless experience when existing clusters are upgraded to 1.8. Support for in-storage licenses will be removed in a future release, and so it is recommended that customers migrate to autoloaded licenses.
- For new cluster deployments, licenses must be autoloaded.
- Support for license-free trial period for Enterprise binaries (30 min/6h) has been removed, and a default 1-day grace time for eval licenses has now been introduced.
Vault Diagnose: A new vault operator diagnose
command enables faster troubleshooting and user-friendly diagnostics in situations when Vault is not starting.
Secrets engine enhancements
- Key Management Secrets Engine (Enterprise ADP-KM Module Only): Key Management Secrets Engine that was released as generally available for Azure in Vault 1.7, is now generally available for AWS.
- UI for the Database Secrets Engine: Expansion of the UI for the database secrets engine, allowing for users to interact with MSSQL and MySQL database engines via the Vault UI.
- GCP Static Accounts: The GCP secrets engine now has the ability to use existing service accounts for generation of service account keys and access tokens.
- Username templating: With Vault 1.8 users have the ability to customize usernames for the snowflake, redshift, elasticsearch, influxdb, rabbitmq and mongodb atlas database engines.
- Active Directory: Vault now has the ability to manually rotate a credential for an account being managed via the AD secrets engine.
Other enhancements
ServiceNow Credential Resolver: Vault can now act as an external credential store for the ServiceNow MID servers when using a ServiceNow workflow for service discovery
RedHat certified helm charts: Vault’s Kubernetes Helm charts are now certified by RedHat!
Integrated Storage Autopilot: Autopilot capabilities to monitor and manage clusters are now supported with DR.
SSH Secrets Engine identity template support: When configuring a role for the SSH Secrets Engine, users may now specify Vault identity templates in the default_extensions field. This allows Vault to conform to the required identity semantics for services such as GitHub Enterprise when functioning as an SSH CA.
Expiration manager improvements
- Fair-sharing logic to help with lease revocations
- The ability to mark some leases as irrevocable
- The addition of an HTTP API and a CLI for operators to obtain information about irrevocable leases, to be able to tidy them
Vault Agent Enhancements: The following Vault Agent enhancements have been added to 1.8 to improve the operational experience.
- Infinite Retry: This release reintroduces the default behavior of agent template indefinitely retrying and not exit on failures.
- Configurable timeout for non-renewable secrets: Agent template now has the ability to configure how often to fetch non-renewable secrets (from the default 5m)
- Update Agent Auth with GCP to use new SignJWT endpoint: This enhancement should benefit GCP customers who want to use the Vault Agent to authenticate using GCP’s IAM Service Account Credentials for signing JWTs.
Control Group triggers: This enhancement provides flexibility to customers to apply control groups to only certain permissions in a path. Vault now supports a new parameter called controlled_capabilities in the control_group stanza factors. This is a list of permissions, which when invoked will result in the control group workflow only being triggered if the operation that initiated the request is included in the list.
Password policies in namespaces: Vault now supports setting up password policies in namespaces
Obscuring secret Values in the UI: Vault now provides the ability to mask secrets on entry - whether they be KV secrets or certificates - anywhere secrets are entered in the UI.
Deprecations:
The following API endpoints have been deprecated and will be removed in a future release:
POST sys/license
to store licenses in storage; it is recommended to use License Autoloading instead./gcp/token/:roleset
and/gcp/key/:roleset
paths for generating secrets for rolesets
For more detailed information, please refer to the Changelog.