HashiCorp’s Vault is now available in v1.1, bringing agent caching and support for OIDC roles to the secrets management tool.
Since the first major release in December 2018, the team has been busy improving authentication in the JWT backend and fixing UI issues, amongst other things. But the first minor version of the 1.x series also comes with a couple of handy new features.
Vault clusters, for example, can now be automatically unsealed from a separate cluster through transit encryption. Also, the JWT authentication backend has been extended with an OpenID Connect authentication flow, meaning users can log in through the browser if a compliant provider is in place. The flow can be initiated from the Vault UI or via the login command in the CLI.
If sending requests directly to the Vault Agent makes sense for your use case, say you work in edge computing, this can now be realised by configuring the client-side daemon as a caching proxy. Requests will then be proxied to the Vault server and cached locally in the Agent. Since the proxy can also use the automatic authentication feature, the Agent can manage the token lifecycle so that clients don’t need to authenticate to Vault themselves when sending requests through the Agent.
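As an added example (not from the release notes or the Vault project), the following Agent configuration sets up the caching proxy described above with auto-auth. The AppRole credential files, the sink path and the listener address are assumed values, and the Vault server address is taken from VAULT_ADDR in the Agent's environment.

```hcl
# Added example: Vault Agent (1.1+) running as a local caching proxy.
# Assumed values: the AppRole credential files, the sink path, the listener address.
# The Vault server address is read from VAULT_ADDR in the Agent's environment.

pid_file = "/var/run/vault-agent.pid"

# Auto-auth logs the Agent in and keeps its token renewed, so clients that
# talk to the proxy never have to hold Vault credentials of their own.
auto_auth {
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path   = "/etc/vault-agent/role_id"
      secret_id_file_path = "/etc/vault-agent/secret_id"
    }
  }

  # Optional: also write the token to a file for tools that read it from disk.
  sink "file" {
    config = {
      path = "/run/vault-agent/token"
      mode = 0640
    }
  }
}

# Proxy requests to the server and cache the responses (leased secrets and
# tokens) locally. use_auto_auth_token attaches the Agent's own token to
# incoming requests that carry none.
cache {
  use_auto_auth_token = true
}

# Bind to loopback only: any process that can reach this listener acts with
# the Agent's identity, so it must not be reachable beyond the host.
listener "tcp" {
  address     = "127.0.0.1:8100"
  tls_disable = true
}
```

Start it with `vault agent -config=agent.hcl` and point local clients at `VAULT_ADDR=http://127.0.0.1:8100`; tls_disable is only acceptable because the listener never leaves the loopback interface.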
On high availability standby nodes, Vault’s cluster port will always be open in the updated version. To match a single directory in the definition of an access control list’s path, the + character is now available as a wildcard.
Those interested in better integration with the monitoring tool Prometheus will be glad to find that pull support has been made available through a new endpoint. Non-Windows users can now use SIGUSR2 to dump stack traces of all running goroutines to the server log if needed.
With the 1.1 release, netRPC plugins have been deprecated in favour of gRPC-based ones, so you might want to think about updating if you’re still running those. Group claims not at the top level have to be specified as a JSON Pointer, since the groups_claim_delimiter_pattern field has been removed.