It has been a busy week at HashiCorp, delivering not one but two new releases: HashiCorp Vault 1.5 and Consul Service on Azure. The first we will talk about is Vault 1.5. The second is a shiny new service built around the venerable HashiCorp Consul product: HashiCorp Consul Service on Azure.
HashiCorp Vault 1.5
With Vault 1.4 only released in April of this year, the quick arrival of 1.5 is a bit of a surprise. Vault 1.4 was quite a transformational release; I personally thought they would have taken a little time to catch their breath. But no! Version 1.5 is already here.
Where 1.4 concentrated on architectural and internal changes to increase stability and ease the deployment of highly available configurations, 1.5 is more focused on functional integration and monitoring.
What are the main features of this release?
- Monitor Telemetry and Log Data with Splunk (Enterprise only): Vault Enterprise now ships with an integrated Splunk application that gives security and operations teams better visibility in multi-tenant environments. The application comes with seven pre-configured dashboards.
The application also comes with a newly updated Performance Tuning Guide, which recommends which metrics to monitor, explains why each metric is worth watching and describes what its values actually represent.
- Resource Quotas (free and Enterprise Edition): Vault 1.5 now supports rate-limit quotas on requests in both the open-source and Enterprise editions. Enterprise customers get a further enhancement: quotas on the number of leases that can be generated on a path, a valuable addition that can aid significantly in the prevention of a DDoS attack.
- Red Hat OpenShift Support (free and Enterprise Edition): Not specifically a Vault improvement, but HashiCorp has updated its Helm charts to allow users to install Vault onto their OpenShift clusters.
- Integrated Storage as HA Storage (free and Enterprise Edition): Another banner feature is the ability to use Integrated Storage purely for HA coordination. HashiCorp's argument is that not every storage backend supports HA, Amazon S3, Cassandra and MSSQL being examples. By letting local Integrated Storage arbitrate HA coordination, a multi-node Vault deployment becomes possible on top of those backends. I have to say my first thought was why not just use the Raft integration from Vault 1.4, but this is actually a very sensible approach for those with a pre-existing single-node Vault deployment that already uses S3, Cassandra or MSSQL as its storage target.
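The combination described above, as an added example configuration that is not from the article or from HashiCorp: S3 remains the data store while a Raft `ha_storage` stanza (the 1.5 addition) handles leader election. Bucket name, paths, hostnames and certificate locations are placeholder values.

```hcl
# Data at rest stays in the existing S3 bucket (placeholder name).
storage "s3" {
  bucket = "example-vault-data"
  region = "us-east-1"
}

# New in Vault 1.5: Integrated Storage (Raft) used only for HA
# coordination. Only cluster/leader state lives here, not secrets.
ha_storage "raft" {
  path    = "/opt/vault/raft"   # placeholder; must be persistent local disk
  node_id = "vault-node-1"      # must be unique on every node
}

# Raft needs both addresses so peers can reach each other.
api_addr     = "https://vault-node-1.example.internal:8200"
cluster_addr = "https://vault-node-1.example.internal:8201"

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault/tls/vault.crt"   # placeholder
  tls_key_file  = "/etc/vault/tls/vault.key"   # placeholder
}
```

Each additional node gets the same `storage` stanza, its own `node_id` and its own addresses, and joins the Raft HA cluster the same way a full Raft deployment would.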
- Replication UI Improvements (Enterprise only): The UI of the Enterprise replication feature has been improved to better highlight the relationships between the Primary and Secondary nodes and allows a cleaner and more holistic understanding in Multi-Clustered Vault environments. There have also been improvements in management workflows.
- VMware and NetApp Certifications (Enterprise Only): Vault has successfully completed product compatibility validations for both VMware vSphere and NetApp ONTAP for use as an external key manager solution using the built-in Key Management Interoperability Protocol (or KMIP) standard.
Other improvements in the Vault 1.5 release
In addition to the key announcements, several other minor features were merged into the product between the releases of 1.4 and 1.5; these are summarized below:
- Vault Monitor: Similar to the monitor command for HashiCorp Consul and Nomad, there is a new “vault monitor” command that lets users stream logs from a running Vault server. The log level selected can differ from the log level used by the server logs.
- Seal Migration: updates to the process that make it easier to migrate from auto unseal to Shamir’s unseal algorithm.
- Namespace support for SSH helper: Vault now has an option to allow users to specify the namespace of the SSH mount when using the SSH helper.
- Password Policies: Vault now allows operators to customize how passwords are generated for selected secrets engines (OpenLDAP, Active Directory, Azure and RabbitMQ), making it easier to align with security policies on password standards.
- AWS Secrets Groups Support: IAM users generated by Vault may now be added to IAM Groups.
- AWS Auth Web Identity Support: support has been added for AWS Web Identities, which are now used in the credentials chain if present.
- OIDC Auth Provider Extensions: OIDC Auth can now incorporate IdP-specific extensions. Currently this includes expanded Azure AD groups support.
- GCP Secrets: Support BigQuery dataset ACLs in absence of IAM endpoints.
- Static Credential Rotation Support for MS SQL Server: Vault now allows static credential rotation for MS SQL.
HashiCorp Consul Service on Azure
Consul is HashiCorp’s multi-cloud-aware service mesh and networking platform. It is a mature technology, but it has a steep learning curve for newcomers. In a collaboration between HashiCorp and Microsoft Azure, the deployment of Consul on Azure has been automated and packaged into a service, simplifying deployment and day-to-day operations.
This is a fully functional Consul service deployed on Azure and delivered as SaaS. The difficult and non-core functions, such as provisioning, management and upgrades of the control plane, are offloaded to HashiCorp to manage on your behalf as part of the service price. You as the consumer simply use the functionality of Consul:
- Service Discovery: Provide a service registry with integrated health checking to enable any service to discover and be discovered by other services
- Service Mesh: Simplify service networking by shifting core functionality from centralized middleware to the endpoints. Consul’s service mesh functions include:
  - Dynamic Traffic Management: Enable advanced traffic management to support different deployment strategies and improve application resiliency.
  - Service Segmentation: Encrypt communications and control access across services with mutual TLS and a native Envoy integration.
  - Observability: Enable network metric collection to provide insights into application behavior and performance without code modifications.
HCS on Azure is deployed automatically by HashiCorp based on your preferences; be that on a Virtual Machine, a Kubernetes Pod, or a hybrid for both Kubernetes and Virtual Machines.
How do you subscribe to HCS on Azure?
To subscribe, you use the Azure Managed Applications platform and interact with the service through native Azure controls. Behind the scenes this talks directly to the HCS control plane, which deploys the environment and carries out all the necessary tasks seamlessly.
Can those with a pre-existing Consul cluster use this service?
The simple answer is no, as federation is not yet supported (but high on the roadmap). As of the publication of this article, this service is only available to new users of Consul. Those who wish to migrate will need to redeploy and move their services.
As we said at the start of this article, it has been a busy week at HashiCorp, with HashiCorp Vault 1.5 and Consul Service on Azure both released to market.
The release of Vault 1.5 is yet another milestone for this product and, whilst not as transformative as the 1.4 release, it is still a solid upgrade, focused more on supportability and monitoring than on new features. This consolidating release lays deeper foundations in monitoring to give better visibility of the service as Vault becomes an ever more valuable asset to enterprises for protecting their secrets, certificates and credentials.
The release of HashiCorp Consul Service is a key milestone in their monetization strategy, alongside Terraform Cloud. There is no doubt that Consul is a powerful tool and the features it provides are key to any cloud-native strategy; conversely, however, the high barrier to entry in terms of deployment and configuration puts many off.
By simplifying the deployment of Consul and taking control of the management layer they have removed a significant amount of pain and risk for enterprises when taking up the concept of a service mesh and service discovery, and removed the operational overhead of resource management, upgrading and day to day processes that are not core to application needs.
This release is not perfect, and the lack of federation could hurt initial uptake, but it is a very solid starting point given that it aims to solve pain points in the initial deployment as well as in day-to-day operations.