
Vault 0.10 released - jnsaff2
https://www.hashicorp.com/blog/vault-0-10
======
jlgaddis
What happened to the old Unix philosophy about doing nothing on success
(a.k.a. "Rule of Silence")?

That is:

    
    
      $ vault kv undelete -versions=2 secret/my-secret
      Success! Data written to: secret/undelete/my-secret
    

should instead be:

    
    
      $ vault kv undelete -versions=2 secret/my-secret
      $
    

Also, the screenshots on the Vault OSS UI Introduction page [0] are completely
unintelligible.

[0]: https://www.hashicorp.com/resources/vault-oss-ui-introduction

~~~
jrs95
For your average user I think this is confusing and not good UX.

Since a lot of people using this tool will be developers with MacBooks and not
hardcore *nix users, it’s probably a good choice to ignore that convention.

~~~
otp124
> For your average user I think this is confusing and not good UX.

I disagree, as the average vault user is likely someone familiar with Unix
(though there is a Windows binary). Here is an example that I just ran on my
machine.. very silent.

    
    
      $ mkdir source
      $ cd source
      $ touch file
      $ rm file
      $

~~~
onmai-xyz

      $ rm file
      $ echo $?
      0
    

Silent, unless you go looking. The return value of the last executed command
is available as $?.

I picked this up at
http://www.rsync.net/resources/howto/remote_commands.html
for running commands over ssh and not seeing the console output.

------
micheldlebeau
Vault secrets versioning, Enterprise UI open sourced, root DB creds rotation,
Azure Auth method and GCP secrets engine and GCP cloud spanner as a storage
backend, really great release!

------
zimbatm
A simple thing that's been missing for a long time now is a way to patch
existing secrets in the KV store. Since the secret itself is composed of keys
and values it quickly becomes cumbersome to just update one of those. I guess
now that versioning is enabled it will be easier to build a tool on top.

    
    
        $ vault kv put secret/my-secret my-value=itsasecret
        $ vault kv patch secret/my-secret new-value=othersecret
        ^--- this doesn't exist
        $ vault kv get secret/my-secret
    
        ====== Data ======
        Key         Value
        ---         -----
        my-value    itsasecret
        new-value   othersecret
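
An added example, not part of the thread and not HashiCorp's code: one way such a patch tool could be built on versioning is a read-merge-write loop that sends the version it read as the KV v2 check-and-set value, so a concurrent writer's change is never silently overwritten. It assumes the KV v2 HTTP API; `http_transport` and `kv_patch` are hypothetical names, and a secret whose latest version is soft-deleted is not handled.

```python
import json
import urllib.error
import urllib.request


def http_transport(addr, token):
    """Return a callable that sends JSON requests to a Vault server (KV v2 HTTP API)."""
    def send(method, path, body=None):
        req = urllib.request.Request(
            f"{addr}/v1/{path}", method=method,
            data=json.dumps(body).encode() if body is not None else None,
            headers={"X-Vault-Token": token})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, {}
    return send


def kv_patch(send, mount, path, updates, retries=3):
    """Merge `updates` into a secret without losing a concurrent writer's change.

    Reads the current version, merges client-side, then writes with
    options.cas set to the version that was read. The server rejects the
    write if the secret changed in between; the loop then re-reads and retries.
    """
    for _ in range(retries):
        status, body = send("GET", f"{mount}/data/{path}")
        if status == 404:
            current, version = {}, 0   # cas=0: write only if the key does not exist yet
        elif status == 200:
            current = body["data"]["data"] or {}
            version = body["data"]["metadata"]["version"]
        else:
            raise RuntimeError(f"read failed with HTTP {status}")
        merged = {**current, **updates}
        status, body = send("POST", f"{mount}/data/{path}",
                            {"options": {"cas": version}, "data": merged})
        if status == 200:
            return body["data"]["version"]   # version number of the new write
        if status != 400:                    # 400 is the check-and-set mismatch
            raise RuntimeError(f"write failed with HTTP {status}")
    raise RuntimeError("gave up after repeated check-and-set conflicts")
```

Against a real server the call would be `kv_patch(http_transport(addr, token), "secret", "my-secret", {"new-value": "othersecret"})`, with `addr` and `token` supplied by the caller.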

------
otp124
A while back I was using Vault, and the standard logging didn't give me enough
to set up any sort of useful detection & alerting capabilities. I tried to
increase verbosity in Vault's logging, as the CLI would accept integer
parameters, and the documentation made it seem this was possible.

However, the source code was hardcoded to only one logging level (they didn't
actually have multiple logging levels). The homepage marketing-speak was
disingenuous on this front. Coupled with other poor architecture choices
(wasn't actually HA, forced you to use other Hashicorp products, etc), I lost
interest in the product.

Seemed they were more focused on unique features than standard enterprise
requirements. Have things improved?

------
nodesocket
The web-ui and Google Cloud IAM secrets engine plugin are awesome new
features. I've been playing and setting up Vault today on GCP and overall
really happy.

Also, I believe using Google Storage as a backend now works with clusters,
meaning Consul is now not required for clustering.

