This release adds HashiCorp Vault as an external secret store for workspaces. The integration supports token and AppRole authentication with the KV v2 secrets engine.
🚀 Features
HashiCorp Vault secret store support
Dec 23, 2025 · @lava, @mavam · #18
You can now use HashiCorp Vault as an external secret store for your workspaces. The integration supports token and AppRole authentication methods, and works with the KV v2 secrets engine.

Add a Vault secret store via the CLI:

    tenzir-platform secret store add vault \
      --address=https://vault.example.com \
      --mount=secret \
      --token=<token>

Or with AppRole authentication (recommended for production):

    tenzir-platform secret store add vault \
      --address=https://vault.example.com \
      --mount=secret \
      --role-id=<id> --secret-id=<id>

The --mount option specifies the path to a KV v2 secrets engine. For Vault Enterprise, use --namespace to specify the namespace. Vault secrets are returned as JSON by default. Append a :key suffix to retrieve a specific field as a string, for example, secret("database:password").
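How a reference such as secret("database:password") lines up with Vault's KV v2 HTTP API, as an added Python example that is not Tenzir's code. The request shape is Vault's API; the helper names, the split at the first colon, the handling of non-string fields, and the sample response are assumptions made for illustration.

```python
import json
from urllib.parse import quote

# Constructed sample in the shape of a KV v2 read response; values are made up.
SAMPLE_KV2_RESPONSE = {
    "data": {
        "data": {"username": "svc_app", "password": "constructed-example", "port": 5432},
        "metadata": {"version": 3, "destroyed": False},
    }
}


def parse_reference(ref):
    """Split 'name:key' into (name, key); key is None when no suffix is given.
    Assumption: the split happens at the first colon."""
    name, sep, key = ref.partition(":")
    if not name or (sep and not key):
        raise ValueError(f"malformed secret reference: {ref!r}")
    return name, (key or None)


def kv2_read_request(address, mount, name, token, namespace=None):
    """Build the URL and headers of a KV v2 read: GET /v1/<mount>/data/<name>."""
    url = f"{address.rstrip('/')}/v1/{quote(mount.strip('/'))}/data/{quote(name.strip('/'))}"
    headers = {"X-Vault-Token": token}
    if namespace:  # Vault Enterprise namespaces travel in a header
        headers["X-Vault-Namespace"] = namespace
    return url, headers


def resolve(ref, response):
    """Model the documented result: JSON by default, one field with a :key suffix."""
    _, key = parse_reference(ref)
    fields = response["data"]["data"]  # KV v2 nests the payload under data.data
    if key is None:
        return json.dumps(fields, sort_keys=True)
    if key not in fields:
        raise KeyError(f"secret has no field {key!r}")
    value = fields[key]
    # Assumption: non-string fields are rendered as JSON text.
    return value if isinstance(value, str) else json.dumps(value)


if __name__ == "__main__":
    name, _ = parse_reference("database:password")
    print(kv2_read_request("https://vault.example.com", "secret", name, "<token>")[0])
    print(resolve("database", SAMPLE_KV2_RESPONSE))
```

The URL also shows the path a Vault policy for the token or AppRole has to allow: for KV v2, read access is granted on `<mount>/data/<name>` rather than `<mount>/<name>`.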
Custom gateway URL in deployment instructions
When using a Sovereign Edition instance of the Tenzir Platform with a custom Tenzir Gateway URL, the “Other” tab now displays the gateway endpoint for easy copying.