Switched to use go-module.mk.
CHANGES:
* agent: Agent now properly returns a non-zero exit code on error, such as
one due to template rendering failure. Using error_on_missing_key in the
template config will cause agent to immediately exit on failure. In order
to make agent properly exit due to continuous failure from template
rendering errors, the old behavior of indefinitely restarting the
template server is now changed to exit once the default retry attempt of
12 times (with exponential backoff) gets exhausted. [GH-9670]
* token: Periodic tokens generated by auth methods will have the period
value stored in its token entry. [GH-7885]
* core: New telemetry metrics reporting mount table size and number of
entries [GH-10201]
* go: Updated Go version to 1.15.4 [GH-10366]
FEATURES:
* Couchbase Secrets: Vault can now manage static and dynamic credentials
for Couchbase. [GH-9664]
* Expanded Password Policy Support: Custom password policies are now
supported for all database engines.
* Integrated Storage Auto Snapshots (Enterprise): This feature enables an
operator to schedule snapshots of the integrated storage backend and
ensure those snapshots are persisted elsewhere.
* Integrated Storage Cloud Auto Join: This feature for integrated storage
enables Vault nodes running in the cloud to automatically discover and
join a Vault cluster via operator-supplied metadata.
* Key Management Secrets Engine (Enterprise; Tech Preview): This new secret
engine allows securely distributing and managing keys to Azure cloud KMS
services.
* Seal Migration: With Vault 1.6, we will support migrating from an auto
unseal mechanism to a different mechanism of the same type. For example,
if you were using an AWS KMS key to automatically unseal, you can now
migrate to a different AWS KMS key.
* Tokenization (Enterprise; Tech Preview): Tokenization supports creating
irreversible “tokens” from sensitive data. Tokens can be used in less
secure environments, protecting the original data.
* Vault Client Count: Vault now counts the number of active entities (and
non-entity tokens) per month and makes this information available via the
"Metrics" section of the UI.
IMPROVEMENTS:
* auth/approle: Role names can now be referenced in templated policies
through the approle.metadata.role_name property [GH-9529]
* auth/aws: Improve logic check on wildcard BoundIamPrincipalARNs and
include role name on error messages on check failure [GH-10036]
* auth/jwt: Add support for fetching groups and user information from G
Suite during authentication. [GH-123]
* auth/jwt: Adding EdDSA (ed25519) to supported algorithms [GH-129]
* auth/jwt: Improve cli authorization error [GH-137]
* auth/jwt: Add OIDC namespace_in_state option [GH-140]
* secrets/transit: fix missing plaintext in bulk decrypt response [GH-9991]
* command/server: Delay informational messages in -dev mode until logs have
settled. [GH-9702]
* command/server: Add environment variable support for
disable_mlock. [GH-9931]
* core/metrics: Add metrics for storage cache [GH_10079]
* core/metrics: Add metrics for leader status [GH 10147]
* physical/azure: Add the ability to use Azure Instance Metadata Service to
set the credentials for Azure Blob storage on the backend. [GH-10189]
* sdk/framework: Add a time type for API fields. [GH-9911]
* secrets/database: Added support for password policies to all databases
[GH-9641, and more]
* secrets/database/cassandra: Added support for static credential rotation
[GH-10051]
* secrets/database/elasticsearch: Added support for static credential
rotation [GH-19]
* secrets/database/hanadb: Added support for root credential & static
credential rotation [GH-10142]
* secrets/database/hanadb: Default password generation now includes
dashes. Custom statements may need to be updated to include quotes around
the password field [GH-10142]
* secrets/database/influxdb: Added support for static credential rotation
[GH-10118]
* secrets/database/mongodbatlas: Added support for root credential rotation
[GH-14]
* secrets/database/mongodbatlas: Support scopes field in creations
statements for MongoDB Atlas database plugin [GH-15]
* seal/awskms: Add logging during awskms auto-unseal [GH-9794]
* storage/azure: Update SDK library to use azure-storage-blob-go since
previous library has been deprecated. [GH-9577]
* secrets/ad: rotate-root now supports POST requests like other secret
engines [GH-70]
* ui: Add ui functionality for the Transform Secret Engine [GH-9665]
* ui: Pricing metrics dashboard [GH-10049]
BUG FIXES:
* auth/jwt: Fix bug preventing config edit UI from rendering [GH-141]
* cli: Don't open or overwrite a raft snapshot file on an unsuccessful
vault operator raft snapshot [GH-9894]
* core: Implement constant time version of shamir GF(2^8) math [GH-9932]
* core: Fix resource leak in plugin API (plugin-dependent, not all plugins
impacted) [GH-9557]
* core: Fix race involved in enabling certain features via a license change
* identity: Check for timeouts in entity API [GH-9925]
* secrets/database: Fix handling of TLS options in mongodb connection
strings [GH-9519]
* secrets/gcp: Ensure that the IAM policy version is appropriately set
after a roleset's bindings have changed. [GH-93]
* ui: Mask LDAP bindpass while typing [GH-10087]
* ui: Update language in promote dr modal flow [GH-10155]
* ui: Update language on replication primary dashboard for clarity
[GH-10205]
* core: Fix bug where updating an existing path quota could introduce a
conflict. [GH-10285]