Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ui/replication status discoverability #8705

Merged
merged 56 commits into from
Jun 18, 2020

Conversation

Monkeychip
Copy link
Contributor

@Monkeychip Monkeychip commented Apr 8, 2020

Vault UI Replication Enhancements

In this PR we have redone all the Replication Details Dashboards. These include the following:

  1. DR Primary: ui/vault/replication/dr
  2. Performance Primary: ui/vault/replication/dr
  3. When you have both Performance & DR primaries, there is a new Summary Dashboard: ui/vault/replication
  4. DR Secondary (🆕 route): ui/vault/replication-dr-promote/details
  5. Performance Secondary: ui/vault/replication/performance

The purpose behind each of these dashboards is to display more relevant replication data and also make bouncing back and forth between the different clusters easier. In an effort to achieve the latter, a new API property has been added (TODO link to future PR). This adds a clickable IP and connection status that will take you to the secondary UI page.

In all the dashboards, new information that was always available via the status endpoint is now displayed. Examples include: displaying the know_primary_cluster_addrs on secondary clusters. And on the primary dashboards displaying the know_primary_cluster. This is just one of many examples.

This PR also addressed transition issues that occurred on enabling a new cluster. In the examples, there is a gif of one such transition issue. For more specific information on this, refer back to this PR

Old version screenshots

DR Primary:

Performance Primary:

Replication Index Page when both modes are enabled as primaries:

Performance Secondary:

DR Secondary: no page existed.

Transition Flow error example, enabling a Performance Secondary:

New screenshots

DR Primary:

Performance Primary:

Primary Management Page:
image

Replication Index Page when one mode is enabled
image

Replication Index Page when both modes are enabled as primaries:

Performance Secondary:

DR Secondary:

Secondary Management Page:
image

Transition Flow error example, enabling a Performance Secondary:

Monkeychip and others added 4 commits April 1, 2020 08:52
* setup, not complete

* update routing

* clean up

* add test

* add link from status menu

* clean up

* fixes per pr comments

* revert back to two if statements due to refresh bug
… pages for project (#8661)

* setup, not complete

* update routing

* clean up

* add test

* add link from status menu

* clean up

* fixes per pr comments

* setup dashboard with contextual components, and toggle

* setup option to show tabs or not

* handle conditional nav menu

* pass in whole model object

* rename to replication-page

* clean up

* clean up based on pr feedback

* fix linting error
…mponents (#8670)

* setup replication dashboard with scss and initial card components

* sync with Noelles changes and clean up the inner grid container inside the selectable card

* set up nested contextual components for selectable-cards

* setup component for table row

* address walk through notes

* remove name selectable from card component as it is not selectable

* add missing space
* add helperText param to InfoTableRow

* initial page setup

* format card with padding and correct number of rows

* style card titles with margin

* move styles inside replication class; add todos

* move replication-summary styles into core app so hot reloading works

* prevent known secondaries card from being cut off on the right hand side

* make cards have the correct column span

* make code elements inside tables black

* WIP - start VltTable component

* simplify css

* renamed VltTable to ReplicationTable and use divs instead of table elements

* fix position of known secondaries

* use table element for secondaries card

* add todo

* move replication components to replication engine

* Revert "move replication components to replication engine"

This reverts commit 2228b83.

* move ReplicationPrimaryCards to components

* remove hover box shadow since cards are not selectable yet

* only apply padding to replication selectable-cards

* specify replication vlt-table in classname

* move replication toggle and toggle into core addon

* remove extra toolbar border

* remove duplicate css

* move ReplicationTableRows to core addon and use them on DR primary page

* clean up todos

* add jsdoc comments

* rename ReplicationTable to KnownSecondaries

* update replicaiton table api to accept flexible data

* rename replicationAttrs to data

* move replication components to core addon
@Monkeychip Monkeychip added the ui label Apr 8, 2020
@Monkeychip Monkeychip added this to the 1.5 milestone Apr 8, 2020
Noelle Daley and others added 22 commits April 9, 2020 11:59
* populate table with actual secondary ids

* add todo

* make KnownSecondariesCard component

* move KnownSecondariesCard styles to own file

* add EmptyState when there are no known secondaries

* fix known secondaries manage link

* fix Add Secondary link; bring in capabilities model to repliation index route so we can check for adding secondaries

* fix JSDOC comments and updata data to replicationAttrs
* setup styling for delta

* clean up

* replication table remove and rename model to data

* remove old replication header component now that it is in addons

* move replication secondary card component

* calc delta

* clean up

* remove unused components that are now in addon

* address pr comments

* remove test

* fix failing test

* address pr comments

* attempting to fix test

* move to computed components

* fix test error

* fix state of null error
* setup styling for delta

* clean up

* replication table remove and rename model to data

* remove old replication header component now that it is in addons

* move replication secondary card component

* calc delta

* clean up

* remove unused components that are now in addon

* address pr comments

* remove test

* fix failing test

* address pr comments

* attempting to fix test

* initial setup before merge updates

* move to computed components

* fix test error

* fix state of null error

* clean up

* setup alert banner and documentation link

* setup alert banner with second icon

* remove underscore to dash

* add in missing error messages

* add connection-state shutdown

* add storybook update to alert banner

* pr comments

* move css class to helper class

* address pr comments

* add in connection states correct endpoint
* initial test setup

* use margin when there are no knownsecondaries

* set up replication tests in ember engine

* set knownSecondaries

* move tests to host app and set resolver

* finish known-secondaries-card-test

* make knownSecondaries array match the API response

* add known secondaries table test

* oops, remove stories directory

* wip - replication table rows test

* remove extra code

* finish replication table rows tests

* add | Enterprise | to test module

* remove unncessary assertion:
* show dynamic state glyph

* show state glyph after state

* move LearnLink into core addon

* make ReplicationDocLink component

* prevent double lines at the bottom of the dashboard
* move dr to higher level component and setup isDisabled for error state when dr mode is disabled.

* add in error messages final

* refactor transistion on submit handler focused on dr secondary

* handle transition

* update empty state component to include icon and add empty state to details page

* fix spelling

* address pr comments

* merge with replication branch

* remove component structure for replication-secondary-card

* compute title and error message

* make specific empty state messages

* fix test

* address pr comments

* regenerate the storyboook for empty state
* use h3 instead of code elements

* use correct property names for StateDisplay

* WIP

* remove todo

* move cluster states into a map; make status menu icon match cluster state

* show error in state card using the same state map in the cluster model

* whitespace

* move cluster-states into a helper and update usage

* use circle success icon for stream-wals because that is the ideal state

* more refactoring of cluster state display

* use new cluster-states helper

* whitespace

* use clusterStates helper in replication secondary card

* remove extra import

* add default values for when state isn't recognized

* make sure that state exists before getting state details from clusterStates helper

* be more strict when state cannot be found

* use brace expansion to fix linting error

* add tests for error states

* fix text wrapping issue on secondary cards; make titles match mocks

* use unknown if metric isn't foudn

* remove extra border on selectable card when there is an error

* use outline square in status menu for error
* use ReplicationDashboard component

* move syncing and alert banners into dashboard component

* only show primary cluster addr if dashboard is for a secondary

* use ReplicationPage and Dashboard

* move isSecondary to page component

* remove duplication

* remove dead code

* refactored table rows

* make sure dashboards update data when we are switching between mclusterModes and replicationTypes

* clarified replicationMode and clusterMode

* remove extra margin

* get rid of data

* remove syncProgress

* remove Enterprise filter from tests so component tests are run
* fix typo

* fetch replication/mode/status and pass to dashboard component

* add reindexing stage to AlertBanner; use real value for isReindexing

* remove dr since we don't need it anymore

* add indentation

* remove TODO

* capitalize reindexing_stage and make progress 0 by default

* remove Toggle since we don't need it anymore

* get allllll the variables at once

* only run secondary details test on enterprise
* address secondary card overflow issue

* setup replicaiton header test

* address secondary card overflow issue

* setup replication secondary card test

* setup replicaiton header test

* setup replicaiton page test

* setup replication secondary card test

* setup replication dashboard test

* setup replicaiton page test

* remove unused code

* fix overflow

* finish test for rep dashboard

* update rep secondary card test

* finish rep header test

* fix rep table rows and header test

* fix header test

* fix missing data-test-primary-cluster

* add to secondary test

* remove pauseTest

* add to enterprise replication test

* add mode to dr secondary test

* remove pauseTest

* add enterprise to test

* amend per pr commments

* re organize rep secondary card test

* adjust error heights with design input

* move const around in rep secondary card test

* move const around and message for rep dashboard test

* amend per pr review comments

* remove styling from grid-item-left

* remove dup hasErrorClass key

* quick fix

* test failure fix

* fix test due to merge

* remove hasErrorClass

* modify test message
* change styling

* remove replication toggle

* modifications for auto refresh and final removal of delta and last wal

* fix refresh issue by removing replicationMode on this.reset which conflicts with the same property being set on the cluster model

* remove comments

* add unknown placeholder

* add auto refresh to other components and remove mention of toggle

* remove meep and primary cluster heading area
* whitespace

* rename consts

* rename variables

* test that dashboard shows a reindexing alert banner

* standardize shamir and ui wizard progress bar

* make new progressbar component

* just kidding, we can use the html5 progress bar

* make top margins consistent across primary and secondary dashboards

* clean up AlertBanner JSDocs and markdown

* show a progress bar inside an AlertBanner if cluster is reindexing

* add example AlertBanner with Progress Bar

* add reindexing tests

* add a tiny left margin to progress bars inside alert banners

* keep old class names in wizard to prevent bug, but keep consistent progress background color

* use spacing variables

* remove extra border when secondary card has an error

* make card header sizes and weight consistent
* setup rep dashboard to dynamically take in the component to render and dynamically setup the css based on mode of cluster

* conditional pass in the correct props to the Dashboard.card component and add margin to reindexing alertBanner

* update replication dashboard test

* add performance secondary test and clean up replication-secondary-card test

* fix message

* replace cluster-id with secondaryId

* remove reindexing test as its a duplicate of the branch noelle is working on

* cleanup

* address pr comments

* small test fixes

* add secondaryId to header test

* fix tests description
* make sure progress bar updates and animates

* ensure dashboard updates when replication mode has changed

* make sure we update isSyncing when state has changed

* wip - console log statements to see if components are getting new attrs

* Revert "wip - console log statements to see if components are getting new attrs"

This reverts commit d05219b.

* style progress bar in mozilla; allow testing the progress bar in storybook

* test that primary and secondary card container don't display at the same time
chelshaw and others added 20 commits June 2, 2020 18:42
Set up dr-secondary management page with new action flow

* Create confirmation-modal component

* Refactor replication-dr-secondary splash page to replication manage page

* Refactor replication-action-disable component to use confirmation modal

* Add details/manage tab to replication-dr-secondary section
* Replication Management Sidebranch: Replication Action Disable (#9061)
* Replication Management Sidebranch: Replication Action Recover (#9061)
Fixes bad merge conflict
* do not show replication mode or id when replication isn't enabled

* fix broken tag

* fill in confirmation text when disabling replication in tests

* fix typo

* fix demote primary test selector

* add test selectors and update tests to match new format

* fill in Performance when disabling performance secondary
* Update Primary replication action uses modal flow

* Update modal max-height to accommodate for the navbar
* setup token modal flow

* calc expirationDate

* fix date-format test after moving it in addon

* fix icon conditional in modal title

* decode token to get epoch expiration date and convert

* handle clicking outside of modal

* remove extra copy button

* add modal check in rep  acceptance test

* look only at day and month and remove console

* fix spelling

* cleanup

* replace dr with variable

* make string check longer in test

* fix test variables

* refactor enterprise test for secondary token flow

* make cluster model property replicationModeForDisplay to handle all cases where we were either conditionally displaying the DR, Disaster Recovery, etc. or where we were hardcoding it into the hbs.  For situations where it was DR before, I am now keeping it more consistent and using Disaster Recovery as on the manage page we do not show the Diaster Recovery (DR) anywhere.

* set initial value for ttl picker to fix issue where itwas setting seconds to minutes

* clean up

* add comment about ttl picker
* replace primaryClusterAddr with knownPrimaryClusterAddrs

* rename state to Status; fix css layout

* add InfoTable component

* only show label column if there is a label

* add grid-item-middle class

* whitespace

* fix grid layout

* die tagName, die

* set table max-height

* prep InfoTable for Storybook

* ensure cards always have the same height

* remove duplicate max height since vlt-table already has max-height

* add InfoTable tests

* add InfoTable to Storybook

* organize grid item css; rename for consistency

* add sticky header to table

* add sticky-header class to keep table styles in scope

* whoops, do not use fake data
* show secondaryId in table rows

* show primary_cluster_addr in table rows

* remove cluster Ids from replication headers
* only show primary_cluster_addr for primary

* fix overflow on replication index

* remove display from cluster-states because it is not used anywhere

* fix missing replication mode from description

* add comments

* use helper to consolidate replication descriptions

* fix text wrapping on medium screen sizes
* Replication demote action uses modal flow

Co-authored-by: Noelle Daley <[email protected]>
Co-authored-by: Angel Garbarino <[email protected]>
* replace with replicationModeForDisplay that is defined on the cluster

* fix spelling on replication and confirmed with design for placeholder when Not defined

* remove extra div with box class

* change manage link to take you to the secondaries manage as it's within the known secondaries card

* fix scroll always showing by adding auto, and decreasing the height.  WIP

* add empty state to known_primary_cluster_addrs

* address pr comments
* fix title of secondary card

* show connected status

* fix tests
* fix enterprise test

* add n

* add another n
Generate operation token flow from replication DR Secondary. Clicking 'Cancel' on the modal after the operation has started results in cancelling generate operation and restarting the process.
@Monkeychip Monkeychip marked this pull request as ready for review June 18, 2020 17:01
@Monkeychip Monkeychip changed the title DRAFT: Ui/replication status discoverability Ui/replication status discoverability Jun 18, 2020
Copy link
Contributor

@chelshaw chelshaw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀🤘🙌

@andaley andaley merged commit c729463 into master Jun 18, 2020
@andaley andaley deleted the ui/replication-status-discoverability branch June 18, 2020 21:52
catsby added a commit that referenced this pull request Jun 19, 2020
* master: (31 commits)
  changelog++
  changelog++
  Ui/replication status discoverability (#8705)
  Update CHANGELOG.md
  Counter that increments on every secret engine lease creation. (#9244)
  Add password_policy field to Azure docs (#9249)
  Replaced ClusterMetricSink's cluster name with an atomic.Value. (#9252)
  Fix database creds rotation panic for nil resp (#9258)
  changelog++
  changelog++
  Move sdk/helper/random -> helper/random (#9226)
  UI: Disallow kv2 with too large 'max versions' value (#9242)
  Allow mTLS for mysql secrets engine (#9181)
  docs: add sample revocation for mongodb (#9245)
  Add new Telemetry config options (#9238)
  Add a simple sealed gauge, updated when seal status changes (#9177)
  Test Shamir-to-Transit and Transit-to-Shamir Seal Migration for post-1.4 Vault. (#9214)
  Configure metrics wrapper with the "global" object, not just the fanout. (#9099)
  changelog++
  Add backend type to audit logs (#9167)
  ...
andaley added a commit that referenced this pull request Jul 17, 2020
* Sidebranch: add new route on DR secondary (#8640)

* setup, not complete

* update routing

* clean up

* add test

* add link from status menu

* clean up

* fixes per pr comments

* revert back to two if statements due to refresh bug

* Sidebranch: Setup Replication Page as component to be consumed in all pages for project (#8661)

* setup, not complete

* update routing

* clean up

* add test

* add link from status menu

* clean up

* fixes per pr comments

* setup dashboard with contextual components, and toggle

* setup option to show tabs or not

* handle conditional nav menu

* pass in whole model object

* rename to replication-page

* clean up

* clean up based on pr feedback

* fix linting error

* Sidebranch: setup replication dashboard with scss and initial card components (#8670)

* setup replication dashboard with scss and initial card components

* sync with Noelles changes and clean up the inner grid container inside the selectable card

* set up nested contextual components for selectable-cards

* setup component for table row

* address walk through notes

* remove name selectable from card component as it is not selectable

* add missing space

* Ui/dr primary/initial page setup (#8671)

* add helperText param to InfoTableRow

* initial page setup

* format card with padding and correct number of rows

* style card titles with margin

* move styles inside replication class; add todos

* move replication-summary styles into core app so hot reloading works

* prevent known secondaries card from being cut off on the right hand side

* make cards have the correct column span

* make code elements inside tables black

* WIP - start VltTable component

* simplify css

* renamed VltTable to ReplicationTable and use divs instead of table elements

* fix position of known secondaries

* use table element for secondaries card

* add todo

* move replication components to replication engine

* Revert "move replication components to replication engine"

This reverts commit 2228b83.

* move ReplicationPrimaryCards to components

* remove hover box shadow since cards are not selectable yet

* only apply padding to replication selectable-cards

* specify replication vlt-table in classname

* move replication toggle and toggle into core addon

* remove extra toolbar border

* remove duplicate css

* move ReplicationTableRows to core addon and use them on DR primary page

* clean up todos

* add jsdoc comments

* rename ReplicationTable to KnownSecondaries

* update replicaiton table api to accept flexible data

* rename replicationAttrs to data

* move replication components to core addon

* Ui/dr primary components (#8711)

* populate table with actual secondary ids

* add todo

* make KnownSecondariesCard component

* move KnownSecondariesCard styles to own file

* add EmptyState when there are no known secondaries

* fix known secondaries manage link

* fix Add Secondary link; bring in capabilities model to repliation index route so we can check for adding secondaries

* fix JSDOC comments and updata data to replicationAttrs

* Sidebranch: DR Secondary Dashboard - pr4 (#8706)

* setup styling for delta

* clean up

* replication table remove and rename model to data

* remove old replication header component now that it is in addons

* move replication secondary card component

* calc delta

* clean up

* remove unused components that are now in addon

* address pr comments

* remove test

* fix failing test

* address pr comments

* attempting to fix test

* move to computed components

* fix test error

* fix state of null error

* Sidebranch: DR Secondary Dashboard state message handlers (#8741)

* setup styling for delta

* clean up

* replication table remove and rename model to data

* remove old replication header component now that it is in addons

* move replication secondary card component

* calc delta

* clean up

* remove unused components that are now in addon

* address pr comments

* remove test

* fix failing test

* address pr comments

* attempting to fix test

* initial setup before merge updates

* move to computed components

* fix test error

* fix state of null error

* clean up

* setup alert banner and documentation link

* setup alert banner with second icon

* remove underscore to dash

* add in missing error messages

* add connection-state shutdown

* add storybook update to alert banner

* pr comments

* move css class to helper class

* address pr comments

* add in connection states correct endpoint

* Ui/dr dashboard tests (#8732)

* initial test setup

* use margin when there are no knownsecondaries

* set up replication tests in ember engine

* set knownSecondaries

* move tests to host app and set resolver

* finish known-secondaries-card-test

* make knownSecondaries array match the API response

* add known secondaries table test

* oops, remove stories directory

* wip - replication table rows test

* remove extra code

* finish replication table rows tests

* add | Enterprise | to test module

* remove unncessary assertion:

* show dynamic state glyph (#8747)

* show dynamic state glyph

* show state glyph after state

* move LearnLink into core addon

* make ReplicationDocLink component

* prevent double lines at the bottom of the dashboard

* Sidebranch: dr-secondary-dashboard-pr7 (#8792)

* move dr to higher level component and setup isDisabled for error state when dr mode is disabled.

* add in error messages final

* refactor transistion on submit handler focused on dr secondary

* handle transition

* update empty state component to include icon and add empty state to details page

* fix spelling

* address pr comments

* merge with replication branch

* remove component structure for replication-secondary-card

* compute title and error message

* make specific empty state messages

* fix test

* address pr comments

* regenerate the storyboook for empty state

* Replication Primary Dashboard: handle errors (#8845)

* use h3 instead of code elements

* use correct property names for StateDisplay

* WIP

* remove todo

* move cluster states into a map; make status menu icon match cluster state

* show error in state card using the same state map in the cluster model

* whitespace

* move cluster-states into a helper and update usage

* use circle success icon for stream-wals because that is the ideal state

* more refactoring of cluster state display

* use new cluster-states helper

* whitespace

* use clusterStates helper in replication secondary card

* remove extra import

* add default values for when state isn't recognized

* make sure that state exists before getting state details from clusterStates helper

* be more strict when state cannot be found

* use brace expansion to fix linting error

* add tests for error states

* fix text wrapping issue on secondary cards; make titles match mocks

* use unknown if metric isn't foudn

* remove extra border on selectable card when there is an error

* use outline square in status menu for error

* Ui/replication/refactor dashboard components (#8878)

* use ReplicationDashboard component

* move syncing and alert banners into dashboard component

* only show primary cluster addr if dashboard is for a secondary

* use ReplicationPage and Dashboard

* move isSecondary to page component

* remove duplication

* remove dead code

* refactored table rows

* make sure dashboards update data when we are switching between mclusterModes and replicationTypes

* clarified replicationMode and clusterMode

* remove extra margin

* get rid of data

* remove syncProgress

* remove Enterprise filter from tests so component tests are run

* Ui/replication/primary reindexing (#8906)

* fix typo

* fetch replication/mode/status and pass to dashboard component

* add reindexing stage to AlertBanner; use real value for isReindexing

* remove dr since we don't need it anymore

* add indentation

* remove TODO

* capitalize reindexing_stage and make progress 0 by default

* remove Toggle since we don't need it anymore

* get allllll the variables at once

* only run secondary details test on enterprise

* Sidebranch: component and acceptance tests (#8903)

* address secondary card overflow issue

* setup replicaiton header test

* address secondary card overflow issue

* setup replication secondary card test

* setup replicaiton header test

* setup replicaiton page test

* setup replication secondary card test

* setup replication dashboard test

* setup replicaiton page test

* remove unused code

* fix overflow

* finish test for rep dashboard

* update rep secondary card test

* finish rep header test

* fix rep table rows and header test

* fix header test

* fix missing data-test-primary-cluster

* add to secondary test

* remove pauseTest

* add to enterprise replication test

* add mode to dr secondary test

* remove pauseTest

* add enterprise to test

* amend per pr commments

* re organize rep secondary card test

* adjust error heights with design input

* move const around in rep secondary card test

* move const around and message for rep dashboard test

* amend per pr review comments

* remove styling from grid-item-left

* remove dup hasErrorClass key

* quick fix

* test failure fix

* fix test due to merge

* remove hasErrorClass

* modify test message

* Sidebranch: remove delta, toggle, and make auto-refresh (#8945)

* change styling

* remove replication toggle

* modifications for auto refresh and final removal of delta and last wal

* fix refresh issue by removing replicationMode on this.reset which conflicts with the same property being set on the cluster model

* remove comments

* add unknown placeholder

* add auto refresh to other components and remove mention of toggle

* remove meep and primary cluster heading area

* ensure status menu displays replication state, not just one (#8959)

* Add Replication Reindexing Progress Bar (#8975)

* whitespace

* rename consts

* rename variables

* test that dashboard shows a reindexing alert banner

* standardize shamir and ui wizard progress bar

* make new progressbar component

* just kidding, we can use the html5 progress bar

* make top margins consistent across primary and secondary dashboards

* clean up AlertBanner JSDocs and markdown

* show a progress bar inside an AlertBanner if cluster is reindexing

* add example AlertBanner with Progress Bar

* add reindexing tests

* add a tiny left margin to progress bars inside alert banners

* keep old class names in wizard to prevent bug, but keep consistent progress background color

* use spacing variables

* remove extra border when secondary card has an error

* make card header sizes and weight consistent

* Sidebranch: Performance Secondary Dashboard (#8956)

* setup rep dashboard to dynamically take in the component to render and dynamically setup the css based on mode of cluster

* conditional pass in the correct props to the Dashboard.card component and add margin to reindexing alertBanner

* update replication dashboard test

* add performance secondary test and clean up replication-secondary-card test

* fix message

* replace cluster-id with secondaryId

* remove reindexing test as its a duplicate of the branch noelle is working on

* cleanup

* address pr comments

* small test fixes

* add secondaryId to header test

* fix tests description

* Ui/replication/test update (#8995)

* make sure progress bar updates and animates

* ensure dashboard updates when replication mode has changed

* make sure we update isSyncing when state has changed

* wip - console log statements to see if components are getting new attrs

* Revert "wip - console log statements to see if components are getting new attrs"

This reverts commit d05219b.

* style progress bar in mozilla; allow testing the progress bar in storybook

* test that primary and secondary card container don't display at the same time

* prepare KnownSecondariesTable for backend compatibility (#9029)

* Ui/replication mgmt action block (#9053)

This does some low-impact work to prepare for the refactor of replication-actions. Includes:

- Move modal to addon in lib/core
- Update modal to take a "type" param which changes the header color + icon
- Add tests for modal changes
- Add action-block style only component
- Add styles-only replication-action grid that the action-blocks will live inside of

* Sidebranch: address transition issues on replication engine and actions (#9010)

* small formatting changes

* change findRecord to peekRecord so it keeps track of the changing data.

* add styling such that when page is loading it does not spread across the whole page

* help with reload and styling on replication route

* initial setup for new flow that handles adding a perf secondary, and also some on a dr secondary

* clean up

* add loader on rep page for situations when data is still loading, and add loading mode in header, seperate from the modeForUrl used in other places to help transistion

* fix transitionTo when coming from different replication.mode vs replication.index route

* set default of mode for radio checkboxes after removing from DEFAULTS var

* reset and cont using onEnable because TransitionTo is not working inside of component

* remove console

* the reason we were getting transition errors :(

* remove modeObjecT

* fix error by removing peek record from application and moving it lower down in a property replicationAttrs

* Readd back space

* this one really does fix the issue

* add back peek record and add conditional to isLoadingData

* figure out cluster id from service instead of hardcoded

* fix capabilities-self error by adding a 1 sceond delay for when transition from replication.index to replication.mode.index on enable performance secondary

* remove attempt to circumvent the peekRecord in application

* add to replication page tests and clarify replicationMode to formattedReplicationMode, it's super confusing when seeing replicationMode being duplicated throughout the computed components.  this clarifies its computed only for formatting

* fix repetive conditional

* capture the state when either dr.mode or performance.mode are undefined, which happens during a transition.  If this is the case add a loader on the replicationindex page.

* address some pr comments

* small change

* add bootstrapping mode to test

* add Replication Learn Links to wizard (#9106)

* Ui/summary dashboard (#9079)

* move key value to lib/core/addon so I can use inside replication engine

* setup summary dasbhoard on replication summary component

* set title for summary dashboard

* do not show replication table rows on summary dashboard

* show that last_wal updates every 10 seconds

* show replication table rows on individual dashboards, but not summary

* remove extra bottom border on replication-dashboard

* add replicationDetailsSummary object and replication-summary-card

* setup structure and data calcs of replication summary card

* fix links and styling on summary card

* breadcrumbs

* match state title on summary dashboard to individual dashboards

* add margin below replication header

* update breadcrumbs to show replication mode

* align details link right

* add margin below tabs in replication header

* user helper-text to make card text styling consistent across dashboards

* remove unneeded code

* add bottom border to summary state

* add bottom margin to summary dashboard

* add negative margins to bring values closer to related cell

* fix failing test due to data-test attribute change and make storybook component for replication-summary-card

* setup replication summary card test.  I suspect we'll move the hasError test to the dashboard where the error will show around the state display

* add to replication acceptance test for new summary dashboard

* remove pauseTest

* add is-active to li element

* clean up

* dashboard test and clean up

* addressing pr comments

* fix replication/null/status error

* add JSDocs for rep page and rep dash

* more pr cleanup

* remove conditional and fix styling blue link

* fix conditional on when loading summary dashboard to check for primary on both. wrap code in div so it lands on another line.

Co-authored-by: Noelle Daley <[email protected]>

* change message with bold 'not' if primary (#9112)

* Add JSDocs to components (#9125)

* jsdocs

* remove todo that is no longer relevant

* clean up wording

* wordsmithing

* fix spelling

* example for clusterMode

* Replication Management Sidebranch: Replication Action Disable (#9061)

Set up dr-secondary management page with new action flow

* Create confirmation-modal component

* Refactor replication-dr-secondary splash page to replication manage page

* Refactor replication-action-disable component to use confirmation modal

* Add details/manage tab to replication-dr-secondary section

* Refactor Replication Action: Promote to use modal flow (#9122)

* Ui/replication mgmt/reindex action (#9126)

* Replication Management Sidebranch: Replication Action Disable (#9061)

* Ui/replication mgmt/recover action (#9127)

* Replication Management Sidebranch: Replication Action Recover (#9061)

* Close link-to tag in header (#9139)

Fixes bad merge conflict

* UI: Fix replication management tests (#9136)

* do not show replication mode or id when replication isn't enabled

* fix broken tag

* fill in confirmation text when disabling replication in tests

* fix typo

* fix demote primary test selector

* add test selectors and update tests to match new format

* fill in Performance when disabling performance secondary

* Ui/replication mgmt/update primary action (#9149)

* Update Primary replication action uses modal flow

* Update modal max-height to accommodate for the navbar

* Ui/secondary token flow dr (#9150)

* setup token modal flow

* calc expirationDate

* fix date-format test after moving it in addon

* fix icon conditional in modal title

* decode token to get epoch expiration date and convert

* handle clicking outside of modal

* remove extra copy button

* add modal check in rep  acceptance test

* look only at day and month and remove console

* fix spelling

* cleanup

* replace dr with variable

* make string check longer in test

* fix test variables

* refactor enterprise test for secondary token flow

* make cluster model property replicationModeForDisplay to handle all cases where we were either conditionally displaying the DR, Disaster Recovery, etc. or where we were hardcoding it into the hbs.  For situations where it was DR before, I am now keeping it more consistent and using Disaster Recovery as on the manage page we do not show the Diaster Recovery (DR) anywhere.

* set initial value for ttl picker to fix issue where itwas setting seconds to minutes

* clean up

* add comment about ttl picker

* Add known primaries info table (#9152)

* replace primaryClusterAddr with knownPrimaryClusterAddrs

* rename state to Status; fix css layout

* add InfoTable component

* only show label column if there is a label

* add grid-item-middle class

* whitespace

* fix grid layout

* die tagName, die

* set table max-height

* prep InfoTable for Storybook

* ensure cards always have the same height

* remove duplicate max height since vlt-table already has max-height

* add InfoTable tests

* add InfoTable to Storybook

* organize grid item css; rename for consistency

* add sticky header to table

* add sticky-header class to keep table styles in scope

* whoops, do not use fake data

* Ui/rep design updates (#9169)

* show secondaryId in table rows

* show primary_cluster_addr in table rows

* remove cluster Ids from replication headers

* Ui/fix enable overflow (#9173)

* only show primary_cluster_addr for primary

* fix overflow on replication index

* remove display from cluster-states because it is not used anywhere

* fix missing replication mode from description

* add comments

* use helper to consolidate replication descriptions

* fix text wrapping on medium screen sizes

* Ui/replication mgmt/demote action (#9168)

* Replication demote action uses modal flow

Co-authored-by: Noelle Daley <[email protected]>
Co-authored-by: Angel Garbarino <[email protected]>

* Ui/replication merge cleanup 2 (#9212)

* replace with replicationModeForDisplay that is defined on the cluster

* fix spelling on replication and confirmed with design for placeholder when Not defined

* remove extra div with box class

* change manage link to take you to the secondaries manage as it's within the known secondaries card

* fix scroll always showing by adding auto, and decreasing the height.  WIP

* add empty state to known_primary_cluster_addrs

* address pr comments

* Add real connected state and API address (#9219)

* fix title of secondary card

* show connected status

* fix tests

* fix enterprise test (#9229)

* fix enterprise test

* add n

* add another n

* Ui/replication mgmt/generate token action (#9187)

Generate operation token flow from replication DR Secondary. Clicking 'Cancel' on the modal after the operation has started results in cancelling generate operation and restarting the process.

* use none set instead of not defined

Co-authored-by: Noelle Daley <[email protected]>
Co-authored-by: Chelsea Shaw <[email protected]>
Co-authored-by: Noelle Daley <[email protected]>
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Sep 10, 2020
Pkgsrc changes:
 * Added a patch to cope with fromStatT on NetBSD
 * Added a patch to cope with docker client default settings (build
   also on NetBSD)

Upstream changes:

1.5.3 (August 27th, 2020)

NOTE:
All security content from 1.5.2, 1.5.1, 1.4.5, 1.4.4, 1.3.9, 1.3.8,
1.2.6, and 1.2.5 has been made fully open source, and the git tags for
1.5.3, 1.4.6, 1.3.10, and 1.2.7 will build correctly for open source
users.

BUG FIXES:
 * auth/aws: Made header handling for IAM authentication more robust
 * secrets/ssh: Fixed a bug with role option for SSH signing algorithm
   to allow more than RSA signing

## 1.5.1

CHANGES:
* pki: The tidy operation will now remove revoked certificates if the
  parameter `tidy_revoked_certs` is set to `true`. This will result in
  certificate entries being immediately removed, as opposed to
  awaiting until its NotAfter time. Note that this only affects
  certificates that have been already
  revoked. [[GH-9609](https://github.com/hashicorp/vault/pull/9609)]

IMPROVEMENTS:
* auth/jwt: Add support for fetching groups and user information from
  G Suite during
  authentication. [[GH-9574](https://github.com/hashicorp/vault/pull/9574)]
* secrets/openldap: Add "ad" schema that allows the engine to
  correctly rotate AD
  passwords. [[GH-9740](https://github.com/hashicorp/vault/pull/9740)]
* ui: Wrap TTL option on transit engine export action is updated to a
  new component.
  [[GH-9632](https://github.com/hashicorp/vault/pull/9632)]

BUG FIXES:
* secrets/gcp: Ensure that the IAM policy version is appropriately set
  after a roleset's bindings have
  changed. [[GH-9603](https://github.com/hashicorp/vault/pull/9603)]
* replication (enterprise): Fix status API output incorrectly stating
  replication is in `idle` state.
* core: Fix panic when printing over-long info fields at startup
  [[GH-9681](https://github.com/hashicorp/vault/pull/9681)]

## 1.5.0
### July 21st, 2020

CHANGES:
* storage/raft: The storage configuration now accepts a new
  `max_entry_size` config that will limit the total size in bytes of
  any entry committed via raft. It defaults to `"1048576"`
  (1MiB). [[GH-9027](https://github.com/hashicorp/vault/pull/9027)]
* token: Token creation with custom token ID via `id` will no longer
  allow periods (`.`) as part of the input string.
  The final generated token value may contain periods, such as the
  `s.` prefix for service token
  indication. [[GH-8646](https://github.com/hashicorp/vault/pull/8646/files)]
* token: Token renewals will now return token policies within the
  `token_policies` , identity policies within `identity_policies`, and
  the full policy set within
  `policies`. [[GH-8535](https://github.com/hashicorp/vault/pull/8535)]
* cubbyhole: Reject reads and writes to an empty ("")
  path. [[GH-8971](https://github.com/hashicorp/vault/pull/8971)]
* core: Remove the addition of newlines to parsed configuration when
  using integer/boolean values
  [[GH-8928](https://github.com/hashicorp/vault/pull/8928)]
* audit: Token TTL and issue time are now provided in the auth portion
  of audit logs. [[GH-9091](https://github.com/hashicorp/vault/pull/9091)]

IMPROVEMENTS:
* audit: Replication status requests are no longer
  audited. [[GH-8877](https://github.com/hashicorp/vault/pull/8877)]
* audit: Added mount_type field to requests and
  responses. [[GH-9167](https://github.com/hashicorp/vault/pull/9167)]
* auth/aws: Add support for Web Identity credentials
  [[GH-7738](https://github.com/hashicorp/vault/pull/7738)]
* auth/jwt: Support users that are members of more than 200 groups on Azure
  [[GH-120](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/120)]
* auth/kubernetes: Allow disabling `iss` validation
  [[GH-91](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/91)]
* core: Add the Go version used to build a Vault binary to the server message
  output. [[GH-9078](https://github.com/hashicorp/vault/pull/9078)]
* core: Added Password Policies for user-configurable password generation
  [[GH-8637](https://github.com/hashicorp/vault/pull/8637)]
* core: New telemetry metrics covering token counts, token creation, KV
  secret counts, lease
  creation. [[GH-9239](https://github.com/hashicorp/vault/pull/9239)]
  [[GH-9250](https://github.com/hashicorp/vault/pull/9250)]
  [[GH-9244](https://github.com/hashicorp/vault/pull/9244)]
  [[GH-9052](https://github.com/hashicorp/vault/pull/9052)]
* cli: Support reading TLS parameters from file for the `vault operator raft
  join` command. [[GH-9060](https://github.com/hashicorp/vault/pull/9060)]
* plugin: Add SDK method, `Sys.ReloadPlugin`, and CLI command, `vault plugin
  reload`, for reloading
  plugins. [[GH-8777](https://github.com/hashicorp/vault/pull/8777)]
* plugin (enterprise): Add a scope field to plugin reload, which when global,
  reloads the plugin anywhere in a
  cluster. [[GH-9347](https://github.com/hashicorp/vault/pull/9347)]
* sdk/framework: Support accepting TypeFloat parameters over the API
  [[GH-8923](https://github.com/hashicorp/vault/pull/8923)]
* secrets/aws: Add iam_groups parameter to role create/update
  [[GH-8811](https://github.com/hashicorp/vault/pull/8811)]
* secrets/database: Add static role rotation for MongoDB Atlas database
  plugin
  [[GH-11](https://github.com/hashicorp/vault-plugin-database-mongodbatlas/pull/11)]
* secrets/database: Add static role rotation for MSSQL database plugin
  [[GH-9062](https://github.com/hashicorp/vault/pull/9062)]
* secrets/database: Allow InfluxDB to use insecure TLS without cert bundle
  [[GH-8778](https://github.com/hashicorp/vault/pull/8778)]
* secrets/gcp: Support BigQuery dataset ACLs in absence of IAM endpoints
  [[GH-78](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/78)]
* secrets/pki: Allow 3072-bit RSA keys
  [[GH-8343](https://github.com/hashicorp/vault/pull/8343)]
* secrets/ssh: Add a CA-mode role option to specify signing algorithm
  [[GH-9096](https://github.com/hashicorp/vault/pull/9096)]
* secrets/transit: Transit requests that make use of keys now include a new
  field  `key_version` in their responses
  [[GH-8775](https://github.com/hashicorp/vault/pull/8775)]
* secrets/transit: Improving transit batch encrypt and decrypt latencies
  [[GH-9100](https://github.com/hashicorp/vault/pull/9100)]
* sentinel: Add a sentinel config section, and "additional_enabled_modules",
  a list of Sentinel modules that may be imported in addition to the
  defaults.
* ui: Update TTL picker styling on SSH secret engine
  [[GH-8891](https://github.com/hashicorp/vault/pull/8891)]
* ui: Only render the JWT input field of the Vault login form on mounts
  configured for JWT auth
  [[GH-8952](https://github.com/hashicorp/vault/pull/8952)]
* cli: Add a new subcommand, `vault monitor`, for tailing server logs in the
  console. [[GH-8477](https://github.com/hashicorp/vault/pull/8477)]
* ui: Add replication dashboards.  Improve replication management
  workflows. [[GH-8705]](https://github.com/hashicorp/vault/pull/8705).

BUG FIXES:
* agent: Restart template server when it shuts down
  [[GH-9200](https://github.com/hashicorp/vault/pull/9200)]
* auth/oci: Fix issue where users of the Oracle Cloud Infrastructure (OCI)
  auth method could not authenticate when the plugin backend was mounted at a
  non-default path.
  [[GH-7](https://github.com/hashicorp/vault-plugin-auth-oci/pull/7)]
* core: Extend replicated cubbyhole fix in 1.4.0 to cover case where a
  performance primary is also a DR primary
  [[GH-9148](https://github.com/hashicorp/vault/pull/9148)]
* secrets/aws: Fix issue where performance standbys weren't able to generate
  STS credentials after an IAM access key rotation in AWS and root IAM
  credential update in Vault
  [[GH-9186](https://github.com/hashicorp/vault/pull/9186)]
* secrets/database: Fix issue where rotating root database credentials while
  Vault's storage backend is unavailable causes Vault to lose access to the
  database [[GH-8782](https://github.com/hashicorp/vault/pull/8782)]
* secrets/database: Fix issue that prevents performance standbys from
  connecting to databases after a root credential rotation
  [[GH-9129](https://github.com/hashicorp/vault/pull/9129)]
* secrets/gcp: Fix issue were updates were not being applied to the
  `token_scopes` of a roleset.
  [[GH-90](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/90)]
* secrets/kv: Return the value of delete_version_after when reading
  kv/config, even if it is set to the default.
  [[GH-42](https://github.com/hashicorp/vault-plugin-secrets-kv/pull/42)]
* ui: Add Toggle component into core addon so it is available in KMIP and
  other Ember Engines.
  [[GH-8913]](https://github.com/hashicorp/vault/pull/8913)
* ui: Disallow max versions value of large than 9999999999999999 on kv2
  secrets engine. [[GH-9242](https://github.com/hashicorp/vault/pull/9242)]

## 1.4.3 (TBD)

IMPROVEMENTS:
* auth/aws: Add support for Web Identity credentials
  [[GH-9251](https://github.com/hashicorp/vault/pull/9251)]
* core: Add the Go version used to build a Vault binary to the server message
  output. [[GH-9078](https://github.com/hashicorp/vault/pull/9078)]
* secrets/database: Add static role rotation for MongoDB Atlas database
  plugin [[GH-9311](https://github.com/hashicorp/vault/pull/9311)]
* ui: Link to the Vault Changelog in the UI footer
  [[GH-9216](https://github.com/hashicorp/vault/pull/9216)]

BUG FIXES:
* auth/oci: Fix issue where users of the Oracle Cloud Infrastructure (OCI)
  auth method could not authenticate when the plugin backend was mounted at a
  non-default path. [[GH-9278](https://github.com/hashicorp/vault/pull/9278)]
* replication: The issue causing cubbyholes in namespaces on performance
  secondaries to not work, which was fixed in 1.4.0, was still an issue when
  the primary was both a performance primary and DR primary.
* secrets/aws: Fix issue where performance standbys weren't able to generate
  STS credentials after an IAM access key rotation in AWS and root IAM
  credential update in Vault
  [[GH-9207](https://github.com/hashicorp/vault/pull/9207)]
* secrets/database: Fix issue that prevents performance standbys from
  connecting to databases after a root credential rotation
  [[GH-9208](https://github.com/hashicorp/vault/pull/9208)]
* secrets/gcp: Fix issue were updates were not being applied to the
  `token_scopes` of a roleset.
  [[GH-9277](https://github.com/hashicorp/vault/pull/9277)]

## 1.4.2 (May 21st, 2020)

SECURITY:
* core: Proxy environment variables are now redacted before being logged, in
  case the URLs include a username:password. This vulnerability,
  CVE-2020-13223, is fixed in 1.3.6 and 1.4.2, but affects 1.4.0 and 1.4.1,
  as well as older versions of Vault
  [[GH-9022](https://github.com/hashicorp/vault/pull/9022)]
* secrets/gcp: Fix a regression in 1.4.0 where the system TTLs were being
  used instead of the configured backend TTLs for dynamic service
  accounts. This vulnerability is CVE-2020-12757.
  [[GH-85](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/85)]

IMPROVEMENTS:
* storage/raft: The storage stanza now accepts `leader_ca_cert_file`,
  `leader_client_cert_file`, and  `leader_client_key_file` parameters to read
  and parse TLS certificate information from paths on disk.
  Existing non-path based parameters will continue to work, but their values
  will need to be provided as a single-line string with newlines delimited by
  `\n`.  [[GH-8894](https://github.com/hashicorp/vault/pull/8894)]
* storage/raft: The `vault status` CLI command and the `sys/leader` API now
  contain the committed and applied raft indexes.
  [[GH-9011](https://github.com/hashicorp/vault/pull/9011)]

BUG FIXES:
* auth/aws: Fix token renewal issues caused by the metadata changes in 1.4.1
  [[GH-8991](https://github.com/hashicorp/vault/pull/8991)]
* auth/ldap: Fix 1.4.0 regression that could result in auth failures when
  LDAP auth config includes upndomain.
  [[GH-9041](https://github.com/hashicorp/vault/pull/9041)]
* secrets/ad: Forward rotation requests from standbys to active clusters
  [[GH-66](https://github.com/hashicorp/vault-plugin-secrets-ad/pull/66)]
* secrets/database: Prevent generation of usernames that are not allowed by
  the MongoDB Atlas API
  [[GH-9](https://github.com/hashicorp/vault-plugin-database-mongodbatlas/pull/9)]
* secrets/database: Return an error if a manual rotation of static account
  credentials fails [[GH-9035](https://github.com/hashicorp/vault/pull/9035)]
* secrets/openldap: Forward all rotation requests from standbys to active
  clusters [[GH-9028](https://github.com/hashicorp/vault/pull/9028)]
* secrets/transform (enterprise): Fix panic that could occur when accessing
  cached template entries, such as a requests that accessed templates
  directly or indirectly from a performance standby node.
* serviceregistration: Fix a regression for Consul service registration that
  ignored using the listener address as the redirect address unless api_addr
  was provided. It now properly uses the same redirect address as the one
  used by Vault's Core object.
  [[GH-8976](https://github.com/hashicorp/vault/pull/8976)]
* storage/raft: Advertise the configured cluster address to the rest of the
  nodes in the raft cluster. This fixes an issue where a node advertising
  0.0.0.0 is not using a unique hostname.
  [[GH-9008](https://github.com/hashicorp/vault/pull/9008)]
* storage/raft: Fix panic when multiple nodes attempt to join the cluster at
  once. [[GH-9008](https://github.com/hashicorp/vault/pull/9008)]
* sys: The path provided in `sys/internal/ui/mounts/:path` is now
  namespace-aware. This fixes an issue with `vault kv` subcommands that had
  namespaces provided in the path returning permission denied all the time.
  [[GH-8962](https://github.com/hashicorp/vault/pull/8962)]
* ui: Fix snowman that appears when namespaces have more than one period
  [[GH-8910](https://github.com/hashicorp/vault/pull/8910)]

## 1.4.1 (April 30th, 2020)

CHANGES:
* auth/aws: The default set of metadata fields added in 1.4.1 has been
  changed to `account_id` and `auth_type`
  [[GH-8783](https://github.com/hashicorp/vault/pull/8783)]
* storage/raft: Disallow `ha_storage` to be specified if `raft` is set as the
  `storage` type. [[GH-8707](https://github.com/hashicorp/vault/pull/8707)]

IMPROVEMENTS:
* auth/aws: The set of metadata stored during login is now configurable
  [[GH-8783](https://github.com/hashicorp/vault/pull/8783)]
* auth/aws: Improve region selection to avoid errors seen if the account
  hasn't enabled some newer AWS regions
  [[GH-8679](https://github.com/hashicorp/vault/pull/8679)]
* auth/azure: Enable login from Azure VMs with user-assigned identities
  [[GH-33](https://github.com/hashicorp/vault-plugin-auth-azure/pull/33)]
* auth/gcp: The set of metadata stored during login is now configurable
  [[GH-92](https://github.com/hashicorp/vault-plugin-auth-gcp/pull/92)]
* auth/gcp: The type of alias name used during login is now configurable
  [[GH-95](https://github.com/hashicorp/vault-plugin-auth-gcp/pull/95)]
* auth/ldap: Improve error messages during LDAP operation failures
  [[GH-8740](https://github.com/hashicorp/vault/pull/8740)]
* identity: Add a batch delete API for identity entities
  [[GH-8785]](https://github.com/hashicorp/vault/pull/8785)
* identity: Improve performance of logins when no group updates are needed
  [[GH-8795]](https://github.com/hashicorp/vault/pull/8795)
* metrics: Add `vault.identity.num_entities` metric
  [[GH-8816]](https://github.com/hashicorp/vault/pull/8816)
* secrets/kv: Allow `delete-version-after` to be reset to 0 via the CLI
  [[GH-8635](https://github.com/hashicorp/vault/pull/8635)]
* secrets/rabbitmq: Improve error handling and reporting
  [[GH-8619](https://github.com/hashicorp/vault/pull/8619)]
* ui: Provide One Time Password during Operation Token generation process
  [[GH-8630]](https://github.com/hashicorp/vault/pull/8630)

BUG FIXES:
* auth/okta: Fix MFA regression (introduced in
  [GH-8143](https://github.com/hashicorp/vault/pull/8143)) from 1.4.0
  [[GH-8807](https://github.com/hashicorp/vault/pull/8807)]
* auth/userpass: Fix upgrade value for `token_bound_cidrs` being ignored due
  to incorrect key provided
  [[GH-8826](https://github.com/hashicorp/vault/pull/8826/files)]
* config/seal: Fix segfault when seal block is removed
  [[GH-8517](https://github.com/hashicorp/vault/pull/8517)]
* core: Fix an issue where users attempting to build Vault could receive Go
  module checksum errors
  [[GH-8770](https://github.com/hashicorp/vault/pull/8770)]
* core: Fix blocked requests if a SIGHUP is issued during a long-running
  request has the state lock held.
  Also fixes deadlock that can happen if `vault debug` with the config target
  is ran during this time.
  [[GH-8755](https://github.com/hashicorp/vault/pull/8755)]
* core: Always rewrite the .vault-token file as part of a `vault login` to
  ensure permissions and ownership are set correctly
  [[GH-8867](https://github.com/hashicorp/vault/pull/8867)]
* database/mongodb: Fix context deadline error that may result due to retry
  attempts on failed commands
  [[GH-8863](https://github.com/hashicorp/vault/pull/8863)]
* http: Fix superflous call messages from the http package on logs caused by
  missing returns after `respondError` calls
  [[GH-8796](https://github.com/hashicorp/vault/pull/8796)]
* namespace (enterprise): Fix namespace listing to return `key_info` when a
  scoping namespace is also provided.
* seal/gcpkms: Fix panic that could occur if all seal parameters were
  provided via environment variables
  [[GH-8840](https://github.com/hashicorp/vault/pull/8840)]
* storage/raft: Fix memory allocation and incorrect metadata tracking issues
  with snapshots [[GH-8793](https://github.com/hashicorp/vault/pull/8793)]
* storage/raft: Fix panic that could occur if `disable_clustering` was set to
  true on Raft storage cluster
  [[GH-8784](https://github.com/hashicorp/vault/pull/8784)]
* storage/raft: Handle errors returned from the API during snapshot
  operations [[GH-8861](https://github.com/hashicorp/vault/pull/8861)]
* sys/wrapping: Allow unwrapping of wrapping tokens which contain nil data
  [[GH-8714](https://github.com/hashicorp/vault/pull/8714)]

## 1.4.0 (April 7th, 2020)

CHANGES:
* cli: The raft configuration command has been renamed to list-peers to avoid
  confusion.

FEATURES:
* **Kerberos Authentication**: Vault now supports Kerberos authentication
  using a SPNEGO token.
   Login can be performed using the Vault CLI, API, or agent.
* **Kubernetes Service Discovery**: A new Kubernetes service discovery
  feature where, if configured, Vault will tag Vault pods with their current
  health status. For more, see
  [#8249](https://github.com/hashicorp/vault/pull/8249).
* **MongoDB Atlas Secrets**: Vault can now generate dynamic credentials for
  both MongoDB Atlas databases as well as the [Atlas programmatic
  interface]
  (https://docs.atlas.mongodb.com/tutorial/manage-programmatic-access/).
* **OpenLDAP Secrets Engine**: We now support password management of existing
  OpenLDAP user entries. For more, see [#8360]
  (https://github.com/hashicorp/vault/pull/8360/).
* **Redshift Database Secrets Engine**: The database secrets engine now
  supports static and dynamic secrets for the Amazon Web Services (AWS)
  Redshift service.
* **Service Registration Config**: A newly introduced `service_registration`
  configuration stanza, that allows for service registration to be configured
  separately from the storage backend. For more, see [#7887]
  (https://github.com/hashicorp/vault/pull/7887/).
* **Transform Secrets Engine (Enterprise)**: A new secrets engine that
  handles secure data transformation and tokenization against provided input
  value.
* **Integrated Storage**: Promoted out of beta and into general availability
  for both open-source and enterprise workloads.

IMPROVEMENTS:
* agent: add option to force the use of the auth-auth token, and ignore the
  Vault token in the request
  [[GH-8101](https://github.com/hashicorp/vault/pull/8101)]
* api: Restore and fix DNS SRV Lookup
  [[GH-8520](https://github.com/hashicorp/vault/pull/8520)]
* audit: HMAC http_raw_body in audit log; this ensures that large
  authenticated Prometheus metrics responses get replaced with short HMAC
  values [[GH-8130](https://github.com/hashicorp/vault/pull/8130)]
* audit: Generate-root, generate-recovery-token, and
  generate-dr-operation-token requests and responses are now
  audited. [[GH-8301](https://github.com/hashicorp/vault/pull/8301)]
* auth/aws: Reduce the number of simultaneous STS client credentials needed
  [[GH-8161](https://github.com/hashicorp/vault/pull/8161)]
* auth/azure: subscription ID, resource group, vm and vmss names are now
  stored in alias metadata
  [[GH-30](https://github.com/hashicorp/vault-plugin-auth-azure/pull/30)]
* auth/jwt: Additional OIDC callback parameters available for CLI logins
  [[GH-80](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/80) &
  [GH-86](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/86)]
* auth/jwt: Bound claims may be optionally configured using globs
  [[GH-89](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/89)]
* auth/jwt: Timeout during OIDC CLI login if process doesn't complete within
  2 minutes
  [[GH-97](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/97)]
* auth/jwt: Add support for the `form_post` response mode
  [[GH-98](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/98)]
* auth/jwt: add optional client_nonce to authorization flow
  [[GH-104](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/104)]
* auth/okta: Upgrade okta sdk lib, which should improve handling of groups
  [[GH-8143](https://github.com/hashicorp/vault/pull/8143)]
* aws: Add support for v2 of the instance metadata service (see [issue
  7924](https://github.com/hashicorp/vault/issues/7924) for all linked PRs)
* core: Separate out service discovery interface from storage interface to allow
  new types of service discovery not coupled to storage
  [[GH-7887](https://github.com/hashicorp/vault/pull/7887)]
* core: Add support for telemetry option `metrics_prefix`
  [[GH-8340](https://github.com/hashicorp/vault/pull/8340)]
* core: Entropy Augmentation can now be used with AWS KMS and Vault Transit
  seals
* core: Allow tls_min_version to be set to TLS 1.3
  [[GH-8305](https://github.com/hashicorp/vault/pull/8305)]
* cli: Incorrect TLS configuration will now correctly fail
  [[GH-8025](https://github.com/hashicorp/vault/pull/8025)]
* identity: Allow specifying a custom `client_id` for identity tokens
  [[GH-8165](https://github.com/hashicorp/vault/pull/8165)]
* metrics/prometheus: improve performance with high volume of metrics updates
  [[GH-8507](https://github.com/hashicorp/vault/pull/8507)]
* replication (enterprise): Fix race condition causing clusters with high
  throughput writes to sometimes fail to enter streaming-wal mode
* replication (enterprise): Secondary clusters can now perform an extra gRPC
  call to all nodes in a primary
  cluster in an attempt to resolve the active node's address
* replication (enterprise): The replication status API now outputs
  `last_performance_wal`, `last_dr_wal`, and `connection_state` values
* replication (enterprise): DR secondary clusters can now be recovered by the
  `replication/dr/secondary/recover` API
* replication (enterprise): We now allow for an alternate means to create a
  Disaster Recovery token, by using a batch token that is created with an ACL
  that allows for access to one or more of the DR endpoints.
* secrets/database/mongodb: Switched internal MongoDB driver to mongo-driver
  [[GH-8140](https://github.com/hashicorp/vault/pull/8140)]
* secrets/database/mongodb: Add support for x509 client authorization to
  MongoDB [[GH-8329](https://github.com/hashicorp/vault/pull/8329)]
* secrets/database/oracle: Add support for static credential rotation
  [[GH-26](https://github.com/hashicorp/vault-plugin-database-oracle/pull/26)]
* secrets/consul: Add support to specify TLS options per Consul backend
  [[GH-4800](https://github.com/hashicorp/vault/pull/4800)]
* secrets/gcp: Allow specifying the TTL for a service key
  [[GH-54](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/54)]
* secrets/gcp: Add support for rotating root keys
  [[GH-53](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/53)]
* secrets/gcp: Handle version 3 policies for Resource Manager IAM requests
  [[GH-77](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/77)
* secrets/nomad: Add support to specify TLS options per Nomad backend
  [[GH-8083](https://github.com/hashicorp/vault/pull/8083)]
* secrets/ssh: Allowed users can now be templated with identity information
  [[GH-7548](https://github.com/hashicorp/vault/pull/7548)]
* secrets/transit: Adding RSA3072 key support
  [[GH-8151](https://github.com/hashicorp/vault/pull/8151)]
* storage/consul: Vault returns now a more descriptive error message when
  only a client cert or a client key has been provided
  [[GH-4930]](https://github.com/hashicorp/vault/pull/8084)
* storage/raft: Nodes in the raft cluster can all be given possible leader
  addresses for them to continuously try and join one of them, thus
  automating the process of join to a greater extent
  [[GH-7856](https://github.com/hashicorp/vault/pull/7856)]
* storage/raft: Fix a potential deadlock that could occur on leadership
  transition [[GH-8547](https://github.com/hashicorp/vault/pull/8547)]
* storage/raft: Refresh TLS keyring on snapshot restore
  [[GH-8546](https://github.com/hashicorp/vault/pull/8546)]
* storage/etcd: Bumped etcd client API SDK
  [[GH-7931](https://github.com/hashicorp/vault/pull/7931) &
  [GH-4961](https://github.com/hashicorp/vault/pull/4961) &
  [GH-4349](https://github.com/hashicorp/vault/pull/4349) &
  [GH-7582](https://github.com/hashicorp/vault/pull/7582)]
* ui: Make Transit Key actions more prominent
  [[GH-8304](https://github.com/hashicorp/vault/pull/8304)]
* ui: Add Core Usage Metrics
  [[GH-8347](https://github.com/hashicorp/vault/pull/8347)]
* ui: Add refresh Namespace list on the Namespace dropdown, and redesign of
  Namespace dropdown menu
  [[GH-8442](https://github.com/hashicorp/vault/pull/8442)]
* ui: Update transit actions to codeblocks & automatically encode plaintext
  unless indicated [[GH-8462](https://github.com/hashicorp/vault/pull/8462)]
* ui: Display the results of transit key actions in a modal window
  [[GH-8462](https://github.com/hashicorp/vault/pull/8575)]
* ui: Transit key version styling updates & ability to copy key from dropdown
  [[GH-8480](https://github.com/hashicorp/vault/pull/8480)]

BUG FIXES:
* agent: Fix issue where TLS options are ignored for agent template feature
  [[GH-7889](https://github.com/hashicorp/vault/pull/7889)]
* auth/jwt: Use lower case role names for `default_role` to match the `role`
  case convention
  [[GH-100](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/100)]
* auth/ldap: Fix a bug where the UPNDOMAIN parameter was wrongly used to
  lookup the group membership of the given user
  [[GH-6325]](https://github.com/hashicorp/vault/pull/8333)
* cli: Support autocompletion for nested mounts
  [[GH-8303](https://github.com/hashicorp/vault/pull/8303)]
* cli: Fix CLI namespace autocompletion
  [[GH-8315](https://github.com/hashicorp/vault/pull/8315)]
* identity: Fix incorrect caching of identity token JWKS responses
  [[GH-8412](https://github.com/hashicorp/vault/pull/8412)]
* metrics/stackdriver: Fix issue that prevents the stackdriver metrics
  library to create unnecessary stackdriver descriptors
  [[GH-8073](https://github.com/hashicorp/vault/pull/8073)]
* replication: Fix issue causing cubbyholes in namespaces on performance
  secondaries to not work.
* replication (enterprise): Unmounting a dynamic secrets backend could
  sometimes lead to replication errors.  Change the order of operations to
  prevent that.
* seal (enterprise): Fix seal migration when transactional seal wrap backend
  is in use.
* secrets/database/influxdb: Fix potential panic if connection to the
  InfluxDB database cannot be established
  [[GH-8282](https://github.com/hashicorp/vault/pull/8282)]
* secrets/database/mysql: Ensures default static credential rotation
  statements are used
  [[GH-8240](https://github.com/hashicorp/vault/pull/8240)]
* secrets/database/mysql: Fix inconsistent query parameter names: {{name}} or
  {{username}} for different queries. Now it allows for either for backwards
  compatibility [[GH-8240](https://github.com/hashicorp/vault/pull/8240)]
* secrets/database/postgres: Fix inconsistent query parameter names: {{name}}
  or {{username}} for different queries. Now it allows for either for
  backwards compatibility
  [[GH-8240](https://github.com/hashicorp/vault/pull/8240)]
* secrets/pki: Support FQDNs in DNS Name
  [[GH-8288](https://github.com/hashicorp/vault/pull/8288)]
* storage/raft: Allow seal migration to be performed on Vault clusters using
  raft storage [[GH-8103](https://github.com/hashicorp/vault/pull/8103)]
* telemetry: Prometheus requests on standby nodes will now return an error
  instead of forwarding the request to the active node
  [[GH-8280](https://github.com/hashicorp/vault/pull/8280)]
* ui: Fix broken popup menu on the transit secrets list page
  [[GH-8348](https://github.com/hashicorp/vault/pull/8348)]
* ui: Update headless Chrome flag to fix `yarn run test:oss`
  [[GH-8035](https://github.com/hashicorp/vault/pull/8035)]
* ui: Update CLI to accept empty strings as param value to reset
  previously-set values
* ui: Fix bug where error states don't clear when moving between action tabs
  on Transit [[GH-8354](https://github.com/hashicorp/vault/pull/8354)]

## 1.3.6 (May 21st, 2020)

SECURITY:
* core: proxy environment variables are now redacted before being logged, in
  case the URLs include a username:password. This vulnerability,
  CVE-2020-13223, is fixed in 1.3.6 and 1.4.2, but affects 1.4 and 1.4.1, as
  well as older versions of Vault
  [[GH-9022](https://github.com/hashicorp/vault/pull/9022)

BUG FIXES:
* auth/aws: Fix token renewal issues caused by the metadata changes in 1.3.5
  [[GH-8991](https://github.com/hashicorp/vault/pull/8991)]
* replication: Fix mount filter bug that allowed replication filters to hide
  local mounts on a performance secondary

## 1.3.5 (April 28th, 2020)

CHANGES:
* auth/aws: The default set of metadata fields added in 1.3.2 has been
  changed to `account_id` and `auth_type`
  [[GH-8783](https://github.com/hashicorp/vault/pull/8783)]

IMPROVEMENTS:
* auth/aws: The set of metadata stored during login is now configurable
  [[GH-8783](https://github.com/hashicorp/vault/pull/8783)]

## 1.3.4 (March 19th, 2020)

SECURITY:
* A vulnerability was identified in Vault and Vault Enterprise such that,
  under certain circumstances,  an Entity's Group membership may
  inadvertently include Groups the Entity no longer has permissions to. This
  vulnerability, CVE-2020-10660, affects Vault and Vault Enterprise versions
  0.9.0 and newer, and is fixed in 1.3.4.
  [[GH-8606](https://github.com/hashicorp/vault/pull/8606)]
* A vulnerability was identified in Vault Enterprise such that, under certain
  circumstances, existing nested-path policies may give access to Namespaces
  created after-the-fact. This vulnerability, CVE-2020-10661, affects Vault
  Enterprise versions 0.11 and newer, and is fixed in 1.3.4.

## 1.3.3 (March 5th, 2020)

BUG FIXES:
* approle: Fix excessive locking during tidy, which could potentially block
  new approle logins for long enough to cause an outage
  [[GH-8418](https://github.com/hashicorp/vault/pull/8418)]
* cli: Fix issue where Raft snapshots from standby nodes created an empty
  backup file [[GH-8097](https://github.com/hashicorp/vault/pull/8097)]
* identity: Fix incorrect caching of identity token JWKS responses
  [[GH-8412](https://github.com/hashicorp/vault/pull/8412)]
* kmip: role read now returns tls_client_ttl
* kmip: fix panic when templateattr not provided in rekey request
* secrets/database/influxdb: Fix potential panic if connection to the
  InfluxDB database cannot be established
  [[GH-8282](https://github.com/hashicorp/vault/pull/8282)]
* storage/mysql: Fix potential crash when using MySQL as coordination for
  high availability [[GH-8300](https://github.com/hashicorp/vault/pull/8300)]
* storage/raft: Fix potential crash when using Raft as coordination for high
  availability [[GH-8356](https://github.com/hashicorp/vault/pull/8356)]
* ui: Fix missing License menu item
  [[GH-8230](https://github.com/hashicorp/vault/pull/8230)]
* ui: Fix bug where default auth method on login is defaulted to auth method
  that is listing-visibility=unauth instead of "other"
  [[GH-8218](https://github.com/hashicorp/vault/pull/8218)]
* ui: Fix bug where KMIP details were not shown in the UI Wizard
  [[GH-8255](https://github.com/hashicorp/vault/pull/8255)]
* ui: Show Error messages on Auth Configuration page when you hit permission
  errors [[GH-8500](https://github.com/hashicorp/vault/pull/8500)]
* ui: Remove duplicate form inputs for the GitHub config
  [[GH-8519](https://github.com/hashicorp/vault/pull/8519)]
* ui: Correct HMAC capitalization
  [[GH-8528](https://github.com/hashicorp/vault/pull/8528)]
* ui: Fix danger message in DR
  [[GH-8555](https://github.com/hashicorp/vault/pull/8555)]
* ui: Fix certificate field for LDAP config
  [[GH-8573](https://github.com/hashicorp/vault/pull/8573)]

## 1.3.2 (January 22nd, 2020)

SECURITY:
 * When deleting a namespace on Vault Enterprise, in certain circumstances,
   the deletion process will fail to revoke dynamic secrets for a mount in
   that namespace. This will leave any dynamic secrets in remote systems
   alive and will fail to clean them up. This vulnerability, CVE-2020-7220,
   affects Vault Enterprise 0.11.0 and newer.

IMPROVEMENTS:
 * auth/aws: Add aws metadata to identity alias
   [[GH-7985](https://github.com/hashicorp/vault/pull/7985)]
 * auth/kubernetes: Allow both names and namespaces to be set to "*"
   [[GH-78](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/78)]

BUG FIXES:
* auth/azure: Fix Azure compute client to use correct base URL
  [[GH-8072](https://github.com/hashicorp/vault/pull/8072)]
* auth/ldap: Fix renewal of tokens without configured policies that are
  generated by an LDAP login
  [[GH-8072](https://github.com/hashicorp/vault/pull/8072)]
* auth/okta: Fix renewal of tokens without configured policies that are
  generated by an Okta login
  [[GH-8072](https://github.com/hashicorp/vault/pull/8072)]
* core: Fix seal migration error when attempting to migrate from auto unseal
  to shamir [[GH-8172](https://github.com/hashicorp/vault/pull/8172)]
* core: Fix seal migration config issue when migrating from auto unseal to
  auto unseal [[GH-8172](https://github.com/hashicorp/vault/pull/8172)]
* plugin: Fix issue where a plugin unwrap request potentially used an expired
  token [[GH-8058](https://github.com/hashicorp/vault/pull/8058)]
* replication: Fix issue where a forwarded request from a performance/standby
  node could run into a timeout
* secrets/database: Fix issue where a manual static role rotation could
  potentially panic [[GH-8098](https://github.com/hashicorp/vault/pull/8098)]
* secrets/database: Fix issue where a manual root credential rotation request
  is not forwarded to the primary node
  [[GH-8125](https://github.com/hashicorp/vault/pull/8125)]
* secrets/database: Fix issue where a manual static role rotation request is
  not forwarded to the primary node
  [[GH-8126](https://github.com/hashicorp/vault/pull/8126)]
* secrets/database/mysql: Fix issue where special characters for a MySQL
  password were encoded
  [[GH-8040](https://github.com/hashicorp/vault/pull/8040)]
* ui: Fix deleting namespaces
  [[GH-8132](https://github.com/hashicorp/vault/pull/8132)]
* ui: Fix Error handler on kv-secret edit and kv-secret view pages
  [[GH-8133](https://github.com/hashicorp/vault/pull/8133)]
* ui: Fix OIDC callback to check storage
  [[GH-7929](https://github.com/hashicorp/vault/pull/7929)].
* ui: Change `.box-radio` height to min-height to prevent overflow issues
  [[GH-8065](https://github.com/hashicorp/vault/pull/8065)]

## 1.3.1 (December 18th, 2019)

IMPROVEMENTS:
* agent: Add ability to set `exit-after-auth` via the CLI
  [[GH-7920](https://github.com/hashicorp/vault/pull/7920)]
* auth/ldap: Add a `request_timeout` configuration option to prevent
  connection requests from hanging
  [[GH-7909](https://github.com/hashicorp/vault/pull/7909)]
* auth/kubernetes: Add audience to tokenreview API request for Kube
  deployments where issuer is not Kube.
  [[GH-74](https://github.com/hashicorp/vault/pull/74)]
* secrets/ad: Add a `request_timeout` configuration option to prevent
  connection requests from hanging
  [[GH-59](https://github.com/hashicorp/vault-plugin-secrets-ad/pull/59)]
* storage/postgresql: Add support for setting `connection_url` from
  enviornment variable `VAULT_PG_CONNECTION_URL`
  [[GH-7937](https://github.com/hashicorp/vault/pull/7937)]
* telemetry: Add `enable_hostname_label` option to telemetry stanza
  [[GH-7902](https://github.com/hashicorp/vault/pull/7902)]
* telemetry: Add accept header check for prometheus mime type
  [[GH-7958](https://github.com/hashicorp/vault/pull/7958)]

BUG FIXES:
* agent: Fix issue where Agent exits before all templates are rendered when
  using and `exit_after_auth`
  [[GH-7899](https://github.com/hashicorp/vault/pull/7899)]
* auth/aws: Fixes region-related issues when using a custom `sts_endpoint` by
  adding a `sts_region` parameter
  [[GH-7922](https://github.com/hashicorp/vault/pull/7922)]
* auth/token: Fix panic when getting batch tokens on a performance standby
  from a role that does not exist
  [[GH-8027](https://github.com/hashicorp/vault/pull/8027)]
* core: Improve warning message for lease TTLs
  [[GH-7901](https://github.com/hashicorp/vault/pull/7901)]
* identity: Fix identity token panic during invalidation
  [[GH-8043](https://github.com/hashicorp/vault/pull/8043)]
* plugin: Fix a panic that could occur if a mount/auth entry was unable to
  mount the plugin backend and a request that required the system view to be
  retrieved was made
  [[GH-7991](https://github.com/hashicorp/vault/pull/7991)]
* replication: Add `generate-public-key` endpoint to list of allowed
  endpoints for existing DR secondaries
* secrets/gcp: Fix panic if bindings aren't provided in roleset
  create/update.
  [[GH-56](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/56)]
* secrets/pki: Prevent generating certificate on performance standby when
  storing
  [[GH-7904](https://github.com/hashicorp/vault/pull/7904)]
* secrets/transit: Prevent restoring keys to new names that are sub paths
  [[GH-7998](https://github.com/hashicorp/vault/pull/7998)]
* storage/s3: Fix a bug in configurable S3 paths that was preventing use of
  S3 as a source during `operator migrate` operations
  [[GH-7966](https://github.com/hashicorp/vault/pull/7966)]
* ui: Ensure secrets with a period in their key can be viewed and copied
  [[GH-7926](https://github.com/hashicorp/vault/pull/7926)]
* ui: Fix status menu after demotion
  [[GH-7997](https://github.com/hashicorp/vault/pull/7997)]
* ui: Fix select dropdowns in Safari when running Mojave
  [[GH-8023](https://github.com/hashicorp/vault/pull/8023)]

## 1.3 (November 14th, 2019)

CHANGES:
 * Secondary cluster activation: There has been a change to the way that
   activating performance and DR secondary clusters works when using public
   keys for encryption of the parameters rather than a wrapping token. This
   flow was experimental and never documented. It is now officially supported
   and documented but is not backwards compatible with older Vault releases.
 * Cluster cipher suites: On its cluster port, Vault will no longer advertise
   the full TLS 1.2 cipher suite list by default. Although this port is only
   used for Vault-to-Vault communication and would always pick a strong
   cipher, it could cause false flags on port scanners and other security
   utilities that assumed insecure ciphers were being used. The previous
   behavior can be achieved by setting the value of the (undocumented)
   `cluster_cipher_suites` config flag to `tls12`.
 * API/Agent Renewal behavior: The API now allows multiple options for how it
   deals with renewals. The legacy behavior in the Agent/API is for the renewer
   (now called the lifetime watcher) to exit on a renew error, leading to a
   reauthentication. The new default behavior is for the lifetime watcher to
   ignore 5XX errors and simply retry as scheduled, using the existing lease
   duration. It is also possible, within custom code, to disable renewals
   entirely, which allows the lifetime watcher to simply return when it
   believes it is time for your code to renew or reauthenticate.

FEATURES:
 * **Vault Debug**: A new top-level subcommand, `debug`, is added that allows
   operators to retrieve debugging information related to a particular Vault
   node. Operators can use this simple workflow to capture triaging
   information, which can then be consumed programmatically or by support and
   engineering teams.  It has the abilitity to probe for config, host,
   metrics, pprof, server status, and replication status.
 * **Recovery Mode**: Vault server can be brought up in recovery mode to
   resolve outages caused due to data store being in bad state. This is a
   privileged mode that allows `sys/raw` API calls to perform surgical
   corrections to the data tore. Bad storage state can be caused by
   bugs. However, this is usually observed when known (and fixed) bugs are
   hit by older versions of Vault.
 * **Entropy Augmentation (Enterprise)**: Vault now supports sourcing entropy
   from external source for critical security parameters. Currently an HSM
   that supports PKCS#11 is the only supported source.
 * **Active Directory Secret Check-In/Check-Out**: In the Active Directory
   secrets engine, users or applications can check out a service account for
   use, and its password will be rotated when it's checked back in.
 * **Vault Agent Template**: Vault Agent now supports rendering templates
   containing Vault secrets to disk, similar to Consul Template
   [[GH-7652](https://github.com/hashicorp/vault/pull/7652)]
 * **Transit Key Type Support**: Signing and verification is now supported
   with the P-384 (secp384r1) and P-521 (secp521r1) ECDSA curves
   [[GH-7551](https://github.com/hashicorp/vault/pull/7551)] and encryption
   and decryption is now supported via AES128-GCM96
   [[GH-7555](https://github.com/hashicorp/vault/pull/7555)]
 * **SSRF Protection for Vault Agent**: Vault Agent has a configuration
   option to require a specific header before allowing requests
   [[GH-7627](https://github.com/hashicorp/vault/pull/7627)]
 * **AWS Auth Method Root Rotation**: The credential used by the AWS auth
   method can now be rotated, to ensure that only Vault knows the credentials
   it is using [[GH-7131](https://github.com/hashicorp/vault/pull/7131)]
 * **New UI Features**: The UI now supports managing users and groups for the
   Userpass, Cert, Okta, and Radius auth methods.
 * **Shamir with Stored Master Key**: The on disk format for Shamir seals has
   changed, allowing for a secondary cluster using Shamir downstream from a
   primary cluster using Auto
   Unseal. [[GH-7694](https://github.com/hashicorp/vault/pull/7694)]
 * **Stackdriver Metrics Sink**: Vault can now send metrics to
   [Stackdriver](https://cloud.google.com/stackdriver/). See the
   [configuration
   documentation](https://www.vaultproject.io/docs/config/index.html) for
   details. [[GH-6957](https://github.com/hashicorp/vault/pull/6957)]
 * **Filtered Paths Replication (Enterprise)**: Based on the predecessor
   Filtered Mount Replication, Filtered Paths Replication allows now
   filtering of namespaces in addition to mounts.
 * **Token Renewal via Accessor**: Tokens can now be renewed via the accessor
   value through the new `auth/token/renew-accessor` endpoint if the caller's
   token has permission to access that endpoint.
 * **Improved Integrated Storage (Beta)**: Improved raft write performance,
   added support for non-voter nodes, along with UI support for: using raft
   storage, joining a raft cluster, and downloading and restoring a
   snapshot.

IMPROVEMENTS:
 * agent: Add ability to set the TLS SNI name used by Agent
   [[GH-7519](https://github.com/hashicorp/vault/pull/7519)]
 * agent & api: Change default renewer behavior to ignore 5XX errors
   [[GH-7733](https://github.com/hashicorp/vault/pull/7733)]
 * auth/jwt: The redirect callback host may now be specified for CLI logins
   [[GH-71](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/71)]
 * auth/jwt: Bound claims may now contain boolean values
   [[GH-73](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/73)]
 * auth/jwt: CLI logins can now open the browser when running in WSL
   [[GH-77](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/77)]
 * core: Exit ScanView if context has been cancelled
   [[GH-7419](https://github.com/hashicorp/vault/pull/7419)]
 * core: re-encrypt barrier and recovery keys if the unseal key is updated
   [[GH-7493](https://github.com/hashicorp/vault/pull/7493)]
 * core: Don't advertise the full set of TLS 1.2 cipher suites on the cluster
   port, even though only strong ciphers were used
   [[GH-7487](https://github.com/hashicorp/vault/pull/7487)]
 * core (enterprise): Add background seal re-wrap
 * core/metrics: Add config parameter to allow unauthenticated sys/metrics
   access. [[GH-7550](https://github.com/hashicorp/vault/pull/7550)]
 * metrics: Upgrade DataDog library to improve performance
   [[GH-7794](https://github.com/hashicorp/vault/pull/7794)]
 * replication (enterprise): Write-Ahead-Log entries will not duplicate the
   data belonging to the encompassing physical entries of the transaction,
   thereby improving the performance and storage capacity.
 * replication (enterprise): Added more replication metrics
 * replication (enterprise): Reindex process now compares subpages for a more
   accurate indexing process.
 * replication (enterprise): Reindex API now accepts a new `skip_flush`
   parameter indicating all the changes should not be flushed while the tree
   is locked.
 * secrets/aws: The root config can now be read
   [[GH-7245](https://github.com/hashicorp/vault/pull/7245)]
 * secrets/database/cassandra: Add ability to skip verfication of connection
   [[GH-7614](https://github.com/hashicorp/vault/pull/7614)]
 * secrets/gcp: Fix panic during rollback if the roleset has been deleted
   [[GH-52](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/52)]
 * storage/azure: Add config parameter to Azure storage backend to allow
   specifying the ARM endpoint
   [[GH-7567](https://github.com/hashicorp/vault/pull/7567)]
 * storage/cassandra: Improve storage efficiency by eliminating unnecessary
   copies of value data
   [[GH-7199](https://github.com/hashicorp/vault/pull/7199)]
 * storage/raft: Improve raft write performance by utilizing FSM Batching
   [[GH-7527](https://github.com/hashicorp/vault/pull/7527)]
 * storage/raft: Add support for non-voter nodes
   [[GH-7634](https://github.com/hashicorp/vault/pull/7634)]
 * sys: Add a new `sys/host-info` endpoint for querying information about
   the host [[GH-7330](https://github.com/hashicorp/vault/pull/7330)]
 * sys: Add a new set of endpoints under `sys/pprof/` that allows profiling
   information to be extracted
   [[GH-7473](https://github.com/hashicorp/vault/pull/7473)]
 * sys: Add endpoint that counts the total number of active identity entities
   [[GH-7541](https://github.com/hashicorp/vault/pull/7541)]
 * sys: `sys/seal-status` now has a `storage_type` field denoting what type
   of storage the cluster is configured to use
 * sys: Add a new `sys/internal/counters/tokens` endpoint, that counts the
   total number of active service token accessors in the shared token
   storage.
   [[GH-7541](https://github.com/hashicorp/vault/pull/7541)]
 * sys/config: Add  a new endpoint under `sys/config/state/sanitized` that
   returns the configuration state of the server. It excludes config values
   from `storage`, `ha_storage`, and `seal` stanzas and some values
   from `telemetry` due to potential sensitive entries in those fields.
 * ui: when using raft storage, you can now join a raft cluster, download a
   snapshot, and restore a snapshot from the UI
   [[GH-7410](https://github.com/hashicorp/vault/pull/7410)]
 * ui: clarify when secret version is deleted in the secret version history
   dropdown [[GH-7714](https://github.com/hashicorp/vault/pull/7714)]

BUG FIXES:
 * agent: Fix a data race on the token value for inmemsink
   [[GH-7707](https://github.com/hashicorp/vault/pull/7707)]
 * api: Fix Go API using lease revocation via URL instead of body
   [[GH-7777](https://github.com/hashicorp/vault/pull/7777)]
 * api: Allow setting a function to control retry behavior
   [[GH-7331](https://github.com/hashicorp/vault/pull/7331)]
 * auth/gcp: Fix a bug where region information in instance groups names could
   cause an authorization attempt to fail
   [[GH-74](https://github.com/hashicorp/vault-plugin-auth-gcp/pull/74)]
 * cli: Fix a bug where a token of an unknown format (e.g. in ~/.vault-token)
   could cause confusing error messages during `vault login`
   [[GH-7508](https://github.com/hashicorp/vault/pull/7508)]
 * cli: Fix a bug where the `namespace list` command with JSON formatting
   always returned an empty object
   [[GH-7705](https://github.com/hashicorp/vault/pull/7705)]
 * cli: Command timeouts are now always specified solely by the
   `VAULT_CLIENT_TIMEOUT`
   value. [[GH-7469](https://github.com/hashicorp/vault/pull/7469)]
 * core: Don't allow registering a non-root zero TTL token lease. This is
   purely defense in depth as the lease would be revoked immediately anyways,
   but there's no real reason to allow registration.
   [[GH-7524](https://github.com/hashicorp/vault/pull/7524)]
 * identity (enterprise): Fixed identity case sensitive loading in secondary
   cluster [[GH-7327](https://github.com/hashicorp/vault/pull/7327)]
 * identity: Ensure only replication primary stores the identity case
   sensitivity state
   [[GH-7820](https://github.com/hashicorp/vault/pull/7820)]
 * raft: Fixed VAULT_CLUSTER_ADDR env being ignored at startup
   [[GH-7619](https://github.com/hashicorp/vault/pull/7619)]
 * secrets/pki: Don't allow duplicate SAN names in issued certs
   [[GH-7605](https://github.com/hashicorp/vault/pull/7605)]
 * sys/health: Pay attention to the values provided for `standbyok` and
   `perfstandbyok` rather than simply using their presence as a key to flip on
   that behavior [[GH-7323](https://github.com/hashicorp/vault/pull/7323)]
 * ui: using the `wrapped_token` query param will work with `redirect_to` and
   will automatically log in as intended
   [[GH-7398](https://github.com/hashicorp/vault/pull/7398)]
 * ui: fix an error when initializing from the UI using PGP keys
   [[GH-7542](https://github.com/hashicorp/vault/pull/7542)]
 * ui: show all active kv v2 secret versions even when `delete_version_after`
   is configured [[GH-7685](https://github.com/hashicorp/vault/pull/7685)]
 * ui: Ensure that items in the top navigation link to pages that users have
   access to [[GH-7590](https://github.com/hashicorp/vault/pull/7590)]

## 1.2.4 (November 7th, 2019)

SECURITY:
 * In a non-root namespace, revocation of a token scoped to a non-root
   namespace did not trigger the expected revocation of dynamic secret leases
   associated with that token. As a result, dynamic secret leases in non-root
   namespaces may outlive the token that created them.  This vulnerability,
   CVE-2019-18616, affects Vault Enterprise 0.11.0 and newer.
 * Disaster Recovery secondary clusters did not delete already-replicated data
   after a mount filter has been created on an upstream Performance secondary
   cluster. As a result, encrypted secrets may remain replicated on a Disaster
   Recovery secondary cluster after application of a mount filter excluding
   those secrets from replication. This vulnerability, CVE-2019-18617, affects
   Vault Enterprise 0.8 and newer.
 * Update version of Go to 1.12.12 to fix Go bug golang.org/issue/34960 which
   corresponds to CVE-2019-17596.

CHANGES:
 * auth/aws: If a custom `sts_endpoint` is configured, Vault Agent and the
   CLI should provide the corresponding region via the `region` parameter
   (which already existed as a CLI parameter, and has now been added to
   Agent). The automatic region detection added to the CLI and Agent in 1.2
   has been removed.

IMPROVEMENTS:
  * cli: Ignore existing token during CLI login
    [[GH-7508](https://github.com/hashicorp/vault/pull/7508)]
  * core: Log proxy settings from environment on startup
    [[GH-7528](https://github.com/hashicorp/vault/pull/7528)]
  * core: Cache whether we've been initialized to reduce load on storage
    [[GH-7549](https://github.com/hashicorp/vault/pull/7549)]

BUG FIXES:
 * agent: Fix handling of gzipped responses
   [[GH-7470](https://github.com/hashicorp/vault/pull/7470)]
 * cli: Fix panic when pgp keys list is empty
   [[GH-7546](https://github.com/hashicorp/vault/pull/7546)]
 * cli: Command timeouts are now always specified solely by the
   `VAULT_CLIENT_TIMEOUT`
   value. [[GH-7469](https://github.com/hashicorp/vault/pull/7469)]
 * core: add hook for initializing seals for migration
   [[GH-7666](https://github.com/hashicorp/vault/pull/7666)]
 * core (enterprise): Migrating from one auto unseal method to another never
   worked on enterprise, now it does.
 * identity: Add required field `response_types_supported` to identity token
   `.well-known/openid-configuration` response
   [[GH-7533](https://github.com/hashicorp/vault/pull/7533)]
 * identity: Fixed nil pointer panic when merging entities
   [[GH-7712](https://github.com/hashicorp/vault/pull/7712)]
 * replication (Enterprise): Fix issue causing performance standbys nodes
   disconnecting when under high loads.
 * secrets/azure: Fix panic that could occur if client retries timeout
   [[GH-7793](https://github.com/hashicorp/vault/pull/7793)]
 * secrets/database: Fix bug in combined DB secrets engine that can result in
   writes to static-roles endpoints timing out
   [[GH-7518](https://github.com/hashicorp/vault/pull/7518)]
 * secrets/pki: Improve tidy to continue when value is nil
   [[GH-7589](https://github.com/hashicorp/vault/pull/7589)]
 * ui (Enterprise): Allow kv v2 secrets that are gated by Control Groups to
   be viewed in the UI
   [[GH-7504](https://github.com/hashicorp/vault/pull/7504)]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants