fix(deps): update module github.com/hashicorp/vault to v1.8.4

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
github.com/hashicorp/vault	require	minor	v1.7.3 -> v1.8.4

---

Release Notes

hashicorp/vault

v1.8.4

Compare Source

1.8.4

6 October 2021

IMPROVEMENTS:

• core: Update Oracle Cloud library to enable seal integration with the uk-gov-london-1 region [GH-12724]

BUG FIXES:

• core: Fix a deadlock on HA leadership transfer [GH-12691]
• database/postgres: Update postgres library (github.com/lib/pq) to properly remove terminated TLS connections from the connection pool. [GH-12413]
• pki: Fix regression preventing email addresses being used as a common name within certificates [GH-12716]
• storage/postgres: Update postgres library (github.com/lib/pq) to properly remove terminated TLS connections from the connection pool. [GH-12413]
• ui: Fix bug where edit role form on auth method is invalid by default [GH-12646]

v1.8.3

Compare Source

1.8.3

29 September 2021

IMPROVEMENTS:

• secrets/pki: Allow signing of self-issued certs with a different signature algorithm. [GH-12514]

BUG FIXES:

• agent: Avoid possible unexpected fault address panic when using persistent cache. [GH-12534]
• core (enterprise): Allow deletion of stored licenses on DR secondary nodes
• core (enterprise): Fix bug where password generation through password policies do not work on namespaces if performed outside a request callback or from an external plugin. [GH-12635]
• core (enterprise): Only delete quotas on primary cluster. [GH-12339]
• identity: Fail alias rename if the resulting (name,accessor) exists already [GH-12473]
• raft (enterprise): Fix panic when updating auto-snapshot config
• secrets/db: Fix bug where Vault can rotate static role passwords early during start up under certain conditions. [GH-12563]
• secrets/openldap: Fix bug where Vault can rotate static role passwords early during start up under certain conditions. #​28 [GH-12599]
• secrets/transit: Enforce minimum cache size for transit backend and init cache size on transit backend without restart. [GH-12418]
• storage/raft: Detect incomplete raft snapshots in api.RaftSnapshot(), and thereby in vault operator raft snapshot save. [GH-12388]
• ui: Fix bug where capabilities check on secret-delete-menu was encoding the forward slashes. [GH-12550]
• ui: Show day of month instead of day of year in the expiration warning dialog [GH-11984]

v1.8.2

Compare Source

1.8.2

26 August 2021

CHANGES:

• go: Update go version to 1.16.7 [GH-12408]

BUG FIXES:

• auth/aws: Fixes ec2 login no longer supporting DSA signature verification [GH-12340]
• cli: vault debug now puts newlines after every captured log line. [GH-12175]
• database/couchbase: change default template to truncate username at 128 characters [GH-12300]
• identity: Fix a panic on arm64 platform when doing identity I/O. [GH-12371]
• physical/raft: Fix safeio.Rename error when restoring snapshots on windows [GH-12377]
• plugin/snowflake: Fixed bug where plugin would crash on 32 bit systems [GH-12378]
• sdk/database: Fix a DeleteUser error message on the gRPC client. [GH-12351]
• secrets/gcp: Fixes a potential panic in the service account policy rollback for rolesets. [GH-12379]
• ui: Fixed api explorer routing bug [GH-12354]
• ui: Fixes metrics page when read on counter config not allowed [GH-12348]
• ui: fix issue where on MaskedInput on auth methods if tab it would clear the value. [GH-12409]

v1.8.1

Compare Source

1.8.1

August 5th, 2021

CHANGES:

• go: Update go version to 1.16.6 [GH-12245]

IMPROVEMENTS:

• serviceregistration: add external-source: "vault" metadata value for Consul registration. [GH-12163]

BUG FIXES:

• auth/aws: Remove warning stating AWS Token TTL will be capped by the Default Lease TTL. [GH-12026]
• auth/jwt: Fixes OIDC auth from the Vault UI when using form_post as the oidc_response_mode. [GH-12258]
• core (enterprise): Disallow autogenerated licenses to be used in diagnose even when config is specified
• core: fix byte printing for diagnose disk checks [GH-12229]
• identity: do not allow a role's token_ttl to be longer than the signing key's verification_ttl [GH-12151]

v1.8.0

Compare Source

1.8.0

July 28th, 2021

CHANGES:

• agent: Errors in the template engine will no longer cause agent to exit unless
  explicitly defined to do so. A new configuration parameter,
  exit_on_retry_failure, within the new top-level stanza, template_config, can
  be set to true in order to cause agent to exit. Note that for agent to exit if
  template.error_on_missing_key is set to true, exit_on_retry_failure must
  be also set to true. Otherwise, the template engine will log an error but then
  restart its internal runner. [GH-11775]
• agent: Update to use IAM Service Account Credentials endpoint for signing JWTs
  when using GCP Auto-Auth method [GH-11473]
• core (enterprise): License/EULA changes that ensure the presence of a valid HashiCorp license to
  start Vault. More information is available in the Vault License FAQ

FEATURES:

• GCP Secrets Engine Static Accounts: Adds ability to use existing service accounts for generation
  of service account keys and access tokens. [GH-12023]
• Key Management Secrets Engine (Enterprise): Adds general availability for distributing and managing keys in AWS KMS. [GH-11958]
• License Autoloading (Enterprise): Licenses may now be automatically loaded from the environment or disk.
• MySQL Database UI: The UI now supports adding and editing MySQL connections in the database secret engine [GH-11532]
• Vault Diagnose: A new vault operator command to detect common issues with vault server setups.

IMPROVEMENTS:

• agent/template: Added static_secret_render_interval to specify how often to fetch non-leased secrets [GH-11934]
• agent: Allow Agent auto auth to read symlinked JWT files [GH-11502]
• api: Allow a leveled logger to be provided to api.Client through SetLogger. [GH-11696]
• auth/aws: Underlying error included in validation failure message. [GH-11638]
• cli/api: Add lease lookup command [GH-11129]
• core: Add prefix_filter to telemetry config [GH-12025]
• core: Add a darwin/arm64 binary release supporting the Apple M1 CPU [GH-12071]
• core: Add a small (<1s) exponential backoff to failed TCP listener Accept failures. [GH-11588]
• core (enterprise): Add controlled capabilities to control group policy stanza
• core: Add metrics for standby node forwarding. [GH-11366]
• core: Add metrics to report if a node is a perf standby, if a node is a dr secondary or primary, and if a node is a perf secondary or primary. [GH-11472]
• core: Send notifications to systemd on start, stop, and configuration reload. [GH-11517]
• core: add irrevocable lease list and count apis [GH-11607]
• core: allow arbitrary length stack traces upon receiving SIGUSR2 (was 32MB) [GH-11364]
• db/cassandra: Added tls_server_name to specify server name for TLS validation [GH-11820]
• go: Update to Go 1.16.5 [GH-11802]
• raft: Improve raft batch size selection [GH-11907]
• raft: change freelist type to map and set nofreelistsync to true [GH-11895]
• replication: Delay evaluation of X-Vault-Index headers until merkle sync completes.
• secrets/rabbitmq: Add ability to customize dynamic usernames [GH-11899]
• secrets/ad: Add rotate-role endpoint to allow rotations of service accounts. [GH-11942]
• secrets/aws: add IAM tagging support for iam_user roles [GH-10953]
• secrets/aws: add ability to provide a role session name when generating STS credentials [GH-11345]
• secrets/database/elasticsearch: Add ability to customize dynamic usernames [GH-11957]
• secrets/database/influxdb: Add ability to customize dynamic usernames [GH-11796]
• secrets/database/mongodb: Add ability to customize SocketTimeout, ConnectTimeout, and ServerSelectionTimeout [GH-11600]
• secrets/database/mongodb: Increased throughput by allowing for multiple request threads to simultaneously update users in MongoDB [GH-11600]
• secrets/database/mongodbatlas: Adds the ability to customize username generation for dynamic users in MongoDB Atlas. [GH-11956]
• secrets/database/redshift: Add ability to customize dynamic usernames [GH-12016]
• secrets/database/snowflake: Add ability to customize dynamic usernames [GH-11997]
• ssh: add support for templated values in SSH CA DefaultExtensions [GH-11495]
• storage/raft/autopilot (enterprise): Enable Autopilot on DR secondary clusters
• storage/raft: Support autopilot for HA only raft storage. [GH-11260]
• ui: Add Validation to KV secret engine [GH-11785]
• ui: Add database secret engine support for MSSQL [GH-11231]
• ui: Add push notification message when selecting okta auth. [GH-11442]
• ui: Add regex validation to Transform Template pattern input [GH-11586]
• ui: Add specific error message if unseal fails due to license [GH-11705]
• ui: Add validation support for open api form fields [GH-11963]
• ui: Added auth method descriptions to UI login page [GH-11795]
• ui: JSON fields on database can be cleared on edit [GH-11708]
• ui: Obscure secret values on input and displayOnly fields like certificates. [GH-11284]
• ui: Redesign of KV 2 Delete toolbar. [GH-11530]
• ui: Replace tool partials with components. [GH-11672]
• ui: Show description on secret engine list [GH-11995]
• ui: Update ember to latest LTS and upgrade UI dependencies [GH-11447]
• ui: Update partials to components [GH-11680]
• ui: Updated ivy code mirror component for consistency [GH-11500]
• ui: Updated node to v14, latest stable build [GH-12049]
• ui: Updated search select component styling [GH-11360]
• ui: add transform secrets engine to features list [GH-12003]
• ui: add validations for duplicate path kv engine [GH-11878]
• ui: show site-wide banners for license warnings if applicable [GH-11759]
• ui: update license page with relevant autoload info [GH-11778]

DEPRECATIONS:

• secrets/gcp: Deprecated the /gcp/token/:roleset and /gcp/key/:roleset paths for generating
  secrets for rolesets. Use /gcp/roleset/:roleset/token and /gcp/roleset/:roleset/key instead. [GH-12023]

BUG FIXES:

• activity: Omit wrapping tokens and control groups from client counts [GH-11826]
• agent/cert: Fix issue where the API client on agent was not honoring certificate
  information from the auto-auth config map on renewals or retries. [GH-11576]
• agent/template: fix command shell quoting issue [GH-11838]
• agent: Fixed agent templating to use configured tls servername values [GH-11288]
• agent: fix timestamp format in log messages from the templating engine [GH-11838]
• auth/approle: fixing dereference of nil pointer [GH-11864]
• auth/jwt: Updates the hashicorp/cap library to v0.1.0 to
  bring in a verification key caching fix. [GH-11784]
• auth/kubernetes: Fix AliasLookahead to correctly extract ServiceAccount UID when using ephemeral JWTs [GH-12073]
• auth/ldap: Fix a bug where the LDAP auth method does not return the request_timeout configuration parameter on config read. [GH-11975]
• cli: Add support for response wrapping in vault list and vault kv list with output format other than table. [GH-12031]
• cli: vault delete and vault kv delete should support the same output options (e.g. -format) as vault write. [GH-11992]
• core (enterprise): Fix orphan return value from auth methods executed on performance standby nodes.
• core (enterprise): Fix plugins mounted in namespaces being unable to use password policies [GH-11596]
• core (enterprise): serialize access to HSM entropy generation to avoid errors in concurrent key generation.
• core/metrics: Add generic KV mount support for vault.kv.secret.count telemetry metric [GH-12020]
• core: Fix cleanup of storage entries from cubbyholes within namespaces. [GH-11408]
• core: Fix edge cases in the configuration endpoint for barrier key autorotation. [GH-11541]
• core: Fix goroutine leak when updating rate limit quota [GH-11371]
• core: Fix race that allowed remounting on path used by another mount [GH-11453]
• core: Fix storage entry leak when revoking leases created with non-orphan batch tokens. [GH-11377]
• core: Fixed double counting of http requests after operator stepdown [GH-11970]
• core: correct logic for renewal of leases nearing their expiration time. [GH-11650]
• identity: Use correct mount accessor when refreshing external group memberships. [GH-11506]
• mongo-db: default username template now strips invalid '.' characters [GH-11872]
• pki: Only remove revoked entry for certificates during tidy if they are past their NotAfter value [GH-11367]
• replication: Fix panic trying to update walState during identity group invalidation.
• replication: Fix: mounts created within a namespace that was part of an Allow
  filtering rule would not appear on performance secondary if created after rule
  was defined.
• secret/pki: use case insensitive domain name comparison as per RFC1035 section 2.3.3
• secret: fix the bug where transit encrypt batch doesn't work with key_version [GH-11628]
• secrets/ad: Forward all creds requests to active node [GH-76] [GH-11836]
• secrets/database/cassandra: Fixed issue where hostnames were not being validated when using TLS [GH-11365]
• secrets/database/cassandra: Fixed issue where the PEM parsing logic of pem_bundle and pem_json didn't work for CA-only configurations [GH-11861]
• secrets/database/cassandra: Updated default statement for password rotation to allow for special characters. This applies to root and static credentials. [GH-11262]
• secrets/database: Fix marshalling to allow providing numeric arguments to external database plugins. [GH-11451]
• secrets/database: Fixed an issue that prevented external database plugin processes from restarting after a shutdown. [GH-12087]
• secrets/database: Fixed minor race condition when rotate-root is called [GH-11600]
• secrets/database: Fixes issue for V4 database interface where SetCredentials wasn't falling back to using RotateRootCredentials if SetCredentials is Unimplemented [GH-11585]
• secrets/openldap: Fix bug where schema was not compatible with rotate-root #​24 [GH-12019]
• storage/dynamodb: Handle throttled batch write requests by retrying, without which writes could be lost. [GH-10181]
• storage/raft: Support cluster address change for nodes in a cluster managed by autopilot [GH-11247]
• storage/raft: Tweak creation of vault.db file [GH-12034]
• storage/raft: leader_tls_servername wasn't used unless leader_ca_cert_file and/or mTLS were configured. [GH-11252]
• tokenutil: Perform the num uses check before token type. [GH-11647]
• transform (enterprise): Fix an issue with malformed transform configuration
  storage when upgrading from 1.5 to 1.6. See Upgrade Notes for 1.6.x.
• ui: Add role from database connection automatically populates the database for new role [GH-11119]
• ui: Add root rotation statements support to appropriate database secret engine plugins [GH-11404]
• ui: Automatically refresh the page when user logs out [GH-12035]
• ui: Fix Version History queryParams on LinkedBlock [GH-12079]
• ui: Fix bug where database secret engines with custom names cannot delete connections [GH-11127]
• ui: Fix bug where the UI does not recognize version 2 KV until refresh, and fix [object Object] error message [GH-11258]
• ui: Fix database role CG access [GH-12111]
• ui: Fix date display on expired token notice [GH-11142]
• ui: Fix entity group membership and metadata not showing [GH-11641]
• ui: Fix error message caused by control group [GH-11143]
• ui: Fix footer URL linking to the correct version changelog. [GH-11283]
• ui: Fix issue where logging in without namespace input causes error [GH-11094]
• ui: Fix namespace-bug on login [GH-11182]
• ui: Fix status menu no showing on login [GH-11213]
• ui: Fix text link URL on database roles list [GH-11597]
• ui: Fixed and updated lease renewal picker [GH-11256]
• ui: fix control group access for database credential [GH-12024]
• ui: fix issue where select-one option was not showing in secrets database role creation [GH-11294]
• ui: fix oidc login with Safari [GH-11884]

v1.7.5

Compare Source

1.7.5

29 September 2021

IMPROVEMENTS:

• secrets/pki: Allow signing of self-issued certs with a different signature algorithm. [GH-12514]

BUG FIXES:

• agent: Avoid possible unexpected fault address panic when using persistent cache. [GH-12534]
• core (enterprise): Fix bug where password generation through password policies do not work on namespaces if performed outside a request callback or from an external plugin. [GH-12635]
• core (enterprise): Only delete quotas on primary cluster. [GH-12339]
• identity: Fail alias rename if the resulting (name,accessor) exists already [GH-12473]
• raft (enterprise): Fix panic when updating auto-snapshot config
• secrets/db: Fix bug where Vault can rotate static role passwords early during start up under certain conditions. [GH-12563]
• secrets/openldap: Fix bug where Vault can rotate static role passwords early during start up under certain conditions. #​28 [GH-12598]
• storage/raft: Detect incomplete raft snapshots in api.RaftSnapshot(), and thereby in vault operator raft snapshot save. [GH-12388]
• ui: Fixed api explorer routing bug [GH-12354]

v1.7.4

Compare Source

1.7.4

26 August 2021

SECURITY:

• UI Secret Caching: The Vault UI erroneously cached and exposed user-viewed secrets between authenticated sessions in a single shared browser, if the browser window / tab was not refreshed or closed between logout and a subsequent login. This vulnerability, CVE-2021-38554, was fixed in Vault 1.8.0 and will be addressed in pending 1.7.4 / 1.6.6 releases.

CHANGES:

• go: Update go version to 1.15.15 [GH-12411]

IMPROVEMENTS:

• ui: Updated node to v14, latest stable build [GH-12049]

BUG FIXES:

• replication (enterprise): Fix a panic that could occur when checking the last wal and the log shipper buffer is empty.
• cli: vault debug now puts newlines after every captured log line. [GH-12175]
• database/couchbase: change default template to truncate username at 128 characters [GH-12299]
• physical/raft: Fix safeio.Rename error when restoring snapshots on windows [GH-12377]
• secrets/database/cassandra: Fixed issue where the PEM parsing logic of pem_bundle and pem_json didn't work for CA-only configurations [GH-11861]
• secrets/database: Fixed an issue that prevented external database plugin processes from restarting after a shutdown. [GH-12087]
• ui: Automatically refresh the page when user logs out [GH-12035]
• ui: Fix database role CG access [GH-12111]
• ui: Fixes metrics page when read on counter config not allowed [GH-12348]
• ui: fix control group access for database credential [GH-12024]
• ui: fix oidc login with Safari [GH-11884]

1.7.3

June 16th, 2021

CHANGES:

• go: Update go version to 1.15.13 [GH-11857]

IMPROVEMENTS:

• db/cassandra: Added tls_server_name to specify server name for TLS validation [GH-11820]
• ui: Add specific error message if unseal fails due to license [GH-11705]

BUG FIXES:

• auth/jwt: Updates the hashicorp/cap library to v0.1.0 to
  bring in a verification key caching fix. [GH-11784]
• core (enterprise): serialize access to HSM entropy generation to avoid errors in concurrent key generation.
• secret: fix the bug where transit encrypt batch doesn't work with key_version [GH-11628]
• secrets/ad: Forward all creds requests to active node [GH-76] [GH-11836]
• tokenutil: Perform the num uses check before token type. [GH-11647]

---

Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box.

---

This PR has been generated by WhiteSource Renovate. View repository job log here.

[codecov]

Codecov Report

Merging #340 (8d9d911) into master (1d2c0d1) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master     #340   +/-   ##
=======================================
  Coverage   42.01%   42.01%           
=======================================
  Files           7        7           
  Lines         307      307           
=======================================
  Hits          129      129           
  Misses        160      160           
  Partials       18       18           

[KellyMerrick]

lgtm