Merge branch 'master' of https://github.com/hashicorp/vault into tls13
gedigi committed Feb 15, 2020
2 parents d1dc2f7 + 23cdc86 commit 9240fe1
Showing 209 changed files with 10,385 additions and 1,443 deletions.
74 changes: 44 additions & 30 deletions .circleci/config.yml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion .circleci/config/@config.yml
Expand Up @@ -29,7 +29,7 @@ executors:
environment:
GO111MODULE: "off"
CIRCLECI_CLI_VERSION: 0.1.5546 # Pin CircleCI CLI to patch version (ex: 1.2.3)
GO_VERSION: 1.12.14 # Pin Go to patch version (ex: 1.2.3)
GO_VERSION: 1.13.7 # Pin Go to patch version (ex: 1.2.3)
GOTESTSUM_VERSION: 0.3.3 # Pin gotestsum to patch version (ex: 1.2.3)
GO_TAGS: ""
working_directory: /go/src/github.com/hashicorp/vault
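Review bot: the GO_VERSION pin changes from 1.12.14 to 1.13.7 in this source fragment, but the generated .circleci/config.yml is listed with 74 changes and is not rendered on this page, so confirm it was regenerated from this file and carries the same value. GO111MODULE stays "off" across the Go minor-version bump; worth confirming that is still intended for these executors.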
33 changes: 20 additions & 13 deletions .circleci/config/jobs/website-docker-image.yml
Expand Up @@ -4,19 +4,26 @@ shell: /usr/bin/env bash -euo pipefail -c
steps:
- checkout
- setup_remote_docker
- run:
name: Diff package-lock.json
command: |
echo 'export PACKAGE_LOCK_CHANGED=$(git diff --name-only $(git log --pretty=format:'%h' -n1 HEAD~1)...HEAD | grep -c website/package-lock.json)' >> $BASH_ENV
- run:
name: Build Docker Image if Necessary
command: |
if [ "$CIRCLE_BRANCH" = "master" ] && [ $PACKAGE_LOCK_CHANGED -gt 0 ]; then
cd website/
docker build -t hashicorp/vault-website:$CIRCLE_SHA1 .
docker tag hashicorp/vault-website:$CIRCLE_SHA1 hashicorp/vault-website:latest
docker login -u $DOCKER_USER -p $DOCKER_PASS
docker push hashicorp/vault-website
else
echo "Not building a new website docker image - branch is not master and/or dependencies have not changed."
fi
# BUILD_FROM_REPO should ALWAYS be the main OSS Vault repo URL.
[email protected]:hashicorp/vault.git
[ "$CIRCLE_REPOSITORY_URL" = "$BUILD_FROM_REPO" ] || {
echo "Not building website docker image for repo '$CIRCLE_REPOSITORY_URL' - we only build it for $BUILD_FROM_REPO."
exit 0
}
[ "$CIRCLE_BRANCH" = "master" ] || {
echo "Not building website docker image for branch '$CIRCLE_BRANCH' - we only build it for master."
exit 0
}
PACKAGE_LOCK_CHANGED=$(git diff --name-only $(git log --pretty=format:'%h' -n1 HEAD~1)...HEAD | grep -c website/package-lock.json)
[ $PACKAGE_LOCK_CHANGED -gt 0 ] || {
echo "Not building a new website docker image - dependencies have not changed."
exit 0
}
cd website/
docker build -t hashicorp/vault-website:$CIRCLE_SHA1 .
docker tag hashicorp/vault-website:$CIRCLE_SHA1 hashicorp/vault-website:latest
docker login -u $DOCKER_USER -p $DOCKER_PASS
docker push hashicorp/vault-website
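Review bot: on the line `PACKAGE_LOCK_CHANGED=$(git diff ... | grep -c website/package-lock.json)`, grep -c prints 0 but exits with status 1 when nothing matches, and this job's shell is `bash -euo pipefail`, so the assignment fails and the step aborts with an error before it can reach the "dependencies have not changed" message and its `exit 0`. Appending `|| true` inside the substitution, or testing `grep -q` directly in an `if`, keeps the no-change case a clean skip. Separately, `docker login -u $DOCKER_USER -p $DOCKER_PASS` passes the registry password as a command-line argument; feeding it through `--password-stdin` keeps it out of the process list, and the expansions in `[ $PACKAGE_LOCK_CHANGED -gt 0 ]` and the docker commands should be quoted.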
18 changes: 16 additions & 2 deletions CHANGELOG.md
Expand Up @@ -2,31 +2,40 @@

FEATURES:

* **Kerberos Authentication**: We now support Kerberos authentication using
a SPNEGO token. Login can be performed using the Vault CLI, API, or agent.
* **Kerberos Authentication**: We now support Kerberos authentication using a SPNEGO token.
Login can be performed using the Vault CLI, API, or agent.
* **Kubernetes Service Discovery**: We now support Kerberos service discovery where, if
configured, Vault will tag Vault pods with their current health status. For more, see [#8249](https://github.com/hashicorp/vault/pull/8249).

IMPROVEMENTS:

* agent: add option to force the use of the auth-auth token, and ignore the Vault token in the request [[GH-8101](https://github.com/hashicorp/vault/pull/8101)]
* audit: HMAC http_raw_body in audit log; this ensures that large authenticated Prometheus metrics responses get
replaced with short HMAC values [[GH-8130](https://github.com/hashicorp/vault/pull/8130)]
* audit: Generate-root, generate-recovery-token, and generate-dr-operation-token requests and responses are now audited. [[GH-8301](https://github.com/hashicorp/vault/pull/8301)]
* auth/aws: Reduce the number of simultaneous STS client credentials needed [[GH-8161](https://github.com/hashicorp/vault/pull/8161)]
* auth/jwt: Additional OIDC callback parameters available for CLI logins [[GH-80](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/80) & [GH-86](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/86)]
* auth/jwt: Bound claims may be optionally configured using globs [[GH-89](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/89)]
* auth/jwt: Timeout during OIDC CLI login if process doesn't complete within 2 minutes [[GH-97](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/97)]
* aws: Add support for v2 of the instance metadata service (see [issue 7924](https://github.com/hashicorp/vault/issues/7924) for all linked PRs)
* core: Separate out service discovery interface from storage interface to allow
new types of service discovery not coupled to storage [[GH-7887](https://github.com/hashicorp/vault/pull/7887)]
* core: Add support for telemetry option `metrics_prefix` [[GH-8340](https://github.com/hashicorp/vault/pull/8340)]
* cli: Incorrect TLS configuration will now correctly fail [[GH-8025](https://github.com/hashicorp/vault/pull/8025)]
* identity: Allow specifying a custom `client_id` for identity tokens [[GH-8165](https://github.com/hashicorp/vault/pull/8165)]
* okta: Upgrade okta sdk lib, which should improve handling of groups [[GH-8143](https://github.com/hashicorp/vault/pull/8143)]
* secrets/database/mongodb: Switched internal MongoDB driver to mongo-driver [[GH-8140](https://github.com/hashicorp/vault/pull/8140)]
* secrets/consul: Add support to specify TLS options per Consul backend [[GH-4800](https://github.com/hashicorp/vault/pull/4800)]
* secrets/gcp: Allow specifying the TTL for a service key [[GH-54](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/54)]
* secrets/gcp: Add support for rotating root keys [[GH-53](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/53)]
* secrets/gcp: Handle version 3 policies for Resource Manager IAM requests [[GH-77](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/77)]
* secrets/nomad: Add support to specify TLS options per Nomad backend [[GH-8083](https://github.com/hashicorp/vault/pull/8083)]
* storage/raft: Nodes in the raft cluster can all be given possible leader
addresses for them to continuously try and join one of them, thus automating
the process of join to a greater extent [[GH-7856](https://github.com/hashicorp/vault/pull/7856)]
* storage/etcd: Bumped etcd client API SDK [[GH-7931](https://github.com/hashicorp/vault/pull/7931) & [GH-4961](https://github.com/hashicorp/vault/pull/4961) & [GH-4349](https://github.com/hashicorp/vault/pull/4349) & [GH-7582](https://github.com/hashicorp/vault/pull/7582)]
* ui: Make Transit Key actions more prominent [GH-8304](https://github.com/hashicorp/vault/pull/8304)
* ui: Add Core Usage Metrics [GH-8347](https://github.com/hashicorp/vault/pull/8347)

BUG FIXES:

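Review bot: the **Kubernetes Service Discovery** entry under FEATURES reads "We now support Kerberos service discovery"; the rest of the sentence describes tagging Vault pods, so "Kerberos" looks carried over from the entry above and should be "Kubernetes". The two `ui:` entries at the end of IMPROVEMENTS use `[GH-8304](...)` and `[GH-8347](...)` without the outer square brackets that the other entries in this list have.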
Expand All @@ -40,10 +49,13 @@ BUG FIXES:
different queries. Now it allows for either for backwards compatibility [[GH-8240](https://github.com/hashicorp/vault/pull/8240)]
* secrets/pki: Support FQDNs in DNS Name [[GH-8288](https://github.com/hashicorp/vault/pull/8288)]
* storage/mysql: Fix potential crash when using MySQL as coordination for high availability [[GH-8229](https://github.com/hashicorp/vault/pull/8229)]
* storage/raft: Fix potential crash when using Raft as coordination for high availability [[GH-8239](https://github.com/hashicorp/vault/pull/8239)]
* ui: Update CLI to accept empty strings as param value to reset previously-set values
* telemetry: Prometheus requests on standby nodes will now return an error instead of forwarding
the request to the active node [[GH-8280](https://github.com/hashicorp/vault/pull/8280)]
* cli: Support autocompletion for nested mounts [[GH-8303](https://github.com/hashicorp/vault/pull/8303)]
* cli: Fix CLI namespace autocompletion [[GH-8315](https://github.com/hashicorp/vault/pull/8315)]
* ui: Fix broken popup menu on the transit secrets list page [[GH-8348](https://github.com/hashicorp/vault/pull/8348)]


## 1.3.3 (Unreleased)
Expand All @@ -55,6 +67,8 @@ BUG FIXES:
* ui: Fix bug where default auth method on login is defaulted to auth method that is listing-visibility=unauth instead of “other” [[GH-8218](https://github.com/hashicorp/vault/pull/8218)]
* ui: Fix bug where KMIP details were not shown in the UI Wizard [[GH-8255](https://github.com/hashicorp/vault/pull/8255)]
* secrets/database/influxdb: Fix potential panic if connection to the InfluxDB database cannot be established [GH-8282]
* storage/mysql: Fix potential crash when using MySQL as coordination for high availability [[GH-8300](https://github.com/hashicorp/vault/pull/8300)]
* storage/raft: Fix potential crash when using Raft as coordination for high availability [[GH-8356](https://github.com/hashicorp/vault/pull/8356)]

## 1.3.2 (January 22nd, 2020)

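Review bot: the storage/mysql and storage/raft entries under 1.3.3 repeat, word for word, the entries in the section above but cite different pull requests (GH-8300 and GH-8356 here, GH-8229 and GH-8239 there). If these are backports, say so or cite the original PR alongside, so a reader can tell each is one fix and not two. The influxdb entry just above them carries a bare [GH-8282] with no link, unlike its neighbours.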
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -20,7 +20,7 @@ EXTERNAL_TOOLS=\
GOFMT_FILES?=$$(find . -name '*.go' | grep -v pb.go | grep -v vendor)


GO_VERSION_MIN=1.12.7
GO_VERSION_MIN=1.13.7
GO_CMD?=go
CGO_ENABLED?=0
ifneq ($(FDB_ENABLED), )
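Review bot: GO_VERSION_MIN moves from 1.12.7 to 1.13.7, which puts the floor at the same patch release the CI config pins, where the old floor (1.12.7) sat below the old CI pin (1.12.14). A short comment beside the variable stating whether 1.13.7 specifically is required, or only the 1.13 line, would tell the next person bumping the CI pin whether this value has to move with it.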
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -60,7 +60,7 @@ Developing Vault

If you wish to work on Vault itself or any of its built-in systems, you'll
first need [Go](https://www.golang.org) installed on your machine. Go version
1.12.7+ is *required*.
1.13.7+ is *required*.

For local dev first make sure Go is properly installed, including setting up a
[GOPATH](https://golang.org/doc/code.html#GOPATH). Ensure that `$GOPATH/bin` is in
2 changes: 1 addition & 1 deletion api/go.mod
Expand Up @@ -12,7 +12,7 @@ require (
github.com/hashicorp/go-retryablehttp v0.6.2
github.com/hashicorp/go-rootcerts v1.0.1
github.com/hashicorp/hcl v1.0.0
github.com/hashicorp/vault/sdk v0.1.14-0.20200111013952-157e805b97be
github.com/hashicorp/vault/sdk v0.1.14-0.20200214222719-7a3b716487a5
github.com/mitchellh/mapstructure v1.1.2
golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4
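Review bot: the github.com/hashicorp/vault/sdk requirement moves from one pseudo-version to another (v0.1.14-0.20200214222719-7a3b716487a5), so api still depends on an untagged sdk commit. The matching api/go.sum change is not visible on this page; confirm it is part of the same commit so the new revision is hash-verified, and consider tagging the sdk so that api consumers resolve a released version.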