pkgsrc-WIP-changes archive


vault: Update to 1.4.0



Module Name:	pkgsrc-wip
Committed By:	Iku Iwasa <iku.iwasa%gmail.com@localhost>
Pushed By:	iquiw
Date:		Sat Apr 11 10:49:41 2020 +0900
Changeset:	9e849789c47e2ba92952825044123eb772a7e94c

Modified Files:
	vault/Makefile
	vault/distinfo

Log Message:
vault: Update to 1.4.0

CHANGES:

* cli: The raft configuration command has been renamed to list-peers to
  avoid confusion.

FEATURES:

* Kerberos Authentication: Vault now supports Kerberos authentication using
  a SPNEGO token. Login can be performed using the Vault CLI, API, or agent.
* Kubernetes Service Discovery: A new Kubernetes service discovery feature
  where, if configured, Vault will tag Vault pods with their current health
  status. For more, see #8249.
* MongoDB Atlas Secrets: Vault can now generate dynamic credentials for
  both MongoDB Atlas databases as well as the Atlas programmatic interface.
* OpenLDAP Secrets Engine: We now support password management of existing
  OpenLDAP user entries. For more, see #8360.
* Redshift Database Secrets Engine: The database secrets engine now
  supports static and dynamic secrets for the Amazon Web Services (AWS)
  Redshift service.
* Service Registration Config: A newly introduced service_registration
  configuration stanza, that allows for service registration to be configured
  separately from the storage backend. For more, see #7887.
* Transform Secrets Engine (Enterprise): A new secrets engine that handles
  secure data transformation and tokenization against provided input value.
* Integrated Storage: Promoted out of beta and into general availability
  for both open-source and enterprise workloads.

IMPROVEMENTS:

* agent: add option to force the use of the auto-auth token, and ignore the
  Vault token in the request [GH-8101]
* api: Restore and fix DNS SRV Lookup [GH-8520]
* audit: HMAC http_raw_body in audit log; this ensures that large
  authenticated Prometheus metrics responses get replaced with short HMAC
  values [GH-8130]
* audit: Generate-root, generate-recovery-token, and
  generate-dr-operation-token requests and responses are now
  audited. [GH-8301]
* auth/aws: Reduce the number of simultaneous STS client credentials needed
  [GH-8161]
* auth/azure: subscription ID, resource group, vm and vmss names are now
  stored in alias metadata [GH-30]
* auth/jwt: Additional OIDC callback parameters available for CLI logins
  [GH-80 & GH-86]
* auth/jwt: Bound claims may be optionally configured using globs [GH-89]
* auth/jwt: Timeout during OIDC CLI login if process doesn't complete
  within 2 minutes [GH-97]
* auth/jwt: Add support for the form_post response mode [GH-98]
* auth/jwt: add optional client_nonce to authorization flow [GH-104]
* auth/okta: Upgrade okta sdk lib, which should improve handling of groups
  [GH-8143]
* aws: Add support for v2 of the instance metadata service (see issue 7924
  for all linked PRs)
* core: Separate out service discovery interface from storage interface to
  allow new types of service discovery not coupled to storage [GH-7887]
* core: Add support for telemetry option metrics_prefix [GH-8340]
* core: Entropy Augmentation can now be used with AWS KMS and Vault Transit
  seals
* core: Allow tls_min_version to be set to TLS 1.3 [GH-8305]
* cli: Incorrect TLS configuration will now correctly fail [GH-8025]
* identity: Allow specifying a custom client_id for identity tokens
  [GH-8165]
* metrics/prometheus: improve performance with high volume of metrics
  updates [GH-8507]
* replication (enterprise): Fix race condition causing clusters with high
  throughput writes to sometimes fail to enter streaming-wal mode
* replication (enterprise): Secondary clusters can now perform an extra
  gRPC call to all nodes in a primary cluster in an attempt to resolve the
  active node's address
* replication (enterprise): The replication status API now outputs
  last_performance_wal, last_dr_wal, and connection_state values
* replication (enterprise): DR secondary clusters can now be recovered by
  the replication/dr/secondary/recover API
* replication (enterprise): We now allow for an alternate means to create a
  Disaster Recovery token, by using a batch token that is created with an ACL
  that allows for access to one or more of the DR endpoints.
* secrets/database/mongodb: Switched internal MongoDB driver to
  mongo-driver [GH-8140]
* secrets/database/mongodb: Add support for x509 client authorization to
  MongoDB [GH-8329]
* secrets/database/oracle: Add support for static credential rotation
  [GH-26]
* secrets/consul: Add support to specify TLS options per Consul backend
  [GH-4800]
* secrets/gcp: Allow specifying the TTL for a service key [GH-54]
* secrets/gcp: Add support for rotating root keys [GH-53]
* secrets/gcp: Handle version 3 policies for Resource Manager IAM requests
  [GH-77]
* secrets/nomad: Add support to specify TLS options per Nomad backend
  [GH-8083]
* secrets/ssh: Allowed users can now be templated with identity information
  [GH-7548]
* secrets/transit: Adding RSA3072 key support [GH-8151]
* storage/consul: Vault now returns a more descriptive error message when
  only a client cert or a client key has been provided [GH-4930]
* storage/raft: Nodes in the raft cluster can all be given possible leader
  addresses for them to continuously try and join one of them, thus
  automating the process of joining to a greater extent [GH-7856]
* storage/raft: Fix a potential deadlock that could occur on leadership
  transition [GH-8547]
* storage/raft: Refresh TLS keyring on snapshot restore [GH-8546]
* storage/etcd: Bumped etcd client API SDK [GH-7931 & GH-4961 & GH-4349 &
  GH-7582]
* ui: Make Transit Key actions more prominent [GH-8304]
* ui: Add Core Usage Metrics [GH-8347]
* ui: Add refresh Namespace list on the Namespace dropdown, and redesign of
  Namespace dropdown menu [GH-8442]
* ui: Update transit actions to codeblocks & automatically encode plaintext
  unless indicated [GH-8462]
* ui: Display the results of transit key actions in a modal window
  [GH-8462]
* ui: Transit key version styling updates & ability to copy key from
  dropdown [GH-8480]

BUG FIXES:

* agent: Fix issue where TLS options are ignored for agent template feature
  [GH-7889]
* auth/jwt: Use lower case role names for default_role to match the role
  case convention [GH-100]
* auth/ldap: Fix a bug where the UPNDOMAIN parameter was wrongly used to
  look up the group membership of the given user [GH-6325]
* cli: Support autocompletion for nested mounts [GH-8303]
* cli: Fix CLI namespace autocompletion [GH-8315]
* identity: Fix incorrect caching of identity token JWKS responses
  [GH-8412]
* metrics/stackdriver: Fix issue that prevents the stackdriver metrics
  library to create unnecessary stackdriver descriptors [GH-8073]
* replication: Fix issue causing cubbyholes in namespaces on performance
  secondaries to not work.
* seal (enterprise): Fix seal migration when transactional seal wrap
  backend is in use.
* secrets/database/influxdb: Fix potential panic if connection to the
  InfluxDB database cannot be established [GH-8282]
* secrets/database/mysql: Ensures default static credential rotation
  statements are used [GH-8240]
* secrets/database/mysql: Fix inconsistent query parameter names: {{name}}
  or {{username}} for different queries. Now it allows for either for
  backwards compatibility [GH-8240]
* secrets/database/postgres: Fix inconsistent query parameter names:
  {{name}} or {{username}} for different queries. Now it allows for either
  for backwards compatibility [GH-8240]
* secrets/pki: Support FQDNs in DNS Name [GH-8288]
* storage/raft: Allow seal migration to be performed on Vault clusters
  using raft storage [GH-8103]
* telemetry: Prometheus requests on standby nodes will now return an error
  instead of forwarding the request to the active node [GH-8280]
* ui: Fix broken popup menu on the transit secrets list page [GH-8348]
* ui: Update headless Chrome flag to fix yarn run test:oss [GH-8035]
* ui: Update CLI to accept empty strings as param value to reset
  previously-set values
* ui: Fix bug where error states don't clear when moving between action
  tabs on Transit [GH-8354]

To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=9e849789c47e2ba92952825044123eb772a7e94c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffstat:
 vault/Makefile | 2 +-
 vault/distinfo | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diffs:
diff --git a/vault/Makefile b/vault/Makefile
index c90bc460ac..80142407ce 100644
--- a/vault/Makefile
+++ b/vault/Makefile
@@ -1,6 +1,6 @@
 # $NetBSD$
 
-DISTNAME=	vault-1.3.4
+DISTNAME=	vault-1.4.0
 CATEGORIES=	security
 MASTER_SITES=	${MASTER_SITE_GITHUB:=hashicorp/}
 
diff --git a/vault/distinfo b/vault/distinfo
index 1ebefd284d..a0a9923ee0 100644
--- a/vault/distinfo
+++ b/vault/distinfo
@@ -1,8 +1,8 @@
 $NetBSD$
 
-SHA1 (vault-1.3.4.tar.gz) = 6f9afae2d5b6a462d3021dee6ab226143aa92b23
-RMD160 (vault-1.3.4.tar.gz) = 1910fae1d6b003d88de536d103a24f00adbcb007
-SHA512 (vault-1.3.4.tar.gz) = efae914ef76fb314d4652246fab468970f7b57d66af38453e3a0c74444f1879d049811cc09b7e059e1d9ea2b82c0b71de81cf54dce51778c8300247157d9a7c2
-Size (vault-1.3.4.tar.gz) = 31120568 bytes
+SHA1 (vault-1.4.0.tar.gz) = bf0826b737fc1c829ff76fbbf7aa98fe7b75d5cc
+RMD160 (vault-1.4.0.tar.gz) = de972aef35a0500aa69f4c277e83c1baec0be67d
+SHA512 (vault-1.4.0.tar.gz) = 13c1fb901fe577d91f2734f8a0ae5e51083e1307e7fc32a4388a1be48f2c46cd3d121432fa7450d6f9b439285d3ad5819b123631f41bb347e8d75ce683d24a7e
+Size (vault-1.4.0.tar.gz) = 33097110 bytes
 SHA1 (patch-vendor_github.com_ory_dockertest_docker_pkg_system_stat__netbsd.go) = 723ce00bc56771008074e5d77efd465501fda2bb
 SHA1 (patch-vendor_github.com_ory_dockertest_docker_pkg_term_termios__bsd.go) = 9696daf0158de14d8756748b0dc5398be9ff64f4
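Review bot: the two patch-vendor_github.com_ory_dockertest_* entries at the end of this hunk are carried over unchanged, and their SHA1 values only cover the patch files themselves, not whether those patches still apply to the 1.4.0 tree. Both target vendored files, so please confirm the patch stage runs cleanly against vault-1.4.0.tar.gz (no fuzz, no rejected hunks) and that the patched files still exist at those vendor paths; if either patch is no longer needed, drop it together with its distinfo line. Since the four distfile lines were all regenerated from one download, it is also worth comparing the new SHA512 against a copy of the tarball fetched independently before this goes further.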

