GitLab

- This is needed for building the final release.

* Disallow non-voter setting from peers.json

* Fix bug that would make the actual fix a no-op

* Change order of evaluation

* Error out instead of resetting the value

* Update physical/raft/raft.go
Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com>

* Print node ID
Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>

Ensure that the .vault-token file writen by `vault login` always has the correct permissions and ownership. (#8867) (#8869)

* database/mongodb: revert to old retry behavior

* add a default case for non-EOF errors

* Handle request errors during raft snapshot

* add aliasmetadata sdk helper and add to aws auth

* split into ec2_metadata and iam_metadata fields

* fix tests

* strip pointer

* add test of default metadata

* more test <3

* switch from interface to custom marshallers

* add tests for marshalling

* store nil when selected fields are default

* separate loop into pieces

* separate acc test into multiple

* Update builtin/credential/aws/path_login.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>

* changes from feedback

* update aws test

* refactor to also populate auth metadata

* update how jsonification is tested

* only add populated metadata values

* add auth_type to ec2 logins
Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>

Backporting https://github.com/hashicorp/vault/pull/8740 to 1.4.x

Makes "ldap operation failed" error messages a little more useful. Also
makes the errors unique so it's easier to debug where an error is coming
from when one occurs.

Use a more minimal bootstrap target when running in CI: just what we need to satisfy our job needs.  Also remove govendor which we no longer use. (#8808) (#8828)

* Support unwrapping tokens that does not contain data

* s/token/secret

Signed-off-by: Dustin Decker <dustindecker@protonmail.com>
Co-authored-by: Dustin Decker <dustindecker@protonmail.com>

The new okta library doesn't prepend /api/v1 to our URL paths like the old one does (we still use the old one in the absence of an API token, since the new one doesn't support that.)  Make our shim prepend /api/v1 to manual requests for the new library like the old library does, and remove explicit /api/v1 from our request paths. (#8807) (#8825)

* identity: Add batch entity deletion endpoint

* Update the parameter description

* Update error message

* Update helper/storagepacker/storagepacker.go
Co-Authored-By: Vishal Nayak <vishalnayak@users.noreply.github.com>

* Review feedback

* Update vault/identity_store_entities.go
Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com>
Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com>
Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com>
Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>

Adds support for user-assigned identities

storage/raft: Fix memory allocation issue and Metadata tracking issues with snapshots (#8793) (#8823)

* storage/raft: Split snapshot restore disk write into batches

* Work on snapshot consistency

* make sure tests send a snapshot

* Fix comment

* Don't remove metrics

* Fix comment

* raft: check for nil on concrete type in SetupCluster

* raft: move check to its own func

* raft: func cleanup

* raft: disallow disable_clustering = true when raft storage is used

* docs: update disable_clustering to mention new behavior

This addresses an issue found in #8696 which was determined to be due to
the Go module proxy having a cached copy of a tag that doesn't match the
official version (due a build prep error weeks ago). All of the repos
got new patch versions, but the content is identical.

This avoids SetConfig from having to grab a write lock which is called on a SIGHUP, and may block, along with a long-running requests that has a read lock held, any other operation that requires a state lock.

* always pick us-east-1 for aws partition

* Update builtin/credential/aws/backend.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>

* show OTP if there is one, otherwise show placeholder

* show OTP during first step of token generation process

* use let instead of with