From 1bc959ad5a4294eb2fb7c72a45853fb95e4f7b8f Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Mon, 3 Dec 2018 11:45:02 -0500 Subject: [PATCH] CL and plugin updates --- CHANGELOG.md | 170 +++++++----------- .../path_login.go | 6 + vendor/vendor.json | 6 +- 3 files changed, 73 insertions(+), 109 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 218ca4ef6499d..f6f7f5502a4f6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,21 +1,12 @@ ## 1.0.0 -IMPROVEMENTS: - - * ui: Allow editing of KV V2 data when a token doesn't have capabilities to - read secret metadata [GH-5879] - -BUG FIXES: - - * ui: Update DR Secondary Token generation command [GH-5857] - * ui: Fix pagination bug where controls would be rendered once for each - item when viewing policies [GH-5866] - - -## 1.0.0-rc1 (Nov 20th, 2018) - CHANGES: + * Tokens are now prefixed by a designation to indicate what type of token they + are. Service tokens start with `s.` and batch tokens start with `b.`. + Existing tokens will still work (they are all of service type and will be + considered as such). Prefixing allows us to be more efficient when consuming + a token, which keeps the critical path of requests faster. * Paths within `auth/token` that allow specifying a token or accessor in the URL have been removed. These have been deprecated since March 2016 and undocumented, but were retained for backwards compatibility. They shouldn't 
@@ -28,35 +19,6 @@ CHANGES: options map itself cannot be unset once it's set, but the keypairs within the map can be unset if an empty value is provided, with the exception of the `version` keypair which is handled differently for KVv2 purposes. - -IMPROVEMENTS: - - * agent: Support for configuring the location of the kubernetes service account - [GH-5725] - * ui: Empty states have updated styling and link to relevant actions and - documentation [GH-5758] - -BUG FIXES: - - * identity: Update group memberships when entity is deleted [GH-5786] - * storage/gcs: Send md5 of values to GCS to avoid potential corruption - [GH-5804] - * ui: Fix the PKI context menu so that items load [GH-5824] - * ui: Fix dr secondary operation token generation via the ui [GH-5818] - * ui: Allow for secret creation in kv v2 when cas_required=true [GH-5823] - * agent: Fix auth when multiple redirects [GH-5814] - * secrets/kv: Fix issue where storage version would get incorrectly downgraded - [GH-5809] - * performance standby: Fix audit table upgrade on standbys [GH-5811] - * performance standby: Fix redirect on approle update [GH-5820] - * cli: Restore the `-policy-override` flag [GH-5826] - * core: Fix rekey progress reset which did not happen under certain - circumstances. [GH-5743] - -## 1.0.0-beta2 (November 13th, 2018) - -CHANGES: - * Agent no longer automatically reauthenticates when new credentials are detected. It's not strictly necessary and in some cases was causing reauthentication much more often than intended. 
@@ -76,25 +38,32 @@ CHANGES: writing custom clients using the Go API library. As before, this can be changed to any custom HTTP client by the caller. -CHANGES FROM BETA 1: -(Note: these items will be removed from the final 1.0 changelog as they are -only breaking changes from beta1) - - * Token Store Roles and Batch Tokens: Roles now default to `default-service` - token type, issuing service tokens by default but allowing overriding by the - client. They now also support `default-batch` in addition to `service` and - `batch`. - FEATURES: - * AppRole support in Vault Agent Auto-Auth: You can now use AppRole - credentials when having Agent automatically authenticate to Vault. - * OpenAPI descriptions of mounted backends can be served directly from Vault. - * Support for Kubernetes Projected Service Account Tokens in Kubernetes auth - * Added ability to wrap secrets and easily copy the wrap token or secret JSON in the UI. + * **Auto-Unseal in Open Source**: Cloud-based auto-unseal has been migrated + from Enterprise to Open Source. We've created a migrator to allow migrating + between Shamir seals and auto unseal methods. + * Batch Tokens: Batch tokens trade off some features of service tokens for no + storage overhead, and in most cases can be used across performance + replication clusters. + * Replication Speed Improvements: We've worked hard to speed up a lot of + operations when using Vault Enterprise Replication. + * **GCP KMS Secrets Engine**: This new secrets engine provides a Transit-like + pattern to keys stored within GCP Cloud KMS. 
+ * **AppRole support in Vault Agent Auto-Auth**: You can now use AppRole + credentials when having Agent automatically authenticate to Vault + * **OpenAPI Support**: Descriptions of mounted backends can be served directly + from Vault + * **Kubernetes Projected Service Account Tokens**: Projected Service Account + Tokens are now supported in Kubernetes auth + * **Response Wrapping in UI**: Added ability to wrap secrets and easily copy + the wrap token or secret JSON in the UI IMPROVEMENTS: + * agent: Support for configuring the location of the kubernetes service account + [GH-5725] + * auth/token: New tokens are indexed in storage HMAC-SHA256 instead of SHA1 * secret/totp: Allow @ character to be part of key name [GH-5652] * secret/consul: Add support for new policy based tokens added in Consul 1.4 [GH-5586] 
@@ -104,16 +73,37 @@ IMPROVEMENTS: * ui: Improved banner and popup design [GH-5672] * ui: Added token type to auth method mount config [GH-5723] * ui: Display additonal wrap info when unwrapping. [GH-5664] + * ui: Empty states have updated styling and link to relevant actions and + documentation [GH-5758] + * ui: Allow editing of KV V2 data when a token doesn't have capabilities to + read secret metadata [GH-5879] BUG FIXES: + * agent: Fix auth when multiple redirects [GH-5814] + * cli: Restore the `-policy-override` flag [GH-5826] + * core: Fix rekey progress reset which did not happen under certain + circumstances. [GH-5743] * core: Migration from autounseal to shamir will clean up old keys [GH-5671] + * identity: Update group memberships when entity is deleted [GH-5786] + * replication/perfstandby: Fix audit table upgrade on standbys [GH-5811] + * replication/perfstandby: Fix redirect on approle update [GH-5820] * secrets/azure: Fix valid roles being rejected for duplicate ids despite having distinct scopes [[GH-16]](https://github.com/hashicorp/vault-plugin-secrets-azure/pull/16) + * storage/gcs: Send md5 of values to GCS to avoid potential corruption + [GH-5804] + * secrets/kv: Fix issue where storage version would get incorrectly downgraded + [GH-5809] * secrets/kv: Disallow empty paths on a `kv put` while accepting empty paths for all other operations for backwards compatibility [[GH-19]](https://github.com/hashicorp/vault-plugin-secrets-kv/pull/19) + * ui: Allow for secret creation in kv v2 when cas_required=true [GH-5823] + * ui: Fix dr secondary operation token generation via the ui [GH-5818] + * ui: Fix the PKI context menu so that items load [GH-5824] + * ui: Update DR Secondary Token generation command [GH-5857] + * ui: Fix pagination bug where controls would be rendered once for each + item when viewing policies [GH-5866] * ui: Fix bug where `sys/leases/revoke` required 'sudo' capability to show the revoke button in the UI [GH-5647] * ui: Fix issue 
where certain pages wouldn't render in a namespace [GH-5692] 
@@ -122,52 +112,20 @@ BUG FIXES: BUG FIXES: + * agent: Fix issue when specifying two file sinks [GH-5610] * auth/userpass: Fix minor timing issue that could leak the presence of a username [GH-5614] + * autounseal/alicloud: Fix issue interacting with the API (Enterprise) + * autounseal/azure: Fix key version tracking (Enterprise) * cli: Fix panic that could occur if parameters were not provided [GH-5603] * core: Fix buggy behavior if trying to remount into a namespace * identity: Fix duplication of entity alias entity during alias transfer between entities [GH-5733] + * namespaces: Fix tuning of auth mounts in a namespace * ui: Fix bug where editing secrets as JSON doesn't save properly [GH-5660] * ui: Fix issue where IE 11 didn't render the UI and also had a broken form when trying to use tool/hash [GH-5714] - * agent: Fix issue when specifying two file sinks [GH-5610] - * autounseal/alicloud: Fix issue interacting with the API (Enterprise) - * autounseal/azure: Fix key version tracking (Enterprise) - * namespaces: Fix tuning of auth mounts in a namespace - -## 1.0.0-beta1 (October 23rd, 2018) - -NOTE: - - A few items didn't make it into beta1; this entry will be updated for beta2 - and the final release. - -CHANGES: - - * core: Tokens are now prefixed by a designation to indicate what type of - token they are. Service tokens start with `s.` and batch tokens start with - `b.`. Existing tokens will still work (they are all of service type and will - be considered as such). Prefixing allows us to be more efficient when - consuming a token, which keeps the critical path of requests faster. - -FEATURES: - - * **Auto-Unseal in Open Source**: Cloud-based auto-unseal is migrating from - Enterprise to Open Source. We've created a migrator to allow migrating - between Shamir seals and auto unseal methods. 
- * Batch Tokens: Batch tokens trade off some features of service tokens for no - storage overhead, and in most cases can be used across performance - replication clusters. - * Replication Speed Improvements: We've worked hard to speed up a lot of - operations when using Vault Enterprise Replication. - * **GCP KMS Secrets Engine**: This new secrets engine provides a Transit-like - pattern to keys stored within GCP Cloud KMS. - -IMPROVEMENTS: - - * auth/token: New tokens are indexed in storage HMAC-SHA256 instead of SHA1 - + ## 0.11.4 (October 23rd, 2018) CHANGES: @@ -178,12 +136,12 @@ CHANGES: FEATURES: - * Transit Key Trimming: Keys in transit secret engine can now be trimmed to - remove older unused key versions. - * Web UI support for KV Version 2. Browse, delete, undelete and destroy - individual secret versions in the UI. - * Azure Existing Service Principal Support: Credentials can now be generated - against an existing service principal. + * **Transit Key Trimming**: Keys in transit secret engine can now be trimmed to + remove older unused key versions + * **Web UI support for KV Version 2**: Browse, delete, undelete and destroy + individual secret versions in the UI + * **Azure Existing Service Principal Support**: Credentials can now be generated + against an existing service principal IMPROVEMENTS: 
@@ -254,13 +212,13 @@ CHANGES: FEATURES: - * AWS Secret Engine Root Credential Rotation: The credential used by the AWS + * **AWS Secret Engine Root Credential Rotation**: The credential used by the AWS secret engine can now be rotated, to ensure that only Vault knows the - credentials it is using. [GH-5140] - * Storage Backend Migrator: A new `operator migrate` command allows offline - migration of data between two storage backends. - * AliCloud KMS Auto Unseal and Seal Wrap Support (Enterprise): AliCloud KMS can now be used a support seal for - Auto Unseal and Seal Wrapping. + credentials it is using [GH-5140] + * **Storage Backend Migrator**: A new `operator migrate` command allows offline + migration of data between two storage backends + * **AliCloud KMS Auto Unseal and Seal Wrap Support (Enterprise)**: AliCloud KMS can now be used a support seal for + Auto Unseal and Seal Wrapping BUG FIXES: diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_login.go b/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_login.go index 9ecff8f3366a5..75a60e6a1411e 100644 --- a/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_login.go +++ b/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_login.go @@ -109,6 +109,12 @@ func (b *kubeAuthBackend) pathLogin() framework.OperationFunc { Period: role.Period, Alias: &logical.Alias{ Name: serviceAccount.uid(), + Metadata: map[string]string{ + "service_account_uid": serviceAccount.uid(), + "service_account_name": serviceAccount.name(), + "service_account_namespace": serviceAccount.namespace(), + "service_account_secret_name": serviceAccount.SecretName, + }, }, InternalData: map[string]interface{}{ "role": roleName, diff --git a/vendor/vendor.json b/vendor/vendor.json index 3aa44f4fc0a0c..b20e1b3645db2 100644 --- a/vendor/vendor.json +++ b/vendor/vendor.json 
@@ -1437,10 +1437,10 @@ "revisionTime": "2018-10-31T19:59:42Z" }, { - "checksumSHA1": "8J4z30a2oTqSPQYOaT4j/jiZuNE=", + "checksumSHA1": "Ldg2jQeyPrpAupyQq4lRVN+jfFY=", "path": "github.com/hashicorp/vault-plugin-auth-kubernetes", - "revision": "5328b889a921243d6e19cda38fb2c31a48cba2b2", - "revisionTime": "2018-11-01T19:05:09Z" + "revision": "091d9e5d5fabce920533eff31ad778778992a671", + "revisionTime": "2018-11-30T16:25:33Z" }, { "checksumSHA1": "PmhyvCKVlEMEP6JO31ozW+CBIiE=",
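Review bot: with the `## 1.0.0-rc1 (Nov 20th, 2018)` heading dropped in the first CHANGELOG.md hunk (`@@ -1,21 +1,12 @@`), the consolidated `## 1.0.0` heading is left without a release date while the other headings in the file (`## 0.11.4 (October 23rd, 2018)` and the removed beta/rc ones) all carry one; add the date, or an explicit unreleased marker, so the heading style stays consistent. The token-prefix entry re-added at the top of CHANGES also drops the `core:` component prefix the beta1 wording had; the `Paths within auth/token ...` entry below it has no prefix either, so this is internally consistent, just confirm that is the intended convention for CHANGES entries.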
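Review bot: the FEATURES list added in the `@@ -76,25 +38,32 @@` hunk is inconsistent with itself and with the later hunks: `**Auto-Unseal in Open Source**` and `**GCP KMS Secrets Engine**` are bolded but `Batch Tokens:` and `Replication Speed Improvements:` are not, and these entries keep trailing periods while the `@@ -178` and `@@ -254` hunks strip them from the same bullet style. Bold all feature names and drop the periods. In the IMPROVEMENTS block of the same hunk, `auth/token: New tokens are indexed in storage HMAC-SHA256 instead of SHA1` reads as if a word is missing; suggest `indexed in storage using HMAC-SHA256 instead of SHA1`, and because this changes how tokens are looked up on disk, state whether existing SHA1-indexed tokens are migrated or matched by both schemes (the CHANGES entry above promises existing tokens still work).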
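Review bot: the BUG FIXES list in the `@@ -104,16 +73,37 @@` hunk is otherwise sorted by component, but the re-added `storage/gcs:` entry lands between `secrets/azure:` and `secrets/kv:`; move it after the `secrets/kv` entries. While touching this list, fix `additonal` in the context line `ui: Display additonal wrap info when unwrapping.`. The beta2 entries previously labelled `performance standby:` come back as `replication/perfstandby:`, which is a clearer component name; check that the same prefix is used in the older sections so the changelog stays greppable.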
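Review bot: after the `@@ -122,52 +112,20 @@` hunk the 1.0.0 section appears to carry two `BUG FIXES:` headings, the one in the previous hunk and the context line at the top of this one; the two unchanged lines between the hunks are not shown, so if they do not open a separate subsection, merge the two lists and let the `agent:`, `autounseal/*` and `namespaces:` entries kept here sort in with the ones above. The removed beta1 `NOTE:` block and its CHANGES, FEATURES and IMPROVEMENTS entries all reappear in the consolidated 1.0.0 section, so nothing is lost by the deletion.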
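Review bot: `AliCloud KMS can now be used a support seal for Auto Unseal and Seal Wrapping` in the `@@ -254,13 +212,13 @@` hunk is missing a word and carries the wording over from the old line; since the line is being rewritten anyway, make it `can now be used as a supported seal for Auto Unseal and Seal Wrapping` and wrap it at the column width the rest of the file uses.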
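Review bot: the `Metadata` map added to `logical.Alias` in the `path_login.go` hunk persists the service account UID, name, namespace and secret name on the identity alias, where they are readable by anyone who can view the entity and usable in templated policies, so this is a user-visible behaviour change that deserves an `auth/kubernetes:` line in CHANGELOG.md (the commit edits the changelog but adds none) and a docs update listing the four keys. Two smaller points: `serviceAccount.SecretName` is read as a field while the neighbouring values use the `uid()`, `name()` and `namespace()` accessors, so check how `SecretName` is populated for projected service account tokens (which the changelog says are now supported) rather than silently storing an empty string; and since `Name: serviceAccount.uid()` is already the alias name, `service_account_uid` in metadata is redundant, though harmless.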
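Review bot: the vendor.json bump moves `vault-plugin-auth-kubernetes` from revision `5328b889...` (2018-11-01) to `091d9e5d...` (2018-11-30) with a new `checksumSHA1`, which covers a month of upstream commits, yet the only file under vendor/ that changes in this commit is `path_login.go`; confirm the vendor tool re-fetched the whole package at the new revision so the vendored tree matches the recorded checksum, and that the upstream range really reduces to this one hunk.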