Log Message:
Update security/vault to 0.9.0.

DEPRECATIONS/CHANGES:

- API HTTP client behavior: When calling `NewClient` the API no longer
  modifies the provided client/transport.
- AWS EC2 client nonce behavior: The client nonce generated by the
  backend that gets returned along with the authentication response
  will be audited in plaintext.
- AWS Auth role options: The API will now error when trying to create
  or update a role with the mutually-exclusive options
  `disallow_reauthentication` and `allow_instance_migration`.
- SSH CA role read changes: When reading back a role from the `ssh`
  backend, the TTL/max TTL values will now be an integer number of
  seconds rather than a string. This better matches the API elsewhere
  in Vault.
- SSH role list changes: When listing roles from the `ssh` backend via
  the API, the response data will additionally return a `key_info` map
  that will contain a map of each key with a corresponding object
  containing the `key_type`.
- More granularity in audit logs: Audit request and response entires
  are still in RFC3339 format but now have a granularity of
  nanoseconds.
- High availability related values have been moved out of the
  `storage` and `ha_storage` stanzas, and into the top-level
  configuration. `redirect_addr` has been renamed to `api_addr`.
- A new `seal` stanza has been added to the configuration file, which
  is optional and enables configuration of the seal type to use for
  additional data protection, such as using HSM or Cloud KMS solutions
  to encrypt and decrypt data.

FEATURES:

- RSA Support for Transit Backend: Transit backend can now generate
  RSA keys which can be used for encryption and signing.
- Identity System: Now in open source and with significant
  enhancements, Identity is an integrated system for understanding
  users across tokens and enabling easier management of users directly
  and via groups.
- External Groups in Identity: Vault can now automatically assign
  users and systems to groups in Identity based on their membership in
  external groups.
- Seal Wrap / FIPS 140-2 Compatibility (Enterprise): Vault can now
  take advantage of FIPS 140-2-certified HSMs to ensure that Critical
  Security Parameters are protected in a compliant fashion.
- Control Groups (Enterprise): Require multiple members of an Identity
  group to authorize a requested action before it is allowed to run.
- Cloud Auto-Unseal (Enterprise): Automatically unseal Vault using AWS
  KMS and GCP CKMS.
- Sentinel Integration (Enterprise): Take advantage of HashiCorp
  Sentinel to create extremely flexible access control policies - even
  on unauthenticated endpoints.
- Barrier Rekey Support for Auto-Unseal (Enterprise): When using
  auto-unsealing functionality, the `rekey` operation is now
  supported; it uses recovery keys to authorize the master key rekey.
- Operation Token for Disaster Recovery Actions (Enterprise): When
  using Disaster Recovery replication, a token can be created that can
  be used to authorize actions such as promotion and updating primary
  information, rather than using recovery keys.
- Trigger Auto-Unseal with Recovery Keys (Enterprise): When using
  auto-unsealing, a request to unseal Vault can be triggered by a
  threshold of recovery keys, rather than requiring the Vault process to
  be restarted.
- UI Redesign (Enterprise): All new experience for the Vault
  Enterprise UI. The look and feel has been completely redesigned to
  give users a better experience and make managing secrets fast and
  easy.
- UI: SSH Secret Backend (Enterprise): Configure an SSH secret
  backend, create and browse roles. And use them to sign keys or
  generate one time passwords.
- UI: AWS Secret Backend (Enterprise): You can now configure the AWS
  backend via the Vault Enterprise UI. In addition you can create
  roles, browse the roles and Generate IAM Credentials from them
  in the UI.

IMPROVEMENTS:

- api: Add ability to set custom headers on each call
- command/server: Add config option to disable requesting client
  certificates
- core: Disallow mounting underneath an existing path, not just over
- physical/file: Use `700` as permissions when creating directories.
  The files themselves were `600` and are all encrypted, but this
  doesn't hurt.
- secret/aws: Add ability to use custom IAM/STS endpoints
- secret/cassandra: Work around Cassandra ignoring consistency levels
  for a user listing query
- secret/pki: Private keys can now be marshalled as PKCS#8
- secret/pki: Allow entering URLs for `pki` as both comma-separated
  strings and JSON arrays
- secret/ssh: Role TTL/max TTL can now be specified as either a string
  or an integer
- secret/transit: Sign and verify operations now support a `none` hash
  algorithm to allow signing/verifying pre-hashed data
- secret/database: Add the ability to glob allowed roles in the
  Database Backend
- ui (enterprise): Support for RSA keys in the transit backend
- ui (enterprise): Support for DR Operation Token generation,
  promoting, and updating primary on DR Secondary clusters

BUG FIXES:

- api: Fix panic when setting a custom HTTP client but with a nil
  transport
- api: Fix authing to the `cert` backend when the CA for the client
  cert is not known to the server's listener
- auth/approle: Create role ID index during read if a role is missing
  one
- auth/aws: Don't allow mutually exclusive options
- auth/radius: Fix logging in in some situations
- core: Fix memleak when a connection would connect to the cluster
  port and then go away
- core: Fix panic if a single-use token is used to step-down or seal
- core: Set rather than add headers to prevent some duplicated headers
  in responses when requests were forwarded to the active node
- physical/etcd3: Fix some listing issues due to how etcd3 does prefix
  matching
- physical/etcd3: Fix case where standbys can lose their etcd client
  lease
- physical/file: Fix listing when underscores are the first component
  of a path
- plugins: Allow response errors to be returned from backend plugins
- secret/transit: Fix panic if the length of the input ciphertext was
  less than the expected nonce length
- ui (enterprise): Reinstate support for generic secret backends -
  this was erroneously removed in a previous release