Log Message:
Update security/vault to 0.9.1.

DEPRECATIONS/CHANGES:

- AppRole Case Sensitivity: In prior versions of Vault, `list` operations
  against AppRole roles would require preserving case in the role name, even
  though most other operations within AppRole are case-insensitive with
  respect to the role name. This has been fixed; existing roles will behave as
  they have in the past, but new roles will act case-insensitively in these
  cases.
- Token Auth Backend Roles parameter types: For `allowed_policies` and
  `disallowed_policies` in role definitions in the token auth backend, input
  can now be a comma-separated string or an array of strings. Reading a role
  will now return arrays for these parameters.
- Transit key exporting: You can now mark a key in the `transit` backend as
  `exportable` at any time, rather than just at creation time; however, once
  this value is set, it still cannot be unset.
- PKI Secret Backend Roles parameter types: For `allowed_domains` and
  `key_usage` in role definitions in the PKI secret backend, input
  can now be a comma-separated string or an array of strings. Reading a role
  will now return arrays for these parameters.
- SSH Dynamic Keys Method Defaults to 2048-bit Keys: When using the dynamic
  key method in the SSH backend, the default is now to use 2048-bit keys if no
  specific key bit size is specified.
- Consul Secret Backend lease handling: The `consul` secret backend can now
  accept both strings and integer numbers of seconds for its lease value. The
  value returned on a role read will be an integer number of seconds instead
  of a human-friendly string.
- Unprintable characters not allowed in API paths: Unprintable characters are
  no longer allowed in names in the API (paths and path parameters), with an
  extra restriction on whitespace characters. Allowed characters are those
  that are considered printable by Unicode plus spaces.

FEATURES:

- Transit Backup/Restore: The `transit` backend now supports a backup
  operation that can export a given key, including all key versions and
  configuration, as well as a restore operation allowing import into another
  Vault.
- gRPC Database Plugins: Database plugins now use gRPC for transport,
  allowing them to be written in other languages.
- Nomad Secret Backend: Nomad ACL tokens can now be generated and revoked
  using Vault.
- TLS Cert Auth Backend Improvements: The `cert` auth backend can now
  match against custom certificate extensions via exact or glob matching, and
  additionally supports max_ttl and periodic token toggles.

IMPROVEMENTS:

- auth/cert: Support custom certificate constraints
- auth/cert: Support setting `max_ttl` and `period`
- audit/file: Setting a file mode of `0000` will now disable Vault from
  automatically `chmod`ing the log file
- auth/github: The legacy MFA system can now be used with the GitHub auth
  backend
- auth/okta: The legacy MFA system can now be used with the Okta auth backend
- auth/token: `allowed_policies` and `disallowed_policies` can now be specified
  as a comma-separated string or an array of strings
- command/server: The log level can now be specified with `VAULT_LOG_LEVEL`
- core: Period values from auth backends will now be checked and applied to the
  TTL value directly by core on login and renewal requests
- database/mongodb: Add optional `write_concern` parameter, which can be set
  during database configuration. This establishes a session-wide write
  concern for the lifecycle of the mount
- http: Request path containing non-printable characters will return 400 - Bad
  Request
- mfa/okta: Filter a given email address as a login filter, allowing operation
  when login email and account email are different
- plugins: Make Vault more resilient when unsealing when plugins are
  unavailable
- secret/pki: `allowed_domains` and `key_usage` can now be specified
  as a comma-separated string or an array of strings
- secret/ssh: Allow 4096-bit keys to be used in dynamic key method
- secret/consul: The Consul secret backend now uses the value of `lease` set
  on the role, if set, when renewing a secret.
- storage/mysql: Don't attempt database creation if it exists, which can help
  under certain permissions constraints

BUG FIXES:

- api/status (enterprise): Fix status reporting when using an auto seal
- auth/approle: Fix case-sensitive/insensitive comparison issue
- auth/cert: Return `allowed_names` on role read
- auth/ldap: Fix incorrect control information being sent
- core: Fix seal status reporting when using an autoseal
- core: Add creation path to wrap info for a control group token
- core: Fix potential panic that could occur using plugins when a node
  transitioned from active to standby
- core: Fix memory ballooning when a connection would connect to the cluster
  port and then go away -- redux!
- core: Replace recursive token revocation logic with depth-first logic, which
  can avoid hitting stack depth limits in extreme cases
- core: When doing a read on configured audited-headers, properly handle case
  insensitivity
- core/pkcs11 (enterprise): Fix panic when PKCS#11 library is not readable
- database/mysql: Allow the creation statement to use commands that are not yet
  supported by the prepare statement protocol
- plugin/auth-gcp: Fix IAM roles when using `allow_gce_inference`