hashicorp/boundary v0.11.0

on GitHub

0.11.0 (2022/09/27)

Known Issues

• PKI workers in past versions did not store a prior encryption key, and a bug
  prior to 0.11.0 meant that auth rotations could happen more frequently than
  expected. This could cause some race issues around rotation time. However,
  there was another issue where a past worker authentication record could be
  looked up for some operations instead of the current one, made more likely by
  the too-frequent rotations. In 0.11.0 we attempt to ensure that the record
  that remains on upgrade is the most current one, but it is possible that the
  wrong one is chosen, leading to a failure for the worker to authenticate or
  for some operations to consistently fail. In this case, the worker will need
  to be deleted and re-authorized. We apologize for any issues this causes and
  this should be remedied going forward.

Bug Fixes

• Fix bug preventing delete of org. (PR
• scopes: Organizations could be prevented from being deleted if some resources
  remained (PR)
• workers: Authentication rotation could occur prior to the expected time
  (PR)
• workers: When looking up worker authentication records, an old record could be
  returned instead of the new one, leading to errors for encryption or
  decryption operations (PR)

New and Improved

• vault: (HCP Boundary only): Private Vault clusters can be used with HCP Boundary by using PKI workers
  deployed in the same network as a private cluster. Tags are used to control which PKI workers can manage private Vault
  requests by specifying a worker_filter attribute when configuring a Vault credential store.
• credentials: There is now a json credential type supported by static
  credential stores that allows submitting a generic JSON object to Boundary for
  use with credential brokering workflows
  (PR)
• ui: Add support for worker management
  (PR)
• ui: Add support for PKI worker registration
  (PR)
• ui: Add support for Static Credential Stores
  (PR)
• ui: Add support for Username & Password Credentials
  (PR)
• ui: Add support for Username & Key Pair Credentials
  (PR)
• ui (HCP Boundary only): SSH Target creation along with injected application
  credential support (PR)
• ui (HCP Boundary only): Update vault credential stores to support private
  vault access (PR)
• ui: Improve quick setup wizard onboarding guide resource names
  (PR)
• ui: Updates to host catalog and host set forms and “Learn More” links
  (PR)
• workers: Added the ability to read and reinitialize the Worker certificate
  authority (PR1,
  PR2)
• workers: Return the worker Boundary binary version on worker list and read
  (PR)
• workers: Addition of worker graceful shutdown, triggered by an initial
  SIGINT or SIGTERM (PR)
• workers: Retain one previous encryption/decryption key after authentication
  rotation (PR)

Deprecations/Changes

• In 0.5.0, the add-host-sets, remove-host-sets, and set-host-sets actions
  on targets were deprecated in favor of add-host-sources,
  remove-host-sources, and set-host-sources. Originally these actions and
  API calls were to be removed in 0.6, but this was delayed to give extra time
  for clients to switch over. This has now been fully switched over. A database
  migration will modify any grants in roles to have the new actions. This same
  changeover has been made for add-/remove-/set-credential-libraries to
  add-/remove-/set-credential-sources, although those actions would only be in
  grant strings in very rare circumstances as the -sources actions replaced
  the -libraries actions very quickly.
  (PR)