0.11.0 (2022/09/27)
Known Issues
- PKI workers in past versions did not store a prior encryption key, and a bug
prior to 0.11.0 meant that auth rotations could happen more frequently than
expected. This could cause some race issues around rotation time. However,
there was another issue where a past worker authentication record could be
looked up for some operations instead of the current one, made more likely by
the too-frequent rotations. In 0.11.0 we attempt to ensure that the record
that remains on upgrade is the most current one, but it is possible that the
wrong one is chosen, leading to a failure for the worker to authenticate or
for some operations to consistently fail. In this case, the worker will need
to be deleted and re-authorized. We apologize for any issues this causes and
this should be remedied going forward.
Bug Fixes
- Fix bug preventing delete of org. (PR
- scopes: Organizations could be prevented from being deleted if some resources
remained (PR)
- workers: Authentication rotation could occur prior to the expected time
(PR)
- workers: When looking up worker authentication records, an old record could be
returned instead of the new one, leading to errors for encryption or
decryption operations (PR)
New and Improved
- vault (HCP Boundary only): Private Vault clusters can be used with HCP
Boundary by using PKI workers deployed in the same network as a private
cluster. Tags are used to control which PKI workers can manage private Vault
requests by specifying a worker_filter attribute when configuring a Vault
credential store.
- credentials: There is now a json credential type supported by static
credential stores that allows submitting a generic JSON object to Boundary for
use with credential brokering workflows (PR)
- ui: Add support for worker management (PR)
- ui: Add support for PKI worker registration (PR)
- ui: Add support for Static Credential Stores (PR)
- ui: Add support for Username & Password Credentials (PR)
- ui: Add support for Username & Key Pair Credentials (PR)
- ui (HCP Boundary only): SSH Target creation along with injected application
credential support (PR)
- ui (HCP Boundary only): Update vault credential stores to support private
vault access (PR)
- ui: Improve quick setup wizard onboarding guide resource names (PR)
- ui: Updates to host catalog and host set forms and “Learn More” links (PR)
- workers: Added the ability to read and reinitialize the Worker certificate
authority (PR1, PR2)
- workers: Return the worker Boundary binary version on worker list and read
(PR)
- workers: Addition of worker graceful shutdown, triggered by an initial
SIGINT or SIGTERM (PR)
- workers: Retain one previous encryption/decryption key after authentication
rotation (PR)
Deprecations/Changes
- In 0.5.0, the add-host-sets, remove-host-sets, and set-host-sets actions
on targets were deprecated in favor of add-host-sources,
remove-host-sources, and set-host-sources. Originally these actions and
API calls were to be removed in 0.6, but this was delayed to give extra time
for clients to switch over. This has now been fully switched over. A database
migration will modify any grants in roles to have the new actions. This same
changeover has been made for add-/remove-/set-credential-libraries to
add-/remove-/set-credential-sources, although those actions would only be in
grant strings in very rare circumstances as the -sources actions replaced
the -libraries actions very quickly.
(PR)
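
The database migration above only covers grants already stored in roles. For grant strings kept elsewhere, a small checker can apply the same renames and report what it changed. This is an added example, not Boundary's migration code; the `key=value;...` and JSON grant layouts it parses and the sample grants are assumptions constructed for illustration.

```python
import json

# Deprecated action -> replacement, as listed in the changelog entry above.
RENAMED = {
    "add-host-sets": "add-host-sources",
    "remove-host-sets": "remove-host-sources",
    "set-host-sets": "set-host-sources",
    "add-credential-libraries": "add-credential-sources",
    "remove-credential-libraries": "remove-credential-sources",
    "set-credential-libraries": "set-credential-sources",
}


def _rename(actions):
    """Map deprecated actions to new names, dropping duplicates the rename creates."""
    out, changed = [], []
    for action in (a.strip() for a in actions):
        new = RENAMED.get(action, action)
        if new != action:
            changed.append(action)
        if new not in out:
            out.append(new)
    return out, changed


def migrate_grant(grant):
    """Return (rewritten_grant, deprecated_actions_found) for one grant string."""
    if grant.lstrip().startswith("{"):  # JSON-form grant (assumed layout)
        obj = json.loads(grant)
        obj["actions"], changed = _rename(obj.get("actions", []))
        return json.dumps(obj, separators=(",", ":")), changed
    fields, changed = [], []
    for field in grant.strip().split(";"):  # text form: key=value;key=value
        key, sep, value = field.partition("=")
        if sep and key.strip() == "actions":
            new_actions, changed = _rename(value.split(","))
            field = "actions=" + ",".join(new_actions)
        fields.append(field)
    return ";".join(fields), changed

# Constructed sample grants (not taken from any real deployment).
SAMPLE_GRANTS = [
    "id=*;type=target;actions=read,add-host-sets,add-host-sources",
    '{"id":"*","type":"target","actions":["set-credential-libraries"]}',
    "id=*;type=host-set;actions=list,read",
]

if __name__ == "__main__":
    for g in SAMPLE_GRANTS:
        print(*migrate_grant(g))
```

A non-empty second element marks a grant that still names a removed action; running the function on its own output returns an empty list.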