- coalesce can be used to match a template against multiple possible values, returning the first non-empty value. As an example, this can be used in a credential library to allow a username value that may be either a name or a login name depending on the auth method, e.g. {{ coalesce .Account.Name .Account.LoginName }} (PR)

- /v1/billing:monthly-active-users and new CLI command, boundary billing monthly-active-users, that can be used to view the monthly active user counts.

- kms worker method has been removed. Since 0.13.0, unless the use_deprecated_kms_auth_method value was set in the worker config, the new kms mechanism was already being used; it is simply no longer an available option.

- grant_scope_id field on roles is now deprecated in favor of the multiple grant scope support.

- id field in grants has changed to ids, which allows multiple IDs to be included; existing grants submitted to Boundary will continue to work, but grants using "id" can no longer be added to or set on a role.

- max_page_size. The Admin UI, CLI and api package automatically paginate results.

- this, children (global/org only) to apply to all direct children of a scope, and descendants (global only) to apply to all descendants of a scope. These use the new actions add-grant-scopes, set-grant-scopes, and remove-grant-scopes on roles. For now the grant_scope_id field on roles can still be set, which sets a single grant scope, but this capability is now deprecated.

- read, update, and delete have been added. These allow operating on resources by directly specifying the ID of the resource as the next parameter (e.g. boundary update ttcp_1234567890). Subtypes do not need to be specified (e.g. that command is equivalent to boundary targets update tcp -id ttcp_1234567890), and any flags given after the ID are passed through to the type-specific subcommand. Once the ID has been entered, autocomplete is also supported. (PR)

- key_id parameter within SSH Certificate Credential Libraries now accepts the use of templated parameters (PR)

- max_page_size for controlling the default and maximum size of pages when paginating through results.

- search has been added, allowing quick searching of targets or sessions. It utilizes a client-side cache also added in this release. The client-side cache starts itself automatically in the background when any command that communicates with a Boundary controller executes successfully. To prevent the client cache from starting automatically, set the BOUNDARY_SKIP_CACHE_DAEMON environment variable or pass the -skip-cache-daemon flag when running a command that may start it. Commands daemon start, daemon stop, daemon status, and daemon add-token were added to help manage the cache. The cache does not currently work with Boundary instances that require the use of client-side certs.

- Update go-kms-wrapping/extras/kms dependency to allow external wrappers without a key id to be used within a KMS config stanza. Note: this fix allows GCP KMS keys to be used again with Boundary, which had stopped working in v0.13.0. (PR)
- Two Vault client settings were not being properly used when constructing a Vault client. (PR)
  - The TLS Skip Verify setting was only being set if a CA Cert was also configured. This fix sets TLS Skip Verify when configured, regardless of other settings.
  - The TLS Server Name setting was never being set. Bad programmers. This fix now sets it on the Vault client if the Vault Credential Store has been configured to use a value for this setting.
- vault credential library subtype has now been removed in favor of vault-generic. For example, instead of boundary credential-libraries create vault, you must use boundary credential-libraries create vault-generic.

- -format=json option will now only use the status_code field. The status field has been removed.

- application-credential-source has been removed as a field. brokered-credential-source should be used instead. (PR, deprecated changelog).

- boundary connect ssh subcommand. (Issue, PR).

- maximum_page_size and dereference_aliases (PR).

- authenticate command against a password auth method on Windows where the password would be swallowed when the login name is submitted (PR)

- id field has been changed to ids (but id will still be accepted for now, up until 0.15.0). In the ids field, multiple IDs can now be specified in a grant, either via commas (text format) or an array (JSON format). (PR).

- boundary dev the initial LDAP auth-method with an ID of amldap_1234567890 is now in a public-active state, so it will be returned in the response from boundary auth-methods list

- ids parameter. In 0.15.0 the ability to add new grants via the id parameter will be removed.

- default_client_port field allows specifying the default port to use on the client side when connecting to a target, unless overridden by the client via -listen-port (PR)

- ldap subcommands available on CRUDL operations for examples, as well as the ability to authenticate against it via the SDK, CLI, admin UI, and desktop client. (PR)

- With the introduction of the new KMS variant for worker registration (as described below), using the deprecated behavior requires opting in. This is only recommended if compatibility with pre-0.13 workers using the KMS auth method is required. Requiring opt-in removes some potentially confusing behavior around deciding when to use the old versus new mechanism. To opt in, add use_deprecated_kms_auth_method = true to the worker config block. Note that if a 0.13+ worker using KMS connects to a 0.13+ controller using KMS, the transition to the new method will happen automatically. Going back to the old method after that will require the worker to be deleted and re-added with the use_deprecated_kms_auth_method config field specified.

- When grants are added to roles, additional validity checking is now performed. This extra validity checking is designed to reject grants that are not in a documented grant format or that combine IDs and types that cannot actually be used together. These previously would have been accepted without error but would never result in permissions being granted, causing confusion. As a result, attempting to write such grants into roles may now result in an error; the error message gives hints for resolution.
- WithAutomaticVersioning for auth tokens in Go SDK: this option was incorrectly being generated for auth token resources, which do not support versioning. This is technically a breaking change, but it was a no-op option anyway that there was no reason to be using. It has now been removed.

- Plugins: With the introduction of the storage plugin service, the Azure and AWS Host plugin repositories have been renamed to drop the host element of the repository name. Similarly, the plugins/host package has been renamed to plugins/boundary (PR1, PR2, PR3, PR4).

- PostgreSQL 12 or greater is now required. PostgreSQL 11 is no longer supported.
- authorize-session now works properly when using a target's name as the identifier and the target name contains one or more slashes (PR)

- client secret bug for OIDC authentication methods (PR)

- vault-ssh-certificate credential libraries, the vault credential library subtype is being renamed to vault-generic to denote it as a credential library that can be used in a generalized way to issue credentials from Vault. Existing credential libraries with the subtype of vault will be updated to vault-generic. The subtype of vault will still be accepted as a valid subtype in API requests to the credential libraries endpoints, but is deprecated; vault-generic should be used instead. In addition, the boundary credential-libraries create vault and boundary credential-libraries update vault subcommands will still function, but are deprecated; boundary credential-libraries create vault-generic and boundary credential-libraries update vault-generic should be used instead. Also note that any credential library created using the subtype of vault, either via the API or via the deprecated subcommand, will have the subtype set to vault-generic. The deprecated subtype and subcommands will be removed in Boundary 0.14.0, at which point vault-generic must be used.

- -format=json option with the CLI would provide a status_code for successful API requests from the CLI. However, in the case where an error was returned, the JSON would use status instead. This inconsistency has been fixed, with status_code being used in both cases. For error cases status will still be populated, but is deprecated and will be removed in 0.14.0.

- worker_filter field has been deprecated and replaced with egress and ingress worker filters. Egress worker filters determine which workers are used to access targets. Ingress worker filters (HCP Boundary only) determine which workers are used to connect with a client to initiate a session. (PR)

- SIGHUP sent to parent process; some init systems, notably dumb-init, would pass them along to the child processes and cause the plugin to exit (PR)

- -format=json the JSON was inconsistent in how it reported status codes. In successful cases it would use status_code, but in error cases it would use status. Now status_code is used in both cases. In error cases status is still populated; see the deprecations above for more details. (PR)

- job_run table.
(PR)

- Vault Parameter Templating: In vault credential libraries, the paths and any POST bodies can contain templated parameters using Go template syntax (similar to Consul-Template). The following template parameters are supported (note that account values are tied to the account associated with the token making the call):
  - {{ .User.Id }}: the user's ID
  - {{ .User.Name }}: the user's name (from the user resource)
  - {{ .User.FullName }}: the user's name (from the account corresponding to the primary auth method in the user's scope; this may not be populated or may be different than the account name in the template)
  - {{ .User.Email }}: the user's email address (same caveat as FullName)
  - {{ .Account.Id }}: the account's ID
  - {{ .Account.Name }}: the account's name (from the account resource)
  - {{ .Account.LoginName }}: the account's login name (if used by that type of account)
  - {{ .Account.Subject }}: the account's subject (if used by that type of account)
  - {{ .Account.Email }}: the account's email (if used by that type of account)
  Additionally, there is currently a single function that strips the rest of a string after a specified substring; this is useful for pulling a user/account name from an email address. The following example uses the account email, but any other parameter can be used:
  - {{ truncateFrom .Account.Email "@" }}: this would turn foo@example.com into foo

- Per-scope key lifecycle management: You can now manage the lifecycles of both Key Encryption Keys (KEKs) and Data Encryption Keys (DEKs) using the new key rotation and key version destruction functionality. To learn more about this new feature, refer to the documentation.
  Upgrade notice: If the Database purpose DEK for a scope is destroyed, you must use the API to cancel any sessions that predate the upgrade. (PR)
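The following Go program is an added illustration of the Vault parameter templating described above and of the coalesce function from the top of this changelog; it is not code from Boundary or from this changelog. It registers the two documented template functions, truncateFrom and coalesce, with Go's text/template and renders a Vault path and POST body against constructed sample identities. The User/Account struct types, the Render helper, the sample IDs and addresses, and the example templates are all this example's own assumptions about how the documented parameters are laid out.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// User and Account mirror the parameter names documented in the changelog
// ({{ .User.Id }}, {{ .Account.LoginName }}, ...). The Go types themselves
// are an assumption of this example, not Boundary's own.
type User struct {
	Id, Name, FullName, Email string
}

type Account struct {
	Id, Name, LoginName, Subject, Email string
}

// TemplateData is the value a path or POST-body template is executed against.
type TemplateData struct {
	User    User
	Account Account
}

// truncateFrom keeps s up to (but not including) the first occurrence of sep,
// so truncateFrom("foo@example.com", "@") == "foo". Without a match, s is
// returned unchanged rather than emptied, so a non-email value still renders.
func truncateFrom(s, sep string) string {
	if i := strings.Index(s, sep); i >= 0 {
		return s[:i]
	}
	return s
}

// coalesce returns the first non-empty argument ("" if none is set).
func coalesce(vals ...string) string {
	for _, v := range vals {
		if v != "" {
			return v
		}
	}
	return ""
}

// Render parses tmpl with the two functions registered and executes it against
// data. A reference to a field that does not exist (e.g. a typo such as
// {{ .Account.Nmae }}) is reported as an error by text/template rather than
// rendering an empty string into a Vault path, which is the behaviour a
// credential library should surface to the operator.
func Render(tmpl string, data TemplateData) (string, error) {
	t, err := template.New("vault").
		Funcs(template.FuncMap{"truncateFrom": truncateFrom, "coalesce": coalesce}).
		Parse(tmpl)
	if err != nil {
		return "", fmt.Errorf("parse: %w", err)
	}
	var sb strings.Builder
	if err := t.Execute(&sb, data); err != nil {
		return "", fmt.Errorf("execute: %w", err)
	}
	return sb.String(), nil
}

// Two constructed sample identities: an OIDC-style account that only carries an
// email and subject, and a password-style account that carries a login name.
// The IDs and addresses are made up for this example.
var (
	OIDCAccount = TemplateData{
		User:    User{Id: "u_1234567890", Name: "alice"},
		Account: Account{Id: "acct_oidc_example", Subject: "oidc-subject-123", Email: "alice@example.com"},
	}
	PasswordAccount = TemplateData{
		User:    User{Id: "u_0987654321", Name: "bob"},
		Account: Account{Id: "acct_pw_example", LoginName: "bob"},
	}
)

// PathTmpl picks the first username-like value the account type actually
// populates, falling back to the local part of the email address.
const PathTmpl = `database/creds/{{ coalesce .Account.Name .Account.LoginName (truncateFrom .Account.Email "@") }}`

// BodyTmpl is a POST body whose username comes from the login name when
// present and from the user resource otherwise.
const BodyTmpl = `{"username": "{{ coalesce .Account.LoginName .User.Name }}", "email": "{{ .Account.Email }}"}`

func main() {
	for name, data := range map[string]TemplateData{"oidc": OIDCAccount, "password": PasswordAccount} {
		path, err := Render(PathTmpl, data)
		if err != nil {
			fmt.Println(name, "path error:", err)
			continue
		}
		body, err := Render(BodyTmpl, data)
		if err != nil {
			fmt.Println(name, "body error:", err)
			continue
		}
		fmt.Printf("%s: %s  %s\n", name, path, body)
	}
}
```

Running it renders database/creds/alice for the OIDC-style identity (name and login name are empty, so the email's local part wins) and database/creds/bob for the password-style one; the nested (truncateFrom ...) call as the last coalesce argument is the pattern that makes one template work across auth methods that populate different account fields.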
- workers: PKI Worker daemons now get disconnected from upstreams when their corresponding resource is deleted (PR)

- authorize-session time, which could allow one worker to bear the majority of sessions (PR)

- worker_filter attribute when configuring a Vault credential store.

- json credential type supported by static credential stores that allows submitting a generic JSON object to Boundary for use with credential brokering workflows (PR)

- SIGINT or SIGTERM (PR)

- add-host-sets, remove-host-sets, and set-host-sets actions on targets were deprecated in favor of add-host-sources, remove-host-sources, and set-host-sources. Originally these actions and API calls were to be removed in 0.6, but this was delayed to give extra time for clients to switch over. This has now been fully switched over. A database migration will modify any grants in roles to have the new actions. The same changeover has been made for add-/remove-/set-credential-libraries to add-/remove-/set-credential-sources, although those actions would only be in grant strings in very rare circumstances, as the -sources actions replaced the -libraries actions very quickly. (PR)

- SIGHUP: Workers will now re-read the initial_upstreams value from the configuration file when given a SIGHUP. This allows a worker to reconnect to controllers if the full set of controllers has been changed over at the same time, without having to restart the worker. (PR)

- workers:create:worker-led (e.g. via boundary workers create worker-led) was given an invalid token (PR)