
v0.12.0


0.12.0 (2023/01/24)

Deprecations/Changes

  • In Boundary 0.9.0, targets were updated to require a default port value. This had been the original intention; it was a mistake that it was optional. Unfortunately, due to a separate defect in the update verification logic for static hosts, it was possible for a host to be updated (but not created) with a port. This meant that targets could use ports attached to host addresses, which was not the intention and leads to confusing behavior across different installations. In this version, updating static hosts will no longer allow ports to be part of the address; when authorizing a session, any port on such a host will be ignored in favor of the default port on the target. In Boundary 0.14.0, this will become an error instead. As a consequence, the fallback logic for targets that did not have a default port defined is no longer in service; all targets must now have a default port defined.
  • With the introduction of vault-ssh-certificate credential libraries, the vault credential library subtype is being renamed to vault-generic to denote it as a credential library that can be used in a generalized way to issue credentials from Vault. Existing credential libraries with the subtype of vault will be updated to vault-generic. The subtype of vault will still be accepted as a valid subtype in API requests to the credential libraries endpoints, but is deprecated; vault-generic should be used instead. In addition, the boundary credential-libraries create vault and boundary credential-libraries update vault subcommands will still function, but are deprecated; boundary credential-libraries create vault-generic and boundary credential-libraries update vault-generic should be used instead. Also note that any credential library created using the subtype of vault, either via the API or via the deprecated subcommand, will have the subtype set to vault-generic. The deprecated subtype and subcommands will be removed in Boundary 0.14.0, at which point vault-generic must be used.
  • In Boundary 0.1.8, using the -format=json option with the CLI would provide a status_code for successful API requests from the CLI. However, in the case where an error was returned, the JSON would use status instead. This inconsistency has been fixed, with status_code being used in both cases. For error cases, status will still be populated, but is deprecated and will be removed in 0.14.0.
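
Added example (not part of the release notes or of Boundary's code base): a small Go check for the static host change in the first item above, flagging host addresses that still carry a port, which this version ignores and 0.14.0 will reject. The type and function names are hypothetical, and the address list is constructed; it is assumed the operator exports the real addresses from their own host catalogs.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// HostFinding describes one static host address checked for an embedded port.
type HostFinding struct {
	Address string // address as stored on the host
	Host    string // address with any port removed
	Port    string // embedded port, "" when none
}

// SplitStaticHostAddress reports whether addr carries a port. A bare IPv6
// literal contains colons but no port, so net.ParseIP is tried first.
func SplitStaticHostAddress(addr string) HostFinding {
	addr = strings.TrimSpace(addr)
	f := HostFinding{Address: addr, Host: addr}
	if net.ParseIP(addr) != nil {
		return f // plain IPv4 or unbracketed IPv6: no port present
	}
	host, port, err := net.SplitHostPort(addr)
	if err != nil || port == "" {
		return f // hostname without a port, or bracketed IPv6 without one
	}
	f.Host, f.Port = host, port
	return f
}

// HostsWithPorts returns findings only for addresses that embed a port.
func HostsWithPorts(addrs []string) []HostFinding {
	var out []HostFinding
	for _, a := range addrs {
		if f := SplitStaticHostAddress(a); f.Port != "" {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	// Constructed sample addresses, not taken from a real deployment.
	addrs := []string{"10.0.0.5", "10.0.0.6:2222", "db.internal:5432", "2001:db8::1", "[2001:db8::1]:22"}
	for _, f := range HostsWithPorts(addrs) {
		fmt.Printf("%s: port %s is ignored; sessions use %s with the target's default port\n", f.Address, f.Port, f.Host)
	}
}
```

Any host this reports relied on the embedded port; confirm that the default port of each target using it matches the service before upgrading.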

New and Improved

  • Direct Address Targets: You can now set an address directly on a target, bypassing the need for host catalogs, host sets and hosts. (PR)
  • Custom Response Headers: Adds the ability to set API and UI response headers based on status code. Includes a default secure CSP and other headers. (PR)
  • metrics: Adds accepted connections and closed connections counters to keep track of downstream connections for worker and controller servers. (PR)
  • Egress and Ingress worker filters: The target worker_filter field has been deprecated and replaced with egress and ingress worker filters. Egress worker filters determine which workers are used to access targets. Ingress worker filters (HCP Boundary only) determine which workers are used to connect with a client to initiate a session. (PR)
  • Multi-Hop Sessions (HCP Boundary only): Multi-hop PKI workers can communicate with each other to serve 2 primary purposes: authentication and session proxying. This results in the ability to chain multiple workers together to access services hidden under layers of network security. Multi-hop workers can also establish a TCP session through multiple workers, with the ability to reverse proxy and establish a connection.
  • ui: Upgrade Admin UI to Ember 4.4. (PR)
  • ui: Add support for JSON credentials in Admin UI. (PR)
  • Vault SSH certificate credential library: A new credential library that uses the Vault SSH secret engine to generate SSH private keys and certificates. The library can be used as an injected application credential source for targets that support credential injection. (PR)
  • ui: Add support for managed groups in add-principals list. (PR)

Bug Fixes

  • plugins: Ignore SIGHUP sent to parent process; some init systems, notably dumb-init, would pass them along to the child processes and cause the plugin to exit (PR)
  • data warehouse: Fix bug that caused credential dimensions to not get associated with session facts (PR).
  • sessions: Fix two authorizeSession race conditions in handleProxy. (PR)
  • cli: When using -format=json the JSON was inconsistent in how it reported status codes. In successful cases it would use status_code, but in error cases it would use status. Now status_code is used in both cases. In error cases status is still populated, see the deprecations above for more details. (PR)
  • database: Add job that automatically cleans up completed runs in the job_run table. (PR)
  • core: Linux packages now have a vendor label and set the default label to HashiCorp. This fix is implemented for any future releases, but will not be updated for historical releases.

Fetched April 8, 2026