PKI workers in past versions did not store a prior encryption key, and a bug
prior to 0.11.0 meant that auth rotations could happen more frequently than
expected. This could cause some race issues around rotation time. However,
there was another issue where a past worker authentication record could be
looked up for some operations instead of the current one, made more likely by
the too-frequent rotations. In 0.11.0 we attempt to ensure that the record
that remains on upgrade is the most current one, but it is possible that the
wrong one is chosen, leading to a failure for the worker to authenticate or
for some operations to consistently fail. In this case, the worker will need
to be deleted and re-authorized. We apologize for any issues this causes and
this should be remedied going forward.
scopes: Organizations could be prevented from being deleted if some resources
remained (PR)
workers: Authentication rotation could occur prior to the expected time
(PR)
workers: When looking up worker authentication records, an old record could be
returned instead of the new one, leading to errors for encryption or
decryption operations (PR)
New and Improved
vault: (HCP Boundary only): Private Vault clusters can be used with HCP Boundary by using PKI workers
deployed in the same network as a private cluster. Tags are used to control which PKI workers can manage private Vault
requests by specifying a worker_filter attribute when configuring a Vault credential store.
credentials: There is now a json credential type supported by static
credential stores that allows submitting a generic JSON object to Boundary for
use with credential brokering workflows
(PR)
ui: Updates to host catalog and host set forms and “Learn More” links
(PR)
workers: Added the ability to read and reinitialize the Worker certificate
authority (PR1, PR2)
workers: Return the worker Boundary binary version on worker list and read
(PR)
workers: Addition of worker graceful shutdown, triggered by an initial SIGINT or SIGTERM (PR)
workers: Retain one previous encryption/decryption key after authentication
rotation (PR)
Deprecations/Changes
In 0.5.0, the add-host-sets, remove-host-sets, and set-host-sets actions
on targets were deprecated in favor of add-host-sources, remove-host-sources, and set-host-sources. Originally these actions and
API calls were to be removed in 0.6, but this was delayed to give extra time
for clients to switch over. This has now been fully switched over. A database
migration will modify any grants in roles to have the new actions. This same
changeover has been made for add-/remove-/set-credential-libraries to add-/remove-/set-credential-sources, although those actions would only be in
grant strings in very rare circumstances as the -sources actions replaced
the -libraries actions very quickly.
(PR)