Skip to content

v0.4.0
Compare
Choose a tag to compare
@hc-github-team-wg-packagespec hc-github-team-wg-packagespec released this 30 Jun 22:51
v0.4.0
0b66464

0.4.0 (2021/06/29)

New and Improved

  • Credential Stores: This release introduces Credential Stores, with the first
    implementation targeting Vault. A credential store can be created that accepts
    a Vault periodic token (which it will keep refreshed) and connection
    information allowing it to make requests to Vault.
  • Credential Libraries: This release introduces Credential Libraries, with the
    first implementation targeting Vault. Credential libraries describe how to
    make a request to fetch a credential from the credential store. The first
    credential library is the generic type that takes in a user-defined request
    body to send to Vault and thus can work for any type of Vault secrets engine.
    When a credential library is used to fetch a credential, if the credential
    contains a lease, Boundary will keep the credential refreshed, and revoke the
    credential when the session that requested it is finished.
  • Credential Brokering: Credential libraries can be attached to targets; when a
    session is authorized against that target, a credential will be fetched from
    the library that is then relayed to the client. The client can then use this
    information to make a connection, allowing them to gain the benefit of dynamic
    credential generation from Vault, but without needing their own Vault
    login/token (see NOTE below).
  • boundary connect Credential Brokering Integration: Additionally, we have
    started integration into the boundary connect helpers, starting in this
    release with the Postgres helper; if the credential contains a
    username/password and boundary connect postgres is the helper being used,
    the command will automatically pass the credentials to the psql process.
  • The worker will now close any existing proxy connections it is handling when
    it cannot make a status request to the worker. The timeout for this behavior
    is currently 15 seconds.

NOTE: When using credential brokering, remember that if the user can connect
directly to the end resource, they can use the brokered username and password
via that direct connection to skip Boundary. This isn't any different from
normal Boundary behavior (if a user can directly connect, they can bypass
Boundary) but it's worth repeating.

Bug Fixes

  • scheduler: removes a Postgres check constraint, on the length of the controller name,
    causing an error when the scheduler attempts to run jobs
    (issue,
    PR).
Assets 2
Loading