Boundary 0.14.0 release notes
GA date: October 11, 2023
Release notes provide an at-a-glance summary of key updates to new versions of Boundary. For a comprehensive list of product updates, improvements, and bug fixes, refer to the changelog included with the Boundary code on GitHub.
We encourage you to upgrade to the latest release of Boundary to take advantage of continuing improvements, critical fixes, and new features.
New features
Feature | Description |
---|---|
Boundary Desktop embedded terminal | An embedded terminal has been added to the Boundary Desktop client for convenience. Now you can use the CLI directly from within Boundary Desktop. Learn more: Install Boundary Desktop tutorial |
LDAP authorization method | The LDAP auth method is no longer in beta and is now fully supported. Administrators can now create, manage, and delete LDAP auth methods along with managed groups and accounts using the admin console UI. Learn more: Auth methods |
Dynamic credential support for storage buckets HCP/ENT | You can now configure dynamic credentials for AWS S3 storage buckets using the Amazon Web Services (AWS) AssumeRole API. We recommend that you configure credentials using AssumeRole instead of access keys when possible. Learn more: Create a storage bucket |
Remote pass-through commands for SSH | A new SSH flag, remote-command, was introduced to the boundary connect ssh helper. It lets you run the specified commands on the remote machine using pass-through arguments. Learn more: connect ssh command |
New worker health metric | A new metric was added to the health endpoint to check the connection state of the worker and whether it can connect to an upstream controller. The result is automatically included in the response when you run the health endpoint. Learn more: Boundary health endpoints |
Improved telemetry | Improved telemetry was added to Boundary. You can enable telemetry to gather information about your Boundary cluster. Learn more: events stanza |
Known issues and breaking changes
Version | Issue | Description |
---|---|---|
0.13.0+ | Rotation of AWS access and secret keys during a session results in stale recordings | In Boundary version 0.13.0+, when you rotate a storage bucket's secrets, any new sessions use the new credentials. However, previously established sessions continue to use the old credentials. As a best practice, administrators should rotate credentials in a phased manner, ensuring that all previously established sessions are completed before revoking the stale credentials. Otherwise, you may end up with recordings that aren't stored in the remote storage bucket, and are unable to be played back. |
0.13.0+ | Unsupported recovery workflow during worker failure | If a worker fails during a recording, there is no way to recover the recording. This could happen due to a network connectivity issue or because a worker is scaled down, for example. Learn more: Unsupported recovery workflow |
0.14.0 (Fixed in 0.14.1) | Go CVE-2023-39325 | The version of Go that was used in Boundary release 0.14.0 contained a CVE. The issue was fixed in Go versions 1.21.3 and 1.20. Boundary was updated to use the new Go versions in release 0.14.1, and the issue is resolved. Learn more: HTTP/2 rapid reset can cause excessive work in net/http; Upgrade to the latest version of Boundary |
Feature deprecations and EOL
EOL | Description |
---|---|
vault credential library subtype | As noted in the v0.12.0 release notes, the vault credential library subtype was renamed to vault-generic. The vault subtype is removed in this release. You must use vault-generic now. Learn more: Credential libraries |
status field | As noted in the v0.12.0 changelog, using the -format=json option with the CLI produced inconsistent results. The status field is removed in this release. The status_code field is now used for both successful requests and errors. |
Default port value | As noted in the v0.12.0 release notes, targets now require a default port value. Previously, any ports that you defined as part of a host address were ignored, but allowed as part of the target definition. From this version on, if you define a port on a host address it results in an error. Learn more: Targets |
Application credentials parameter | As noted in the v0.10.0 changelog, the target subcommands for application credentials were renamed to brokered credentials. The application credentials subcommands are removed in this release. You must use the brokered credential subcommands instead. Learn more: targets |