Releases: hashicorp/boundary
v0.16.1
Merge pull request #4830 from hashicorp/backport/moduli-e2e-aws-regio…
v0.16.0
0.16.0 (2024/04/15)
New and Improved
- Target aliases have been added: You can now create an alias for a target.
In most situations where you would use a target id, you can now instead use
the alias value. Create an alias with
`boundary aliases create target -value example.boundary -destination-id ttcp_1234567890`
and connect to a target using an alias with `boundary connect example.boundary`.
- Worker local storage state: Self managed workers that are configured to be used for
session recordings will report the state of their disk space. To learn more about this
new feature, refer to the documentation.
- MinIO storage plugin: You can now create a storage bucket that allows Boundary to interoperate
with a MinIO cluster for Session Recording storage. This includes some added functionality such
as credential rotation and credential management. To learn more about the plugin, refer to the readme.
Note: Due to a library incompatibility, this release is not yet compatible with the `netbsd`
operating system. Please refer to the following documentation to learn how to create a storage bucket.
- ui: Add UI support for filtering and pagination (PR)
- ui: Add UI support for MinIO (Enterprise and HCP Boundary only) (PR)
Added dependency
- postgres `citext` dependency added to enable aliases to be globally unique in
a case insensitive way.
v0.15.4
bump api/sdk
v0.15.3
0.15.3 (2024/03/13)
Bug Fixes
- Fix a nil pointer error in the client cache daemon when a refresh was forced
while performing a boundary search.
(PR)
- Resolved an issue introduced in 0.14 where, after successfully deleting an AWS S3
Storage Bucket with credential rotation enabled, Boundary could not delete the
associated IAM Access Key resource.
New and Improved
- templating: A new templating function `coalesce` can be used to match a
template against multiple possible values, returning the first non-empty
value. As an example, this can be used in a credential library to allow a
username value that might be comprised of a name or login name depending on
the auth method, e.g. `{{ coalesce .Account.Name .Account.LoginName}}`
(PR)
v0.15.2
bump go version 1.21.8
v0.14.5
bump go version 1.21.8
v0.15.1
0.15.1 (2024/02/28)
Bug Fixes
- cli: Update proxy listener to not close when the number of connections left
for the session is zero. The listener will refuse new connections when the
number of connections left is zero but existing connections will be active.
This fixes a CLI client issue where sessions with max connection count
configured were closed when the number of connections left hit 0.
(Issue, PR)
- Fix issue where the websocket connection was throwing closing errors during
the session teardown.
(PR)
New and Improved
- feat: support added for tracking and reporting monthly active users for
the purpose of billing. It adds a new API endpoint,
`/v1/billing:monthly-active-users`, and a new cli command,
`boundary billing monthly-active-users`, that can be used to view the monthly
active user counts.
v0.15.0
0.15.0 (2024/01/30)
Deprecations/Changes
- Per the note in Boundary 0.13.0, the previous `kms` worker method has been
removed. Since 0.13.0, unless the `use_deprecated_kms_auth_method` value was
set on the worker config, the new `kms` mechanism was already being used; this
is simply no longer an available option.
- Per the notes in Boundary 0.12.0 and 0.14.0, it is now an error if an address
on a host or target contains a port. As of this release, this restriction also
affects existing addresses (not just creation/updating via the API) so any
existing addresses containing a port will not be able to be used as part of a
target's session authorization call.
- The `grant_scope_id` field on roles is now deprecated in favor of the multiple
grant scope support.
- Per the note in Boundary 0.13.1, the `id` field in grants has changed to `ids`
which allows multiple ids to be included; existing grants submitted to
Boundary will continue to work, but grants using "id" can no longer be added
to or set on a role.
- All list endpoints except workers now return the first 1000 items instead
of all items if no parameters are provided. The number of items returned can
be configured through the new controller configuration value `max_page_size`.
The Admin UI, CLI and api package automatically paginate results.
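
Because the port restriction above now applies to existing host and target addresses, it helps to audit stored addresses before upgrading. The following is an added example, not Boundary's own validation code; `addressHasPort` and `auditAddresses` are hypothetical helpers and the sample addresses are constructed. It shows the IPv6 edge case where colons do not imply a port.

```go
package main

import (
	"fmt"
	"net"
)

// addressHasPort reports whether a host or target address carries a port.
// This approximates the restriction for auditing; Boundary's own check may differ.
func addressHasPort(addr string) bool {
	// A bare IP literal (including IPv6 such as 2001:db8::1) has no port,
	// even though IPv6 text contains colons.
	if net.ParseIP(addr) != nil {
		return false
	}
	// SplitHostPort succeeds only for host:port and [v6]:port forms.
	_, _, err := net.SplitHostPort(addr)
	return err == nil
}

// auditAddresses returns the addresses that would need their port removed.
func auditAddresses(addrs []string) []string {
	var flagged []string
	for _, a := range addrs {
		if addressHasPort(a) {
			flagged = append(flagged, a)
		}
	}
	return flagged
}

func main() {
	// Constructed sample addresses, not taken from any real deployment.
	sample := []string{
		"db.internal.example",
		"10.0.0.5:22",
		"2001:db8::1",
		"[2001:db8::1]:5432",
		"[2001:db8::1]",
		"bastion.internal.example:2222",
	}
	for _, a := range auditAddresses(sample) {
		fmt.Println("contains a port:", a)
	}
}
```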
New and Improved
- Multiple grant scopes in roles: Roles now support multiple grant scopes, along
with the special values `this`, `children` (global/org only) to apply to all
direct children of a scope, and `descendants` (global only) to apply to all
descendants of a scope. These use the new actions `add-grant-scopes`,
`set-grant-scopes`, and `remove-grant-scopes` on roles. For now the
`grant_scope_id` field on roles will continue to be able to be set, which will
set a single grant scope, but this capability is now deprecated.
- Policies (Enterprise and HCP Boundary only): This release introduces Policies, a
Boundary resource that represents a Governance Policy to enforce. The first
implementation targets Storage Policies, which enables administrators to automate
the process of retention and deletion of Session Recordings, ensuring that they're only
retaining data that is explicitly required from a security/compliance perspective.
  - ui: Add full UI support for Storage Policies managing the lifecycle of Session Recordings.
    (PR)
- New generic commands `read`, `update`, and `delete` have been added. These
allow operating on resources by directly specifying the ID of the resource as
the next parameter (e.g. `boundary update ttcp_1234567890`). Subtypes do not
need to be specified (e.g. that command is equivalent to
`boundary targets update tcp -id ttcp_1234567890`), and any flags given after the ID are passed
through to the type-specific subcommand. Once the ID has been entered,
autocomplete is also supported.
(PR)
- The `key_id` parameter within SSH Certificate Credential Libraries now accepts
the use of templated parameters
(PR)
- List endpoint pagination: All list endpoints except workers now support pagination.
  - api: All list endpoints except workers have added support for pagination.
    The api package automatically paginates until the end of the results. The new
    `WithListToken` option can be used to request a list of updated and deleted resources
    relative to the last result received.
  - config: add new controller field `max_page_size` for controlling the default and max size
    of pages when paginating through results.
- New command `search` has been added allowing quick searching of targets or
sessions. It utilizes a client side cache also added in this release. The
client side cache starts itself automatically in the background when successfully
executing any command that communicates with a Boundary controller. To disable
the client cache from starting automatically set the
`BOUNDARY_SKIP_CACHE_DAEMON` environment variable or pass the
`-skip-cache-daemon` flag when running a command that may start it.
Commands `daemon start`, `daemon stop`, `daemon status`, and `daemon add-token`
were added to help manage the cache. The cache does not currently work with
Boundary instances that require the use of client side certs.
v0.14.3
0.14.3 (2023/12/05)
New and Improved
- Added the ability to enforce rate limits on the Controller API. This version
enables rate limits by default. For details on the default rate limits,
how to configure rate limits, and how to disable rate limiting see the
noted PR. (PR)
- Add support for OIDC prompts. Using prompts, the Relying Party (RP) can
customize the authentication and authorization flow to suit their specific
needs and improve the user experience.
[OIDC Authentication request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) server.
(PR)
Bug Fixes
- Update go-kms-wrapping/extras/kms dependency to allow external wrappers
without a key id to be used within a KMS config stanza. Note: this fix allows
GCP KMS keys to be used again with Boundary, which had stopped working in v0.13.0.
(PR)
- Two Vault client settings were not being properly used when constructing a
Vault client. (PR)
  - The `TLS Skip Verify` setting was only being set if a `CA Cert` was also
    configured. This fix sets the `TLS Skip Verify` when configured regardless of
    other settings.
  - The `TLS Server Name` setting was never being set. Bad programmers. This fix
    now sets it on the Vault client if the Vault Credential Store has been
    configured to use a value for this setting.
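
The two Vault client TLS defects described above follow a common pattern: one setting applied only inside another setting's branch, and one never copied over at all. The following is an added example, not Boundary's code; the `vaultTLS` type and both functions are hypothetical and the settings are constructed. It places the before and after behaviour side by side using Go's `crypto/tls`.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
)

// vaultTLS is a hypothetical stand-in for a credential store's TLS settings.
type vaultTLS struct {
	CACertPEM  []byte
	ServerName string
	SkipVerify bool
}

// beforeFix mirrors the described bug: skip-verify only with a CA, no server name.
func beforeFix(s vaultTLS) *tls.Config {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if len(s.CACertPEM) > 0 {
		pool := x509.NewCertPool()
		pool.AppendCertsFromPEM(s.CACertPEM)
		cfg.RootCAs = pool
		cfg.InsecureSkipVerify = s.SkipVerify
	}
	return cfg
}

// afterFix applies each setting independently and rejects an unparsable CA.
func afterFix(s vaultTLS) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if len(s.CACertPEM) > 0 {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(s.CACertPEM) {
			return nil, fmt.Errorf("CA cert PEM contained no certificates")
		}
		cfg.RootCAs = pool
	}
	cfg.InsecureSkipVerify = s.SkipVerify
	cfg.ServerName = s.ServerName
	return cfg, nil
}

func main() {
	// Constructed settings: server name and skip-verify set, no CA cert.
	s := vaultTLS{ServerName: "vault.internal.example", SkipVerify: true}
	b := beforeFix(s)
	a, _ := afterFix(s)
	fmt.Println(b.InsecureSkipVerify, b.ServerName, a.InsecureSkipVerify, a.ServerName)
}
```

A unit test that asserts on every field of the resulting `tls.Config` for each combination of settings catches this class of silent misconfiguration.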
v0.14.2
0.14.2 (2023/10/27)
New and Improved
- Expose Valid Principals for Vault SSH Signed Certs: Allow users to add additional valid principals when creating a vault ssh signed cert credential library (PR).
Bug Fixes
- High CPU consumption: A background GRPC connection state check caused high CPU utilization. This was caused by a long running loop that was checking for GRPC connection state changes between a worker and an upstream connection address. The loop was not correctly waiting for GRPC connection state changes before running. The issue was fixed by correctly updating the state that determines when the loop in GRPC connection state check should run. (PR)
- LDAP auth methods: Fix encoding of mTLS client key which prevented Boundary
from making mTLS connections to an LDAP server (Issue,
PR).