Boundary
Boundary 0.19.0 release notes
GA date: January 30, 2025
Release notes provide an at-a-glance summary of key updates to new versions of Boundary. For a comprehensive list of product updates, improvements, and bug fixes refer to the changelog included with the Boundary code on GitHub.
We encourage you to upgrade to the latest release of Boundary to take advantage of continuing improvements, critical fixes, and new features.
Important changes
| Change | Description |
|---|---|
| Role creation | In a future version Boundary will no longer automatically create roles when new scopes are created. This was implemented prior to multi-scope grants to ensure administrators and users had default permissions in new scopes. Since Boundary 0.15, initial roles created for new clusters provide these permissions by default to all scopes using multi-scope grants. |
Docker image no longer contains curl | As of version 0.17.1 and later, the curl binary is no longer included in the published Docker container image for Boundary. The image now includes wget, which you can alternatively use to check the health endpoint for a worker. If your workflow depends on having curl in the image, you can dynamically install it using apk.Learn more: Known issues and breaking changes |
| Go version 1.23 TLS handshake behavior changes | Boundary version 0.18.x uses Go version 1.23, which introduced a new TLS handshake behavior. Some VPN providers struggle with the TLS handshake being sent over 2 frames instead of 1, which can lead to Boundary version 0.18.x and later controllers, workers, or clients being unable to establish connections. As a workaround, you can revert back to the previous TLS handshake behavior. Learn more: Known issues and breaking changes |
New features
| Feature | Update | Description |
|---|---|---|
| Dynamic host catalogs for GCP | GA | Boundary now supports dynamic host catalogs for GCP. When you configure dynamic host catalogs, Boundary securely queries infrastructure providers at runtime to discover and configure new services. You can define rules for whether you want Boundary to automatically add any discovered hosts as members of the host set. Learn more: Host discovery and GCP dynamic hosts. |
| Worker filter generator | GA | A new filter generator was added to the Admin Console UI, allowing you to more easily create worker filters for targets, credential stores, and storage buckets. Learn more: Worker tags. |
| Vault brokered credentials format change | GA | Previously, when you brokered credentials from a Vault credential store, the credentials displayed in raw JSON and could contain special characters. It was difficult to consume the credentials in this format. Credentials are now displayed in a format that is easier to cut and paste. Learn more: Create a Vault credential store. |
Known issues and breaking changes
| Version | Issue | Description |
|---|---|---|
| 0.13.0+ | Rotation of AWS access and secret keys during a session results in stale recordings | In Boundary version 0.13.0+, when you rotate a storage bucket's secrets, any new sessions use the new credentials. However, previously established sessions continue to use the old credentials. As a best practice, administrators should rotate credentials in a phased manner, ensuring that all previously established sessions are completed before revoking the stale credentials. Otherwise, you may end up with recordings that aren't stored in the remote storage bucket, and are unable to be played back. |
| 0.13.0+ | Unsupported recovery workflow during worker failure | If a worker fails during a recording, there is no way to recover the recording. This could happen due to a network connectivity issue or because a worker is scaled down, for example. Learn more: Unsupported recovery workflow |
| 0.17.1+ | Docker image no longer contains curl | As of version 0.17.1 and later, the curl binary is no longer included in the published Docker container image for Boundary.The image now includes wget. You can use wget to check the health endpoint for workers.Learn more: Check the health endpoint using wgetIf your workflow depends on having curl in the image, you can dynamically install it using apk. Refer to the following commands for examples of using apk to install curl:<CONTAINER-ID> apk add curlor kubectl exec -ti <NAME> -- apk add curl |
| 0.18.x+ | Boundary version 0.18.x and later CLI is unable to establish connections using the boundary connect command | Boundary version 0.18.x uses Go version 1.23, which introduced a new TLS handshake behavior. Some VPN providers struggle with the TLS handshake being sent over 2 frames instead of 1, which can lead to Boundary version 0.18.x and later controllers, workers, or clients being unable to establish connections. As a workaround, you can revert back to the previous TLS handshake behavior. To revert back to the previous TLS handshake behavior, add the tlskyber=0 parameters to the GODEBUG environment variable before the boundary connect command. For example:GODEBUG=tlskyber=0 boundary connect ssh -target-id <ID>Learn more: Go issue #70047 and Go 1.23 Release Notes |