Skip to content

Commit

Permalink
backport of commit 85070b0
Browse files Browse the repository at this point in the history
  • Loading branch information
Dan-Heath authored Sep 9, 2024
1 parent 13c6160 commit eae8b41
Show file tree
Hide file tree
Showing 304 changed files with 2,811 additions and 3,877 deletions.
20 changes: 1 addition & 19 deletions .github/workflows/backport.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,26 +14,8 @@ jobs:
backport:
if: github.event.pull_request.merged
runs-on: ${{ fromJSON(vars.RUNNER) }}
container: hashicorpdev/backport-assistant:0.5.1
container: hashicorpdev/backport-assistant:0.2.3
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0 # Fetch all branches and tags
- name: Check if any migrations have changed
run: |
if git diff --exit-code --name-only "origin/${{ github.event.pull_request.base.ref }}"...HEAD -- internal/db/schema/migrations; then
echo "No migrations have changed, continuing with backport"
else
# Post comment on PR.
echo "Posting new backport-failure GitHub comment under PR #${{ github.event.pull_request.number }}"
curl -sX POST \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-d '{"body": "Backport Assistant: you attempted to automatically backport changes in this PR, but because it contained changes to migration files, this was rejected. Please carefully manually backport the changes."}' \
"$GITHUB_API_URL/repos/$GITHUB_REPOSITORY/issues/${{ github.event.pull_request.number }}/comments"
echo "Migrations have changed, refusing to backport. Please carefully manually backport the changes."
exit 1
fi
- name: Backport changes to stable-website
run: |
backport-assistant backport -automerge
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/enos-run.yml
Original file line number Diff line number Diff line change
Expand Up @@ -119,7 +119,7 @@ jobs:
key: ${{ needs.setup.outputs.go-cache-key }}
restore-keys: |
${{ runner.os }}-go
fail-on-cache-miss: false
fail-on-cache-miss: true
- name: Set up Terraform
uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # TSCCR: loading action configs: failed to query HEAD reference: failed to get advertised references: authorization failed
with:
Expand Down
5 changes: 4 additions & 1 deletion .github/workflows/security-scan.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,10 @@ on:
jobs:
scan:
runs-on: ${{ fromJSON(vars.RUNNER_LARGE) }}
if: ${{ github.actor != 'dependabot[bot]' || github.actor != 'hc-github-team-secure-boundary' }}
if: |
! github.event.pull_request.head.repo.fork &&
github.actor != 'dependabot[bot]' &&
github.actor != 'hc-github-team-secure-boundary'
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/test-race.yml
Original file line number Diff line number Diff line change
Expand Up @@ -109,7 +109,7 @@ jobs:
key: ${{ needs.setup.outputs.go-cache-key }}
restore-keys: |
${{ runner.os }}-go
fail-on-cache-miss: false
fail-on-cache-miss: true
- name: Test ${{ matrix.module }} Module
run: |
make test-${{ matrix.module }}
Expand Down Expand Up @@ -141,7 +141,7 @@ jobs:
key: ${{ needs.setup.outputs.go-cache-key }}
restore-keys: |
${{ runner.os }}-go
fail-on-cache-miss: false
fail-on-cache-miss: true
- name: Set up plugin cache
id: plugin-cache
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -109,7 +109,7 @@ jobs:
key: ${{ needs.setup.outputs.go-cache-key }}
restore-keys: |
${{ runner.os }}-go
fail-on-cache-miss: false
fail-on-cache-miss: true
- name: Test ${{ matrix.module }} Module
run: |
make test-${{ matrix.module }}
Expand Down Expand Up @@ -141,7 +141,7 @@ jobs:
key: ${{ needs.setup.outputs.go-cache-key }}
restore-keys: |
${{ runner.os }}-go
fail-on-cache-miss: false
fail-on-cache-miss: true
- name: Set up plugin cache
id: plugin-cache
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
Expand Down
2 changes: 1 addition & 1 deletion .go-version
Original file line number Diff line number Diff line change
@@ -1 +1 @@
1.23.0
1.22.5
129 changes: 46 additions & 83 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,28 +4,19 @@ Canonical reference for changes, improvements, and bugfixes for Boundary.

## Next

## 0.17.2 (Unreleased)

### Changes

* The Go API properly uses the passed in value for `WithRecursive` and
`WithSkipCurlOutput` instead of always setting to true regardless of the
passed-in value. ([PR](https://github.com/hashicorp/boundary/pull/5066))

## 0.17.1 (2024/08/21)
## 0.17.1 (2024/08/22)

### New and Improved

* Add `GetDownstreamWorkersTimeout` config option which represents the period of
time (as a duration) timeout for GetDownstreamWorkers call in
DownstreamWorkerTicker. This is currently not documented and considered
internal. ([PR](https://github.com/hashicorp/boundary/pull/5007))
* Add `GetDownstreamWorkersTimeout` config option which represents the period of time (as a duration) timeout
for GetDownstreamWorkers call in DownstreamWorkerTicker. This is currently not documented and considered internal.
([PR](https://github.com/hashicorp/boundary/pull/5007))

### Bug Fixes

* Fixed issue where storage policies were not deleted when scopes are deleted
([PR](https://github.com/hashicorp/boundary/pull/5014))
* Contains Bug Fixes from 0.16.3
* Contains Bug Fixes from 0.16.3

### Security

Expand All @@ -35,76 +26,55 @@ Canonical reference for changes, improvements, and bugfixes for Boundary.

### New and Improved

* Add `GetDownstreamWorkersTimeout` config option which represents the period of
time (as a duration) timeout for GetDownstreamWorkers call in
DownstreamWorkerTicker. This is currently not documented and considered
internal. ([PR](https://github.com/hashicorp/boundary/pull/5007))
* Add `GetDownstreamWorkersTimeout` config option which represents the period of time (as a duration) timeout
for GetDownstreamWorkers call in DownstreamWorkerTicker. This is currently not documented and considered internal.
([PR](https://github.com/hashicorp/boundary/pull/5007))

### Bug Fixes

* Minio large file support: Disable multipart uploads via minio to fix an issue
where the file checksum is set incorrectly on each part of the upload, causing
it to fail. This change fixes file uploads larger than 16MB and limits upload
sizes to 5GB. ([PR](https://github.com/hashicorp/boundary/pull/5013)) and
([PR](https://github.com/hashicorp/boundary-plugin-minio/pull/21))
* Resolved an issue where session authorization was returning a `401` if the
alias is non-existent or the alias does not resolve to anything. A `404`
status code is now returned.
([PR](https://github.com/hashicorp/boundary/pull/5006)))
* Minio large file support: Disable multipart uploads via minio to fix an issue where the file checksum is set incorrectly on each part
of the upload, causing it to fail. This change fixes file uploads larger than 16MB and limits upload sizes to 5GB.
([PR](https://github.com/hashicorp/boundary/pull/5013)) and ([PR](https://github.com/hashicorp/boundary-plugin-minio/pull/21))
* Resolved an issue where session authorization was returning a `401` if the alias is non-existent or the alias does not resolve to anything.
A `404` status code is now returned.
([PR](https://github.com/hashicorp/boundary/pull/5006))

### Security

* curl (enterprise): The curl binary is no longer included in the published
Docker container images for Boundary Enterprise to address the CVE-2024-7264
vulnerability.
* curl (enterprise): The curl binary is no longer included in the published Docker container images for Boundary Enterprise to address the
CVE-2024-7264 vulnerability.
[CVE-2024-7264](https://github.com/advisories/GHSA-97c4-2w4v-c7r8)

## 0.17.0 (2024/07/17)

### New and Improved

* SBC (Storage Bucket Credential): This release introduces, SBC, a resource that
represents credentials for authentication and authorization with an external
object store. There are two SBC types, managed secret and environmental.
([PR](https://github.com/hashicorp/boundary/pull/4933)),
([PR](https://github.com/hashicorp/boundary-plugin-minio/pull/18)) and
([PR](https://github.com/hashicorp/boundary-plugin-aws/pull/46))
* SBC State: This release introduces, SBC State, which represents the ability
for a worker to perform a specific action using the storage bucket. SBC
permission types (write, read, & delete) represent an action that is required
for the storage bucket to do as a routine task on an external object store.
Each permission type has a permission state (ok, error, unknown).
* SBC Worker Filtering: For protocol aware workers that require interaction
with an external storage service, the workers will be filtered by the SBC
state depending on the action and permission required.
* ui: Add multiple grant scope support for roles
([PR](https://github.com/hashicorp/boundary-ui/pull/2388))
* ui: Add API tags support for workers and improve worker filtering for targets
([PR](https://github.com/hashicorp/boundary-ui/pull/2393))

### Bug Fixes
* SBC (Storage Bucket Credential): This release introduces, SBC, a resource that represents credentials for
authentication and authorization with an external object store. There are two SBC types, managed secret and environmental.
([PR](https://github.com/hashicorp/boundary/pull/4933)), ([PR](https://github.com/hashicorp/boundary-plugin-minio/pull/18)) and ([PR](https://github.com/hashicorp/boundary-plugin-aws/pull/46))
* SBC State: This release introduces, SBC State, which represents the ability for a worker to perform a specific action
using the storage bucket. SBC permission types (write, read, & delete) represent an action that is required for the
storage bucket to do as a routine task on an external object store. Each permission type has a permission state
(ok, error, unknown).
* SBC Worker Filtering: For protocol aware workers that require interaction with an external storage service, the
workers will be filtered by the SBC state depending on the action and permission required.
* ui: Add multiple grant scope support for roles ([PR](https://github.com/hashicorp/boundary-ui/pull/2388))
* ui: Add API tags support for workers and improve worker filtering for targets ([PR](https://github.com/hashicorp/boundary-ui/pull/2393))

## 0.16.2 (2024/06/10)

### New and Improved

* Updated Minio plugin to allow for potential use with other S3-compatible
storage providers.
([PR](https://github.com/hashicorp/boundary-plugin-minio/pull/16)) and
([PR](https://github.com/hashicorp/boundary-plugin-minio/pull/17))
* Updated Minio plugin to allow for potential use with other S3-compatible storage providers.
([PR](https://github.com/hashicorp/boundary-plugin-minio/pull/16)) and ([PR](https://github.com/hashicorp/boundary-plugin-minio/pull/17))

### Bug Fixes

* Fixed a bug where a worker credential rotation request suceeded on the
controller but the response to the worker was lost. This resulted in the
controller using a separate set of credentials than the worker, causing the
worker to be unable to connect to the controller. The fix implements the new
nodeenrollment library NodeIdLoader interface, which ensures that on store, if
worker NodeInformation has a previous key set, the worker will check and correct
its stored credential set to match. LodeNodeInformation was also updated to fix
a bug where in this split credential scenario, the current credential key was
assumed to be the incoming worker key, which caused the wrong key information to
be populated for the key id.
* Fixed a bug where a worker credential rotation request suceeded on the controller but the response to the worker was lost.
This resulted in the controller using a separate set of credentials than the worker, causing the worker to be unable to connect
to the controller. The fix implements the new nodeenrollment library NodeIdLoader interface, which ensures that on store,
if worker NodeInformation has a previous key set, the worker will check and correct its stored credential set to match.
LodeNodeInformation was also updated to fix a bug where in this split credential scenario, the current credential key was
assumed to be the incoming worker key, which caused the wrong key information to be populated for the key id.
([PR](https://github.com/hashicorp/boundary/pull/4870))

### New and Improved
Expand Down Expand Up @@ -165,24 +135,17 @@ be populated for the key id.

### New and Improved

* Target aliases have been added: You can now create an alias for a target. In
most situations where you would use a target id, you can now instead use the
alias value. Create an alias with `boundary aliases create target -value
example.boundary -destination-id ttcp_1234567890` and connect to a target
using an alias using `boundary connect example.boundary`
* Worker local storage state: Self managed workers that are configured to be
used for session recordings will report the state of the its disk space. To
learn more about this new feature, refer to the
[documentation](http://developer.hashicorp.com/boundary/docs/configuration/session-recording/create-storage-bucket#local-storage).
* MinIO storage plugin: You can now create a storage bucket that allows Boundary
to interoperate with a MinIO cluster for Session Recording storage. This
includes some added functionality such as credential rotation and credential
management. To learn more about the plugin, refer to the
[readme](https://github.com/hashicorp/boundary-plugin-minio?tab=readme-ov-file#minio-plugin-for-hashicorp-boundary).
*Note:* Due to a library incompatibility, this release is not yet compatible
with the `netbsd` operating system. Please refer to the following
[documentation](http://developer.hashicorp.com/boundary/docs/configuration/session-recording/create-storage-bucket)
to learn how to create a storage bucket.
* Target aliases have been added: You can now create an alias for a target.
In most situations where you would use a target id, you can now instead use
the alias value. Create an alias with
`boundary aliases create target -value example.boundary -destination-id ttcp_1234567890`
and connect to a target using an alias using `boundary connect example.boundary`
* Worker local storage state: Self managed workers that are configured to be used for
session recordings will report the state of the its disk space. To learn more about this
new feature, refer to the [documentation](http://developer.hashicorp.com/boundary/docs/configuration/session-recording/create-storage-bucket#local-storage).
* MinIO storage plugin: You can now create a storage bucket that allows Boundary to interoperate
with a MinIO cluster for Session Recording storage. This includes some added functionality such
as credential rotation and credential management. To learn more about the plugin, refer to the [readme](https://github.com/hashicorp/boundary-plugin-minio?tab=readme-ov-file#minio-plugin-for-hashicorp-boundary). *Note:* Due to a library incompatibility, this release is not yet compatible with the `netbsd` operating system. Please refer to the following [documentation](http://developer.hashicorp.com/boundary/docs/configuration/session-recording/create-storage-bucket) to learn how to create a storage bucket.
* ui: Add UI support for filtering and pagination
([PR](https://github.com/hashicorp/boundary-ui/pull/2237))
* ui: Add UI support for MinIO (Enterprise and HCP Boundary only)
Expand Down
2 changes: 1 addition & 1 deletion api/accounts/account.gen.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion api/accounts/ldap_account_attributes.gen.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion api/accounts/oidc_account_attributes.gen.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading

0 comments on commit eae8b41

Please sign in to comment.