Bumped product version to 0.20.1.

.github/workflows/build.yml

@@ -405,7 +405,6 @@ jobs:
       artifact-name: "boundary_${{ needs.set-product-version.outputs.product-version }}_linux_amd64.zip"
       go-version: ${{ needs.product-metadata.outputs.go-version }}
       edition: ${{ needs.product-metadata.outputs.product-edition }}
-      docker-image-name: ${{ needs.build-docker.outputs.name }}
       docker-image-file: "boundary_default_linux_amd64_${{ needs.set-product-version.outputs.product-version }}_${{ github.sha }}.docker.dev.tar"
     secrets: inherit
   bats:

.github/workflows/enos-run.yml

@@ -15,9 +15,6 @@ on:
       go-version:
         required: true
         type: string
-      docker-image-name:
-        required: false
-        type: string
       docker-image-file:
         required: false
         type: string
@@ -96,7 +93,6 @@ jobs:
       ENOS_VAR_crt_bundle_path: ./support/boundary.zip
       ENOS_VAR_test_email: ${{ secrets.SERVICE_USER_EMAIL }}
       ENOS_VAR_boundary_edition: ${{ inputs.edition }}
-      ENOS_VAR_boundary_docker_image_name: ${{ inputs.docker-image-name }}
       ENOS_VAR_boundary_docker_image_file: ./support/boundary_docker_image.tar
       ENOS_VAR_go_version: ${{ inputs.go-version }}
       ENOS_VAR_gcp_project_id: ${{ secrets.GCP_PROJECT_ID_CI }}

CHANGELOG.md

@@ -2,6 +2,14 @@
 
 Canonical reference for changes, improvements, and bugfixes for Boundary.
 
+## Next
+
+## 0.20.1 (2025/11/03)
+
+### New and Improved
+
+* Added a complete IBM Key Protect wrapper implementation with configuration options and KMS client integration ([PR](https://github.com/hashicorp/go-kms-wrapping/pull/292))
+
 ## 0.20.0 (2025/09/25)
 
 ### New and Improved
@@ -17,8 +25,8 @@ Canonical reference for changes, improvements, and bugfixes for Boundary.
 * Adds support to parse User-Agent headers and emit them in telemetry events
   ([PR](https://github.com/hashicorp/boundary/pull/5645)).
 * cli: Added `boundary connect cassandra` command for connecting to Cassandra targets.
-  This new helper command allows users to authorize sessions against Cassandra 
-  targets and automatically invoke a Cassandra client with the appropriate 
+  This new helper command allows users to authorize sessions against Cassandra
+  targets and automatically invoke a Cassandra client with the appropriate
   connection parameters and credentials. Currently only username/password credentials are automatically attached.
 * ui: Improved load times for resource tables with search and filtering capabilities by replacing indexeddb for local data storage with sqlite (WASM) and OPFS ([PR](https://github.com/hashicorp/boundary-ui/pull/2984))
 

api/proxy/option.go

@@ -39,6 +39,7 @@ type Options struct {
 	WithSkipSessionTeardown      bool
 	withSessionTeardownTimeout   time.Duration
 	withApiClient                *api.Client
+	withInactivityTimeout        time.Duration
 }
 
 // Option is a function that takes in an options struct and sets values or
@@ -142,3 +143,12 @@ func WithApiClient(with *api.Client) Option {
 		return nil
 	}
 }
+
+// WithInactivityTimeout provides an optional duration after which a session
+// with no active connections will be cancelled
+func WithInactivityTimeout(with time.Duration) Option {
+	return func(o *Options) error {
+		o.withInactivityTimeout = with
+		return nil
+	}
+}

api/proxy/proxy.go

@@ -34,26 +34,28 @@ import (
 const sessionCancelTimeout = 30 * time.Second
 
 type ClientProxy struct {
-	tofuToken               string
-	cachedListenerAddress   *ua.String
-	connectionsLeft         *atomic.Int32
-	connsLeftCh             chan int32
-	callerConnectionsLeftCh chan int32
-	apiClient               *api.Client
-	sessionAuthzData        *targets.SessionAuthorizationData
-	createTime              time.Time
-	expiration              time.Time
-	ctx                     context.Context
-	cancel                  context.CancelFunc
-	transport               *http.Transport
-	workerAddr              string
-	listenAddrPort          netip.AddrPort
-	listener                *atomic.Value
-	listenerCloseOnce       *sync.Once
-	clientTlsConf           *tls.Config
-	connWg                  *sync.WaitGroup
-	started                 *atomic.Bool
-	skipSessionTeardown     bool
+	tofuToken             string
+	cachedListenerAddress *ua.String
+	connectionsLeft       *atomic.Int32
+	activeConns           *atomic.Int32
+	connsLeftCh           chan int32
+	callerConnsLeftCh     chan int32
+	apiClient             *api.Client
+	sessionAuthzData      *targets.SessionAuthorizationData
+	createTime            time.Time
+	expiration            time.Time
+	ctx                   context.Context
+	cancel                context.CancelFunc
+	transport             *http.Transport
+	workerAddr            string
+	listenAddrPort        netip.AddrPort
+	listener              *atomic.Value
+	listenerCloseOnce     *sync.Once
+	clientTlsConf         *tls.Config
+	connWg                *sync.WaitGroup
+	started               *atomic.Bool
+	skipSessionTeardown   bool
+	closeReason           *atomic.Value
 }
 
 // New creates a new client proxy. The given context should be cancelable; once
@@ -90,17 +92,19 @@ func New(ctx context.Context, authzToken string, opt ...Option) (*ClientProxy, e
 	}
 
 	p := &ClientProxy{
-		cachedListenerAddress:   ua.NewString(""),
-		connsLeftCh:             make(chan int32),
-		connectionsLeft:         new(atomic.Int32),
-		listener:                new(atomic.Value),
-		listenerCloseOnce:       new(sync.Once),
-		connWg:                  new(sync.WaitGroup),
-		listenAddrPort:          opts.WithListenAddrPort,
-		callerConnectionsLeftCh: opts.WithConnectionsLeftCh,
-		started:                 new(atomic.Bool),
-		skipSessionTeardown:     opts.WithSkipSessionTeardown,
-		apiClient:               opts.withApiClient,
+		cachedListenerAddress: ua.NewString(""),
+		connsLeftCh:           make(chan int32),
+		connectionsLeft:       new(atomic.Int32),
+		activeConns:           new(atomic.Int32),
+		listener:              new(atomic.Value),
+		listenerCloseOnce:     new(sync.Once),
+		connWg:                new(sync.WaitGroup),
+		listenAddrPort:        opts.WithListenAddrPort,
+		callerConnsLeftCh:     opts.WithConnectionsLeftCh,
+		started:               new(atomic.Bool),
+		skipSessionTeardown:   opts.WithSkipSessionTeardown,
+		apiClient:             opts.withApiClient,
+		closeReason:           new(atomic.Value),
 	}
 
 	if opts.WithListener != nil {
@@ -142,7 +146,7 @@ func New(ctx context.Context, authzToken string, opt ...Option) (*ClientProxy, e
 	// We don't _rely_ on client-side timeout verification but this prevents us
 	// seeming to be ready for a connection that will immediately fail when we
 	// try to actually make it
-	p.ctx, p.cancel = context.WithDeadline(ctx, p.expiration)
+	p.ctx, p.cancel = context.WithDeadlineCause(ctx, p.expiration, fmt.Errorf("Session has expired"))
 
 	transport := cleanhttp.DefaultTransport()
 	transport.DisableKeepAlives = false
@@ -212,6 +216,17 @@ func (p *ClientProxy) Start(opt ...Option) (retErr error) {
 	// Ensure closing the listener runs on any other return condition
 	defer listenerCloseFunc()
 
+	// automatically close the proxy when inactive
+	proxyAutoClose := time.AfterFunc(10*time.Minute, func() {
+		p.cancel()
+		p.setCloseReason("Inactivity timeout reached")
+	})
+
+	activeConnCh := make(chan int32)
+	activeConnFn := func(d int32) {
+		activeConnCh <- p.activeConns.Add(d)
+	}
+
 	fin := make(chan error, 10)
 	p.connWg.Add(1)
 	go func() {
@@ -243,8 +258,10 @@ func (p *ClientProxy) Start(opt ...Option) (retErr error) {
 					return
 				}
 			}
+			activeConnFn(1)
 			p.connWg.Add(1)
 			go func() {
+				defer activeConnFn(-1)
 				defer listeningConn.Close()
 				defer p.connWg.Done()
 				wsConn, err := p.getWsConn(p.ctx)
@@ -305,27 +322,40 @@ func (p *ClientProxy) Start(opt ...Option) (retErr error) {
 		}()
 		defer p.connWg.Done()
 		defer listenerCloseFunc()
-
 		for {
 			select {
 			case <-p.ctx.Done():
+				if err := context.Cause(p.ctx); !errors.Is(err, context.Canceled) {
+					p.setCloseReason(err.Error())
+				}
 				return
 			case connsLeft := <-p.connsLeftCh:
 				p.connectionsLeft.Store(connsLeft)
-				if p.callerConnectionsLeftCh != nil {
-					p.callerConnectionsLeftCh <- connsLeft
+				if p.callerConnsLeftCh != nil {
+					p.callerConnsLeftCh <- connsLeft
 				}
 				if connsLeft == 0 {
 					// Close the listener as we can't authorize any more
 					// connections
+					p.setCloseReason("No connections left in session")
 					return
 				}
+			case activeConns := <-activeConnCh:
+				switch {
+				case activeConns > 0:
+					// always stop the timer when a new connection is made,
+					// even if timeout opt is 0
+					proxyAutoClose.Stop()
+				case opts.withInactivityTimeout <= 0:
+					// no timeout was set, timer should not be reset for inactivity
+				case activeConns == 0:
+					proxyAutoClose.Reset(opts.withInactivityTimeout)
+				}
 			}
 		}
 	}()
 
 	p.connWg.Wait()
-	defer p.cancel()
 
 	{
 		// the go funcs are done, so we can safely close the chan and range over any errors
@@ -367,6 +397,25 @@ func (p *ClientProxy) CloseSession(sessionTeardownTimeout time.Duration) error {
 	return nil
 }
 
+// CloseReason returns the reason why the proxy was closed, if the proxy closed
+// itself. If the proxy is still running or the proxy was closed externally, an
+// empty string is returned.
+func (p *ClientProxy) CloseReason() string {
+	switch r := p.closeReason.Load().(type) {
+	case string:
+		return r
+	default:
+		return ""
+	}
+}
+
+// setCloseReason updates the reason the proxy closed from an empty string to the
+// provided string. setCloseReason only accepts the first provided reason for
+// closing, all other calls are ignored.
+func (p *ClientProxy) setCloseReason(reason string) {
+	p.closeReason.CompareAndSwap(nil, reason)
+}
+
 // ListenerAddress returns the address of the client proxy listener. Because the
 // listener is started with Start(), this could be called before listening
 // occurs. To avoid returning until we have a valid value, pass a context;

enos/README.md

@@ -66,6 +66,8 @@ following lines
 127.0.0.1       localhost       worker
 127.0.0.1       localhost       vault
 ```
+### AWS Credentials
+Copy the AWS Account credentials from doormat and set it in the terminal, where the enos commands are run.
 
 ## Executing Scenarios
 From the `enos` directory:

enos/enos-scenario-e2e-docker-base-plus.hcl

@@ -81,7 +81,7 @@ scenario "e2e_docker_base_plus" {
       step.build_boundary_docker_image
     ]
     variables {
-      image_name       = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
+      image_name       = step.build_boundary_docker_image.image_name
       network_name     = [local.network_cluster]
       database_network = local.network_cluster
       postgres_address = step.create_boundary_database.address

enos/enos-scenario-e2e-docker-base-with-gcp.hcl

@@ -82,7 +82,7 @@ scenario "e2e_docker_base_with_gcp" {
       step.build_boundary_docker_image
     ]
     variables {
-      image_name       = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
+      image_name       = step.build_boundary_docker_image.image_name
       network_name     = [local.network_cluster]
       database_network = local.network_cluster
       postgres_address = step.create_boundary_database.address

enos/enos-scenario-e2e-docker-base-with-vault.hcl

@@ -83,7 +83,7 @@ scenario "e2e_docker_base_with_vault" {
       step.build_boundary_docker_image
     ]
     variables {
-      image_name       = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
+      image_name       = step.build_boundary_docker_image.image_name
       network_name     = [local.network_cluster]
       database_network = local.network_cluster
       postgres_address = step.create_boundary_database.address

enos/enos-scenario-e2e-docker-base-with-worker.hcl

@@ -99,7 +99,7 @@ scenario "e2e_docker_base_with_worker" {
       step.build_boundary_docker_image
     ]
     variables {
-      image_name       = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
+      image_name       = step.build_boundary_docker_image.image_name
       network_name     = [local.network_cluster, local.network_database]
       database_network = local.network_database
       postgres_address = step.create_boundary_database.address
@@ -143,7 +143,7 @@ scenario "e2e_docker_base_with_worker" {
       step.create_boundary
     ]
     variables {
-      image_name       = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
+      image_name       = step.build_boundary_docker_image.image_name
       boundary_license = var.boundary_edition != "oss" ? step.read_license.license : ""
       config_file      = "worker-config.hcl"
       container_name   = "worker"

enos/enos-scenario-e2e-docker-base.hcl

@@ -81,7 +81,7 @@ scenario "e2e_docker_base" {
       step.build_boundary_docker_image
     ]
     variables {
-      image_name       = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
+      image_name       = step.build_boundary_docker_image.image_name
       network_name     = [local.network_cluster]
       database_network = local.network_cluster
       postgres_address = step.create_boundary_database.address

enos/enos-scenario-e2e-docker-worker-registration-controller-led.hcl

@@ -99,7 +99,7 @@ scenario "e2e_docker_worker_registration_controller_led" {
       step.build_boundary_docker_image
     ]
     variables {
-      image_name       = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
+      image_name       = step.build_boundary_docker_image.image_name
       network_name     = [local.network_cluster, local.network_database]
       database_network = local.network_database
       postgres_address = step.create_boundary_database.address
@@ -113,7 +113,7 @@ scenario "e2e_docker_worker_registration_controller_led" {
     depends_on = [step.create_boundary]
     variables {
       address      = step.create_boundary.address
-      image_name   = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
+      image_name   = step.build_boundary_docker_image.image_name
       network_name = local.network_cluster
       login_name   = step.create_boundary.login_name
       password     = step.create_boundary.password
@@ -157,7 +157,7 @@ scenario "e2e_docker_worker_registration_controller_led" {
       step.create_boundary
     ]
     variables {
-      image_name       = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
+      image_name       = step.build_boundary_docker_image.image_name
       boundary_license = var.boundary_edition != "oss" ? step.read_license.license : ""
       config_file      = "worker-config-controller-led.hcl"
       container_name   = "worker"

enos/enos-scenario-e2e-docker-worker-registration-worker-led.hcl

@@ -99,7 +99,7 @@ scenario "e2e_docker_worker_registration_worker_led" {
       step.build_boundary_docker_image
     ]
     variables {
-      image_name       = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
+      image_name       = step.build_boundary_docker_image.image_name
       network_name     = [local.network_cluster, local.network_database]
       database_network = local.network_database
       postgres_address = step.create_boundary_database.address
@@ -144,7 +144,7 @@ scenario "e2e_docker_worker_registration_worker_led" {
       step.create_boundary
     ]
     variables {
-      image_name              = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
+      image_name              = step.build_boundary_docker_image.image_name
       boundary_license        = var.boundary_edition != "oss" ? step.read_license.license : ""
       config_file             = "worker-config-worker-led.hcl"
       container_name          = "worker"
@@ -165,7 +165,7 @@ scenario "e2e_docker_worker_registration_worker_led" {
     ]
     variables {
       address      = step.create_boundary.address
-      image_name   = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
+      image_name   = step.build_boundary_docker_image.image_name
       network_name = local.network_cluster
       login_name   = step.create_boundary.login_name
       password     = step.create_boundary.password

enos/enos-scenario-e2e-ui-docker.hcl

@@ -81,7 +81,7 @@ scenario "e2e_ui_docker" {
       step.build_boundary_docker_image
     ]
     variables {
-      image_name       = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
+      image_name       = step.build_boundary_docker_image.image_name
       network_name     = [local.network_cluster]
       database_network = local.network_cluster
       postgres_address = step.create_boundary_database.address
@@ -124,7 +124,7 @@ scenario "e2e_ui_docker" {
       step.create_boundary
     ]
     variables {
-      image_name       = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
+      image_name       = step.build_boundary_docker_image.image_name
       boundary_license = var.boundary_edition != "oss" ? step.read_license.license : ""
       config_file      = "worker-config.hcl"
       container_name   = "worker"