Closed macmiranda closed 8 months ago
@macmiranda thank you for reporting this; we've reproduced it and are actively looking into a solution.
@macmiranda apologies, I thought I had reproduced the issue but was mistaken; do you have controller logs from the error you'd be willing to share?
@irenarindos it seems to be an issue with boundary
on the local machine. The communication with the controller happens as usual (no errors on either client or controller side), we get the credentials from vault (for the dynamic role) as usual but when we try to connect to the designated port, connection is refused, in fact there is no process bound to it.
For version 0.14.2:
Version information:
Build Date: 2023-10-31T11:02:50Z
Git Revision: a86ee182c2853913f019c2559f1451d926235707
Version Number: 0.14.2
boundary connect -target-id ttcp_********c -listen-port 54321
Proxy listening information:
Address: *********
Connection Limit: -1
Expiration: Thu, 01 Feb 2024 17:37:49 CET
Port: 54321
Protocol: tcp
Session ID: s_Sg7XzO4KBW
Credentials:
Credential Source Description: Staging Vault credential library for <redacted> database's editor role
Credential Source ID: clvlt_*******V3T
Credential Source Name: staging_<redacted>_vault_role
Credential Store ID: csvlt_FI*****aY
Credential Store Type: vault-generic
Secret:
{
"password": "********************",
"username": "v-token-to-product--*****************"
}
and from a different terminal
lsof -i :54321
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
boundary 32974 maurelio 13u IPv4 0x577271de32181917 0t0 TCP localhost:54321 (LISTEN)
When using boundary 0.15.0, it behaves the same but the last command yields:
lsof -i :54321
[!NOTE] Our controllers and workers are running image 0.14.3
I'm guessing it's related to this PR @jefferai
Hi @macmiranda, thanks for raising this so quickly. We recognize we have not given users explicit guidance around whether to use Boundary clients on newer versions than your control plane.
After some investigation and internal discussion we've come to the conclusion that this should not be supported. Guaranteeing support for clients on newer versions than your control plane would make it impossible to add new features or deprecate old ones. As a best practice, we've now added that clients should be on the same version as control planes or one version older than their control plane.
For example, Boundary clients version 0.14.0 are compatible with Boundary control plane running Boundary 0.15.0. However, they will not have compatibility once the control plane is updated to version 0.16.0 or above. Boundary clients version 0.15.0 are not compatible with Boundary control plane running Boundary 0.14.0 or lower. Customers are recommended to run the latest versions of Boundary on all cluster resources (clients, controllers, workers) in order to leverage the newest features and bug fixes.
We have now made this explicit in our documentation: https://developer.hashicorp.com/boundary/docs/enterprise/supported-versions and are looking for any other places in documentation we can make this more clear.
Updated guidance around client <-> control plane compatibility: https://developer.hashicorp.com/boundary/docs/enterprise/supported-versions
Ok, @PPacent thanks for clarifying it. On a side note, you may want to fix some typos in that doc
Thanks for the catch @macmiranda, should be fixed now
Describe the bug
boundary connect
fails to create a listening socket on Mac OS M1 (arm). The build I'm using is:To Reproduce Steps to reproduce the behavior:
boundary authenticate ...
boundary connect postgres -target-id ****** -dbname *****
Expected behavior Boundary is able to connect to the target
Additional context Downgrading Boundary CLI to 0.14.2 solves the issue.