Merged
66 changes: 37 additions & 29 deletions CHANGELOG.md
Expand Up @@ -2,47 +2,55 @@

All notable changes to the Boundary Worker Helm Chart will be documented in this file.

## [Unreleased]
## [0.1.0-beta] - 2026-06-18

## [x.x.x] - YYYY-MM-DD
Initial public beta release of the Boundary Worker Helm chart.

### Added
- Initial Helm chart for HashiCorp Boundary Worker
- Single-replica worker deployment with persistent storage

**Core chart**
- Helm chart for deploying a HashiCorp Boundary Worker on Kubernetes
- Single-replica worker `Deployment` with persistent storage
- Support for controller-led, worker-led, and KMS-based worker registration
- Configurable proxy and operations Services
- Optional PersistentVolumeClaims for auth storage and session recording
- Auth storage PVC is optional — KMS-based workers can use an `emptyDir` instead (`worker.persistence.authStorage.enabled: false`)
- Worker HCL config embedded in `values.yaml` by default; `--set-file worker.config=<file>` supported
- Comprehensive unit tests with helm-unittest (25+ test pods)
- KIND cluster acceptance tests including TCP target connection test
- AWS EKS integration test suite with Terraform (IRSA support, addons, full lifecycle)
- Azure AKS integration test suite with Terraform (workload identity, addons, full lifecycle)
- Security-hardened pod and container contexts (non-root, read-only filesystem, dropped capabilities)
- Makefile with lint, unit-test, acceptance, and integration workflow targets
- Trivy and Kubescape security scanning
- Configurable proxy (`worker.service.proxy`) and operations (`worker.service.ops`) Services
- Optional `PersistentVolumeClaim` for auth storage — KMS-based workers can use an `emptyDir` instead (`worker.persistence.authStorage.enabled: false`)
- Optional `PersistentVolumeClaim` for session recording (`worker.persistence.recording.enabled`)
- Worker HCL config embedded in `values.yaml` by default; `--set-file worker.config=<file>` also supported
- Security-hardened pod and container security contexts (non-root UID/GID, read-only root filesystem, all capabilities dropped)
- Kubernetes Secrets support via `secretRefs` for sensitive values
- Artifact Hub annotations in `Chart.yaml`

**Testing**
- Unit tests with helm-unittest (25+ test files covering deployment, configmap, services, PVCs, RBAC, security contexts, and more)
- KIND cluster acceptance tests including a live TCP target connection test
- AWS EKS and Azure AKS integration test suites with Terraform (IRSA / workload identity, managed addons, full lifecycle)

**Tooling**
- `Makefile` targets for lint, unit tests, acceptance tests, and cloud integration tests
- Trivy vulnerability scanning and Kubescape compliance scanning
- Kubernetes manifest validation with kubeconform
- Artifact Hub annotations in `Chart.yaml` (`artifacthub.io/*`)

### Configuration Defaults
- Default image: `hashicorp/boundary-enterprise:0.21-ent` (chart `appVersion`)
- Default storage class: `""` — uses the cluster default StorageClass
- Default auth storage: `1Gi` (disabled automatically for KMS auth)
- Default recording storage: `10Gi`
- Default termination grace period: `7200s` (2 hours) — allows active sessions to drain
- Default resources: `100m` CPU / `512Mi` memory (requests), `200m` CPU / `1Gi` memory (limits)

| Parameter | Default | Notes |
|---|---|---|
| Image | `hashicorp/boundary-enterprise:0.21.3-ent` | chart `appVersion` |
| Storage class | `""` | uses cluster default `StorageClass` |
| Auth storage size | `1Gi` | auto-disabled for KMS auth method |
| Recording storage size | `10Gi` | |
| Termination grace period | `7200s` (2 h) | allows active sessions to drain |
| CPU request / limit | `100m` / `200m` | |
| Memory request / limit | `512Mi` / `1Gi` | |

### Documentation
- Comprehensive README with installation and configuration guide
- README with installation guide and configuration reference
- Embedded-values workflow as the primary installation approach
- Common deployment patterns (egress, intermediate workers)
- Common deployment patterns
- Public address and service exposure strategies
- Operations guide for upgrades and troubleshooting
- Security model documentation
- Operations guide covering upgrades and troubleshooting
- Security model overview

### Known Limitations
- Single replica only (no horizontal scaling)
- No automatic session drain during upgrades
- Single replica only — horizontal scaling is not supported
- No automatic `public_addr` discovery
- No built-in secret management integration
- No multi-worker topology orchestration
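
Review bot: In "Known Limitations", the entry "No built-in secret management integration" reads as contradicting the "Added" entry "Kubernetes Secrets support via `secretRefs` for sensitive values" in the same release section. Suggest rewording the limitation to name what is actually not integrated, so a reader deciding how to supply worker credentials can tell that `secretRefs` is the supported path and which gap remains.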