HashiConf Digital wrapped up this week, and HashiCorp dropped two new open-source projects that are clearly aimed at the gaps in their existing ecosystem: Waypoint for application deployment workflows and Boundary for secure remote access. After spending the past few days digging into both, I think they address real pain points — but the execution will determine whether they actually get traction.
If you’ve worked with HashiCorp’s stack (Terraform, Vault, Consul, Nomad), you know the tools are excellent individually but integrating them into a cohesive developer experience requires significant glue code and tribal knowledge. Waypoint and Boundary feel like an acknowledgment of that gap.
Waypoint: One Workflow to Deploy Them All#
Waypoint’s pitch is straightforward: define a waypoint.hcl file, run waypoint up, and your application gets built, deployed, and released — regardless of whether the target is Kubernetes, ECS, Nomad, or a plain Docker host. It’s an abstraction layer over deployment, similar in spirit to what Terraform does for infrastructure provisioning.
project = "my-app"
app "web" {
build {
use "docker" {}
}
deploy {
use "kubernetes" {
probe_path = "/health"
}
}
release {
use "kubernetes" {
load_balancer = true
}
}
}What’s interesting is the explicit separation of build, deploy, and release phases. This isn’t new conceptually — we’ve been talking about this pattern since at least the Twelve-Factor App — but having it as a first-class concern in a deployment tool is nice. The release phase in particular, which handles traffic shifting and load balancer configuration, is where things usually get messy in practice.
I’ve seen too many teams where deployment is a combination of shell scripts, CI pipeline steps, and kubectl commands stitched together with hope and documentation. Waypoint could clean that up, but only if it handles the edge cases. The initial plugin ecosystem covers the basics (Docker, Kubernetes, AWS ECS, Nomad), but real-world deployments inevitably involve custom steps — database migrations, feature flag updates, cache warming. The plugin architecture will need to be robust and extensible.
Boundary: Identity-Based Access for the Zero Trust Era#
Boundary is the more strategically interesting of the two launches. It’s a secure remote access solution built around identity rather than IP-based rules. Think of it as a modern replacement for VPNs and SSH bastion hosts, integrated with your identity provider.
The traditional approach to accessing internal infrastructure — VPN in, then SSH to a bastion, then hop to the target — is clunky and creates a poor audit trail. Boundary provides direct, authenticated access to resources based on who you are and what you’re authorized to do, with full session recording and logging.
This fits perfectly alongside Vault. Where Vault manages secrets and dynamic credentials, Boundary manages the access paths themselves. Together, they form a zero-trust access layer: Boundary authenticates and authorizes the session, Vault provides just-in-time credentials, and everything is logged and auditable.
For teams managing hybrid infrastructure — some on-prem, some in cloud, maybe multiple clouds — this is a compelling proposition. The identity-based approach means you don’t need to maintain complex network peering or VPN configurations just to let a developer access a staging database.
The Bigger Picture: HashiCorp’s Platform Play#
These launches make HashiCorp’s strategy clear. They’re building a complete platform for infrastructure and application lifecycle management:
- Terraform provisions infrastructure
- Vault manages secrets and credentials
- Consul handles service networking and discovery
- Nomad (or Kubernetes) orchestrates workloads
- Boundary controls access to everything
- Waypoint gives developers a simple deployment interface
Each tool works standalone and is open-source, but the real value proposition is the integrated cloud platform (HashiCorp Cloud Platform). It’s the classic open-source-to-enterprise playbook, and HashiCorp executes it better than most.
I’ve been running Terraform and Vault in production for years, and the quality of the open-source offerings has consistently been high. But I’ve also seen organizations struggle with the operational overhead of running the full stack. HCP promises to reduce that, though at a cost that’s worth scrutinizing.
My Take: Promising, But Give It Time#
Waypoint and Boundary are both at version 0.1.0, which means they’re nowhere near production-ready for most use cases. HashiCorp is transparent about this — the launch is about establishing direction and building community, not declaring victory.
My concerns with Waypoint are around flexibility. Deployment abstractions have been attempted many times (Heroku, Cloud Foundry, various PaaS offerings, even docker-compose in its own way), and they tend to work brilliantly for the 80% case and then fight you on the remaining 20%. HashiCorp’s track record with Terraform’s provider ecosystem gives me some confidence they understand extensibility, but it’s early days.
Boundary I’m more bullish on, because it solves a problem that’s genuinely underserved by existing open-source tools. Commercial solutions like Teleport exist, but an open-source, identity-native access proxy from HashiCorp — with Vault integration — is a strong offering. The zero-trust access model is clearly where the industry is heading, especially with distributed teams becoming the norm rather than the exception in 2020.
If you’re already in the HashiCorp ecosystem, keep an eye on both. If you’re evaluating new infrastructure tooling, Boundary is the one I’d recommend experimenting with sooner rather than later. Waypoint needs at least a few more releases before I’d consider it for anything beyond personal projects.
The infrastructure tooling space continues to mature, and it’s encouraging to see HashiCorp investing in developer experience alongside the operations side. The best infrastructure is the kind developers don’t have to think about — and these tools are a step in that direction.