Version v1.11.1+suite.1

This Suite release aligns with Conjur Server version 1.11.1. It includes quality and troubleshooting improvements to the Conjur SDK, as well as enhancements in the Conjur Kubernetes and Google Cloud Platform authenticators. Notable updates are highlighted below.

For a reminder of the Conjur Open Source Suite Release structure, please refer to the documentation introduction.

What's New

New and enhanced functionality includes:

Conjur Core

NEW! Google Cloud Platform (GCP) Authenticator Support for Google Cloud Functions

Google Cloud Function (GCF) applications can now authenticate to Conjur using the GCP authenticator. For more information on how to get started using this new feature, reference the GCP authenticator documentation.

Kubernetes Authenticator

If the Kubernetes Authenticator encounters an error while asynchronously injecting the authentication certificate into the client container, it now writes the error message to a file in the client container so that the error can be logged in the client container logs. Together with the changes in the Kubernetes authenticator client available in this release, it is now easier to troubleshoot certificate injection issues.

Conjur Integrations

Kubernetes Authentication Client

As noted above, the Conjur Kubernetes authenticator has been updated to write error messages caused by problems in the certificate injection process to a file in the client container. With this release, the authenticator client has also been updated so that if it cannot read the certificate file within 10 seconds, it attempts to log the contents of the error log file to the authenticator client container logs. When troubleshooting certificate injection issues, this makes it possible to observe all Kubernetes authentication steps by reviewing the client container logs and the Conjur server logs.
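The wait-then-report behaviour described above can be sketched as follows. This is an added example, not code from the Conjur authenticator client: the function name, file paths, polling interval, 4096-byte cap and error text are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
	"time"
)

// ErrCertTimeout marks a certificate that never appeared in the shared volume.
var ErrCertTimeout = errors.New("client certificate not injected before timeout")

// WaitForCert polls certPath until it holds data or timeout elapses. On timeout
// it surfaces the contents of errLogPath (hypothetical path where the server
// side recorded the injection failure) so the cause lands in the client's logs.
func WaitForCert(certPath, errLogPath string, timeout, interval time.Duration) ([]byte, error) {
	deadline := time.Now().Add(timeout)
	for {
		if data, err := os.ReadFile(certPath); err == nil && len(data) > 0 {
			return data, nil
		}
		if !time.Now().Before(deadline) {
			break
		}
		time.Sleep(interval)
	}
	detail, err := os.ReadFile(errLogPath)
	if err != nil {
		return nil, fmt.Errorf("%w; no injection error log: %v", ErrCertTimeout, err)
	}
	if len(detail) > 4096 { // cap what is copied into the logs
		detail = detail[:4096]
	}
	// Collapse newlines so file contents cannot forge extra log records.
	msg := strings.Join(strings.Fields(string(detail)), " ")
	return nil, fmt.Errorf("%w; injection error log: %s", ErrCertTimeout, msg)
}

func main() {
	dir, _ := os.MkdirTemp("", "authn-demo")
	defer os.RemoveAll(dir)
	cert, errLog := dir+"/client.pem", dir+"/injection-error.log"
	// Constructed error text standing in for what the server would write.
	os.WriteFile(errLog, []byte("constructed: exec into container failed\n"), 0o600)
	_, err := WaitForCert(cert, errLog, 200*time.Millisecond, 50*time.Millisecond)
	fmt.Println("first attempt:", err)
	os.WriteFile(cert, []byte("constructed certificate bytes"), 0o600)
	data, err := WaitForCert(cert, errLog, 200*time.Millisecond, 50*time.Millisecond)
	fmt.Println("second attempt:", len(data), "bytes, err =", err)
}
```

In a real deployment the timeout would be the 10 seconds stated above; the demo uses 200 ms so it finishes quickly.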

This release includes additional changes to the authenticator container logs; see the change log for more details.

Secrets Provider for Kubernetes

Secrets Provider for Kubernetes has been updated to use the Kubernetes authenticator client v0.19.0. With this change, users benefit from the changes made to the Kubernetes authenticator client in this release for improved performance and troubleshooting capabilities during the client certificate injection process.

Secrets Delivery

Secretless Broker

Secretless Broker's Conjur secret provider has been updated to use the Kubernetes authenticator client v0.19.0, so that when using Secretless with the Conjur Kubernetes authenticator, users may also benefit from improved performance and troubleshooting capabilities during the client certificate injection process.

Deprecations

Support for OpenShift versions 3.9 and 3.10 is officially deprecated and support will be removed in the next suite release. These versions have already been declared end-of-life by Red Hat and were deprecated by CyberArk Dynamic Access Provider in version 11.7. Users are encouraged to upgrade their OpenShift clusters to at least version 3.11, which is supported by both Red Hat and the Conjur OSS Suite.

Components

The following components are included or enhanced in Conjur OSS Suite v1.11.1+suite.1:

Conjur Server

Conjur SDK

Platform Integrations

DevOps Tools

Secretless Broker

Summon

Conjur OSS Suite Installation

Installing the Suite Release Version of Conjur requires setting the container image tag.

Follow the relevant instructions for your environment.

  • Docker or docker-compose

    Set the container image tag to cyberark/conjur:1.11.1. For example, make the following update to the conjur service in the quickstart docker-compose.yml:

    image: cyberark/conjur:1.11.1

  • Conjur OSS Helm chart

    Update the image.tag value and use the appropriate release of the helm chart:

    helm install ... \
      --set image.tag="1.11.1" \
      ...
      https://github.com/cyberark/conjur-oss-helm-chart/releases/download/v2.0.2/conjur-oss-2.0.2.tgz

Upgrade Instructions

Upgrade instructions are available for the following suite components:

What's New by Component

The following components are introduced or enhanced in the Conjur OSS Suite version v1.11.1+suite.1:

cyberark/conjur

v1.11.0 (2020-11-06)

Added

  • GCP authenticator (authn-gcp) supports authenticating from Google Cloud Function (GCF) using a GCE instance identity token. See design for more details. cyberark/conjur#1804

Changed

  • Conjur now raises an ExecCommandError error instead of a CertInstallationError error when it fails to install the client certificate during authn-k8s. cyberark/conjur#1860

Fixed

  • Conjur now raises an Unauthorized error when a user attempts to rotate the API key of a nonexistent role. Previously, the operation would result in a successful rotation of the existing user's API key, with no indication that the target of the operation had changed. cyberark/conjur#1914

Security

v1.11.1 (2020-11-19)

Added

  • UBI-based Conjur image to support Conjur server running on OpenShift. The image will be published to the Red Hat Container Registry. cyberark/conjur#1883

cyberark/conjur-oss-helm-chart

v2.0.2 (2020-12-02)

Changed

cyberark/conjur-api-go

v0.6.1 (2020-12-02)

Changed

cyberark/conjur-api-python3

v0.1.1 (2020-11-05)

Added

Changed

cyberark/conjur-authn-k8s-client

v0.19.0 (2020-10-08)

Added

Changed

cyberark/secrets-provider-for-k8s

v1.1.1 (2020-11-24)

Added

Changed

Fixed

cyberark/secretless-broker

v1.7.1 (2020-10-20)

Added

  • The vault provider now supports loading secrets from the KV Version 2 secret engine. Reference a secret in Vault using the right path and a field navigation in the Secretless configuration. cyberark/secretless-broker#1331

Changed