This Suite release aligns with Conjur Server version 1.11.1. It includes new OpenShift support for deploying Conjur OSS and some exciting new changes to our Ansible integration. Notable updates are highlighted below.
To learn more about the Conjur Open Source Suite Release structure, refer to the documentation introduction.
New and enhanced functionality includes:
Conjur OSS Helm Chart
The Conjur OSS Helm Chart has been updated with Community-level support for deploying Conjur OSS into OpenShift 4.x clusters! Previously, the helm chart only had support out of the box for deploying to standard Kubernetes clusters. With this change, we are now publishing OpenShift-friendly images for Conjur and Nginx to the Red Hat container registry, and the helm chart provides instructions for installing Conjur into OpenShift using these images.
Conjur Ansible Integration
In this suite release, the Conjur Ansible Collection is added to the Conjur OSS Suite! With the latest release of the Conjur collection, you can install both the Conjur Ansible Role and the Conjur Lookup Plugin with one command:
Ansible has been moving toward using collections since last year. With the release of Ansible 2.10, the Ansible core Conjur lookup plugin has been replaced with a reference to our collection. This change enables us to better support you by getting new features and bug fixes released as quickly as we can publish them in GitHub. We recommend using the Conjur collection with all Ansible versions that support collections, or for Ansible 2.9+!
The following components, with links to their GitHub releases, comprise the Conjur Open Source Suite v1.11.1+suite2:
cyberark/conjur-cli v6.2.3 (2020-12-22)
cyberark/conjur-api-dotnet v2.0.0 (2020-06-10)
cyberark/conjur-api-go v0.6.1 (2020-12-02)
cyberark/conjur-api-java v3.0.2 (2020-10-28)
cyberark/conjur-api-python3 v0.1.1 (2020-11-05)
cyberark/conjur-api-ruby v5.3.4 (2020-10-29)
cyberark/conjur-authn-k8s-client v0.19.0 (2020-10-08)
cyberark/secrets-provider-for-k8s v1.1.1 (2020-11-24)
cyberark/ansible-conjur-collection v1.1.0 (2020-12-29)
cyberark/ansible-conjur-host-identity v0.3.2 (2020-12-29)
cyberark/conjur-puppet v3.1.0 (2020-10-08)
cyberark/terraform-provider-conjur v0.4.0 (2020-04-29)
cyberark/secretless-broker v1.7.1 (2020-10-20)
Conjur OSS Suite installation
Installing the Suite Release Version of Conjur requires setting the container image tag.
Follow the instructions relevant for your environment.
- Docker or docker-compose
Set the container image tag to cyberark/conjur:1.11.1. For example, make the following update to the conjur service in the quickstart docker-compose.yml:
- Conjur OSS Helm chart
Set the image.tag value and use the appropriate release of the helm chart:
helm install ... \
  --set image.tag="1.11.1" \
  ... https://github.com/cyberark/conjur-oss-helm-chart/releases/download/v2.0.3/conjur-oss-2.0.3.tgz
Upgrade instructions are available for the following suite components:
What's New by Component
The following components were introduced or enhanced in the Conjur OSS suite version:
The Conjur OSS helm chart has Community support for deploying Conjur OSS to OpenShift 4.x. cyberark/conjur-oss-helm-chart#60
The default Postgres server version is incremented to 10.15 from 10.14. cyberark/conjur-oss-helm-chart#120
Conjur pod no longer fails on restarts when the Conjur cluster is helm installed with the automatic Conjur account creation feature enabled (e.g. with --set account.create=true). The Conjur startup command is revised to check if the account exists before starting the server with the flag used to create it. cyberark/conjur-oss-helm-chart#119
The Conjur CLI now raises a proper error when trying to rotate a non-existing user's API key. cyberark/conjur#979
The Conjur Ansible role has been migrated to this collection, where it will be maintained moving forward. Currently, the role in the collection is aligned with the v0.3.2 release of the standalone role. cyberark/ansible-conjur-host-identity#30
Add as_file boolean option to the lookup plugin which stores the secret as a temporary file and returns its path. This enables users to use the ansible_ssh_private_key_file parameter to define an SSH private key using a variable stored in Conjur; previously, users couldn't set this parameter via a direct call to the lookup plugin because the parameter does not accept inline SSH keys, and the lookup plugin could only return a string. cyberark/ansible-conjur-collection#52, CyberArk Commons post #1070
Summon and Summon-Conjur default versions are updated to v0.8.3 and v0.5.3, respectively. cyberark/ansible-conjur-host-identity#45
Added retries to tasks/identity/Request identity from Conjur. This will increase the reliability of host factory requests without introducing any extra delay if the first request succeeds.
Support for Conjur Enterprise v4 is deprecated in this release. It will be removed in the next release. cyberark/ansible-conjur-host-identity#45
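As an added illustration of the as_file lookup option described above (not taken from the project's own documentation), the playbook below contrasts the plain string lookup with the as_file form used for ansible_ssh_private_key_file. The variable IDs ci/db/password and ci/ssh/deploy-key, the host group app_servers, the user deploy and the configure-db script are hypothetical; the Conjur collection is assumed to be installed and the Ansible control node already configured to authenticate to Conjur.

```yaml
# Added example. Variable IDs, host group, user and script path are hypothetical.
- name: Connect with an SSH key held in Conjur
  hosts: app_servers
  remote_user: deploy
  vars:
    # Plain lookup: returns the secret value as a string. Suitable for values
    # consumed inline, but not for ansible_ssh_private_key_file, which
    # expects the path of a key file rather than the key itself.
    db_password: "{{ lookup('cyberark.conjur.conjur_variable', 'ci/db/password') }}"

    # as_file=True: the plugin stores the secret in a temporary file on the
    # control node and returns that file's path, which is what the SSH
    # connection parameter needs.
    ansible_ssh_private_key_file: "{{ lookup('cyberark.conjur.conjur_variable', 'ci/ssh/deploy-key', as_file=True) }}"

  tasks:
    - name: Confirm the connection works with the Conjur-held key
      ping:

    - name: Pass the string secret to a command without logging it
      command: /usr/local/bin/configure-db
      environment:
        DB_PASSWORD: "{{ db_password }}"
      no_log: true
```

With this layout the private key never has to be stored in the inventory, the playbook repository or a long-lived file on the control node.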