To learn more about the Conjur Open Source Suite Release structure, refer to the documentation introduction.
New and enhanced functionality includes:
This release includes improved error handling by the Conjur server.
Conjur Cloud Foundry Integration
The Conjur Buildpack has been updated to add support for Summon environments in the secrets.yml file. Users can now divide their secrets.yml files into environments and specify which environment secrets should be loaded at runtime using the new SECRETS_YAML_ENVIRONMENT environment variable. For detailed instructions on using this new functionality, see the project README.
This release also includes a minor update to the Conjur Service Broker. Users who consume our Tanzu Application Service tile should wait for the next tile release to update the service broker, but all users may install the buildpack at any time following the documented instructions.
These are the primary repositories for Conjur Open Source and its SDK.
The following components are included or enhanced in Conjur OSS Suite Version v1.11.3+Suite.1:
cyberark/conjur-cli v6.2.3 (2020-12-22)
cyberark/conjur-api-dotnet v2.0.0 (2020-06-10)
cyberark/conjur-api-go v0.7.1 (2021-03-01)
cyberark/conjur-api-java v3.0.2 (2020-10-28)
cyberark/conjur-api-python3 v0.1.1 (2020-11-05)
cyberark/conjur-api-ruby v5.3.4 (2020-10-29)
cyberark/cloudfoundry-conjur-buildpack v2.2.0 (2020-03-01)
cyberark/conjur-service-broker v1.1.5 (2021-03-01)
cyberark/conjur-authn-k8s-client v0.19.1 (2021-02-08)
cyberark/secrets-provider-for-k8s v1.1.3 (2021-03-01)
cyberark/ansible-conjur-collection v1.1.0 (2020-12-29)
cyberark/ansible-conjur-host-identity v0.3.2 (2020-12-29)
cyberark/conjur-puppet v3.1.0 (2020-10-08)
cyberark/terraform-provider-conjur v0.4.0 (2020-04-29)
cyberark/secretless-broker v1.7.3 (2020-03-09)
Conjur OSS Suite installation
Installing the Suite Release Version of Conjur requires setting the container image tag.
Follow the instructions relevant for your environment.
- Docker or docker-compose
  Set the container image tag to cyberark/conjur:1.11.3. For example, make the following update to the conjur service in the quickstart docker-compose.yml:
- Conjur OSS Helm chart
  Set the image.tag value and use the appropriate release of the helm chart:
  helm install ... \
    --set image.tag="1.11.3" \
    ... https://github.com/cyberark/conjur-oss-helm-chart/releases/download/v2.0.3/conjur-oss-2.0.3.tgz
Upgrade instructions are available for the following suite components:
What's new by component
The following components were introduced or enhanced in the Conjur OSS suite version v1.11.3+suite.1.
Conjur now raises a RoleNotFound error when trying to authenticate a non-existent host in authn-k8s. cyberark/conjur#2046
Conjur now raises a new ServiceIdMissing error if the service-id param is missing in an authentication request for the OIDC authenticator. cyberark/conjur#2004
RetrieveBatchSecretsSafe method, which allows the user to specify the use of the Accept: base64 header in batch retrieval requests. This allows binary secrets to be retrieved from Conjur. cyberark/conjur-api-go#88
Updated Go versions to 1.15.
Resources method no longer sends improperly URL-encoded query strings when filtering resources with the "Search" parameter. Previously, if you used a "Search" value that included a slash "/", the client would return no results even if the server had matching resources due to an issue with the URL-encoding. cyberark/conjur-api-go#93
Support for using Summon environments in the secrets.yml file. Users can now divide their secrets.yml files into sections for each environment and specify the secrets to load at runtime using the new SECRETS_YAML_ENVIRONMENT environment variable. See the README for more information. cyberark/cloudfoundry-conjur-buildpack#44
Support for using the Buildpack with Conjur Enterprise v4. We recommend users migrate to Dynamic Access Provider v11+ or Conjur OSS v1+. cyberark/cloudfoundry-conjur-buildpack#86
The service broker Gemfile now specifies the Ruby version so that the service broker no longer fails to install when using a version of the Ruby Buildpack v1.8.15 or older, due to an incompatibility issue between Ruby and Nokogiri versions. cyberark/conjur-service-broker#229
Support for Conjur Enterprise v4 has been removed. We recommend users migrate to Dynamic Access Provider v11+ or Conjur OSS v1+. cyberark/conjur-service-broker#203
The Authenticate method now parses the authentication response and writes it to the token file, without the need to call ParseAuthenticationResponse. This is a breaking change for software that leverages the go get github.com/cyberark/conjur-authn-k8s-client/pkg/authenticator Go package (Secretless and Secrets Provider for Kubernetes); users of the Kubernetes Authenticator Client Docker image are not impacted by this change. cyberark/conjur-authn-k8s-client#180
The project Golang version is updated from the end-of-life v1.12 to the latest version v1.15. cyberark/conjur-authn-k8s-client#206
Improve the error message raised when the username doesn't include the host/ prefix. cyberark/conjur-authn-k8s-client#212
Updated Kubernetes Authenticator Client version to 0.19.1, which streamlines the parsing of authentication responses, updates the project Golang version to v1.15, and improves error messaging.
Updated Kubernetes Authenticator Client version to 0.19.1, which streamlines the parsing of authentication responses, updates the project Golang version to v1.15, and improves error messaging.
When configured for the SSL mode of prefer, Secretless now sends a valid "SSL is not supported" response per the PostgreSQL protocol standard when a client attempts to open an SSL connection using the PostgreSQL connector. When the client is configured for SSL mode prefer, the updated response enables the client to downgrade to an insecure connection and continue. Previously, clients sending requests using the SSL mode of either prefer would receive a generic error from Secretless, which made it harder to determine the root cause of the problem and caused the prefer SSL mode to not function correctly. cyberark/secretless-broker#1377
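The SSLRequest exchange described in the Secretless entry above, modeled from both sides as an added Go example; it is not Secretless Broker code. The function names and the sample packet are constructed for illustration, while the request code and the single-byte 'N' reply follow the PostgreSQL frontend/backend protocol and the client reactions follow the libpq sslmode definitions.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// sslRequestCode is the PostgreSQL SSLRequest code (1234<<16 | 5679).
const sslRequestCode = 80877103

// sampleSSLRequest is a constructed 8-byte SSLRequest: Int32 length 8, Int32 code.
var sampleSSLRequest = []byte{0x00, 0x00, 0x00, 0x08, 0x04, 0xD2, 0x16, 0x2F}

// isSSLRequest reports whether pkt is exactly an SSLRequest message.
func isSSLRequest(pkt []byte) bool {
	return len(pkt) == 8 &&
		binary.BigEndian.Uint32(pkt[0:4]) == 8 &&
		binary.BigEndian.Uint32(pkt[4:8]) == sslRequestCode
}

// serverReply models a listener without TLS: it answers an SSLRequest with the
// single byte 'N' ("SSL is not supported") and keeps the connection open.
func serverReply(pkt []byte) ([]byte, error) {
	if !isSSLRequest(pkt) {
		return nil, errors.New("not an SSLRequest")
	}
	return []byte{'N'}, nil
}

// clientDecision models how a libpq-style client reacts to the reply byte.
func clientDecision(sslmode string, reply byte) (string, error) {
	switch {
	case reply == 'S':
		return "tls", nil
	case reply == 'N' && sslmode == "prefer":
		return "plaintext", nil // silent downgrade: traffic is unencrypted
	case reply == 'N' && (sslmode == "require" || sslmode == "verify-ca" || sslmode == "verify-full"):
		return "", fmt.Errorf("sslmode=%s: server does not support SSL", sslmode)
	}
	return "", fmt.Errorf("unexpected reply %q for sslmode=%s", reply, sslmode)
}

func main() {
	reply, _ := serverReply(sampleSSLRequest)
	for _, mode := range []string{"prefer", "require"} {
		transport, err := clientDecision(mode, reply[0])
		fmt.Printf("sslmode=%s -> transport=%q err=%v\n", mode, transport, err)
	}
}
```

On a hop where encryption is mandatory, configure the client for require or stricter so that the 'N' reply ends the connection instead of downgrading it.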