This repository has been archived by the owner on Jan 9, 2021. It is now read-only.

Conjur version is rolled back to 1.5.0 #50

Closed
izgeri opened this issue Apr 29, 2020 · 0 comments

@izgeri
Contributor

izgeri commented Apr 29, 2020

Currently the integration uses Conjur v1.6.0, but we want to roll back to v1.5.1 for this push since 1.6.0 includes the Rails 5 upgrade and there continue to be minor issues identified that will be fixed in the next tag, which is not yet available. So as not to block our progress on this release, we'll use the last stable version v1.5.0.

diverdane pushed a commit that referenced this issue Apr 30, 2020
This change rolls back the release version of Conjur open source that
is included in the Marketplace application from 1.6.0 back to 1.5.0.
This is being done because the release 1.6.0 is not deemed to be stable.

Some other changes:

* Marketplace application version is changed to 1.5.0

* As images are built, they are pushed to a registry location that uses
`cyberark` as a repo name, i.e.:

```
https://gcr.io/conjur-cloud-launcher-onboard/cyberark:1.6.1
https://gcr.io/conjur-cloud-launcher-onboard/cyberark/deployer:1.6.1
https://gcr.io/conjur-cloud-launcher-onboard/cyberark/nginx:1.6.1
https://gcr.io/conjur-cloud-launcher-onboard/cyberark/postgres:1.6.1
https://gcr.io/conjur-cloud-launcher-onboard/cyberark/tester:1.6.1
```

This is a bit confusing, but the way our Google Marketplace app was
initially set up, the Google Marketplace publishing tools
expect to publish images from the locations above. I checked with
Google Marketplace engineers on this, and they say that the above
locations are correct, and as expected.

* In CONTRIBUTING.md, the step to check for vulnerabilities on the
GCR is deleted, since Google no longer checks for vulnerabilities
in Marketplace images by default. (This is a paid service now.)

Fixes Issue #50
diverdane pushed a commit that referenced this issue May 1, 2020
This change rolls back the release version of Conjur open source that
is included in the Marketplace application from 1.6.0 back to 1.5.0.
This is being done because the release 1.6.0 is not deemed to be stable.

Some other changes:

* Marketplace application version is changed to 1.5.0 to match Conjur
release being used

* As images are built, they are pushed to a registry location that uses
`cyberark` as a repo name, i.e.:

```
https://gcr.io/conjur-cloud-launcher-onboard/cyberark:1.6.1
https://gcr.io/conjur-cloud-launcher-onboard/cyberark/deployer:1.6.1
https://gcr.io/conjur-cloud-launcher-onboard/cyberark/nginx:1.6.1
https://gcr.io/conjur-cloud-launcher-onboard/cyberark/postgres:1.6.1
https://gcr.io/conjur-cloud-launcher-onboard/cyberark/tester:1.6.1
```

This is a bit confusing, but the way our Google Marketplace app was
initially set up, the Google Marketplace publishing tools look for
images to publish in the locations shown above. I checked with
Google Marketplace engineers on this, and they say that the above
locations are correct, and are as they expect.

* In CONTRIBUTING.md, the step to check for vulnerabilities on the
GCR is deleted, since Google no longer checks for vulnerabilities
in Marketplace images by default. (This is a paid service now.)

* The Google marketplace helm deployer that serves as a baseline for
our deployer has been downgraded to 0.9.10, since version 0.10.0 and
0.10.1 have vulnerabilities that we want to avoid.

* The base Postgres image that we use with the Marketplace app has been
upgraded from 10.1 to 10.12 (latest minor version for major version 10).
This eliminates some vulnerabilities that we want to avoid. However,
version 10.12 requires us to set the environment variable:

```
ENV POSTGRES_HOST_AUTH_METHOD=trust
```

Since the helm charts in conjur-oss-helm-charts that we use don't
set this environment variable (yet), a local Dockerfile is being added
to build a postgres container image with this environment variable
setting.

Note that the previous version of postgres image that we were using (10.1)
sets this implicitly, so we're not changing anything functionally
with respect to the postgres authentication method.

This does bring up an important security issue that needs to be
documented for now, and addressed soon. A comment was added to the
Dockerfile to describe the situation:

```
```

Fixes Issue #50
diverdane pushed a commit that referenced this issue May 1, 2020
This change rolls back the release version of Conjur open source that
is included in the Marketplace application from 1.6.0 back to 1.5.0.
This is being done because the release 1.6.0 is not deemed to be stable.

Some other changes:

* Marketplace application version is changed to 1.5.0 to match Conjur
release being used

* As images are built, they are pushed to a registry location that uses
`cyberark` as a repo name, i.e.:

```
https://gcr.io/conjur-cloud-launcher-onboard/cyberark:1.6.1
https://gcr.io/conjur-cloud-launcher-onboard/cyberark/deployer:1.6.1
https://gcr.io/conjur-cloud-launcher-onboard/cyberark/nginx:1.6.1
https://gcr.io/conjur-cloud-launcher-onboard/cyberark/postgres:1.6.1
https://gcr.io/conjur-cloud-launcher-onboard/cyberark/tester:1.6.1
```

This is a bit confusing, but the way our Google Marketplace app was
initially set up, the Google Marketplace publishing tools look for
images to publish in the locations shown above. I checked with
Google Marketplace engineers on this, and they say that the above
locations are correct, and are as they expect.

* In CONTRIBUTING.md, the step to check for vulnerabilities on the
GCR is deleted, since Google no longer checks for vulnerabilities
in Marketplace images by default. (This is a paid service now.)

* The Google marketplace helm deployer that serves as a baseline for
our deployer has been downgraded to 0.9.10, since version 0.10.0 and
0.10.1 have vulnerabilities that we want to avoid.

* The base Postgres image that we use with the Marketplace app has been
upgraded from 10.1 to 10.12 (latest minor version for major version 10).
This eliminates some vulnerabilities that we want to avoid. However,
version 10.12 requires us to set the environment variable:

```
ENV POSTGRES_HOST_AUTH_METHOD=trust
```

Since the helm charts in conjur-oss-helm-charts that we use don't
set this environment variable (yet), a local Dockerfile is being added
to build a postgres container image with this environment variable
setting.

Note that the previous version of postgres image that we were using (10.1)
sets this implicitly, so we're not changing anything functionally
with respect to the postgres authentication method.

This does bring up an important security issue that needs to be
documented for now, and addressed soon. A comment was added to the
Dockerfile to describe the situation:

```
 IMPORTANT NOTE: With the current cyberark/conjur-oss-helm-chart Helm
 charts, the PostGres container is installed as a separate pod from the
 Conjur server. Setting the PostGres authentication method to "trust" means
 that any pod in the same Kubernetes cluster that learns the internal IP
 address and port of the PostGres pod can connect and have root privilege
 access in the PostGres database.

 This means that:
 1) For now, the Conjur Google Marketplace app should be "siloed" in its own
    GKE cluster, while allowing only privileged access to that cluster.
 2) This security challenge is also true for the
    cyberark/conjur-oss-helm-chart Helm charts that the Google Marketplace
    application uses. So the Helm charts should eventually be modified to
    (a) Install the PostGres container in the same pod as Conjur when
        it is included in the Helm install (i.e. external database is not
        being used).
    (b) Optionally, add Helm chart values for selecting different levels of
        PostGres authentication. (At a minimum, allow for selection of
        root username/password, pass those credentials as a Kubernetes
        secret, and maybe use SCRAM-SHA-256 encryption of credentials.)
```

Fixes Issue #50
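
The official postgres image's entrypoint turns `POSTGRES_HOST_AUTH_METHOD` into a `host all all all <method>` record in `pg_hba.conf`, which is why `trust` is reachable from other pods. The check below is an added example, not code from this repository: it reads the variable from a Dockerfile and flags every TCP record in a `pg_hba.conf` that grants `trust` beyond loopback. The function names and both sample inputs are constructed for illustration, and quoted `pg_hba.conf` fields are not handled.

```python
import ipaddress
import re

NET_TYPES = {"host", "hostssl", "hostnossl"}  # pg_hba.conf record types reached over TCP
ENV_RE = re.compile(
    r"^\s*(?i:ENV)\s+POSTGRES_HOST_AUTH_METHOD(?:=|\s+)[\"']?([\w-]+)", re.M)

# Constructed samples (not taken from the project).
SAMPLE_DOCKERFILE = """\
FROM postgres:10.12
ENV POSTGRES_HOST_AUTH_METHOD=trust
"""
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER    ADDRESS               METHOD
local   all       all                           trust
host    all       all     127.0.0.1/32          trust
host    all       all     ::1/128               trust
host    all       all     10.8.0.0 255.255.0.0  trust
host    conjur    conjur  10.8.1.0/24           scram-sha-256
host    all       all     all                   trust
"""


def dockerfile_auth_method(text):
    """Return the POSTGRES_HOST_AUTH_METHOD value set by an ENV line, or None."""
    match = ENV_RE.search(text)
    return match.group(1) if match else None


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def _loopback_only(address, mask=None):
    """True when the client address range cannot match another pod."""
    if address == "samehost":
        return True
    spec = f"{address}/{mask}" if mask else address
    try:
        return ipaddress.ip_network(spec, strict=False).is_loopback
    except ValueError:
        return False  # "all", "samenet", host names, unparsable masks


def audit_pg_hba(text):
    """Return (line_no, address) for each network record that uses trust."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in NET_TYPES:
            continue  # blank line, comment, or Unix-socket "local" record
        address = fields[3]
        # "host db user IP-address IP-mask method" uses one extra field.
        mask = fields[4] if len(fields) > 5 and _is_ip(fields[4]) else None
        method = fields[5] if mask else fields[4]
        if method == "trust" and not _loopback_only(address, mask):
            findings.append((line_no, address))
    return findings


if __name__ == "__main__":
    print("Dockerfile auth method:", dockerfile_auth_method(SAMPLE_DOCKERFILE))
    for line_no, address in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"pg_hba.conf line {line_no}: trust granted to {address}")
```
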
@izgeri izgeri changed the title Conjur version is rolled back to 1.5.1 Conjur version is rolled back to 1.5.0 May 4, 2020
diverdane pushed a commit that referenced this issue May 5, 2020
@izgeri izgeri added the blocked label May 11, 2020
diverdane pushed a commit that referenced this issue May 26, 2020
This change rolls back the release version of Conjur open source that
is included in the Marketplace application from 1.6.0 back to 1.5.0.
This is being done because the release 1.6.0 is not deemed to be stable.

Some other changes:

* Marketplace application version is changed to 1.5.0 to match Conjur
release being used

* As images are built, they are pushed to a registry location that uses
`cyberark` as a repo name, i.e.:

```
https://gcr.io/conjur-cloud-launcher-onboard/cyberark:1.6.1
https://gcr.io/conjur-cloud-launcher-onboard/cyberark/deployer:1.6.1
https://gcr.io/conjur-cloud-launcher-onboard/cyberark/nginx:1.6.1
https://gcr.io/conjur-cloud-launcher-onboard/cyberark/postgres:1.6.1
https://gcr.io/conjur-cloud-launcher-onboard/cyberark/tester:1.6.1
```

This is a bit confusing, but the way our Google Marketplace app was
initially set up, the Google Marketplace publishing tools look for
images to publish in the locations shown above. I checked with
Google Marketplace engineers on this, and they say that the above
locations are correct, and are as they expect.

* In CONTRIBUTING.md, the step to check for vulnerabilities on the
GCR is deleted, since Google no longer checks for vulnerabilities
in Marketplace images by default. (This is a paid service now.)

* The Google marketplace helm deployer that serves as a baseline for
our deployer has been downgraded to 0.9.10, since version 0.10.0 and
0.10.1 have vulnerabilities that we want to avoid.

Fixes Issue #50
diverdane pushed a commit that referenced this issue Jun 1, 2020
diverdane pushed a commit that referenced this issue Jun 11, 2020
@izgeri izgeri removed the blocked label Jun 11, 2020
@izgeri izgeri closed this as completed Jun 15, 2020