This repository has been archived by the owner on Jan 9, 2021. It is now read-only.
Conjur version is rolled back to 1.5.0 #50
diverdane pushed a commit that referenced this issue on Apr 30, 2020

This change rolls back the release version of Conjur open source that is included in the Marketplace application from 1.6.0 back to 1.5.0. This is being done because the release 1.6.0 is not deemed to be stable.

Some other changes:

* Marketplace application version is changed to 1.5.0
* As images are built, they are pushed to a registry location that uses `cyberark` as a repo name, i.e.:

  ```
  https://gcr.io/conjur-cloud-launcher-onboard/cyberark:1.6.1
  https://gcr.io/conjur-cloud-launcher-onboard/cyberark/deployer:1.6.1
  https://gcr.io/conjur-cloud-launcher-onboard/cyberark/nginx:1.6.1
  https://gcr.io/conjur-cloud-launcher-onboard/cyberark/postgres:1.6.1
  https://gcr.io/conjur-cloud-launcher-onboard/cyberark/tester:1.6.1
  ```

  This is a bit confusing, but the way our Google Marketplace app was initially set up, the Google Marketplace publishing tools expect to publish images from the locations above. I checked with Google Marketplace engineers on this, and they say that the above locations are correct, and as expected.
* In CONTRIBUTING.md, the step to check for vulnerabilities on the GCR is deleted, since Google no longer checks for vulnerabilities in Marketplace images by default. (This is a paid service now.)

Fixes Issue #50
diverdane pushed a commit that referenced this issue on May 1, 2020

This change rolls back the release version of Conjur open source that is included in the Marketplace application from 1.6.0 back to 1.5.0. This is being done because the release 1.6.0 is not deemed to be stable.

Some other changes:

* Marketplace application version is changed to 1.5.0 to match Conjur release being used
* As images are built, they are pushed to a registry location that uses `cyberark` as a repo name, i.e.:

  ```
  https://gcr.io/conjur-cloud-launcher-onboard/cyberark:1.6.1
  https://gcr.io/conjur-cloud-launcher-onboard/cyberark/deployer:1.6.1
  https://gcr.io/conjur-cloud-launcher-onboard/cyberark/nginx:1.6.1
  https://gcr.io/conjur-cloud-launcher-onboard/cyberark/postgres:1.6.1
  https://gcr.io/conjur-cloud-launcher-onboard/cyberark/tester:1.6.1
  ```

  This is a bit confusing, but the way our Google Marketplace app was initially set up, the Google Marketplace publishing tools look for images to publish in the locations shown above. I checked with Google Marketplace engineers on this, and they say that the above locations are correct, and are as they expect.
* In CONTRIBUTING.md, the step to check for vulnerabilities on the GCR is deleted, since Google no longer checks for vulnerabilities in Marketplace images by default. (This is a paid service now.)
* The Google marketplace helm deployer that serves as a baseline for our deployer has been downgraded to 0.9.10, since versions 0.10.0 and 0.10.1 have vulnerabilities that we want to avoid.
* The base Postgres image that we use with the Marketplace app has been upgraded from 10.1 to 10.12 (latest minor version for major version 10). This eliminates some vulnerabilities that we want to avoid. However, version 10.12 requires us to set the environment variable:

  ```
  ENV POSTGRES_HOST_AUTH_METHOD=trust
  ```

  Since the helm charts in conjur-oss-helm-charts that we use don't set this environment variable (yet), a local Dockerfile is being added to build a postgres container image with this environment variable setting.

  Note that the previous version of postgres image that we were using (10.1) sets this implicitly, so we're not changing anything functionally with respect to the postgres authentication method. This does bring up an important security issue that needs to be documented for now, and addressed soon. A comment was added to the Dockerfile to describe the situation:

  ```
  ```

Fixes Issue #50
diverdane pushed a commit that referenced this issue on May 1, 2020

This change rolls back the release version of Conjur open source that is included in the Marketplace application from 1.6.0 back to 1.5.0. This is being done because the release 1.6.0 is not deemed to be stable.

Some other changes:

* Marketplace application version is changed to 1.5.0 to match Conjur release being used
* As images are built, they are pushed to a registry location that uses `cyberark` as a repo name, i.e.:

  ```
  https://gcr.io/conjur-cloud-launcher-onboard/cyberark:1.6.1
  https://gcr.io/conjur-cloud-launcher-onboard/cyberark/deployer:1.6.1
  https://gcr.io/conjur-cloud-launcher-onboard/cyberark/nginx:1.6.1
  https://gcr.io/conjur-cloud-launcher-onboard/cyberark/postgres:1.6.1
  https://gcr.io/conjur-cloud-launcher-onboard/cyberark/tester:1.6.1
  ```

  This is a bit confusing, but the way our Google Marketplace app was initially set up, the Google Marketplace publishing tools look for images to publish in the locations shown above. I checked with Google Marketplace engineers on this, and they say that the above locations are correct, and are as they expect.
* In CONTRIBUTING.md, the step to check for vulnerabilities on the GCR is deleted, since Google no longer checks for vulnerabilities in Marketplace images by default. (This is a paid service now.)
* The Google marketplace helm deployer that serves as a baseline for our deployer has been downgraded to 0.9.10, since versions 0.10.0 and 0.10.1 have vulnerabilities that we want to avoid.
* The base Postgres image that we use with the Marketplace app has been upgraded from 10.1 to 10.12 (latest minor version for major version 10). This eliminates some vulnerabilities that we want to avoid. However, version 10.12 requires us to set the environment variable:

  ```
  ENV POSTGRES_HOST_AUTH_METHOD=trust
  ```

  Since the helm charts in conjur-oss-helm-charts that we use don't set this environment variable (yet), a local Dockerfile is being added to build a postgres container image with this environment variable setting.

  Note that the previous version of postgres image that we were using (10.1) sets this implicitly, so we're not changing anything functionally with respect to the postgres authentication method. This does bring up an important security issue that needs to be documented for now, and addressed soon. A comment was added to the Dockerfile to describe the situation:

  ```
  IMPORTANT NOTE:
  With the current cyberark/conjur-oss-helm-chart Helm charts, the
  PostGres container is installed as a separate pod from the Conjur
  server. Setting the PostGres authentication method to "trust" means
  that any pod in the same Kubernetes cluster that learns the internal
  IP address and port of the PostGres pod can connect and have root
  privilege access in the PostGres database. This means that:

  1) For now, the Conjur Google Marketplace app should be "siloed" in
     its own GKE cluster, while allowing only privileged access to
     that cluster.
  2) This security challenge is also true for the
     cyberark/conjur-oss-helm-chart Helm charts that the Google
     Marketplace application uses. So the Helm charts should
     eventually be modified to
     (a) Install the PostGres container in the same pod as Conjur
         when it is included in the Helm install (i.e. external
         database is not being used.
     (b) Optionally, add Helm chart values for selecting different
         levels of PostGres authentication. (At a minimum, allow for
         selection of root username/password, pass those credentials
         as a Kubernetes secret, and maybe use SCRAM-SHA-256
         encryption of credentials.
  ```

Fixes Issue #50
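An added example (not code from this repository or from CyberArk): a small Python auditor for the exposure the Dockerfile note above describes. It reports the `POSTGRES_HOST_AUTH_METHOD` that a Dockerfile sets and flags `pg_hba.conf` host records that use `trust` for non-loopback peers; the sample Dockerfile, its `postgres:10.12` tag and the sample `pg_hba.conf` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: a pg_hba.conf in which remote peers are trusted.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER    ADDRESS        METHOD
local   all       all                    trust
host    all       all     127.0.0.1/32   trust
host    all       all     ::1/128        trust
host    all       all     all            trust
host    conjur    conjur  10.0.0.0 255.0.0.0  scram-sha-256
"""

# Constructed sample Dockerfile around the ENV line quoted in the commit message.
SAMPLE_DOCKERFILE = """\
FROM postgres:10.12
ENV POSTGRES_HOST_AUTH_METHOD=trust
"""

HOST_TYPES = {"host", "hostssl", "hostnossl"}


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_loopback_only(address, mask=None):
    """True when a pg_hba.conf ADDRESS can only match the server itself."""
    if address == "samehost":
        return True
    try:
        spec = f"{address}/{mask}" if mask else address
        return ipaddress.ip_network(spec, strict=False).is_loopback
    except ValueError:
        # "all", "samenet" and host names can all match remote peers.
        return False


def audit_pg_hba(text):
    """Return (line_no, record) for host records that trust non-loopback peers."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # a quoted '#' is not handled
        if len(fields) < 5 or fields[0] not in HOST_TYPES:
            continue
        address, rest = fields[3], fields[4:]
        mask = None
        # Old-style records carry the netmask in a separate column.
        if "/" not in address and len(rest) >= 2 and _is_ip(rest[0]):
            mask, rest = rest[0], rest[1:]
        if rest[0].lower() == "trust" and not is_loopback_only(address, mask):
            findings.append((line_no, " ".join(fields)))
    return findings


def dockerfile_auth_method(text):
    """Return the last POSTGRES_HOST_AUTH_METHOD set by an ENV line, or None."""
    method = None
    for line in text.splitlines():
        if line.strip().upper().startswith("ENV "):
            m = re.search(r"POSTGRES_HOST_AUTH_METHOD[=\s]+[\"']?([\w-]+)", line)
            if m:
                method = m.group(1).lower()
    return method


if __name__ == "__main__":
    print("Dockerfile auth method:", dockerfile_auth_method(SAMPLE_DOCKERFILE))
    for line_no, record in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"pg_hba.conf line {line_no} trusts remote peers: {record}")
```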
izgeri changed the title from "Conjur version is rolled back to 1.5.1" to "Conjur version is rolled back to 1.5.0" on May 4, 2020
diverdane pushed a commit that referenced this issue on May 5, 2020
diverdane pushed a commit that referenced this issue on May 26, 2020

This change rolls back the release version of Conjur open source that is included in the Marketplace application from 1.6.0 back to 1.5.0. This is being done because the release 1.6.0 is not deemed to be stable.

Some other changes:

* Marketplace application version is changed to 1.5.0 to match Conjur release being used
* As images are built, they are pushed to a registry location that uses `cyberark` as a repo name, i.e.:

  ```
  https://gcr.io/conjur-cloud-launcher-onboard/cyberark:1.6.1
  https://gcr.io/conjur-cloud-launcher-onboard/cyberark/deployer:1.6.1
  https://gcr.io/conjur-cloud-launcher-onboard/cyberark/nginx:1.6.1
  https://gcr.io/conjur-cloud-launcher-onboard/cyberark/postgres:1.6.1
  https://gcr.io/conjur-cloud-launcher-onboard/cyberark/tester:1.6.1
  ```

  This is a bit confusing, but the way our Google Marketplace app was initially set up, the Google Marketplace publishing tools look for images to publish in the locations shown above. I checked with Google Marketplace engineers on this, and they say that the above locations are correct, and are as they expect.
* In CONTRIBUTING.md, the step to check for vulnerabilities on the GCR is deleted, since Google no longer checks for vulnerabilities in Marketplace images by default. (This is a paid service now.)
* The Google marketplace helm deployer that serves as a baseline for our deployer has been downgraded to 0.9.10, since versions 0.10.0 and 0.10.1 have vulnerabilities that we want to avoid.

Fixes Issue #50
diverdane pushed a commit that referenced this issue on Jun 1, 2020
diverdane pushed a commit that referenced this issue on Jun 11, 2020
Currently the integration uses Conjur v1.6.0, but we want to roll back to v1.5.1 for this push since 1.6.0 includes the Rails 5 upgrade and there continue to be minor issues identified that will be fixed in the next tag, which is not yet available. So as not to block our progress on this release, we'll use the last stable version v1.5.0.