From 9e06af8ce92078e07654e42e401c9a18a9eb0e1a Mon Sep 17 00:00:00 2001 From: Srdjan Grubor Date: Wed, 16 Sep 2020 16:18:19 -0500 Subject: [PATCH 1/5] Prep for v3.0.0 release CHANGELOG was compressed to show only v2->v3 changes and metadata was updated to refer to the v3 non-RC version. --- CHANGELOG.md | 19 +++---------------- metadata.json | 2 +- 2 files changed, 4 insertions(+), 17 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2ec435b..ba6bb4f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,19 +6,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ## [Unreleased] -### Changed -- Changed recommended usages to no longer wrap the whole invocation in Sensitive as - it is generally not needed. - [cyberark/conjur-puppet#198](https://github.com/cyberark/conjur-puppet/issues/198) - -## [3.0.0-rc3] - 2020-09-11 - -### Fixed -- Release artifact excludes files that may be inadvertently added to the archive - during builds. - [cyberark/conjur-puppet#213](https://github.com/cyberark/conjur-puppet/issues/213) - -## [3.0.0-rc2] - 2020-08-26 +## [3.0.0] - 2020-09-17 ### Added - Secrets are now retrieved by the Puppet agent, instead of the server, using Puppet's 
@@ -170,9 +158,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ### Fixed - fixed a bug in host identity manifest preventing usage of host factory -[Unreleased]: https://github.com/cyberark/conjur-puppet/compare/v3.0.0-rc3...HEAD -[3.0.0-rc3]: https://github.com/cyberark/conjur-puppet/compare/v3.0.0-rc2...v3.0.0-rc3 -[3.0.0-rc2]: https://github.com/cyberark/conjur-puppet/compare/v2.0.6...v3.0.0-rc2 +[Unreleased]: https://github.com/cyberark/conjur-puppet/compare/v3.0.0...HEAD +[3.0.0]: https://github.com/cyberark/conjur-puppet/compare/v2.0.6...v3.0.0 [2.0.6]: https://github.com/cyberark/conjur-puppet/compare/v2.0.5...v2.0.6 [2.0.5]: https://github.com/cyberark/conjur-puppet/compare/v2.0.4...v2.0.5 [2.0.4]: https://github.com/cyberark/conjur-puppet/compare/v2.0.3...v2.0.4 diff --git a/metadata.json b/metadata.json index b91e693..23dd139 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "cyberark-conjur", - "version": "3.0.0-rc3", + "version": "3.0.0", "author": "CyberArk Software, Inc.", "summary": "Register nodes as Conjur hosts and securely use secrets stored in Conjur", "license": "Apache-2.0", From 667dc0b4ac963bd377f4bf410267ae4bc34086c9 Mon Sep 17 00:00:00 2001 From: Srdjan Grubor Date: Thu, 17 Sep 2020 10:45:08 -0500 Subject: [PATCH 2/5] Remove references of CertFile from README This is not a completed feature yet so it's being pulled from the docs for now. --- README.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 4be4d65..9d25802 100644 --- a/README.md +++ b/README.md 
@@ -408,17 +408,15 @@ values available to set are: |-|-|-| | `Account` | `REG_SZ` | Conjur account specified during Conjur setup. | | `ApplianceUrl` | `REG_SZ` | Conjur API endpoint. | -| `CertFile` | `REG_SZ` | Path to a file containing the public Conjur SSL cert. This value **must** be an absolute path and not a relative one. | -| `SslCertificate` | `REG_SZ` | Raw public Conjur SSL cert. Overwritten by the contents read from `CertFile` when it is present. | +| `SslCertificate` | `REG_SZ` | Raw public Conjur SSL cert.| | `Version` | `REG_DWORD` | Conjur API version. Defaults to `5`. | -These may be set using Powershell (**use either `SslCertificate` _or_ `CertFile` but not both**): +These may be set using Powershell: ```powershell > reg ADD HKLM\Software\CyberArk\Conjur /v ApplianceUrl /t REG_SZ /d https://conjur.mycompany.com > reg ADD HKLM\Software\CyberArk\Conjur /v Version /t REG_DWORD /d 5 > reg ADD HKLM\Software\CyberArk\Conjur /v Account /t REG_SZ /d myorg -> reg ADD HKLM\Software\CyberArk\Conjur /v CertFile /t REG_SZ /d "C:\path\to\ca.pem" > reg ADD HKLM\Software\CyberArk\Conjur /v SslCertificate /t REG_SZ /d "-----BEGIN CERTIFICATE-----..." ``` @@ -431,7 +429,6 @@ Windows Registry Editor Version 5.00 "ApplianceUrl"="https://conjur.mycompany.com" "Version"=dword:00000005 "Account"="myorg" -"CertFile"="C:\path\to\ca.pem" ``` _**NOTE: It is important from a security perspective to ensure that From 72cbfa472f0ff35e69a0aa08de5ef065a70a406a Mon Sep 17 00:00:00 2001 From: Srdjan Grubor Date: Thu, 17 Sep 2020 10:52:13 -0500 Subject: [PATCH 3/5] Add Trusted certification level information This project is now certified as Trusted so we added this info to the README. --- README.md | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 9d25802..63ee6ec 100644 --- a/README.md +++ b/README.md 
@@ -5,6 +5,8 @@ #### Table of Contents - [Description](#description) +- [Certification Level](#certification-level) + * [Certified Versions](#certified-versions) - [Setup](#setup) * [Setup requirements](#setup-requirements) * [Deprecations](#deprecations) @@ -12,7 +14,6 @@ + [Conjur Enterprise v4](#conjur-enterprise-v4) + [Use of Host Factory Tokens](#use-of-host-factory-tokens) * [Installation](#installation) - + [Certified Versions](#certified-versions) * [Using conjur-puppet with Conjur OSS](#using-conjur-puppet-with-conjur-oss) * [Conjur module basics](#conjur-module-basics) + [Example usage](#example-usage) 
@@ -41,13 +42,27 @@ secrets from Conjur. You can find our official distributable releases on Puppet Forge under [`cyberark/conjur`](https://forge.puppet.com/cyberark/conjur). +## Certification level + +![](https://img.shields.io/badge/Certification%20Level-Trusted-007BFF?link=https://github.com/cyberark/community/blob/master/Conjur/conventions/certification-levels.md) + +This repo is a **Trusted** level project. It's been reviewed by CyberArk to verify that it will securely +work with Conjur OSS as documented. For more detailed information on our certification levels, see +[our community guidelines](https://github.com/cyberark/community/blob/master/Conjur/conventions/certification-levels.md#community). + +### Certified Versions + +Releases of this module belonging to the `v3` major version are not currently +Certified. If a Certified version of this module is desired, please use the highest +available `v2.x.x` version available on PuppetForge under +[`cyberark/conjur`](https://forge.puppet.com/cyberark/conjur). + ## Setup ### Setup requirements This module requires that you have: -- Puppet v6 _or equivalent EE version_ (**Preliminary [Community level](https://github.com/cyberark/community/blob/master/Conjur/conventions/certification-levels.md#community) - support only**) +- Puppet v6 _or equivalent EE version_ - Conjur endpoint available to both the Puppet server and the Puppet nodes using this module. Supported versions: - Conjur OSS v1+ 
@@ -89,14 +104,6 @@ command on the Puppet server: puppet module install cyberark-conjur --version 1.2.3 ``` -#### Certified Versions - -Releases of this module belonging to the `v3` major version are not currently -Certified. If a Certified version of this module is desired, please use the highest -available `v2.x.x` version available on PuppetForge under -[`cyberark/conjur`](https://forge.puppet.com/cyberark/conjur). More details about -Certification Levels can be found in our [Community repo](https://github.com/cyberark/community/blob/master/Conjur/conventions/certification-levels.md). - ### Using conjur-puppet with Conjur OSS Are you using this project with [Conjur OSS](https://github.com/cyberark/conjur)? Then we From 60ad79cbfadb13cb1bf22f19ee9246d55fc2707e Mon Sep 17 00:00:00 2001 From: Srdjan Grubor Date: Thu, 17 Sep 2020 13:11:33 -0500 Subject: [PATCH 4/5] Fix broken links on REDAME doc in Puppet Forge Relative links don't work on Puppet Forge so their instances in README were changed to absolute links. --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 63ee6ec..b01186d 100644 --- a/README.md +++ b/README.md @@ -476,11 +476,13 @@ $dbpass = Deferred(conjur::secret, ['production/postgres/password']) ## Reference -For a complete reference, please see [REFERENCE.md](REFERENCE.md). +For a complete reference, please see +[REFERENCE.md](https://github.com/cyberark/conjur-puppet/blob/master/REFERENCE.md). ## Limitations -See [metadata.json](metadata.json) for supported platforms. +See [metadata.json](https://github.com/cyberark/conjur-puppet/blob/master/metadata.json) +for supported platforms. At current, the Conjur Puppet module encrypts and decrypts the Conjur access token using the Puppet server’s private/public key pair. This is known to be From 55136e75b9a4290990516e4b2f8c2c02544ce495 Mon Sep 17 00:00:00 2001 
From: Srdjan Grubor Date: Thu, 17 Sep 2020 13:13:48 -0500 Subject: [PATCH 5/5] Clarified usage info in README This change changes the basic usage examples to use the same language as the headers for their respective sections. --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index b01186d..f1ba90b 100644 --- a/README.md +++ b/README.md @@ -122,13 +122,13 @@ that can be used to retrieve secrets from Conjur. Given a Conjur variable identi identity parameters, `conjur::secret` uses the node’s Conjur identity to resolve and return the variable’s value as a `Sensitive` variable. -Using agent-side identity: +Using a pre-provisioned identity: ```puppet $dbpass = Deferred(conjur::secret, ['production/postgres/password']) ``` -Using server-provided configuration: +Using a manifest-provided identity: ```puppet $sslcert = @("EOT") -----BEGIN CERTIFICATE-----
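Review bot: In the first CHANGELOG.md hunk of PATCH 1/5, the `### Changed` entry for cyberark/conjur-puppet#198 and the `### Fixed` entry for cyberark/conjur-puppet#213 are deleted outright instead of being moved under the new `## [3.0.0] - 2020-09-17` heading. The #198 item describes a change to the recommended usage (no longer wrapping the whole invocation in `Sensitive`), which a user reading the v3.0.0 notes would want to see. Keep it as a `### Changed` entry under 3.0.0, or say in the commit message why it is intentionally dropped. The #213 packaging fix is easier to justify removing, but the message should say so as well.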
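Review bot: In the README.md hunk at `@@ -408,17 +408,15 @@` (PATCH 2/5), removing `CertFile` leaves `reg ADD ... /v SslCertificate /t REG_SZ /d "-----BEGIN CERTIFICATE-----..."` as the only documented way to supply the certificate, and nothing here says how a multi-line PEM is expected to be encoded in a single `REG_SZ` value. Add a sentence on how line breaks in the certificate should be passed, since a malformed value is the likely failure once the file-path option is gone. Two style points in the same hunk: the new table cell `Raw public Conjur SSL cert.|` is missing the space before the closing pipe, and "Powershell" should be "PowerShell".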
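Review bot: In the `.reg` example at `@@ -431,7 +429,6 @@` (PATCH 2/5), deleting `"CertFile"="C:\path\to\ca.pem"` leaves the sample ending at `"Account"="myorg"` with no certificate value at all, while the `reg ADD` example just above still sets `SslCertificate`. Add an `"SslCertificate"=` line here so both examples configure the same set of values. As it stands, a reader importing this file verbatim ends up with no Conjur certificate configured.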
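Review bot: In the new `## Certification level` section (PATCH 3/5, `@@ -41,13 +42,27 @@`), the text declares the project **Trusted**, yet the "our community guidelines" link ends in `certification-levels.md#community`, the same fragment as the Community-level link this patch removes from Setup requirements. Point the link at the Trusted section of that document, or drop the fragment. The section also says the repo is Trusted while the `### Certified Versions` text directly below says `v3` releases are not currently Certified, so a sentence relating the two terms would avoid confusion. Minor: the badge image `![](...)` has empty alt text, and the heading is "Certification level" while the table of contents entry added in the same patch is "Certification Level".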
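Review bot: In PATCH 4/5 (`@@ -476,11 +476,13 @@`), both new absolute links use `blob/master`, so the README published on Puppet Forge for a given release will resolve to whatever `REFERENCE.md` and `metadata.json` are on master at read time, not the files that shipped with that release. Link to the release tag instead, for example the `v3.0.0` tag already used in the CHANGELOG compare links, so the supported-platform list and reference match the installed module. The subject line also has a typo, "REDAME".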