Releases: cyberark/secretless-broker

v1.7.2

05 Feb 22:41
c778f0e

Changelog

Added

Deprecated

Fixed

  • Automatic endpoint discovery for the AWS connector was updated to address two
    bugs where (1) the request host header was not being updated to the discovered
    endpoint, and (2) the request modification was being done after signing the
    request which would result in a failing integrity check.
    cyberark/secretless-broker#1369
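
The ordering problem behind this fix, as an added Go sketch (not Secretless code). It uses a simplified HMAC over method, path and Host in place of full AWS SigV4; the hostnames, key, `X-Signature` header and function names are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
)

// sign computes a simplified SigV4-style signature: an HMAC-SHA256 over the
// method, path and Host header. Real SigV4 covers more fields, but Host is
// always among the signed headers, which is what matters here.
func sign(key []byte, r *http.Request) string {
	mac := hmac.New(sha256.New, key)
	fmt.Fprintf(mac, "%s\n%s\nhost:%s\n", r.Method, r.URL.Path, r.Host)
	return hex.EncodeToString(mac.Sum(nil))
}

// rewriteEndpoint points the request at the discovered endpoint. Both the URL
// host and the Host header must change (bug 1 left the Host header stale).
func rewriteEndpoint(r *http.Request, endpoint string) {
	r.URL.Host = endpoint
	r.Host = endpoint
}

// serverAccepts recomputes the signature from the request as received.
func serverAccepts(key []byte, r *http.Request) bool {
	return hmac.Equal([]byte(sign(key, r)), []byte(r.Header.Get("X-Signature")))
}

// send builds a request for a generic host, then signs and rewrites it in
// the requested order. All values are constructed sample data.
func send(key []byte, signFirst bool) *http.Request {
	r, _ := http.NewRequest("GET", "https://service.example.test/items", nil)
	if signFirst { // buggy order (bug 2): signature covers the old host
		r.Header.Set("X-Signature", sign(key, r))
		rewriteEndpoint(r, "service.region-1.example.test")
	} else { // fixed order: rewrite first, then sign the final request
		rewriteEndpoint(r, "service.region-1.example.test")
		r.Header.Set("X-Signature", sign(key, r))
	}
	return r
}

func main() {
	key := []byte("constructed-demo-key")
	fmt.Println("sign then rewrite accepted:", serverAccepts(key, send(key, true)))
	fmt.Println("rewrite then sign accepted:", serverAccepts(key, send(key, false)))
}
```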

v1.7.1

23 Oct 21:09
4658911
Pre-release

Change log

Added

  • The vault provider now supports loading secrets from the KV Version 2 secret engine. Reference a secret in Vault using the right path and a field navigation in the Secretless configuration. cyberark/secretless-broker#1331

Changed

v1.7.0

14 Sep 13:56
b3c42e3

Change log

Added

  • Secretless and secretless-redhat containers now use Alpine 3.12 as their base image.
    PR cyberark/secretless-broker#1296
  • MySQL and PostgreSQL connectors support SSL host name verification with verify-full SSL mode. Also adds optional sslhost configuration parameter that is compared to the server's certificate SAN.
    cyberark/secretless-broker#548
  • Generic HTTP connector now supports queryParam as a configurable section in the Secretless configuration file, under config. This allows the construction of a query string which can have credentials injected as needed.
    cyberark/secretless-broker#1290
  • Generic HTTP connector now supports oauth1 as a configurable section in the Secretless configuration file, under config. This allows the construction of a header for an OAuth 1.0 request. The OAuth 1.0 feature currently only supports HMAC-SHA1, but there is an issue logged to support other hashing methods.
    cyberark/secretless-broker#1297
  • Many (20+) example generic connector configurations were added to the project, to demonstrate support for a broad set of popular APIs and to serve as an example for other APIs users may need to use Secretless with their apps. See here for the full list of examples.
    cyberark/secretless-broker#1248

v1.6.0

05 May 14:08
ed1d329

Change log

Added

  • Support for a SECRETLESS_HTTP_CA_BUNDLE environment variable that specifies the path to a CA cert bundle and enables users to configure Secretless with additional CA certificates for server cert verification when using HTTP connectors. (PR #1180)
  • TLS support for the Secretless-to-server connections of the MSSQL connector. This is the recommended way to secure this connection and achieves feature parity with other TLS connectors. (#1163, #1164, #1165)
  • MSSQL connector supports SSL host name verification with verify-full SSL mode. Also adds optional sslhost configuration parameter that is compared to the server's certificate SAN. (#1199)

Fixed

  • PostgreSQL connector log messages were updated to improve formatting, fixing a previous issue where the log messages were improperly formatted and were garbled in the logs. (PR #1192)

Security

  • TCP connectors all automatically zeroize the connection credentials in memory after successfully opening a connection; previously, credentials were only zeroized in memory on error. (#1188)

v1.5.2

24 Feb 22:31
b9bf4e4

Change log

Changed

Fixed

  • Updated RH image push to ensure we're logged into the RH container registry
    appropriately before pushing (#1149)

v1.5.1

12 Feb 22:43
0889076

Notable changes

Improved integration tests, MSSQL connector support in our performance testing tool, and updated logging to display INFO level messages by default.

Upgrade instructions

Update your application manifests to refer to cyberark/secretless-broker:1.5.1

Known issues

None.

Change log

Added

  • Added RedHat certified image build to pipeline (#1141)
  • Added pipeline step to validate changelog (#1138)
  • Added MSSQL support to juxtaposer perf testing tool (#1135)
  • Added SIGPIPE to signals handled by Secretless Juxtaposer (#1136)
  • Added JDBC Integration tests for Postgres (#1130)
  • Added JDBC Tests for MSSQL (#1124)
  • Added client params propagation to MSSQL integration tests (#1103)

Changed

  • Default logging level changed from Warn to Info. Some logging message
    levels were readjusted to retain the same UX. (#1127)
  • Update bin/prefill_changelog to generate valid CHANGELOG / ensure current
    CHANGELOG parses (#1138)
  • Converted integration tests to use configs.v2 (#1120)

Fixed

  • Fixed broken documentation links (#1122)

v1.5.0

29 Jan 22:46
4dfeef3

The MSSQL connector is beta!

Change Log

Added

  • Added option to specify MSSQL edition in tests (#1093)
  • Added debug image that can be used with a debugger like delve (#1056)
  • Added template READMEs to connector templates (#1020)

Changed

  • Updated release instructions (#1080)
  • Improved MSSQL connector tests (#1107, #1089, #1098)
  • Improved handling of io.EOF errors on TCP proxy_service
  • Conjur authn-k8s client version bumped to v0.16.0
  • Added links to SDK docs in README (#1104)
  • Ensure external connector plugins will not override built-in connectors (#1085)
  • MSSQL connector moved to beta

Fixed

  • Updated pg connector to better validate packet length (#1095)
  • MSSQL connector faithfully propagates login response (#1106)
  • MSSQL connector faithfully propagates login request (#1107)

v1.4.2

08 Jan 22:36
2b9a73c

Change log

Added

  • Updated CONTRIBUTING.md with instructions for using go-mssqldb submodule (#1044)
  • Added gosec security scan to pipeline (#976)
  • Added integration tests for MSSQL against additional MSSQL versions (#1017)
  • Added gofmt to CodeClimate checks (#1055)
  • Added support for MSSQL client parameter propagation (#1012)

Changed

  • Bumped the conjur-authn-k8s-client version for the Conjur provider k8s
    authenticator to v0.15.0 (#1060)
  • Example plugin updated for clarity (#1061)
  • Plugin SDK templates updated for clarity (#1054)
  • Removed hardcoded PreloginResponse from MSSQL connector (#1014)
  • Bumped Go version in Dockerfile to 1.13

Fixed

  • Secretless doesn't exit when it can't start a configured connector (#1057)
  • Secretless has insufficient logs when the config file has trouble loading (#1062)

v1.4.1

11 Dec 22:59
Pre-release

Change log

Added

Changed

  • Added go-mssqldb dependency as a submodule (#1038)

Fixed

  • Updated Conjur provider to log and exit on repeated authentication failure
    (#1035)

v1.4.0

05 Dec 03:21
fbdbfee
Pre-release

Notably, in this release we add an alpha generic HTTP connector. This new connector enables you to use Secretless to inject authentication credentials into your API request for most APIs - even if Secretless doesn't have a built-in connector specifically for that API. All you have to do is update your Secretless configuration 💪

If you are interested in using the Secretless generic HTTP connector to securely handle your API authentication or to help in writing new HTTP connectors, please view the README.

Change log

Added

  • Added generic HTTP connector to enable writing new HTTP connectors via
    config (#995)

Changed

  • Improved logs for k8s CRD test failure debugging (#1027)
  • Updated Ruby version in docs container (#1028)
  • Updated Conjur HTTP connector to leverage the generic HTTP connector (#1009)
  • Reorganized integration tests (#958)
  • Updated Basic Auth HTTP connector to leverage the generic HTTP connector
    (#1007)
  • Replaced "honnef.co/go/tools" dependency in go.sum with a github link
  • Updated "ozzo-validation" dependency to latest version
  • Make forceSSL setting explicit in e2e tests