Release Notes for CyberArk Conjur Service Broker for VMware Tanzu

These are release notes for CyberArk Conjur Service Broker for VMware Tanzu

v1.3.2

Release Date: June 22, 2022

Fixed issues in this release:

Unpinned the Ruby Buildpack in the Conjur Service Broker’s manifest.yml and updated the pinned Ruby version in the service broker’s Gemfile to ~> 2.7, to capture the idea that the service broker works for all 2.x Ruby versions from 2.7 and up, since any lesser version has reached end of life. See CHANGELOG between v2.2.1 and v2.2.4
Upgraded Golang dependencies in Conjur Buildpack to resolve security vulnerabilities. See CHANGELOG between v2.2.1 and v2.2.4
Upgraded Ruby dependencies in Conjur Service Broker to resolve security vulnerabilities. See CHANGELOG between v1.2.1 and v1.2.5

Release Date: August 10, 2021

Features in this release:

Removed support for Conjur Enterprise v4
- We recommend migrating to Conjur Enterprise v11+ or Conjur OSS v1+.
- cyberark/conjur-service-broker#203
Add organization_name and space_name annotations
- Service Broker API spec 2.15 and above provide organization_name and space_name. If these are available, they are added as annotations on the organization and space policies that are created in Conjur. cyberark/conjur-service-broker#238
- Requires Conjur Open Source v1.3.7+ or Conjur Enterprise (formerly Dynamic Access Provider) v11.3.0+
Support for using Summon environments in secrets.yml file
- secrets.yml files can be split into sections by environment and secrets to load at runtime can be specified using new SECRETS_YAML_ENVIRONMENT variable. cyberark/cloudfoundry-conjur-buildpack#44
Fixed error messages with invalid line numbers
- Caused by Cloudfoundry Buildpack encountering errors while parsing environment variable settings after retrieving secrets from Conjur. cyberark/cloudfoundry-conjur-buildpack#120

Fixed issues in this release:

Known issues in this release:

Service broker fails if not installed with ruby buildpack v1.8.37
- The service broker currently requires Ruby 2.5.8, which was removed in ruby buildpack versions later than v1.8.37. As a result, we have pinned the service broker to use v1.8.37 cyberark/conjur-service-broker#253

Release Date: January 15, 2021

Features in this release:

Buildpack archives releases in branch for more reliable online buildpack usage
- Previously, we recommended users refer to the project master branch in GitHub when using the online buildpack. With this change, we now archive releases in the “latest” branch, and recommend users either refer to the latest branch or a specific tag when using the online version of this buildpack. cyberark/cloudfoundry-conjur-buildpack#101
Service broker sets the default value of CONJUR_VERSION to 5
- When the value for CONJUR_VERSION is null or empty, we default to 5. If an invalid value is given, we raise an error immediately. cyberark/conjur-service-broker#47
Support for using the Conjur Tile with Conjur Enterprise v4 is now deprecated.
- Support will be removed in the next release. cyberark/cloudfoundry-conjur-buildpack#73, cyberark/conjur-service-broker#191

Fixed issues in this release:

(Security) Buildpack can no longer log secret values given invalid secrets.yml keys
- See Security Advisory. We recommend all users update their buildpack version to at least v2.1.5; v2.1.6 is included in this tile release.

Known issues in this release:

Service Broker fails to install if using older versions of Ruby Buildpack
- When using Ruby Buildpack version 1.8.15 or older, the service broker will fail to install because the Ruby version will default to 2.4.x. cyberark/conjur-service-broker#229

Release Date: August 7, 2020

Features in this release:

Improved service-broker validation and error handling
- Service broker returns 404 when the org or space policy branches do not exist as expected with a helpful error message, rather than returning 500.
- If a value is given to the CONJUR_POLICY environment variable, service-broker verifies that the given policy exists on the server, and provides a helpful error if it does not exist.
Expanded buildpack configuration capabilities
- The runtime location for secrets.yml can now be configured by setting the SECRETS_YAML_PATH environment variable for the Cloud Foundry application.
- Buildpack supply step now scans build directory for candidate secrets.yml files, and reports them to the buildpack deploy output during the supply phase. If unable to locate any secrets.yml files, it will exit.
The buildpack now properly reads only the Conjur credentials from VCAP_SERVICES. Previously, it
could consume credentials for other services, if their field names exactly matched those used by Conjur (e.g. version is a very common field).

Known issues in this release:

Invalid variable name causes secret exposure in logs
- See Security Advisory. This is fixed in the buildpack v2.1.5.

Release Date: June 21, 2019

Features in this release:

Release Date: May 2, 2019

Features in this release:

Added space-scoped host identities
VMware Tanzu operators now have the option to issue a shared Conjur identity for all applications in a space, or an identity for each application individually. Read more about this here.

Release Date: March 7, 2019

Features in this release:

Simplified policy management and deployment:
- Conjur Service Broker automatically creates policy branches in Conjur to mirror org and space structure in VMware Tanzu during the service instance provisioning.
- Entitlements can be added to orgs and spaces.
- Applications are auto-enrolled into org and space layers on bind.
Applications use Conjur followers to retrieve secrets for a improved scalability
Conjur Buildpack is updated to a supply buildpack to enable use of multi-buildpack functionality

Known issues in this release:

Conjur Buildpack does not currently support Java applications using Spring Boot 1.4+