All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
- Nothing should go in this section; add entries to the latest unreleased version (and update the corresponding date), or add a new version.
- Update multiple dependencies to latest versions
1.7.26 - 2024-12-27
- Update golang.org/x/net to v0.33.0 to resolve CVE-2024-45338
1.7.25 - 2024-12-16
- Update golang.org/x/crypto to v0.31.0 to resolve CVE-2024-45337
1.7.24 - 2024-07-25
- Update golang.org/x/net to v0.24.0
1.7.23 - 2024-03-21
- Upgrade to go 1.22 (CONJSE-1842)
1.7.22 - 2024-03-11
- Update ruby:3.0.6-slim-bullseye to ruby:3-slim-bullseye for docs and website generation (CONJSE-1850)
- Update Jekyll to v4.3.3 (CONJSE-1850)
1.7.21 - 2024-01-03
- Update `alpine` base image to v3.19 (CONJSE-1825)
1.7.20 - 2023-12-22
- Upgrade to go 1.21 (CNJR-3417)
- Updated golang.org/x/net to v0.19.0, github.com/go-sql-driver/mysql to v1.7.1, golang:1.19-buster to golang:1.21.3-bullseye, golang:1.19 to golang:1.20.10, and ruby:3.0.5-slim-bullseye to ruby:3.0.6-bullseye
- Updated golang.org/x/net to v0.17.0 to remove CVE-2023-39325 and CVE-2023-44487 (CNJR-3020)
1.7.19 - 2023-11-02
- Add support for caching_sha256_password to mysql connector (CONJSE-1801)
1.7.18 - 2023-08-22
- Update CRD test script. cyberark/secretless-broker#1499
- Updated github.com/docker/docker to v24.0.5 (CONJSE-1798)
- Added support for SCRAM-SHA-256 to postgres connector (CONJSE-1801)
1.7.17 - 2023-04-17
- Updated Go version to 1.19 cyberark/secretless-broker#1491
- Updated github.com/aws/aws-sdk-go to v1.44.0 to remove security issues cyberark/secretless-broker#1490
- Updated golang.org/x/net to v0.7.0 to remove CVE-2022-41723 cyberark/secretless-broker#1488
1.7.16 - 2022-12-27
- Updated direct dependencies in bin/juxtaposer/go.mod and go.mod and added replace statements for known vulnerable third-party versions. cyberark/secretless-broker#1479
- Upgrade golang.org/x/text and golang.org/x/net to resolve CVE-2022-32149 and CVE-2022-27664 cyberark/secretless-broker#1478
- Upgrade website Dockerfiles to Ruby 3 to resolve CVE-2022-0778. cyberark/secretless-broker#1475
- Update go-mssqldb submodule to resolve CVE-2022-41717 and CVE-2022-41721 cyberark/secretless-broker#1483
1.7.14 - 2022-08-17
- Added replace & exclude statements to go.mod to remove dependency on github.com/emicklei/go-restful v2.8.5 to resolve CVE-2022-1996 cyberark/secretless-broker#1473
1.7.13 - 2022-07-07
- Updated direct dependencies in bin/juxtaposer/go.mod and in go.mod and added replace statements for known vulnerable third-party versions. cyberark/secretless-broker#1467
1.7.12 - 2022-05-02
- Update to automated release process cyberark/secretless-broker#1462
1.7.11 - 2022-04-29
- Support for building on Apple M1 hardware. cyberark/secretless-broker#1456
- Updated github.com/containerd/containerd to resolve CVE-2022-23648 cyberark/secretless-broker#1459
- Updated github.com/docker/docker to resolve CVE-2015-3627 cyberark/secretless-broker#1459
- Updated github.com/docker/distribution to resolve GHSA-qq97-vm5h-rrhg cyberark/secretless-broker#1459
1.7.10 - 2022-02-15
- Postgres connector has been updated to propagate client options through Secretless to target server. cyberark/secretless-broker#1444
- Updated github.com/containerd/containerd to resolve GHSA-5j5w-g665-5m35 cyberark/secretless-broker#1450
1.7.9 - 2022-01-14
- Use latest version of conjur-authn-k8s-client which supports JWT login and tracing. cyberark/secretless-broker#1446
1.7.8 - 2021-11-09
- Version bump to resolve flaky test on tagged master. cyberark/secretless-broker#1438
1.7.7 - 2021-11-03
- Request-signing on the AWS connector was updated to address a bug that was causing failed integrity checks, where the request-signing by Secretless was incorporating more headers than were used on the original request-signing. The fix limits the headers used by Secretless to those used in the original request. cyberark/secretless-broker#1432
- Updated containerd to v1.4.11 to close CVE-2020-15257 (Not vulnerable) cyberark/secretless-broker#1431
1.7.6 - 2021-09-10
- Secretless and secretless-redhat containers now use Alpine 3.14 as their base image. PR cyberark/secretless-broker#1423
1.7.5 - 2021-08-04
- Updated addressable to 2.8.0 in docs/Gemfile.lock to resolve GHSA-jxhc-q857-3j6g cyberark/secretless-broker#1418
- Updated github.com/gogo/protobuf to 1.3.2 to resolve CVE-2021-3121 cyberark/secretless-broker#1418
1.7.4 - 2021-06-30
- Update RH base image to `ubi8/ubi` instead of `rhel7/rhel`. PR cyberark/secretless-broker#1411
1.7.3 - 2021-03-09
- Updated k8s authenticator client version to 0.19.1, which streamlines the parsing of authentication responses, updates the project Golang version to v1.15, and improves error messaging.
- When configured for the SSL mode of `require` or `prefer`, Secretless now sends a valid "SSL is not supported" response per the PostgreSQL protocol standard when a client attempts to open an SSL connection using the PostgreSQL connector. When the client is configured for SSL mode `prefer`, the updated response enables the client to downgrade to an insecure connection and continue. Previously, clients sending requests using the SSL mode of either `require` or `prefer` would receive a generic error from Secretless, which made it harder to determine the root cause of the problem and caused the `prefer` SSL mode to not function correctly. cyberark/secretless-broker#1377
- Support for OpenShift 4.3 has been deprecated as of this release.
- Support for OpenShift 4.6 has been certified as of this release.
- Support for OpenShift 4.7 has been certified as of this release.
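The 1.7.3 PostgreSQL entry above describes a handshake-level fix. The following is an added Go example, not the project's own code, showing the step it refers to: a server-side handler that recognises the client's 8-byte SSLRequest and answers the single byte `N` the protocol prescribes, so an `sslmode=prefer` client can retry in plaintext instead of failing on a generic error. The `fakeConn` type, the `SSLRequestBytes` helper and the sample messages are constructed for this demo.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// sslRequestCode is the PostgreSQL SSLRequest code (1234 in the high 16 bits,
// 5679 in the low 16 bits). An SSLRequest is exactly 8 bytes: length, then code.
const sslRequestCode uint32 = 80877103

// HandleStartup reads the client's first message. If it is an SSLRequest it
// answers with 'N' ("SSL not supported") and reports that reply; any other
// startup message is returned untouched so the caller can proxy it onward.
func HandleStartup(client io.ReadWriter) (reply byte, startup []byte, err error) {
	var hdr [4]byte
	if _, err = io.ReadFull(client, hdr[:]); err != nil {
		return 0, nil, err
	}
	length := binary.BigEndian.Uint32(hdr[:]) // the length field counts itself
	if length < 8 || length > 10000 {
		return 0, nil, errors.New("invalid startup message length")
	}
	body := make([]byte, length-4)
	if _, err = io.ReadFull(client, body); err != nil {
		return 0, nil, err
	}
	if length == 8 && binary.BigEndian.Uint32(body) == sslRequestCode {
		if _, err = client.Write([]byte{'N'}); err != nil {
			return 0, nil, err
		}
		return 'N', nil, nil
	}
	return 0, append(hdr[:], body...), nil
}

// SSLRequestBytes builds the SSLRequest a client sends first under
// sslmode=require or sslmode=prefer (constructed sample input).
func SSLRequestBytes() []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint32(b[0:4], 8)
	binary.BigEndian.PutUint32(b[4:8], sslRequestCode)
	return b
}

// fakeConn stands in for a net.Conn (hypothetical test double): reads come
// from the client's bytes, writes are captured so the reply can be inspected.
type fakeConn struct {
	in  *bytes.Reader
	out bytes.Buffer
}

func NewFakeConn(clientBytes []byte) *fakeConn {
	return &fakeConn{in: bytes.NewReader(clientBytes)}
}
func (c *fakeConn) Read(p []byte) (int, error)  { return c.in.Read(p) }
func (c *fakeConn) Write(p []byte) (int, error) { return c.out.Write(p) }
func (c *fakeConn) Sent() string                 { return c.out.String() }

func main() {
	c := NewFakeConn(SSLRequestBytes())
	reply, _, err := HandleStartup(c)
	fmt.Printf("reply=%q sent=%q err=%v\n", reply, c.Sent(), err)
}
```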
1.7.2 - 2021-02-05
- Support for OpenShift 4.3 and 4.5. conjurdemos/kubernetes-conjur-demo#122
- Support for OpenShift 3.9 and 3.10 is removed in this release. conjurdemos/kubernetes-conjur-demo#122
- Automatic endpoint discovery for the AWS connector was updated to address two bugs where (1) the request host header was not being updated to the discovered endpoint, and (2) the request modification was being done after signing the request which would result in a failing integrity check. cyberark/secretless-broker#1369
1.7.1 - 2020-10-20
- The `vault` provider now supports loading secrets from the KV Version 2 secret engine. Reference a secret in Vault using the right path and a field navigation in the Secretless configuration. cyberark/secretless-broker#1331
- Update k8s authenticator client version to 0.19.0, which adds some fixes around cert injection failure (see also changes in 0.18.1). cyberark/secretless-broker#1352
1.7.0 - 2020-09-11
- Secretless and secretless-redhat containers now use Alpine 3.12 as their base image. PR cyberark/secretless-broker#1296
- MySQL and PostgreSQL connectors support SSL host name verification with `verify-full` SSL mode. Also adds optional `sslhost` configuration parameter that is compared to the server's certificate SAN. cyberark/secretless-broker#548
- Generic HTTP connector now supports `queryParam` as a configurable section in the Secretless configuration file, under `config`. This allows the construction of a query string which can have credentials injected as needed. cyberark/secretless-broker#1290
- Generic HTTP connector now supports `oauth1` as a configurable section in the Secretless configuration file, under `config`. This allows the construction of a header for an OAuth 1.0 request. The OAuth 1.0 feature currently only supports HMAC-SHA1, but there is an issue logged to support other hashing methods. cyberark/secretless-broker#1297
- Many (20+) example generic connector configurations were added to the project, to demonstrate support for a broad set of popular APIs and to serve as an example for other APIs users may need to use Secretless with their apps. See here for the full list of examples. cyberark/secretless-broker#1248
1.6.0 - 2020-05-04
- Support for a `SECRETLESS_HTTP_CA_BUNDLE` environment variable that specifies the path to a CA cert bundle and enables users to configure Secretless with additional CA certificates for server cert verification when using HTTP connectors. PR #1180
- TLS support for the Secretless-to-server connections of the MSSQL connector. This is the recommended way to secure this connection and achieves feature parity with other TLS connectors. #1163, #1164, #1165
- MSSQL connector supports SSL host name verification with `verify-full` SSL mode. Also adds optional `sslhost` configuration parameter that is compared to the server's certificate SAN. #1199
- PostgreSQL connector log messages were updated to improve formatting, fixing a previous issue where the log messages were improperly formatted and were garbled in the logs. PR #1192
- TCP connectors all automatically zeroize the connection credentials in memory after successfully opening a connection; previously, credentials were only zeroized in memory on error. #1188
1.5.2 - 2020-02-24
- Bump authn-k8s client to v0.16.1 (cyberark/conjur-authn-k8s-client#70)
- Updated RH image push to ensure we're logged into the RH container registry appropriately before pushing (#1149)
- Fixed a stack overflow issue when running multiple connections to an MsSQL server consecutively
1.5.1 - 2020-02-12
- Added RedHat certified image build to pipeline (#1141)
- Added pipeline step to validate changelog (#1138)
- Added MSSQL support to juxtaposer perf testing tool (#1135)
- Added SIGPIPE to signals handled by Secretless Juxtaposer (#1136)
- Added JDBC Integration tests for Postgres (#1130)
- Added JDBC Tests for MSSQL (#1124)
- Added client params propagation to MSSQL integration tests (#1103)
- Default logging level changed from `Warn` to `Info`. Some logging message levels were readjusted to retain the same UX. (#1127)
- Update `bin/prefill_changelog` to generate valid CHANGELOG / ensure current CHANGELOG parses (#1138)
- Converted integration tests to use configs.v2 (#1120)
- Fixed broken documentation links (#1122)
1.5.0 - 2020-01-29
- Added option to specify MSSQL edition in tests (#1093)
- Added debug image that can be used with a debugger like delve (#1056)
- Added template READMEs to connector templates (#1020)
- Updated release instructions (#1080)
- Improved MSSQL connector tests (#1107, #1089, #1098)
- Improved handling of `io.EOF` errors on TCP `proxy_service`
- Conjur authn-k8s client version bumped to v0.16.0
- Added links to SDK docs in README (#1104)
- Ensure external connector plugins will not override built-in connectors (#1085)
- MSSQL connector moved to beta
- Updated pg connector to better validate packet length (#1095)
- MSSQL connector faithfully propagates login response (#1106)
- MSSQL connector faithfully propagates login request (#1107)
1.4.2 - 2020-01-08
- Updated CONTRIBUTING.md with instructions for using `go-mssqldb` submodule (#1044)
- Added gosec security scan to pipeline (#976)
- Added integration tests for MSSQL against additional MSSQL versions (#1017)
- Added `gofmt` to CodeClimate checks (#1055)
- Added support for MSSQL client parameter propagation (#1012)
- Bumped the `conjur-authn-k8s-client` version for the Conjur provider k8s authenticator to `v0.15.0` (#1060)
- Example plugin updated for clarity (#1061)
- Plugin SDK templates updated for clarity (#1054)
- Removed hardcoded PreloginResponse from MSSQL connector (#1014)
- Bumped Go version in Dockerfile to 1.13
- Secretless doesn't exit when it can't start a configured connector (#1057)
- Secretless has insufficient logs when the config file has trouble loading (#1062)
1.4.1 - 2019-12-11
- Added README for the MSSQL connector (#1003)
- Added `go-mssqldb` dependency as a submodule (#1038)
- Updated Conjur provider to log and exit on repeated authentication failure (#1035)
1.4.0 - 2019-12-04
- Added generic HTTP connector to enable writing new HTTP connectors via config (#995)
- Improved logs for k8s CRD test failure debugging (#1027)
- Updated Ruby version in docs container (#1028)
- Updated Conjur HTTP connector to leverage the generic HTTP connector (#1009)
- Reorganized integration tests (#958)
- Updated Basic Auth HTTP connector to leverage the generic HTTP connector (#1007)
- Replaced "honnef.co/go/tools" dependency in go.sum with a github link
- Updated "ozzo-validation" dependency to latest version
- Make forceSSL setting explicit in e2e tests
1.3.0 - 2019-11-18
- Added trivy security scan to project pipeline (#986)
- Added unit tests to ConfigEnv, profile and signal packages
- Added alpha MSSQL connector (#964)
- Added template skeleton for connector plugins (#967)
- Extract config validation from ProxyServices and add unit tests
- Improved available_plugins unit tests
- Updated juxtaposer configs for perf tests (#969)
- Ensure MySQL uses appropriate default sslmode value (#928)
- Improved pg error propagation (#974)
1.2.0 - 2019-10-21
- Added a new public plugin interface for building connector plugins
- Added a new public log interface for standardizing logging
- Added code coverage reporting to unit test output
- Added ability to run k8s-demo test on GKE
- Refactored existing connectors to use new public connector plugin interface
- Changed the core proxy and plugin manager to support the new public connector plugin interface
- Edited website Google Group links to link to Discourse
- Updated the example plugin to implement the new plugin interface
- Minor format changes to Apache 2.0 license
- Project structure reorganized
- Internal code updated to use v2 config instead of v1 config
- Goreleaser build updated to cross-compile linux and darwin
- Updated Conjur tests to use official CLI image
- Improve namespace cleanup in k8s-ci/test
- Add COMPOSE_PROJECT_NAME to tests to fix namespace collision errors
- Updated k8s-demo to use LoadBalancer on Services to avoid NodePort conflicts
- Clarified quick demo directions
- Improved error-handling / retry logic in k8s-ci
- `Protocol` key in v2 config is replaced with `connector` key
1.1.0 - 2019-08-09
- Added version output to logs on startup
- Added NOTICES.txt to the project
- Added dependency tracking tools and info
- Added ability to configure PG connector with `host`/`port` combination
- Added gitleaks config to enable running gitleaks pre-push
- Deprecated support for PG connector configurations with `address` field
- Minor edits to website quick start instructions
- Updated versioning method for the project to use version.go
- Parallelized integration tests
- Upgraded summon module dependency to 0.7.0
- Cleaned up go.mod and go.sum with `go mod tidy`
- Only pin to vault/api submodule rather than larger vault module
- MySQL port defaults to 3306 if not specified
- Updated health check test to wait longer for server to come up to prevent test failures
- Revised README for simplicity and to describe available releases
- Removed custom script to check style in favor of code climate
- Removed old benchmark proof of concepts
- Removed GitLab pipeline
- Removed ability to pass `dbname` in the `address` field of the PostgreSQL config; the PostgreSQL `address` config now only accepts `host:[port]`
- Resolved shellcheck errors
- Standardized spacing in `testutil` package
- Fixed changelog prefill script
1.0.0 - 2019-07-03
- Added aggregation script to performance test code
- Revised "service authenticator" to "service connector" and updated docs/links
- Moved plugin interfaces to internal pending redesign
- Updated project so internal dev tags push to internal registry instead of DockerHub
- Removed beta label from project and updated README
- Updated configuration samples in demos to use v2 config
- Fixed go lint errors
- Fixed broken homepage link
- Fixed bug with MySQL connector (#766) that returned "Malformed packet" for all errors
- Removed deprecated full-demo
0.8.0 - 2019-06-18
- Added a performance testing tool to bin/juxtaposer
- Added a v2 configuration syntax that is simpler and easier to use
- Updated the Conjur Kubernetes authenticator client to 0.13.0 to fix a bug that caused the token refresh to fail after the cert expired
- Revised "k8s-demo"
- Upgraded to Golang v1.12.5 from v1.11.4
- Updated `conjur-authn-k8s-client` dependency to v0.13.0
- Updated `conjur-api-go` dependency to v0.5.2
- Removed third-party module for evaluating home directory path
- Updated goreleaser config to address deprecated `archive` tag
- Revised PR template to remove unneeded manual tests
0.7.1 - 2019-05-16
- Added several issue templates
- Added improved tutorial flow to webpage
- Noted alpha support for HCV provider in README
- Improved CRD testing
- Updated base image used for GitLab CI
- Updated contributor info for documentation
- Updated to use universal `psql` command throughout repo
- Corrected tutorial issues with code snippets and spacing
0.7.0 - 2019-03-26
- Add ability to verify plugin checksums
- Add kubernetes secrets provider to README.md
- Note styling in Kubernetes tutorial
- Add link to /tutorials in the top nav
- Add daily build trigger
- Add redirect link capabilities
- Add version to README.md
- Add a README for the shared library
- C shared library exposing secret providers (POC)
- Add custom 404 page
- Update Kubernetes Tutorial for Simplicity and Clarity
- Simplify fast k8s tutorial
- Update CTA links
- Refactor mysql/NativePassword to take bytes
- Clean up Go memory of secrets
- Refactor MySQL handler for readability and consistency
- Updating website build to gen godocs in go img
- Fix kubernetes secrets example in README
- Fix kubernetes-secrets-provider hash
- Remove target=blank from footer links
- Fix broken website publishing
- Fix all non-TODO CodeClimate issues
- Fix ssh handler test naming
- Make ssh-handler integration test pull images before build
- Remove references to doc layout and update links
- Remove hashicorp root cert to fix broken build
- Fix the vault test that broke due to vault CLI updates
- Re-enable ssh-handler tests
0.6.4 - 2019-02-01
- Added a design proposal for credential zeroization
- Improved dev functionality in handler integration tests
- Removed checksum hacks for client-go from Dockerfiles, since this is fixed in Go 1.11.4
- Improved and refactored database integration test suite
- Updated MySQL handler to handle authPluginName mismatch and to have consistent sequenceIds
0.6.3 - 2019-01-11
- Database handlers support private-key pair as sslkey and sslcert
- Permissions have been fixed for OpenShift non-root integration and use
0.6.2 - 2019-01-09
- Added Kubernetes authenticator documentation for Conjur credential provider
- Sanitized remaining listeners/handlers from dumping data on the CLI when debug mode is on
- Removed developer-only debug mode from demos and examples
0.6.1 - 2019-01-08
- Updated conjur-api-go dependency
- Added `/ready` and `/live` endpoints on port 5335 for checking if the broker is ready/live
0.6.0 - 2018-12-20
- SSL support for MySQL and PostgreSQL handlers
- Improved test utilities
- Added flag for CPU or memory profiling
- Updated demos to support databases configured with SSL
- Allow ./bin/test_integration to specify individual test_folders + local flag
- Updated goreleaser process to use new image
0.5.2 - 2018-11-26
- Updated Kubernetes secrets provider to retrieve secrets from current namespace
- Fixed broken GitLab build referencing non-existent image
- Fixed broken keychain provider tests, and made easier to run manually
0.5.1 - 2018-11-20
- Tests for Kubernetes Secrets provider
- Initial benchmark data is compiled during build
- Project now builds in GitLab
- Goreleaser support for deb/rpm packages
- Initial implementation of AWS Secrets provider
- Removed bash4 dependency
- Documentation updates
- Updated Jekyll dependency to use version 3.8.4
- Moved the sidecar injector functionality to its own repo
0.5.0 - 2018-09-06
- Fix for "no matching manifest for linux/amd64 in the manifest" error
- Linter fixes
- Fixed fast-restart http listener error
- Fixed soft-reload 100% CPU bug
- Cleaned up channel closing in main proxy loop
- Update pg test to use sslmode=disable
- Fix Proxy#Run SHUTDOWN event deadlock
- Secretless shutdown ensures handlers shutdown; inform clients of closed connections
- Fixed panic when using server plugin with "match" config field
- Added support for Conjur Kubernetes authenticator in Conjur provider
- Added Kubernetes secrets provider
- Added support for a K8s custom resource definition of Secretless Broker config
- Updated standard config file reading to be in the form of a config manager plugin
- Added ability to watch for configuration changes through CRDs
- Add test for clean listener shutdown
- Added sidecar injector admission-webhook-controller
- Add BaseHandler and BaseListener
- Added Goreleaser for automated binary archive building (for tags)
- Added http credential zeroization
- Publish quick start Docker image
- Repo moved to `cyberark`, images pushed to DockerHub
- Updated K8s demo to use K8s secrets provider
- Upgraded to Go1.11
- Conjur handler updated to instantiate Conjur provider
- Updates to website style, homepage, copy to clipboard, and minor content edits
- Update demos to use Dockerhub image
- Name updated to Secretless Broker
0.4.0 - 2018-08-02
- Update style checker to work with auto-generated plugin docs
- Created plugin interface for providers
- A demo of using Secretless in Kubernetes exists in `demos/k8s-demo`
- The project uses the ASL 2.0 License
- The project has a website with initial styling
- The project has a logo
- A tutorial exists on the website of using Secretless in Kubernetes
- The website has documentation and quick start
- There is a basic auth http handler
- Golint runs as part of the Jenkins pipeline
- Project has a contributing and style guide
- Bumped the Golang version from 1.10.3 to Go1.11beta
- Converted from using dep to using go modules
- Updated test suite to split out unit and integration tests
- Updated README to be in sync with website documentation
- Improved Vault provider, SSH, and SSH Agent test suites
- Secretless runs as a limited user in the Docker image
- Secretless defaults to /sock for socket files
- Old demos were removed
- Improvements to SSH handler / listener for better error handling / debugging
- Style updates were made to code based on golint output
- The plugin package was renamed from `plugin_v1` to `plugin/v1`
- Added support for soft-reloading of listeners
0.3.0 - 2018-06-28
- Connection managers can be loaded with factories
- Listeners, handlers and managers can all now run from external plugins
- External plugin versioning now enforced
- Multi-stage container builds used
- Plugin test is now part of our CI pipeline
- Ability to notify connection managers of graceful shutdowns
- Added helper for creating changelog entries
- Internal listeners and handlers use the same plugin architecture as external plugins
- Made Docker images have Secretless in the path for easier launching
- Fixed CI test suite
- Optimized many aspects of container builds
- Pinned Golang version to 1.10.3
- Standardized plugin API
0.2.0 - 2018-05-17
- Added initial support for plugins
- Update CI to push images to Docker registry
- The first tagged version.