Merge pull request #46 from cyberark/bump-version

Update project README / metadata for release prep

CHANGELOG.md

@@ -5,14 +5,26 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
-### Added
-- Added daily build trigger
+
+## [0.3.2] - 2020-12-29
 
 ### Changed
-- Updated reference to Conjur CLI container
-- Updated base image to Ubuntu 18.04
-- [Added retries](https://github.com/cyberark/ansible-conjur-host-identity/pull/32) to tasks/identity/Request identity from Conjur.
-  This will increase the reliability of host factory requests without introducing any extra delay if the first request succeeds.
+- Summon and Summon-Conjur default versions are updated to v0.8.3 and v0.5.3,
+  respectively.
+  [cyberark/ansible-conjur-host-identity#45](https://github.com/cyberark/ansible-conjur-host-identity/issues/45)
+- [Added retries](https://github.com/cyberark/ansible-conjur-host-identity/pull/32)
+  to tasks/identity/Request identity from Conjur. This will increase the reliability
+  of host factory requests without introducing any extra delay if the first request succeeds.
+
+### Deprecated
+- Support for Ansible versions lower than 2.8 is removed in this release since
+  these versions are already well past end of life. For Ansible 2.9+, we now
+  recommend that users leverage the [Conjur Ansible collection](https://github.com/cyberark/ansible-conjur-collection)
+  instead of this project.
+  [cyberark/ansible-conjur-host-identity#45](https://github.com/cyberark/ansible-conjur-host-identity/issues/45)
+- Support for Conjur Enterprise v4 is deprecated in this release. It will be removed
+  in the next release.
+  [cyberark/ansible-conjur-host-identity#45](https://github.com/cyberark/ansible-conjur-host-identity/issues/45)
 
 ## [0.3.1] - 2019-02-27
 ### Fixed
@@ -32,7 +44,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Establishes Conjur identity using a Conjur Host Factory Token
 - Installs and configures Summon Summon-Conjur provider for secure secret retrieval
 
-[Unreleased]: https://github.com/cyberark/ansible-conjur-host-identity/compare/v0.3.1...HEAD
+[Unreleased]: https://github.com/cyberark/ansible-conjur-host-identity/compare/v0.3.2...HEAD
+[0.3.2]: https://github.com/cyberark/ansible-conjur-host-identity/compare/v0.3.1...v0.3.2
 [0.3.1]: https://github.com/cyberark/ansible-conjur-host-identity/compare/v0.3.0...v0.3.1
 [0.3.0]: https://github.com/cyberark/ansible-conjur-host-identity/compare/v0.2.0...v0.3.0
 [0.2.0]: https://github.com/cyberark/ansible-conjur-host-identity/compare/v0.1.0...v0.2.0

CONTRIBUTING.md

@@ -15,11 +15,22 @@ From here your pull request will be reviewed and once you've responded to all
 feedback it will be merged into the project. Congratulations, you're a
 contributor!
 
-### Testing
+## Testing
 
 To run the tests:
 
 ```sh-session
 $ cd tests
 $ ./test.sh
 ```
+
+## Releasing
+
+To create a new release, follow the instructions in our general release
+guidelines [here](https://github.com/cyberark/community/blob/master/Conjur/CONTRIBUTING.md#release-process).
+
+The project version is stored in the [VERSION](./VERSION) file. The metadata file
+[meta/main.yml](meta/main.yml) may also need to be updated with each release.
+
+When a new tag is added to this project, the new version is automatically
+available in Ansible Galaxy.

Jenkinsfile

@@ -14,7 +14,7 @@ pipeline {
 
   stages {
     stage('Validate Changelog') {
-      steps { sh './tests/parse-changelog.sh' }
+      steps { sh './bin/parse-changelog.sh' }
     }
 
     stage('Run tests') {
@@ -24,7 +24,6 @@ pipeline {
         junit 'tests/junit/*'
       }
     }
-
   }
 
   post {

README.md

@@ -1,55 +1,75 @@
 # Conjur Ansible Role
 
-This Ansible role provides the ability to grant Conjur machine identity to a host. Based on that identity, secrets can then be retrieved securely using the [Summon](https://github.com/cyberark/summon) tool (installed on hosts with identities created by this role).
+This Ansible role provides the ability to grant Conjur machine identity to a host.
+Once a host has an identity created by this role, secrets can be retrieved securely
+using the [Summon](https://github.com/cyberark/summon) tool.
 
-## Required Reading
+## Recommended Reading
 
-* To learn more about Conjur, give it a [try](https://www.conjur.org/get-started/try-conjur.html)
-* To learn more about how Conjur can be integrated with Ansible, visit the [Integration Documentation](https://www.conjur.org/integrations/ansible.html)
-* To learn more about Summon, the tool that lets you execute applications with secrets retrieved from Conjur, visit the [Summon Webpage](https://cyberark.github.io/summon/)
-* To learn more about other ways you can integrate with Conjur, visit our pages on the [CLI](https://developer.conjur.net/cli), [API](https://developer.conjur.net/clients), and [Integrations](https://www.conjur.org/integrations/)
+* To learn more about Conjur, [give it a try](https://www.conjur.org/get-started/).
+* To learn more about how Conjur can be integrated with Ansible, visit the
+  [Integration Documentation](https://docs.conjur.org/Latest/en/Content/Integrations/ansible.html).
+* To learn more about Summon, the tool that lets you export secret values retrieved
+  from Conjur to your applications with, visit the
+  [Summon Webpage](https://cyberark.github.io/summon/).
+* To learn more about other ways you can integrate with Conjur, visit the
+  [Conjur documentation](https://docs.conjur.org/Latest/en/Content/Resources/_TopNav/cc_Home.htm).
 
-## Using ansible-conjur-host-identity with Conjur OSS 
+## Requirements
+
+* Conjur v1+ or Dynamic Access Provider (DAP) v10+
+* Conjur Enterprise v4
+* Ansible v2.8
+
+If you are using Ansible v2.9+, please consider using our
+[Ansible Collection](https://github.com/cyberark/ansible-conjur-collection) instead.
 
-Are you using this project with [Conjur OSS](https://github.com/cyberark/conjur)? Then we 
-**strongly** recommend choosing the version of this project to use from the latest [Conjur OSS 
-suite release](https://docs.conjur.org/Latest/en/Content/Overview/Conjur-OSS-Suite-Overview.html). 
-Conjur maintainers perform additional testing on the suite release versions to ensure 
-compatibility. When possible, upgrade your Conjur version to match the 
-[latest suite release](https://docs.conjur.org/Latest/en/Content/ReleaseNotes/ConjurOSS-suite-RN.htm); 
-when using integrations, choose the latest suite release that matches your Conjur version. For any 
+## Using ansible-conjur-host-identity with Conjur OSS
+
+Are you using this project with [Conjur OSS](https://github.com/cyberark/conjur)? Then we
+**strongly** recommend choosing the version of this project to use from the latest [Conjur OSS
+suite release](https://docs.conjur.org/Latest/en/Content/Overview/Conjur-OSS-Suite-Overview.html).
+Conjur maintainers perform additional testing on the suite release versions to ensure
+compatibility. When possible, upgrade your Conjur version to match the
+[latest suite release](https://docs.conjur.org/Latest/en/Content/ReleaseNotes/ConjurOSS-suite-RN.htm);
+when using integrations, choose the latest suite release that matches your Conjur version. For any
 questions, please contact us on [Discourse](https://discuss.cyberarkcommons.org/c/conjur/5).
 
-## Installation
+## Usage instructions
 
 Install the Conjur role using the following command in your playbook directory:
 
 ```sh-session
 $ ansible-galaxy install cyberark.conjur-host-identity
 ```
 
-## Requirements
-
-* A running Conjur service that is accessible from the target nodes.
-* Ansible >= 2.3.0.0
-
-## Usage
-
-The Conjur role provides a method to “Conjurize” or establish the Conjur identity of a remote node with Ansible. The node can then be granted least-privilege access to retrieve the secrets it needs in a secure manner.
+The Conjur role provides a method to “Conjurize” or establish the Conjur identity
+of a remote node with Ansible. The node can then be granted least-privilege access
+to retrieve the secrets it needs in a secure manner.
 
 ### Role Variables
 
-* `conjur_appliance_url` `*`: URL of the running Conjur service
-* `conjur_account` `*`: Conjur account name
-* `conjur_host_factory_token` `*`: [Host Factory](https://developer.conjur.net/reference/services/host_factory/) token for
-layer enrollment. This should be specified in the environment on the Ansible controlling host.
-* `conjur_host_name` `*`: Name of the host being conjurized.
-* `conjur_ssl_certificate`: Public SSL certificate of the Conjur endpoint
-* `conjur_validate_certs`: Boolean value to indicate if the Conjur endpoint should validate certificates
-* `summon.version`: version of Summon to install. Default is `0.6.6`.
-* `summon_conjur.version`: version of Summon-Conjur provider to install. Default is `0.5.0`.
-
-The variables marked with `*` are required fields. The other variables are required for running with an HTTPS Conjur endpoint, but are not required if you run with an HTTP Conjur endpoint.
+* `conjur_appliance_url` `*`: The URL of the Conjur / DAP instance you are connecting
+   to. When connecting to an HA DAP master cluster, this would be the URL of the
+   master load balancer.
+* `conjur_account` `*`: The account name for the Conjur instance you are connecting to.
+* `conjur_host_factory_token` `*`: [Host Factory](https://docs.conjur.org/Latest/en/Content/Operations/Services/host_factory.html)
+  token for layer enrollment. This should be specified in the environment on the
+  Ansible controlling host.
+* `conjur_host_name` `*`: Name of the host identity for the host factory to create.
+* `conjur_ssl_certificate`: The PEM-encoded x509 CA certificate chain for the DAP
+  instance you are connecting to. This value may be obtained by running the command:
+  ```
+  $ openssl s_client -showcerts -servername [CONJUR_DNS_NAME] -connect [CONJUR_DNS_NAME]:443 < /dev/null 2> /dev/null
+  ```
+* `conjur_validate_certs`: Boolean value to indicate whether the client should
+  validate the Conjur server certificates.
+* `summon.version`: Version of Summon to install. Default is `0.8.3`.
+* `summon_conjur.version`: Version of Summon-Conjur provider to install. Default is `0.5.3`.
+
+The variables marked with `*` are required fields. The other variables are required
+for running with an HTTPS Conjur endpoint, but are not required if you run with
+an HTTP Conjur endpoint.
 
 ### Example Playbook
 
@@ -65,11 +85,14 @@ Configure a remote node with a Conjur identity and Summon:
 ```
 
 This example:
-* Registers the host with Conjur, adding it into the layer specific to the provided host factory token.
-* Installs Summon with the Summon Conjur provider for secret retrieval from Conjur.
+
+* Registers the host with Conjur, adding it into the layer specific to the provided
+  host factory token.
+* Installs Summon with the Summon-Conjur provider for secret retrieval from Conjur.
 
 ### Summon & Service Managers
-With Summon installed, using Conjur with a Service Manager (like SystemD) becomes a snap.  Here's a simple example of a SystemD file connecting to Conjur:
+With Summon installed, using Conjur with a Service Manager (like SystemD) becomes a snap.
+Here's a simple example of a SystemD file connecting to Conjur:
 ```ini
 [Unit]
 Description=DemoApp
@@ -80,27 +103,34 @@ User=DemoUser
 #Environment=CONJUR_MAJOR_VERSION=4
 ExecStart=/usr/local/bin/summon --yaml 'DB_PASSWORD: !var staging/demoapp/database/password' /usr/local/bin/myapp
 ```
-**Note**
-When connecting to Conjur 4 (Conjur Enterprise), Summon requires the environment variable `CONJUR_MAJOR_VERSION` set to `4`. You can provide it by uncommenting the relevant line above.
 
-The above example uses Summon to retrieve the password stored in `staging/myapp/database/password`, set it to an environment variable `DB_PASSWORD`, and provide it to the demo application process. Using Summon, the secret is kept off disk. If the service is restarted, Summon retrieves the password as the application is started.
+The example above uses Summon to retrieve the password stored in `staging/myapp/database/password`,
+set it to an environment variable `DB_PASSWORD`, and provide it to the demo application
+process. Using Summon, the secret is kept off disk. If the service is restarted,
+Summon retrieves the password again as the application is started.
 
 ### Dependencies
 
 None
 
 ### Recommendations
 
-* Add `no_log: true` to each play that uses sensitive data, otherwise that data can be printed to the logs.
-* Set the Ansible files to minimum permissions. Ansible uses the permissions of the user that runs it.
+* **Important:** Add `no_log: true` to each play that uses sensitive data,
+  **otherwise that data can be printed to the logs.**
+* Set the Ansible files to minimum permissions. Ansible uses the permissions of
+  the user that runs it.
 
 ## Contributing
 
-We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions of our development workflows, please see our [contributing
-guide][contrib].
+We welcome contributions of all kinds to this repository. For instructions on
+how to get started and descriptions of our development workflows, please see our
+[contributing guide][contrib].
 
 [contrib]: https://github.com/cyberark/ansible-conjur-host-identity/blob/master/CONTRIBUTING.md
 
 ## License
 
-This repository is licensed under Apache License 2.0 - see [`LICENSE`](LICENSE) for more details.
+Copyright (c) 2020 CyberArk Software Ltd. All rights reserved.
+
+This repository is licensed under Apache License 2.0 - see [`LICENSE`](LICENSE)
+for more details.

VERSION

@@ -0,0 +1 @@
+0.3.2

defaults/main.yml

@@ -1,7 +1,7 @@
 summon:
-  version: 0.6.6
+  version: 0.8.3
   # TODO - this should dynamically be generated as part of the Ansible fact gathering 
   os: linux-amd64
 summon_conjur:
-  version: 0.5.0
+  version: 0.5.3
   os: linux-amd64

meta/main.yml

@@ -4,15 +4,10 @@ galaxy_info:
   short_description: Grants Conjur machine identity
   description: Grants Conjur machine identity to hosts
   company: CyberArk
-  license: Apache
-  author:
-    - Dustin Collins (@dustinmm80)
-    - Oren Ben Meir (@orenbm)
-    - Jason Vanderhoof (@jvanderhoof)
-    - Kumbirai Tanekha (@doodlesbykumbi)
-    - Gary Moon (@garymoon)
+  license: Apache-2.0
+  author: Conjur Maintainers ([email protected])
 
-  min_ansible_version: '2.3'
+  min_ansible_version: '2.8'
 
   platforms:
     - name: Ubuntu