Conjur has clear upgrade instructions #1528

Closed
izgeri opened this issue May 6, 2020 · 5 comments

izgeri commented May 6, 2020

If I am using Conjur, and a new version becomes available, I want to be able to seamlessly upgrade my current version of Conjur to the new version without losing any data and with minimal downtime.

Additional context

It may be that certain versions of Conjur require special upgrade instructions; this card is not meant to capture that. The output of this card should be standard upgrade instructions that typically apply / represent a baseline for Conjur operation. These baseline upgrade instructions (which should account for updating the Conjur server, performing any needed database migrations, and any other standard upgrade operations) should enable us to provide documentation on exceptions to this standard that arise for any given Conjur version bump.


uCatu commented May 6, 2020

The following steps were performed to upgrade from OSS v.{x} to OSS v.{x+1}:

  1. Edit the docker-compose.yml conjur service image tag to {x+1}
  2. Delete the current conjur container:
    docker rm -f conjur
  3. Rerun docker-compose:
    docker-compose up -d
  4. View the docker containers and verify all are healthy, up and running:
    docker ps -a
  • Side note: it is possible you will need to reassign the CONJUR_DATA_KEY system variable. Same key as before.
    export CONJUR_DATA_KEY="$(< data_key)"

EDIT: @izgeri - Yes, sorry :)
FINGERPRINT UPDATE WORKAROUND STEPS:

  5. Use any host/user (e.g. admin/dave/botapp...) and the same API key to authenticate
    see docs: https://docs.conjur.org/Latest/en/Content/Developer/Conjur_API_Authenticate.htm?tocpath=Developer%7CREST%C2%A0APIs%7C_____2

  6. Once you have obtained the "short-lived access token" from the response, transfer it to a dot-separated token in the following format:
    protected.payload.signature
    e.g.:

{
  "protected": "eyJhbGciOiJjb25qdXIub3JnL3Nsb3NpbG8vdjIiLCJraWQiOiI0NGIwMjBmNjY0MDBmNzFhZDQ3Y2I0N2IzYTFiNmU5MSJ9",
  "payload": "eyJzdWIiOiJhbGljZSIsImlhdCI6MTUwNTgzMDY1MX0=",
  "signature": "iRLTwNomb_b6TS4e539IIC-isPsc0kIn-F_ajlvnGdrN6brEEHnVha2vm0oDwOjpnmpFrMYLzn8aPo4_7DP3edssfQbpMG6OZI2Ea9DRfkhQGtSQ2fQvhDos_f16EX_jWQkYlsY6T_RurAxf_7VC4hEhjZA8nLkXOohA1DheyoJiT2-7vdpLmf42G7r1gPWHd_JuFkee28Ax2vCi35l4yQXkAHFaLkb3cAD2iwYuavv3qcFnYsT5WhLQqndPoNzgNa4dMvWRkVNUoVmvL30oE6lAlWPO4rFbPpmLwJRJFudDF8IVV9cVRKnV3z79_3RfEsHJ6YTHVX4Cv--cXmkT17QSFp87DK94DAOX3jKvJNo49DdqkzXqAPUIj3CD3IWI"
}

Will be transferred into:

eyJhbGciOiJjb25qdXIub3JnL3Nsb3NpbG8vdjIiLCJraWQiOiI0NGIwMjBmNjY0MDBmNzFhZDQ3Y2I0N2IzYTFiNmU5MSJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTUwNTgzMDY1MX0=.iRLTwNomb_b6TS4e539IIC-isPsc0kIn-F_ajlvnGdrN6brEEHnVha2vm0oDwOjpnmpFrMYLzn8aPo4_7DP3edssfQbpMG6OZI2Ea9DRfkhQGtSQ2fQvhDos_f16EX_jWQkYlsY6T_RurAxf_7VC4hEhjZA8nLkXOohA1DheyoJiT2-7vdpLmf42G7r1gPWHd_JuFkee28Ax2vCi35l4yQXkAHFaLkb3cAD2iwYuavv3qcFnYsT5WhLQqndPoNzgNa4dMvWRkVNUoVmvL30oE6lAlWPO4rFbPpmLwJRJFudDF8IVV9cVRKnV3z79_3RfEsHJ6YTHVX4Cv--cXmkT17QSFp87DK94DAOX3jKvJNo49DdqkzXqAPUIj3CD3IWI

  7. Browse to https://jwt.io/, insert the dot-separated token into the Encoded textbox, and extract kid from the decoded header section - this will be your new fingerprint.

  8. Enter the PG container from your terminal:
    docker exec -it postgres bash

  9. Switch user to postgres:
    su postgres

  10. Use the psql CLI to log in:
    psql

  11. Be familiar with the content of the slosilo_keystore table:
    select * from slosilo_keystore;
    Notice you have 3 columns: id, key, fingerprint. Extract the id; the record will be similar to: authn:myConjurAccount

  12. Edit the account record with the new fingerprint:
    update slosilo_keystore set fingerprint = '{VALUE FROM STEP 7}' where id = '{VALUE FROM STEP 11}';

  13. To verify, run step 5 and use the short-lived token to do any action: fetch a secret, load a policy, etc.
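
The token-to-fingerprint steps in the comment above can also be done locally, without pasting a live access token into a third-party site. This is an added example, not part of the original comment or of Conjur itself: the function names are hypothetical, the `protected` and `payload` values are the sample from the comment, and the signature is a constructed placeholder.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # Token segments are base64url; restore any padding that was stripped.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def compact_token(token: str) -> str:
    """Return protected.payload.signature for a JSON or already-compact token."""
    token = token.strip()
    if token.startswith("{"):
        obj = json.loads(token)
        missing = {"protected", "payload", "signature"} - obj.keys()
        if missing:
            raise ValueError(f"token is missing fields: {sorted(missing)}")
        return ".".join(obj[k] for k in ("protected", "payload", "signature"))
    if token.count(".") != 2:
        raise ValueError("expected three dot-separated segments")
    return token


def fingerprint_from_token(token: str) -> str:
    """Decode only the protected header and return its kid (the fingerprint)."""
    protected = compact_token(token).split(".")[0]
    header = json.loads(_b64url_decode(protected))
    if "kid" not in header:
        raise ValueError("protected header has no kid")
    return header["kid"]


# protected and payload are the sample values from the comment above;
# the signature is a constructed placeholder (it is not needed to read kid).
SAMPLE = json.dumps({
    "protected": "eyJhbGciOiJjb25qdXIub3JnL3Nsb3NpbG8vdjIiLCJraWQiOiI0NGIw"
                 "MjBmNjY0MDBmNzFhZDQ3Y2I0N2IzYTFiNmU5MSJ9",
    "payload": "eyJzdWIiOiJhbGljZSIsImlhdCI6MTUwNTgzMDY1MX0=",
    "signature": "CONSTRUCTED_PLACEHOLDER",
})

if __name__ == "__main__":
    print(fingerprint_from_token(SAMPLE))
```

Only the first segment is decoded, so the signature is never inspected or verified here; the returned `kid` is the value the comment writes into `slosilo_keystore.fingerprint`.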


izgeri commented May 7, 2020

@uCatu I vaguely remember someone mentioning an operation with slosilo was needed - did you have to do something like this at any point? Also, do you know what might be different about these instructions if there is a database migration between versions?

@shulifink

@izgeri - is this ticket also meant to cover High availability and autofailover upgrade for DAP?


izgeri commented Jun 19, 2020

@shulifink not at all - this ticket is just for standard upgrade instructions that can be used to migrate one docker-compose deployment of Conjur OSS to a newer version of Conjur

@hilagross hilagross mentioned this issue Jul 15, 2020
6 tasks

izgeri commented Sep 3, 2020

This is resolved in #1607. See UPGRADING.md for more info.

@izgeri izgeri closed this as completed Sep 3, 2020