Create UPGRADING.md

[hilagross]

What does this PR do?

In this PR, we add upgrade instructions to this project. The instructions apply to docker-compose deployments of Conjur OSS. For helm-based upgrade instructions, users can see the Conjur helm chart upgrade guide.

In addition, this adds custom upgrade instructions for users who will be upgrading from pre-1.8 versions to 1.8+.

What ticket does this PR close?

Connected to #1584, #1528.

Checklists

Change log

• The CHANGELOG has been updated, or
• This PR does not include user-facing changes and doesn't require a CHANGELOG update

Test coverage

• This PR includes new unit and integration tests to go with the code changes, or
• The changes in this PR do not require tests

Documentation

• This PR does not require updating any documentation, or
• Docs (e.g. READMEs) were updated in this PR, and/or there is a follow-on issue to update docs

[izgeri]

Can we make this a markdown subsection? It would be convenient to use this going forward to note any additional version-specific instructions, and if the line is

### 1.8.0

Then we can link to it in our release notes and it's clear that the custom upgrade instructions apply to this specific version

Note that I am assuming the changes will land before the next tag, and that the tag will be a minor version bump.

[hilagross]

@izgeri just to make sure I understood correctly, also the from version should be change to 1.8.0 or 1.7.2 is ok?

[izgeri]

I am assuming that the FIPS changes will be included in the next tag, and that we'll bump the minor version since we're adding functionality in a backwards compatible manner (following semver - see here)

That would mean they'll be included in 1.8.0

[hilagross]

that's for sure, what I meant should we say 'from 1.7.2 and below' or 'below version 1.8.0'?
what should be the correct term for this FYO?

[izgeri]

We could just make it say Upgrading to 1.8.0

[hilagross]

what will happen if a user will upgrade from 1.7.0 to 1.8.1 or even 1.9.0 in the future?
I think it should be clear the any upgrade from a version before 1.8.0 should run this step.
WDYT?
@alexkalish @izgeri

[alexkalish]

I think what you have is fine for now.

[izgeri]

@hilagross I'd like to have a technical review of this before we merge it. @diverdane and @sgnn7 have recently been through the upgrade process in great detail for the helm chart - the docker-compose upgrade flow is by comparison much simpler. I am checking with @alexkalish about whether we might be able to schedule a detailed technical review of this in the next week or so - I think the end result would really benefit from this.

[alexkalish]

@hilagross: Thank you for doing this! I made a ton of suggestions, mostly around wording and punctuation. I think that only my comment about the special step requires a manual change.

[alexkalish]

I think what you have is fine for now.

[InbalZilberman]

@alexkalish @izgeri can you please take over this PR or close it and open another one?
Hila is not expected to return any time soon :)

[izgeri]

@alexkalish I will make your changes and try a quick sanity check before asking you to rereview

[izgeri]

@InbalZilberman @alexkalish I applied Alex's updates and then tried to run through the upgrade steps as documented using the quick start docker-compose with the Conjur image version specified (e.g. I modified this line to read image: cyberark/conjur:1.5.0, for example).

I was not able to get the original draft instructions to work, but a quick bit of research allowed me to tweak them to get them working for a standard upgrade from 1.5.0 to 1.7.4. Those updates are now in a separate commit on this branch.

Once I got those working, I tried the custom upgrade instructions for upgrading from 1.7.4 to 1.8.0. I was NOT SUCCESSFUL. Running bundle exec rake slosilo:migrate on the Conjur server container did not produce any log output, and when I attempted to interact with the API afterwards:

• I was able to successfully authenticate, and exchange an API key for an access token

• when I tried to use that access token on a secret retrieval request, I got an Invalid token response:

  The retrieved value is: HTTP/1.1 401 Unauthorized
  Server: nginx/1.13.6
  Date: Wed, 15 Jul 2020 21:03:35 GMT
  Content-Type: text/plain
  Content-Length: 27
  Connection: keep-alive
  Cache-Control: no-cache
  X-Request-Id: a27dc38f-0772-4fdc-b62b-a3181a641123
  X-Runtime: 0.001891
  
  Unauthorized: Invalid token
  

  The Conjur logs show:

   Started POST "/authn/myConjurAccount/host%2FBotApp%2FmyDemoApp/authenticate" for 192.168.32.3 at 2020-07-15 21:03:33 +0000
  [origin=192.168.32.3] [request_id=29c707d4-a7ff-4e58-a317-0071c60f6a30] [tid=36] Processing by AuthenticateController#authenticate as */*
  [origin=192.168.32.3] [request_id=29c707d4-a7ff-4e58-a317-0071c60f6a30] [tid=36]   Parameters: {:controller=>"authenticate", :action=>"authenticate", :authenticator=>"authn", :account=>"myConjurAccount", :id=>"host/BotApp/myDemoApp"}
  [origin=192.168.32.3] [request_id=29c707d4-a7ff-4e58-a317-0071c60f6a30] [tid=36] myConjurAccount:host:BotApp/myDemoApp successfully authenticated with authenticator authn service myConjurAccount:webservice:conjur/authn
  [origin=192.168.32.3] [request_id=29c707d4-a7ff-4e58-a317-0071c60f6a30] [tid=36] Completed 200 OK in 17ms (Views: 0.2ms)
  [origin=192.168.32.3] [request_id=a27dc38f-0772-4fdc-b62b-a3181a641123] [tid=34] Started GET "/secrets/myConjurAccount/variable/BotApp%2FsecretVar" for 192.168.32.3 at 2020-07-15 21:03:35 +0000
  

  There is nothing after the Started GET line in the Conjur logs - the server appears to hang. The nginx logs show:

  192.168.32.2 - - [15/Jul/2020:21:03:33 +0000] "POST /authn/myConjurAccount/host%2FBotApp%2FmyDemoApp/authenticate HTTP/1.1" 200 644 "-" "curl/7.55.0"
  192.168.32.2 - - [15/Jul/2020:21:03:35 +0000] "GET /secrets/myConjurAccount/variable/BotApp%2FsecretVar HTTP/1.1" 401 27 "-" "curl/7.55.0"
  

I am going to try again going from 1.7.4 to 1.8.1, but if I get the same result I will likely need help from @uCatu and team to figure out next steps. I don't think we'll include post-1.8 releases in the suite release until this is resolved.

ETA: I have confirmed that the same problem occurs:

• when upgrading from 1.7.4 to 1.8.1 following the standard instructions + the custom documented step for 1.8.0
• when upgrading from 1.7.4 to 1.8.0 following the standard instructions

[uCatu]

WIP please

[uCatu]

Suggest using docker-compose as we assum user also use. And in case user has additional container that are not related to conjur they will not appear in output
docker-compose ps -a

[uCatu]

Suggested change

	1. In your terminal window, set the `CONJUR_DATA_KEY` environment variable:
	1. In local terminal session, set `CONJUR_DATA_KEY` environment variable:

[uCatu]

The mention of Conjur data key is much more important than naming of conjur service
Can we put the spotlight on it? It can be confusing with API KEY I think we need to give here a link (maybe from here or here ) to where we suggsted to store it, that it's a Base64-encoded 256 bit data encrytion key etc, without it - there is no upgrade

[uCatu]

Suggested change

	export CONJUR_DATA_KEY={your Conjur data key}
	export CONJUR_DATA_KEY=<Conjur data key content>

[uCatu]

Don't know if we want to talk about Puma here, adding comlpexitiy

[uCatu]

Can we change "succesfully" to "without visible/explicit error message"

[uCatu]

If we chose to use docer-compose please switch this example to the one above

[uCatu]

Redundent in any case

[uCatu]

We want to add
"from MD5 to a more secure SHA256" ?

[uCatu]

WIP please

[uCatu]

Maybe this command should be better? encapsulate with CLI
docker-compose exec conjur conjurctl wait

[izgeri]

I'm glad you suggested that! I use that command myself and was trying to find a way to work it in - I hesitated, because I'm not sure it works well enough when the server fails. I'll play around with it and see how it goes.

[izgeri]

@uCatu thanks for your feedback, and I'll try to work in your changes.

IMPORTANTLY the custom upgrade instructions for v1.8.0 don't work as currently written. do you have any more info on this?

[uCatu]

@uCatu thanks for your feedback, and I'll try to work in your changes.

IMPORTANTLY the custom upgrade instructions for v1.8.0 don't work as currently written. do you have any more info on this?

@izgeri
Yes I'm on it will take me 30 minutes to figure out if we can use slosilo task - as it never been tested. The original approach was to change fingerprint manual on PG via psql - just wanted to touch base on the whole tutorial since it's the first time I'm reading it, thats why I commented on other issues

Available on Slack for quick response :)

[uCatu]

@uCatu thanks for your feedback, and I'll try to work in your changes.
IMPORTANTLY the custom upgrade instructions for v1.8.0 don't work as currently written. do you have any more info on this?

@izgeri
Yes I'm on it will take me 30 minutes to figure out if we can use slosilo task - as it never been tested. The original approach was to change fingerprint manual on PG via psql - just wanted to touch base on the whole tutorial since it's the first time I'm reading it, thats why I commented on other issues

Available on Slack for quick response :)

Revisiting Slosilo migrate task:
https://github.com/cyberark/slosilo/blob/4c4c6d2beac698b8958acab5627d926fe240c6fb/lib/slosilo/adapters/sequel_adapter.rb#L52

tells us that in order to get fingerprint value, fingrperint column must be deleted or not present
as we are talking about upgrade the latter is not relevent

That means that we can stil utilize that task by still needs to (was able to create this oneliner):
docker-compose exec -u postgres database psql -c "ALTER TABLE slosilo_keystore DROP COLUMN fingerprint"

and than run:
docker-compose exec conjur bundle exec rake slosilo:migrate

I tested it, looks fine can you verify please?

[izgeri]

I deployed v1.5.0 using the quick start instructions

Then I built Conjur locally and changed the docker-compose to read conjur:1.8.1-14274915 for the image. I followed the upgrade instructions and it worked beautifully! Very nice work @h-artzi 👏

I did make one suggestion to change a section title. But other than that, I think this PR is good to go.

[izgeri]

@h-artzi it looks like it also needs a rebase before I can approve

[izgeri]

Great work to everyone involved! Thanks @hilagross for kicking this off, @uCatu for drafting an initial process, and @h-artzi for getting it over the finish line! It feels great to have this added to our project :)

@uCatu I believe @h-artzi addressed all of your requested changes, with one optional request that seems ok to skip. If you have any additional requests, let's work on them in a follow-up issue - this one's been open long enough!

Dismissing your review @alexkalish because it would appear all of your changes have been addressed. Thanks for helping make this a better document!!

[codeclimate]

Code Climate has analyzed commit 9a661bc and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 86.8% (0.0% change).

View more on Code Climate.

[alexkalish]

Wohoo!!