Conjur OSS Maintainers Monthly Office Hours

Announcing the Conjur OSS Maintainers Monthly Office Hours!

Starting this month we’ll be hosting monthly office hours with the Conjur OSS maintainers. Join us to hear about what we’re working on, to learn tips and tricks for Conjur OSS development, or to ask questions about topics from troubleshooting your deployment to getting your contribution merged.

The first meeting will be held on April 14, 2021 at 11 AM Eastern. Meeting details are below.

Conjur Enterprise customers are more than welcome, but please note that this meeting isn’t a substitute for your regular support calls and tickets. If you have questions about your particular deployment, please don’t wait until the maintainers meeting to get help. For the quickest assistance, please open a support case following the standard CyberArk SLA. More details about how support works can be found here.

April 14, 2021 Maintainers Meeting Agenda

• Next Conjur OSS Suite Release
• Current OSS projects in progress
• Upcoming OSS kickoffs / design proposals
• Community questions

If you have a specific topic you’d like to cover during the “Community questions” portion of the agenda, you can add it as a comment to this thread to ensure we make time for it in the agenda.

Meeting Link

Date: April 14, 2021
Time: 11 AM Eastern
Link: Microsoft Teams meeting

Join on your computer or mobile app

Click here to join the meeting

We hope to see you there!

I’m looking forward to the meeting tomorrow!!

Some info to look forward to:

• Next Conjur OSS Suite Release - PR, Wiki. See docs for recent releases!
  • Includes the recently released New CLI!
• Current OSS projects in progress
  • Simpler Conjur Configuration in K8s - design
• Upcoming OSS kickoffs / design proposals
  • Generic JWT Authenticator - design (draft), PR
• Community questions

Notes from the April 14, 2021 meeting:

• @joe.garcia asked about the open issue cyberark/conjur-api-python3#264, which asks that the v7 CLI support non-default authenticators (in particular, LDAP). I’ve noted that this issue needs a response, and will make sure someone from R&D responds in the next few days.

  This also led to a good conversation about when to file GitHub issues versus Salesforce Enhancement Requests (ERs) - generally for enterprise customers with access to Salesforce, filing ERs comes with an SLA for responses, so it’s beneficial to file an ER if you can.

• @QuincyCheng noted that Kubernetes has recently announced that CronJob is GA in 1.21, and asked about Secrets Provider adding support for running as CronJob. As this is relatively new information, we don’t have a plan for adding this support yet - but it’s on our radar.

  It’s worth noting that Secrets Provider had a request this week for a MutatingAdmissionWebhook Controller for Secrets, which is a slightly different approach than the CronJob. Interested folks can read more about this idea here.

• @joe.garcia asked if we’ve considered using GitHub Discussions to facilitate early conversations about potential new features without cluttering the backlog. Right now we use GitHub issues and this Discourse as our main venue for discussing feature enhancements, so we haven’t felt a need to try Discussions yet - but we’ll try it out soon to learn about what benefits it might bring.

• @pvoehrs asked for a status update about Conjur’s OpenAPI definition, which was actually just released for the first time this week. Expect the Conjur OpenAPI definition to be included in the May Conjur OSS Suite Release. We’re looking forward to using this definition to improve our API documentation and better standardize our client libraries. In particular, since the specification defines all authenticator endpoints, the generated clients all include methods for all authenticators out of the box - and as new authenticators are added, new clients can be quickly generated that support new authenticators, too. This could be hugely beneficial to the Conjur integrations that operate in different environments, as users who would like to leverage platform-specific authenticators would be able to do so out of the box.

• @joe.garcia asked if we’ve looked into enabling support for other databases besides PostgreSQL. @kumbirai recalled that there may be pg-specific stored procedures, and @alexkalish confirmed that at this point it’s unlikely to happen without significant work.

• @AndrewCopeland asked about using OpenAPI-generated clients for authn-k8s. This is the one authenticator that may be challenging to use out of the box with a generated client, since it requires Mutual TLS which was only recently added to the OpenAPI standard.

• @AndrewCopeland recently created a sample implementation of using our Kubernetes sidecar with GCP authentication. On the call he asked about the path forward for this idea as well as the possibility of using public cloud authenticators with all of our integrations. We’ll definitely be continuing this discussion internally!

• @pvoehrs asked about how to have better audit / access control when using Conjur with Ansible, and @joe.garcia recommended moving to Tower / Ansible Automation Platform for improved RBAC. Ansible Core doesn’t have the same RBAC as the automation platform.

• @QuincyCheng asked about open source documentation, to enable more contributions to doc bugs, etc. This conversation will also continue offline, to help us understand the use case better so that we can make a stronger case for enabling docs contributions.

Thank you everyone for joining today, especially @boazmichaely whose PM perspective was especially valuable on the call. I look forward to speaking with you again next month!!