uCatu
commented
4 years ago Following steps were performed to upgrade from OSS v.{x} to OSS v.{x+1}:
- Edit
docker-compose.ymlconjur service image tag to {x+1} - Delete current conjur container:
docker rm -f conjur - Rerun docker-compose:
docker-compose up -d - View docker containers and verify all are healthy, up and running: 'docker ps -a`
- side note, it is possible you will need to reassign
CONJUR_DATA_KEYsystem variable. Same key as before.export CONJUR_DATA_KEY="$(< data_key)
EDIT: @izgeri - Yes, sorry :) FINGERPRINT UPDATE WORKAROUND STEPS:
-
Use any host/user (i.e: admin/dave/botapp...) and same API key to authenticate see docs: https://docs.conjur.org/Latest/en/Content/Developer/Conjur_API_Authenticate.htm?tocpath=Developer%7CREST%C2%A0APIs%7C_____2
-
Once obtained "short-lived access token" from response, transfer it to dot seperated token in following format:
protected.payload.signaturee.g:"protected": "eyJhbGciOiJjb25qdXIub3JnL3Nsb3NpbG8vdjIiLCJraWQiOiI0NGIwMjBmNjY0MDBmNzFhZDQ3Y2I0N2IzYTFiNmU5MSJ9", "payload": "eyJzdWIiOiJhbGljZSIsImlhdCI6MTUwNTgzMDY1MX0=", "signature": "iRLTwNomb_b6TS4e539IIC-isPsc0kIn-F_ajlvnGdrN6brEEHnVha2vm0oDwOjpnmpFrMYLzn8aPo4_7DP3edssfQbpMG6OZI2Ea9DRfkhQGtSQ2fQvhDos_f16EX_jWQkYlsY6T_RurAxf_7VC4hEhjZA8nLkXOohA1DheyoJiT2-7vdpLmf42G7r1gPWHd_JuFkee28Ax2vCi35l4yQXkAHFaLkb3cAD2iwYuavv3qcFnYsT5WhLQqndPoNzgNa4dMvWRkVNUoVmvL30oE6lAlWPO4rFbPpmLwJRJFudDF8IVV9cVRKnV3z79_3RfEsHJ6YTHVX4Cv--cXmkT17QSFp87DK94DAOX3jKvJNo49DdqkzXqAPUIj3CD3IWI" }Will be transferd into:
eyJhbGciOiJjb25qdXIub3JnL3Nsb3NpbG8vdjIiLCJraWQiOiI0NGIwMjBmNjY0MDBmNzFhZDQ3Y2I0N2IzYTFiNmU5MSJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTUwNTgzMDY1MX0=.iRLTwNomb_b6TS4e539IIC-isPsc0kIn-F_ajlvnGdrN6brEEHnVha2vm0oDwOjpnmpFrMYLzn8aPo4_7DP3edssfQbpMG6OZI2Ea9DRfkhQGtSQ2fQvhDos_f16EX_jWQkYlsY6T_RurAxf_7VC4hEhjZA8nLkXOohA1DheyoJiT2-7vdpLmf42G7r1gPWHd_JuFkee28Ax2vCi35l4yQXkAHFaLkb3cAD2iwYuavv3qcFnYsT5WhLQqndPoNzgNa4dMvWRkVNUoVmvL30oE6lAlWPO4rFbPpmLwJRJFudDF8IVV9cVRKnV3z79_3RfEsHJ6YTHVX4Cv--cXmkT17QSFp87DK94DAOX3jKvJNo49DdqkzXqAPUIj3CD3IWI -
Browse to
https://jwt.io/, insert dot seperated token into enocde textbox, extractkidfrom decode header section - this will be your new figerprint.
-
Enter PG container from your terminal:
docker exec -it postgres bash -
Switch user to
postgressu postgres -
Use psql cli to login
psql -
Be familiar with content of
slosilo_keystoretableselect * from slosilo_keystore;notice you have 3 columns: id, key, fingerprint, extract id record will be similar to:authn:myConjurAccount -
Edit account recored with new fingerprint
update slosilo_keystore set fingerprint = '{VALUE FROM STEP 7}' where id = '{VALUE FORM STEP 11}'; -
To verify, run step 5 and use short-lived-token to do any action, fetch secrect load policy etc.
izgeri
shulifink
If I am using Conjur, and a new version becomes available, I want to be able to seamlessly upgrade my current version of Conjur to the new version without losing any data and with minimal downtime.
Additional context
It may be that certain versions of Conjur require special upgrade instructions; this card is not meant to capture that. The output of this card should be standard upgrade instructions that typically apply / represent a baseline for Conjur operation. Given these baseline upgrade instructions (which should account for updating the Conjur server, performing any needed database migrations, and any other standard upgrade operations) should enable us to provide documentation on exceptions to this standard that arise for any given Conjur version bump.