# Phase 1

Automated deployment of RDS backed conjur OSS.

* Jenkins Pipeline
* New Repo (conjurinc/conjurops)
  - keep v4 policies in conjurinc/conjurops-policies
  - Add v5 policies to conjurinc/conjurops
  - deprecate conjurinc/conjurops-policies once v4 conjurops is shut down
* Deployment tool: cloud formation / aws sdk / ansible
* Two environments: Staging / Master

# Phase 2

Policy Structure for V5 - keeping variable names constant

# Phase 3

Data import

# Phase 4

Remove reliance on v4

* Jenkins Auth
* Registry Auth

# Phase 5

Continuous deployment of conjur master
### TODO: Re-think approach to turn it into a more user-serviceable/self-service style/modular capability

- [ ] Seed service (anything else from changelogs we missed?)
- [ ] Pummel 2.0
- [ ] Handle high-volume logging (send UDP packets like socat does, memory-only somehow?, central sending - msmc channel?, transient/ephemeral)
- [ ] Build with dependencies without having to follow gopath conventions (https://github.com/v3io/v3ctl/blob/master/Makefile)
- [ ] a goroutine that checks for new admin keys (goroutine with n-sec sleep & 1-m channel)
- [ ] Check channel only after failed request - kick off a key comparison on failed request?
- [ ] if new admin key is detected, broadcast on a channel
- [ ] consolidate http calls into an external function with a config map/struct
- [ ] Pummel the health endpoint
- [ ] Move pummel/exercise and master/follower CLI off the instances (separate instance? Bamboo? Fargate? m1.large? etc), switch on-instance CLIs to container link, ldap tools
- [ ] Optional sleep between pummel calls to keep from getting too hammered by even one thread
- [ ] One-touch method to stop all testing (exercise, pummel x 2)
- [ ] https://github.com/golang/go/wiki/SubRepositories
- [ ] Everything in the readme.md todo section
- [ ] Incorporate seed service (anything else from changelogs past?)
- [ ] Perform backups
- [ ] Find a way to handle run failures (destroy?)
- [ ] Limit CI job to one concurrent run
- [ ] Rename? (goddamnit Gil!)
- [ ] Check resource consumption at the end of each run
- [ ] Kangaroo Jack notifications still sneaking in
- [ ] Use seccomp
- [ ] All stages optional (for dev/testing)
- [ ] Rotation dummy user
- [ ] See if we can do this with smaller/cheaper instances
- [ ] Multi-account support (eval replacement) for KJ
- [ ] OCP follower?
- [ ] KMS master key encryption
- [ ] authn-ldap
- [ ] Present xa-cluster (maybe pre-recording)
- [x] Upload certs to all hosts
- [x] Move ha policy into centos home dir
- [x] Generate certs for unconfigured clusters
- [x] Suspend monitoring during a reset
- [x] Wait for alarms to be OK before completing monitoring pipeline
- [x] Remove master appliance build notification
## Objective

In general, optimize and automate as much as we can of the manual steps from this process: https://github.com/conjurinc/appliance/wiki/Release-Instructions-v5, which today is cumbersome and involves many steps.

## A few things to consider

- [ ] ./release scripts are different in every repo
- [ ] Packages and dependencies automation (update the PACKAGES file?)
- [ ] Release branches are created automatically
- [ ] Tagging in the docker image should be the PAS_RELEASE not the internal VERSION
- [ ] Why do we need multiple versions (internal version VERSION, PAS_VERSION)?
- [ ] Ability to release patches from release branches
TODO: Flesh out description more

Adding security, enforcement and verification to accounts across services
- [ ] Based on botkit
- [ ] Receives 'all' webhooks from conjurinc, cyberark, and conjurdemos - use eventemitter
- [ ] Has access to admin API keys for Slack and Github
- [ ] Core modules vs user modules, dynamically loaded with command to reload, contain failure, ci pipeline
- [ ] Cron example, trigger example, gh example, webhook example w/ overlapping paths (eventemitter again?)
- [ ] Conjur JS sdk - securely erase
- [ ] Pipeline with dummy running, and eslint
- [ ] channel with debug logging
- [ ] list people from conjur-devs who aren't on a call

## Functionality

- [ ] create new repos with permissions, webhooks, license, GitHub actions?, PR and issue templates etc
- [ ] conjur-devs users missing on calls
- [x] v4 API for collecting vulns (needs GraphQL)
- [ ] notifications for various hook events (audit log) (to use audit log outside of webhooks, need GitHub Enterprise)
- [ ] surface more concerning build failures
- [ ] label sync
- [ ] issue format enforcement
- [ ] github status reports
- [ ] A slack bot to get people to set real name and profile pic on join
- [ ] Jenkins master and executor fleet are reproducible
- [ ] Everything is based on Ubuntu Bionic (or another LTS option?)
- [ ] Executors are disposable
- [ ] Windows executors are available, with documentation around how to utilize them
- [ ] Jenkins is reconfigured from scratch with seed-based pipelines only
- [ ] A mechanism is in place to ensure we're current on patches for core and plugins
- [ ] Measures are taken to broadly isolate Jenkins from the wider internet (cloudflare?)
- [ ] All reasonable attempts are made to follow best practices (config as code, reproducible/disposable, secure etc)
- [ ] Windows containers?
- [ ] Better protection from the broader internet (Cloudflare Access via Github?)
- [ ] Discover repos instead of hardcoding the list (org folder)
- [ ] Enable agent-master security subsystem
- [ ] Alternative swarm client configurations
- [ ] Enable full plugin and script security?

Ref:

* https://github.com/jenkinsci/jenkinsfile-runner
### TODO: Add more info about the maintenance to do
The issue stems from two setTimeout calls at 180ms apiece (sometimes 400ms if it has been manually adjusted) that handle the bouncing balls in advance of full page load. They determine whether or not the ToC has finished rendering (it loads level by level) and then remove `visibility: hidden` from the document content div. If the ToC loads slowly enough, neither of the setTimeout callbacks considers the page load successful and no content is made visible. Rivka is going to experiment with switching to a setInterval instead, as well as removing the bouncing balls entirely. Removing the balls is an issue because the page loads very incrementally, and they were added in the first place due to negative user feedback on the loading experience. This should be ready for review in 1-2 weeks. See https://github.com/cyberark/conjur-docs/blob/master/Content/Resources/_TopNav/cc_topnav.js `asyncIsMenuLoaded()`
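The race described above, modelled deterministically as an added example (this is not code from conjur-docs or `cc_topnav.js`): a fake timer lets the two fixed-delay checks and a polling alternative be compared against a ToC that finishes rendering at a chosen time. `simulate`, `fixedTimeouts` and `intervalPoll` are illustrative names chosen here; the polling version also reveals the content after a cap so a ToC that never finishes cannot leave the page blank.

```javascript
// Minimal fake timer: callbacks are queued at virtual times and run in order.
function makeFakeTimers() {
  const queue = [];
  let now = 0;
  const api = {
    setTimeout(fn, ms) { queue.push({ at: now + ms, fn }); },
    setInterval(fn, ms) {
      const handle = { cancelled: false };
      const tick = () => {
        if (handle.cancelled) return;
        fn();
        if (!handle.cancelled) queue.push({ at: now + ms, fn: tick });
      };
      queue.push({ at: now + ms, fn: tick });
      return handle;
    },
    clearInterval(handle) { handle.cancelled = true; },
    now() { return now; },
    run(limitMs) {
      while (queue.length) {
        queue.sort((a, b) => a.at - b.at);
        if (queue[0].at > limitMs) break;
        const next = queue.shift();
        now = next.at;
        next.fn();
      }
    },
  };
  return api;
}

// Page model (constructed): the ToC levels finish rendering at tocReadyAt ms
// and the content div starts out with visibility: hidden.
function simulate(strategy, tocReadyAt) {
  const timers = makeFakeTimers();
  const page = { contentVisible: false, isMenuLoaded: () => timers.now() >= tocReadyAt };
  strategy(timers, page);
  timers.run(10000);
  return page.contentVisible;
}

// Current behaviour: two fixed-delay checks. A ToC slower than both leaves the content hidden.
function fixedTimeouts(timers, page) {
  for (const delay of [180, 400]) {
    timers.setTimeout(() => { if (page.isMenuLoaded()) page.contentVisible = true; }, delay);
  }
}

// Polling alternative: keep checking until the ToC is loaded, but never wait past maxMs.
function intervalPoll(timers, page, everyMs = 100, maxMs = 5000) {
  const handle = timers.setInterval(() => {
    if (page.isMenuLoaded() || timers.now() >= maxMs) {
      page.contentVisible = true;
      timers.clearInterval(handle);
    }
  }, everyMs);
}
```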
### TODO: Fill in the goals here

https://cloudcustodian.io/ as a possible tool to use?