This document describes new and enhanced features for Conjur Secrets Manager Enterprise (Conjur Enterprise) version 12.7.
For release notes, see Release Notes.
Kubernetes Follower can authenticate using JWT-based authentication
In addition to our existing certificate-based Kubernetes Authenticator, in this version, we added support for authenticating the Kubernetes Follower using JWT-based authentication. This new capability joins the already existing capability of authenticating workloads running inside Kubernetes/OpenShift clusters, and allows reduced complexity and faster deployment of Kubernetes Followers.
For more information, see OpenShift/Kubernetes.
Kubernetes authenticator support Rancher's labels
We enhanced our existing Kubernetes Authenticator to support cross-namespace authentication in Kubernetes clusters managed by Rancher. Now, application owners can authenticate their workloads based on labels across Kubernetes namespaces and clusters.
For more information, see Workload identity for Kubernetes (cert-based authentication).
New built-in "Viewers" group
We added a new built-in group called "Viewers", generated automatically per Safe by the Vault Synchronizer. This new group represents a role that has permission to list secrets including their metadata (for example annotations metadata), but not the secret value. With this new group, users can apply more granular authorization policies for secrets in Safes.
For more information, see Safe policy.
Support OpenShift 4.10
Version 12.7 is approved for running in OpenShift v4.10. This covers all supported components and configurations of Conjur Enterprise.
For more information, see Supported Kubernetes-based environments.
Log in to Conjur UI using OIDC authentication - Early availability
In this version, we enhanced the security and the product experience by enabling organizations that require single sign-on (SSO) and MFA as part of their organizational security policies to log in to Conjur Enterprise's UI, using their already existing identity provider (IdP) implementation.
For more information, see OpenID Connect (OIDC) Authenticator.