release: github.com/cloudfoundry/diego-release / 0.1488.0

GitHub source: 84560639 or master branch

Changes from v0.1487.0 to v0.1488.0

IMPORTANT: Diego v0.1488.0 includes configuration to secure the cell rep API via mutual TLS authentication. Please consult “Upgrading to a TLS-Secured Cell Rep API” in the diego-release documentation for detailed steps on how to enable this security without incurring downtime in the Diego deployment. We recommend that all operators enable this security configuration, and doing so on upgrading from v0.1487.0 or earlier requires one fewer deployment step than doing so after upgrading to v0.1488.0 or later.

IMPORTANT: Diego v0.1488.0 requires v1.0.2 or later of garden-runc-release on Linux cells, and garden-linux-release is no longer supported. This change is required because Diego story #133264039 makes use of a new Garden API call, BulkNetOut, that is available only on v1.0.2 of garden-runc-release. Version v0.0.9 of garden-windows-bosh-release is also supported. The manifest generation scripts in diego-release now default to using garden-runc-release as the Linux implementation of the Garden backend instead of garden-linux-release, and the -g flag is now deprecated as a no-op. Please note that changing from garden-linux-release to garden-runc-release requires operators to recreate their Diego cell VMs (either explicitly or as a side-effect of a stemcell deploy), as upgrading from garden-linux to garden-runc in place is not supported. Also, the garden-runc-release repository recently moved to the “cloudfoundry” GitHub organization, so https://bosh.io/releases/github.com/cloudfoundry/garden-runc-release is now the correct source for final BOSH releases.

Significant changes

BBS API

BBS Relational Datastore

Container Placement

Component Coordination

cfdot

SSH

Routing

Volume Support (Experimental)

Container Networking Support (Experimental)

Garden-RunC Integration

Component Logging and Metrics

Test Suites and Tooling

Security

Documentation

Cleanup

De-Incubation

BOSH job changes

Removed canary job.

BOSH property changes

  • Added diego.auctioneer.rep.require_tls: Whether the auctioneer requires communication to the rep via TLS.
  • Added diego.auctioneer.rep.ca_cert: CA certificate for communication from the auctioneer to the rep.
  • Added diego.auctioneer.rep.client_cert: Client certificate for communication from the auctioneer to the rep.
  • Added diego.auctioneer.rep.client_key: Client key for communication from the auctioneer to the rep.
  • Added diego.auctioneer.rep.client_session_cache_size: Size of the TLS session cache for the auctioneer to keep for communication to the rep.
  • Added diego.bbs.rep.require_tls: Whether the BBS requires communication to the rep via TLS.
  • Added diego.bbs.rep.ca_cert: CA certificate for communication from the BBS to the rep.
  • Added diego.bbs.rep.client_cert: Client certificate for communication from the BBS to the rep.
  • Added diego.bbs.rep.client_key: Client key for communication from the BBS to the rep.
  • Added diego.bbs.rep.client_session_cache_size: Size of the TLS session cache for the BBS to keep for communication to the rep.
  • Added diego.rep.enable_legacy_api_endpoints: Whether to enable the auction, LRP, and Task endpoints on the legacy rep API server.
  • Added diego.rep.listen_addr_admin: If legacy endpoints are disabled, the address and port on which to serve the administrative endpoints used to ping and drain the rep.
  • Added diego.rep.advertise_domain: Base domain at which the rep should advertise its secure API.
  • Added diego.rep.listen_addr_securable: Address and port for the TLS-capable server on which the rep serves its workload (Task and LRP) endpoints.
  • Added diego.rep.require_tls: Whether to require mutual TLS for communication to the securable rep API server.
  • Added diego.rep.ca_cert: CA certificate for the rep to use in its TLS-capable API server.
  • Added diego.rep.server_cert: Certificate for the rep to present from its TLS-capable API server.
  • Added diego.rep.server_key: Key for the rep to use in its TLS-capable API server.
  • Added diego.ssh_proxy.healthcheck_listen_addr: Address and port on which the SSH proxy health-check server listens.
  • Removed all diego.canary.* properties.

Upload this release version to the Director:

$ bosh upload-release "https://bosh.io/d/github.com/cloudfoundry/diego-release?v=0.1488.0" --sha1 aad822353a4753232172896981da1f1f10f45194

Modify the deployment manifest to use this release in addition to any other releases in use:

releases:
- name: diego
  version: "0.1488.0"

Finally, add the needed deployment jobs and specify values for the required properties.

Optionally download the release tarball (sha1: aad822353a4753232172896981da1f1f10f45194) locally:

# download it directly using curl...
$ curl -L -J -O "https://bosh.io/d/github.com/cloudfoundry/diego-release?v=0.1488.0"

# ...or with wget
$ wget --content-disposition "https://bosh.io/d/github.com/cloudfoundry/diego-release?v=0.1488.0"
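
The curl and wget downloads above do not check the tarball against the published sha1. The following is an added example, not part of the original release page, that performs that comparison before the file is used; the helper names verify_release_sha1 and sha1_of and the tarball filename in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: compare a downloaded release tarball with the SHA-1 that the
# release page publishes. Helper names are hypothetical, not part of bosh.

# Digest published on this page for diego-release v0.1488.0.
DIEGO_0_1488_0_SHA1="aad822353a4753232172896981da1f1f10f45194"

# sha1_of FILE: print the lowercase hex SHA-1 of FILE with whichever tool exists.
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 1 "$1" | awk '{print $1}'
  elif command -v openssl >/dev/null 2>&1; then
    openssl dgst -sha1 -r "$1" | awk '{print $1}'
  else
    echo "no SHA-1 tool found" >&2
    return 2
  fi
}

# verify_release_sha1 FILE EXPECTED
# Returns 0 on match, 1 on mismatch, 2 on unreadable file or malformed digest.
verify_release_sha1() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
  # Reject anything that is not exactly 40 hex digits (e.g. a truncated paste).
  case $expected in
    *[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq 40 ] || { echo "expected digest is not 40 hex digits" >&2; return 2; }
  actual=$(sha1_of "$file") || return 2
  if [ "$actual" = "$expected" ]; then
    echo "OK $file"
  else
    echo "MISMATCH $file: got $actual, expected $expected" >&2
    return 1
  fi
}

# Usage (the filename is a placeholder; use the name curl or wget saved):
#   verify_release_sha1 ./diego-release.tgz "$DIEGO_0_1488_0_SHA1"
```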