diego/1.10.0

Changes from v1.9.0 to v1.10.0

• Verified with garden-runc-release v1.2.0.
• Verified with garden-windows-bosh-release v0.3.0.
• Verified with etcd-release v99.
• Verified with cf-mysql-release v34.
• Verified with cflinuxfs2-rootfs-release v1.56.0.

IMPORTANT: This version of Diego requires garden-runc version v1.2.0 or later, as the cell rep now uses the new Image field on the garden API ContainerSpec in order to pass Docker image credentials to the garden backend.

Significant changes

cfdot

• As a cfdot user, I expect to be able to retrieve the list of cells from the BBS

Routing

• As a Diego operator, I expect the route-emitter job to fail if it its NATS configuration is incorrect so that existing applications remain routable

De-Consuling Locks (Experimental)

• As a Diego operator, I expect to be able to configure cells to register and unregister their presence via a locket API instead of consul
• As a Diego operator, I expect the locket service to require mutual TLS authentication
• As a Diego operator, I expect the cell registration API to support 2000 simultaneous cell registrations with 250K instances (in flight)

Instance Identity Credentials (Experimental)

• As a Diego operator, I expect to be able to set the duration for which the instance-identity credentials are valid (in flight)

Volume Support

• Clean up lager logging
• volume services troubleshooting guide

v2 Loggregator API Adoption (Experimental)

• As a Diego operator, I expect to be able to opt the cell reps into emitting app logs via the v2 loggregator API

Docker Support

• As a BBS API client, I expect to be able to run Tasks and LRPs based on Docker images that require authenticated access

Windows Support

• As a Diego operator, I expect to be able to configure Windows cells to be able to download HTTPS assets both from publicly trusted sources and from internal sources

Test Suites and Tooling

• add a git hook that checks that canonical import paths are enforced
• Fix grootfs config in inigo

BOSH job changes

None.

BOSH property changes

NOTE: Starting with this release, some BOSH job properties are intended to be local to particular BOSH job templates. These template-local properties are listed in separate subsections below.

• Added benchmark-bbs.bbs.ca_cert: CA certificate for the BBS benchmark suite to validate the BBS and locket servers.
• Added benchmark-bbs.locket.api_location: Address of the locket server.
• Added diego.executor.instance_identity_validity_period_in_hours: Duration in hours for the instance-identity certificates to be valid. Experimental.
• Added diego.rep.locket.api_location: Location of the locket API for cells to register their presence.
• Added diego.route_emitter.healthcheck_address: Location at which the route-emitter should serve a health-check endpoint.

locket

• Added tls.ca_cert: CA certificate for locket server to validate client connections.
• Added tls.cert: Certificate for locket server to present.
• Added tls.key: Private key for locket server.

rep and rep_windows

• Added loggregator.use_v2_api: Whether to use the v2 Loggregator API when sending logs and metrics to the local metron agent.
• Added loggregator.v2_api_port: Port for the v2 Loggregator API.
• Added loggregator.ca_cert: CA certificate to use to validate the v2 Loggregator API connection to metron.
• Added loggregator.cert: Certificate to present when connecting to the v2 Loggregator API.
• Added loggregator.key: Private key for the v2 Loggregator API client.

BOSH link changes

None.

- name: "diego"
  version: "1.10.0"
  url: "https://bosh.io/d/github.com/cloudfoundry/diego-release?v=1.10.0"
  sha1: "3a9c9e5dacdcd65b2630b30cf9ed36f17fa3111d"

bosh upload-release --sha1 3a9c9e5dacdcd65b2630b30cf9ed36f17fa3111d \
  "https://bosh.io/d/github.com/cloudfoundry/diego-release?v=1.10.0"