diego/1.12.0

Changes from v1.11.0 to v1.12.0

• Verified with garden-runc-release v1.4.0.
• Verified with garden-windows-bosh-release v0.4.0.
• Verified with etcd-release v99.
• Verified with cf-mysql-release v34.
• Verified with cflinuxfs2-rootfs-release v1.60.0.

IMPORTANT: In advance of their use in the forthcoming v1.26.0 of capi-release, the manifest-generation script and templates require three new values in the property-overrides stub, property_overrides.cc_uploader.ca_cert, client_cert, and client_key, for the CC-Uploader component to use when communicating to Cloud Controller. Please consult the TLS documentation in capi-release for more information.

IMPORTANT: As of this Diego release, we consider the route-emitter job in local mode to be ready for use in production environments for HTTP route registrations. Work is also nearly complete to enable the local route-emitter to register TCP routes, but some of the BOSH properties that configure that mode will change in the next Diego release with the conclusion of story #142885525, and the manifest-generation script will extract more values from the CF manifest automatically.

Significant changes

SSH

• cloudfoundry/diego-ssh #30: SSH appears to hang with OpenSSH 7.3p1 from ubuntu yaketty
• cloudfoundry/diego-release #288: Update golang crypto library

Routing

• operator should be able use BBS client to verify that when a desired LRP is created with an http route and router group guid, that only gorouters configured with this guid add the route to their table (in flight)

Local Route Emitters

• As a Diego operator, I expect the route-emitter not to fetch the DesiredLRP if it has routing information for at least one of its ports

Local Route Emitters: TCP (Experimental)

• As a Diego operator, I expect to be able to opt the cell-local route-emitters into registering TCP routes with the routing API when UAA authentication is required

Instance Identity Credentials (Experimental)

• As a CF app developer, I expect the instance-identity certificates presented to a Linux app container always to be valid
• As an app developer, I expect the instance-identity credential files to be replaced atomically in the Linux container filesystem on rotation
• Fix ifrit panics

v2 Loggregator API Adoption (Experimental)

• As a Diego operator, I expect the cell reps to emit rep component metrics via the v2 loggregator API if so configured
• Use the gogo proto backend to generate loggregator pb.go files
• cloudfoundry/diego-release #289: Use InstanceId field instead of source_instance tag

Manifest Generation

• cloudfoundry/diego-release #292: Add CC-Uploader server mTLS certificates

Test Suites and Tooling

• fix flaky route-emitter watcher test suite
• look into route-emitter flaky tests

Documentation

• As a CF operator, I expect the examples/aws documentation and templates to contain information about configuring the CC-Uploader with required TLS credentials

BOSH job changes

None.

BOSH property changes

route_emitter and route_emitter_windows

Added uaa.ca_cert: CA certificate bundle to trust when verifying the UAA server’s certificate. Added uaa.client_name: Name of the UAA client for the route-emitter to use. Defaults to tcp_emitter. Added uaa.client_secret: Secret for the route-emitter UAA client. Added uaa.port: Port on which to communicate with the UAA. Defaults to 8443 for direct internal communication. Added uaa.skip_cert_verify: Whether the route-emitter should skip verification of the UAA server’s certificate. Added uaa.url: URL at which to communicate with the UAA. Defaults to https://uaa.service.cf.internal for direct internal communication.

BOSH link changes

None.

- name: "diego"
  version: "1.12.0"
  url: "https://bosh.io/d/github.com/cloudfoundry/diego-release?v=1.12.0"
  sha1: "6fe4073431ac2dcb7072493fae0f6c22f780e8a2"

bosh upload-release --sha1 6fe4073431ac2dcb7072493fae0f6c22f780e8a2 \
  "https://bosh.io/d/github.com/cloudfoundry/diego-release?v=1.12.0"