IMPORTANT

• This release requires the Nginx for Cloud Controller to have valid SSL configuration as part of requiring all internal communication within Cloud Foundry to use Mutual TLS. The Diego BBS and Cloud Controller should use a common CA. For existing deployments, use the Diego CA to generate a key and cert using cloud-controller-ng.service.cf.internal as the CN. The Diego CA and Cloud Controller Cert and Key should be configured per the job spec changes below.
• This release contains a fix for the bulk query used by HM9K for those using the DEA Runtime. We recommend scaling HM9K to 0 instances, deploying this CAPI-Release, then scaling HM9K back to original number of instances.
• This release changes how we've included the fog gem dependency. Previously, we included the entire fog gem and all providers. This release only includes supported fog providers listed below. If there's a provider that you need that is missing, let us know and we'll happily add it back.
  • fog-azure-rm
  • fog-aws
  • fog-local
  • fog-openstack
  • fog-google

CC API Version: 2.70.0 and 3.5.0

Service Broker API Version: 2.11

CAPI Release

• Bump to Ruby 2.3.3, Golang 1.7.4, Nginx 1.11.8 details

Cloud Controller

• API Client can list apps in alphabetical order details
• API client can specify an array of buildpacks for V3 App details
• API client can specify an array of buildpacks for V3 Droplet details
• Appears as though push and restage are using different memory calculations details
• As a CF operator, I expect all app instances, app tasks, and staging tasks to have reasonable container-wide PID limits details
• As an API user, I can List all Staging Security Groups for the Space details
• As an app developer, I would like my app to emit logs with a "hostname" to my syslog drains details
• BUILDPACK CACHE should use SHA-256 to ensure they have not been corrupted or tampered with details
• BUILDPACKS should use SHA-256 to ensure they have not been corrupted or tampered with details
• Expose app_domains property as a link details
• Expose system_domain property as a link details
• Operator does not observe increased error rate in New Relic due to HTTP 404 details
• Operator does not observe increased error rate in New Relic due to expired tokens details
• PACKAGES should use SHA-256 to ensure they have not been corrupted or tampered with details
• Rate limiting blocks concurrent requests resulting in long request times for heavy users details
• Recursive app deletion with app bound to services that fail to unbind should fail gracefully details
• system_domain_organization should be defaulted to "system" details
• deleting a security group or space that have a staging_security_group association fails details
• explicitly require fog metagems in our gemfile instead of fog details
• minimum staging memory is not configurable. details

Pull Requests and Issues

• #42: Generalize running_in_container function details
• cloudfoundry/cloud_controller_ng#669: CF list Application Security Group inconsistency details
• cloudfoundry/cloud_controller_ng#753: Fail to list all Service Plans for a service broker using q=service_broker_guid%20IN%20 filter details
• cloudfoundry/cloud_controller_ng#756: /v2/organizations/GUID/summary returns no spaces when queried with cloud_controller.admin_read_only scope details

Job Spec Changes

• Cloud Controller now requires SSL configuration with the following properties:
  • cc.mutual_tls.ca_cert: PEM-encoded CA certificate for secure, mutually authenticated TLS communication
  • cc.mutual_tls.public_cert: PEM-encoded certificate for secure, mutually authenticated TLS communication
  • cc.mutual_tls.private_key: PEM-encoded key for secure, mutually authenticated TLS communication