cloudfoundry/cf-networking-release 2.18.0

on GitHub

This release includes the following features

• Update destination object API is now available for configuring dynamic egress policy configuration
• Service accounts can now be used to access the policy server APIs
• Policy server can now connect to databases on Google or Azure clouds with TLS enabled
  Tested with silk-release v2.18.0

Significant Changes

Manifest changes

• An optional parameter has been added to the bosh-dns-adapter job to allow for internal service mesh domains. Routes created with these domains will be proxied through the sidecar envoy. This is a part of istio integration. Defaults to []
  • internal_service_mesh_domains
• An optional parameter has been added to the policy-server job to skip host name validation when using ssl validation. The policy-server-internal uses the same configuration applied to policy-server via bosh links.
  • database.skip_hostname_validation

Dynamic Egress Policy Configuration

• As an operator, I want to update a destination object - Error cases,
• As an operator, I want to update a destination object - Github
• API returns standard format when no policies are present
• Dynamic Egress - Update Github
• As an operator, I want to list all destination objects - Happy path - With filters
• Dynamic Egress acceptance tests should have all ips in destination for various test sites

TLS connection from policy server

• As a CF operator, I expect to be able to configure network policy server to ignore hostnames in server certificates for TLS connections to an external MySQL database for compatibility with Google and Azure Cloud SQL servers that does not provide a hostname in their certificates

Allow service accounts to access policy server APIs

• cloudfoundry/cf-networking-release #51: WIP: UAA Token Subject should be used rather than UserID

Miscellaneous

• BPM BBR scripts
• bosh-dns-adapter should work correctly when overriding the list address and port
• Add docs for large deployments