Changes from 0.1431.0 to 0.1432.0
- Depends on garden-linux-release v0.306.0.
Breaking changes from 0.1431.0
SSH Authentication to CF Instances
Associated with Diego story "The Diego SSH Proxy no longer accepts a user's access token as an SSH password for CF app instances".
Diego's SSH proxy no longer accepts a CF user's access token as a password for access to a CF app instance. It instead accepts only a one-time authorization code issued by UAA for its client. This client must also be registered with the UAA: for example, this client is registered for BOSH-lite deployments. As long as the name of the client is `ssh-proxy`, CC will advertise the correct client name in its `/v2/info` endpoint, and the Diego manifest-generation templates will flow the client secret to the SSH Proxy job.
For SSH access to CF app instances running on this release, we recommend you upgrade to version 0.2.0 or later of the Diego SSH plugin, or consult the diego-ssh repo for the current `curl`-based instructions to request a code from UAA.
Other significant changes
SSH
- The Diego SSH Proxy can receive an authorization code as the SSH password to access a CF app instance
- The SSH plugin provides a command to print a one-time authorization code issued for the SSH proxy client
- The SSH plugin establishes SSH connections to CF app instances by sending an authorization code as the SSH password
- As a CF user, when I establish a port-forwarding session with the SSH plugin, I expect it not to drop when going through a load balancer with an idle timeout
- Audit records for SSH access to CF instances should include which index was accessed
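The flow behind the breaking change above and the SSH items in this list, as an added example that is not Diego, diego-ssh or UAA code: a simplified in-process model in which the user obtains a one-time authorization code from UAA for the `ssh-proxy` client, presents it as the SSH password, and the proxy redeems it at UAA with its own client secret (the `uaa_token_url` and `uaa_secret` properties). The class and method names, the code lifetime, the sample token values and the `cf:<app-guid>/<index>` SSH username form are assumptions of this example; the real UAA endpoints are OAuth2 HTTP calls.

```python
"""Simplified in-process model of the one-time-code SSH login described in these
release notes. Added example, not Diego or UAA code; names, message shapes and
the code lifetime below are assumptions of this example."""
import hmac
import secrets
import time

SSH_PROXY_CLIENT = "ssh-proxy"   # client name CC advertises in /v2/info
CODE_TTL_SECONDS = 300           # assumed lifetime of a one-time code


class Uaa:
    """In-memory stand-in for UAA: registered clients, user bearer tokens,
    and a store of unredeemed one-time codes."""

    def __init__(self, clients, user_tokens):
        self.clients = dict(clients)            # client_id -> client_secret
        self.user_tokens = dict(user_tokens)    # user access token -> user name
        self.codes = {}                         # code -> (user, client_id, expiry)

    def authorize(self, bearer_token, client_id, now=None):
        """Models the user's request for an authorization code bound to
        client_id; the user authenticates with their own bearer token, which
        the SSH proxy never sees."""
        now = time.time() if now is None else now
        if client_id not in self.clients:
            raise PermissionError("unknown client")
        user = self.user_tokens.get(bearer_token)
        if user is None:
            raise PermissionError("invalid user token")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, client_id, now + CODE_TTL_SECONDS)
        return code

    def token(self, client_id, client_secret, code, now=None):
        """Models the proxy's call to uaa_token_url with an authorization code,
        authenticated with its client secret. The code is consumed on first
        use, so a replayed code is refused."""
        now = time.time() if now is None else now
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            raise PermissionError("client authentication failed")
        entry = self.codes.pop(code, None)      # pop: single use
        if entry is None:
            raise PermissionError("invalid or already used code")
        user, bound_client, expiry = entry
        if bound_client != client_id:
            raise PermissionError("code was issued for a different client")
        if now > expiry:
            raise PermissionError("code expired")
        return {"access_token": "at-" + secrets.token_urlsafe(8), "user": user}


def parse_ssh_username(username):
    """Split the assumed SSH username form cf:<app-guid>/<index> so the proxy
    can record which instance index was accessed."""
    if not username.startswith("cf:") or "/" not in username:
        raise ValueError("unexpected SSH username: %r" % username)
    guid, index = username[3:].split("/", 1)
    return guid, int(index)


class SshProxy:
    """The proxy's password-authentication step: only a redeemable one-time
    code is accepted as the password; a bare access token is rejected."""

    def __init__(self, uaa, uaa_secret, client_id=SSH_PROXY_CLIENT):
        self.uaa = uaa
        self.uaa_secret = uaa_secret        # diego.ssh_proxy.uaa_secret
        self.client_id = client_id
        self.audit = []                     # (user, app_guid, index)

    def password_callback(self, username, password, now=None):
        """Return the authenticated user name, or None to refuse the login."""
        app_guid, index = parse_ssh_username(username)
        try:
            result = self.uaa.token(self.client_id, self.uaa_secret, password, now)
        except PermissionError:
            return None
        self.audit.append((result["user"], app_guid, index))
        return result["user"]


def demo():
    """Constructed scenario: one user, one app instance, several login attempts."""
    uaa = Uaa(clients={SSH_PROXY_CLIENT: "proxy-secret", "other-client": "x"},
              user_tokens={"user-token-alice": "alice"})
    proxy = SshProxy(uaa, uaa_secret="proxy-secret")
    ssh_user = "cf:2b9f1c4e-app-guid/0"   # constructed app guid, index 0
    results = {}
    code = uaa.authorize("user-token-alice", SSH_PROXY_CLIENT, now=1000)
    results["first_use"] = proxy.password_callback(ssh_user, code, now=1001)
    results["replay"] = proxy.password_callback(ssh_user, code, now=1002)
    results["raw_access_token"] = proxy.password_callback(ssh_user, "user-token-alice")
    foreign = uaa.authorize("user-token-alice", "other-client", now=1000)
    results["other_client_code"] = proxy.password_callback(ssh_user, foreign)
    stale = uaa.authorize("user-token-alice", SSH_PROXY_CLIENT, now=1000)
    results["expired"] = proxy.password_callback(
        ssh_user, stale, now=1000 + CODE_TTL_SECONDS + 1)
    results["audit"] = list(proxy.audit)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running `demo()` shows the properties the release notes rely on: the code works exactly once, a replay or a code issued to a different client is refused, the user's access token is no longer usable as a password, and the audit entry records the instance index.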
Performance
- BBS clients should avoid doing SSL handshakes with the BBS server unnecessarily (still in flight)
- The BBS's etcd clients should avoid doing SSL handshakes with etcd unnecessarily (still in flight)
- Change default route-emitter communication timeout to 30s
Misc
- Remove the Receptor
- Merge PRs for Routing info change
  - Operator should be able to verify that when mapping apps to a route already bound to a service instance for which the broker returned a route_service_url, CC sends updateDesiredLRP calls to Diego
- Merge PRs for CAPI backwards-incompatible change to Diego staging response
  - The buildpack lifecycle should return all process types in the staging response
- The Diego BOSH manifest should include the cflinuxfs2 rootfs path in the `garden.persistent_image_list` property
- As a Diego operator, if a cell rep fails to start because it cannot ping Garden successfully, I can see a metric reporting how long the rep has been stalled
- Bump cflinuxfs2 stack to 1.9.0+
- Document how to secure BBS with mutual SSL auth in the diego-release README
- cloudfoundry-incubator/rep #3: Update client test to match go 1.5 http errors
- cloudfoundry-incubator/executor #13: Improve leak detection in keyed lock test
- cloudfoundry/dropsonde #10: Added HasValue to FakeMetricSender
BOSH job changes
- Remove `receptor` job. The Lattice team has taken ownership of the receptor component and will be maintaining it from now on.
BOSH property changes
- Add `diego.ssh_proxy.uaa_token_url`: URL for the SSH proxy to use to request an access token from the UAA in exchange for its one-time auth code.
- Add `diego.ssh_proxy.uaa_secret`: Client secret for the SSH proxy to supply to UAA.
- Remove all properties under `diego.receptor`.