cloudfoundry/diego-release v1.35.0

Diego v1.35.0

on GitHub

Changes from v1.34.0 to v1.35.0

• Verified with garden-runc-release v1.11.1.
• Verified with garden-windows-bosh-release v0.13.0.
• Verified with etcd-release v117.
• Verified with cf-mysql-release v35.
• Verified with cflinuxfs2-release v1.187.0.

IMPORTANT: This version of diego-release is the last in the v1.x series, and we plan to release v2.0.0 as our next release with some breaking changes to job properties. We will also use the major version as license to remove some API endpoints and fields that have been deprecated since Diego v1.0.0. Please see the v2.0.0 proposal that was circulated on the cf-dev mailing list for more details. Users of cf-deployment will already be prepared to adopt these changes.

Significant changes

BBS API

• As a Diego operator, I expect to be able to configure the BBS to have a larger number of file descriptors so it can operate successfully in very large environments
• As a CF operator, I expect to see a complete list of the BBS API endpoints and fields deprecated before Diego v1.0.0 so that I can verify no other deployments are using them before upgrading to Diego v2.0.0
• As a Diego BBS API client, I expect BBS API fields that are no longer relevant to Diego v1.0.0 deployments to be deprecated so that I can stop using them

Container Placement

• As a Diego operator, I expect to see more complete cell and instance identifiers in the state response so that I can understand the live state of the cell and its workload
• As a Diego operator, I expect the auctioneer to validate that the cell state response comes from the intended cell so that it does not make placement decisions with incorrect information about the available cells

Container Execution

• As a Diego operator, I expect the cell rep process always to shut down after its evacuation timeout even if calls to its local Garden hang indefinitely

cfdot

• As a Diego operator, I expect to be able to opt cfdot into setting a request timeout on non-streaming requests to the BBS so that I do not exhaust system resources

Instance Identity Credentials

• As a Diego operator, I expect to find that instance-identity credential configuration is no longer experimental so that I can feel confident in enabling it in production environments

Volume Support

• volman gets csi plugin identity from the csi identity service
• make volman/voldriver units work on windows as well as ubuntu
• volman driver discovery doesn't appear to recover if a driver connection hangs
• csi local pats failing on missing VolumeAttributes

v2 Loggregator API Adoption

• As a CF operator, I expect to be able to configure the fileserver to emit its Golang-runtime metrics via the v2 loggregator API so that I can move away from the deprecated v1 UDP API

Per-Instance Proxy (Experimental)

• Inline the instance-identity TLS cert and key into the Envoy config

Test Suites and Tooling

• sync-submodule-config should run in CI
• As a Diego contributor, I expect to be able to run the initial or latest vizzini test suite against a locally deployed Diego with different combinations of v1.25.2 and latest components
• Investigate port allocation flake in units/inigo
• increase the wait time for processes in inigo and dusts
• Remove "HTTP" mode simulation test and related code

Security

• As a Diego operator, I expect to be able to opt the cell rep into using the new TLS BOSH properties for all HTTP client and server communication
• As a Diego operator, I expect the Diego cell to fail to deploy if the Diego cell opts into requiring TLS for its admin API but does not contain the correct SAN metadata in its TLS certificate

Documentation

• As a Diego operator, I expect to have an updated list of the BOSH properties deprecated as irrelevant in Diego v1 so that I can remove them safely in Diego v2

BOSH job changes

None.

BOSH property changes

auctioneer

• diego.auctioneer.bbs.require_ssl is deprecated and will be removed in Diego v2.
• diego.auctioneer.dropsonde_port is deprecated and will be removed in Diego v2.

bbs

• Added limits.open_files: Number of open files (including sockets) that each BBS API instance may hold open. Defaults to 100,000.
• diego.bbs.desired_lrp_creation_timeout is deprecated and will be removed in Diego v2.
• diego.bbs.dropsonde_port is deprecated and will be removed in Diego v2.
• diego.bbs.etcd.ca_cert is deprecated and will be removed in Diego v2.
• diego.bbs.etcd.client_cert is deprecated and will be removed in Diego v2.
• diego.bbs.etcd.client_key is deprecated and will be removed in Diego v2.
• diego.bbs.etcd.client_session_cache_size is deprecated and will be removed in Diego v2.
• diego.bbs.etcd.machines is deprecated and will be removed in Diego v2.
• diego.bbs.etcd.max_idle_conns_per_host is deprecated and will be removed in Diego v2.
• diego.bbs.etcd.require_ssl is deprecated and will be removed in Diego v2.
• diego.bbs.require_ssl is deprecated and will be removed in Diego v2.

benchmark-bbs

• benchmark-bbs.bbs.require_ssl is deprecated and will be removed in Diego v2.
• benchmark-bbs.etcd.ca_cert is deprecated and will be removed in Diego v2.
• benchmark-bbs.etcd.client_cert is deprecated and will be removed in Diego v2.
• benchmark-bbs.etcd.client_key is deprecated and will be removed in Diego v2.
• benchmark-bbs.etcd.client_session_cache_size is deprecated and will be removed in Diego v2.
• benchmark-bbs.etcd.machines is deprecated and will be removed in Diego v2.
• benchmark-bbs.etcd.max_idle_conns_per_host is deprecated and will be removed in Diego v2.
• benchmark-bbs.etcd.require_ssl is deprecated and will be removed in Diego v2.

cfdot

• diego.cfdot.bbs.use_ssl is deprecated and will be removed in Diego v2.

file_server

• Added loggregator.ca_cert: CA certificate bundle to use to verify the local metron agent certificate.
• Added loggregator.cert: Client certificate to present to the local metron agent for the v2 API.
• Added loggregator.key: Private key associated to the v2 API client certificate.
• Added loggregator.use_v2_api: Whether to use the v2 Loggregator API to emit component metrics. Defaults to false.
• Added loggregator.v2_api_port: Port on which to connect to the local metron agent for the v2 API. Defaults to 3458.
• diego.file_server.dropsonde_port is deprecated and will be removed in Diego v2.

locket

• dropsonde_port is deprecated and will be removed in Diego v2.

rep and rep_windows

• Added use_v2_tls: Whether to use the tls.ca_cert, tls.cert, and tls.key for most of the rep's client and server communications, excepting the Loggregator v2 API and Consul. Also deprecated, to be removed in Diego v2, but added for the purpose of validating configuration before upgrading to v2.
• admin_api.require_tls is deprecated and will be removed in Diego v2.
• diego.executor.export_network_env_vars is deprecated and will be removed in Diego v2.
• diego.executor.instance_identity_ca_cert is no longer experimental.
• diego.executor.instance_identity_private_key is no longer experimental.
• diego.executor.instance_identity_validity_period_in_hours is no longer experimental.
• diego.rep.bbs.ca_cert is deprecated and will be removed in Diego v2 in favor of tls.ca_cert.
• diego.rep.bbs.client_cert is deprecated and will be removed in Diego v2 in favor of tls.cert.
• diego.rep.bbs.client_key is deprecated and will be removed in Diego v2 in favor of tls.key.
• diego.rep.bbs.require_ssl is deprecated and will be removed in Diego v2.
• diego.rep.ca_cert is deprecated and will be removed in Diego v2 in favor of tls.ca_cert.
• diego.rep.dropsonde_port is deprecated and will be removed in Diego v2.
• diego.rep.enable_legacy_api_endpoints is deprecated and will be removed in Diego v2, as the workload and admin APIs will always be on separate ports in Diego v2.
• diego.rep.listen_addr is deprecated and will be removed in Diego v2 in favor of diego.rep.listen_addr_admin and diego.rep.listen_addr_securable.
• diego.rep.require_tls is deprecated and will be removed in Diego v2.
• diego.rep.server_cert is deprecated and will be removed in Diego v2 in favor of tls.cert.
• diego.rep.server_key is deprecated and will be removed in Diego v2 in favor of tls.key.

route_emitter and route_emitter_windows

• diego.route_emitter.bbs.require_ssl is deprecated and will be removed in Diego v2.
• diego.route_emitter.dropsonde_port is deprecated and will be removed in Diego v2.

ssh_proxy

• diego.ssh_proxy.bbs.require_ssl is deprecated and will be removed in Diego v2.
• diego.ssh_proxy.dropsonde_port is deprecated and will be removed in Diego v2.

vizzini

• vizzini.bbs.require_ssl is deprecated and will be removed in Diego v2.

BOSH link changes

None.