Resources
- Download release v2.14.0 from bosh.io.
- Verified with cloudfoundry/cf-deployment @ 73904941fd0dd5842da7371e1cc3e630ba2719e4.
Changes from v2.13.0 to v2.14.0
NOTE: As with the `rep` job in Diego v2.13.0, the `bbs`, `file_server`, and `locket` jobs now also control whether they set kernel parameters explicitly. Operators deploying to containerized BOSH clouds should opt out of this behavior on these jobs.
Significant changes
Routing
- As a CF app developer, I expect that my app instances remain routable when their Diego cell fails to maintain its presence and then quickly re-establishes it so that I do not experience app downtime (in flight)
- As a CF operator, I would like to opt the BBS into generating suspect ActualLRPs so that I can deliberately take on potential risk around LRP state machine errors
Per-Instance Proxy (Experimental)
- As a Diego operator, I expect to be able to configure the Envoy container proxy to require and to validate client certificates so that I can ensure that only authorized CF components such as the gorouter communicate with it
- As a CF operator, I expect to be able to disable the non-TLS-proxied port mappings on my containers so that I can ensure that all traffic entering the container from the infrastructure network goes through the per-container proxy (in flight)
Xenial Integration
BOSH job changes
None.
BOSH property changes
bbs
- Add `set_kernel_parameters`: Whether to set `/proc/sys` kernel parameters. As discussed above, defaults to `true`, but on some containerized cloud providers should be set to `false`.
- Add `generate_suspect_actual_lrps`: Whether the BBS should generate ActualLRPs with a Suspect presence state when it detects missing cells during LRP convergence. Experimental; defaults to `false`.
file_server
- Add `set_kernel_parameters`: Whether to set `/proc/sys` kernel parameters. As discussed above, defaults to `true`, but on some containerized cloud providers should be set to `false`.
locket
- Add `set_kernel_parameters`: Whether to set `/proc/sys` kernel parameters. As discussed above, defaults to `true`, but on some containerized cloud providers should be set to `false`.
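The NOTE above says operators on containerized BOSH clouds should opt these jobs out of setting kernel parameters. The following BOSH ops file is an added example (not part of this release or of cf-deployment) showing how to do that for the three jobs covered by this release plus the `rep` job from v2.13.0. The instance group names `diego-api` and `diego-cell` follow cf-deployment conventions and are assumed; adjust them to match your manifest.

```yaml
# Hypothetical BOSH ops file (added example, not from diego-release or cf-deployment).
# Opts the bbs, locket, file_server and rep jobs out of writing /proc/sys kernel
# parameters. On a containerized BOSH cloud the job VM is itself a container and
# typically cannot (and should not be expected to) modify host sysctls.
# The trailing "?" on each path tells bosh to create the key if it is absent.
- type: replace
  path: /instance_groups/name=diego-api/jobs/name=bbs/properties/set_kernel_parameters?
  value: false
- type: replace
  path: /instance_groups/name=diego-api/jobs/name=locket/properties/set_kernel_parameters?
  value: false
- type: replace
  path: /instance_groups/name=diego-cell/jobs/name=file_server/properties/set_kernel_parameters?
  value: false
# rep gained the same property in Diego v2.13.0; opt it out on the same clouds.
- type: replace
  path: /instance_groups/name=diego-cell/jobs/name=rep/properties/set_kernel_parameters?
  value: false
```

Apply it alongside your other ops files, e.g. `bosh -d cf deploy cf-deployment.yml -o disable-kernel-parameters.yml`. Before deploying, confirm with `bosh interpolate` that each `path` resolves to an existing job; a mistyped job name makes the `replace` op fail rather than silently leave the default of `true` in place.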
rep and rep_windows
- Add `containers.proxy.require_and_verify_client_certificates`: Whether the rep should configure the per-instance Envoy proxy to require and to verify client certificates. Experimental; defaults to `false`.
- Add `containers.proxy.trusted_ca_certificates`: List of CA certificate bundles for the per-instance Envoy proxy to trust when verifying client certificates. Experimental.
- Add `containers.proxy.verify_subject_alt_name`: List of Subject Alternative Names for the per-instance Envoy proxy to trust when verifying client certificates. Experimental.
- Add `containers.proxy.enable_unproxied_port_mappings`: Whether the cell rep should establish port mappings directly to the desired ports on containers. Experimental; defaults to `true`.
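The four `containers.proxy.*` properties above work together: requiring client certificates restricts who may talk to the Envoy proxy, and disabling the unproxied port mappings removes the path around it. The ops file below is an added example (not from this release or cf-deployment) that sets all four on the `rep` job. The instance group name `diego-cell`, the variable name `container_proxy_client_ca`, and the SAN value are assumptions; the CA you list must be the one that issued the gorouter's backend client certificate, and the SAN must appear in that certificate.

```yaml
# Hypothetical BOSH ops file (added example, not from diego-release or cf-deployment).
# Enables mutual TLS on the per-instance Envoy proxy and closes the unproxied
# port mappings, so traffic from the infrastructure network can only reach a
# container's app ports through the proxy, and only with a client certificate
# chained to the trusted CA and carrying an allowed Subject Alternative Name.
- type: replace
  path: /instance_groups/name=diego-cell/jobs/name=rep/properties/containers/proxy/require_and_verify_client_certificates?
  value: true
- type: replace
  path: /instance_groups/name=diego-cell/jobs/name=rep/properties/containers/proxy/trusted_ca_certificates?
  value:
  # Assumed variable name; must be the CA that signed the gorouter's backend client cert.
  - ((container_proxy_client_ca.ca))
- type: replace
  path: /instance_groups/name=diego-cell/jobs/name=rep/properties/containers/proxy/verify_subject_alt_name?
  value:
  # Constructed example SAN; use the SAN present in the gorouter's client certificate.
  - gorouter.service.cf.internal
- type: replace
  path: /instance_groups/name=diego-cell/jobs/name=rep/properties/containers/proxy/enable_unproxied_port_mappings?
  value: false
```

Roll this out in two steps: first enable client-certificate verification and confirm the gorouter still reaches app instances, then set `enable_unproxied_port_mappings` to `false`. Any component that still connects to the plain container port rather than the proxied one loses access at the second step, which is the intended effect but should be verified against your own routing setup. Both features are marked experimental in this release, and the unproxied-port-mapping change is listed as in flight.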
vizzini
- Add `vizzini.container_proxy.ca`: CA certificate for the test client to trust when running container-proxy tests.
- Add `vizzini.container_proxy.client_cert`: Certificate for the test client to present when running container-proxy tests.
- Add `vizzini.container_proxy.client_key`: Private key for the test client to use when running container-proxy tests.
BOSH link changes
None.