cloudfoundry/diego-release v2.14.0

Diego v2.14.0

on GitHub

Resources

• Download release v2.14.0 from bosh.io.
• Verified with cloudfoundry/cf-deployment @ 73904941fd0dd5842da7371e1cc3e630ba2719e4.

Changes from v2.13.0 to v2.14.0

NOTE: As with the rep job in Diego v2.13.0, the bbs, file_server, and locket jobs now also control whether they set kernel parameters explicitly. Operators deploying to containerized BOSH clouds should opt out of this behavior on these jobs.

Significant changes

Routing

• As a CF app developer, I expect that my app instances remain routable when their Diego cell fails to maintain its presence and then quickly re-establishes it so that I do not experience app downtime (in flight)
• As a CF operator, I would like to opt the BBS into generating suspect ActualLRPs so that I can deliberately take on potential risk around LRP state machine errors

Per-Instance Proxy (Experimental)

• As a Diego operator, I expect to be able to configure the Envoy container proxy to require and to validate client certificates so that I can ensure that only authorized CF components such as the gorouter communicate with it
• As a CF operator, I expect to be able to disable the non-TLS-proxied port mappings on my containers so that I can ensure that all traffic entering the container from the infrastructure network goes through the per-container proxy (in flight)

Xenial Integration

• As a CF operator, I expect to be able to opt in or opt out all the Diego jobs from setting kernel parameters so that I can ensure that they are set appropriately on Xenial stemcells

BOSH job changes

None.

BOSH property changes

bbs

• Add set_kernel_parameters: Whether to set /proc/sys kernel parameters. As discussed above, defaults to true, but on some containerized cloud providers should be set to false.
• Add generate_suspect_actual_lrps: Whether the BBS should generate ActualLRPs with a Suspect presence state when it detects missing cells during LRP convergence. Experimental; defaults to false.

file_server

• Add set_kernel_parameters: Whether to set /proc/sys kernel parameters. As discussed above, defaults to true, but on some containerized cloud providers should be set to false.

locket

• Add set_kernel_parameters: Whether to set /proc/sys kernel parameters. As discussed above, defaults to true, but on some containerized cloud providers should be set to false.

rep and rep_windows

• Add containers.proxy.require_and_verify_client_certificates: Whether the rep should configure the per-instance Envoy proxy to require and to verify client certificates. Experimental; defaults to false.
• Add containers.proxy.trusted_ca_certificates: List of CA certificate bundles for the per-instance Envoy proxy to trust when verifying client certificates. Experimental.
• Add containers.proxy.verify_subject_alt_name: List of Subject Alternative Names for the per-instance Envoy proxy to trust when verifying client certificates. Experimental.
• Add containers.proxy.enable_unproxied_port_mappings: Whether the cell rep should establish port mappings directly to the desired ports on containers. Experimental; defaults to true.

vizzini

• Add vizzini.container_proxy.ca: CA certificate for test client to trust when running container-proxy tests.
• Add vizzini.container_proxy.client_cert: Certificate for test client to present when running container-proxy tests.
• Add vizzini.container_proxy.client_key: Private key for test client to use when running container-proxy tests.

BOSH link changes

None.