Release Highlights
- Gorouter is configurable to prune with TTL when using TLS to validate backend identity. This is a temporary mitigation of an issue where a route deregistration message is lost.
- `gorouter_ctl` runs correctly on Xenial stemcells
- Operator can configure routing-api to support mTLS connections
- Routing API provides a BOSH link that route registrar consumes to enable mTLS with the routing API
- Operator can configure route-registrar to communicate over mTLS to routing-api
- gorouter consumes the Routing-API link for mTLS properties
- Operator can configure gorouter to fetch routes over mTLS from routing-api
- TCP Router consumes the Routing-API link for mTLS properties
- Operator can configure tcp-router to communicate over mTLS to routing-api
- Route registrar `route_registrar.routing_api.skip_ssl_validation` property is now correctly applied
- Operator can configure gorouter with client certs for route services
- cloudfoundry/routing-release #146: Deploy does not fail when required property `server_cert_domain_san` is not configured
Note: This new release requires that properties are configured for routing-api mTLS. If this release isn't being consumed as part of cf-deployment, which has these properties as of v9.4.0, you will need to apply this ops file
Manifest Property Changes
Job | Property | 0.188.0 Default | 0.189.0 Default |
---|---|---|---|
gorouter | `router.route_services.cert_chain` | did not exist | undefined |
gorouter | `router.route_services.private_key` | did not exist | undefined |
gorouter | `routing_api.uri` | http://routing-api.service.cf.internal | https://routing-api.service.cf.internal |
gorouter | `routing_api.port` | 3000 | from routing_api link |
gorouter | `routing_api.ca_certs` | did not exist | from routing_api link |
gorouter | `routing_api.cert_chain` | did not exist | from routing_api link |
gorouter | `routing_api.private_key` | did not exist | from routing_api link |
gorouter | `router.prune_all_stale_routes` | did not exist | false |
gorouter | `router.set_kernel_parameters` | did not exist | true |
route_registrar | `route_registrar.logging_level` | did not exist | info |
route_registrar | `route_registrar.routing_api.api_url` | http://routing-api.service.cf.internal:3000 | https://routing-api.service.cf.internal:3001 |
route_registrar | `route_registrar.routing_api.client_cert` | did not exist | from routing_api link |
route_registrar | `route_registrar.routing_api.client_private_key` | did not exist | from routing_api link |
route_registrar | `route_registrar.routing_api.server_ca_cert` | did not exist | from routing_api link |
routing-api | `routing_api.enabled_api_endpoints` | did not exist | "both" |
routing-api | `routing_api.mtls_port` | did not exist | 3001 |
routing-api | `routing_api.mtls_ca` | did not exist | generated by credhub |
routing-api | `routing_api.mtls_server_cert` | did not exist | generated by credhub |
routing-api | `routing_api.mtls_server_key` | did not exist | generated by credhub |
routing-api | `routing_api.mtls_client_cert` | did not exist | generated by credhub |
routing-api | `routing_api.mtls_client_key` | did not exist | generated by credhub |
routing-api | `consul.servers` | http://127.0.0.1:8500 | removed property |
routing-api | `routing_api.skip_consul_lock` | false | removed property |
tcp_router | `routing_api.uri` | http://routing-api.service.cf.internal | https://routing-api.service.cf.internal |
tcp_router | `routing_api.port` | 3000 | from routing_api link |
tcp_router | `routing_api.client_cert` | did not exist | from routing_api link |
tcp_router | `routing_api.client_private_key` | did not exist | from routing_api link |
tcp_router | `routing_api.ca_cert` | did not exist | from routing_api link |