Releases: cloudfoundry/routing-release
0.308.0
Release Date: September 04, 2024
⚠️ ⚠️ ⚠️ ⚠️ ⚠️ KNOWN ISSUE ⚠️ ⚠️ ⚠️ ⚠️ ⚠️
CAUTION: This release is affected by a memory leak in the route registrar job. Users can monitor their VMs’ memory usage and monit restart the route_registrar process as necessary.
Changes
- Route Registrar now allows hosts to be configured per route
  - By default it will use the top level host config
✨ Built with go 1.22.6
Full Changelog: v0.307.0...v0.308.0
0.307.0
Release Date: August 27, 2024
⚠️ ⚠️ ⚠️ ⚠️ ⚠️ KNOWN ISSUE ⚠️ ⚠️ ⚠️ ⚠️ ⚠️
CAUTION: This release is affected by a memory leak in the route registrar job. Users can monitor their VMs’ memory usage and monit restart the route_registrar process as necessary.
Changes
- Bump healthchecker-boshrelease vendored packages
✨ Built with go 1.22.6
Full Changelog: v0.306.0...v0.307.0
0.306.0
Release Date: August 26, 2024
⚠️ ⚠️ ⚠️ ⚠️ ⚠️ KNOWN ISSUE ⚠️ ⚠️ ⚠️ ⚠️ ⚠️
CAUTION: This release is affected by a memory leak in the route registrar job. Users can monitor their VMs’ memory usage and monit restart the route_registrar process as necessary.
Changes
- 🐛 Fixes a bug where TCP routes were incorrectly detected as existing records in routing-api when the only difference between the new route and the existing record was the SNI Hostname or TLS TCP Port. This resulted in backends for TLS TCP Routes being ignored in certain scenarios.
✨ Built with go 1.22.6
Full Changelog: v0.305.0...v0.306.0
0.305.0
Release Date: August 23, 2024
⚠️ ⚠️ ⚠️ ⚠️ ⚠️ KNOWN ISSUE ⚠️ ⚠️ ⚠️ ⚠️ ⚠️
CAUTION: This release is affected by a memory leak in the route registrar job. Users can monitor their VMs’ memory usage and monit restart the route_registrar process as necessary.
Changes
- Route-registrar can dynamically scan and register routes at paths matching `route_registrar.dynamic_config_globs`
Bosh Job Spec changes:
diff --git a/jobs/route_registrar/spec b/jobs/route_registrar/spec
index feafaf10..4f887265 100644
--- a/jobs/route_registrar/spec
+++ b/jobs/route_registrar/spec
@@ -94,6 +94,10 @@ properties:
route_registrar.routing_api.server_ca_cert:
description: "Routing API Certificate Authority"
+ route_registrar.dynamic_config_globs:
+ description: "Files matching the globs contain routes configuration that will be loaded dynamically. Parent directory must exist for bpm to mount it."
+ default: [/var/vcap/jobs/*/config/route_registrar/config.yml]
+
route_registrar.routes:
description: |
(required, array of objects): Routes that will be registered
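Review bot: The default for route_registrar.dynamic_config_globs, /var/vcap/jobs/*/config/route_registrar/config.yml, matches a file under every job directory on the VM, so any colocated job can contribute routes without the operator naming it. The description should say so, state whether an empty array turns dynamic loading off, and explain how dynamically loaded routes combine with route_registrar.routes, which the context line below still documents as required. "Parent directory must exist for bpm to mount it" also needs a word on what happens when the directory is missing.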
✨ Built with go 1.22.6
Full Changelog: v0.304.0...v0.305.0
0.304.0
Release Date: August 13, 2024
Changes
- Addresses issues with routing-api DB migration logic to fix the following bugs:
  - 🐛 Failed DB migrations would not re-run without manual intervention in the database
  - 🐛 DB migrations could run prior to the active routing-api server receiving code updates
  - 🐛 Failed DB migrations did not result in BOSH deployment failures
- 🐛 Works around an issue with Gorm + the V6 schema changes for TLS TCP Routing that did not always get applied properly.
✨ Built with go 1.22.6
Full Changelog: v0.303.0...v0.304.0
0.303.0
Release Date: August 09, 2024
Changes
- add additional unsafe params by @pnikonowicz in #431
Bosh Job Spec changes:
diff --git a/jobs/route_registrar/spec b/jobs/route_registrar/spec
index de81a0e8..feafaf10 100644
--- a/jobs/route_registrar/spec
+++ b/jobs/route_registrar/spec
@@ -132,10 +132,16 @@ properties:
name (required, string): Human-readable reference for the healthcheck
script_path (required, string): Path to script that will be run periodically to determine
service health
+ unrestricted_volumes (optional, array of unrestricted_volumes): Additional directories to be mounted in the bpm config for the route_registrar job.
+ privileged: (optional, boolean): Sets bpm privileged flag. defaults to false
timeout (optional, string): The healthcheck script must exit within this timeout, otherwise
the script is terminated with `SIGKILL` and the route is unregistered. Value is a string (e.g. "10s") and must parse to a positive time duration i.e. "-5s" is not permitted. Must be less than the value of `registration_interval`.
Default: Half of the value of `registration_interval`
+ unrestricted_volume object
+ path (required, string): the path to be mounted
+ writable (optional, boolean): sets the writable flag. defaults to false
+
options object
lb_algo (optional, string): Load balancing algorithm for routing incoming requests to the backend: 'round-robin' or 'least-connection'. In cases where this option is not specified, the algorithm defined in gorouter spec is applied.
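Review bot: The new unrestricted_volumes and privileged entries sit between script_path and timeout, so they read as per-healthcheck options, yet their text says they change the bpm config for the route_registrar job; the description should state the scope and say that both relax bpm's default isolation. Two style points on the same lines: "privileged:" carries a colon after the name that no sibling entry has, and the type is written "array of unrestricted_volumes" while the object is defined as "unrestricted_volume object".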
✨ Built with go 1.22.6
Full Changelog: v0.302.0...v0.303.0
0.302.0
Release Date: August 08, 2024
Changes
- ✨ Adds `drain_wait` and `load_balancer_healthy_threshold` properties that behave similarly to gorouter's. They provide better uptime during BOSH deployments by waiting for LBs to pull nodes that are about to be shut down out of service, and to re-add them before moving on to the next.
- ✨ Adds support for TLS backends with TCP routes. This enables TCP routes to use the envoy proxy settings on app containers used by HTTP routes, providing guaranteed TLS encryption between tcp-router + diego-cell VMs, without intervention from app teams. Additionally, it allows the unproxied ports on containers to be disabled, since TCP route traffic can now go through envoy.
- 🐛 Fixed a bug with v0.301.0 that caused problems with TCP routes when a postgres database was used for the routing-api. Thanks for finding this @schmidtsv!
- Bumped to golang 1.22.5
- Bumped tcp_router's haproxy to 2.8.10
- Testing + docs improvements
Bosh Job Spec changes:
diff --git a/jobs/tcp_router/spec b/jobs/tcp_router/spec
index 44fbb41a..aa6b764c 100644
--- a/jobs/tcp_router/spec
+++ b/jobs/tcp_router/spec
@@ -10,10 +10,16 @@ templates:
routing_api_client_certificate.crt.erb: config/certs/routing-api/client.crt
routing_api_client_private.key.erb: config/keys/routing-api/client.key
routing_api_ca_certificate.crt.erb: config/certs/routing-api/ca_cert.crt
+ tcp_router_backend_client_cert_and_key.pem.erb: config/keys/tcp-router/backend/client_cert_and_key.pem
+ tcp_router_backend_ca.crt.erb: config/certs/tcp-router/backend/ca.crt
tcp_router_health_check_certificate.pem.erb: config/certs/health.pem
+ # config/haproxy.conf is used for initial haproxy config when starting up
haproxy.conf.erb: config/haproxy.conf
- haproxy.conf.template.erb: config/haproxy.conf.template
+ # config/haproxy.conf.template is rendered by tcp-router when routes are provided
+ haproxy.conf.template.erb: config/haproxy.conf.template
bpm.yml.erb: config/bpm.yml
+ drain.erb: bin/drain
+ post-start.erb: bin/post-start
packages:
- routing_utils
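Review bot: The new template tcp_router_backend_client_cert_and_key.pem.erb writes a private key to config/keys/tcp-router/backend/client_cert_and_key.pem, and nothing in this hunk says what is rendered when no client key is configured; a short comment, like the ones added above the two haproxy entries, would help. The haproxy.conf.template.erb line is removed and re-added with the same text, which looks like a whitespace-only change and is better kept in its own commit.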
@@ -46,6 +52,18 @@ properties:
default: "1m"
tcp_router.oauth_secret:
description: "OAuth client secret used to obtain token for Routing API from UAA."
+ tcp_router.backend_tls.enabled:
+ description: |
+ Turns on support for TLS for TCP Router. Requires tcp_router.backend_tls.ca_cert to
+ be set. For mTLS also set tcp_router.backend_tls.client_cert and
+ tcp_router.backend_tls.client_key.
+ default: false
+ tcp_router.backend_tls.client_cert:
+ description: "TCP Router's TLS client cert used for mTLS with route backends"
+ tcp_router.backend_tls.client_key:
+ description: "TCP Router's TLS client private key used for mTLS with route backends"
+ tcp_router.backend_tls.ca_cert:
+ description: "TCP Router's TLS CA used with route backends"
routing_api.uri:
description: "URL where the routing API can be reached internally"
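Review bot: tcp_router.backend_tls.enabled documents that ca_cert is required and that mTLS needs both client_cert and client_key, but the three certificate properties are declared with no default and nothing in this hunk enforces the combination. Have the job templates fail rendering when enabled is true with no ca_cert, or when only one of client_cert and client_key is set, so that a misconfiguration is caught at deploy time. The first sentence, "Turns on support for TLS for TCP Router", should also say that the TLS is towards route backends, as the other three descriptions do.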
@@ -86,6 +104,19 @@ properties:
description: "Fail the tcp router if routing_api.reserved_system_component_ports conflict with ports in existing router groups."
default: "false"
+ tcp_router.drain_wait:
+ description: |
+ Delay in seconds after shut down is initiated before haproxy stops listening.
+ During this time haproxy will reject requests to the /health endpoint.
+ This accommodates requests forwarded by a load balancer until it considers the tcp_router unhealthy.
+ default: 20
+ tcp_router.load_balancer_healthy_threshold:
+ description: |
+ Time period in seconds to wait until declaring the tcp_router instance
+ started after starting the listener socket. This allows an external load
+ balancer time to register the instance as healthy."
+ default: 20
+
uaa.token_endpoint:
description: "UAA token endpoint host name. Do not include a scheme in this value; TCP Router will always use TLS to connect to UAA."
default: uaa.service.cf.internal
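Review bot: The tcp_router.load_balancer_healthy_threshold description ends with a stray double quote (as healthy.") inside a block scalar, so the quote becomes part of the rendered text; drop it. Both new properties default to 20 and give their unit only in the description; stating whether 0 disables each wait would save operators a look at drain.erb and post-start.erb.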
✨ Built with go 1.22.6
Full Changelog: v0.301.0...v0.302.0
0.301.0
CAUTION: This release is affected by a known issue for users who use both Postgres for the Cloud Foundry database and TCP Routes. This will be fixed in a future release. Users who use both Postgres and TCP Routes should not upgrade to this version. This only applies if postgres is used for the core Cloud Foundry databases, not if apps use postgres services.
Changes
- 🐛 Fixes a bug introduced in v0.298.0 where the `X-Forwarded-Host` header was incorrectly set for requests containing an `Expect: 100-continue` header. Thanks @maxmoehl!
✨ Built with go 1.22.4
Full Changelog: v0.300.0...v0.301.0
0.300.0
Changes
- Update route registrar to only send 5 unregistration messages for an unhealthy route - cloudfoundry/route-registrar#46. Thanks @andy-a-d-nguyen for your first contribution to CF!
✨ Built with go 1.22.4
Full Changelog: v0.299.0...v0.300.0
0.299.0
Changes
- Bumped to Golang 1.22.4
- Added ability to enforce strict validation of route service signature. Thanks @maxmoehl, @b1tamara and @plowin!
Bosh Job Spec changes:
diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index 8269440b..60c7b520 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -262,6 +262,9 @@ properties:
router.route_services_timeout:
description: "Expiry time of a route service signature in seconds"
default: 60
+ router.route_services_strict_signature_validation:
+ description: "Enforce strict validation of a route service signature"
+ default: false
router.max_header_kb:
description: |
This value controls the maximum number of bytes (in KB) the gorouter will read
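Review bot: The description of router.route_services_strict_signature_validation, "Enforce strict validation of a route service signature", does not say what the strict mode checks that the default mode does not, nor what happens to a request that fails it. With default: false operators have to opt in, so the text should give them enough to decide: list the additional checks and the resulting behaviour on failure.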
✨ Built with go 1.22.4
Full Changelog: v0.298.0...v0.299.0