diff --git a/docs/metrics.md b/docs/metrics.md index b53b640fd2..8f942930b8 100644 --- a/docs/metrics.md +++ b/docs/metrics.md 
@@ -100,20 +100,20 @@ ## Route Emitter -| Metric | Description | Unit | -| ------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | -| `RoutesTotal` | Number of (http and tcp) route associations (`external routes * backend instances`) in the route-emitter's routing table. Emitted periodically every emit cycle. | number | -| `HTTPRouteCount` | Number of (http and tcp) route associations (`external routes * backend instances`) in the route-emitter's routing table. Emitted periodically every emit cycle (only in local mode). | number | -| `TCPRouteCount` | Number of exposable ports (i.e. container ports) in the routing table. Emitted periodically every emit cycle (only in local mode). | number | -| `AddressCollisions` | Number of detected conflicting routes. A conflicting route is a set of two distinct instances with the same IP address on the routing table. | number | -| `MessagesEmitted` | Cumulative number of messages the route-emitter sends over NATS to the gorouter. | number | -| `RouteEmitterSyncDuration` | Time the route-emitter took to perform its synchronization pass. Emitted periodically. | ns | -| `RoutesRegistered` | Cumulative number of NATs route registrations emitted from the route-emitter as it reacts to changes to LRPs. | number | -| `RoutesUnregistered` | Cumulative number of NATs route unregistrations emitted from the route-emitter as it reacts to changes to LRPs. | number | -| `RoutesSynced` | Cumulative number of route **registrations** emitted from the route-emitter during its periodic route-table emission. | number | -| `ConsulDownMode` | Whether the route-emitter is able to connect with the consul correctly | 0 or 1 boolean | -| `LockHeld.` `v1-locks-route_emitter_lock` | Whether a route-emitter holds the route-emitter lock: 1 means the lock is held, and 0 means the lock was lost. 
Emitted periodically by the active route-emitter. | 0 or 1 (boolean) | -| `LockHeldDuration.` `v1-locks-route_emitter_lock` | Time the active route-emitter has held the route-emitter lock. Emitted periodically by the active route-emitter. | ns | +| Metric | Description | Unit | +| ------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | +| `AddressCollisions` | Number of detected conflicting routes. A conflicting route is a set of two distinct instances with the same IP address on the routing table. | number | +| `LockHeld.` `v1-locks-route_emitter_lock` | Whether a route-emitter holds the route-emitter lock: 1 means the lock is held, and 0 means the lock was lost. Emitted periodically by the active route-emitter. | 0 or 1 (boolean) | +| `LockHeldDuration.` `v1-locks-route_emitter_lock` | Time the active route-emitter has held the route-emitter lock. Emitted periodically by the active route-emitter. | ns | +| `MessagesEmitted` | Cumulative number of messages the route-emitter sends over NATS to the gorouter. | number | +| `RouteEmitterSyncDuration` | Time the active route-emitter took to perform its synchronization pass. Emitted periodically. | ns | +| `RoutesRegistered` | Cumulative number of route registrations emitted from the route-emitter as it reacts to changes to LRPs. | number | +| `RoutesSynced` | Cumulative number of route registrations emitted from the route-emitter during its periodic route-table synchronization. | number | +| `RoutesTotal` | Number of routes in the route-emitter's routing table. Emitted periodically. | number | +| `RoutesUnregistered` | Cumulative number of route unregistrations emitted from the route-emitter as it reacts to changes to LRPs. 
| number | +| `ConsulDownMode` | Whether the route-emitter is able to connect with the consul correctly | 0 or 1 boolean | +| `HTTPRouteCount` | Number of HTTP Routes in the route-emitter's routing table. Emitted periodically and only on local mode. | number | +| `TCPRouteCount` | Number of TCP Routes in the route-emitter's routing table. Emitted periodically and only on local mode and when tcp enabled. | number | ## SSH Proxy diff --git a/docs/tls-configuration.md b/docs/tls-configuration.md index f1329dea89..e275f50c95 100644 --- a/docs/tls-configuration.md +++ b/docs/tls-configuration.md 
@@ -12,15 +12,12 @@ the rep servers on the cell vms, via the `diego.rep.require_tls` and `false`. When enabled, the operator must provide TLS certificates and keys for the rep server and its clients (other components in the Diego deployment). -TLS with mutual authentication can be enabled for communication to the Auctioneer -server, via the presence of any of the following properties: `diego.auctioneer.ca_cert`, -`diego.auctioneer.server_cert`, `diego.auctioneer.server_key`. If TLS is enabled for -the Auctioneer, the operator must also specify the client certificates and keys -required for mutual authentication in the following properties: `diego.bbs.auctioneer.ca_cert`, -`diego.bbs.auctioneer.client_cert`, `diego.bbs.auctioneer.client_key`. -The operator may also set `diego.bbs.auctioneer.require_tls` to `true` to ensure -that all communication between the BBS and the Auctioneer server is secured using TLS -with mutual authentication. + +TLS with mutual authentication can be enabled for communication to +the Auctioneer server, via the `diego.auctioneer.require_tls` and +`diego.bbs.auctioneer.require_tls` BOSH properties. These properties default to +`false`. When enabled, the operator must provide TLS certificates and keys for +the Auctioneer server and the BBS client. TLS with mutual authentication can be enabled for upload and download of assets into the containers, via the presence of the following properties: diff --git a/jobs/auctioneer/spec b/jobs/auctioneer/spec index 001cf950b5..da88bae1a4 100644 --- a/jobs/auctioneer/spec +++ b/jobs/auctioneer/spec @@ -21,6 +21,9 @@ packages: - auctioneer properties: + diego.auctioneer.require_tls: + description: "Whether to require mutual TLS for communication to the securable auctioneer API server" + default: false diego.auctioneer.ca_cert: description: "PEM-encoded CA certificate for the auctioneer API server." diego.auctioneer.server_cert: 
diff --git a/jobs/auctioneer/templates/auctioneer.json.erb b/jobs/auctioneer/templates/auctioneer.json.erb index e8c39b9b31..fc8c54222d 100644 --- a/jobs/auctioneer/templates/auctioneer.json.erb +++ b/jobs/auctioneer/templates/auctioneer.json.erb @@ -2,6 +2,7 @@ CONF_DIR = "/var/vcap/jobs/auctioneer/config" config = { + require_tls: p("diego.auctioneer.require_tls"), dropsonde_port: p("diego.auctioneer.dropsonde_port"), consul_cluster: "http://127.0.0.1:8500", debug_address: p("diego.auctioneer.debug_addr"), @@ -37,7 +38,7 @@ config[:rep_ca_cert] = "#{CONF_DIR}/certs/rep/ca.crt" end - if p("diego.auctioneer.ca_cert", "") != "" || p("diego.auctioneer.server_cert", "") != "" || p("diego.auctioneer.server_key", "") != "" + if p("diego.auctioneer.require_tls") config[:ca_cert_file] = "#{CONF_DIR}/certs/auctioneer/ca.crt" config[:server_cert_file] = "#{CONF_DIR}/certs/auctioneer/server.crt" config[:server_key_file] = "#{CONF_DIR}/certs/auctioneer/server.key" diff --git a/jobs/auctioneer/templates/auctioneer_ca.crt.erb b/jobs/auctioneer/templates/auctioneer_ca.crt.erb index 23a0e0b08b..1bf7690c2e 100644 --- a/jobs/auctioneer/templates/auctioneer_ca.crt.erb +++ b/jobs/auctioneer/templates/auctioneer_ca.crt.erb @@ -1,3 +1,7 @@ -<% if_p("diego.auctioneer.ca_cert") do |value| %> +<% if p("diego.auctioneer.require_tls") %> +<%= p("diego.auctioneer.ca_cert") %> +<% else %> + <% if_p("diego.auctioneer.ca_cert") do |value| %> <%= value %> + <% end %> <% end %> diff --git a/jobs/auctioneer/templates/auctioneer_server.crt.erb b/jobs/auctioneer/templates/auctioneer_server.crt.erb index ce646ce247..193fd15e31 100644 --- a/jobs/auctioneer/templates/auctioneer_server.crt.erb +++ b/jobs/auctioneer/templates/auctioneer_server.crt.erb 
@@ -1,3 +1,7 @@ -<% if_p("diego.auctioneer.server_cert") do |value| %> +<% if p("diego.auctioneer.require_tls") %> +<%= p("diego.auctioneer.server_cert") %> +<% else %> + <% if_p("diego.auctioneer.server_cert") do |value| %> <%= value %> + <% end %> <% end %> diff --git a/jobs/auctioneer/templates/auctioneer_server.key.erb b/jobs/auctioneer/templates/auctioneer_server.key.erb index 23d3f9e507..21aec118d7 100644 --- a/jobs/auctioneer/templates/auctioneer_server.key.erb +++ b/jobs/auctioneer/templates/auctioneer_server.key.erb @@ -1,3 +1,7 @@ -<% if_p("diego.auctioneer.server_key") do |value| %> +<% if p("diego.auctioneer.require_tls") %> +<%= p("diego.auctioneer.server_key") %> +<% else %> + <% if_p("diego.auctioneer.server_key") do |value| %> <%= value %> + <% end %> <% end %> diff --git a/packages/healthcheck/packaging b/packages/healthcheck/packaging index 8a725d2451..7a6a9c39bc 100644 --- a/packages/healthcheck/packaging +++ b/packages/healthcheck/packaging @@ -9,7 +9,6 @@ export PATH=$GOROOT/bin:$PATH CGO_ENABLED=0 go build -a -installsuffix static code.cloudfoundry.org/healthcheck/cmd/healthcheck GOOS=windows CGO_ENABLED=0 go build -a -installsuffix static code.cloudfoundry.org/healthcheck/cmd/healthcheck -GOOS=windows CGO_ENABLED=0 go build -o healthcheck-external-port.exe -tags=external -a -installsuffix static code.cloudfoundry.org/healthcheck/cmd/healthcheck for binary in healthcheck; do ldd $binary && echo "$binary must be statically linked" && false @@ -17,7 +16,6 @@ done cp healthcheck ${BOSH_INSTALL_TARGET} cp healthcheck.exe ${BOSH_INSTALL_TARGET} -cp healthcheck-external-port.exe ${BOSH_INSTALL_TARGET} # clean up source artifacts rm -rf ${BOSH_INSTALL_TARGET}/src ${BOSH_INSTALL_TARGET}/pkg diff --git a/packages/windows_app_lifecycle/packaging b/packages/windows_app_lifecycle/packaging index a060979d7a..081818b652 100644 --- a/packages/windows_app_lifecycle/packaging +++ b/packages/windows_app_lifecycle/packaging 
@@ -3,5 +3,5 @@ set -e mkdir -p tmp tar -xzf lifecycles/windows_app_lifecycle-*.tgz -C tmp tar -xzf /var/vcap/packages/diego-sshd/diego-sshd-windows.tgz -C tmp -cp /var/vcap/packages/healthcheck/healthcheck-external-port.exe tmp/healthcheck.exe +cp /var/vcap/packages/healthcheck/healthcheck.exe tmp tar -zcf ${BOSH_INSTALL_TARGET}/windows_app_lifecycle.tgz -C tmp . diff --git a/src/code.cloudfoundry.org/bbs b/src/code.cloudfoundry.org/bbs index 54192cae0e..16208c27cc 160000 --- a/src/code.cloudfoundry.org/bbs +++ b/src/code.cloudfoundry.org/bbs @@ -1 +1 @@ -Subproject commit 54192cae0e835f9b4d6026625ec3377645e18271 +Subproject commit 16208c27cc3c7bf7f6284627fbf8c4aba91b0f60 diff --git a/src/code.cloudfoundry.org/guardian b/src/code.cloudfoundry.org/guardian index d0c9f6bfd3..0272c51f32 160000 --- a/src/code.cloudfoundry.org/guardian +++ b/src/code.cloudfoundry.org/guardian @@ -1 +1 @@ -Subproject commit d0c9f6bfd32f44cc26a115cceae5f036fd0be019 +Subproject commit 0272c51f324eae1ab96a3b158ac8af2efe48173a diff --git a/src/code.cloudfoundry.org/healthcheck b/src/code.cloudfoundry.org/healthcheck index 2c8e6a82b7..2461471eac 160000 --- a/src/code.cloudfoundry.org/healthcheck +++ b/src/code.cloudfoundry.org/healthcheck @@ -1 +1 @@ -Subproject commit 2c8e6a82b7584d6dcfd9a81fcc01947a59fa62d5 +Subproject commit 2461471eacc8f123e5e1d6634151d26dfc306eaf diff --git a/src/code.cloudfoundry.org/inigo b/src/code.cloudfoundry.org/inigo index 145772431b..ba35dd753b 160000 --- a/src/code.cloudfoundry.org/inigo +++ b/src/code.cloudfoundry.org/inigo @@ -1 +1 @@ -Subproject commit 145772431b887d6ca03b72af14a8f8062ff063d5 +Subproject commit ba35dd753b5c80d6d0ef8d29e7972455e6f3f3bb diff --git a/src/code.cloudfoundry.org/route-emitter b/src/code.cloudfoundry.org/route-emitter index f95c6093df..1a74604862 160000 --- a/src/code.cloudfoundry.org/route-emitter +++ b/src/code.cloudfoundry.org/route-emitter 
@@ -1 +1 @@ -Subproject commit f95c6093df6494bbbfebe2440538583fef2244da +Subproject commit 1a74604862d0d3c1c8174315d7bf0e3be91623c6 diff --git a/src/code.cloudfoundry.org/vizzini b/src/code.cloudfoundry.org/vizzini index 3e2396f519..bbe672752a 160000 --- a/src/code.cloudfoundry.org/vizzini +++ b/src/code.cloudfoundry.org/vizzini @@ -1 +1 @@ -Subproject commit 3e2396f519ced792968a4df53f9099a2e5088415 +Subproject commit bbe672752acf36317bf8f788c10abbe2643e2d60
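Review bot: in the rewritten Route Emitter table in docs/metrics.md, the `RoutesTotal` description drops the `external routes * backend instances` definition of a route association, so a reader can no longer tell whether the count is per route or per route/instance pair; keep the association wording. The same hunk leaves `ConsulDownMode` with the unit `0 or 1 boolean` while the `LockHeld` rows use `0 or 1 (boolean)`, and appends `ConsulDownMode`, `HTTPRouteCount` and `TCPRouteCount` after the otherwise alphabetised rows; sort them in and align the unit string.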
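Review bot: the replacement paragraph in docs/tls-configuration.md no longer names the certificate and key properties the operator must set once `diego.auctioneer.require_tls` and `diego.bbs.auctioneer.require_tls` are enabled, whereas the removed text listed `diego.auctioneer.ca_cert`, `diego.auctioneer.server_cert`, `diego.auctioneer.server_key` and the `diego.bbs.auctioneer.*` client properties; restore that list. The paragraph should also state the behaviour change this patch makes: supplying the cert properties alone no longer enables TLS on the auctioneer (see the `auctioneer.json.erb` condition), so existing deployments must set the new flag to keep mutual TLS.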
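Review bot: `diego.auctioneer.require_tls` in jobs/auctioneer/spec defaults to `false`, and the template change in this patch makes it the only switch that turns on auctioneer TLS, so a deployment that previously enabled TLS by supplying `diego.auctioneer.ca_cert`, `server_cert` and `server_key` will fall back to plaintext on upgrade unless the flag is added; call this out in the property description or release notes. The description could also say plainly that mutual TLS is required for the auctioneer API server rather than "securable".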
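Review bot: in the `@@ -37,7 +38,7 @@` hunk of auctioneer.json.erb, `ca_cert_file`, `server_cert_file` and `server_key_file` are now set purely from `p("diego.auctioneer.require_tls")`, with no check that the cert properties are present. That is acceptable only because the matching `.crt.erb` and `.key.erb` templates call `p("diego.auctioneer.…")` without a default in the `require_tls` branch, so a missing cert fails at BOSH template rendering rather than at runtime; add a comment saying so and a test covering `require_tls: true` with no certs, so the fail-fast behaviour is not lost in a later edit.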
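Review bot: the `else` branch in auctioneer_ca.crt.erb still renders `diego.auctioneer.ca_cert` via `if_p` when `require_tls` is false, yet auctioneer.json.erb no longer references `certs/auctioneer/ca.crt` in that case, so the file is written but unused; either drop the branch or document why the file must exist without TLS. The nested `if_p` and `<% end %>` lines are also indented by two spaces, so the rendered file gains leading-whitespace lines around the PEM block.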
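Review bot: auctioneer_server.key.erb keeps writing the private key to disk through the `if_p("diego.auctioneer.server_key")` else branch when `require_tls` is false, even though the server config will not load it; leaving unused private-key material under the `CONF_DIR` shown in auctioneer.json.erb (`/var/vcap/jobs/auctioneer/config`) is avoidable exposure, so render the key only in the `require_tls` branch.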
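Review bot: removing the `-tags=external` Windows build and the `healthcheck-external-port.exe` copy from packages/healthcheck/packaging means windows_app_lifecycle now ships the plain `healthcheck.exe`, so the external-port behaviour must come from the bumped healthcheck submodule (`2c8e6a82b7..2461471eac`), which nothing in this patch explains. State in the commit message that the external-port mode is now the default (or selected at runtime) and that Windows app health checks were verified; otherwise this reads as a silent regression.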
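Review bot: the six submodule bumps (bbs, guardian, healthcheck, inigo, route-emitter, vizzini) arrive as bare commit SHAs with nothing linking them to the rest of the change; at least the bbs bump should be tied to the `diego.bbs.auctioneer.require_tls` property that docs/tls-configuration.md now references, and the route-emitter bump to the metric changes in docs/metrics.md, so reviewers can confirm the release and its submodules agree on the new behaviour.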