Diego v1.30.0
Changes from v1.29.2 to v1.30.0
- Verified with garden-runc-release v1.9.6.
- Verified with garden-windows-bosh-release v0.12.0.
- Verified with etcd-release v117.
- Verified with cf-mysql-release v35.
- Verified with cflinuxfs2-release v1.168.0.
IMPORTANT: The Diego team has identified a defect in this release for those operators that have enabled instance-identity credentials. If a Diego cell is configured to provide these credentials to app instances without also supplying those instances with Envoy proxies, the cell will be unable to complete stopping those instances once they have been running for long enough (namely, approximately twice the validity period of the instance-identity credentials, or two days by default). These lingering instances reduce the cell's allocatable capacity, and app instances that have been scaled down and then back up may not get running replacement instances. We expect to correct this problem as quickly as possible in Diego v1.30.1, once story #153180473 is included in the release candidate, but in the meantime here are some mitigations that operators may find applicable:
- Disable instance-identity credentials if neither developers nor CF are already using them for critical functionality such as microservices trust or delivering service-instance credentials securely via CredHub.
- Roll the Diego version back to v1.29.2 (no BBS API or database schema changes would prevent this rollback from succeeding).
- Enable the Diego cells to provide per-instance Envoy proxies without yet enabling the gorouters to register TLS-proxied backend endpoints. Note that this configuration will not be effective in environments that permit running Docker-image-based apps, as those app instances will not yet be equipped with an Envoy proxy.
- Restart the cells after two instance-identity validity periods have elapsed, and increase the validity period from the default of 24 hours to several days.
The Diego team apologizes for the inconvenience.
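To check whether a deployment is already exposed to the stop defect described above, the following added script (not part of the Diego release notes or the diego-release code) flags RUNNING instances whose age exceeds twice the instance-identity validity period. It assumes the one-JSON-object-per-line layout that `cfdot actual-lrps` emits, with flat `cell_id`, `process_guid`, `index`, `state` and `since` (nanoseconds since the epoch) fields; the sample records below are constructed.

```python
"""Flag app instances past 2x the instance-identity validity period on Diego cells.

Added example. Assumed input layout: one ActualLRP JSON object per line, as
printed by `cfdot actual-lrps`, with `since` in nanoseconds since the epoch.
"""
import json
import time

# Default validity period of instance-identity credentials: 24 hours (per release notes).
DEFAULT_VALIDITY_SECONDS = 24 * 60 * 60


def at_risk_instances(lines, validity_seconds=DEFAULT_VALIDITY_SECONDS, now=None):
    """Return sorted (cell_id, process_guid, index, age_hours) tuples for RUNNING
    instances that have been up for at least twice the validity period."""
    now = time.time() if now is None else now
    threshold = 2 * validity_seconds
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        lrp = json.loads(line)
        if lrp.get("state") != "RUNNING":
            continue  # only long-running instances are affected by the stop defect
        age = now - lrp["since"] / 1e9  # `since` is in nanoseconds
        if age >= threshold:
            hits.append((lrp["cell_id"], lrp["process_guid"], lrp["index"], round(age / 3600, 1)))
    return sorted(hits)


# Constructed sample: reference time 2018-01-01T00:00:00Z, ages of 60h, 3h, 90h, 49h.
NOW = 1514764800
SAMPLE = [json.dumps(r) for r in [
    {"process_guid": "app-a", "index": 0, "cell_id": "cell-1", "state": "RUNNING", "since": (NOW - 60 * 3600) * 10**9},
    {"process_guid": "app-a", "index": 1, "cell_id": "cell-1", "state": "RUNNING", "since": (NOW - 3 * 3600) * 10**9},
    {"process_guid": "app-b", "index": 0, "cell_id": "cell-2", "state": "CLAIMED", "since": (NOW - 90 * 3600) * 10**9},
    {"process_guid": "app-c", "index": 0, "cell_id": "cell-2", "state": "RUNNING", "since": (NOW - 49 * 3600) * 10**9},
]]

if __name__ == "__main__":
    for cell, guid, idx, hours in at_risk_instances(SAMPLE, now=NOW):
        print(f"{cell}: {guid}/{idx} running for {hours}h (past 2x validity period)")
```

Raising `validity_seconds` to the longer period suggested in the mitigations shows which instances drop off the list, which is useful when deciding whether a restart is needed before the period is increased.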
Significant changes
BBS Relational Datastore
- As a CF operator, I expect the BBS eventually to exit when its backing Postgres database is unavailable (in flight)
cfdot
- As a Diego operator, I expect to be able to use cfdot to retrieve the state of a cell by its cell ID
Per-Instance Proxy (Experimental)
- As a client of a routable LRP instance, I expect to be able to continue to make secure TLS connections to its TLS proxy through successive expirations of the TLS credentials so that I can always verify the validity of the instance
- As a CF app developer, I expect to be able to use my desired memory allocation when the Envoy proxy is collocated with my app instances so that my app is not killed for excessive memory usage
Security
BOSH job changes
None.
BOSH property changes
rep and rep_windows
- Added containers.trusted_ca_certificates. Deprecates diego.rep.trusted_certs.
BOSH link changes
None.