0.289.0
❗BREAKING CHANGES ❗
- A new reserved port 7070 has been added - Thanks @domdom82!
- Before deploying, please double-check your reserved ports settings for any clashes with port 7070, especially the router.prometheus.port property.
Changes
- (Feature) Add route_services_internal_server_port property
- (Bug) Add cipher-suites for TLS 1.3 and auto-generate the list from now on
Bosh Job Spec changes:
diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index 30f535b8..c291be45 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -207,7 +207,7 @@ properties:
description:
An ordered, colon-delimited list of golang supported TLS cipher suites in OpenSSL or RFC format.
The selected cipher suite will be negotiated according to the order of this list during a TLS handshake.
- See https://github.com/golang/go/blob/release-branch.go1.9/src/crypto/tls/cipher_suites.go#L369-L390 for golang supported cipher suites.
+ See https://github.com/golang/go/blob/release-branch.go1.21/src/crypto/tls/cipher_suites.go#L663-L690 for golang supported cipher suites.
The first four of these are supported for TLSv1.0/1.1 only.
See https://www.openssl.org/docs/man1.1.0/apps/ciphers.html for a mapping of OpenSSL and RFC suite names.
default: "ECDHE-RSA-AES128-GCM-SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
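Review bot: The unchanged sentence "The first four of these are supported for TLSv1.0/1.1 only." still follows the link, but the link now targets a different line range (L663-L690 on release-branch.go1.21 instead of L369-L390 on release-branch.go1.9), so "the first four of these" may no longer describe the entries at the new location. Please re-check that sentence against the new range and reword or drop it. The URL also points at a branch rather than a fixed commit or tag, so the line range can drift when the branch changes; a permalink would keep the reference stable. The description and default also say nothing about TLS 1.3, although the release notes list TLS 1.3 cipher suites as part of this release.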
@@ -243,6 +243,9 @@ properties:
router.route_services_internal_lookup_allowlist:
description: "a list of host names for route services that should be resolved internally. Each entry can be a fully qualified domain name or DNS wildcard (i.e. wildcard on 1 segment of a subdomain). If the list is empty, it is not in effect and internal lookup will be attempted for all host names, which can lead to CVE-2019-3789. Please turn on internal lookup only with an allowlist."
default: []
+ router.route_services_internal_server_port:
+ description: "Gorouter will use this port for internal route services."
+ default: 7070
router.route_services_secret_decrypt_only:
description: "To rotate keys, add your new key here and deploy. Then swap this key with the value of route_services_secret and deploy again."
default: ""
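Review bot: The description of router.route_services_internal_server_port ("Gorouter will use this port for internal route services.") does not tell operators that 7070 is now a reserved port or that the default can clash with ports they have already configured. Suggest extending it to say what the port serves and to point at the properties to check for conflicts, such as router.prometheus.port, which the release notes call out. The neighbouring router.route_services_internal_lookup_allowlist description shows the level of detail that would help here.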
✨ Built with go 1.21.6
Full Changelog: v0.288.0...v0.289.0