Releases: cloudfoundry/routing-release
0.165.0
Release Highlights
- Routing components upgraded to golang 1.9.1 details, details
- TCP Router now provides BOSH link details
- Gorouter performance improved with logging optimization details
- Routing components now use uaa for DNS host check instead of consul, enabling removal of consul-agent in environments where BOSH DNS is enabled details
Increased availability / TLS with backends (in Progress)
- When `backends.enable_tls:true` Gorouter doesn't prune routes with `tls_port` when ttl expires details
- When `backends.enable_tls:true` Gorouter prunes routes with `tls_port` when ttl expires and request fails details
- Gorouter now uses `server_cert_domain_san` field from NATS message field to validate app identity details
Bosh Backup and Restore (In progress) details
Manifest Property Changes
bbr_routing
| 0.164.0 | 0.165.0 | Default Value |
|---|---|---|
| did not exist | username | routing-api |
| did not exist | password | |
| did not exist | host | sql-db.service.cf.internal |
| did not exist | port | 3306 |
| did not exist | adapter | mysql |
| did not exist | database_name | routing-api |
| did not exist | tables | ["router_groups"] |
| did not exist | release_level_backup | true |
gorouter
| 0.164.0 | 0.165.0 | Default Value |
|---|---|---|
| router.dns_health_check_host | uaa.service.cf.internal |
routing-api
| 0.164.0 | 0.165.0 | Default Value |
|---|---|---|
| dns_health_check_host | uaa.service.cf.internal |
tcp_router
| 0.164.0 | 0.165.0 | Default Value |
|---|---|---|
| dns_health_check_host | uaa.service.cf.internal |
0.164.0
Release Highlights
Route Integrity
- Operators may now configure `router.backends.enable_tls` for the Gorouter to enable support for routes with `tls_port` details
- Gorouter now provides a client certificate for TLS handshake with backend when `tls_port` is provided in NATS `route.register` message details
- Gorouter retries backends when the TLS handshake fails details
- Gorouter retries backends when it can't validate instance identity details
- Gorouter returns an error when it can't validate instance identity details
- Gorouter returns an error when backend certificate contains the wrong instance identity in a SAN even if the correct IP is a SAN details
- Gorouter provides `private_instance_id` and a `tls` boolean in response from the `/routes` endpoint details
- Gorouter now emits a metric `backend_invalid_tls_cert` that is incremented when gorouter doesn't trust backend certs details
- Gorouter now emits a metric `backend_invalid_id` that is incremented when the instance id cannot be validated for any backend details
- Gorouter now emits a metric `backend_tls_handshake_failed` that is incremented when no backends are listening on TLS details
- Gorouter now emits a metric `routes_pruned` that increments with each route pruned details
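
An added example, not Gorouter's own code, of the identity check the bullets above describe: a backend certificate is accepted only when the expected instance ID is among its SANs, so a correct IP SAN alone is not enough. It assumes the instance ID is carried as a DNS SAN and checked with Go's crypto/x509 hostname verification; the instance IDs, IP address and self-signed certificate are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// backendCert builds a constructed self-signed cert with SANs: backend IP + instance ID.
func backendCert(instanceID, ip string) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     []string{instanceID},
		IPAddresses:  []net.IP{net.ParseIP(ip)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// validateInstance requires a trusted cert with expectedID among its DNS SANs.
// mismatch is true when the failure is a SAN mismatch rather than a trust failure.
func validateInstance(cert *x509.Certificate, expectedID string) (mismatch bool, err error) {
	roots := x509.NewCertPool()
	roots.AddCert(cert) // the self-signed sample acts as its own trust anchor
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: expectedID})
	return errors.As(err, new(x509.HostnameError)), err
}

func main() {
	cert, err := backendCert("constructed-instance-b", "10.0.0.5")
	if err != nil {
		panic(err)
	}
	fmt.Println(validateInstance(cert, "constructed-instance-a")) // right IP SAN, wrong ID
}
```

A rejection of this kind is what a counter such as `backend_invalid_id` would record; retrying another backend is only safe because the mismatch is detected before any request bytes are sent.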
Misc
- `tcp-emitter` has been removed from routing-release details
- A bug has been fixed which caused `X-Vcap-Request-Id` headers to be duplicated in responses from the Cloud Controller details
Manifest Property Changes
gorouter
| 0.163.0 | 0.164.0 | Default Value |
|---|---|---|
| did not exist | router.backends.enable_tls | false |
0.163.0
Release Highlights
- Operator can now configure frontend idle timeout using `router.frontend_idle_timeout` details
- `router.ca_certs` now supports only a string; multiple CA certs are supported as a concatenated string of PEM formatted certs details
- go-sql-driver has been bumped to support native authentication details
In Progress
- Route Integrity epic details
Two properties added in support for mutual authentication with backends
Manifest Property Changes
gorouter
| 0.162.0 | 0.163.0 | Default Value |
|---|---|---|
| did not exist | router.frontend_idle_timeout | 900 |
| router.ca_certs | Changed from array of strings to string | |
| did not exist | router.backends.cert_chain | |
| did not exist | router.backends.private_key | |
0.162.0
Release Highlights
- `router.tls_pem` now takes a list of certificate chains and private keys as an array of objects, instead of a simple array details
- Gorouter now emits a metric `backend_exhausted_conns` that is incremented when all backends have reached `router.backends.max_conns` details
In Progress
- Route Integrity epic details
Manifest Property Changes
gorouter
| 0.161.0 | 0.162.0 | Default Value |
|---|---|---|
| router.tls_pem | Changed from array of strings to array of objects |
0.161.0
0.160.0
Release Highlights
This release includes a fix to a security vulnerability. We recommend all deployments upgrade to this release asap.
Mutual TLS and X-Forwarded-Client-Cert (XFCC)
- Gorouter now uses certificate authorities installed using BOSH Trusted Certs to validate certificates provided by clients in mTLS handshakes details
- Operators may now configure Gorouter with a configurable list of certificate authorities used to validate certificates provided by clients in mutual TLS handshakes details
- Operators may now configure Gorouter to overwrite the XFCC header with the client certificate received in mTLS handshakes details
- Operators may now configure Gorouter to forward the XFCC header only when the client connection is mTLS details
Mutual Certificates / SNI
- Operators may now configure Gorouter with multiple certificate chains. Gorouter will use SNI, when supported by the client, to serve the appropriate certificate details
Misc
- Route services authors may now modify context path and query parameters as long as the route matching new URI is not bound to a route service details
- Operators may now configure Gorouter with a limit for concurrent connections per backend details
- Operators may now configure the minimum TLS version Gorouter will support details
- Routing-API will now reclaim its Locket lock if it unexpectedly crashes without releasing the lock details
- Operators may now configure Gorouter cipher suites using either RFC or OpenSSL names details
- Gorouter will now close idle frontend TCP connections with clients after 5 seconds details
Manifest Property Changes
gorouter
| 0.159.0 | 0.160.0 | Default Value |
|---|---|---|
| did not exist | router.min_tls_version | TLSv1.2 |
| router.ssl_cert | removed in favor of tls_pem | |
| router.ssl_key | removed in favor of tls_pem | |
| did not exist | router.tls_pem | Required when enable_ssl: true |
| did not exist | router.ca_certs | |
| did not exist | router.forwarded_client_cert | always_forward |
| did not exist | router.backends.max_conns | 0 |
0.159.0
Highlights
This release includes a security fix.
Manifest Changes
None
0.158.0
Highlights
- All components have been upgraded to 1.8.x details
- Removed redundant content from Gorouter log message `backend-endpoint-failed` details
- Routing API returns a 204 response when deleting a tcp route that does not exist details
- Simplified start delays: `/health` will report `200 OK` after the value of `router.requested_route_registration_interval_in_seconds` in seconds, and BOSH will consider Gorouter started (and allow the next instance to update) after an additional duration of `router.load_balancer_healthy_threshold` in seconds details
- Gorouter now emits a metric `file_descriptors` to help operators monitor file descriptor consumption details
- Manifest generation scripts support overriding release versions from a spiff stub details
- Gorouter now emits counter metrics periodically, regardless of whether they are incremented details
- Routing API now supports updating the isolation segment for a TCP route details
Manifest Property Changes
None
0.157.0
Release Highlights
- Gorouter now emits app instance index as `instanceIndex` with HttpStartStop metric events details
- Routing API now supports creation of TCP Routes with an isolation segment details
- Routing API now supports use of Locket for its distributed lock instead of Consul details
Manifest Property Changes
routing-api
| 0.156.0 | 0.157.0 | Default Value |
|---|---|---|
| did not exist | routing_api.locket.api_location | |
| did not exist | routing_api.locket.ca_cert | |
| did not exist | routing_api.locket.client_cert | |
| did not exist | routing_api.locket.client_key | |
| did not exist | routing_api.skip_consul_lock | false |
0.156.0
Release Highlights
- Fixed bug which caused Gorouter latency metric for websockets/TCP connections to have large negative values details
- `property_overrides.acceptance_tests.default_timeout` is no longer required in spiff stubs details
- Routing API now supports query parameter `isolation_segment` to filter list of TCP routes details