Releases: cloudfoundry/routing-release
0.303.0
Release Date: August 09, 2024
Changes
- add additional unsafe params by @pnikonowicz in #431
Bosh Job Spec changes:
diff --git a/jobs/route_registrar/spec b/jobs/route_registrar/spec
index de81a0e8..feafaf10 100644
--- a/jobs/route_registrar/spec
+++ b/jobs/route_registrar/spec
@@ -132,10 +132,16 @@ properties:
name (required, string): Human-readable reference for the healthcheck
script_path (required, string): Path to script that will be run periodically to determine
service health
+ unrestricted_volumes (optional, array of unrestricted_volumes): Additional directories to be mounted in the bpm config for the route_registrar job.
+ privileged: (optional, boolean): Sets bpm privileged flag. defaults to false
timeout (optional, string): The healthcheck script must exit within this timeout, otherwise
the script is terminated with `SIGKILL` and the route is unregistered. Value is a string (e.g. "10s") and must parse to a positive time duration i.e. "-5s" is not permitted. Must be less than the value of `registration_interval`.
Default: Half of the value of `registration_interval`
+ unrestricted_volume object
+ path (required, string): the path to be mounted
+ writable (optional, boolean): sets the writable flag. defaults to false
+
options object
lb_algo (optional, string): Load balancing algorithm for routing incoming requests to the backend: 'round-robin' or 'least-connection'. In cases where this option is not specified, the algorithm defined in gorouter spec is applied.
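Review bot: the new `privileged: (optional, boolean)` entry has a stray colon after the property name, unlike every other entry in this description block (`unrestricted_volumes (optional, ...)` directly above it); drop it. Since this flag sets bpm's privileged mode for the route_registrar job, the description should also say what elevated access it grants and when an operator actually needs it (for example a healthcheck script that cannot run inside the default bpm confinement), so that `false` is understood as the setting to keep. The type `array of unrestricted_volumes` also does not match the object name `unrestricted_volume object` defined a few lines below; make the two agree.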
✨ Built with go 1.22.6
Full Changelog: v0.302.0...v0.303.0
0.302.0
Release Date: August 08, 2024
Changes
- ✨Adds drain_wait + load_balancer_healthy_threshold properties behaving similarly to gorouter's to provide better uptime during BOSH deployments by waiting for LBs to pull nodes about to be shut down out of service, and re-add them before moving on to the next.
- ✨Adds support for TLS backends with TCP routes. This enables TCP routes to use the envoy proxy settings on app containers used by HTTP routes, providing guaranteed TLS encryption between tcp-router + diego-cell VMs, without intervention from app teams. Additionally it allows for the disabling of the unproxied ports on containers since TCP route traffic can now go through envoy.
- 🐛Fixed a bug with v0.301.0 that caused problems with TCP routes when a postgres database was used for the routing-api. Thanks for finding this @schmidtsv!
- Bumped to golang 1.22.5
- Bumped tcp_router's haproxy to 2.8.10
- Testing + docs improvements
Bosh Job Spec changes:
diff --git a/jobs/tcp_router/spec b/jobs/tcp_router/spec
index 44fbb41a..aa6b764c 100644
--- a/jobs/tcp_router/spec
+++ b/jobs/tcp_router/spec
@@ -10,10 +10,16 @@ templates:
routing_api_client_certificate.crt.erb: config/certs/routing-api/client.crt
routing_api_client_private.key.erb: config/keys/routing-api/client.key
routing_api_ca_certificate.crt.erb: config/certs/routing-api/ca_cert.crt
+ tcp_router_backend_client_cert_and_key.pem.erb: config/keys/tcp-router/backend/client_cert_and_key.pem
+ tcp_router_backend_ca.crt.erb: config/certs/tcp-router/backend/ca.crt
tcp_router_health_check_certificate.pem.erb: config/certs/health.pem
+ # config/haproxy.conf is used for initial haproxy config when starting up
haproxy.conf.erb: config/haproxy.conf
- haproxy.conf.template.erb: config/haproxy.conf.template
+ # config/haproxy.conf.template is rendered by tcp-router when routes are provided
+ haproxy.conf.template.erb: config/haproxy.conf.template
bpm.yml.erb: config/bpm.yml
+ drain.erb: bin/drain
+ post-start.erb: bin/post-start
packages:
- routing_utils
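Review bot: `tcp_router_backend_client_cert_and_key.pem.erb` renders the client certificate and its private key into a single file under `config/keys/tcp-router/backend/`; since that file carries a private key, the template or the job's `bpm.yml` should ensure it is created with a restrictive mode and is readable only by the tcp_router process. The two added `#` comments are helpful; consider also stating in the second one that `config/haproxy.conf.template` is re-rendered on every route update, if that is the intent of "when routes are provided".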
@@ -46,6 +52,18 @@ properties:
default: "1m"
tcp_router.oauth_secret:
description: "OAuth client secret used to obtain token for Routing API from UAA."
+ tcp_router.backend_tls.enabled:
+ description: |
+ Turns on support for TLS for TCP Router. Requires tcp_router.backend_tls.ca_cert to
+ be set. For mTLS also set tcp_router.backend_tls.client_cert and
+ tcp_router.backend_tls.client_key.
+ default: false
+ tcp_router.backend_tls.client_cert:
+ description: "TCP Router's TLS client cert used for mTLS with route backends"
+ tcp_router.backend_tls.client_key:
+ description: "TCP Router's TLS client private key used for mTLS with route backends"
+ tcp_router.backend_tls.ca_cert:
+ description: "TCP Router's TLS CA used with route backends"
routing_api.uri:
description: "URL where the routing API can be reached internally"
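Review bot: `tcp_router.backend_tls.enabled` says it requires `tcp_router.backend_tls.ca_cert`, and mTLS requires both `client_cert` and `client_key`, but nothing in the spec enforces those combinations; the config template should fail rendering when `enabled` is true and `ca_cert` is empty, or when only one of `client_cert`/`client_key` is set, rather than deferring the failure to runtime. The `client_key` description should also state that the value is sensitive so it is not placed in a plain-text manifest.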
@@ -86,6 +104,19 @@ properties:
description: "Fail the tcp router if routing_api.reserved_system_component_ports conflict with ports in existing router groups."
default: "false"
+ tcp_router.drain_wait:
+ description: |
+ Delay in seconds after shut down is initiated before haproxy stops listening.
+ During this time haproxy will reject requests to the /health endpoint.
+ This accommodates requests forwarded by a load balancer until it considers the tcp_router unhealthy.
+ default: 20
+ tcp_router.load_balancer_healthy_threshold:
+ description: |
+ Time period in seconds to wait until declaring the tcp_router instance
+ started after starting the listener socket. This allows an external load
+ balancer time to register the instance as healthy."
+ default: 20
+
uaa.token_endpoint:
description: "UAA token endpoint host name. Do not include a scheme in this value; TCP Router will always use TLS to connect to UAA."
default: uaa.service.cf.internal
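Review bot: the block scalar for `tcp_router.load_balancer_healthy_threshold` ends with a stray double quote (`balancer time to register the instance as healthy."`) that will be rendered into the description; remove it. The `tcp_router.drain_wait` description says haproxy rejects requests to the `/health` endpoint during the delay; it should state which status code is returned so operators can match it against their load balancer's health check configuration.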
✨ Built with go 1.22.6
Full Changelog: v0.301.0...v0.302.0
0.301.0
CAUTION: This release is affected by a known issue for users who use both Postgres for the Cloud Foundry database and TCP Routes. This will be fixed in a future release. Users who use both Postgres and TCP Routes should not upgrade to this version. This only applies if postgres is used for the core Cloud Foundry databases, not if apps use postgres services.
Changes
- 🐛 Fixes a bug introduced in v0.298.0 where the `X-Forwarded-Host` header was incorrectly set for requests containing an `Expect: 100-continue` header. Thanks @maxmoehl !
✨ Built with go 1.22.4
Full Changelog: v0.300.0...v0.301.0
0.300.0
Changes
- Update route registrar to only send 5 unregistration messages for an unhealthy route - cloudfoundry/route-registrar#46 . Thanks @andy-a-d-nguyen for your first contribution to CF!
✨ Built with go 1.22.4
Full Changelog: v0.299.0...v0.300.0
0.299.0
Changes
- Bumped to Golang 1.22.4
- Added ability to enforce strict validation of route service signature. Thanks @maxmoehl, @b1tamara and @plowin !
Bosh Job Spec changes:
diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index 8269440b..60c7b520 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -262,6 +262,9 @@ properties:
router.route_services_timeout:
description: "Expiry time of a route service signature in seconds"
default: 60
+ router.route_services_strict_signature_validation:
+ description: "Enforce strict validation of a route service signature"
+ default: false
router.max_header_kb:
description: |
This value controls the maximum number of bytes (in KB) the gorouter will read
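Review bot: `router.route_services_strict_signature_validation` describes "strict validation" without saying what it checks beyond the expiry already governed by `router.route_services_timeout`, nor what gorouter does with a request whose signature fails the strict check; the description should spell out both so operators can judge the impact before changing the default from `false`.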
✨ Built with go 1.22.4
Full Changelog: v0.298.0...v0.299.0
0.298.0
Changes
- 🔒 Resolves CVE-2024-22279, which affected routing-releases 0.273.0 through 0.297.0.
- 🐛 Improve support for requests using the Expect: 100-continue header.
- 🐛 The missing_content_length_header metric introduced in 0.297.0 has been renamed to empty_content_length_header for more accuracy. Thanks @peanball!
- 🐛 The empty_content_length_header was fixed to more accurately capture events when the content-length header of a request was empty. Previously extra request types were being included erroneously.
Bosh Job Spec changes:
diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index 712a761f..8269440b 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -306,6 +306,9 @@ properties:
router.keep_alive_probe_interval:
default: 1s
description: Interval between TCP keep alive probes. Value is a string (e.g. "10s")
+ router.keep_alive_100_continue_requests:
+ description: "If set gorouter reuses backend connection for requests expecting 100-Continue"
+ default: false
router.force_forwarded_proto_https:
description: "Enables setting X-Forwarded-Proto header if SSL termination happened upstream and incorrectly set the header value. When this property is set to true gorouter sets the header X-Forwarded-Proto to https. When this value set to false, gorouter set the header X-Forwarded-Proto to the protocol of the incoming request"
default: false
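Review bot: `router.keep_alive_100_continue_requests` only describes the `true` case ("reuses backend connection"); state what happens with the default `false` (whether the backend connection is closed after a request expecting 100-Continue) so the trade-off is clear to operators reading the spec.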
✨ Built with go 1.22.3
Full Changelog: v0.297.0...v0.298.0
0.297.0
Changes
- 🐛 FIXES KNOWN ISSUE: Gorouter now correctly returns the status code provided by backends for workflows using 100-continue, or other 1xx interim status codes. Thanks for catching this @plowin @domdom82 and thanks @geofffranks for the quick fix!
- 🐛The TLS listener for the health status endpoint in gorouter now handles custom cipher-suites that do not include any of the required HTTP/2 ciphers. Thanks @MarcPaquette + @geofffranks!
- 🐛 Failing to establish a TCP connection to a backend no longer causes a panic when setting up a WebSocket connection. Thanks @domdom82!
- ✨The health status endpoint for gorouter is now able to log error messages encountered when it starts up, to aid in troubleshooting. Thanks @MarcPaquette and @geofffranks !
- ✨ Gorouter now provides a `missing_content_length_header` metric that will flag requests that would have been hit by Golang 1.22's new check to reject requests that have an empty content-length header. This can be used to determine if an environment will be affected by disabling the `go.httplaxcontentlength` gorouter property. Thanks @mariash!
  - NOTE: The metric is counting requests unaffected by the new golang behavior and will be updated in 0.298.0+, where it is also renamed to `empty_content_length_header`.
- ✨ Route registrar now allows operators to specify load balancing algorithms for individual routes. Thanks @b1tamara and @domdom82 !
- Bumped to golang 1.22.3
Bosh Job Spec changes:
diff --git a/jobs/route_registrar/spec b/jobs/route_registrar/spec
index c51dbb9f..de81a0e8 100644
--- a/jobs/route_registrar/spec
+++ b/jobs/route_registrar/spec
@@ -125,7 +125,8 @@ properties:
with error, the route is unregistered.
router_group (required, string, for tcp routes): Name of the router group to which the TCP route should be added.
external_port (required, string, for tcp routes): Port that the TCP router will listen on.
- server_cert_domain_name_modifier (optional, string, for sni routes): a regex replace to help with complicated hostnames
+ server_cert_domain_name_modifier (optional, string, for sni routes): a regex replace to help with complicated hostnames.
+ options (optional, object, for http routes): Custom per-route options
health_check object
name (required, string): Human-readable reference for the healthcheck
@@ -135,6 +136,9 @@ properties:
the script is terminated with `SIGKILL` and the route is unregistered. Value is a string (e.g. "10s") and must parse to a positive time duration i.e. "-5s" is not permitted. Must be less than the value of `registration_interval`.
Default: Half of the value of `registration_interval`
+ options object
+ lb_algo (optional, string): Load balancing algorithm for routing incoming requests to the backend: 'round-robin' or 'least-connection'. In cases where this option is not specified, the algorithm defined in gorouter spec is applied.
+
example: |
- name: my-service
uris:
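Review bot: `lb_algo` lists `'round-robin'` and `'least-connection'` as the accepted values but does not say what route_registrar does with any other value; state whether registration fails or silently falls back to the gorouter default, since a silent fallback would hide a typo in the route configuration.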
@@ -150,6 +154,8 @@ properties:
script_path: /path/to/script
timeout: 5s
route_service_url: https://my-oauth-proxy-route-service.example.com
+ options:
+ lb_algo: least-connection
- name: my-tls-endpoint
tls_port: 12346
server_cert_domain_san: "my-tls-endpoint.internal.com"
✨ Built with go 1.22.3
Full Changelog: v0.296.0...v0.297.0
0.296.0
`Expect: 100-continue` to delay POST data until the backend issues a 100 Continue, gorouter incorrectly returns a 200 OK status code to the client, regardless of what final status code the backend set (e.g. 401, 502, 203 all appear as 200 to the client). HTTP access logs and Gorouter HTTP request metrics showed the correct status codes. Upgrading to routing-release 0.297.0 is advised.
Changes
- Pass availability zone in route-registrar for AZ-aware routing of system components
- Bump Golang to 1.22
Bosh Job Spec changes:
diff --git a/jobs/acceptance_tests/spec b/jobs/acceptance_tests/spec
index e1a6a9ae..8122ddaf 100644
--- a/jobs/acceptance_tests/spec
+++ b/jobs/acceptance_tests/spec
@@ -7,7 +7,7 @@ templates:
bpm.yml.erb: config/bpm.yml
packages:
- - golang-1.21-linux
+ - golang-1.22-linux
- acceptance_tests
- rtr
- cf-cli-8-linux
diff --git a/jobs/smoke_tests/spec b/jobs/smoke_tests/spec
index b230192b..02edfd9d 100644
--- a/jobs/smoke_tests/spec
+++ b/jobs/smoke_tests/spec
@@ -7,7 +7,7 @@ templates:
bpm.yml.erb: config/bpm.yml
packages:
- - golang-1.21-linux
+ - golang-1.22-linux
- acceptance_tests
- cf-cli-8-linux
✨ Built with go 1.22.2
Full Changelog: v0.295.0...v0.296.0
0.295.0
`Expect: 100-continue` to delay POST data until the backend issues a 100 Continue, gorouter incorrectly returns a 200 OK status code to the client, regardless of what final status code the backend set (e.g. 401, 502, 203 all appear as 200 to the client). HTTP access logs and Gorouter HTTP request metrics showed the correct status codes. Upgrading to routing-release 0.297.0 is advised.
Changes
- Resolves #401 by reverting the removal of the deprecated BuildNameToCertificate() call
- Bumps to golang 1.21.9 + golang.org/x/net 0.23.0 to patch CVE-2023-45288
✨ Built with go 1.21.9
Full Changelog: v0.294.0...v0.295.0
0.294.0
`Expect: 100-continue` to delay POST data until the backend issues a 100 Continue, gorouter incorrectly returns a 200 OK status code to the client, regardless of what final status code the backend set (e.g. 401, 502, 203 all appear as 200 to the client). HTTP access logs and Gorouter HTTP request metrics showed the correct status codes. Upgrading to routing-release 0.297.0 is advised.
Changes
- Bump haproxy to 2.8.7
- update templates to not refer to consul
- Default the routing_api.enabled_api_endpoints to mtls
- Update template test for mTLS routing api default
- Upgrade cf-cli-8-linux
Bosh Job Spec changes:
diff --git a/jobs/routing-api/spec b/jobs/routing-api/spec
index 1d7efe3c..2e5cd361 100644
--- a/jobs/routing-api/spec
+++ b/jobs/routing-api/spec
@@ -95,7 +95,7 @@ properties:
routing_api.enabled_api_endpoints:
description: "Protocols that the routing api will listen on. Possible values: 'mtls', or 'both' (mTLS + HTTP)"
- default: "both"
+ default: "mtls"
routing_api.mtls_port:
description: "Port on which Routing API is running, listening with mTLS."
default: 3001
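Review bot: changing the `routing_api.enabled_api_endpoints` default from `"both"` to `"mtls"` disables the plain HTTP listener for every deployment that did not set the property explicitly, so this should be called out in the release notes as a potentially breaking change, with a pointer for operators to confirm that all Routing API clients present client certificates (or to pin `"both"` in their manifest) before upgrading.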
✨ Built with go 1.21.8
Full Changelog: v0.293.0...v0.294.0