Releases: cloudfoundry/routing-release
0.293.0
Changes
Known issue: when a client sends Expect: 100-continue to delay POST data until the backend issues a 100 Continue, gorouter incorrectly returns a 200 OK status code to the client, regardless of the final status code the backend set (e.g. 401, 502 and 203 all appear as 200 to the client). HTTP access logs and gorouter HTTP request metrics show the correct status codes. Upgrading to routing-release 0.297.0 is advised.
- Add toggle to allow empty Content-Length headers
- fix: Enable syslog forwarding for gorouter
- fix: Don't retry more often than endpoints available
- Add an option to enable concurrent reads and responses in HTTP/1
Bosh Job Spec changes:
diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index e7c33d66..712a761f 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -161,6 +161,9 @@ properties:
router.enable_http2:
description: Enables support for HTTP/2 ingress traffic to the Gorouter. Also enables the option to use the HTTP/2 protocol for traffic to specified backends.
default: true
+ router.enable_http1_concurrent_read_write:
+ description: Enables concurrent request reads and response writes for HTTP/1 requests
+ default: false
router.min_tls_version:
description: Minimum accepted version of TLS protocol. All versions above this, up to the max_tls_version, will also be accepted. Valid values are TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3.
default: TLSv1.2
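Review bot: The description of router.enable_http1_concurrent_read_write says only what the flag does, not when an operator should turn it on or why it is opt-in (default: false); add the intended use case and the caveat that justifies keeping it off by default, otherwise operators cannot judge how it changes proxy behaviour for HTTP/1 clients.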
@@ -194,8 +197,9 @@ properties:
router.backends.max_attempts:
description: |
Maximum number of attempts on failing requests against backend routes.
+ The number of attempts per request is limited by the number of endpoints on the route, regardless of this setting.
This includes CF apps and route-registrar endpoints.
- A value of 0 implies indefinite retries, i.e. retry until success or endpoint list is exhausted.
+ The minimum value for this setting is 1. This prevents gorouter from getting blocked by indefinite retries.
default: 3
router.backends.ca:
description: Certificate authority that was used to sign certificates for TLS-registered backends. In PEM format.
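Review bot: The new line `+ The minimum value for this setting is 1.` changes the meaning of an existing value but does not say what happens to deployments that still have `0` configured under the removed semantics (`A value of 0 implies indefinite retries`): whether the job fails to render, the value is clamped to 1, or the old behaviour silently continues. State the validation behaviour in the description so operators can check their manifests before upgrading.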
@@ -274,6 +278,15 @@ properties:
router.enable_log_attempts_details:
description: "Log additional fields in the access log that provide more details on the specific timings and attempts performed towards endpoints."
default: false
+ router.logging.syslog_tag:
+ description: "Tag to use when writing syslog messages"
+ default: "vcap.gorouter"
+ router.logging.syslog_addr:
+ description: "Address of a syslog server to send access logs"
+ default: "localhost:514"
+ router.logging.syslog_network:
+ description: "Network protocol to use when connecting to the syslog server. Valid values are 'tcp', 'udp', <empty>. When choosing an empty string value, the local syslog daemon is used."
+ default: "udp"
router.logging.format.timestamp:
description: |
Format for timestamp in component logs. Valid values are 'rfc3339', 'deprecated', and 'unix-epoch'."
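Review bot: router.logging.syslog_network defaults to "udp" and router.logging.syslog_addr to "localhost:514", so the moment an operator points syslog_addr at a remote host the access logs leave the VM without delivery guarantees or transport protection; the description should say that only `tcp`, `udp` or empty are accepted and that no TLS option is exposed here. These three properties also only take effect when router.enable_access_log_streaming (added further down in this patch) is true, which the descriptions should cross-reference, and syslog_addr's "Address of a syslog server to send access logs" should read "to send access logs to".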
@@ -492,6 +505,9 @@ properties:
router.write_access_logs_locally:
description: "Enables writing access log to local disk."
default: true
+ router.enable_access_log_streaming:
+ description: "Enables streaming access log to syslog server."
+ default: false
router.suspend_pruning_if_nats_unavailable:
description: |
Suspend pruning of routes when NATs is unavailable and maintain the
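Review bot: The description of router.enable_access_log_streaming should name the properties it depends on (router.logging.syslog_addr, router.logging.syslog_network and router.logging.syslog_tag, added earlier in this patch) and say whether router.write_access_logs_locally, the property directly above it, keeps writing when streaming is on, so operators know whether they are duplicating the access log or replacing it.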
@@ -583,6 +599,14 @@ properties:
street_address: []
postal_code: []
default: []
+
healthchecker.failure_counter_file:
description: "File used by the healthchecker to monitor consecutive failures."
default: /var/vcap/data/gorouter/counters/consecutive_healthchecker_failures.count
+
+ go.httplaxcontentlength:
+ description: |
+ Environment Flag to temporarily allow requests containing an invalid, empty `Content-Length` header for backwards compatibility.
+ This toggle allows operators to add the `GODEBUG` field `httplaxcontentlength=1`, as allowable per the [go 1.22 release documentation](https://tip.golang.org/doc/go1.22#minor_library_changes).
+ Defaults to `false` as the default behavior in go 1.22+ is to reject these requests.
+ default: false
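Review bot: go.httplaxcontentlength is documented as a toggle for Go 1.22+ behaviour, but this release is built with go 1.21.8 (stated just below the spec changes), so the description should say what effect, if any, the property has on this build and from which release it becomes relevant. The `go.` prefix also departs from the `router.`/`healthchecker.` naming used by every other property in this spec, the two `+` lines that add only whitespace (before healthchecker.failure_counter_file and before go.httplaxcontentlength) are stray blank lines, and the link should point at the published Go 1.22 release notes rather than tip.golang.org, which tracks the development branch.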
✨ Built with go 1.21.8
Full Changelog: v0.292.0...v0.293.0
0.292.0
Changes
- Dependency updates
- ✨ Adds support for Partitioned cookies to gorouter to allow for sticky sessions in embedded contexts. More information on 3rd-party cookie deprecation.
✨ Built with go 1.21.7
Full Changelog: v0.291.0...v0.292.0
0.291.0
Changes
- Bugfix: Mitigates issue when operators set router.route_service_internal_server_port. Previously, this configuration parameter was not passed through to the Gorouter configuration.
✨ Built with go 1.21.7
Full Changelog: v0.290.0...v0.291.0
0.290.0
Changes
- ✨ Adds opt-in support for NTLM and other challenge-response based authentication using Authorization: Negotiate flows by automatically enabling sticky sessions for those requests.
- Golang bump to 1.21.7
- Go package dependency bumps
Bosh Job Spec changes:
diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index c291be45..e7c33d66 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -123,6 +123,9 @@ properties:
router.sticky_session_cookie_names:
description: "The names of the cookies to use for handling sticky sessions"
default: [ "JSESSIONID" ]
+ router.sticky_sessions_for_auth_negotiate:
+ description: "Controls whether or not gorouter will apply sticky sessions to request/response flows using 'Authorization: Negotiate'"
+ default: false
router.drain_wait:
description: |
Delay in seconds after shut down is initiated before server stops listening.
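Review bot: The description of router.sticky_sessions_for_auth_negotiate does not say how stickiness is keyed for these flows; the cookie names in router.sticky_session_cookie_names directly above may not apply to a challenge-response exchange, so state whether the property reuses that cookie list or pins the client to a backend by other means, and for how long the pinning lasts, so operators can reason about the interaction between the two properties.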
✨ Built with go 1.21.7
Full Changelog: v0.289.0...v0.290.0
0.289.0
❗BREAKING CHANGES ❗
- A new reserved port 7070 has been added - Thanks @domdom82!
- Before deploying, please double-check your reserved ports settings for any clashes with port 7070, especially the router.prometheus.port property.
Changes
- (Feature) Add route_services_internal_server_port property
- (Bug) Add cipher-suites for TLS 1.3 and auto-generate the list from now on
Bosh Job Spec changes:
diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index 30f535b8..c291be45 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -207,7 +207,7 @@ properties:
description:
An ordered, colon-delimited list of golang supported TLS cipher suites in OpenSSL or RFC format.
The selected cipher suite will be negotiated according to the order of this list during a TLS handshake.
- See https://github.com/golang/go/blob/release-branch.go1.9/src/crypto/tls/cipher_suites.go#L369-L390 for golang supported cipher suites.
+ See https://github.com/golang/go/blob/release-branch.go1.21/src/crypto/tls/cipher_suites.go#L663-L690 for golang supported cipher suites.
The first four of these are supported for TLSv1.0/1.1 only.
See https://www.openssl.org/docs/man1.1.0/apps/ciphers.html for a mapping of OpenSSL and RFC suite names.
default: "ECDHE-RSA-AES128-GCM-SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
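Review bot: The replacement link pins release-branch.go1.21 at lines 663-690, which will go stale the next time that upstream file changes, and the sentence kept below it ("The first four of these are supported for TLSv1.0/1.1 only") describes the order of the upstream list rather than anything in this spec; since the changelog says the cipher list is now auto-generated, point at the generated list in this repository (or a tagged Go version) and drop the positional sentence. The `default:` line is unchanged and still names only two suites, so nothing in this hunk tells an operator that TLS 1.3 suites are now covered.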
@@ -243,6 +243,9 @@ properties:
router.route_services_internal_lookup_allowlist:
description: "a list of host names for route services that should be resolved internally. Each entry can be a fully qualified domain name or DNS wildcard (i.e. wildcard on 1 segment of a subdomain). If the list is empty, it is not in effect and internal lookup will be attempted for all host names, which can lead to CVE-2019-3789. Please turn on internal lookup only with an allowlist."
default: []
+ router.route_services_internal_server_port:
+ description: "Gorouter will use this port for internal route services."
+ default: 7070
router.route_services_secret_decrypt_only:
description: "To rotate keys, add your new key here and deploy. Then swap this key with the value of route_services_secret and deploy again."
default: ""
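Review bot: router.route_services_internal_server_port opens a new listener on 7070, but the description says neither which interface it binds (localhost only or all interfaces) nor that the port must not collide with other reserved ports; the breaking-change note above this diff asks operators to check router.prometheus.port for clashes, and that constraint belongs in the property description itself so it survives outside the release notes.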
✨ Built with go 1.21.6
Full Changelog: v0.288.0...v0.289.0
0.288.0
Changes
- ✨ [Feature] Operators can now configure to prefer AZ-local backends before proxying to backends in other availability zones (#356)
- Protect against data race when ReverseProxy modifies response headers
- Fix ability to start gorouter with the default config (cloudfoundry/gorouter#387)
Bosh Job Spec changes:
diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index 8fc23a78..30f535b8 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -101,6 +101,16 @@ properties:
router.balancing_algorithm:
description: "Algorithm used to distribute requests for a route across backends. Supported values are round-robin and least-connection"
default: round-robin
+ router.balancing_algorithm_az_preference:
+ description: |
+ Configuration option used in conjunction with the `router.balancing_algorithm` to decide from which
+ availability zone to pick a suitable backend. Defaults to "None".
+ "none" - There is no preference regarding availability zones. The router uses the
+ `router.balancing_algorithm` across all possible backends in all existing AZs.
+ "locally-optimistic" - On the initial attempt to pick a backend, the router will use
+ `router.balancing_algorithm` across all backends in the same AZ as the router itself. Subsequent
+ retries, in the case of failure or unavailability, will use _all_ available AZs.
+ default: "none"
router.number_of_cpus:
description: "Number of CPUs to utilize, the default (-1) will equal the number of available CPUs"
default: -1
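Review bot: The description of router.balancing_algorithm_az_preference says `Defaults to "None"` while the `default:` line and the enumerated value read `"none"`; make the case consistent and say whether the value is case-sensitive. It should also state how "locally-optimistic" treats a backend with no AZ information, or a router whose own AZ is unknown, since the description does not say whether such backends count as local, remote or are skipped on the first attempt.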
✨ Built with go 1.21.6
Full Changelog: v0.287.0...v0.288.0
0.287.0
Changes
- Route-Registrar now supports specifying a NATS server CA via the nats.tls.ca_cert property if it is not present via a BOSH link. (#379) Thanks @benjaminguttmann-avtq!!
Bosh Job Spec changes:
diff --git a/jobs/route_registrar/spec b/jobs/route_registrar/spec
index be708025..c51dbb9f 100644
--- a/jobs/route_registrar/spec
+++ b/jobs/route_registrar/spec
@@ -53,6 +53,8 @@ properties:
description: "PEM-encoded certificate for the route-registrar to present to NATS for verification when connecting via TLS."
nats.tls.client_key:
description: "PEM-encoded private key for the route-registrar to present to NATS for verification when connecting via TLS."
+ nats.tls.ca_cert:
+ description: "The certificate authority certificate used for the route registrar"
nats.fail_if_using_nats_without_tls:
description: |
Connecting to nats (instead of nats-tls) is deprecated. The nats
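Review bot: nats.tls.ca_cert's description should match its siblings ("PEM-encoded ...") and state that the property is optional when the CA is supplied through the BOSH link, and which source wins when both are present; as written an operator cannot tell whether the property overrides or merely supplements the link.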
✨ Built with go 1.21.6
Full Changelog: v0.286.0...v0.287.0
0.286.0
❗BREAKING CHANGES ❗
- The deprecated /varz and /healthz endpoints for gorouter on port 8080 have been removed - Thanks @ameowlia and @geofffranks!
- The /routes endpoint on gorouter's port 8080 has been moved to port 8082, and is available only on localhost - Thanks @ameowlia and @geofffranks!
- TLS certificates for gorouter + tcp_router's health endpoints are now required to deploy. Fortunately this is provided automatically in cf-deployment - Thanks @ameowlia and @geofffranks!
Changes
- 🐛 Fix a nil panic in gorouter cloudfoundry/gorouter#372 - Thanks @maxmoehl + @domdom82!
- ✨ Adds availability zone info to endpoint data in gorouter cloudfoundry/gorouter#381 - Thanks @ameowlia!
- ✨ Speed up gorouter's route registry cloudfoundry/gorouter#379 - Thanks @peanball and @domdom82 !
- ✨ Also more performance improvements to gorouter's route registry cloudfoundry/gorouter#378 - Thanks @peanball and @domdom82!
- ✨ Adds an always-on TLS capable healthcheck endpoint for gorouter on port 8443 - Thanks @marc and @geofffranks!
- ✨ Adds an always-on TLS capable healthcheck endpoint for tcp_router on port 443 - Thanks @ameowlia and @geofffranks!
- ✨ Operators can now toggle off the non-TLS healthcheck endpoint for gorouter via router.status.enable_nontls_health_checks - Thanks @ameowlia and @geofffranks!
- ✨ Operators can now toggle off the non-TLS healthcheck endpoint for tcp_router via tcp_router.enable_nontls_health_checks - Thanks @ameowlia and @geofffranks!
Bosh Job Spec changes:
diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index 35576742..8fc23a78 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -57,11 +57,21 @@ properties:
default: router-status
router.status.password:
description: "Password for HTTP basic auth to the /varz and /routes endpoints."
+ router.status.enable_nontls_health_checks:
+ description: "Toggles whether or not gorouter will listen on a non-tls endpoint for load balancer health checks."
+ default: true
+ router.status.enable_deprecated_varz_healthz_endpoints:
+ description: |
+ Toggles whether or not gorouter will respond to the deprecated /healthz,
+ /varz, and /routes endpoints on its non-tls load balancer status port.
+ Requires 'router.status.enable_nontls_health_checks' to be true.
+ default: false
router.status.routes.port:
description: "Port used for the /routes endpoint (available on localhost-only)"
default: 8082
router.status.tls.port:
description: "Port used for the TLS listener of the LB healthcheck endpoint"
+ default: 8443
router.status.tls.certificate:
description: "TLS Certificate used for the TLS listener of the LB healthcheck endpoint"
router.status.tls.key:
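Review bot: The unchanged context line for router.status.password still says it protects "the /varz and /routes endpoints", but this hunk puts /varz behind router.status.enable_deprecated_varz_healthz_endpoints (default false) and the changelog moves /routes to a localhost-only port, so the password description no longer matches what it guards; update it in the same change. router.status.tls.port now gets `default: 8443`, yet router.status.tls.certificate and router.status.tls.key have no default and the release notes say they are required to deploy; mark them as required in their descriptions.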
diff --git a/jobs/tcp_router/spec b/jobs/tcp_router/spec
index dd3b8a4e..44fbb41a 100644
--- a/jobs/tcp_router/spec
+++ b/jobs/tcp_router/spec
@@ -10,6 +10,7 @@ templates:
routing_api_client_certificate.crt.erb: config/certs/routing-api/client.crt
routing_api_client_private.key.erb: config/keys/routing-api/client.key
routing_api_ca_certificate.crt.erb: config/certs/routing-api/ca_cert.crt
+ tcp_router_health_check_certificate.pem.erb: config/certs/health.pem
haproxy.conf.erb: config/haproxy.conf
haproxy.conf.template.erb: config/haproxy.conf.template
bpm.yml.erb: config/bpm.yml
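Review bot: The new template renders config/certs/health.pem from tcp_router.tls_health_check_cert and tcp_router.tls_health_check_key (added in the next hunk); if the private key is written into that file it should live under config/keys with the same handling as routing_api_client_private.key rather than beside the public certificates in config/certs, and the template name should make clear that it contains key material.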
@@ -66,9 +67,20 @@ properties:
tcp_router.request_timeout_in_seconds:
description: "Server and client timeouts in seconds"
default: 300
+
+ tcp_router.enable_nontls_health_checks:
+ description: "Toggles on/off whether or not to listen for load balancer health check requests on the non-tls `tcp_router.health_check_port` port"
+ default: true
tcp_router.health_check_port:
description: "Load balancer in front of TCP Routers should be configured to check the health of TCP Router instances by establishing a TCP connection on this port"
default: 80
+ tcp_router.tls_health_check_port:
+ description: "Load balancer in front of TCP Routers should be configured to check the health of TCP Router instances by establishing a TLS connection on this port"
+ default: 443
+ tcp_router.tls_health_check_cert:
+ description: "TLS certificate to use on the TCP Router's TLS health check port"
+ tcp_router.tls_health_check_key:
+ description: "TLS private key to use on the TCP Router's TLS health check port"
tcp_router.fail_on_router_port_conflicts:
description: "Fail the tcp router if routing_api.reserved_system_component_ports conflict with ports in existing router groups."
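Review bot: tcp_router.tls_health_check_cert and tcp_router.tls_health_check_key have no default and their descriptions do not say they are required, although the release notes state the deployment now fails without them; say so explicitly, and describe what the TLS listener on 443 serves (a bare handshake or an HTTP response) so load balancers can be configured to match. The `+` line above tcp_router.enable_nontls_health_checks adds only an empty line.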
✨ Built with go 1.21.6
Full Changelog: v0.285.0...v0.286.0
0.285.0
Changes
- A new localhost:8082 endpoint has been added for retrieving the routing table on gorouter. This is in preparation for removing non-TLS LB-health check endpoints from the public :8080 listener for increased security. /var/vcap/jobs/gorouter/bin/retrieve-local-routes is updated and is still the official way to retrieve the local routing table on a gorouter. The port this listens on can be configured via the router.status.routes.port property.
- A new TLS-enabled endpoint for LB health checks has been added on :8443. This can be configured via the router.status.tls.port, router.status.tls.certificate and router.status.tls.key properties.
- routing-api has been updated to work towards supporting a TLS-only CF deployment. Thanks @reneighbor!
- gorouter's proxy package received some test enhancements for increased test stability. Thanks @domdom82!
- gorouter's pool.Endpoint.Equals() received a performance improvement thanks to @peanball!
- Route-registrar will now fail if it is configured to talk to NATS without using TLS. This can be toggled via the nats.fail_if_using_nats_without_tls property. Thanks @ameowlia!
Bosh Job Spec changes:
diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index e9a9dd73..35576742 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -57,6 +57,15 @@ properties:
default: router-status
router.status.password:
description: "Password for HTTP basic auth to the /varz and /routes endpoints."
+ router.status.routes.port:
+ description: "Port used for the /routes endpoint (available on localhost-only)"
+ default: 8082
+ router.status.tls.port:
+ description: "Port used for the TLS listener of the LB healthcheck endpoint"
+ router.status.tls.certificate:
+ description: "TLS Certificate used for the TLS listener of the LB healthcheck endpoint"
+ router.status.tls.key:
+ description: "Private Key used for the TLS listener of the LB healthcheck endpoint"
router.prometheus.port:
description: "Port for the prometheus endpoint."
router.prometheus.server_name:
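Review bot: router.status.tls.port is added without a default while the changelog says the listener is on :8443; either add `default: 8443` here or state in the description that the TLS listener stays disabled when the port is unset. router.status.tls.certificate and router.status.tls.key likewise need to say whether they are optional in this release, since the 0.286.0 notes above make them mandatory one release later.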
diff --git a/jobs/route_registrar/spec b/jobs/route_registrar/spec
index bf3d9a03..be708025 100644
--- a/jobs/route_registrar/spec
+++ b/jobs/route_registrar/spec
@@ -53,6 +53,13 @@ properties:
description: "PEM-encoded certificate for the route-registrar to present to NATS for verification when connecting via TLS."
nats.tls.client_key:
description: "PEM-encoded private key for the route-registrar to present to NATS for verification when connecting via TLS."
+ nats.fail_if_using_nats_without_tls:
+ description: |
+ Connecting to nats (instead of nats-tls) is deprecated. The nats
+ process will be removed soon. Please migrate to using nats-tls as soon
+ as possible. If you must continue using nats for a short time you can
+ set this flag to false.
+ default: true
host:
description: (string, optional) By default, route_registrar will detect the IP of the VM and use it, in combination with port as the backend destination for each uri being registered. This property enables overriding the destination hostname or IP.
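Review bot: nats.fail_if_using_nats_without_tls defaults to true, so upgrading route_registrar stops registration for any deployment still using the plain nats link; the description should say how the failure manifests (exit at startup or error at connect) and where it is logged, so operators can detect it and plan the migration rather than discover it through missing routes.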
✨ Built with go 1.21.5
Full Changelog: v0.284.0...v0.285.0
0.284.0
Changes
- Upgrade to Golang 1.21.4
- Bump dependencies
✨ Built with go 1.21.4
Full Changelog: v0.283.0...v0.284.0