Cloud Foundry Release Notes Report: July – September 2019

Hi again Cloud Foundry community! We’ve put together another round of project release roll-ups for you as a quick reference. With all the project teams doing such noteworthy work across Cloud Foundry, we believe it is useful for our community to have that work centralized in one place. Here are Q1 and Q2 release notes.

These notes outline major impacts to the developer experience and the operator experience, and will be useful as well to platform engineers working on Cloud Foundry. As always, please let us know if you find this useful (or not); we’d love to hear from you to make this release roll-up more meaningful to all of you in our community.

Read on for release notes from July, August, and September of 2019. 

Cloud Foundry Application Runtime

Cloud Foundry API

Platform Engineer Experience: 

• V3 routes are generally available.
• Added space/organization/app guid and name to app container metrics and log envelopes.
• Added ability to trace requests from the platform to the service broker.

Operator Experience:

• Breaking change: windows2016 stack support has been removed as it’s been replaced by the windows stack.
• Added initial telemetry collection. (Note: this is evolving and collection mechanism may change. Currently telemetry is written to the telemetry.log file located on the API vm at /var/vcap/sys/log/cloud_controller_ng/telemetry.log).
• Added a CANCELING state to rolling deployment status when a user cancels rolling deploy.
• capi-release components now use the new “flattened” ActualLRP API endpoints and associated instance-specific event types instead of ActualLRPGroup-based ones so that they will continue to function after their future removal.
• Ability to register a space scoped service broker without using v2 endpoints by the CLI admin or space developer.

Developer Experience:

• Ability to see last successful health check for a rolling deployment.
• Ability to view status for a rolling deployment.
• Atomically delete unmapped routes.
• Ability to see if matching routes exist for a domain.

CAPI Releases:

• v1.86.0
• v1.85.0
• v1.84.0

Cloud Foundry CLI

CF CLI v7 beta release is now available.  Do you have feedback or a bug report for the cf CLI v7 beta? Please file a GitHub issue, or reach out on Slack #v3-acceleration-team.

Developer Experience: 

• v6.46.1 release deprecates the following flag options on cf push:
  • –hostname
  • –no-hostname
  • -d for domain
  • –route-path

Operator Experience: 

• • cf services informs users of an available upgrade
    • cf service <name> provides additional details
    • cf update-service <name> –upgrade upgrades a service instance. 

• Note: This flag is in experimental stage and may change without notice.

CLI Releases:

• v6.46.1
• v6.46.0 

Networking

Operator Experience:

•  Operator can configure 
  • routing-api to support mTLS connections 
  • route-registrar and tcp-router to communicate over mTLS to routing-api
  • gorouter to fetch routes over mTLS from routing-api
  • gorouter with client certs for route services
• Routing-API supports deletion of Router Groups.
• HTTP stop/start metrics emit all tags provided during route registration.
• GoRouter supports indicator protocol to self-declare and self-document the monitoring and alerting behavior.

Networking Releases:

• v0.191.0
• v0.190.0
• v0.189.0

Diego

Operator Experience:

• Cloud controller generates https urls to file-server assets via a BOSH link from the file-server to ensure communication paths are secure.
• Ability to enable OCI mode on cells and see that app instance disk usage includes the app droplet, to ensure platform resources are being correctly accounted for.

Platform Engineer Experience:

•  Ability to configure vizzini errand with a preloaded rootfs that is included in Diego deployment to eliminate the need to change the code in diego-release, to run vizzini against environments with different configurations.
• Communication between the route emitter and routing API is over mTLS, thereby ensuring the security of the foundation.
• Observe the auctioneer logs and see what the auctioneer was trying to place when there was a placement failure to better diagnose the root cause of that placement failure.

Developer Experience:

• Ability to transfer staging results larger than 10k to the cloud controller so applications that generate larger staging results can successfully stage and subsequently start/run on the foundation.

Diego Releases:

• v2.37.0
• v2.36.0
• v2.35.0
• v2.34.0 

Eirini

Platform Engineer Experience:

• Added ability to report memory metrics.
• Enable TLS on Eirini endpoint.
• Native staging is the default, with added support to pass environment variables to buildpack.
• Increase routing resilience during upgrades.
• Ensure compatibility with clusters with existing PodSecurityPolicies.
• Allow user to provide pre-created certificate secrets (e.g. when using cert-manager).
• Initial disk quota support, currently hard-coded to 2GB for all apps.

Eirini Releases:

• v0.17.0
• v0.16.0
• v0.15.0 

Garden

Improvements to the dontpanic diagnostic tool, bug fixes to prevent leaking containers or leaking sockets, and improved resiliency to edge cases in Containerd mode.

Garden Releases:

• v1.19.7
• v1.19.6
• v1.19.5
• v1.19.4 

HAProxy BOSH Release

Operator Experience:

•  Addresses CVEs https://security-tracker.debian.org/tracker/CVE-2018-20615 and https://security-tracker.debian.org/tracker/CVE-2019-11323 
• haproxy can be configured to send traffic to backend servers in the same BOSH AZ as the haproxy server, to save cross-az traffic
• haproxy can bind to the default interface on both IPv4 and IPv6 simultaneously.
• BOSH Process Manager whitelists the filepath used for HAProxy’s logging device instead of hardcoding /dev/log. 

HAProxy BOSH Releases:

• v9.7.1
• v9.7.0 
• v9.6.2
• v9.6.1

Infrastructure 

Infrastructure Releases:

• v8.2.14
• v8.2.13
• v8.2.12
• v8.2.11
• v8.2.0
• v8.1.1 

Postgres Release

Supports PostgreSQL version 11.5. 

Postgres Release Releases:

• v39 

Release Integration

The release integration team release three major releases – v10.0.0, v11.0.0, and v12.0.0 – in this quarter.  Please take a look at the releases page and review the notes carefully.  Please reach out to the team on slack (#cf-deployment or #release-integration) if you have any questions.

Platform Engineer Experience:

•  Enables per-instance TLS terminating container proxy by default.
• v11.2.0 contains CAPI release that removes support for Windows 2016.

Manifest Updates

• Enabled mTLS endpoint for Routing API service component.
• Added UAA’s CA to Go-router’s trusted certs.

Rel-Int Releases:

• v12.0.0
• v11.2.0
• v11.1.0
• v11.0.0
• v10.1.0
• v10.0.0
• v9.5.0
• v9.4.0 

User Account & Authentication

Operator Experience:

• Added the ability to forward the IP address of the caller to the IdP when using OIDC password grant
• Improved UAA’s ability to reconnect to its database upon VM restart; eliminating UAA’s former 503/Failure mode
• The project team also released the following vulnerability fixes:
  • CVE-2019-11279: Addressed a privilege escalation via scope manipulation in UAA
  • CVE-2019-11278: Addressed a privilege escalation via blind SCIM injection in UAA

The project team updated the version numbers to move to a truly supported semantic versioning and to align the version numbers of the bosh released uaa and the standalone uaa given they are built off the same code.  The version(ing) applied to uaa has been synchronized with the version(ing) applied to [uaa-release](https://github.com/cloudfoundry/uaa-release/releases).  

Uaa-release moved to semantic versioning with version 73.0.0.  Both [uaa-release](https://github.com/cloudfoundry/uaa-release/releases) and [uaa](https://github.com/cloudfoundry/uaa/releases) will now follow semantic versioning guidelines.

UAA Releases:

• v74.1.0
• v74.0.0
• v73.7.0
• v4.35.0
• v4.32.0 

BOSH PMC

The incubating EFS Volume Services project team recently announced the move from cloudfoundry/incubator to cloudfoundry-attic on GitHub.

The BOSH team at VMware recently announced that they will be taking the Openstack CPI project from the SAP BOSH team towards the end of 2019.  Follow the discussion here and reach out to the project team if your organization is interested in helping to support it.

Operator Experience:

• Ability to add new endpoints for starting and stopping an instance without impacting the entire deployment.
• Further improvements to new start, stop, recreate, and restart commands
  • Show useful Result in tasks output,
  • Create events when running new commands,
  • Do not allow commands to run on errand VMs, and 
  • Support task cancellation.

BOSH Releases:

• v270.5.0
• v267.15.0
• v270.4.0
• v270.3.0 

Extensions PMC

App-Autoscaler

Operator Experience:

• Supports loggregator v2 API to stream multiple application metrics in parallel.

App-Autoscaler Releases:

• v1.2.4
• v1.2.3
• v2.0.0 

BOSH Backup and Restore

Operator Experience:

• Ensures a backup is not logged as “successful” if draining fails.

Backup and Restore Releases:

• v1.5.2

CF Buildpacks

Go Buildpack

• Removes cflinuxfs2 dependencies from manifest.

Go Buildpack Releases

• v1.9.0
• v1.8.43
• v1.8.42 

Java Buildpack

• Removed cflinuxfs2 (trusty) support.
• Enhancements to metric writer with cloud foundry-specific dimensions.
• Removed Dyadic EKM integration.

Java Buildpack Releases:

• v4.22
• v4.21
• v4.20

.NET Core Buildpack

• When a .NET Core framework version is unavailable, roll forward to the next minor line.
• Add support for dotnetcore 3 Preview/
• Remove dotnet-runtime and dotnet-aspnetcore 2.1.10 and 2.2.4 for all stacks.
• Remove dotnet-sdk 2.1.507, 2.2.107, 2.2.203, and 2.2.204 for all stacks.

.NET Core Buildpack Releases:

• v2.2.14 
• v2.2.13

Nodejs Buildpack

Nodejs Buildpack Releases:

• v1.6.56
• v1.6.55
• v1.6.54
• v1.6.53
• v1.6.52

Nginx Buildpack

Nginx Buildpack Releases:

• v1.0.18
• v1.0.17
• v1.0.15

PHP Buildpack

• Remove support for nginx 1.15.x because it is deprecated.
• Make httpd default 2.4.41.

PHP Buildpack Releases:

• v4.3.82
• v4.3.81
• v4.3.80
• v4.3.79

Python Buildpack

Python Buildpack Releases:

• v1.6.37
• v1.6.36
• v1.6.35

R Buildpack

• Remove cflinuxfs2 for R 3.6.0.
• Remove R 3.4 from the buildpack as it has been deprecated.

R Buildpack Releases:

• v1.0.13
• v1.0.12
• v1.0.11

Ruby Buildpack

Ruby Buildpack Releases:

• v1.7.44
• v1.7.43
• v1.7.42

Staticfile Buildpack 

• Bug fixes and removal of nginx 1.17.0 because it has been deprecated.

Staticfile Buildpack Releases:

• v1.4.44

CF-Dev

Developer Experience:

•  Updated cf-deployment version to v11.2.0
• Accommodate execution in powershell environments with conflicting modules installed.

cf-dev Releases:

• v0.0.17 

CredHub

Platform Engineer Experience:

• Allows CredHub to start before uaa is available.
• Ensures a TLS connection between a Key Management Service provider plugin and CredHub over a UNIX socket connection.
• Make CredHub healthcheck endpoint more secure.
• Allow non-active encryptions to be <20 characters.
• Add new certificate_authority and self_signed fields to /api/v1/certificates response.
• Add new generated field to /api/v1/certificates response.
• Creates new certificate credential versions when transitional flag is moved during certificate rotations.
• Returns credential version in descending order.

Credhub Releases:

• v2.5.6
• v2.5.5
• v2.5.4
• v2.5.3
• v2.5.2
• v2.5.1
• v2.5.0 

MultiApps

MultiApps Releases

• v1.78.0
• v1.77.0
• v1.75.0
• v1.74.0
• v1.73.0

Notifications

Notifications Releases

• Version 61
• Version 60
• Version 59

Stratos 

• Added Application Autoscaler UI
• Added imagelist to the helm chart
• Enhancements to breadcrumbs, notifications, metrics, and failed messages.

Stratos Releases

• v2.5.0