
v3.0.0

@heyjcollins released this 26 Jul 23:57

⚠️ Please skip this version if you are upgrading from cf-deployment v2.7.0 or earlier

This release contains CAPI release v1.62.0 with the following issue:

  • There is an issue that causes some apps to go into a crashing state following a deployment. Those apps can be brought back up with a restart. The affected apps are those that are not regularly deployed.

❗💥Major release containing breaking changes💥❗

Please read the "Upgrading to CF-Deployment v3.0.0" instructions at the bottom of release notes.

Notices

cf-deployment v3.0.0 requires:

  • BOSH v262+ and 3468+ Linux stemcells
  • that you have uploaded a runtime-config for BOSH DNS
    • We have updated the bosh-deploy tasks in cf-deployment-concourse-tasks v7.0 so that they upload the BOSH DNS runtime-config before the BOSH deploy, and we encourage you to use this task in your CI pipelines.

Summary of 3.0 Changes

  • bosh-dns must be enabled via runtime-config.
  • bosh-dns-aliases-release v0.0.2 is now enabled by default.
  • log-cache-release v1.3.0 is now enabled by default.
  • syslog-release has updated a variable name.
  • credhub is the only certified credential store going forward (vars-store may still function appropriately, but it will no longer be validated in our release pipelines).
  • All symlinked and empty ops files previously maintained for backward compatibility have been deleted.

Manifest Updates

  • bosh-dns-aliases release added to support component aliasing, now that bosh-dns is enabled by default via the BOSH runtime-config.
  • log-cache is now enabled by default in cf-deployment and colocated with doppler.
  • dns_servers IP address added as a property of the silk release in support of bosh-dns.

Ops-files

New Ops-files

  • operations/disable-log-cache.yml - Removes Log Cache and associated jobs from doppler VMs.
  • operations/rename-network-and-deployment.yml - The rename-network and rename-deployment ops files had to be merged in order to support enabling bosh-dns via runtime-config. An operator can rename the network and deployment by passing the variables network_name and deployment_name.
    • CAUTION: If you are using this ops file along with another ops file that increases the number of instance groups (e.g. windows-cell.yml, perm-services.yml, or secure-service-credentials.yml), this ops file will not rename the network for those instance groups.

Updated Ops-files

  • operations/addons/enable-component-syslog.yml and operations/addons/example-vars-files/vars-enable-component-syslog.yml
    • We've corrected the name of the permitted_peer variable used in this ops-file to syslog_permitted_peer for consistency with our naming convention.
    • IMPORTANT: If your deployment(s) were previously executed with enable-component-syslog, update your variable name to the new name before you deploy cf-deployment v3.0.0.
  • operations/bosh-lite.yml - Kernel parameter tuning for the rep on bosh-lite has been disabled.
  • operations/experimental/perm-service.yml - Perm configuration updated to access UAA over internal URL.
  • The following ops files have been deprecated. They have been temporarily kept as blank files for backward compatibility and will be deleted in cf-deployment v4.0.0:
    • operations/experimental/use-bosh-dns.yml
    • operations/experimental/use-bosh-dns-for-containers.yml
    • operations/experimental/use-bosh-dns-for-windows2016-containers.yml
    • operations/experimental/use-bosh-dns-rename-network-and-deployment.yml
    • operations/experimental/use-log-cache.yml
  • operations/experimental/use-compiled-releases-xenial-stemcell.yml - entries added to compile releases for the newly added log-cache and bosh-dns-aliases releases.
  • operations/use-compiled-releases.yml - entries added to compile releases for the newly added log-cache and bosh-dns-aliases releases.

Deleted Ops-files

  • operations/rename-deployment.yml - replaced by new ops file rename-network-and-deployment.yml (see above)
  • operations/rename-network.yml - replaced by new ops file rename-network-and-deployment.yml (see above)
  • operations/experimental/enable-service-discovery.yml - promoted out of experimental operations in v2.0.0

Other Updates

  • iaas-support/softlayer/add-system-domain-dns-alias.yml
    • Now that bosh-dns is enabled by default via bosh runtime-config, the alias for the system_domain in a Cloud Foundry deployed on a Softlayer VM with a Bosh-Lite director is set via the bosh-dns-aliases release rather than the bosh-dns release.
    • For more information, see the Deploy Cloud Foundry on a Softlayer Bosh-Lite Director README.

Release and Stemcell Updates

Release                  New Version   Old Version
backup-and-restore-sdk   1.9.0         1.8.1
cf-networking            2.10.0        2.8.0
java-buildpack           4.13.1        4.13
nats                     25            24
silk                     2.10.0        2.9.0
log-cache                1.3.0         1.4.0
bosh-dns-aliases         0.0.2         N/A
nfs-volume               1.4.1         1.4.0
windows2016fs            1.5.0         1.4.0
bits-service             2.8.0         2.7.0
pxc                      0.12.0        0.11.0

Upgrading to CF-Deployment v3.0.0

This release of cf-deployment requires that BOSH DNS be provided by a runtime-config. This will require you to run some additional steps before deploying this release.

You may want to review the BOSH DNS architecture documentation provided by the BOSH team.

If you HAVE NOT already enabled BOSH DNS in your Cloud Foundry...

you will need to upload the dns.yml runtime-config from bosh-deployment. Then you can deploy as normal.
See the step-by-step instructions in the section titled "For installs that DID NOT have BOSH DNS enabled previously."

If you HAVE already enabled BOSH DNS in your Cloud Foundry...

with the use-bosh-dns.yml ops-file, you will also need to move your credentials to the namespace expected by the runtime-config before you upgrade to cf-deployment v3.0.0.
See the step-by-step instructions in the section titled "For installs that DID have BOSH DNS enabled previously."

Warning

If you use rename-network-and-deployment.yml together with any ops-files that add instance groups (Windows cells, isolation segments, etc.), you will need to make sure the network is renamed for those instance groups as well.

Deploy Instructions

For installs that DID NOT have BOSH DNS enabled previously

  1. Confirm that your director has the property director.local_dns.enabled set to true. (If you are using bosh-deployment v1.0.0 or higher, or bbl v5.10.0 or higher, this is set by default.)

  2. Upload a named runtime config for BOSH DNS:

    bosh update-runtime-config bosh-deployment/runtime-configs/dns.yml --name=dns
    
  3. Deploy CF

    bosh deploy cf-deployment/cf-deployment.yml \
      -v system_domain=<system-domain> \
      ...
    

For installs that DID have BOSH DNS enabled previously

  1. Upload a named runtime-config for BOSH DNS:
    bosh update-runtime-config bosh-deployment/runtime-configs/dns.yml --name=dns
    
  2. Log in to the BOSH director CredHub
  3. Migrate credentials from the /bosh-director-name/cf namespace to the / namespace:
    #!/bin/bash
    set -eu

    # Resolve the old-namespace credential whose name contains $1 and print its
    # full path. `credhub find -n` is a substring search, so fail loudly when the
    # match is ambiguous instead of silently copying the first hit.
    find_old_cred() {
      matches=$(credhub find -n "$1" -j | jq '.credentials | length')
      if [ "$matches" -ne 1 ]; then
        echo "expected exactly one credential matching '$1', found ${matches}" >&2
        exit 1
      fi
      credhub find -n "$1" -j | jq -r '.credentials[0].name'
    }

    # Copy a root CA into the / namespace; -r marks the certificate as its own CA.
    create_ca() {
      cred_name=$1

      old_cred_name=$(find_old_cred "$cred_name")
      json=$(credhub get -n "$old_cred_name" -j)

      certificate=$(echo "$json" | jq -r .value.certificate)
      private_key=$(echo "$json" | jq -r .value.private_key)

      credhub set -n "${cred_name}" -t certificate -c "${certificate}" -p "${private_key}" -r "${certificate}"
    }

    # Copy a leaf certificate into the / namespace, chained (-m) to a CA that
    # has already been migrated by create_ca.
    create_cert() {
      cred_name=$1
      ca_name=$2

      old_cred_name=$(find_old_cred "$cred_name")
      json=$(credhub get -n "$old_cred_name" -j)

      certificate=$(echo "$json" | jq -r .value.certificate)
      private_key=$(echo "$json" | jq -r .value.private_key)

      credhub set -n "${cred_name}" -t certificate -c "${certificate}" -p "${private_key}" -m "${ca_name}"
    }

    main() {
      # CAs first, so the leaf certificates below can reference them with -m.
      create_ca "dns_healthcheck_tls_ca"
      create_ca "dns_api_tls_ca"

      create_cert "dns_healthcheck_server_tls" "dns_healthcheck_tls_ca"
      create_cert "dns_healthcheck_client_tls" "dns_healthcheck_tls_ca"

      create_cert "dns_api_server_tls" "dns_api_tls_ca"
      create_cert "dns_api_client_tls" "dns_api_tls_ca"
    }

    main
  4. Deploy CF
    bosh deploy cf-deployment/cf-deployment.yml \
      -v system_domain=<system-domain> \
      ...
    
  5. Delete old credentials
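Before the old credentials are deleted in step 5, it is worth confirming that each one was copied intact into the / namespace and that every leaf certificate still chains to its migrated CA. The following check is an added example, not part of the release or of the migration script; it works on the JSON that `credhub get -n <name> -j` prints for a certificate credential, replaced here by constructed sample documents with placeholder PEM bodies, and the leaf-to-CA mapping is taken from the create_cert calls above.

```python
import json

# Constructed stand-ins for `credhub get -n <name> -j` output in both namespaces; PEM bodies are placeholders.
CA_CERT = "-----BEGIN CERTIFICATE-----\nDNS-API-CA-PLACEHOLDER\n-----END CERTIFICATE-----"
CA_KEY = "-----BEGIN RSA PRIVATE KEY-----\nDNS-API-CA-KEY-PLACEHOLDER\n-----END RSA PRIVATE KEY-----"
SRV_CERT = "-----BEGIN CERTIFICATE-----\nDNS-API-SERVER-PLACEHOLDER\n-----END CERTIFICATE-----"
SRV_KEY = "-----BEGIN RSA PRIVATE KEY-----\nDNS-API-SERVER-KEY-PLACEHOLDER\n-----END RSA PRIVATE KEY-----"

def credhub_json(name, ca, certificate, private_key):
    """Shape of the document `credhub get -j` prints for a certificate credential."""
    return json.dumps({"name": name, "type": "certificate",
                       "value": {"ca": ca, "certificate": certificate, "private_key": private_key}})

# Leaf -> issuing CA, mirroring the create_cert calls in the migration script.
LEAF_CA = {"dns_api_server_tls": "dns_api_tls_ca", "dns_api_client_tls": "dns_api_tls_ca",
           "dns_healthcheck_server_tls": "dns_healthcheck_tls_ca",
           "dns_healthcheck_client_tls": "dns_healthcheck_tls_ca"}

OLD = {"dns_api_tls_ca": credhub_json("/bosh-director-name/cf/dns_api_tls_ca", CA_CERT, CA_CERT, CA_KEY),
       "dns_api_server_tls": credhub_json("/bosh-director-name/cf/dns_api_server_tls", CA_CERT, SRV_CERT, SRV_KEY)}
NEW = {"dns_api_tls_ca": credhub_json("/dns_api_tls_ca", CA_CERT, CA_CERT, CA_KEY),
       "dns_api_server_tls": credhub_json("/dns_api_server_tls", CA_CERT, SRV_CERT, SRV_KEY)}

def verify_migration(old, new, leaf_ca=LEAF_CA):
    """Return a list of problems; an empty list means the old namespace is safe to delete."""
    old_vals = {n: json.loads(doc) for n, doc in old.items()}
    new_vals = {n: json.loads(doc) for n, doc in new.items()}
    problems = []
    for name, o in old_vals.items():
        n = new_vals.get(name)
        if n is None:
            problems.append(f"{name}: not present under /")
            continue
        if n["name"] != f"/{name}":  # must sit directly under /, not in a sub-namespace
            problems.append(f"{name}: stored as {n['name']} instead of /{name}")
        for field in ("certificate", "private_key"):
            if o["value"][field] != n["value"][field]:
                problems.append(f"{name}: {field} differs between namespaces")
        issuer = leaf_ca.get(name)
        if issuer is None:  # root CA set with -r: its ca field is its own certificate
            expected_ca = n["value"]["certificate"]
        elif issuer in new_vals:  # leaf set with -m: ca field is the migrated CA's certificate
            expected_ca = new_vals[issuer]["value"]["certificate"]
        else:
            problems.append(f"{name}: issuing CA {issuer} not present under /")
            continue
        if n["value"]["ca"] != expected_ca:
            problems.append(f"{name}: ca does not match {issuer or 'its own certificate'}")
    return problems
```

In a real upgrade, replace the constructed OLD and NEW dictionaries with the output of `credhub get -j` for each name in both namespaces and only proceed to step 5 when the returned list is empty.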