CAP 1.5.2 (#703)

* Update chart versions for 1.5.1 to 1.5.2 upgrade (#697)

* 1.5.2 metadata (#688)

* Change productversion and releases table.

* Update uaa and scf appendices

* Add configgin-helper to list of roles

* Update 1.5.2 entry in releases table

* Update version numbers.

* Update SCF version in SCF appendix.

* Update values in appendices.

* Remove rc tags and add additional values

Co-authored-by: Lukáš Kucharczyk <[email protected]>

* Add Minibroker w/ Kube 1.16 note (#698)

* Fix erroneous commands (#696)

* Update working in Whats New to match Release Notes (#699)

* Add note to contact support if upgrading from 1.5.1 w/ external db (#700)

* Note cf-usb not compatible with Azure DBs (#701)

* Update external db info for 1.5.2 (#702)

Co-authored-by: Lukáš Kucharczyk <[email protected]>

xml/app_uaa_values_yaml.xml

@@ -18,11 +18,11 @@
  </para>
 
 <screen>apiVersion: v1
-appVersion: 1.5.1
+appVersion: 1.5.2
 description: A Helm chart for SUSE UAA
 name: uaa
-version: 2.19.1
-scfVersion: 2.19.1
+version: 2.20.3
+scfVersion: 2.20.3+cf12.17.0.0.g7175b9de
 
 ---
 ---
@@ -90,6 +90,7 @@ secrets:
 
   # A PEM-encoded TLS certificate for the Galera server.
   # This value uses a generated default.
+  # This certificate uses the name "galera_server_certificate".
   GALERA_SERVER_CERT: ~
 
   # A PEM-encoded TLS key for the Galera server.
@@ -132,13 +133,17 @@ secrets:
 
   # A PEM-encoded TLS certificate for the MySQL server.
   # This value uses a generated default.
+  # This certificate uses the names "mysql-set.{{ .KUBERNETES_NAMESPACE
+  # }}.svc.{{ .KUBERNETES_CLUSTER_DOMAIN }}" and "mysql-proxy-set.{{
+  # .KUBERNETES_NAMESPACE }}.svc.{{ .KUBERNETES_CLUSTER_DOMAIN }}".
   MYSQL_SERVER_CERT: ~
 
   # A PEM-encoded TLS key for the MySQL server.
   MYSQL_SERVER_CERT_KEY: ~
 
   # PEM-encoded certificate
   # This value uses a generated default.
+  # This certificate uses the name "saml-serviceprovider-cert".
   SAML_SERVICEPROVIDER_CERT: ~
 
   # PEM-encoded key.
@@ -155,6 +160,8 @@ secrets:
   # The server's ssl certificate. The default is a self-signed certificate and
   # should always be replaced for production deployments.
   # This value uses a generated default.
+  # This certificate uses the role name "uaa" and the additional names
+  # "uaa.{{.DOMAIN}}" and "*.uaa.{{.DOMAIN}}".
   UAA_SERVER_CERT: ~
 
   # The server's ssl private key. Only passphrase-less keys are supported.
@@ -186,6 +193,10 @@ env:
   # create the necessary databases. Only used if DB_EXTERNAL_HOST is set.
   DB_EXTERNAL_USER: ~
 
+  # A suffix that has to be appended to every user name for the external
+  # database; usually '@host'. Only used if DB_EXTERNAL_HOST is set.
+  DB_EXTERNAL_USER_HOST_SUFFIX: ""
+
   # Base domain name of the UAA endpoint; `uaa.${DOMAIN}` must be correctly
   # configured to point to this UAA instance.
   DOMAIN: ~
@@ -230,13 +241,48 @@ env:
   # SMTP server username, for password reset emails etc.
   SMTP_USER: ~
 
+  # Use TLS connection for UAA database.
+  # Valid options are:
+  # enabled (use TLS with full certificate validation),
+  # enabled_skip_hostname_validation (use TLS but skip validation of common and
+  # alt names in the host certificate),
+  # enabled_skip_all_validation (use TLS but do not validate anything about the
+  # host certificate),
+  # disabled (do not use TLS)
+  UAADB_TLS: "enabled"
+
   # The TCP port to report as the public port for the UAA server (root zone).
   UAA_PUBLIC_PORT: "2793"
 
 # The sizing section contains configuration to change each individual instance
 # group. Due to limitations on the allowable names, any dashes ("-") in the
 # instance group names are replaced with underscores ("_").
 sizing:
+  # The configgin-helper instance group contains the following jobs:
+  #
+  # - global-properties: Dummy BOSH job used to host global parameters that are
+  #   required to configure SCF
+  #
+  # - configgin-helper: Copy configgin service account token to secret
+  configgin_helper:
+    # Node affinity rules can be specified here
+    affinity: {}
+
+    # The configgin_helper instance group can scale between 1 and 65535
+    # instances.
+    # For high availability it needs at least 2 instances.
+    count: ~
+
+    # Unit [millicore]
+    cpu:
+      request: 1000
+      limit: ~
+
+    # Unit [MiB]
+    memory:
+      request: 64
+      limit: ~
+
   # The mysql instance group contains the following jobs:
   #
   # - global-uaa-properties: Dummy BOSH job used to host global parameters that
@@ -347,19 +393,21 @@ sizing:
   # - global-uaa-properties: Dummy BOSH job used to host global parameters that
   #   are required to configure SCF / fissile
   #
-  # - wait-for-database: This is a pre-start job to delay starting the rest of
-  #   the role until a database connection is ready. Currently it only checks
-  #   that a response can be obtained from the server, and not that it responds
-  #   intelligently.
-  #
-  #
   # - uaa: The UAA is the identity management service for Cloud Foundry. It's
   #   primary role is as an OAuth2 provider, issuing tokens for client
   #   applications to use when they act on behalf of Cloud Foundry users. It can
   #   also authenticate users with their Cloud Foundry credentials, and can act
   #   as an SSO service using those credentials (or others). It has endpoints
   #   for managing user accounts and for registering OAuth2 clients, as well as
   #   various other management functions.
+  #
+  # - wait-for-database: This is a pre-start job to delay starting the rest of
+  #   the role until a database connection is ready. Currently it only checks
+  #   that a response can be obtained from the server, and not that it responds
+  #   intelligently.
+  #
+  #
+  # Also: bpm
   uaa:
     # Node affinity rules can be specified here
     affinity: {}

xml/cap_admin_backup-restore.xml

@@ -872,16 +872,6 @@ done
       necessary.
      </para>
      <substeps>
-      <step>
-       <para>
-        Change the encryption key in the configuration file. In the example
-        command, replace <replaceable>migrated_key</replaceable> with the key
-        you set earlier:
-       </para>
-<screen>&prompt.user;kubectl exec --namespace scf api-group-0 -- bash -c \
-'sed --in-place "/db_encryption_key:/c\\db_encryption_key: \"$(echo $CC_DB_ENCRYPTION_KEYS | jq -r .<replaceable>migrated_key</replaceable>)\"" /var/vcap/jobs/cloud_controller_ng/config/cloud_controller_ng.yml'
-</screen>
-      </step>
       <step>
        <para>
         Run the rotation for the encryption keys:
@@ -890,7 +880,7 @@ done
 "source /var/vcap/jobs/cloud_controller_ng/bin/ruby_version.sh; \
 export CLOUD_CONTROLLER_NG_CONFIG=/var/vcap/jobs/cloud_controller_ng/config/cloud_controller_ng.yml; \
 cd /var/vcap/packages/cloud_controller_ng/cloud_controller_ng; \
-bundle exec rake rotate_cc_database_key:perform
+bundle exec rake rotate_cc_database_key:perform"
 </screen>
       </step>
       <step>

xml/cap_admin_ccdb_key_rotation.xml

@@ -31,8 +31,10 @@
  <procedure>
   <step>
    <para>
-    Create a file called <filename>new-key-values.yaml</filename> with content
-    of the form:
+    Add <literal>env.CC_DB_CURRENT_KEY_LABEL</literal> and
+    <literal>secrets.CC_DB_ENCRYPTION_KEYS</literal> to your
+    <filename>scf-config-values.yaml</filename>. Replace the example values with
+    your own.
    </para>
 <screen>env:
   CC_DB_CURRENT_KEY_LABEL: <replaceable>new_key</replaceable>
@@ -64,7 +66,6 @@ secrets:
   <step>
 <screen>&prompt.user;helm upgrade susecf-scf suse/cf \
 --values scf-config-values.yaml \
---values <replaceable>new-key-values.yaml</replaceable> \
 --set "secrets.UAA_CA_CERT=${CA_CERT}" \
 --version &latestscfchart;
    </screen>
@@ -74,21 +75,17 @@ secrets:
     Perform the rotation:
    </para>
    <substeps>
-    <step>
-     <para>
-      Change the encryption key in the config file. No output should be
-      produced:
-     </para>
-<screen>&prompt.user;kubectl exec --namespace scf api-group-0 -- bash -c 'sed --in-place "/db_encryption_key:/c\\db_encryption_key: \"$(echo $CC_DB_ENCRYPTION_KEYS | jq -r .new_key)\"" /var/vcap/jobs/cloud_controller_ng/config/cloud_controller_ng.yml'
-     </screen>
-    </step>
     <step>
      <para>
       Run the rotation for the encryption keys. A series of JSON-formatted log
       entries describing the key rotation progress for various Cloud Controller
       models will be displayed:
      </para>
-<screen>&prompt.user;kubectl exec --namespace scf api-group-0 -- bash -c 'export PATH=/var/vcap/packages/ruby-2.4/bin:$PATH ; export CLOUD_CONTROLLER_NG_CONFIG=/var/vcap/jobs/cloud_controller_ng/config/cloud_controller_ng.yml ; cd /var/vcap/packages/cloud_controller_ng/cloud_controller_ng ; /var/vcap/packages/ruby-2.4/bin/bundle exec rake rotate_cc_database_key:perform'
+<screen>&prompt.user;kubectl exec --namespace scf api-group-0 -- bash -c \
+'source /var/vcap/jobs/cloud_controller_ng/bin/ruby_version.sh; \
+export CLOUD_CONTROLLER_NG_CONFIG=/var/vcap/jobs/cloud_controller_ng/config/cloud_controller_ng.yml; \
+cd /var/vcap/packages/cloud_controller_ng/cloud_controller_ng; \
+bundle exec rake rotate_cc_database_key:perform'
      </screen>
     </step>
     <step>
@@ -105,7 +102,7 @@ secrets:
     <literal>encryption_key_label</literal> is empty, the default generated key
     is still being used
    </para>
-<screen>&prompt.user;kubectl exec --stdin --tty mysql-0 --namespace scf -- /bin/bash -c 'mysql -p${MYSQL_ADMIN_PASSWORD}'
+<screen>&prompt.user;kubectl exec --stdin --tty mysql-0 --namespace scf -- /bin/bash -c 'mysql -p${MYSQL_ADMIN_PASSWORD} --socket /var/vcap/sys/run/pxc-mysql/mysqld.sock'
 MariaDB [(none)]> select name, encrypted_environment_variables, encryption_key_label from ccdb.apps;
 +--------+--------------------------------------------------------------------------------------------------------------+----------------------+
 | name   | encrypted_environment_variables                                                                              | encryption_key_label |