From 048be0adbcea9f6cbdb5eaf2b54edb43ea5671cb Mon Sep 17 00:00:00 2001 From: Billy Tat Date: Thu, 6 Feb 2020 16:54:48 -0800 Subject: [PATCH] CAP 1.5.2 (#703) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Update chart versions for 1.5.1 to 1.5.2 upgrade (#697) * 1.5.2 metadata (#688) * Change productversion and releases table. * Update uaa and scf appendices * Add configgin-helper to list of roles * Update 1.5.2 entry in releases table * Update version numbers. * Update SCF version in SCF appendix. * Update values in appendices. * Remove rc tags and add additional values Co-authored-by: Lukáš Kucharczyk <31072879+KucharczykL@users.noreply.github.com> * Add Minibroker w/ Kube 1.16 note (#698) * Fix erroneous commands (#696) * Update working in Whats New to match Release Notes (#699) * Add note to contact support if upgrading from 1.5.1 w/ external db (#700) * Note cf-usb not compatible with Azure DBs (#701) * Update external db info for 1.5.2 (#702) Co-authored-by: Lukáš Kucharczyk <31072879+KucharczykL@users.noreply.github.com> --- xml/app_scf_values_yaml.xml | 266 +++++++++++++++++++++------ xml/app_uaa_values_yaml.xml | 66 ++++++- xml/cap_admin_backup-restore.xml | 12 +- xml/cap_admin_ccdb_key_rotation.xml | 23 +-- xml/cap_admin_external_db.xml | 273 ++++++++++++++++------------ xml/cap_admin_service_broker.xml | 24 ++- xml/cap_admin_upgrade.xml | 49 +++-- xml/cap_overview.xml | 41 +++-- xml/entity-decl.ent | 12 +- xml/repeated-content-decl.ent | 10 + 10 files changed, 532 insertions(+), 244 deletions(-) diff --git a/xml/app_scf_values_yaml.xml b/xml/app_scf_values_yaml.xml index da468f0b..ed821ef4 100644 --- a/xml/app_scf_values_yaml.xml +++ b/xml/app_scf_values_yaml.xml @@ -18,11 +18,11 @@ apiVersion: v1 -appVersion: 1.5.1 +appVersion: 1.5.2 description: A Helm chart for SUSE Cloud Foundry name: cf -version: 2.19.1 -scfVersion: 2.19.1 +version: 2.20.3 +scfVersion: 2.20.3+cf12.17.0.0.g7175b9de --- --- 
@@ -92,6 +92,7 @@ secrets: # PEM-encoded certificate # This value uses a generated default. + # This certificate uses the name "auctioneer-rep-cert". AUCTIONEER_REP_CERT: ~ # PEM-encoded key @@ -99,6 +100,7 @@ secrets: # PEM-encoded server certificate # This value uses a generated default. + # This certificate uses the role name "diego-brain-auctioneer". AUCTIONEER_SERVER_CERT: ~ # PEM-encoded server key @@ -107,6 +109,7 @@ secrets: # A PEM-encoded TLS certificate of the Autoscaler API public https server. # This includes the Autoscaler ApiServer and the Service Broker. # This value uses a generated default. + # This certificate uses the names "autoscaler.{{.DOMAIN}}" and "localhost". AUTOSCALER_ASAPI_PUBLIC_SERVER_CERT: ~ # A PEM-encoded TLS key of the Autoscaler API public https server. This @@ -116,6 +119,9 @@ secrets: # A PEM-encoded TLS certificate of the Autoscaler API https server. This # includes the Autoscaler ApiServer and the Service Broker. # This value uses a generated default. + # This certificate uses the names + # "autoscaler-api-apiserver.{{.KUBERNETES_NAMESPACE}}.svc.{{.KUBERNETES_CLUSTER_DOMAIN}}" + # and "localhost". AUTOSCALER_ASAPI_SERVER_CERT: ~ # A PEM-encoded TLS key of the Autoscaler API https server. This includes the @@ -125,6 +131,7 @@ secrets: # A PEM-encoded TLS certificate for clients to connect to the Autoscaler # Metrics. This includes the Autoscaler Metrics Collector and Event Generator. # This value uses a generated default. + # This certificate uses the name "autoscaler-asmetrics-client-cert". AUTOSCALER_ASMETRICS_CLIENT_CERT: ~ # A PEM-encoded TLS key for clients to connect to the Autoscaler Metrics. This 
@@ -134,6 +141,10 @@ secrets: # A PEM-encoded TLS certificate of the Autoscaler Metrics https server. This # includes the Autoscaler Metrics Collector. # This value uses a generated default. + # This certificate uses the names + # "autoscaler-metrics-metricscollector.{{.KUBERNETES_NAMESPACE}}.svc.{{.KUBERNETES_CLUSTER_DOMAIN}}", + # "autoscaler-metrics-eventgenerator.{{.KUBERNETES_NAMESPACE}}.svc.{{.KUBERNETES_CLUSTER_DOMAIN}}", + # and "localhost". AUTOSCALER_ASMETRICS_SERVER_CERT: ~ # A PEM-encoded TLS key of the Autoscaler Metrics https server. This includes @@ -147,6 +158,7 @@ secrets: # A PEM-encoded TLS certificate for clients to connect to the Autoscaler # Scaling Engine. # This value uses a generated default. + # This certificate uses the name "autoscaler-scaling-engine-client-cert". AUTOSCALER_SCALING_ENGINE_CLIENT_CERT: ~ # A PEM-encoded TLS key for clients to connect to the Autoscaler Scaling @@ -155,6 +167,9 @@ secrets: # A PEM-encoded TLS certificate of the Autoscaler Scaling Engine https server. # This value uses a generated default. + # This certificate uses the names + # "autoscaler-actors-scalingengine.{{.KUBERNETES_NAMESPACE}}.svc.{{.KUBERNETES_CLUSTER_DOMAIN}}" + # and "localhost". AUTOSCALER_SCALING_ENGINE_SERVER_CERT: ~ # A PEM-encoded TLS key of the Autoscaler Scaling Engine https server. @@ -163,6 +178,7 @@ secrets: # A PEM-encoded TLS certificate for clients to connect to the Autoscaler # Scheduler. # This value uses a generated default. + # This certificate uses the name "autoscaler-scheduler-client-cert". AUTOSCALER_SCHEDULER_CLIENT_CERT: ~ # A PEM-encoded TLS key for clients to connect to the Autoscaler Scheduler. 
@@ -170,6 +186,9 @@ secrets: # A PEM-encoded TLS certificate of the Autoscaler Scheduler https server. # This value uses a generated default. + # This certificate uses the names + # "autoscaler-actors-scheduler.{{.KUBERNETES_NAMESPACE}}.svc.{{.KUBERNETES_CLUSTER_DOMAIN}}" + # and "localhost". AUTOSCALER_SCHEDULER_SERVER_CERT: ~ # A PEM-encoded TLS key of the Autoscaler Scheduler https server. @@ -181,6 +200,7 @@ secrets: # PEM-encoded certificate # This value uses a generated default. + # This certificate uses the name "bbs-auctioneer-cert". BBS_AUCTIONEER_CERT: ~ # PEM-encoded key @@ -188,6 +208,7 @@ secrets: # PEM-encoded client certificate. # This value uses a generated default. + # This certificate uses the name "bbs-client-crt". BBS_CLIENT_CRT: ~ # PEM-encoded client key. @@ -195,6 +216,7 @@ secrets: # PEM-encoded certificate # This value uses a generated default. + # This certificate uses the name "bbs-rep-cert". BBS_REP_CERT: ~ # PEM-encoded key @@ -202,6 +224,7 @@ secrets: # PEM-encoded client certificate. # This value uses a generated default. + # This certificate uses the role name "diego-api-bbs". BBS_SERVER_CRT: ~ # PEM-encoded client key. @@ -214,6 +237,7 @@ secrets: # PEM-encoded client certificate. # This value uses a generated default. + # This certificate uses the name "127.0.0.1". BITS_SERVICE_SSL_CERT: ~ # PEM-encoded client key. @@ -232,6 +256,7 @@ secrets: # The PEM-encoded certificate (optionally as a certificate chain) for serving # blobs over TLS/SSL. # This value uses a generated default. + # This certificate uses the role name "blobstore-blobstore". BLOBSTORE_TLS_CERT: ~ # The PEM-encoded private key for signing TLS/SSL traffic. 
@@ -247,6 +272,9 @@ secrets: # The PEM-encoded certificate for secure TLS communication over external # endpoints. # This value uses a generated default. + # This certificate uses the names "api", "api-set", "api-set.{{ + # .KUBERNETES_NAMESPACE }}.svc.{{ .KUBERNETES_CLUSTER_DOMAIN }}", and "api.{{ + # .KUBERNETES_NAMESPACE }}.svc.{{ .KUBERNETES_CLUSTER_DOMAIN }}". CC_PUBLIC_TLS_CERT: ~ # The PEM-encoded key for secure TLS communication over external endpoints. @@ -254,6 +282,7 @@ secrets: # The PEM-encoded certificate for internal cloud controller traffic. # This value uses a generated default. + # This certificate uses the role name "api". CC_SERVER_CRT: ~ # The PEM-encoded private key for internal cloud controller traffic. @@ -261,6 +290,7 @@ secrets: # The PEM-encoded certificate for internal cloud controller uploader traffic. # This value uses a generated default. + # This certificate uses the role name "cc-uploader-cc-uploader". CC_UPLOADER_CRT: ~ # The PEM-encoded private key for internal cloud controller uploader traffic. @@ -268,6 +298,7 @@ secrets: # PEM-encoded broker server certificate. # This value uses a generated default. + # This certificate uses the role name "cf-usb". CF_USB_BROKER_SERVER_CERT: ~ # PEM-encoded broker server key. @@ -281,8 +312,13 @@ secrets: # The password for the cluster administrator. CLUSTER_ADMIN_PASSWORD: ~ + # CA trusted for making TLS connections to targeted database server. + CREDHUB_DB_CA_CERT: ~ + # PEM-encoded server certificate # This value uses a generated default. + # This certificate uses the names "credhub-set" and + # "server.dc1.{{.KUBERNETES_NAMESPACE}}.svc.{{.KUBERNETES_CLUSTER_DOMAIN}}". CREDHUB_SERVER_CERT: ~ # PEM-encoded server key @@ -296,6 +332,8 @@ secrets: # PEM-encoded client certificate # This value uses a generated default. + # This certificate uses the names "locket-locket.{{.KUBERNETES_NAMESPACE}}" + # and "127.0.0.1". DIEGO_CLIENT_CERT: ~ # PEM-encoded client key 
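Review bot: The new CREDHUB_DB_CA_CERT entry in the `@@ -281,8 +312,13 @@` hunk does not say whether a default is generated or when an operator must set it, while every neighbouring secret states "This value uses a generated default." Because the same patch defaults CREDHUB_DB_REQUIRE_TLS and CREDHUB_DB_HOST_VALIDATION to "true" in the env block, a reader cannot tell whether leaving it `~` will work against an external database. A comment such as `# No default is generated. Required when CREDHUB_DB_REQUIRE_TLS is "true" and the database server certificate is not issued by a CA CredHub already trusts.` would close the gap; confirm the no-default behaviour against the chart before wording it that strongly. The CC_PUBLIC_TLS_CERT comment in the first hunk also breaks `{{ .KUBERNETES_NAMESPACE }}` across two comment lines, which makes the name hard to read and copy; keeping each templated name on one comment line would be clearer.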
@@ -303,6 +341,7 @@ secrets: # PEM-encoded certificate. # This value uses a generated default. + # This certificate uses the names "doppler", "log-cache", and "metron". DOPPLER_CERT: ~ # PEM-encoded key. @@ -310,6 +349,7 @@ secrets: # TLS certificate for Eirini server # This value uses a generated default. + # This certificate uses the name "eirini-client-crt". EIRINI_CLIENT_CRT: ~ # Private key associated with TLS certificate for Eirini server @@ -325,13 +365,24 @@ secrets: # TLS certificate for Eirini server # This value uses a generated default. + # This certificate uses the name "eirini-opi.{{ .KUBERNETES_NAMESPACE + # }}.svc.{{ .KUBERNETES_CLUSTER_DOMAIN }}". EIRINI_SERVER_CERT: ~ # Private key associated with TLS certificate for Eirini server EIRINI_SERVER_CERT_KEY: ~ + # PEM-encoded tls certificate that can be used for server auth. + # This value uses a generated default. + # This certificate uses the role name "diego-access". + FILE_SERVER_CERT: ~ + + # A PEM-encoded TLS key for the file server. + FILE_SERVER_CERT_KEY: ~ + # A PEM-encoded TLS certificate for the Galera server. # This value uses a generated default. + # This certificate uses the name "galera_server_certificate". GALERA_SERVER_CERT: ~ # A PEM-encoded TLS key for the Galera server. @@ -358,6 +409,7 @@ secrets: # PEM-encoded certificate. # This value uses a generated default. + # This certificate uses the names "localhost" and "metron". LOGGREGATOR_AGENT_CERT: ~ # PEM-encoded key. @@ -365,6 +417,7 @@ secrets: # PEM-encoded client certificate for loggregator mutual authentication # This value uses a generated default. + # This certificate uses the name "loggregator-client-cert". LOGGREGATOR_CLIENT_CERT: ~ # PEM-encoded client key for loggregator mutual authentication 
@@ -372,6 +425,7 @@ secrets: # PEM-encoded client certificate for loggregator forwarder authentication # This value uses a generated default. + # This certificate uses the name "loggregator-forward-cert". LOGGREGATOR_FORWARD_CERT: ~ # PEM-encoded client key for loggregator forwarder authentication @@ -379,6 +433,9 @@ secrets: # TLS cert for outgoing dropsonde connection # This value uses a generated default. + # This certificate uses the names "doppler" and + # "log-api-loggregator-trafficcontroller.{{ .KUBERNETES_NAMESPACE }}.svc.{{ + # .KUBERNETES_CLUSTER_DOMAIN }}". LOGGREGATOR_OUTGOING_CERT: ~ # TLS key for outgoing dropsonde connection @@ -386,6 +443,7 @@ secrets: # PEM-encoded certificate. # This value uses a generated default. + # This certificate uses the names "log-cache" and "localhost". LOG_CACHE_CERT: ~ # PEM-encoded key. @@ -393,6 +451,7 @@ secrets: # The TLS cert for the auth proxy. # This value uses a generated default. + # This certificate uses the names "log-cache" and "localhost". LOG_CACHE_CF_AUTH_PROXY_EXTERNAL_CERT: ~ # The TLS key for the auth proxy. @@ -400,10 +459,19 @@ secrets: # PEM-encoded certificate. # This value uses a generated default. - LOG_CACHE_TO_LOGGREGATOR_AGENT_CERT: ~ + # This certificate uses the names "log-cache" and "localhost". + LOG_CACHE_GATEWAY_PROXY_CERT: ~ + + # PEM-encoded key. + LOG_CACHE_GATEWAY_PROXY_CERT_KEY: ~ + + # PEM-encoded certificate. + # This value uses a generated default. + # This certificate uses the names "metrics_server" and "localhost". + METRICS_CERT: ~ # PEM-encoded key. - LOG_CACHE_TO_LOGGREGATOR_AGENT_CERT_KEY: ~ + METRICS_CERT_KEY: ~ # Password used for the monit API. # This value uses a generated default. 
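Review bot: Nothing in the `@@ -400,10 +459,19 @@` hunk marks LOG_CACHE_TO_LOGGREGATOR_AGENT_CERT and LOG_CACHE_TO_LOGGREGATOR_AGENT_CERT_KEY as removed keys, although they are replaced by LOG_CACHE_GATEWAY_PROXY_CERT and METRICS_CERT. An operator who pinned a custom certificate under the old key in a values file will see it silently ignored after the upgrade, since Helm does not reject unknown keys under `secrets:` unless the chart ships a values schema, which I cannot confirm from here. A short comment next to the new entries, `# Replaces LOG_CACHE_TO_LOGGREGATOR_AGENT_CERT (removed in 2.20.3); values set under the old key are ignored.`, or a line in the upgrade chapter would make the rename visible. The same applies to the sizing.log_cache_scheduler block dropped further down in this file, whose overrides will likewise be ignored without warning.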
@@ -456,6 +524,9 @@ secrets: # A PEM-encoded TLS certificate for the MySQL server. # This value uses a generated default. + # This certificate uses the names "mysql-set.{{ .KUBERNETES_NAMESPACE + # }}.svc.{{ .KUBERNETES_CLUSTER_DOMAIN }}" and "mysql-proxy-set.{{ + # .KUBERNETES_NAMESPACE }}.svc.{{ .KUBERNETES_CLUSTER_DOMAIN }}". MYSQL_SERVER_CERT: ~ # A PEM-encoded TLS key for the MySQL server. @@ -472,8 +543,26 @@ secrets: # LDAP service account password (required for LDAP integration only) PERSI_NFS_DRIVER_LDAP_PASSWORD: "-" + # PEM-encoded prom_scraper certificate + # This value uses a generated default. + # This certificate uses the role name "prom_scraper_metrics". + PROM_SCRAPER_METRICS_TLS_CERT: ~ + + # PEM-encoded prom_scraper key + PROM_SCRAPER_METRICS_TLS_CERT_KEY: ~ + + # PEM-encoded prom_scraper certificate + # This value uses a generated default. + # This certificate uses the name "prom-scraper-scrape-tls-cert". + PROM_SCRAPER_SCRAPE_TLS_CERT: ~ + + # PEM-encoded prom_scraper key + PROM_SCRAPER_SCRAPE_TLS_CERT_KEY: ~ + # PEM-encoded server certificate # This value uses a generated default. + # This certificate uses the role name "diego-cell" and the additional name + # "127.0.0.1". REP_SERVER_CERT: ~ # PEM-encoded server key @@ -481,6 +570,11 @@ secrets: # PEM-encoded certificate # This value uses a generated default. + # This certificate uses the names "log-stream", "log-stream.((DOMAIN))", + # "rlp-gateway", + # "rlp-gateway.((KUBERNETES_NAMESPACE)).svc.((KUBERNETES_CLUSTER_DOMAIN))", + # "log-api", and + # "log-api.((KUBERNETES_NAMESPACE)).svc.((KUBERNETES_CLUSTER_DOMAIN))". RLP_GATEWAY_CERT: ~ # PEM-encoded key. @@ -494,6 +588,7 @@ secrets: # The public ssl cert for ssl termination. Will be ignored if ROUTER_TLS_PEM # is set. # This value uses a generated default. + # This certificate uses the name "*.{{.DOMAIN}}". ROUTER_SSL_CERT: ~ # The private ssl key for ssl termination. Will be ignored if ROUTER_TLS_PEM 
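Review bot: The RLP_GATEWAY_CERT comment in the `@@ -481,6 +570,11 @@` hunk writes the templated names as `((DOMAIN))` and `((KUBERNETES_NAMESPACE))`, while every other comment added by this patch uses the `{{.DOMAIN}}` form, so a reader comparing certificate names across entries will take the two notations for different mechanisms. Rewriting them as `"log-stream.{{.DOMAIN}}"` and `"rlp-gateway.{{.KUBERNETES_NAMESPACE}}.svc.{{.KUBERNETES_CLUSTER_DOMAIN}}"` keeps one convention. In the preceding hunk the two prom_scraper certificates share the identical description `# PEM-encoded prom_scraper certificate`, so only the key name distinguishes the metrics-serving certificate from the scrape client certificate; a word each, such as `# PEM-encoded certificate prom_scraper presents on its metrics endpoint` and `# PEM-encoded client certificate prom_scraper uses when scraping`, would help — confirm the direction against the job spec.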
@@ -519,8 +614,25 @@ secrets: # -----END RSA PRIVATE KEY----- ROUTER_TLS_PEM: ~ + # PEM-encoded routing api mtls client certificate. + # This value uses a generated default. + # This certificate uses the role name "cf-usb". + ROUTING_API_MTLS_CLIENT_CERT: ~ + + # PEM-encoded routing api mtls client key. + ROUTING_API_MTLS_CLIENT_CERT_KEY: ~ + + # PEM-encoded routing api mtls server certificate. + # This value uses a generated default. + # This certificate uses the role name "cf-usb". + ROUTING_API_MTLS_SERVER_CERT: ~ + + # PEM-encoded routing api mtls server key. + ROUTING_API_MTLS_SERVER_CERT_KEY: ~ + # PEM-encoded certificate # This value uses a generated default. + # This certificate uses the name "saml-serviceprovider-cert". SAML_SERVICEPROVIDER_CERT: ~ # PEM-encoded key. @@ -532,6 +644,7 @@ secrets: # PEM-encoded certificate # This value uses a generated default. + # This certificate uses the name "adapter". SYSLOG_ADAPT_CERT: ~ # PEM-encoded key. @@ -539,6 +652,7 @@ secrets: # PEM-encoded certificate # This value uses a generated default. + # This certificate uses the names "syslog_rlp" and "reverselogproxy". SYSLOG_RLP_CERT: ~ # PEM-encoded key. @@ -546,6 +660,7 @@ secrets: # PEM-encoded certificate # This value uses a generated default. + # This certificate uses the name "syslog-sched-cert". SYSLOG_SCHED_CERT: ~ # PEM-encoded key. @@ -554,6 +669,7 @@ secrets: # PEM-encoded client certificate for internal communication between the cloud # controller and TPS. # This value uses a generated default. + # This certificate uses the name "tps-cc-client-crt". TPS_CC_CLIENT_CRT: ~ # PEM-encoded client key for internal communication between the cloud 
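Review bot: ROUTING_API_MTLS_CLIENT_CERT and ROUTING_API_MTLS_SERVER_CERT in the `@@ -519,8 +614,25 @@` hunk are both documented with the role name "cf-usb". For a mutual-TLS pair the server certificate normally names the role that serves the routing API, so if the second line is a copy of the first it should name that role instead; if the routing API is in fact co-located in the cf-usb role, saying so in the server entry, e.g. `# This certificate uses the role name "cf-usb", where the routing API runs.`, saves the reader a double-take. I cannot verify the role layout from this page.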
@@ -563,6 +679,7 @@ secrets: # PEM-encoded certificate for communication with the traffic controller of the # log infra structure. # This value uses a generated default. + # This certificate uses the name "trafficcontroller-cert". TRAFFICCONTROLLER_CERT: ~ # PEM-encoded key for communication with the traffic controller of the log @@ -640,6 +757,8 @@ secrets: # The server's ssl certificate. The default is a self-signed certificate and # should always be replaced for production deployments. # This value uses a generated default. + # This certificate uses the role name "uaa" and the additional names + # "uaa.{{.DOMAIN}}" and "*.uaa.{{.DOMAIN}}". UAA_SERVER_CERT: ~ # The server's ssl private key. Only passphrase-less keys are supported. @@ -701,11 +820,15 @@ env: # Expiration for generated certificates (in days) CERT_EXPIRATION: "10950" + # An ordered, colon-delimited list of golang supported TLS cipher suites in + # OpenSSL or RFC format. + CIPHER_SUITES: "ECDHE-ECDSA-CHACHA20-POLY1305:TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:ECDHE-RSA-CHACHA20-POLY1305:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:ECDHE-RSA-AES256-GCM-SHA384:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384" + # The Oauth2 authorities available to the cluster administrator. CLUSTER_ADMIN_AUTHORITIES: "scim.write,scim.read,openid,cloud_controller.admin,clients.read,clients.write,doppler.firehose,routing.router_groups.read,routing.router_groups.write" # 'build' attribute in the /v2/info endpoint - CLUSTER_BUILD: "2.19.0" + CLUSTER_BUILD: "2.20.3" # 'description' attribute in the /v2/info endpoint CLUSTER_DESCRIPTION: "SUSE Cloud Foundry" 
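Review bot: The CIPHER_SUITES comment in the `@@ -701,11 +820,15 @@` hunk does not say which component consumes the list or that each suite appears twice, once in OpenSSL and once in RFC spelling, so the 14-entry value reads as fourteen distinct suites. It also does not say that the last two entries, AES128-GCM-SHA256 and AES256-GCM-SHA384, are static-RSA key-exchange suites without forward secrecy, whereas the twelve before them are ECDHE. Operators hardening a deployment want to know they can drop those two when no legacy clients need them, so a comment like `# Each suite is listed in both OpenSSL and RFC spelling. The final two (AES128-GCM-SHA256, AES256-GCM-SHA384) use static RSA key exchange and provide no forward secrecy; remove them if client compatibility allows.` would make the default reviewable. The process that reads this value should be named as well; I cannot tell from here.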
@@ -716,6 +839,15 @@ env: # 'version' attribute in the /v2/info endpoint CLUSTER_VERSION: "2" + # Enables hostname verification for TLS connections to targeted database + # server. This property is only respected when targeting a MariaDB database. + # Hostname verification cannot be disabled for TLS connections to postgres + # databases. + CREDHUB_DB_HOST_VALIDATION: "true" + + # Requires only TLS connections to targeted database server. + CREDHUB_DB_REQUIRE_TLS: "true" + # Database driver to use for the external database server used to manage the # CF-internal databases. Only used if DB_EXTERNAL_HOST is set. Currently only # `mysql` is valid. @@ -730,15 +862,19 @@ env: # Only used if DB_EXTERNAL_HOST is set. DB_EXTERNAL_PORT: "3306" - # TLS configuration for the external database server to use for the + # SSL configuration for the external database server to use for the # CF-internal databases. Only used if DB_EXTERNAL_HOST is set. Valid values - # depend on which database driver is in use. - DB_EXTERNAL_SSL_MODE: ~ + # are 'false', 'skip-verify', 'preferred', and 'true'. + DB_EXTERNAL_SSL_MODE: "true" # Administrator user name for an external database server; this is required to # create the necessary databases. Only used if DB_EXTERNAL_HOST is set. DB_EXTERNAL_USER: ~ + # A suffix that has to be appended to every user name for the external + # database; usually '@host'. + DB_EXTERNAL_USER_HOST_SUFFIX: "" + # The standard amount of disk (in MB) given to an application when not # overriden by the user via manifest, command line, etc. DEFAULT_APP_DISK_IN_MB: "1024" 
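Review bot: The new valid-value list for DB_EXTERNAL_SSL_MODE in the `@@ -730,15 +862,19 @@` hunk names 'false', 'skip-verify', 'preferred' and 'true' without saying what each trades away: only 'true' authenticates the server against a trusted CA, 'skip-verify' encrypts but accepts any certificate, 'preferred' presumably falls back to plaintext when the server offers no TLS, and 'false' sends the administrator credentials and all database traffic in the clear. One sentence, `# 'true' verifies the server certificate; 'skip-verify' encrypts without authenticating the server; 'preferred' and 'false' may or will use plaintext. Use anything other than 'true' only for testing.`, would let an operator choose deliberately — I am inferring these semantics from the Go MySQL driver's tls parameter, so confirm against the driver actually used. The same gap exists for UAADB_TLS's enabled_skip_all_validation and disabled options in the next hunk and in the uaa chart appendix. Separately, the DB_EXTERNAL_USER_HOST_SUFFIX comment here lacks the "Only used if DB_EXTERNAL_HOST is set." sentence that the identical key carries in the uaa chart appendix; the two descriptions should be aligned.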
@@ -784,10 +920,10 @@ env: DROPLET_MAX_STAGED_STORED: "5" # Downloads app-bits and buildpacks from the bits-service - EIRINI_DOWNLOADER_IMAGE: "registry.suse.com/cap/recipe-downloader:0.18.0" + EIRINI_DOWNLOADER_IMAGE: "registry.suse.com/cap/recipe-downloader:0.30.0" # Executes the buildpackapplifecyle to build a Droplet - EIRINI_EXECUTOR_IMAGE: "registry.suse.com/cap/recipe-executor:0.18.0" + EIRINI_EXECUTOR_IMAGE: "registry.suse.com/cap/recipe-executor:0.31.0" # Address of Kubernetes' Heapster installation, used for reading Cloud Foundry # app metrics. @@ -810,7 +946,7 @@ env: EIRINI_SSH_PORT: "2222" # Uploads the Droplet to the bits-service - EIRINI_UPLOADER_IMAGE: "registry.suse.com/cap/recipe-uploader:0.17.0" + EIRINI_UPLOADER_IMAGE: "registry.suse.com/cap/recipe-uploader:0.28.0" # By default, Cloud Foundry does not enable Cloud Controller request logging. # To enable this feature, you must set this property to "true". You can learn @@ -1034,6 +1170,16 @@ env: # Concatenation of trusted CA certificates to be made available on the cell. TRUSTED_CERTS: ~ + # Use TLS connection for UAA database. + # Valid options are: + # enabled (use TLS with full certificate validation), + # enabled_skip_hostname_validation (use TLS but skip validation of common and + # alt names in the host certificate), + # enabled_skip_all_validation (use TLS but do not validate anything about the + # host certificate), + # disabled (do not use TLS) + UAADB_TLS: "enabled" + # The host name of the UAA server (root zone) UAA_HOST: ~ 
@@ -1089,6 +1235,12 @@ sizing: # - patch-properties: Dummy BOSH job used to host parameters that are used in # SCF patches for upstream bugs # + # - wait-for-database: This is a pre-start job to delay starting the rest of + # the role until a database connection is ready. Currently it only checks + # that a response can be obtained from the server, and not that it responds + # intelligently. + # + # # - cloud_controller_ng: The Cloud Controller provides primary Cloud Foundry # API that is by the CF CLI. The Cloud Controller uses a database to keep # tables for organizations, spaces, apps, services, service instances, user @@ -1097,12 +1249,13 @@ sizing: # # - route_registrar: Used for registering routes # - # Also: bpm, statsd_injector, go-buildpack, go-buildpack, binary-buildpack, - # binary-buildpack, nodejs-buildpack, nodejs-buildpack, ruby-buildpack, - # ruby-buildpack, php-buildpack, php-buildpack, python-buildpack, - # python-buildpack, staticfile-buildpack, staticfile-buildpack, - # nginx-buildpack, nginx-buildpack, java-buildpack, java-buildpack, - # dotnet-core-buildpack, and dotnet-core-buildpack + # Also: bpm, statsd_injector, suse-go-buildpack, go-buildpack, + # suse-binary-buildpack, binary-buildpack, suse-nodejs-buildpack, + # nodejs-buildpack, suse-ruby-buildpack, ruby-buildpack, suse-php-buildpack, + # php-buildpack, suse-python-buildpack, python-buildpack, + # suse-staticfile-buildpack, staticfile-buildpack, suse-nginx-buildpack, + # nginx-buildpack, suse-java-buildpack, java-buildpack, + # suse-dotnet-core-buildpack, and dotnet-core-buildpack api_group: # Node affinity rules can be specified here affinity: {} 
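Review bot: The wait-for-database entry added to the api-group job list in the `@@ -1089,6 +1235,12 @@` hunk is followed by two consecutive empty `#` lines, while every other entry in the list is separated by one; the same double spacer appears where the entry is moved in the uaa group later in this file and in the uaa chart appendix. Dropping the extra `#` line keeps the lists uniform. In the second hunk the "Also:" list now alternates `suse-<name>-buildpack` with `<name>-buildpack`, which is presumably intentional, but since the previous wording really was a duplicated list, a lead-in such as `# Also (SUSE and upstream variants of each buildpack):` would stop readers from reporting it as the same bug.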
@@ -1409,6 +1562,31 @@ sizing: request: 128 limit: ~ + # The configgin-helper instance group contains the following jobs: + # + # - global-properties: Dummy BOSH job used to host global parameters that are + # required to configure SCF + # + # - configgin-helper: Copy configgin service account token to secret + configgin_helper: + # Node affinity rules can be specified here + affinity: {} + + # The configgin_helper instance group can scale between 1 and 65535 + # instances. + # For high availability it needs at least 2 instances. + count: ~ + + # Unit [millicore] + cpu: + request: 1000 + limit: ~ + + # Unit [MiB] + memory: + request: 64 + limit: ~ + # The configure-eirini instance group contains the following jobs: # # - configure-eirini-scf: Creates and configures components needed for Eirini @@ -1593,7 +1771,7 @@ sizing: # - route_registrar: Used for registering routes # # Also: log-cache-gateway, log-cache-nozzle, log-cache-cf-auth-proxy, - # log-cache-expvar-forwarder, log-cache, doppler, and bpm + # log-cache, doppler, and bpm doppler: # Node affinity rules can be specified here affinity: {} 
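Review bot: The configgin_helper description in the `@@ -1409,6 +1562,31 @@` hunk says the job copies the configgin service account token into a Secret, but not what that Secret is for or who can read it. A Kubernetes Secret is readable by any principal with get or list on secrets in the namespace, so the copy extends the reach of whatever RBAC the configgin service account holds; a line such as `# The resulting Secret grants the same access as the configgin service account; restrict read access to it accordingly.` would flag that for operators auditing namespace access. The count comment also carries the generic "For high availability it needs at least 2 instances" text, which seems odd for a job described as a one-time copy — confirm whether this is a long-running role before keeping that sentence. The same block is added verbatim to the uaa chart appendix.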
@@ -1757,42 +1935,12 @@ sizing: request: 128 limit: ~ - # The log-cache-scheduler instance group contains the following jobs: - # - # - global-properties: Dummy BOSH job used to host global parameters that are - # required to configure SCF - # - # - authorize-internal-ca: Install both internal and UAA CA certificates - # - # - log-cache-scheduler-properties: Dummy BOSH job used to host parameters - # that are used in SCF patches - # - # Also: log-cache-scheduler, log-cache-expvar-forwarder, and bpm - log_cache_scheduler: - # Node affinity rules can be specified here - affinity: {} - - # The log_cache_scheduler instance group can scale between 1 and 65535 - # instances. - # For high availability it needs at least 2 instances. - count: ~ - - # Unit [millicore] - cpu: - request: 2000 - limit: ~ - - # Unit [MiB] - memory: - request: 410 - limit: ~ - # The loggregator-agent instance group contains the following jobs: # # - global-properties: Dummy BOSH job used to host global parameters that are # required to configure SCF # - # Also: loggr-expvar-forwarder, loggregator_agent, and bpm + # Also: loggregator_agent, prom_scraper, and bpm loggregator_agent: # Node affinity rules can be specified here affinity: {} @@ -1877,8 +2025,8 @@ sizing: # - global-properties: Dummy BOSH job used to host global parameters that are # required to configure SCF # - # - nats: The NATS server provides publish-subscribe messaging system for the - # Cloud Controller, the DEA , HM9000, and other Cloud Foundry components. + # - nats: NATS server providing a publish-subscribe messaging system for Cloud + # Foundry components. # # Also: bpm nats: 
@@ -2097,11 +2245,7 @@ sizing: # - global-uaa-properties: Dummy BOSH job used to host global parameters that # are required to configure SCF / fissile # - # - wait-for-database: This is a pre-start job to delay starting the rest of - # the role until a database connection is ready. Currently it only checks - # that a response can be obtained from the server, and not that it responds - # intelligently. - # + # - authorize-internal-ca: Install both internal and UAA CA certificates # # - uaa: The UAA is the identity management service for Cloud Foundry. It's # primary role is as an OAuth2 provider, issuing tokens for client @@ -2110,6 +2254,14 @@ sizing: # as an SSO service using those credentials (or others). It has endpoints # for managing user accounts and for registering OAuth2 clients, as well as # various other management functions. + # + # - wait-for-database: This is a pre-start job to delay starting the rest of + # the role until a database connection is ready. Currently it only checks + # that a response can be obtained from the server, and not that it responds + # intelligently. + # + # + # Also: bpm uaa: # Node affinity rules can be specified here affinity: {} diff --git a/xml/app_uaa_values_yaml.xml b/xml/app_uaa_values_yaml.xml index 8d7711c7..7d5713a0 100644 --- a/xml/app_uaa_values_yaml.xml +++ b/xml/app_uaa_values_yaml.xml @@ -18,11 +18,11 @@ apiVersion: v1 -appVersion: 1.5.1 +appVersion: 1.5.2 description: A Helm chart for SUSE UAA name: uaa -version: 2.19.1 -scfVersion: 2.19.1 +version: 2.20.3 +scfVersion: 2.20.3+cf12.17.0.0.g7175b9de --- --- @@ -90,6 +90,7 @@ secrets: # A PEM-encoded TLS certificate for the Galera server. # This value uses a generated default. + # This certificate uses the name "galera_server_certificate". GALERA_SERVER_CERT: ~ # A PEM-encoded TLS key for the Galera server. 
@@ -132,6 +133,9 @@ secrets: # A PEM-encoded TLS certificate for the MySQL server. # This value uses a generated default. + # This certificate uses the names "mysql-set.{{ .KUBERNETES_NAMESPACE + # }}.svc.{{ .KUBERNETES_CLUSTER_DOMAIN }}" and "mysql-proxy-set.{{ + # .KUBERNETES_NAMESPACE }}.svc.{{ .KUBERNETES_CLUSTER_DOMAIN }}". MYSQL_SERVER_CERT: ~ # A PEM-encoded TLS key for the MySQL server. @@ -139,6 +143,7 @@ secrets: # PEM-encoded certificate # This value uses a generated default. + # This certificate uses the name "saml-serviceprovider-cert". SAML_SERVICEPROVIDER_CERT: ~ # PEM-encoded key. @@ -155,6 +160,8 @@ secrets: # The server's ssl certificate. The default is a self-signed certificate and # should always be replaced for production deployments. # This value uses a generated default. + # This certificate uses the role name "uaa" and the additional names + # "uaa.{{.DOMAIN}}" and "*.uaa.{{.DOMAIN}}". UAA_SERVER_CERT: ~ # The server's ssl private key. Only passphrase-less keys are supported. @@ -186,6 +193,10 @@ env: # create the necessary databases. Only used if DB_EXTERNAL_HOST is set. DB_EXTERNAL_USER: ~ + # A suffix that has to be appended to every user name for the external + # database; usually '@host'. Only used if DB_EXTERNAL_HOST is set. + DB_EXTERNAL_USER_HOST_SUFFIX: "" + # Base domain name of the UAA endpoint; `uaa.${DOMAIN}` must be correctly # configured to point to this UAA instance. DOMAIN: ~ 
@@ -230,6 +241,16 @@ env: # SMTP server username, for password reset emails etc. SMTP_USER: ~ + # Use TLS connection for UAA database. + # Valid options are: + # enabled (use TLS with full certificate validation), + # enabled_skip_hostname_validation (use TLS but skip validation of common and + # alt names in the host certificate), + # enabled_skip_all_validation (use TLS but do not validate anything about the + # host certificate), + # disabled (do not use TLS) + UAADB_TLS: "enabled" + # The TCP port to report as the public port for the UAA server (root zone). UAA_PUBLIC_PORT: "2793" @@ -237,6 +258,31 @@ env: # group. Due to limitations on the allowable names, any dashes ("-") in the # instance group names are replaced with underscores ("_"). sizing: + # The configgin-helper instance group contains the following jobs: + # + # - global-properties: Dummy BOSH job used to host global parameters that are + # required to configure SCF + # + # - configgin-helper: Copy configgin service account token to secret + configgin_helper: + # Node affinity rules can be specified here + affinity: {} + + # The configgin_helper instance group can scale between 1 and 65535 + # instances. + # For high availability it needs at least 2 instances. + count: ~ + + # Unit [millicore] + cpu: + request: 1000 + limit: ~ + + # Unit [MiB] + memory: + request: 64 + limit: ~ + # The mysql instance group contains the following jobs: # # - global-uaa-properties: Dummy BOSH job used to host global parameters that 
@@ -347,12 +393,6 @@ sizing: # - global-uaa-properties: Dummy BOSH job used to host global parameters that # are required to configure SCF / fissile # - # - wait-for-database: This is a pre-start job to delay starting the rest of - # the role until a database connection is ready. Currently it only checks - # that a response can be obtained from the server, and not that it responds - # intelligently. - # - # # - uaa: The UAA is the identity management service for Cloud Foundry. It's # primary role is as an OAuth2 provider, issuing tokens for client # applications to use when they act on behalf of Cloud Foundry users. It can @@ -360,6 +400,14 @@ sizing: # as an SSO service using those credentials (or others). It has endpoints # for managing user accounts and for registering OAuth2 clients, as well as # various other management functions. + # + # - wait-for-database: This is a pre-start job to delay starting the rest of + # the role until a database connection is ready. Currently it only checks + # that a response can be obtained from the server, and not that it responds + # intelligently. + # + # + # Also: bpm uaa: # Node affinity rules can be specified here affinity: {} diff --git a/xml/cap_admin_backup-restore.xml b/xml/cap_admin_backup-restore.xml index 92f339ff..4bbcdb08 100644 --- a/xml/cap_admin_backup-restore.xml +++ b/xml/cap_admin_backup-restore.xml @@ -872,16 +872,6 @@ done necessary. - - - Change the encryption key in the configuration file. In the example - command, replace migrated_key with the key - you set earlier: - -&prompt.user;kubectl exec --namespace scf api-group-0 -- bash -c \ -'sed --in-place "/db_encryption_key:/c\\db_encryption_key: \"$(echo $CC_DB_ENCRYPTION_KEYS | jq -r .migrated_key)\"" /var/vcap/jobs/cloud_controller_ng/config/cloud_controller_ng.yml' - - Run the rotation for the encryption keys: 
@@ -890,7 +880,7 @@ done "source /var/vcap/jobs/cloud_controller_ng/bin/ruby_version.sh; \ export CLOUD_CONTROLLER_NG_CONFIG=/var/vcap/jobs/cloud_controller_ng/config/cloud_controller_ng.yml; \ cd /var/vcap/packages/cloud_controller_ng/cloud_controller_ng; \ -bundle exec rake rotate_cc_database_key:perform +bundle exec rake rotate_cc_database_key:perform" diff --git a/xml/cap_admin_ccdb_key_rotation.xml b/xml/cap_admin_ccdb_key_rotation.xml index 01f01d12..43922c60 100644 --- a/xml/cap_admin_ccdb_key_rotation.xml +++ b/xml/cap_admin_ccdb_key_rotation.xml @@ -31,8 +31,10 @@ - Create a file called new-key-values.yaml with content - of the form: + Add env.CC_DB_CURRENT_KEY_LABEL and + secrets.CC_DB_ENCRYPTION_KEYS to your + scf-config-values.yaml. Replace the example values with + your own. env: CC_DB_CURRENT_KEY_LABEL: new_key @@ -64,7 +66,6 @@ secrets: &prompt.user;helm upgrade susecf-scf suse/cf \ --values scf-config-values.yaml \ ---values new-key-values.yaml \ --set "secrets.UAA_CA_CERT=${CA_CERT}" \ --version &latestscfchart; 
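Review bot: Moving `secrets.CC_DB_ENCRYPTION_KEYS` into `scf-config-values.yaml` places the Cloud Controller database encryption keys, which decrypt the `encrypted_environment_variables` of every app in the CCDB, into the same file operators pass on every `helm upgrade`, and the new text gives no handling guidance. The previous flow kept them in a separate `new-key-values.yaml`, which at least made the sensitive file obvious. Suggest adding after the new sentence: `Treat scf-config-values.yaml as secret material: restrict its file permissions and keep it out of version control, since it now carries the database encryption keys as well as the administrator passwords.` Whether the supplied values also persist in the Helm release history depends on the Helm version in use; if they do, that is worth a further sentence.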
@@ -74,21 +75,17 @@ secrets: Perform the rotation: - - - Change the encryption key in the config file. No output should be - produced: - -&prompt.user;kubectl exec --namespace scf api-group-0 -- bash -c 'sed --in-place "/db_encryption_key:/c\\db_encryption_key: \"$(echo $CC_DB_ENCRYPTION_KEYS | jq -r .new_key)\"" /var/vcap/jobs/cloud_controller_ng/config/cloud_controller_ng.yml' - - Run the rotation for the encryption keys. A series of JSON-formatted log entries describing the key rotation progress for various Cloud Controller models will be displayed: -&prompt.user;kubectl exec --namespace scf api-group-0 -- bash -c 'export PATH=/var/vcap/packages/ruby-2.4/bin:$PATH ; export CLOUD_CONTROLLER_NG_CONFIG=/var/vcap/jobs/cloud_controller_ng/config/cloud_controller_ng.yml ; cd /var/vcap/packages/cloud_controller_ng/cloud_controller_ng ; /var/vcap/packages/ruby-2.4/bin/bundle exec rake rotate_cc_database_key:perform' +&prompt.user;kubectl exec --namespace scf api-group-0 -- bash -c \ +'source /var/vcap/jobs/cloud_controller_ng/bin/ruby_version.sh; \ +export CLOUD_CONTROLLER_NG_CONFIG=/var/vcap/jobs/cloud_controller_ng/config/cloud_controller_ng.yml; \ +cd /var/vcap/packages/cloud_controller_ng/cloud_controller_ng; \ +bundle exec rake rotate_cc_database_key:perform' @@ -105,7 +102,7 @@ secrets: encryption_key_label is empty, the default generated key is still being used -&prompt.user;kubectl exec --stdin --tty mysql-0 --namespace scf -- /bin/bash -c 'mysql -p${MYSQL_ADMIN_PASSWORD}' +&prompt.user;kubectl exec --stdin --tty mysql-0 --namespace scf -- /bin/bash -c 'mysql -p${MYSQL_ADMIN_PASSWORD} --socket /var/vcap/sys/run/pxc-mysql/mysqld.sock' MariaDB [(none)]> select name, encrypted_environment_variables, encryption_key_label from ccdb.apps; +--------+--------------------------------------------------------------------------------------------------------------+----------------------+ | name | encrypted_environment_variables | encryption_key_label | 
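Review bot: The updated verification command still passes the administrator password as a command-line argument, `mysql -p${MYSQL_ADMIN_PASSWORD} --socket /var/vcap/sys/run/pxc-mysql/mysqld.sock`; the expansion happens inside the pod because the string is single-quoted, but the argument may be readable by other processes in the container via `ps` or `/proc` while the client runs. Since the exec already uses `--stdin --tty`, prompting costs nothing: `mysql -p --socket /var/vcap/sys/run/pxc-mysql/mysqld.sock` and supply the value of `$MYSQL_ADMIN_PASSWORD` at the prompt, or set `MYSQL_PWD` for the single invocation. Whether this MariaDB client version scrubs argv after parsing is not visible here, so the exposure window is an assumption to confirm.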
diff --git a/xml/cap_admin_external_db.xml b/xml/cap_admin_external_db.xml index 4272a7f1..90555222 100644 --- a/xml/cap_admin_external_db.xml +++ b/xml/cap_admin_external_db.xml @@ -9,7 +9,7 @@ xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xlink="http://www.w3.org/1999/xlink"> - External Database for <literal>uaa</literal> and <literal>scf</literal> + External Database yes 
@@ -17,153 +17,188 @@ By default, internal &mariadb; instances serve as the backing databases for - internal components of uaa and scf. - These components can be configured to use an external database system, such as - a data service offered by a cloud service provider or an existing high - availability database server. + internal components of &productname;. These components can be configured to + use an external database system, such as a data service offered by a cloud + service provider or an existing high availability database server. - The current &productname; release supports the following databases: + The current &productname; release is compatible with the following external + databases: - &mariadb; + Amazon RDS &mariadb; - MySQL + Azure MariaDB - - Configuration - - This section describes how to configure &productname; to use an external - database with internal components of uaa and - scf. The deployment and configuration of the external - database itself is the responsibility of the operator and beyond the scope of - this documentation. It is assumed the external database has been deployed and - accessible. - - - In order to configure &productname; to use an external database, add and - define the following &helm; values in your - scf-config-values.yaml. - + + Important Considerations - In the env section: + If you are using external UAA with an external database you must set up two + separate database instances; one for UAA and one for SCF. One external + database instance for both an external UAA and an SCF setup is not + supported and will cause data conflicts resulting in deployment failures. - - - - DB_EXTERNAL_HOST. The hostname for the external - database server. - - - - - DB_EXTERNAL_PORT. The port for the external database - server. By default, this is 3306. - - - - - DB_EXTERNAL_USER. The name of an administrator user - name for the external database server. This is required to create the - necessary databases. 
- - - - In the secrets section: + When the external database server is configured to use TLS, it + must support both TLS and unencrypted + connections; if the external database server only accepts TLS connections + some SCF components will not be able to communicate with the database + server. - - - - DB_EXTERNAL_PASSWORD. The corresponding password for - the administrator user defined for DB_EXTERNAL_USER. - - - - In the enable section: + Note that Amazon RDS uses a CA that is not currently recognized as a + well-known CA within UAA. Therefore, you must use the flag + env.UAADB_TLS to + enabled_skip_all_validation to disable server + certificate validation for TLS connections to RDS. If you are using + credhub, you will need to pass in the RDS CA via the + secrets.CREDHUB_DB_CA_CERT flag to ensure credhub is + able to validate the RDS server cert. - - - - mysql: false . This option disables the start and use - of the internal database-related roles (mysql, mysql-proxy). It is - currently not possible to do this automatically when an external database - is used. - - - + + + Configuration - The following snippet contains the relevant &helm; values defined in an - example scf-config-values.yaml. Replace the example - values with the connection details of your database. - -env: - DB_EXTERNAL_HOST: my-external-db.chnutnopvydk.us-west-2.rds.amazonaws.com - DB_EXTERNAL_PORT: 3306 - DB_EXTERNAL_USER: admin - -secrets: - DB_EXTERNAL_PASSWORD: password - -enable: - mysql: false - - - The backing databases for uaa and scf - can be independently configured by supplying the above &helm; values in - separate scf-config-values.yaml files (or as command - line options). They can be configured to share the same external database, use different - external databases, or use the internal database. The table below outlines - the compatible combinations. 
+ This section describes the components involved and their associated + configuration options when connecting to an external database. The + configuration options are specified through &helm; values inside the + scf-config-values.yaml. The deployment and + configuration of the external database itself is the responsibility of the + operator and beyond the scope of this documentation. It is assumed the + external database has been deployed and accessible. - - - - - uaa - scf - - - - - Internal database - Internal database - - - Internal database - External database - - - External database - Internal database - - - External database A - External database A - - - External database A - External database B - - - - + + Configuration during Initial Install Only + + Configuration of &productname; to use an external database + must be done during the initial + installation and cannot be changed afterwards. + + + + + database-seeder + + + The database-seeder runs during installation and + created databases inside the service for the various clients (Cloud + Controller, Diego, UAA, etc.). It uses these configuration variables: + + + + + env.DB_EXTERNAL_HOST: Hostname for an external + database server to use for the CF-internal databases. If not set, the + internal database is used and the remaining + DB_EXTERNAL_* variables are ignored. + + + + + env.DB_EXTERNAL_USER_HOST_SUFFIX: A suffix that has + to be appended to every user name for the external database; usually + @host. Must include the @ sign. + Empty by default. + + + + + env.DB_EXTERNAL_PORT: Port for an external database + server to use for the CF-internal databases. Default: + 3306. + + + + + env.DB_EXTERNAL_SSL_MODE: SSL configuration for the + external database server. Valid values: false + (database-seeder will communicate over plain TCP), + skip-verify, preferred, and + true. Default: true. 
+ + + + + env.DB_EXTERNAL_USER: Administrator user name for an + external database server; this is required to create the necessary + databases. DB_EXTERNAL_USER_HOST_SUFFIX will be + appended to this user name, so this variable should include just the + user name without the host suffix. + + + + + secrets.DB_EXTERNAL_PASSWORD: Administrator password + for an external database server; this is required to create the + necessary databases. + + + + + The user and password are only used by the seeder to create the databases. + All clients will then use database specific usernames and passwords. + + + + + credhub + + + + + secrets.CREDHUB_DB_CA_CERT: CA trusted for making TLS + connections to targeted database server. + + + + + env.CREDHUB_DB_HOST_VALIDATION: Enables hostname + verification for TLS connections to targeted database server. Default: + true. + + + + + env.CREDHUB_DB_REQUIRE_TLS: Requires only TLS + connections to targeted database server. Default: + true. + + + + + + + uaa + + + env.UAADB_TLS: Use TLS connection for UAA database. + Valid options are: enabled (use TLS with full + certificate validation), + enabled_skip_hostname_validation (use TLS but skip + validation of common and alt names in the host certificate), + enabled_skip_all_validation (use TLS but do not + validate anything about the host certificate), and + disabled (do not use TLS). Default: + enabled. + + + + After your configuration file has been updated, refer to the platform-specific instructions to deploy uaa and/or diff --git a/xml/cap_admin_service_broker.xml b/xml/cap_admin_service_broker.xml index 439726c8..b2481236 100644 --- a/xml/cap_admin_service_broker.xml +++ b/xml/cap_admin_service_broker.xml 
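Review bot: The Important Considerations text says the external server `must support both TLS and unencrypted connections` because `some SCF components` cannot use TLS, but it neither names those components nor states the consequence: for them, database credentials and data cross the network in the clear even when the operator believes TLS is enforced. The same section instructs RDS users to set `env.UAADB_TLS` to `enabled_skip_all_validation`, which removes server authentication for UAA's database connection, and `DB_EXTERNAL_SSL_MODE` accepts `skip-verify` and `preferred`, so a reader following this page can end up with an external database whose transport security is nowhere verified. Suggest one sentence after the TLS note naming the plaintext-only components and recommending the database be reachable only from the cluster network (private subnet, security group restricted to node addresses), and one after the RDS note stating plainly that `enabled_skip_all_validation` leaves the connection open to interception and should be revisited once the RDS CA can be trusted. The seeder credential in `secrets.DB_EXTERNAL_PASSWORD` is also described as used only once, yet it stays in the supplied Helm values; recommending that it be rotated or reduced in privilege after install would close that loop.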
@@ -174,12 +174,22 @@ - An external &mysql; or &postgresql; installation with account credentials that - allow creating and deleting databases and users. + An external &mysql; or &postgresql; installation with account credentials + that allow creating and deleting databases and users. + + Azure Databases and <literal>cf-usb</literal> + + The cf-usb service broker is not compatible with an + external database hosted on Azure. We recommend using the service + brokers that are provided by Microsoft Azure for OSBAPI connections + to their hosted database services. + + + For testing purposes you may create an insecure security group: @@ -797,5 +807,15 @@ mysql-service 1 Mon May 21 11:40:11 2018 DEPLOYED cf-usb-sidecar-mysql + + Upgrading &productname; When Using Minibroker + + If you are upgrading &productname; to 1.5.2 and already use Minibroker to + connect to external databases and are using &kube; 1.16 or higher, which is + the case with &caasp; 4.1, you will need to update the database version to + a compatible version and migrate your data over via the database’s suggested + mechanism. This may require a database export/import. + + diff --git a/xml/cap_admin_upgrade.xml b/xml/cap_admin_upgrade.xml index 164a7cc2..ca6e5e1b 100644 --- a/xml/cap_admin_upgrade.xml +++ b/xml/cap_admin_upgrade.xml 
@@ -131,8 +131,27 @@ . + + Upgrading &productname; When Using Minibroker + + If you are upgrading &productname; to 1.5.2 and already use Minibroker to + connect to external databases and are using &kube; 1.16 or higher, which is + the case with &caasp; 4.1, you will need to update the database version to + a compatible version and migrate your data over via the database’s suggested + mechanism. This may require a database export/import. + + + + + Upgrading from 1.5.1 When Using External Database + + If you are upgrading &productname; to 1.5.2 and use an external database in + 1.5.1, please contact support for further instructions. + + + - For upgrades from &productname; 1.5 to 1.5.1, if + For upgrades from &productname; 1.5.1 to 1.5.2, if the mysql roles of uaa and scf are in high availability mode, it is recommended to first scale them to single availability. Performing an upgrade with these @@ -217,7 +236,7 @@ sizing: &prompt.user;helm upgrade susecf-uaa suse/uaa \ --values scf-config-values.yaml \ --values ha-strict-false-single-mysql.yaml \ ---version 2.18.0 +--version 2.19.1 Monitor progress using the watch command. @@ -271,7 +290,7 @@ sizing: &prompt.user;helm upgrade susecf-scf suse/cf \ --values scf-config-values.yaml \ --values ha-strict-false-single-mysql.yaml \ ---version 2.18.0 +--version 2.19.1 Monitor progress using the watch command. @@ -322,7 +341,7 @@ sizing: &prompt.user;helm upgrade susecf-uaa suse/uaa \ --values scf-config-values.yaml \ --values ha-strict-false-single-mysql.yaml \ ---version 2.19.1 +--version 2.20.3 Monitor progress using the watch command. @@ -360,7 +379,7 @@ sizing: &prompt.user;helm upgrade susecf-scf suse/cf \ --values scf-config-values.yaml \ --values ha-strict-false-single-mysql.yaml \ ---version 2.19.1 \ +--version 2.20.3 \ --set "secrets.UAA_CA_CERT=${CA_CERT}" 
@@ -393,7 +412,7 @@ sizing: &prompt.user;helm upgrade susecf-uaa suse/uaa \ --values scf-config-values.yaml \ --values ha-strict-true.yaml \ ---version 2.19.1 +--version 2.20.3 Monitor progress using the watch command. @@ -431,7 +450,7 @@ sizing: &prompt.user;helm upgrade susecf-scf suse/cf \ --values scf-config-values.yaml \ --values ha-strict-true.yaml \ ---version 2.19.1 \ +--version 2.20.3 \ --set "secrets.UAA_CA_CERT=${CA_CERT}" @@ -483,7 +502,7 @@ sizing: &prompt.user;helm upgrade susecf-uaa suse/uaa \ --values scf-config-values.yaml \ --values uaa-sizing.yaml \ ---version 2.18.0 +--version 2.19.1 Monitor progress using the watch command. @@ -546,7 +565,7 @@ sizing: &prompt.user;helm upgrade susecf-scf suse/cf \ --values scf-config-values.yaml \ --values scf-sizing.yaml \ ---version 2.18.0 +--version 2.19.1 Monitor progress using the watch command. @@ -602,7 +621,7 @@ sizing: &prompt.user;helm upgrade susecf-uaa suse/uaa \ --values scf-config-values.yaml \ --values uaa-sizing.yaml \ ---version 2.19.1 +--version 2.20.3 Monitor progress using the watch command. @@ -633,7 +652,7 @@ sizing: &prompt.user;helm upgrade susecf-scf suse/cf \ --values scf-config-values.yaml \ --values scf-sizing.yaml \ ---version 2.19.1 \ +--version 2.20.3 \ --set "secrets.UAA_CA_CERT=${CA_CERT}" @@ -667,7 +686,7 @@ sizing: &prompt.user;helm upgrade susecf-uaa suse/uaa \ --values scf-config-values.yaml \ --values uaa-sizing.yaml \ ---version 2.19.1 +--version 2.20.3 Monitor progress using the watch command. @@ -705,7 +724,7 @@ sizing: &prompt.user;helm upgrade susecf-scf suse/cf \ --values scf-config-values.yaml \ --values scf-sizing.yaml \ ---version 2.19.1 \ +--version 2.20.3 \ --set "secrets.UAA_CA_CERT=${CA_CERT}" @@ -743,7 +762,7 @@ sizing: &prompt.user;helm upgrade susecf-uaa suse/uaa \ --values scf-config-values.yaml \ ---version 2.19.1 +--version 2.20.3 Monitor progress using the watch command. 
@@ -768,7 +787,7 @@ sizing: &prompt.user;helm upgrade susecf-scf suse/cf \ --values scf-config-values.yaml \ ---version 2.19.1 \ +--version 2.20.3 \ --set "secrets.UAA_CA_CERT=${CA_CERT}" diff --git a/xml/cap_overview.xml b/xml/cap_overview.xml index f6904ac3..7d3e6c26 100644 --- a/xml/cap_overview.xml +++ b/xml/cap_overview.xml @@ -29,46 +29,56 @@ - Support for Eirini SSH feature + cf-deployment has been updated to 12.17 - Support for external Cloud Controller and UAA database configuration + Optimized startup time for various roles - Ingress controller now available for UAA embedded in SCF - - - - - AUDIT_WRITE capabilities added for CRI-O + Added/fixed podAntiAffinity rules for various roles - The Stratos UI has been updated to version 2.6.0: + The Stratos UI has been updated to version 2.7.0: - For a full list of features and fixes see + Added support for &caasp; V4.1 and &kube; 1.16+ environments + + + + + Display last operation and service broker info for service instances + + + + + For a full list of features and fixes see - The Stratos Metrics has been updated to version 1.1.1: + The Stratos Metrics has been updated to version 1.1.2: - For a full list of updates see + Added support for &caasp; V4.1 and &kube; 1.16+ environments + + + + + For a full list of updates see @@ -550,6 +560,13 @@ + + configgin-helper + + + + + diego-api diff --git a/xml/entity-decl.ent b/xml/entity-decl.ent index 4dea08b9..4f9cff76 100644 --- a/xml/entity-decl.ent +++ b/xml/entity-decl.ent @@ -4,16 +4,16 @@ - + - - - - + + + + - + diff --git a/xml/repeated-content-decl.ent b/xml/repeated-content-decl.ent index 8fdbb6b9..f8769317 100644 --- a/xml/repeated-content-decl.ent +++ b/xml/repeated-content-decl.ent @@ -213,6 +213,16 @@ Before you start deploying &productname;, review the following documents: &latestscfchart; &lateststratoschart; 1.1.1 + + 2.144.0 + 6.49.0 + + + + 1.5.1 + 2.19.1 + 2.6.0 + 1.1.0 2.138.0 6.46.1