1.13.0

This release has the following new features:

• Multi-homing

• CORS support

• Initial support for CNI plugin chaining

• Tested with silk-release v0.3.0

Significant Changes

Manifest Changes

New Properties

• An optional parameter has been added to the garden-cni job to
  specify search domains. These domains will be configured in containers' /etc/resolv.conf.
  • cf_networking.search_domains
• An optional parameter has been added to the silk-daemon job to configure which network
  container traffic should be sent over based on network interface name. This property is
  not recommended for use and is temporary. If empty, the default network is used.
  • cf_networking.silk_daemon.temporary_vxlan_interface
• An optional parameter has been added to the silk-daemon job to configure which network
  container traffic should be sent over based on bosh network name. If empty, the default
  gateway network is used.
  • cf_networking.silk_daemon.vxlan_network
• An optional parameter has been added to list domains from which Cross-Origin
  requests will be accepted.
  • cf_networking.policy_server.allowed_cors_domains

Multiple Interfaces

• An operator can configure a BOSH property to indicate which interface name to use for VXLAN traffic
• Underlay network can be specified in job properties by bosh network name

DNS Features

• BOSH property for search domains are returned to Garden

CORS

• Support CORS on policy-server /networking endpoints

CNI

• Garden External Networker supports CNI Chaining

Tests

• CAT for ASGs applying to tasks

Chores

• Update to go 1.10
• use cloudfoundry/filelock repo
• Add fast fail to shipit cf-app-sd release
• Update the manifest change log for cf-networking-release 1.13.0
• ship-it publishes releases as drafts

1.12.0

This release includes a few enhancements and partial support for splitting cf-networking-release into core and swappable parts.

Give us feedback in the #container-networking channel on cloudfoundry.slack.com. Take a look at known issues for current limitations and known issues.

• Tested with silk-release v0.2.0

Significant Changes

Silk Release

• Create silk-release with swappable parts of cf-networking-release
• An operator can upgrade to using silk-release and cf-networking-release
• Properties in silk-release are not name spaced to cf-networking
• Update cf-networking-release and silk-release db timeout connection defaults
• finish shipping silk 0.1.0

Chores

• create new images in ci on timer
• Set up CI for silk-release
• Fix in silk pipeline
• Investigate ginkgo + golang 1.10 + silk
• Stop using the cats-concourse-task repo

Service Discovery

• Enhance Cats & Dogs to demo service discovery with phase 1 of service discovery
• Cat& Dogs example apps are in their own github repo

Bugs

• cloudfoundry/cf-networking-release #33: CustomIPTablesCompatibilityTest should be skipped by default

Documentation

• The team understands and documents the interfaces available to 3rd party network integrators

1.11.0

• Set up CI for silk-release
• Create silk-release with swappable parts of cf-networking-release
• An operator can upgrade to using silk-release and cf-networking-release
• Enhance Cats & Dogs to demo service discovery with phase 1 of service discovery
• cloudfoundry/cf-networking-release #33: CustomIPTablesCompatibilityTest should be skipped by default
• An operator can configure a BOSH property to indicate which interface to use for VXLAN traffic
• Properties in silk-release are not name spaced to cf-networking
• Cat& Dogs example apps are in their own github repo
• Fix in silk pipeline
• Tested with silk-release v0.1.0

1.10.0

This release enables a new feature that enables operators to run BOSH add-ons that modify iptables rules on cells.

Give us feedback in the #container-networking channel on cloudfoundry.slack.com. Take a look at known issues for current limitations and known issues.

Verified with the following:

• CF deployment

Manifest Changes

None

Significant Changes

iptables

• CF networking plays nice with add-ons that change iptables

Miscellaneous fixes and chores

• cloudfoundry/cf-networking-release #24: Samples README to remind diego defaults $PORT to 8080
• An app dev should be able to understand how to use Cats & Dogs to demo service discovery through updated documentation
• Investigate Toque-push failure
• Update CI to handle new bbl version
• Upgrade concourse to 3.8.0
• make smoke test org idempotently created
• tag docker images
• Styling for cats & dogs backend app
• Pin to newest cf-deployment-concourse task release
• delete trucker-test-upgrade
• cloudfoundry/cf-networking-release #32: Add optional skip_icmp_tests to acceptance-tests

1.9.0

The main change in this release is a patch to better handle database parameters in Silk.

Give us feedback in the #container-networking channel on cloudfoundry.slack.com. Take a look at known issues for current limitations and known issues.

Verified with the following:

• CF deployment

Manifest Changes

None

Significant Changes

Chores

• App dev should see new CLI commands in example app documentation instead of the plugin commands
• Bump golang1.9.2
• task_connectivity test does not work on all environments
• Move relevant CI parts from CI repo to cf-networking-release
• update containernetworking dependecies
• Run silk ci weekly
• Remove build-dev-mysql-ifb-image from ci
• set up firehose nozzle from beret -> datadog
• Add cf-app-sd-release to dashboard
• Fix broken deployments in CI

Silk database changes

• Private backlog silk controller story

1.8.0

• Move cf-networking-release out of incubator

1.7.0

Lots of small enhancements in this release - support for rootless mode, setting max open/idle connections on Silk controller and support for BBR on mySQL.

Give us feedback in the #container-networking channel on cloudfoundry.slack.com. Take a look at known issues for current limitations and known issues.

Verified with the following:

• CF deployment

Manifest Changes

New Properties

• An optional parameter has been added to turn on bosh backup and restore.
  By default, this property is set to false and backup and restore is turned off.
  • release_level_backup
• An optional parameter has been added to configure the max number of
  open and idle connections to the silk-controller database.
  • cf_networking.silk_controller.max_open_connections
  • cf_networking.silk_controller.max_idle_connections

Significant Changes

CLI

• Networking acceptance tests use CF CLI
• An operator uses the CF CLI instead of the plugin

BBR

• operator can use scripts deployed with a colocated job to backup the policy server database on postgresql

Rootless Mode

• Garden network-plugin api does not guarantee that it will run plugins as root

Enhancements

• add config flag to not run tests that require internet
• Set max open/idle connections in silk-controller
• bump go to 1.9

1.6.0

The primary change in this release is a change in the default directories for CNI plugins integrating into Cloud Foundry.

Give us feedback in the #container-networking channel on cloudfoundry.slack.com. Take a look at known issues for current limitations and known issues.

Verified with the following:

• CF deployment

Manifest Changes

Changed Properties

• The value for cf_networking.garden_external_networker.cni_plugin_dir now defaults to /var/vcap/packages/cni/bin
• The value for cf_networking.garden_external_networker.cni_config_dir now defaults to /var/vcap/jobs/cni/config/cni

Significant Changes

Policies for Tasks

• Validate container networking works with tasks

Debugging Enhancements

• Policy server creates request ids

CNI

• The default configuration for CNI plugin and config is not silk specific

1.5.0

This release includes initial support for BBR. Try it out and give us your feedback in the #container-networking channel on cloudfoundry.slack.com.

Take a look at known issues for current limitations and known issues.

Verified with the following:

• CF deployment

Manifest Changes

Links Enabled
The policy-server now provides database connection info via a link which the new policy-server-internal job consumes:

• cf_networking.policy_server.database.type
• cf_networking.policy_server.database.username
• cf_networking.policy_server.database.password
• cf_networking.policy_server.database.port
• cf_networking.policy_server.database.name
• cf_networking.policy_server.database.host

New Properties

• REQUIRED: A new job policy-server-internal has been added. This job requires the following properties:
  • cf_networking.policy_server_internal.ca_cert
  • cf_networking.policy_server_internal.server_cert
  • cf_networking.policy_server_internal.server_key
    There are additional optional paramaters that can be set and are viewable in the spec file
• An optional parameter has been added to configure the path to the iptables kernel log for
  the iptables_logger.
  • cf_networking.iptables_logger.kernel_log_file

Removed Properties

• The policy-server job has removed the following properties:
  • cf_networking.policy_server.internal_listen_port
  • cf_networking.policy_server.ca_cert
  • cf_networking.policy_server.server_cert
  • cf_networking.policy_server.server_key

Changed Properties

• The consul.agent.services.policy-server property for the consul_agent job on the api instance group
  should be renamed to consul.agent.services.policy-server-internal.

Significant Changes

CLI Changes

• CLI can discover CF networking API endpoints and versions

BBR Changes

• An operator can lock the policy server so policies cannot be added/deleted
• operator can use scripts deployed with a colocated job to restore the policy server database on mysql
• operator can use scripts deployed with a colocated job to lock and unlock the policy server API
• operator can use scripts deployed with a colocated job to backup the policy server database on mysql

Chores

• error response functions should take logger as an arg
• Fix "connection refused" in postgres-tests
• bump the go-sql-driver

1.4.0

CF networking policies now support port ranges in addition to a single port in policy configuration. In addition, the silk controller provides a link for the silk daemon to configure the overlay network for cf-networking.

Try it out and give us your feedback in the #container-networking channel on cloudfoundry.slack.com.

Take a look at known issues for current limitations and known issues. Verified with the following:

• CF deployment

Manifest Changes

Links Enabled
The silk-controller job now provides two properties via links which the silk-daemon job consumes:

• cf_networking.network
• cf_networking.subnet_prefix_length
  ** This means you are able to remove the properties (listed above) from the silk-daemon job. **

If your deployment contains more than a single instance group that has the silk-controller job,
then you will need to explicitly name the cf_network link. For more information,
see the documentation.

New Properties

• An optional parameter has been added to configure the port of the metron agent for
  the iptables_logger. This port will be used to forward metrics. Previously, no such
  port existed.
  • cf_networking.iptables_logger.metron_port

Significant Changes

Port Ranges

• As an operator I would like to specify a range of ports in policy configuration APIs
• As an operator I would like to specify a range of ports in policy configuration CLI
• As an operator I would like to see a range of ports in policy configuration CLI
• As an operator I would like to remove access for a range of ports in policy configuration CLI

Optimizations

• Operators can configure a single property to change the overlay network
• policy-server and silk-controller work with MySQL 5.6
• Operators should see info on resource consumption of log forwarder in github

Logging Enhancemetns

• Iptables-logger logs a metric for uptime
• fix flaky iptables logger tests
• iptables logger is running in a cf-release deployment

Chores

• allow running ifb tests on a dev workstation
• Fix issue with unbound running security groups on mitre
• Rename GetRoutableLeases to GetActiveLeases
• Policy-server wrappers use http.Request.Context for passing values