update cf-deployment to 44.4.0 (#234)

genesis-community · Jan 10, 2025 · 418efda · 418efda
1 parent db031f8
commit 418efda
Show file tree

Hide file tree

Showing 40 changed files with 448 additions and 392 deletions.
diff --git a/cf-deployment/cf-deployment.yml b/cf-deployment/cf-deployment.yml
@@ -1,6 +1,6 @@
 ---
 name: cf
-manifest_version: v40.12.0
+manifest_version: v44.4.0
 update:
   canaries: 1
   canary_watch_time: 30000-1200000
@@ -328,7 +328,7 @@ instance_groups:
   - z1
   - z2
   instances: 2
-  vm_type: minimal
+  vm_type: medium
   stemcell: default
   networks:
   - name: default
@@ -841,16 +841,16 @@ instance_groups:
   networks:
   - name: default
   jobs:
-  - name: redis
+  - name: valkey
     release: capi
   - name: cloud_controller_ng
     release: capi
     provides:
       cloud_controller: {as: cloud_controller, shared: true}
     properties:
       name: cf-deployment
-      build: v40.12.0 # AUTO-POPULATED; DO NOT EDIT
-      version: 40 # AUTO-POPULATED; DO NOT EDIT
+      build: v44.4.0 # AUTO-POPULATED; DO NOT EDIT
+      version: 44 # AUTO-POPULATED; DO NOT EDIT
       router:
         route_services_secret: "((router_route_services_secret))"
       system_domain: "((system_domain))"
@@ -888,6 +888,7 @@ instance_groups:
             buildpack/cflinuxfs4: buildpack_app_lifecycle/buildpack_app_lifecycle.tgz
             buildpack/windows: buildpack_app_lifecycle/buildpack_app_lifecycle.tgz
             docker: docker_app_lifecycle/docker_app_lifecycle.tgz
+            cnb/cflinuxfs4: cnb_app_lifecycle/cnb_app_lifecycle.tgz
         default_stack: cflinuxfs4
         stacks:
         - name: cflinuxfs4
@@ -898,6 +899,8 @@ instance_groups:
         default_staging_security_groups:
         - public_networks
         - dns
+        security_groups:
+          enable_comma_delimited_destinations: true
         security_group_definitions:
         - name: public_networks
           rules:
@@ -950,7 +953,6 @@ instance_groups:
             encryption_key_0: "((cc_db_encryption_key))"
         staging_upload_user: staging_user
         staging_upload_password: "((cc_staging_upload_password))"
-        legacy_md5_buildpack_paths_enabled: false
         temporary_use_logcache: true
         logcache:
           host: log-cache.service.cf.internal
@@ -1175,6 +1177,7 @@ instance_groups:
             buildpack/cflinuxfs4: buildpack_app_lifecycle/buildpack_app_lifecycle.tgz
             buildpack/windows: buildpack_app_lifecycle/buildpack_app_lifecycle.tgz
             docker: docker_app_lifecycle/docker_app_lifecycle.tgz
+            cnb/cflinuxfs4: cnb_app_lifecycle/cnb_app_lifecycle.tgz
         database_encryption: *cc-database-encryption
         staging_upload_user: staging_user
         staging_upload_password: "((cc_staging_upload_password))"
@@ -1257,6 +1260,7 @@ instance_groups:
             buildpack/cflinuxfs4: buildpack_app_lifecycle/buildpack_app_lifecycle.tgz
             buildpack/windows: buildpack_app_lifecycle/buildpack_app_lifecycle.tgz
             docker: docker_app_lifecycle/docker_app_lifecycle.tgz
+            cnb/cflinuxfs4: cnb_app_lifecycle/cnb_app_lifecycle.tgz
         staging_upload_user: staging_user
         staging_upload_password: "((cc_staging_upload_password))"
         resource_pool: *blobstore-properties
@@ -1292,6 +1296,7 @@ instance_groups:
             buildpack/cflinuxfs4: buildpack_app_lifecycle/buildpack_app_lifecycle.tgz
             buildpack/windows: buildpack_app_lifecycle/buildpack_app_lifecycle.tgz
             docker: docker_app_lifecycle/docker_app_lifecycle.tgz
+            cnb/cflinuxfs4: cnb_app_lifecycle/cnb_app_lifecycle.tgz
         mutual_tls:
           ca_cert: "((cc_tls.ca))"
           private_key: "((cc_tls.private_key))"
@@ -1445,6 +1450,8 @@ instance_groups:
   instances: 2
   vm_type: minimal
   stemcell: default
+  update:
+    serial: true
   vm_extensions:
   - cf-tcp-router-network-properties
   networks:
@@ -1458,6 +1465,11 @@ instance_groups:
         router_group: default-tcp
         tls_health_check_cert: ((tcp_router_lb_health_tls.certificate))
         tls_health_check_key:  ((tcp_router_lb_health_tls.private_key))
+        backend_tls:
+          enabled: true
+          client_cert: ((tcp_router_backend_tls.certificate))
+          client_key: ((tcp_router_backend_tls.private_key))
+          ca_cert: ((diego_instance_identity_ca.ca))
       uaa:
         ca_cert: "((uaa_ssl.ca))"
         tls_port: 8443
@@ -1632,13 +1644,16 @@ instance_groups:
       containers:
         proxy:
           enabled: true
+          enable_unproxied_port_mappings: false
           require_and_verify_client_certificates: true
           trusted_ca_certificates:
           - ((gorouter_backend_tls.ca))
           - ((ssh_proxy_backends_tls.ca))
+          - ((tcp_router_backend_tls.ca))
           verify_subject_alt_name:
           - gorouter.service.cf.internal
           - ssh-proxy.service.cf.internal
+          - tcp-router.service.cf.internal
         trusted_ca_certificates:
         - ((diego_instance_identity_ca.ca))
         - ((credhub_tls.ca))
@@ -1677,6 +1692,7 @@ instance_groups:
               client_key: "((nats_client_cert.private_key))"
       tcp:
         enabled: true
+        enable_tls: true
       uaa:
         ca_cert: "((uaa_ssl.ca))"
         client_secret: "((uaa_clients_tcp_emitter_secret))"
@@ -2481,6 +2497,15 @@ variables:
     common_name: gorouter_lb_health_tls
     alternative_names:
     - gorouter.service.cf.internal
+- name: tcp_router_backend_tls
+  type: certificate
+  options:
+    ca: service_cf_internal_ca
+    common_name: tcp-router_backend_tls
+    alternative_names:
+    - tcp-router.service.cf.internal
+    extended_key_usage:
+    - client_auth
 - name: tcp_router_lb_health_tls
   type: certificate
   options:
@@ -2792,126 +2817,126 @@ variables:
 
 releases:
 - name: binary-buildpack
-  url: https://bosh.io/d/github.com/cloudfoundry/binary-buildpack-release?v=1.1.11
-  version: 1.1.11
-  sha1: dc680a771bad6c9205797ac6bba6ef4d1aa7b18e
+  url: https://bosh.io/d/github.com/cloudfoundry/binary-buildpack-release?v=1.1.14
+  version: 1.1.14
+  sha1: f9e6145b2b9e2c71a59cbf0572fcb25a99b98c59
 - name: bpm
-  url: https://bosh.io/d/github.com/cloudfoundry/bpm-release?v=1.2.19
-  version: 1.2.19
-  sha1: 8052def173f1e1d87dcbbce353dd2e6d1df96177
+  url: https://bosh.io/d/github.com/cloudfoundry/bpm-release?v=1.4.1
+  version: 1.4.1
+  sha1: 1d2f22a5d024cb34f6d7d2da3f1ee95e4a8cdd61
 - name: capi
-  url: https://bosh.io/d/github.com/cloudfoundry/capi-release?v=1.181.0
-  version: 1.181.0
-  sha1: c369c5290d922fdfda7177bd747435633285515c
+  url: https://bosh.io/d/github.com/cloudfoundry/capi-release?v=1.195.0
+  version: 1.195.0
+  sha1: 92baa45ee839bf5a5a763c54696b841ef8024528
 - name: cf-networking
-  url: https://bosh.io/d/github.com/cloudfoundry/cf-networking-release?v=3.46.0
-  version: 3.46.0
-  sha1: 28ae3c49a0509d0899353273059d122529e632dc
+  url: https://bosh.io/d/github.com/cloudfoundry/cf-networking-release?v=3.52.0
+  version: 3.52.0
+  sha1: b67b8673e687d4dc1b00b098192d5b5c14ae681a
 - name: cf-smoke-tests
-  url: https://bosh.io/d/github.com/cloudfoundry/cf-smoke-tests-release?v=42.0.146
-  version: 42.0.146
-  sha1: 0718da741dcc81e7290c04bcab25205b69566b97
+  url: https://bosh.io/d/github.com/cloudfoundry/cf-smoke-tests-release?v=42.0.171
+  version: 42.0.171
+  sha1: dcc2c329ccd5cd3c1ae7e5ff06a6704c3de70603
 - name: cflinuxfs4
-  url: https://bosh.io/d/github.com/cloudfoundry/cflinuxfs4-release?v=1.95.0
-  version: 1.95.0
-  sha1: 299639ae2e6d50920b6d3bb22e88e1bcfbce95d4
+  url: https://bosh.io/d/github.com/cloudfoundry/cflinuxfs4-release?v=1.174.0
+  version: 1.174.0
+  sha1: 0034c23d813f0f433c3296c6f2a89a96d4c422c3
 - name: credhub
-  url: https://bosh.io/d/github.com/pivotal-cf/credhub-release?v=2.12.74
-  version: 2.12.74
-  sha1: 2f1b40d6035fa600ba770bf51c39e16f88461497
+  url: https://bosh.io/d/github.com/pivotal-cf/credhub-release?v=2.12.93
+  version: 2.12.93
+  sha1: 839113e27736a71972f8c44362ed3f1cbc0f5720
 - name: diego
-  url: https://bosh.io/d/github.com/cloudfoundry/diego-release?v=2.99.0
-  version: 2.99.0
-  sha1: b0f6b9f60d441d80a45a4dcec5f90224b315704e
+  url: https://bosh.io/d/github.com/cloudfoundry/diego-release?v=2.105.0
+  version: 2.105.0
+  sha1: 2b859378fc80cc983fbc875ebf934d7a3eab66f1
 - name: dotnet-core-buildpack
-  url: https://bosh.io/d/github.com/cloudfoundry/dotnet-core-buildpack-release?v=2.4.27
-  version: 2.4.27
-  sha1: 2dafeb8390835f71aaeab3bb6bd3b2df1fa23a33
+  url: https://bosh.io/d/github.com/cloudfoundry/dotnet-core-buildpack-release?v=2.4.33
+  version: 2.4.33
+  sha1: 2b0f1b44aecdf1fad688329b8e1ffdcc451b8991
 - name: garden-runc
-  url: https://bosh.io/d/github.com/cloudfoundry/garden-runc-release?v=1.53.0
-  version: 1.53.0
-  sha1: 727479842888aa9752b0f556702d987424ef7254
+  url: https://bosh.io/d/github.com/cloudfoundry/garden-runc-release?v=1.57.0
+  version: 1.57.0
+  sha1: 56cb4687e28cfbb6ed90e0b5afe28c118b7e9c6e
 - name: go-buildpack
-  url: https://bosh.io/d/github.com/cloudfoundry/go-buildpack-release?v=1.10.18
-  version: 1.10.18
-  sha1: 810ca15c34e2d38abc025aca6941f3c2dce92c40
+  url: https://bosh.io/d/github.com/cloudfoundry/go-buildpack-release?v=1.10.23
+  version: 1.10.23
+  sha1: c6dbd9573fc51ab92cb2f631e9b848e5bb990eec
 - name: java-buildpack
-  url: https://bosh.io/d/github.com/cloudfoundry/java-buildpack-release?v=4.69.0
-  version: 4.69.0
-  sha1: 114c678a042a89cb293db912c13915b5ef1009a8
+  url: https://bosh.io/d/github.com/cloudfoundry/java-buildpack-release?v=4.71.0
+  version: 4.71.0
+  sha1: 82356fa16049c360e9287adbe1c82098264dc1fe
 - name: loggregator
-  url: https://bosh.io/d/github.com/cloudfoundry/loggregator-release?v=107.0.14
-  version: 107.0.14
-  sha1: 6a41e9642d8e3cd6191c0b54e7678719800b2826
+  url: https://bosh.io/d/github.com/cloudfoundry/loggregator-release?v=107.0.17
+  version: 107.0.17
+  sha1: bba6ece58f146d822a37894c1bdc14b601964ba6
 - name: nats
-  url: https://bosh.io/d/github.com/cloudfoundry/nats-release?v=56.19.0
-  version: 56.19.0
-  sha1: 945d4fe29150cb8091a21f295a6a163b735b5dd4
+  url: https://bosh.io/d/github.com/cloudfoundry/nats-release?v=56.25.0
+  version: 56.25.0
+  sha1: 2702d51f44e6798191d916e801cbccfbecafde83
 - name: nginx-buildpack
-  url: https://bosh.io/d/github.com/cloudfoundry/nginx-buildpack-release?v=1.2.13
-  version: 1.2.13
-  sha1: b40f90f64d559436e187b21b836fb2d3c84eab35
+  url: https://bosh.io/d/github.com/cloudfoundry/nginx-buildpack-release?v=1.2.19
+  version: 1.2.19
+  sha1: f9c83865ba934c4f232cd97e234dd07577b5b26e
 - name: r-buildpack
-  url: https://bosh.io/d/github.com/cloudfoundry/r-buildpack-release?v=1.2.11
-  version: 1.2.11
-  sha1: d4f1ac487955a3ce49f198a0a919d194b847cdbc
+  url: https://bosh.io/d/github.com/cloudfoundry/r-buildpack-release?v=1.2.15
+  version: 1.2.15
+  sha1: eb7862d246dd85e9d9027d5d3f9e90fe1664345c
 - name: nodejs-buildpack
-  url: https://bosh.io/d/github.com/cloudfoundry/nodejs-buildpack-release?v=1.8.24
-  version: 1.8.24
-  sha1: f915df715dc47be62116c5f319808b4a91b7b4bb
+  url: https://bosh.io/d/github.com/cloudfoundry/nodejs-buildpack-release?v=1.8.29
+  version: 1.8.29
+  sha1: b9da829e7ee0ac1210c70860a6f17ebed172afd9
 - name: php-buildpack
-  url: https://bosh.io/d/github.com/cloudfoundry/php-buildpack-release?v=4.6.18
-  version: 4.6.18
-  sha1: 6152d00052556cdeb7327b14edd2734ecf1a15ea
+  url: https://bosh.io/d/github.com/cloudfoundry/php-buildpack-release?v=4.6.23
+  version: 4.6.23
+  sha1: f8b0b367923a23225dd318b0c405ac264d782b89
 - name: pxc
-  url: https://bosh.io/d/github.com/cloudfoundry/pxc-release?v=1.0.28
-  version: 1.0.28
-  sha1: f80440917c86a6c3fc96dbdb2dccb2c6c3439e1d
+  url: https://bosh.io/d/github.com/cloudfoundry/pxc-release?v=1.0.31
+  version: 1.0.31
+  sha1: e2e951dfe9e374d3715d3156bf1132a4e0ffb2a5
 - name: python-buildpack
-  url: https://bosh.io/d/github.com/cloudfoundry/python-buildpack-release?v=1.8.23
-  version: 1.8.23
-  sha1: fc2fa861b2af95ba118e63eebac24df1ffbfb29d
+  url: https://bosh.io/d/github.com/cloudfoundry/python-buildpack-release?v=1.8.29
+  version: 1.8.29
+  sha1: e9bf6abc64e54ab9143861ab5f8798680389e062
 - name: routing
-  url: https://bosh.io/d/github.com/cloudfoundry/routing-release?v=0.297.0
-  version: 0.297.0
-  sha1: 41d9ea3c5ef61e4170e0261c27c22651f7055f33
+  url: https://bosh.io/d/github.com/cloudfoundry/routing-release?v=0.316.0
+  version: 0.316.0
+  sha1: 506465f7f457312a074ac127466e21a2268a7019
 - name: ruby-buildpack
-  url: https://bosh.io/d/github.com/cloudfoundry/ruby-buildpack-release?v=1.10.13
-  version: 1.10.13
-  sha1: 94bb7b5c71076fdc0e22275319eadef8a3d66241
+  url: https://bosh.io/d/github.com/cloudfoundry/ruby-buildpack-release?v=1.10.18
+  version: 1.10.18
+  sha1: 6bbe14f8f374a42e2220ddc49957b213d1d3d1db
 - name: silk
-  url: https://bosh.io/d/github.com/cloudfoundry/silk-release?v=3.46.0
-  version: 3.46.0
-  sha1: 868ed3c5f61e9ffb2d2b4bd044e8eeddcc1bfd1d
+  url: https://bosh.io/d/github.com/cloudfoundry/silk-release?v=3.52.0
+  version: 3.52.0
+  sha1: e5e2aa65a28a4f9d9db1539e7cb533c34d0f7684
 - name: staticfile-buildpack
-  url: https://bosh.io/d/github.com/cloudfoundry/staticfile-buildpack-release?v=1.6.12
-  version: 1.6.12
-  sha1: e2610a5de94538bf83b0f85161faa951d3cbb76a
+  url: https://bosh.io/d/github.com/cloudfoundry/staticfile-buildpack-release?v=1.6.17
+  version: 1.6.17
+  sha1: 9e9f49090ee388e9ad34246c82b80ad412280937
 - name: statsd-injector
-  url: https://bosh.io/d/github.com/cloudfoundry/statsd-injector-release?v=1.11.40
-  version: 1.11.40
-  sha1: eaa5e465d8310113ae90bc9b7d956319f1315d14
+  url: https://bosh.io/d/github.com/cloudfoundry/statsd-injector-release?v=1.11.43
+  version: 1.11.43
+  sha1: 351aedae5cd3a2279428e1429388f8ad415f99ba
 - name: uaa
-  url: https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=77.9.0
-  version: 77.9.0
-  sha1: 2880e700842c87d6ae615a9b41e152d0091fc3bd
+  url: https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=77.17.0
+  version: 77.17.0
+  sha1: b617ba847bbe05c5c3e31f3f3a5cb50e732992c7
 - name: loggregator-agent
-  url: https://bosh.io/d/github.com/cloudfoundry/loggregator-agent-release?v=8.1.1
-  version: 8.1.1
-  sha1: 4a65bd6a4e5585025fb1c24d7698057a091e1b50
+  url: https://bosh.io/d/github.com/cloudfoundry/loggregator-agent-release?v=8.3.0
+  version: 8.3.0
+  sha1: a425e43b561f9df3fed255786424885ae12a5f80
 - name: log-cache
-  url: https://bosh.io/d/github.com/cloudfoundry/log-cache-release?v=3.0.11
-  version: 3.0.11
-  sha1: 49e40454c467ac76224565cce7d51739af9a96d1
+  url: https://bosh.io/d/github.com/cloudfoundry/log-cache-release?v=3.1.5
+  version: 3.1.5
+  sha1: d095f5965f5dda9e80d9ea6feba39e51a93e7dcf
 - name: bosh-dns-aliases
   url: https://bosh.io/d/github.com/cloudfoundry/bosh-dns-aliases-release?v=0.0.4
   version: 0.0.4
   sha1: 55b3dced813ff9ed92a05cda02156e4b5604b273
 - name: cf-cli
-  url: https://bosh.io/d/github.com/bosh-packages/cf-cli-release?v=1.63.0
-  version: 1.63.0
-  sha1: 19fc1dcd4cb5dcc4df42e42317afd175dcb91903
+  url: https://bosh.io/d/github.com/bosh-packages/cf-cli-release?v=1.67.0
+  version: 1.67.0
+  sha1: 1cb37275a9ee65f69521fc889d5c561ff878a0b4
 stemcells:
 - alias: default
   os: ubuntu-jammy
-  version: "1.445"
+  version: "1.621"
diff --git a/cf-deployment/iaas-support/bosh-lite/cloud-config.yml b/cf-deployment/iaas-support/bosh-lite/cloud-config.yml
@@ -58,6 +58,7 @@ vm_types:
 - name: minimal
 - name: small
 - name: small-highmem
+- name: medium
 # Note: the "default" vm type is not used in cf-deployment.
 # it is included for compatibility with the bosh-deployment
 # cloud-config.

diff --git a/cf-deployment/operations/README.md b/cf-deployment/operations/README.md
@@ -39,6 +39,10 @@ This is the README for Ops-files. To learn more about `cf-deployment`, go to the
 | [`disable-router-tls-termination.yml`](disable-router-tls-termination.yml) | Eliminates keys related to performing TLS termination within the gorouter job. | Useful for deployments where TLS termination is performed prior to the gorouter - for instance, on AWS, such termination is commonly done at the ELB. This also eliminates the need to specify `((router_ssl.certificate))` and `((router_ssl.private_key))` in the var files. | **NO** |
 | [`disable-http2.yml`](disable-http2.yml) | Prevent gorouter from accepting and forwarding HTTP/2 requests. | | **NO** |
 | [`disable-dynamic-asgs.yml`](disable-dynamic-asgs.yml) | Disable dynamic updates for security groups. | | **NO** |
+| [`disable-tls-tcp-routing-stage-1-unproxied-ports.yml`](disable-tls-tcp-routing-stage-1-unproxied-ports.yml) | Stage 1 deployment for disabling TLS for TCP Routes on. See [configuring TCP routes](https://docs.cloudfoundry.org/adminguide/enabling-tcp-routing.html#tls-tcp-routes) for more info. | | **NO ** |
+| [`disable-tls-tcp-routing-stage-2-tcp-router-and-route-emitter.yml`](disable-tls-tcp-routing-stage-2-tcp-router-and-route-emitter.yml) | Stage 2 deployment for disabling TLS for TCP Routes on. See [configuring TCP routes](https://docs.cloudfoundry.org/adminguide/enabling-tcp-routing.html#tls-tcp-routes) for more info. | | **NO ** |
+| [`disable-tls-tcp-routing-isolation-segment-stage-1-unproxied-ports.yml`](disable-tls-tcp-routing-isolation-segment-stage-1-unproxied-ports.yml) | Stage 1 deployment for disabling TLS for TCP Routes on isolation segments. See [configuring TCP routes](https://docs.cloudfoundry.org/adminguide/enabling-tcp-routing.html#tls-tcp-routes) for more info. | | **NO ** |
+| [`disable-tls-tcp-routing-isolation-segment-stage-2-route-emitter.yml`](disable-tls-tcp-routing-isolation-segment-stage-2-route-emitter.yml) | Stage 2 deployment for disabling TLS for TCP Routes on isolation segments. See [configuring TCP routes](https://docs.cloudfoundry.org/adminguide/enabling-tcp-routing.html#tls-tcp-routes) for more info. | | **NO ** |
 | [`enable-cc-rate-limiting.yml`](enable-cc-rate-limiting.yml) | Enable rate limiting for UAA-authenticated endpoints. | Introduces variables `cc_rate_limiter_general_limit` and `cc_rate_limiter_unauthenticated_limit` | **NO** |
 | [`enable-cc-v2-rate-limiting.yml`](enable-cc-rate-limiting.yml) | Enable V2 API rate limiting for UAA-authenticated endpoints. | Introduces variables `cc_v2_rate_limiter_general_limit`, `cc_v2_rate_limiter_admin_limit` and `cc_v2_rate_limiter_reset_interval_in_minutes` | **NO** |
 | [`enable-cpu-throttling.yml`](enable-cpu-throttling.yml) | Configure Garden containers with CPU entitlement. | This ops file requires `set-cpu-weight.yml`. | **YES** |