Important changes in CF v217


Amit Kumar Gupta
 

This release introduces significant improvements to the security of the
consul cluster; however, the operator must introduce these changes over the
course of multiple deployments. If you are not running any consul servers
as part of your deployment, you can ignore these instructions. Otherwise,
please do the following:

1. Scale the number of consul servers in your existing deployment down to 1
instance. The consul.agent.servers.lan property must be updated to reflect
this; this should happen for free if you are using the standard tooling for
manifest generation. If you are deploying Diego alongside CF, you must
redeploy Diego as well to pick up the consul.agent.servers.lan change;
again, this should happen for free if using the standard manifest
generation tooling.

2. Generate SSL certificates, keys, and a separate encryption key for the
gossip protocol used by consul (instructions:
https://docs.cloudfoundry.org/deploying/consul-security.html). Upload the
v217 release and generate your manifest for CF (and then Diego, if also
deploying Diego).

3. Deploy CF (and then Diego, if also deploying Diego).

4. Scale the number of consul servers back up to whatever you had it at
before. Regenerate all relevant manifests and deploy.

Best,
Amit
