cf-release 252 - Upcoming mutual TLS changes
Aakash Shah
In the upcoming cf-release (v252), some components that communicate with the Cloud Controller (CC) via its internal API (for example: Loggregator, BBS, and TPS) will do so over mutual TLS. This is part of an effort to have all Cloud Foundry internal traffic use mutual TLS in lieu of basic auth. The CC and the other components must now be configured with several new certificates to establish these mTLS connections. For most deployments, *use a shared CA between the CF and Diego deployments*: the CC verifies the client certificate TPS presents against the CA it is configured with, and TPS verifies the CC's server certificate against its own configured CA, so each side must trust the CA that issued the other side's certificate.

Properties changes

For a cf-release deployment manifest, the following properties are *required* for the cloud_controller_ng and cloud_controller_worker jobs:

  properties:
    cc:
      mutual_tls:
        ca_cert:
        public_cert:
        private_key:

Within your diego-release deployment manifest, the following properties are *required* for the tps job:

  properties:
    capi:
      tps:
        cc:
          ca_cert:
          client_cert:
          client_key:

We have *removed* the following properties from the tps job:

- properties.capi.tps.cc.basic_auth_username
- properties.capi.tps.cc.basic_auth_password

Generating certificates

For instructions on how to generate the certificates for these properties, please see this doc: https://github.com/cloudfoundry/capi-release/blob/develop/docs/tls-configuration.md

We hope these changes are clear. If you run into trouble or have questions, please feel free to reach out to us on Slack <https://cloudfoundry.slack.com/messages/capi/>!

- CAPI team
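The following is an added example, not CAPI code and not the cf-release/diego-release configuration itself. It models what the properties above configure: a CC-style server that presents cc.mutual_tls.public_cert/private_key and trusts only cc.mutual_tls.ca_cert for client certificates, and a TPS-style client that verifies the server against capi.tps.cc.ca_cert and presents capi.tps.cc.client_cert/client_key. All certificates are generated in memory with Ruby's OpenSSL bindings; SERVER_NAME, the CA and leaf names, and the helper method names are hypothetical. It exercises three cases over loopback: both sides issued by one shared CA, a client that presents no certificate (the basic-auth-era configuration), and a client whose certificate comes from a CA the CC does not trust (CF and Diego deployed with separate CAs).

```ruby
require 'openssl'
require 'socket'

# Added example, not CAPI code. SERVER_NAME, the helper names and the CA/leaf
# names are hypothetical; the trust relationships mirror cc.mutual_tls.* (server
# side) and capi.tps.cc.* (client side) from the cf-release 252 announcement.
SERVER_NAME = 'cc.internal.example'

# Build an X.509 certificate. issuer is a [cert, key] pair, or nil for a self-signed CA.
def build_cert(subject:, key:, serial:, issuer: nil, ca: false, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = (issuer ? issuer[0] : cert).subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer ? issuer[0] : cert, cert)
  exts = ca ? [['basicConstraints', 'CA:TRUE', true], ['keyUsage', 'keyCertSign,cRLSign', true]] :
              [['basicConstraints', 'CA:FALSE', true], ['keyUsage', 'digitalSignature,keyEncipherment', true],
               ['extendedKeyUsage', 'serverAuth,clientAuth', false], ['subjectAltName', "DNS:#{san}", false]]
  exts.each { |e| cert.add_extension(ef.create_extension(*e)) }
  cert.sign(issuer ? issuer[1] : key, OpenSSL::Digest.new('SHA256'))
  cert
end

def make_ca(name)
  key = OpenSSL::PKey::RSA.new(2048)
  [build_cert(subject: "/CN=#{name}", key: key, serial: 1, ca: true), key]
end

def make_leaf(name, issuer, serial)
  key = OpenSSL::PKey::RSA.new(2048)
  [build_cert(subject: "/CN=#{name}", key: key, serial: serial, issuer: issuer, san: name), key]
end

# CC side: ca_cert is the only trust anchor for client certificates, and a
# client that presents no certificate at all is refused during the handshake.
def cc_server_context(ca_cert, cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = cert, key
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(ca_cert) }
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  ctx
end

# TPS side: ca_cert verifies the CC; cert/key is what TPS presents (nil models
# a client that has no client_cert/client_key configured).
def tps_client_context(ca_cert, cert = nil, key = nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(ca_cert) }
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  ctx.cert, ctx.key = cert, key if cert
  ctx
end

# One handshake over loopback. Returns [client_got_reply, server_view], where
# server_view is the authenticated client subject or :rejected.
def attempt_handshake(server_ctx, client_ctx)
  listener = TCPServer.new('127.0.0.1', 0)
  server_view = nil
  server = Thread.new do
    sock = listener.accept
    begin
      ssl = OpenSSL::SSL::SSLSocket.new(sock, server_ctx).tap { |s| s.sync_close = true }
      ssl.accept                                  # verifies the client cert against ca_cert
      server_view = ssl.peer_cert.subject.to_s
      ssl.puts 'ok'
      ssl.close
    rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError
      server_view = :rejected
      sock.close unless sock.closed?
    end
  end
  client_ok = begin
    tcp = TCPSocket.new('127.0.0.1', listener.addr[1])
    ssl = OpenSSL::SSL::SSLSocket.new(tcp, client_ctx).tap { |s| s.sync_close = true }
    ssl.hostname = SERVER_NAME                    # SNI plus hostname check of the CC cert
    ssl.connect
    ssl.gets == "ok\n"   # under TLS 1.3 a rejected client cert surfaces here, not in connect
  rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError
    false
  ensure
    (ssl || tcp)&.close rescue nil
  end
  server.join
  listener.close
  [client_ok, server_view]
end

def run_demo
  shared_ca = make_ca('shared-cf-diego-ca')            # one CA trusted by both deployments
  cc_cert, cc_key = make_leaf(SERVER_NAME, shared_ca, 2)
  tps_cert, tps_key = make_leaf('tps', shared_ca, 3)
  other_ca = make_ca('separate-diego-ca')              # a CA the CC was not configured with
  rogue_cert, rogue_key = make_leaf('tps', other_ca, 4)
  server = cc_server_context(shared_ca[0], cc_cert, cc_key)
  {
    shared_ca:      attempt_handshake(server, tps_client_context(shared_ca[0], tps_cert, tps_key)),
    no_client_cert: attempt_handshake(server, tps_client_context(shared_ca[0])),
    untrusted_ca:   attempt_handshake(server, tps_client_context(shared_ca[0], rogue_cert, rogue_key))
  }
end

puts run_demo.inspect if $PROGRAM_NAME == __FILE__
```

Only the shared-CA case completes: the server sees the client as /CN=tps and the client gets its reply. A client with no certificate is refused outright (VERIFY_FAIL_IF_NO_PEER_CERT), and a certificate chaining to a CA the server was not given fails verification even though its subject says "tps". That is the failure a split-CA deployment hits, and why the announcement recommends one CA shared between the CF and Diego manifests. Note the client-side comment: with TLS 1.3 the client's own handshake can finish before the server has evaluated its certificate, so a rejection only shows up on the first read.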