|
Re: Proposal for Incubation in the Extensions PMC: MultiApps
Zach Robinson
Excited to see this proposed Nikolay! Nikolay has been sharing this project with some of the core teams over the last couple of months. We have even been giving some thought to adopting some of the behaviors and/or code from this extension into core CF. Some aspects I think are especially interesting: - declarative manifest behavior - an opinionated packaging structure - deployment orchestration CAPI is especially excited to see whether the community takes to some of this tooling as potential guidance for future roadmap. -Zach CAPI Project Lead
On Tue, Mar 20, 2018 at 9:35 AM Nikolay Valchev <nikolay.valchev@...> wrote:
|
|
|
|
Proposal for Incubation in the Extensions PMC: MultiApps
Nikolay Valchev
Hi All,
SAP is proposing MultiApps (aka CF MTA deploy service) for inclusion in the Extensions PMC as a new incubating project. MultiApps is envisioned to provide the missing higher-level lifecycle management capabilities for distributed applications in Cloud Foundry. It proposes a new declarative application model and corresponding tools helping developers achieve the following goals:
MultiApps is currently available on GitHub [1].
Details: Project Name: MultiApps Project Proposal: See [2]. Proposed Project Leads: Nikolay Valchev, SAP Proposed Scope: See [2] Development Operating Model: Dedicated committers (local) Technical Approach: CF CLI plugin and server application automating lifecycle operations Please let us know if you have any questions or feedback.
Best regards, Nikolay Valchev Development Architect and Product Owner, SAP
[1] https://github.com/SAP/cf-mta-deploy-service [2] https://docs.google.com/document/d/1TCx_2gv2_n-StcV4lzbbaD4rma9HfaRG7O9wb6-egk4
|
|
|
|
FINAL REMINDER: CAB call for March is Wednesday 03/21 @ 8a PST
Michael Maximilien
FYI...
toggle quoted messageShow quoted text
See below. Zoom soon. Best, dr.max ibm ☁ silicon valley, ca dr.max ibm ☁ silicon valley, ca
On Mar 14, 2018, at 12:06 PM, Michael Maximilien <maxim@...> wrote:
|
|
|
|
Re: A New Packaging Approach - CLI Tools Pushing Apps and the Story about the #loggregator “space drain” experiment
#loggregator
Mike Youngstrom
It is an interesting idea/concept. I'd say the auth model is a significant Con and potential large hurdle. I'm assuming the username and password passed with the cli is then used by the pushed app to continually query the space for new apps and bind the service, correct? I'm interested in seeing what UAA and Perm could come up with to improve this. It seems you'd either need to dynamically generate a service account with developer access to the space. Or figure out some way to give apps running in a space the ability to create a token to do management operations in the space it exists in. Neither seems very simple. Another Con would be lack of operator control over upgrading such a feature. If new versions this app are released end users would need to know to run the command again to upgrade it. Might be tricky as CC APIs evolve and such. Anything that the user doesn't feel like they have ownership over I as the operator would like to be able to upgrade for them. A CLI plugin pushed app sits in the middle somewhere. It seems to me a simpler approach to the original problem of sending all logs for apps in a space to a drain could be solved with a service broker. This broker would need CF_ADMIN client credentials but could simply scan all spaces for instances of itself then binding itself to all apps in spaces where it finds itself. As a broker it could be upgraded by the operators and would provide less permission complexities. Thoughts? Mike
On Mon, Mar 19, 2018 at 4:17 PM, Adam Hevenor <ahevenor@...> wrote:
|
|
|
|
A New Packaging Approach - CLI Tools Pushing Apps and the Story about the #loggregator “space drain” experiment
#loggregator
Back Story Space Drain But our noisy neighbor nozzle experience got us thinking. What if we we packaged an application with the CLI that was pushed when you ran a command, and that application managed the drain bindings for all the apps in your space. All of a sudden an initiative that involved 3 or more teams, was simplified into a 4 or 5 points in our backlog. Part of the work was figuring out some of the packaging technique so we ended up cutting a version of this in the latest cf-drain release. (It’s helpful for context to try this out which you can do so with the following command.) Feedback & Pro / Cons Pro’s
Con’s
|
|
|
|
Re: Feedback request: Disable logging Client IP’s in the Gorouter logs for compliance with the EU General Data Protection Regulation (GDPR)
Stefan Mayr
Hi,
Am 13.03.2018 um 00:39 schrieb Shubha Anjur Tupil: Hello everyone,Our deployment scenario is #2. The L7 load balancer inserts a X-Forwarded-For header. 2. Is there a compelling reason from an operator perspective forAll external request to gorouter are coming through the L7 load balancer. So for most debugging use cases the load balancer IP in gorouter access log would not provide any value - but the client IP from the X-Forwarded-For header does. This brings up another point: it is not generally forbidden to store ip addresses for specific uses cases, at least in germany. E.g, as far as I understand the current situation we are allowed the store IP addresses for defense or debugging purpose for a limited time if (!) this is documented in the public data privacy statement. It looks like 1-2 weeks are generally acceptable for this use case. 3. Does the user experience benefit by having just one option outweighFor us this would not provide any advantage to have seperate configuration options. If we cannot limit the timeframe keept by logrotation we would disable IP logging. We would love to hear from you if you have thoughts on this.This topics raises some other questions about the IP addresses being passed around in multiple components. gorouter creates the RTR log messages that we can read from loggregator. Does loggregator buffer those messages or disk or is this only kept in memory? When is this information purged from loggregator? Next component we see is the buildpack. Some also show classic access log information on stdout. Did anybody check if none of the buildpacks writes this information to disk? Regards, Stefan
|
|
|
|
Re: Cloud Foundry and Kubernetes Integration Efforts
Krannich, Bernd <bernd.krannich@...>
Hello Shannon,
I think you are referring to my original mail that was pointing to four documents in total, correct?
Please let me know if you continue to face issues with commenting in any of the docs.
Thanks in advance, Bernd
From: <cf-dev@...> on behalf of Shannon Coen <scoen@...>
Hello Bernd,
Would you please grant anyone with the link permissions to comment on these docs?
Thank you.
Shannon Coen Product Manager, Cloud Foundry Pivotal, Inc.
On Fri, Jan 5, 2018 at 4:03 PM, Adam Hevenor <ahevenor@...>
wrote:
|
|
|
|
Identifying CF Resources
Christopher Brown <cbrown@...>
Hi all, The Permissions component ("Perm") we're building to store and evaluate roles for Cloud Foundry needs to be able to identify resources across component boundaries so that it knows which policies to apply for any given permission check. AWS does this using their ARN scheme. I'd like to work out if something like this would be the correct approach for Perm. We'd like to find something which can identify resources across foundations and encode the object hierarchy into the resource identifier. For example, an application inside PWS could be identified by: pws:cc:application/[org guid]/[space guid]/[app guid] I don't want to get too into the weeds of the exact format yet but if you:
then I'd be interested in talking with you about this requirement and what the solution could look like. All the best, Christopher CF Permissions PM
|
|
|
|
Re: Cloud Foundry and Kubernetes Integration Efforts
Shannon Coen
Hello Bernd, Would you please grant anyone with the link permissions to comment on these docs? Thank you. Shannon Coen Product Manager, Cloud Foundry Pivotal, Inc.
On Fri, Jan 5, 2018 at 4:03 PM, Adam Hevenor <ahevenor@...> wrote: Bernd -
|
|
|
|
Re: Feature Narrative - Isolated Loggregator Components
Mike Youngstrom
Thanks for posting this Adam. I love the direction and improvements the Loggregator team has been working towards lately! Isolation segment support will be yet another plus. Mike
On Tue, Mar 13, 2018 at 12:26 PM, Adam Hevenor <ahevenor@...> wrote: One of the benefits we see of having re-engineered the persistance layer of Loggregator (see log-cache announcement) is a simpler architecture which can be deployed to multiple times within Cloud Foundry Application Runtime. This makes the concept of isolation segments one that works nicely with Loggregator, which is a feature we have received consistent feedback on over the last year.
|
|
|
|
Re: Designing a new routing tier for Cloud Foundry
Shannon Coen
FWIW, on Feb 26th we shared more context on this initiative here:
http://cf-dev.70369.x6.nabble.com/cf-dev-Additional-context-on-Istio-integration-td8408.html#a8411 https://docs.google.com/document/d/1LgLY0g39fzpg1_4zTckbH1mOuuSKGvYwp2tkakoe9ys/edit# -- Sent from: http://cf-dev.70369.x6.nabble.com/
|
|
|
|
Re: Announcing DNS-based service discovery for container networking
Michael Maximilien
Congrats to the team and to you Usha for getting this done with a heterogeneous group. Looks really good to me, well done. Yet another feature that’s helping CF push the envelop of cloud application development and management, while remaining simple and easy to use. Cheers, Max
On Thu, Mar 15, 2018 at 9:54 AM Usha Ramachandran <uramachandran@...> wrote:
--
dr.max
Sent from my iPhone
http://maximilien.org
|
|
|
|
CF routing-release 0.174.0
Shubha Anjur Tupil
Hi, We cut a release yesterday evening. The release included a fix for an issue we discovered on PWS while rolling out a feature to enable TLS between Gorouter and backend applications. - When a connection to a TLS enabled backend fails, Gorouter tries to send a request to another backend of the app before returning a response to the client. In an environment where some backends are TLS enabled and some are not, if the Gorouter first chooses a TLS enabled backend and fails, and if it subsequently chooses a non TLS backend, then it will appropriately use a plain text request. [details](https://www.pivotaltracker.com/story/show/155981374) Regards, Shubha & Shannon Product Manager, Routing
|
|
|
|
Announcing DNS-based service discovery for container networking
Usha Ramachandran
Hello everyone, We are excited to announce the availability of DNS-based polyglot service discovery on Cloud Foundry. With this feature, Cloud Foundry apps in all languages and frameworks can leverage container-to-container networking. Many Cloud Foundry teams came together to deliver this feature. A big thank you to CAPI, Routing, Diego, BOSH, CLI and Release Integration teams for their participation in conversations and cross-team development. To find out more about the feature and the use cases, read this blog post. To try it out, follow our instructions to deploy with cf-deployment v1.17.0 or later. Polyglot service discovery is currently an experimental feature. It is deployed to Pivotal Web Services, where we will watch it and make generally available if all goes well. We look forward to your feedback! Please reach out to us on #container-networking on Cloud Foundry slack if you have any questions! Thank you, CF Networking Team
|
|
|
|
Re: CF CLI v6.35.0 Release Today - service instance sharing; client credentials
Gowrisankar M
Hello All, CF services sharing when it will be available for user-provided services? BRs,Gowrisankar
On Thu, Mar 15, 2018 at 12:53 AM, Matthias Winzeler <matthias.winzeler@...> wrote:
|
|
|
|
CF CLI v6.35.1 Release Today - patch for services issue
Jay Badenhope <jbadenhope@...>
Fixed regressions
Other fixes
Thanks for reading. Jay --
|
|
|
|
Re: CF CLI v6.35.0 Release Today - service instance sharing; client credentials
Matthias Winzeler
Hi Tian Thanks for the information - this sounds good. We're looking forward for clients with user permission since this will solve the issue with SAML federated users who want to interact with the API interactively (currently not possible, so we create local users for them). -Matthias 2018-03-14 20:02 GMT+01:00 Tian Wang <tiwang@...>:
--
|
|
|
|
REMINDER: CAB call for March is Wednesday 03/21 @ 8a PST
Michael Maximilien
FYI... Reminder that the CAB call for March is scheduled for next Wednesday 03/21 @ 8a PST. WIP agenda and zoom info in [1] but summary here:
a. MS SQL Service Broker proposal [3] by Jared Gordon of Pivotal and team (Pivotal and Microsoft) b. CF-Dev [4] proposal [5] by Stephen Levine of Pivotal I will send one more reminder next week on this list. Zoom soon. Best, PS: next month the CAB call will be during CF Summit in Boston and we will try to get a room so we can do it live! If you will be at summit, plan to join us. ------ dr.max ibm ☁ silicon valley, ca
|
|
|
|
Re: CF CLI v6.35.0 Release Today - service instance sharing; client credentials
Tian Wang
Hi Matthias, The service accounts feature today works for global scopes on clients created in UAA such as `cloud_controller.admin` and `cloud_controller.admin_read_ The current plan is to integrate down the line with the Perm project which will provide the ability to assign clients with space and org fine-grained authorizations, so that they can act essentially the same as a user. Regards, Tian
On Sat, Mar 10, 2018 at 12:52 AM, Matthias Winzeler <matthias.winzeler@...> wrote:
|
|
|
|
Windows Acceptance Tests
Ashley Hathaway
Hello all! This is a heads up that the Garden Windows team has completed simplifying our test suite by moving Windows Acceptance Tests (WATs) into CF Acceptance Tests (CATs). CATs can now be configured to run tests against a CF deployment with Windows cells. The WATs repo will be moved into the cloudfoundry-attic in 60 days (mid-May). We recommend within this time if you can move off WATs please do so. For any feedback or thoughts please feel free to reach out. We're also available on the CF #garden-windows Slack  Thanks! The Garden Windows Team
|
|
|