Date   

Re: KubeCF 2.5.0 Is Out

Dieu Cao
 

Congrats KubeCF team!

-Dieu


From: cf-dev@... <cf-dev@...> on behalf of Krannich, Bernd via lists.cloudfoundry.org <bernd.krannich=sap.com@...>
Sent: Thursday, September 24, 2020 6:34 AM
To: cf-dev@... <cf-dev@...>
Subject: Re: [cf-dev] KubeCF 2.5.0 Is Out
 

Congrats to the KubeCF team!

 

Cheers,

Bernd

 

From: <cf-dev@...> on behalf of Chip Childers <cchilders@...>
Reply-To: "cf-dev@..." <cf-dev@...>
Date: Thursday, 24. September 2020 at 15:28
To: CF Developers Mailing List <cf-dev@...>
Subject: Re: [cf-dev] KubeCF 2.5.0 Is Out

 

+1 - Great accomplishment KubeCF team!


Chip Childers

Executive Director

Cloud Foundry Foundation

 

 

On Thu, Sep 24, 2020 8:07 AM, Simon D Moser smoser@... wrote:

Awesome! Great Job team - and we have container 2 container networking now in KubeCF, which is really great! Go CF Community!  

Mit freundlichen Grüßen / Kind regards

Simon Moser

Senior Technical Staff Member / IBM Master Inventor
Bluemix Application Platform Lead Architect
Dept. C727, IBM Research & Development Boeblingen

-------------------------------------------------------------------------------------------------------------------------------------------
IBM Deutschland Research & Development GmbH
Schoenaicher Str. 220
71032 Boeblingen
Phone: +49-7031-16-4304
Fax: +49-7031-16-4890
E-Mail: smoser@...
-------------------------------------------------------------------------------------------------------------------------------------------
Vorsitzender des Aufsichtsrats: Gregor Pillen
Geschäftsführung: Dirk Wittkopp
Sitz der Gesellschaft: Böblingen
Registergericht: Amtsgericht Stuttgart, HRB 243294

*******
ITIL has led people to think in siloes ("go fix change management").
Project Management has led people to think in finite units of work instead of streams of product.
Both are fundamental dysfunctions of the framework model, not failures of execution.
Rob England



From:        "Jaime Gomes" <jaime.gomes@...>
To:        cf-dev@...
Date:        24/09/2020 10:03
Subject:        [EXTERNAL] [cf-dev] KubeCF 2.5.0 Is Out
Sent by:        cf-dev@...





Hey,
I am proud to announce another important milestone for KubeCF - the release of v2.5.0.This release reflects the intensive work integrating Eirini and the C2C networking support.
So, I am inviting everyone to check first therelease notes, take it for a spin and share the experience through the Slack channel (#kubecf-dev), where the team is promptly replying to any question from the community, and on Github, for bugs and features requests.
Thanks to everyone for the work and participation.
KubeCF




Stratos 4.1.0

Richard Cox
 

Hi All,

It gives me great pleasure to announce Stratos 4.1.0

Highlights include...
  • Support for Stratos API Keys
  • Endpoints list bug fixes and visual improvements
  • Bug fixes for fetching Gitlab and Github information when selecting source for an application
  • Add "The last day" to metrics time range selector

We welcome your feedback, comments and bug reports. Please feel free to raise them in github (https://github.com/cloudfoundry/stratos) or reach out directly to us in slack (#stratos)

Regards,

Richard Cox
on behalf of the Stratos team


Re: KubeCF 2.5.0 Is Out

Krannich, Bernd
 

Congrats to the KubeCF team!

 

Cheers,

Bernd

 

From: <cf-dev@...> on behalf of Chip Childers <cchilders@...>
Reply-To: "cf-dev@..." <cf-dev@...>
Date: Thursday, 24. September 2020 at 15:28
To: CF Developers Mailing List <cf-dev@...>
Subject: Re: [cf-dev] KubeCF 2.5.0 Is Out

 

+1 - Great accomplishment KubeCF team!


Chip Childers

Executive Director

Cloud Foundry Foundation

 

 

On Thu, Sep 24, 2020 8:07 AM, Simon D Moser smoser@... wrote:

Awesome! Great Job team - and we have container 2 container networking now in KubeCF, which is really great! Go CF Community!  

Mit freundlichen Grüßen / Kind regards

Simon Moser

Senior Technical Staff Member / IBM Master Inventor
Bluemix Application Platform Lead Architect
Dept. C727, IBM Research & Development Boeblingen

-------------------------------------------------------------------------------------------------------------------------------------------
IBM Deutschland Research & Development GmbH
Schoenaicher Str. 220
71032 Boeblingen
Phone: +49-7031-16-4304
Fax: +49-7031-16-4890
E-Mail: smoser@...
-------------------------------------------------------------------------------------------------------------------------------------------
Vorsitzender des Aufsichtsrats: Gregor Pillen
Geschäftsführung: Dirk Wittkopp
Sitz der Gesellschaft: Böblingen
Registergericht: Amtsgericht Stuttgart, HRB 243294

*******
ITIL has led people to think in siloes ("go fix change management").
Project Management has led people to think in finite units of work instead of streams of product.
Both are fundamental dysfunctions of the framework model, not failures of execution.
Rob England



From:        "Jaime Gomes" <jaime.gomes@...>
To:        cf-dev@...
Date:        24/09/2020 10:03
Subject:        [EXTERNAL] [cf-dev] KubeCF 2.5.0 Is Out
Sent by:        cf-dev@...





Hey,
I am proud to announce another important milestone for KubeCF - the release of v2.5.0.This release reflects the intensive work integrating Eirini and the C2C networking support.
So, I am inviting everyone to check first therelease notes, take it for a spin and share the experience through the Slack channel (#kubecf-dev), where the team is promptly replying to any question from the community, and on Github, for bugs and features requests.
Thanks to everyone for the work and participation.
KubeCF




Re: KubeCF 2.5.0 Is Out

Chip Childers
 

+1 - Great accomplishment KubeCF team!

Chip Childers
Executive Director
Cloud Foundry Foundation



On Thu, Sep 24, 2020 8:07 AM, Simon D Moser smoser@... wrote:
Awesome! Great Job team - and we have container 2 container networking now in KubeCF, which is really great! Go CF Community!  

Mit freundlichen Grüßen / Kind regards

Simon Moser

Senior Technical Staff Member / IBM Master Inventor
Bluemix Application Platform Lead Architect
Dept. C727, IBM Research & Development Boeblingen

-------------------------------------------------------------------------------------------------------------------------------------------
IBM Deutschland Research & Development GmbH
Schoenaicher Str. 220
71032 Boeblingen
Phone: +49-7031-16-4304
Fax: +49-7031-16-4890
E-Mail: smoser@...
-------------------------------------------------------------------------------------------------------------------------------------------
Vorsitzender des Aufsichtsrats: Gregor Pillen
Geschäftsführung: Dirk Wittkopp
Sitz der Gesellschaft: Böblingen
Registergericht: Amtsgericht Stuttgart, HRB 243294

*******
ITIL has led people to think in siloes ("go fix change management").
Project Management has led people to think in finite units of work instead of streams of product.
Both are fundamental dysfunctions of the framework model, not failures of execution.
⁃ Rob England




From:        "Jaime Gomes" <jaime.gomes@...>
To:        cf-dev@...
Date:        24/09/2020 10:03
Subject:        [EXTERNAL] [cf-dev] KubeCF 2.5.0 Is Out
Sent by:        cf-dev@...




Hey,
I am proud to announce another important milestone for KubeCF - the release of v2.5.0.This release reflects the intensive work integrating Eirini and the C2C networking support.
So, I am inviting everyone to check first therelease notes, take it for a spin and share the experience through the Slack channel (#kubecf-dev), where the team is promptly replying to any question from the community, and on Github, for bugs and features requests.
Thanks to everyone for the work and participation.
KubeCF





Re: KubeCF 2.5.0 Is Out

Simon D Moser
 

Awesome! Great Job team - and we have container 2 container networking now in KubeCF, which is really great! Go CF Community!  

Mit freundlichen Grüßen / Kind regards

Simon Moser

Senior Technical Staff Member / IBM Master Inventor
Bluemix Application Platform Lead Architect
Dept. C727, IBM Research & Development Boeblingen

-------------------------------------------------------------------------------------------------------------------------------------------
IBM Deutschland Research & Development GmbH
Schoenaicher Str. 220
71032 Boeblingen
Phone: +49-7031-16-4304
Fax: +49-7031-16-4890
E-Mail: smoser@...
-------------------------------------------------------------------------------------------------------------------------------------------
Vorsitzender des Aufsichtsrats: Gregor Pillen
Geschäftsführung: Dirk Wittkopp
Sitz der Gesellschaft: Böblingen
Registergericht: Amtsgericht Stuttgart, HRB 243294

*******

ITIL has led people to think in siloes ("go fix change management").
Project Management has led people to think in finite units of work instead of streams of product.
Both are fundamental dysfunctions of the framework model, not failures of execution.
⁃ Rob England




From:        "Jaime Gomes" <jaime.gomes@...>
To:        cf-dev@...
Date:        24/09/2020 10:03
Subject:        [EXTERNAL] [cf-dev] KubeCF 2.5.0 Is Out
Sent by:        cf-dev@...




Hey,
I am proud to announce another important milestone for KubeCF - the release of v2.5.0.This release reflects the intensive work integrating Eirini and the C2C networking support.
So, I am inviting everyone to check first therelease notes, take it for a spin and share the experience through the Slack channel (#kubecf-dev), where the team is promptly replying to any question from the community, and on Github, for bugs and features requests.
Thanks to everyone for the work and participation.
KubeCF





KubeCF 2.5.0 Is Out

Jaime Gomes
 

Hey,

I am proud to announce another important milestone for KubeCF - the release of v2.5.0. This release reflects the intensive work integrating Eirini and the C2C networking support.

So, I am inviting everyone to check first the release notes, take it for a spin and share the experience through the Slack channel (#kubecf-dev), where the team is promptly replying to any question from the community, and on Github, for bugs and features requests.

Thanks to everyone for the work and participation.
KubeCF


Community awards nomination form - Respond by Monday!

Chip Childers
 

Hey folks... sorry about bumping the wrong form. Here's the post requesting nominations for community awards at summit!

https://www.cloudfoundry.org/blog/nominate-your-cloud-foundry-community-for-summit-awards-until-9-24/


Chip Childers
Executive Director
Cloud Foundry Foundation


Re: Cloud Foundry Summit Europe 2020 CFP Co-Chair Voting Form

Chip Childers
 

Sorry folks. Ignore the form below. Wrong form to bump in the list. :(

Chip Childers
Executive Director
Cloud Foundry Foundation



On Wed, Sep 23, 2020 4:09 PM, Chip Childers cchilders@... wrote:
Hi all! We're getting some great submissions for the community awards so far, but I know how busy the community is these days. We're extending the deadline until Monday to give those that are heads-down on project work a little more time.

If you haven't already, take some time to nominate your fellow community members, project team colleagues, etc...

Chip Childers
Executive Director
Cloud Foundry Foundation



On Wed, Sep 2, 2020 2:58 PM, Paige O'Connor poconnor@... wrote:
Google Forms
I've invited you to fill out a form:
Cloud Foundry Summit Europe 2020 CFP Co-Chair Voting Form
Cloud Foundry is looking to the community to vote for Co-Chairs to help curate content for Cloud Foundry Summit Europe 2020. Please vote on the nominated co-chairs next to each category to select the final co-chairs. Final co-chairs will be announced on Thursday, September 10.

Voting ends September 8, 2020 at 11:59pm PST.
Fill out form
Create your own Google Form


Re: Cloud Foundry Summit Europe 2020 CFP Co-Chair Voting Form

Chip Childers
 

Hi all! We're getting some great submissions for the community awards so far, but I know how busy the community is these days. We're extending the deadline until Monday to give those that are heads-down on project work a little more time.

If you haven't already, take some time to nominate your fellow community members, project team colleagues, etc...

Chip Childers
Executive Director
Cloud Foundry Foundation



On Wed, Sep 2, 2020 2:58 PM, Paige O'Connor poconnor@... wrote:
Google Forms
I've invited you to fill out a form:
Cloud Foundry Summit Europe 2020 CFP Co-Chair Voting Form
Cloud Foundry is looking to the community to vote for Co-Chairs to help curate content for Cloud Foundry Summit Europe 2020. Please vote on the nominated co-chairs next to each category to select the final co-chairs. Final co-chairs will be announced on Thursday, September 10.

Voting ends September 8, 2020 at 11:59pm PST.
Fill out form
Create your own Google Form


Cloud Foundry Summit Europe Virtual Schedule is Now Live!

Chip Childers
 

Hi All, 
Cloud Foundry Summit Europe 2020 schedule is now live!

The Summit will be held online over two half-days on Wednesday, October 21st and Thursday, October 22nd on Central European Summer Time.

Read the full press release here: 


Don't forget you can register here for free using this code: CFEU20CONT


We look forward to "seeing" you all at Summit!

Chip Childers
Executive Director
Cloud Foundry Foundation


Re: UAA api /introspect does not seem to be workign as expected #uaa

Shetty, Viraj S [CTR]
 

Jeremy, 

Thanks for your help ! I found what the problem was. 

I ran a local copy of the UAA on my laptop, pointing to the cloud database and ran your testcases; it all worked as expected ! I was able to use the /introspect endpoint with the bearer token. 

So, I started comparing the differences in the uaa.yml file (default and our yaml) and found that the problem was the setting in my uaa.yml file which excluded authorities in the tokens. 

    claims:
      exclude:
        - authorities

The default uaa.yml had this commented and I just uncommented it while deploying our UAA  When I removed this setting, I am able to use the /introspect with the bearer token. I could also see that the token for the client introspect-test now has the authorities set as below. Looks like the UAA code is looking at "authorities" claim and not the "scope" claim.  Is that expected ?

  "authorities": [
    "uaa.resource"
  ],
  "scope": [
    "uaa.resource"
  ],

I am just wondering why that option (exclude authorities) is there in the first place and if removing that option affects
anything else.

Thanks,
Viraj

 


Re: TLS for everything

caitlyny@...
 

Hi Jon,

I provided an update for #2 within the issue on Github.

Caitlyn


Re: TLS for everything

Jon Price
 

Hi David,

 

Done – Issue 906.

 

I too have been involved in several conversations over the past several years about this, back in 2015 we had a meeting with Dieu Cao (Hi Dieu!) and the former chief security officer a Pivotal, Justin Smith about this and I also did a talk at the 2015 CF Summit about using IPsec. 

 

It’s exciting to see how close we are getting to securing every endpoint, only a few more thousand lines of PEM text in the deployment manifest and we are done!

 

-- Jon Price

 

From: cf-dev@... <cf-dev@...> On Behalf Of David McClure
Sent: Tuesday, September 15, 2020 4:36 PM
To: cf-dev@...
Subject: Re: [cf-dev] TLS for everything

 

Hi everyone,

 

Glad to see this conversation happening. I've been involved in several conversations about this over the years but I'm not sure what public artifacts exist about these efforts. Historically, it has been a challenge to organize so-called "cross-cutting efforts" that require the involvement of many different teams and it may be especially challenging now that much of the community has shifted its focus to developing cf-for-k8s.

 

That said, here's a thought: perhaps we can approach this feature request and other "cross-cutting" features for cf-for-vms with the following strategy going forward:

 

  1. Create an issue to track this feature of cf-for-vms in the cf-deployment github repo
    https://github.com/cloudfoundry/cf-deployment/issues
  2. While it's good to continue discussing this anywhere and everywhere (Slack, email, etc), let's make that that Github issue the canonical home for discussion about this going forward and try to "close the loop" back there if discussions are had elsewhere.
  3. If separate issues can be carved out for specific components, create issues on their repositories and link them back to the Github issue on cf-deployment.
    Github's auto-linking between issues should help us make these more discoverable, regardless of which direction the link is going.

Jon, would you like to do the honors as the thread starter here?

 


From: cf-dev@... <cf-dev@...> on behalf of Miki Mokrysz via lists.cloudfoundry.org <miki.mokrysz=digital.cabinet-office.gov.uk@...>
Sent: Tuesday, September 15, 2020 11:41 AM
To: cf-dev@... <cf-dev@...>
Subject: Re: [cf-dev] TLS for everything

 

+1 on desiring everything to be encrypted on the network.

 

We’re under the impression that Silk (apps.internal) traffic between cells is also unencrypted.

On Tuesday, 15 September 2020, Peter Burkholder via lists.cloudfoundry.org <peter.burkholder=gsa.gov@...> wrote:

We may run into similar requirements for cloud.gov, so TLS everywhere would be A+.

 

On Tue, Sep 15, 2020 at 1:45 PM Jon Price <jon.price@...> wrote:

Hi everyone,
There has been a lot of excellent progress in securing all CF traffic with TLS and as far as I can tell there are only a few things that are still unencrypted. 
Is there a timeline or any plans for these last few things?  

1) routing-api - still using both TLS and non-TLS in the cf-deployment.  The http endpoint is what is registered in the router.  Is there a reason for still enabling both?

2) metrics-discovery-registrar-windows - not using nats-tls hostname, falling back to 4222

3) route_registrar - not using nats-tls

4) gorouter - not using nats-tls

We have a requirement that all traffic on the network is encrypted and I would really love to stop running IPsec. :)

Jon Price
Intel Corp.



--

Peter Burkholder |  cloud.gov compliance & security

please use cloud-gov-compliance@... for cloud.gov matters

 


Re: UAA api /introspect does not seem to be workign as expected #uaa

Shetty, Viraj S [CTR]
 

Hi Jeremy, 

Thanks for that testcase. I followed your testcase on our UAA Server except with one change; since we are setup with MFA, I used the uaac token sso to get Marissas token. The UAA app version is 74.24.0 and the UAAC version is 4.2.0. You can see I got the access denied error that I received with Postman. I attached snippet of the log errors. Also, I upgraded to UAA 74.24.0 by downloading source from https://github.com/cloudfoundry/uaa/archive/v74.24.0.zip  and compiling it using gradle. I am wondering if I am doing something incorrect during installation. Next I will try with a brand new intallation and see if that works. 


----- Command entered -----

COMMAND> uaac version
UAA client 4.2.0
 
COMMAND> uaac info
Unknown key: Max-Age = 86400
  app
    version: 74.24.0
{truncated} 
 
COMMAND> uaac token client get admin
Client secret:  ************************
 
Successfully fetched token via client credentials grant.
Target: https://*****************
Context: admin, from client admin
 
 
COMMAND> uaac client add introspect-test --scope uaa.none --authorized_grant_types client_credentials --authorities uaa.resource
New client secret:  ***************
Verify new client secret:  ***************
  scope: uaa.none
  client_id: introspect-test
  resource_ids: none
  authorized_grant_types: client_credentials
  autoapprove:
  authorities: uaa.resource
  name: introspect-test
  required_user_groups:
  lastmodified: 1600268652000
  id: introspect-test
  
PS C:\Users\vshetty\source\repos\pservices-cyberark-api\bin> uaac user add marissa --given_name marissa --family_name koala
 --emails marisa@...
Password:  *****
Verify password:  *****
user account successfully added
 
COMMAND> uaac token sso get seswt-uaa-cli
Client secret:
Passcode (from https://********/passcode):  ******
 
Successfully fetched token via owner passcode grant.
Target: https://***************
Context: marissa, from client seswt-uaa-cli
 
COMMAND> uaac context marissa
{ captured Marissa's token }
 
COMMAND> uaac token client get introspect-test
Client secret:  ***************
{ double checked that the token has the uaa.resource scope }

Successfully fetched token via client credentials grant.
Target: https://**************
Context: introspect-test, from client introspect-test
 
# MARISSA-TOKEN is actual token 
COMMAND> uaac curl --trace /introspect -X POST -d "token=MARISSA-TOKEN"
POST https://*****/introspect
REQUEST BODY: "token=MARISSA-TOKEN"
 
403 Forbidden
RESPONSE HEADERS:
  Date: Wed, 16 Sep 2020 15:18:29 GMT
  Content-Type: application/json
  Transfer-Encoding: chunked
  Connection: close
  Vary: Accept-Encoding
  Cache-Control: no-store
  Pragma: no-cache
  Strict-Transport-Security: max-age=31536000 ; includeSubDomains
  X-Content-Type-Options: nosniff
  X-Vcap-Request-Id: 86dbda61-e43d-43e9-650f-2150836c4ea0
  X-Xss-Protection: 1; mode=block
  X-Frame-Options: DENY
RESPONSE BODY:
{
  "error": "access_denied",
  "error_description": "Access is denied"
}

--- Log file contents --- 

   2020-09-16T11:55:55.44-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.448] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- JdbcTemplate: Executing prepared SQL query
   2020-09-16T11:55:55.44-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.448] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- JdbcTemplate: Executing prepared SQL statement [select id,version,created,lastmodified,name,subdomain,description,config,active from identity_zone where subdomain=? and active = ?]
   2020-09-16T11:55:55.44-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.449] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DataSourceUtils: Fetching JDBC Connection from DataSource
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.451] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- StatementCreatorUtils: Setting SQL statement parameter value: column index 1, parameter value [], value class [java.lang.String], SQL type unknown
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.451] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- StatementCreatorUtils: Setting SQL statement parameter value: column index 2, parameter value [true], value class [java.lang.Boolean], SQL type unknown
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 7 of 20 in additional filter chain; firing Filter: 'DisableIdTokenResponseTypeFilter'
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DisableIdTokenResponseTypeFilter: Processing id_token disable filter
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DisableIdTokenResponseTypeFilter: pre id_token disable:false pathinfo:null request_uri:/introspect response_type:null
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DisableIdTokenResponseTypeFilter: post id_token disable:false pathinfo:null request_uri:/introspect response_type:null
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 8 of 20 in additional filter chain; firing Filter: 'HttpsEnforcementFilter'
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- SecurityFilterChainPostProcessor$HttpsEnforcementFilter: Filter chain 'introspectSecurity' processing request POST /introspect
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 9 of 20 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 10 of 20 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 11 of 20 in additional filter chain; firing Filter: 'HeaderWriterFilter'
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 12 of 20 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter'
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- SESSION_LOGGER: No session found by id: Caching result for getSession(false) for this HttpServletRequest.
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.462] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- JdbcTemplate: Executing prepared SQL query
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.463] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- JdbcTemplate: Executing prepared SQL statement [select client_id, client_secret, resource_ids, scope, authorized_grant_types, web_server_redirect_uri, authorities, access_token_validity, refresh_token_validity, additional_information, autoapprove, lastmodified, required_user_groups from oauth_client_details where client_id = ? and identity_zone_id = ?]
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.463] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DataSourceUtils: Fetching JDBC Connection from DataSource
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.464] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- StatementCreatorUtils: Setting SQL statement parameter value: column index 1, parameter value [introspect-test], value class [java.lang.String], SQL type unknown
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.464] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- StatementCreatorUtils: Setting SQL statement parameter value: column index 2, parameter value [uaa], value class [java.lang.String], SQL type unknown
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- OAuth2AuthenticationProcessingFilter: Authentication success: org.cloudfoundry.identity.uaa.oauth.UaaOauth2Authentication@37a34f31: Principal: introspect-test; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=167.176.6.240, tokenType=BearertokenValue=<TOKEN>; Granted Authorities: password.write, scim.userids, scim.me, openid, oauth.approvals, uaa.offline_token, profile, roles, user_attributes, uaa.user
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 13 of 20 in additional filter chain; firing Filter: 'IdentityZoneSwitchingFilter'
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 14 of 20 in additional filter chain; firing Filter: 'DisableUserManagementSecurityFilter'
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 15 of 20 in additional filter chain; firing Filter: 'DisableInternalUserManagementFilter'
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 16 of 20 in additional filter chain; firing Filter: 'ClientBasicAuthenticationFilter'
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 17 of 20 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 18 of 20 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 19 of 20 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.467] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterSecurityInterceptor: Secure object: FilterInvocation: URL: /introspect; Attributes: [#oauth2.throwOnError(hasAuthority('uaa.resource'))]
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.467] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterSecurityInterceptor: Previously Authenticated: org.cloudfoundry.identity.uaa.oauth.UaaOauth2Authentication@37a34f31: Principal: introspect-test; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=167.176.6.240, tokenType=BearertokenValue=<TOKEN>; Granted Authorities: password.write, scim.userids, scim.me, openid, oauth.approvals, uaa.offline_token, profile, roles, user_attributes, uaa.user
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.499] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- AffirmativeBased: Voter: org.springframework.security.web.access.expression.WebExpressionVoter@17088b23, returned: -1
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.500] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- ReloadableResourceBundleMessageSource: Loading properties [messages.properties]
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.503] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- ReloadableResourceBundleMessageSource: No properties file found for [classpath:messages_en] - neither plain properties nor XML
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.504] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- ReloadableResourceBundleMessageSource: No properties file found for [classpath:messages_en_US] - neither plain properties nor XML
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.505] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- DefaultListableBeanFactory: Returning cached instance of singleton bean 'scimUserBootstrap'
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.505] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- DefaultListableBeanFactory: Returning cached instance of singleton bean 'delegatingApplicationListener'
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.505] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- ExceptionTranslationFilter: Access is denied (user is not anonymous); delegating to AccessDeniedHandler
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT org.springframework.security.access.AccessDeniedException: Access is denied
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.3.2.RELEASE.jar:5.3.2.RELEASE]
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.3.2.RELEASE.jar:5.3.2.RELEASE]
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123) ~[spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90) ~[spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118) [spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158) [spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChai


Re: Topics or presentations? CAB call: Wednesday, Sept. 16th @ 8AM PT / 11AM ET / 4PM CET

Troy Topnik
 

GOOD NEWS EVERYONE!

We have a couple of presentations for tomorrow:

    • Auto-patching of app images: Piyali Banerjee, CAPI, VMware

    • New Quarks Secret feature: Mario Manno, Quarks, SUSE


TT

--
Troy Topnik
Senior Product Manager, 
SUSE Cloud Application Platform 
troy.topnik@...
 


Re: TLS for everything

David McClure
 

Hi everyone,

Glad to see this conversation happening. I've been involved in several conversations about this over the years but I'm not sure what public artifacts exist about these efforts. Historically, it has been a challenge to organize so-called "cross-cutting efforts" that require the involvement of many different teams and it may be especially challenging now that much of the community has shifted its focus to developing cf-for-k8s.

That said, here's a thought: perhaps we can approach this feature request and other "cross-cutting" features for cf-for-vms with the following strategy going forward:

  1. Create an issue to track this feature of cf-for-vms in the cf-deployment github repo
    https://github.com/cloudfoundry/cf-deployment/issues
  2. While it's good to continue discussing this anywhere and everywhere (Slack, email, etc), let's make that that Github issue the canonical home for discussion about this going forward and try to "close the loop" back there if discussions are had elsewhere.
  3. If separate issues can be carved out for specific components, create issues on their repositories and link them back to the Github issue on cf-deployment.
    Github's auto-linking between issues should help us make these more discoverable, regardless of which direction the link is going.
Jon, would you like to do the honors as the thread starter here?


From: cf-dev@... <cf-dev@...> on behalf of Miki Mokrysz via lists.cloudfoundry.org <miki.mokrysz=digital.cabinet-office.gov.uk@...>
Sent: Tuesday, September 15, 2020 11:41 AM
To: cf-dev@... <cf-dev@...>
Subject: Re: [cf-dev] TLS for everything
 
+1 on desiring everything to be encrypted on the network.

We’re under the impression that Silk (apps.internal) traffic between cells is also unencrypted.

On Tuesday, 15 September 2020, Peter Burkholder via lists.cloudfoundry.org <peter.burkholder=gsa.gov@...> wrote:
We may run into similar requirements for cloud.gov, so TLS everywhere would be A+.

On Tue, Sep 15, 2020 at 1:45 PM Jon Price <jon.price@...> wrote:
Hi everyone,
There has been a lot of excellent progress in securing all CF traffic with TLS and as far as I can tell there are only a few things that are still unencrypted. 
Is there a timeline or any plans for these last few things?  

1) routing-api - still using both TLS and non-TLS in the cf-deployment.  The http endpoint is what is registered in the router.  Is there a reason for still enabling both?
2) metrics-discovery-registrar-windows - not using nats-tls hostname, falling back to 4222
3) route_registrar - not using nats-tls
4) gorouter - not using nats-tls

We have a requirement that all traffic on the network is encrypted and I would really love to stop running IPsec. :)

Jon Price
Intel Corp.



--
Peter Burkholder |  cloud.gov compliance & security


Re: UAA api /introspect does not seem to be workign as expected #uaa

Jeremy Morony
 

Hi Viraj,

I couldn't replicate the issue you've described.  While logs are always helpful, more helpful would be a small set up replicating the issue. For example, this is what I did to replicate your issue using the UAA in development:

./gradlew clean run
uaac target http://localhost:8080/uaa
uaac token client get admin
uaac client add introspect-test --scope uaa.none --authorized_grant_types client_credentials --authorities uaa.resource
uaac token owner get cf marissa -p koala --scope uaa.user
uaac contexts #extract marissa's access token
uaac token client get introspect-test
uaac curl --trace /introspect -X POST -d "token=marissas-access-token"

200
RESPONSE HEADERS:
<snip>
RESPONSE BODY:
{
  "active": true // other claims omitted
}


From: cf-dev@... <cf-dev@...> on behalf of Shetty, Viraj S [CTR] via lists.cloudfoundry.org <vshetty=fdic.gov@...>
Sent: Friday, September 11, 2020 12:44 PM
To: cf-dev@... <cf-dev@...>
Subject: Re: [cf-dev] UAA api /introspect does not seem to be workign as expected #uaa
 
Jeremy, 

I upgraded to the latest UAA version 74.24.0 and I still see the same issue. Is there something I can provide from logs that might help ? 

Thanks,
Viraj 


Re: TLS for everything

Miki Mokrysz <miki.mokrysz@...>
 

+1 on desiring everything to be encrypted on the network.

We’re under the impression that Silk (apps.internal) traffic between cells is also unencrypted.


On Tuesday, 15 September 2020, Peter Burkholder via lists.cloudfoundry.org <peter.burkholder=gsa.gov@...> wrote:
We may run into similar requirements for cloud.gov, so TLS everywhere would be A+.

On Tue, Sep 15, 2020 at 1:45 PM Jon Price <jon.price@...> wrote:
Hi everyone,
There has been a lot of excellent progress in securing all CF traffic with TLS and as far as I can tell there are only a few things that are still unencrypted. 
Is there a timeline or any plans for these last few things?  

1) routing-api - still using both TLS and non-TLS in the cf-deployment.  The http endpoint is what is registered in the router.  Is there a reason for still enabling both?
2) metrics-discovery-registrar-windows - not using nats-tls hostname, falling back to 4222
3) route_registrar - not using nats-tls
4) gorouter - not using nats-tls

We have a requirement that all traffic on the network is encrypted and I would really love to stop running IPsec. :)

Jon Price
Intel Corp.



--
Peter Burkholder |  cloud.gov compliance & security
please use cloud-gov-compliance@... for cloud.gov matters


Re: TLS for everything

Peter Burkholder
 

We may run into similar requirements for cloud.gov, so TLS everywhere would be A+.

On Tue, Sep 15, 2020 at 1:45 PM Jon Price <jon.price@...> wrote:
Hi everyone,
There has been a lot of excellent progress in securing all CF traffic with TLS and as far as I can tell there are only a few things that are still unencrypted. 
Is there a timeline or any plans for these last few things?  

1) routing-api - still using both TLS and non-TLS in the cf-deployment.  The http endpoint is what is registered in the router.  Is there a reason for still enabling both?
2) metrics-discovery-registrar-windows - not using nats-tls hostname, falling back to 4222
3) route_registrar - not using nats-tls
4) gorouter - not using nats-tls

We have a requirement that all traffic on the network is encrypted and I would really love to stop running IPsec. :)

Jon Price
Intel Corp.



--
Peter Burkholder |  cloud.gov compliance & security
please use cloud-gov-compliance@... for cloud.gov matters


TLS for everything

Jon Price
 

Hi everyone,
There has been a lot of excellent progress in securing all CF traffic with TLS and as far as I can tell there are only a few things that are still unencrypted. 
Is there a timeline or any plans for these last few things?  

1) routing-api - still using both TLS and non-TLS in the cf-deployment.  The http endpoint is what is registered in the router.  Is there a reason for still enabling both?
2) metrics-discovery-registrar-windows - not using nats-tls hostname, falling back to 4222
3) route_registrar - not using nats-tls
4) gorouter - not using nats-tls

We have a requirement that all traffic on the network is encrypted and I would really love to stop running IPsec. :)

Jon Price
Intel Corp.