Releases: cloudfoundry/routing-release
0.301.0
CAUTION: This release is affected by a known issue for users who use both Postgres for the Cloud Foundry database and TCP Routes. This will be fixed in a future release. Users who use both Postgres and TCP Routes should not upgrade to this version. This only applies if postgres is used for the core Cloud Foundry databases, not if apps use postgres services.
Changes
- 🐛Fixes a bug introduced in v0.298.0 where the
X-Forwarded-Hostheader was incorrectly set for requests containing anExpect: 100-continueheader. Thanks @maxmoehl !
✨ Built with go 1.22.4
Full Changelog: v0.300.0...v0.301.0
Resources
Contributors
Assets 3
0.300.0
Changes
- Update route registrar to only send 5 unregistration messages for an unhealthy route - cloudfoundry/route-registrar#46 . Thanks @andy-a-d-nguyen for your first contribution to CF!
✨ Built with go 1.22.4
Resources
Full Changelog: v0.299.0...v0.300.0
Contributors
Assets 3
0.299.0
Changes
- Bumped to Golang 1.22.4
- Added ability to enforce strict validation of route service signature. Thanks @maxmoehl, @b1tamara and @plowin !
Bosh Job Spec changes:
diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index 8269440b..60c7b520 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -262,6 +262,9 @@ properties:
router.route_services_timeout:
description: "Expiry time of a route service signature in seconds"
default: 60
+ router.route_services_strict_signature_validation:
+ description: "Enforce strict validation of a route service signature"
+ default: false
router.max_header_kb:
description: |
This value controls the maximum number of bytes (in KB) the gorouter will read
✨ Built with go 1.22.4
Full Changelog: v0.298.0...v0.299.0
Resources
Contributors
Assets 3
0.298.0
Changes
- 🔒 Resolves CVE-2024-22279, which affected routing-releases 0.273.0 through 0.297.0.
- 🐛 Improve support for requests using the Expect: 100-continue header.
- 🐛 The missing_content_length_header metric introduced in 0.297.0 has been renamed to empty_content_length_header for more accuracy. Thanks @peanball!
- 🐛 The empty_content_length_header was fixed to more accurately capture events when the content-length header of a request was empty. Previously extra request types were being included erroneously.
Bosh Job Spec changes:
diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index 712a761f..8269440b 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -306,6 +306,9 @@ properties:
router.keep_alive_probe_interval:
default: 1s
description: Interval between TCP keep alive probes. Value is a string (e.g. "10s")
+ router.keep_alive_100_continue_requests:
+ description: "If set gorouter reuses backend connection for requests expecting 100-Continue"
+ default: false
router.force_forwarded_proto_https:
description: "Enables setting X-Forwarded-Proto header if SSL termination happened upstream and incorrectly set the header value. When this property is set to true gorouter sets the header X-Forwarded-Proto to https. When this value set to false, gorouter set the header X-Forwarded-Proto to the protocol of the incoming request"
default: false
✨ Built with go 1.22.3
Full Changelog: v0.297.0...v0.298.0
Resources
Contributors
Assets 3
0.297.0
Changes
- 🐛FIXES KNOWN ISSUE Gorouter now correctly returns the status code provided by backends for workflows using 100-continue, or other 1xx interim status codes. Thanks for catching this @plowin @domdom82 and thanks @geofffranks for the quick fix!
- 🐛The TLS listener for the health status endpoint in gorouter now handles custom cipher-suites that do not include any of the required HTTP/2 ciphers. Thanks @MarcPaquette + @geofffranks!
- 🐛 Failing to establish a TCP connection to a backend no longer causes a panic when setting up a WebSocket connection. Thanks @domdom82!
- ✨The health status endpoint for gorouter is now able to log error messages encountered when it starts up, to aid in troubleshooting. Thanks @MarcPaquette and @geofffranks !
- ✨Gorouter now provides a
missing_content_length_headermetric that will flag requests that would have been hit by Golang 1.22's new check to reject requests that have an empty content-length header. This can be used to determine if an environment will be affected by disabling thego.httplaxcontentlengthgorouter property. Thanks @mariash!- NOTE: The metric is counting requests unaffected by the new golang behavior and will be updated in 0.298.0+, where it is also renamed to
empty_content_length_header.
- NOTE: The metric is counting requests unaffected by the new golang behavior and will be updated in 0.298.0+, where it is also renamed to
- ✨Route registrar now allows operators to specify load blancing algorithms for individual routes. Thanks @b1tamara and @domdom82 !
- Bumped to golang 1.22.3
Bosh Job Spec changes:
diff --git a/jobs/route_registrar/spec b/jobs/route_registrar/spec
index c51dbb9f..de81a0e8 100644
--- a/jobs/route_registrar/spec
+++ b/jobs/route_registrar/spec
@@ -125,7 +125,8 @@ properties:
with error, the route is unregistered.
router_group (required, string, for tcp routes): Name of the router group to which the TCP route should be added.
external_port (required, string, for tcp routes): Port that the TCP router will listen on.
- server_cert_domain_name_modifier (optional, string, for sni routes): a regex replace to help with complicated hostnames
+ server_cert_domain_name_modifier (optional, string, for sni routes): a regex replace to help with complicated hostnames.
+ options (optional, object, for http routes): Custom per-route options
health_check object
name (required, string): Human-readable reference for the healthcheck
@@ -135,6 +136,9 @@ properties:
the script is terminated with `SIGKILL` and the route is unregistered. Value is a string (e.g. "10s") and must parse to a positive time duration i.e. "-5s" is not permitted. Must be less than the value of `registration_interval`.
Default: Half of the value of `registration_interval`
+ options object
+ lb_algo (optional, string): Load balancing algorithm for routing incoming requests to the backend: 'round-robin' or 'least-connection'. In cases where this option is not specified, the algorithm defined in gorouter spec is applied.
+
example: |
- name: my-service
uris:
@@ -150,6 +154,8 @@ properties:
script_path: /path/to/script
timeout: 5s
route_service_url: https://my-oauth-proxy-route-service.example.com
+ options:
+ lb_algo: least-connection
- name: my-tls-endpoint
tls_port: 12346
server_cert_domain_san: "my-tls-endpoint.internal.com"
✨ Built with go 1.22.3
Full Changelog: v0.296.0...v0.297.0
Resources
Contributors
Assets 3
0.296.0
Expect: 100-continue to delay POST data until the backend issues a 100 continue, gorouter incorrectly returns an 200 OK status code to the client, regardless of what final status code the backend set (e.g. 401, 502, 203 all appear as 200 to the client). HTTP Access logs + Gorouter HTTP request metrics showed the correct status codes. Upgrading to routing-release 0.297.0 is advised.
Changes
- Pass availability zone in route-registrar for AZ-aware routing of system components
- Bump Golang to 1.22
Bosh Job Spec changes:
diff --git a/jobs/acceptance_tests/spec b/jobs/acceptance_tests/spec
index e1a6a9ae..8122ddaf 100644
--- a/jobs/acceptance_tests/spec
+++ b/jobs/acceptance_tests/spec
@@ -7,7 +7,7 @@ templates:
bpm.yml.erb: config/bpm.yml
packages:
- - golang-1.21-linux
+ - golang-1.22-linux
- acceptance_tests
- rtr
- cf-cli-8-linux
diff --git a/jobs/smoke_tests/spec b/jobs/smoke_tests/spec
index b230192b..02edfd9d 100644
--- a/jobs/smoke_tests/spec
+++ b/jobs/smoke_tests/spec
@@ -7,7 +7,7 @@ templates:
bpm.yml.erb: config/bpm.yml
packages:
- - golang-1.21-linux
+ - golang-1.22-linux
- acceptance_tests
- cf-cli-8-linux
✨ Built with go 1.22.2
Full Changelog: v0.295.0...v0.296.0
Resources
0.295.0
Expect: 100-continue to delay POST data until the backend issues a 100 continue, gorouter incorrectly returns an 200 OK status code to the client, regardless of what final status code the backend set (e.g. 401, 502, 203 all appear as 200 to the client). HTTP Access logs + Gorouter HTTP request metrics showed the correct status codes. Upgrading to routing-release 0.297.0 is advised.
Changes
- Resolves #401 by reverting the removal of the deprecated BuildNameToCertificate() call
- Bumps to golang 1.21.9 + golang.org/x/net 0.23.0 to patch CVE-2023-45288
✨ Built with go 1.21.9
Full Changelog: v0.294.0...v0.295.0
Resources
0.294.0
Expect: 100-continue to delay POST data until the backend issues a 100 continue, gorouter incorrectly returns an 200 OK status code to the client, regardless of what final status code the backend set (e.g. 401, 502, 203 all appear as 200 to the client). HTTP Access logs + Gorouter HTTP request metrics showed the correct status codes. Upgrading to routing-release 0.297.0 is advised.
Changes
- Bump haproxy to 2.8.7
- update templates to not refer to consul
- Default the routing_api.enabled_api_endpoints to mtls
- Update template test for mTLS routing api default
- Upgrade cf-cli-8-linux
Bosh Job Spec changes:
diff --git a/jobs/routing-api/spec b/jobs/routing-api/spec
index 1d7efe3c..2e5cd361 100644
--- a/jobs/routing-api/spec
+++ b/jobs/routing-api/spec
@@ -95,7 +95,7 @@ properties:
routing_api.enabled_api_endpoints:
description: "Protocols that the routing api will listen on. Possible values: 'mtls', or 'both' (mTLS + HTTP)"
- default: "both"
+ default: "mtls"
routing_api.mtls_port:
description: "Port on which Routing API is running, listening with mTLS."
default: 3001
✨ Built with go 1.21.8
Full Changelog: v0.293.0...v0.294.0
Resources
0.293.0
Changes
Expect: 100-continue to delay POST data until the backend issues a 100 continue, gorouter incorrectly returns an 200 OK status code to the client, regardless of what final status code the backend set (e.g. 401, 502, 203 all appear as 200 to the client). HTTP Access logs + Gorouter HTTP request metrics showed the correct status codes. Upgrading to routing-release 0.297.0 is advised.
- Add toggle to allow empty Content-Length headers
- fix: Enable syslog forwarding for gorouter
- fix: Don't retry more often than endpoints available
- Add an option to enable concurrent reads and responses in HTTP/1
Bosh Job Spec changes:
diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index e7c33d66..712a761f 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -161,6 +161,9 @@ properties:
router.enable_http2:
description: Enables support for HTTP/2 ingress traffic to the Gorouter. Also enables the option to use the HTTP/2 protocol for traffic to specified backends.
default: true
+ router.enable_http1_concurrent_read_write:
+ description: Enables concurrent request reads and response writes for HTTP/1 requests
+ default: false
router.min_tls_version:
description: Minimum accepted version of TLS protocol. All versions above this, up to the max_tls_version, will also be accepted. Valid values are TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3.
default: TLSv1.2
@@ -194,8 +197,9 @@ properties:
router.backends.max_attempts:
description: |
Maximum number of attempts on failing requests against backend routes.
+ The number of attempts per request is limited by the number of endpoints on the route, regardless of this setting.
This includes CF apps and route-registrar endpoints.
- A value of 0 implies indefinite retries, i.e. retry until success or endpoint list is exhausted.
+ The minimum value for this setting is 1. This prevents gorouter from getting blocked by indefinite retries.
default: 3
router.backends.ca:
description: Certificate authority that was used to sign certificates for TLS-registered backends. In PEM format.
@@ -274,6 +278,15 @@ properties:
router.enable_log_attempts_details:
description: "Log additional fields in the access log that provide more details on the specific timings and attempts performed towards endpoints."
default: false
+ router.logging.syslog_tag:
+ description: "Tag to use when writing syslog messages"
+ default: "vcap.gorouter"
+ router.logging.syslog_addr:
+ description: "Address of a syslog server to send access logs"
+ default: "localhost:514"
+ router.logging.syslog_network:
+ description: "Network protocol to use when connecting to the syslog server. Valid values are 'tcp', 'udp', <empty>. When choosing an empty string value, the local syslog daemon is used."
+ default: "udp"
router.logging.format.timestamp:
description: |
Format for timestamp in component logs. Valid values are 'rfc3339', 'deprecated', and 'unix-epoch'."
@@ -492,6 +505,9 @@ properties:
router.write_access_logs_locally:
description: "Enables writing access log to local disk."
default: true
+ router.enable_access_log_streaming:
+ description: "Enables streaming access log to syslog server."
+ default: false
router.suspend_pruning_if_nats_unavailable:
description: |
Suspend pruning of routes when NATs is unavailable and maintain the
@@ -583,6 +599,14 @@ properties:
street_address: []
postal_code: []
default: []
+
healthchecker.failure_counter_file:
description: "File used by the healthchecker to monitor consecutive failures."
default: /var/vcap/data/gorouter/counters/consecutive_healthchecker_failures.count
+
+ go.httplaxcontentlength:
+ description: |
+ Environment Flag to temporarily allow requests containing an invalid, empty `Content-Length` header for backwards compatibility.
+ This toggle allows operators to add the `GODEBUG` field `httplaxcontentlength=1`, as allowable per the [go 1.22 release documentation](https://tip.golang.org/doc/go1.22#minor_library_changes).
+ Defaults to `false` as the default behavior in go 1.22+ is to reject these requests.
+ default: false
✨ Built with go 1.21.8
Full Changelog: v0.292.0...v0.293.0
Resources
0.292.0
Changes
- Dependency updates
- ✨ Adds support for
Partitionedcookies to gorouter to allow for sticky sessions in embedded contexts. More information on 3rd-party cookie deprecation.
✨ Built with go 1.21.7
Full Changelog: v0.291.0...v0.292.0