From a2607887abf257b511cc1788e20d0edaee041efa Mon Sep 17 00:00:00 2001 From: kart2bc Date: Wed, 9 Jul 2025 10:22:35 -0400 Subject: [PATCH 1/4] Remove old property: proxy.enabled - Diego release --- jobs/rep/spec | 3 --- jobs/rep/templates/setup_mounted_data_dirs.erb | 6 ++---- jobs/rep_windows/spec | 3 --- jobs/rep_windows/templates/rep.json.erb | 1 - 4 files changed, 2 insertions(+), 11 deletions(-) diff --git a/jobs/rep/spec b/jobs/rep/spec index 9dc49f2066..90bb7e033d 100644 --- a/jobs/rep/spec +++ b/jobs/rep/spec @@ -256,9 +256,6 @@ properties: description: "time in seconds between signalling a container to shutdown gracefully and stopping it forcefully. Should not be less than 10." default: 10 - containers.proxy.enabled: - description: "Enable envoy proxy on garden containers. Requires valid TLS credentials in diego.executor.instance_identity_ca_cert and diego.executor.instance_identity_key." - default: false containers.proxy.additional_memory_allocation_mb: description: "Additional memory allocated to each container for the envoy proxy. This value must not be negative" default: 32 diff --git a/jobs/rep/templates/setup_mounted_data_dirs.erb b/jobs/rep/templates/setup_mounted_data_dirs.erb index 33030c8353..f359b4544d 100644 --- a/jobs/rep/templates/setup_mounted_data_dirs.erb +++ b/jobs/rep/templates/setup_mounted_data_dirs.erb @@ -72,7 +72,5 @@ rm -rf "$trusted_certs_dir" proxy_config_dir=${garden_shared_dir}/proxy_config rm -rf "$proxy_config_dir" -<% if p("containers.proxy.enabled") %> - mkdir -p "$proxy_config_dir" - chown -R vcap:vcap "$proxy_config_dir" -<% end %> +mkdir -p "$proxy_config_dir" +chown -R vcap:vcap "$proxy_config_dir" diff --git a/jobs/rep_windows/spec b/jobs/rep_windows/spec index d84d1c5849..10d69fcce1 100644 --- a/jobs/rep_windows/spec +++ b/jobs/rep_windows/spec 
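Review bot: Dropping `containers.proxy.enabled` from `jobs/rep/spec` in this commit while `jobs/rep/templates/rep.json.erb` still reads `p("containers.proxy.enabled")` leaves the Linux rep job unrenderable at this commit, since as far as I know BOSH's `p()` raises on a property that is neither declared nor defaulted. The diffstat of this patch lists only the Windows template, and the Linux line `enable_container_proxy: p("containers.proxy.enabled")` is only removed by the `@@ -59,7 +59,6 @@` hunk of PATCH 2, so the series is not bisectable between the two. Move that Linux template hunk into this commit, or squash PATCH 1 and PATCH 2.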
@@ -264,9 +264,6 @@ properties: description: "time in seconds between signalling a container to shutdown gracefully and stopping it forcefully. Should not be less than 10." default: 10 - containers.proxy.enabled: - description: "EXPERIMENTAL: Enable envoy proxy on garden containers. Currently doesn't work on windows cells but left here for compatability with the linux Rep" - default: false containers.proxy.additional_memory_allocation_mb: description: "EXPERIMENTAL: Additional memory allocated to each container for the envoy proxy. This must not be negative. Currently doesn't work on windows cells but left here for compatability with the linux Rep" default: 32 diff --git a/jobs/rep_windows/templates/rep.json.erb b/jobs/rep_windows/templates/rep.json.erb index 86450f7c5a..ae7cdce99d 100644 --- a/jobs/rep_windows/templates/rep.json.erb +++ b/jobs/rep_windows/templates/rep.json.erb @@ -59,7 +59,6 @@ disk_mb: p("diego.executor.disk_capacity_mb").to_s, declarative_healthcheck_path: p("declarative_healthcheck_path"), enable_healthcheck_metrics: p("enable_healthcheck_metrics"), - enable_container_proxy: p("containers.proxy.enabled"), container_proxy_require_and_verify_client_certs: p("containers.proxy.require_and_verify_client_certificates"), container_proxy_trusted_ca_certs: p("containers.proxy.trusted_ca_certificates"), container_proxy_verify_subject_alt_name: p("containers.proxy.verify_subject_alt_name"), From b708f5a5f2f55fe9e4a078fa8641758d5b6acc9a Mon Sep 17 00:00:00 2001 From: kart2bc Date: Wed, 9 Jul 2025 10:37:56 -0400 Subject: [PATCH 2/4] Remove old property: proxy.enabled - Diego release --- jobs/rep/spec | 4 ++-- jobs/rep/templates/rep.json.erb | 9 ++------- jobs/rep_windows/spec | 4 ++-- jobs/rep_windows/templates/rep.json.erb | 8 ++------ .../inigo/cell/instance_identity_test.go | 1 - 5 files changed, 8 insertions(+), 18 deletions(-) diff --git a/jobs/rep/spec b/jobs/rep/spec index 90bb7e033d..3265c9961e 100644 --- a/jobs/rep/spec +++ b/jobs/rep/spec 
@@ -265,7 +265,7 @@ properties: containers.proxy.require_and_verify_client_certificates: default: false - description: "whether the per-container proxy should require and verify a TLS certificate from a client connecting to one of its ingress listeners. Proxy will trust the set of CA certificates supplied in the containers.proxy.trusted_ca_certificates property. Requires containers.proxy.enabled to be set to true to enable." + description: "whether the per-container proxy should require and verify a TLS certificate from a client connecting to one of its ingress listeners. Proxy will trust the set of CA certificates supplied in the containers.proxy.trusted_ca_certificates property." containers.proxy.trusted_ca_certificates: default: [] @@ -296,7 +296,7 @@ properties: containers.proxy.enable_unproxied_port_mappings: default: true - description: "EXPERIMENTAL: whether the cell should still map host ports directly to the unproxied container ports. Setting to false requires containers.proxy.enabled to be set to true." + description: "EXPERIMENTAL: whether the cell should still map host ports directly to the unproxied container ports." containers.trusted_ca_certificates: description: "List of PEM-encoded CA certificates to make available inside containers in a conventional location. List entries may be individual or concatenated CAs." diff --git a/jobs/rep/templates/rep.json.erb b/jobs/rep/templates/rep.json.erb index 099c094da5..e1b00b35ff 100644 --- a/jobs/rep/templates/rep.json.erb +++ b/jobs/rep/templates/rep.json.erb 
@@ -59,7 +59,6 @@ disk_mb: p("diego.executor.disk_capacity_mb").to_s, declarative_healthcheck_path: "/var/vcap/packages/healthcheck", enable_healthcheck_metrics: p("enable_healthcheck_metrics"), - enable_container_proxy: p("containers.proxy.enabled"), container_proxy_require_and_verify_client_certs: p("containers.proxy.require_and_verify_client_certificates"), container_proxy_trusted_ca_certs: p("containers.proxy.trusted_ca_certificates"), container_proxy_verify_subject_alt_name: p("containers.proxy.verify_subject_alt_name"), @@ -188,15 +187,11 @@ config[:bbs_address] = "https://#{p("diego.rep.bbs.api_location")}" - if config[:enable_container_proxy] - begin + begin p("diego.executor.instance_identity_ca_cert") p("diego.executor.instance_identity_key") - rescue + rescue raise '"when containers.proxy.enabled is true, diego.executor.instance_identity_ca_cert" and "diego.executor.instance_identity_key" must both be set' - end - elsif !p("containers.proxy.enable_unproxied_port_mappings") - raise 'containers.proxy.enabled must be set to true in order to disable the unproxied port mappings' end if config[:container_proxy_require_and_verify_client_certs] diff --git a/jobs/rep_windows/spec b/jobs/rep_windows/spec index 10d69fcce1..b7d21de96b 100644 --- a/jobs/rep_windows/spec +++ b/jobs/rep_windows/spec 
@@ -273,7 +273,7 @@ properties: containers.proxy.require_and_verify_client_certificates: default: false - description: "whether the per-container proxy should require and verify a TLS certificate from a client connecting to one of its ingress listeners. Proxy will trust the set of CA certificates supplied in the containers.proxy.trusted_ca_certificates property. Requires containers.proxy.enabled to be set to true to enable." + description: "whether the per-container proxy should require and verify a TLS certificate from a client connecting to one of its ingress listeners. Proxy will trust the set of CA certificates supplied in the containers.proxy.trusted_ca_certificates property. containers.proxy.trusted_ca_certificates: default: [] @@ -304,7 +304,7 @@ properties: containers.proxy.enable_unproxied_port_mappings: default: true - description: "EXPERIMENTAL: whether the cell should still map host ports directly to the unproxied container ports. Setting to false requires containers.proxy.enabled to be set to true." + description: "EXPERIMENTAL: whether the cell should still map host ports directly to the unproxied container ports. containers.trusted_ca_certificates: description: "List of PEM-encoded CA certificates to make available inside containers in a conventional location. List entries may be individual or concatenated CAs." diff --git a/jobs/rep_windows/templates/rep.json.erb b/jobs/rep_windows/templates/rep.json.erb index ae7cdce99d..3137c0451c 100644 --- a/jobs/rep_windows/templates/rep.json.erb +++ b/jobs/rep_windows/templates/rep.json.erb 
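Review bot: Both `+    description:` lines in this file lose their closing double quote, unlike the Linux `jobs/rep/spec` counterparts in this same patch (`@@ -265,7 +265,7 @@` and `@@ -296,7 +296,7 @@`), so `jobs/rep_windows/spec` is no longer valid YAML and the job spec will fail to parse. Neither PATCH 3 nor PATCH 4 touches this file, so the breakage survives the whole series. Append `"` after `...trusted_ca_certificates property.` and after `...unproxied container ports.` so the strings close on the same line, exactly as the Linux spec does.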
@@ -187,15 +187,11 @@ config[:bbs_address] = "https://#{p("diego.rep.bbs.api_location")}" - if config[:enable_container_proxy] - begin + begin p("diego.executor.instance_identity_ca_cert") p("diego.executor.instance_identity_key") - rescue + rescue raise '"when containers.proxy.enabled is true, diego.executor.instance_identity_ca_cert" and "diego.executor.instance_identity_key" must both be set' - end - elsif !p("containers.proxy.enable_unproxied_port_mappings") - raise 'containers.proxy.enabled must be set to true in order to disable the unproxied port mappings' end if config[:container_proxy_require_and_verify_client_certs] diff --git a/src/code.cloudfoundry.org/inigo/cell/instance_identity_test.go b/src/code.cloudfoundry.org/inigo/cell/instance_identity_test.go index addde3268a..0a03610aad 100644 --- a/src/code.cloudfoundry.org/inigo/cell/instance_identity_test.go +++ b/src/code.cloudfoundry.org/inigo/cell/instance_identity_test.go @@ -351,7 +351,6 @@ var _ = Describe("InstanceIdentity", func() { BeforeEach(func() { enableContainerProxy = func(config *config.RepConfig) { - config.EnableContainerProxy = true config.EnvoyConfigRefreshDelay = durationjson.Duration(time.Second) config.ContainerProxyPath = filepath.Dir(os.Getenv("PROXY_BINARY")) From 66af0d982f3a740e8f953cf227c786a143c33397 Mon Sep 17 00:00:00 2001 From: kart2bc Date: Wed, 9 Jul 2025 10:37:56 -0400 Subject: [PATCH 3/4] Remove old property: proxy.enabled - Diego release --- jobs/rep/templates/rep.json.erb | 4 ++-- jobs/rep_windows/templates/rep.json.erb | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/jobs/rep/templates/rep.json.erb b/jobs/rep/templates/rep.json.erb index e1b00b35ff..c38ac1a08d 100644 --- a/jobs/rep/templates/rep.json.erb +++ b/jobs/rep/templates/rep.json.erb 
@@ -203,8 +203,8 @@ if_p("diego.executor.instance_identity_ca_cert", "diego.executor.instance_identity_key", - "diego.executor.instance_identity_validity_period_in_hours") do |cert, key, validity_period| - if !(cert.empty? || key.empty? || validity_period < 1) + "diego.executor.instance_identity_validity_period_in_hours") do |validity_period| + if !(validity_period < 1) config[:instance_identity_ca_path] = "#{conf_dir}/certs/rep/instance_identity.crt" config[:instance_identity_private_key_path] = "#{conf_dir}/certs/rep/instance_identity.key" config[:instance_identity_cred_dir] = instance_identity_dir diff --git a/jobs/rep_windows/templates/rep.json.erb b/jobs/rep_windows/templates/rep.json.erb index 3137c0451c..7b5fee8b4c 100644 --- a/jobs/rep_windows/templates/rep.json.erb +++ b/jobs/rep_windows/templates/rep.json.erb @@ -203,8 +203,8 @@ if_p("diego.executor.instance_identity_ca_cert", "diego.executor.instance_identity_key", - "diego.executor.instance_identity_validity_period_in_hours") do |cert, key, validity_period| - if !(cert.empty? || key.empty? || validity_period < 1) + "diego.executor.instance_identity_validity_period_in_hours") do |validity_period| + if !(validity_period < 1) config[:instance_identity_ca_path] = "#{conf_dir}/certs/rep/instance_identity.crt" config[:instance_identity_private_key_path] = "#{conf_dir}/certs/rep/instance_identity.key" config[:instance_identity_cred_dir] = instance_identity_dir From 093acc5b1672c6e15908b52c1e49bd995fed07a6 Mon Sep 17 00:00:00 2001 From: kart2bc Date: Wed, 9 Jul 2025 10:37:56 -0400 Subject: [PATCH 4/4] Remove old property: proxy.enabled - Diego release --- docs/060-envoy-proxy-configuration.md | 2 -- jobs/rep/templates/rep.json.erb | 7 +++---- jobs/rep_windows/templates/rep.json.erb | 7 +++---- .../inigo/cell/instance_identity_test.go | 1 + 4 files changed, 7 insertions(+), 10 deletions(-) 
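Review bot: The rewritten condition `if !(validity_period < 1)` no longer rejects an empty `diego.executor.instance_identity_ca_cert` or `diego.executor.instance_identity_key`: the `cert.empty? || key.empty?` guard is dropped here, in both the Linux and the Windows `rep.json.erb`, and PATCH 4's follow-up hunks (`@@ -201,9 +202,7 @@` in both templates) do not restore it, while the `begin ... rescue` block above only catches a property that is unset. If BOSH's `p`/`if_p` treat an empty string as a present value, which I believe they do since only nil counts as unset, a blank cert or key now passes validation and the rendered config points at `instance_identity.crt`/`.key` paths that presumably hold no usable credential, with the proxy now unconditionally enabled. In the final (PATCH 4) form I would add inside the `if_p` block, before the validity check: `cert, key = p("diego.executor.instance_identity_ca_cert"), p("diego.executor.instance_identity_key")` and `raise '"diego.executor.instance_identity_ca_cert" and "diego.executor.instance_identity_key" must both be non-empty' if cert.empty? || key.empty?`. The `do ... end` block this hunk rewrites closes outside the hunk.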
diff --git a/docs/060-envoy-proxy-configuration.md b/docs/060-envoy-proxy-configuration.md index 39f183dd01..aa1ff3218f 100644 --- a/docs/060-envoy-proxy-configuration.md +++ b/docs/060-envoy-proxy-configuration.md @@ -21,8 +21,6 @@ This document describes how to enable the per-container [Envoy proxy](https://gi ## Enabling Per-Container Envoy Proxy -A deployment operator enables the Linux cell reps to run an Envoy proxy process for each container by setting the `containers.proxy.enabled` property on the `rep` job to `true`. - [Instance Identity Credentials](https://docs.cloudfoundry.org/adminguide/instance-identity.html) must also be enabled on the Diego cell rep so that it can configure the Envoy proxy process with the required TLS configuration. diff --git a/jobs/rep/templates/rep.json.erb b/jobs/rep/templates/rep.json.erb index c38ac1a08d..af9b7df1cc 100644 --- a/jobs/rep/templates/rep.json.erb +++ b/jobs/rep/templates/rep.json.erb @@ -59,6 +59,7 @@ disk_mb: p("diego.executor.disk_capacity_mb").to_s, declarative_healthcheck_path: "/var/vcap/packages/healthcheck", enable_healthcheck_metrics: p("enable_healthcheck_metrics"), + enable_container_proxy: "true", container_proxy_require_and_verify_client_certs: p("containers.proxy.require_and_verify_client_certificates"), container_proxy_trusted_ca_certs: p("containers.proxy.trusted_ca_certificates"), container_proxy_verify_subject_alt_name: p("containers.proxy.verify_subject_alt_name"), @@ -191,7 +192,7 @@ p("diego.executor.instance_identity_ca_cert") p("diego.executor.instance_identity_key") rescue - raise '"when containers.proxy.enabled is true, diego.executor.instance_identity_ca_cert" and "diego.executor.instance_identity_key" must both be set' + raise '"diego.executor.instance_identity_ca_cert" and "diego.executor.instance_identity_key" must both be set' end if config[:container_proxy_require_and_verify_client_certs] 
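Review bot: `enable_container_proxy: "true"` in the `@@ -59,6 +59,7 @@` hunk of `jobs/rep/templates/rep.json.erb` passes a string where the sibling `enable_healthcheck_metrics: p("enable_healthcheck_metrics")` passes a bare boolean, and the inigo test restored in this same patch assigns `config.EnableContainerProxy = true` on a `*config.RepConfig`, which suggests the field is a Go `bool`; if the config hash is emitted as JSON, Go's decoder rejects a JSON string for a bool field and the rep would fail to load its config. The Windows template hunk (`@@ -59,6 +59,7 @@` in `jobs/rep_windows/templates/rep.json.erb`, on the next line) carries the same literal. Use `enable_container_proxy: true,` in both templates. Separately, the `rep_windows` spec descriptions left in place by PATCH 1 still say the proxy "Currently doesn't work on windows cells", so hard-wiring it on for Windows cells deserves either an updated description there or an explicit Windows-specific decision.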
@@ -201,9 +202,7 @@ end end - if_p("diego.executor.instance_identity_ca_cert", - "diego.executor.instance_identity_key", - "diego.executor.instance_identity_validity_period_in_hours") do |validity_period| + if_p("diego.executor.instance_identity_validity_period_in_hours") do |validity_period| if !(validity_period < 1) config[:instance_identity_ca_path] = "#{conf_dir}/certs/rep/instance_identity.crt" config[:instance_identity_private_key_path] = "#{conf_dir}/certs/rep/instance_identity.key" diff --git a/jobs/rep_windows/templates/rep.json.erb b/jobs/rep_windows/templates/rep.json.erb index 7b5fee8b4c..4619815319 100644 --- a/jobs/rep_windows/templates/rep.json.erb +++ b/jobs/rep_windows/templates/rep.json.erb @@ -59,6 +59,7 @@ disk_mb: p("diego.executor.disk_capacity_mb").to_s, declarative_healthcheck_path: p("declarative_healthcheck_path"), enable_healthcheck_metrics: p("enable_healthcheck_metrics"), + enable_container_proxy: "true", container_proxy_require_and_verify_client_certs: p("containers.proxy.require_and_verify_client_certificates"), container_proxy_trusted_ca_certs: p("containers.proxy.trusted_ca_certificates"), container_proxy_verify_subject_alt_name: p("containers.proxy.verify_subject_alt_name"), @@ -191,7 +192,7 @@ p("diego.executor.instance_identity_ca_cert") p("diego.executor.instance_identity_key") rescue - raise '"when containers.proxy.enabled is true, diego.executor.instance_identity_ca_cert" and "diego.executor.instance_identity_key" must both be set' + raise '"diego.executor.instance_identity_ca_cert" and "diego.executor.instance_identity_key" must both be set' end if config[:container_proxy_require_and_verify_client_certs] 
@@ -201,9 +202,7 @@ end end - if_p("diego.executor.instance_identity_ca_cert", - "diego.executor.instance_identity_key", - "diego.executor.instance_identity_validity_period_in_hours") do |validity_period| + if_p("diego.executor.instance_identity_validity_period_in_hours") do |validity_period| if !(validity_period < 1) config[:instance_identity_ca_path] = "#{conf_dir}/certs/rep/instance_identity.crt" config[:instance_identity_private_key_path] = "#{conf_dir}/certs/rep/instance_identity.key" diff --git a/src/code.cloudfoundry.org/inigo/cell/instance_identity_test.go b/src/code.cloudfoundry.org/inigo/cell/instance_identity_test.go index 0a03610aad..addde3268a 100644 --- a/src/code.cloudfoundry.org/inigo/cell/instance_identity_test.go +++ b/src/code.cloudfoundry.org/inigo/cell/instance_identity_test.go @@ -351,6 +351,7 @@ var _ = Describe("InstanceIdentity", func() { BeforeEach(func() { enableContainerProxy = func(config *config.RepConfig) { + config.EnableContainerProxy = true config.EnvoyConfigRefreshDelay = durationjson.Duration(time.Second) config.ContainerProxyPath = filepath.Dir(os.Getenv("PROXY_BINARY"))