Join us for a look at Pivotal Cloud Foundry 1.12. This release includes many features that help enterprise InfoSec teams run their modern applications more securely.
We will also discuss Small Footprint ERT, more tools for Windows operators, and Steeltoe.
Thank you in advance for joining us.
The Pivotal Team
3. Secure BOSH Director/Agent HTTP traffic via TLS
● Ops Manager facilitates mutually authenticated and encrypted traffic between the BOSH Director and the Agent present on each BOSH-created VM
● A TLS certificate is created for Director/Agent HTTP traffic and passed to BOSH for use and placement on VMs
4. mTLS in CC-Diego inter-component communication
● Security auditors can assure themselves that components mutually authenticate and encrypt their communication
● Mutual TLS is now used between CAPI (Cloud Controller) and Diego components by default
5. mTLS: Application Instance Identity Credentials
● A new instance identity system for CF applications in ERT
● Each application instance has a unique certificate and key available to it that can be used to verify the application's identity
6. Routing in PCF 1.12
● Intelligent defaults + simple configuration of TLS for Gorouter and HAProxy
● mTLS client certificate metadata passed to apps
● A better HAProxy from the CF community now ships with the ERT & Isolation Segment tiles
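Slides 5 and 6 above describe the credential each app instance receives and the client certificate metadata a router can forward to an app. The following is an added example in Go, not code from the slides or from Cloud Foundry itself, showing the receiving side: decode an X-Forwarded-Client-Cert header, verify the certificate against the platform's instance identity CA, and only then read the org, space and app GUIDs from its Subject. Assumptions, also marked in the code: the Subject layout (CN = instance GUID, OU entries app:/space:/organization:), that the header value is base64 (raw DER and PEM payloads are both handled), and a CA and leaf generated at startup as constructed stand-ins for the certificate Diego mounts into the container (the one an app itself finds via CF_INSTANCE_CERT and CF_INSTANCE_KEY).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// InstanceIdentity is what a receiving app learns from a caller's instance identity certificate.
// Assumed Subject layout: CN = instance GUID, OU entries "app:<guid>", "space:<guid>", "organization:<guid>".
type InstanceIdentity struct {
	InstanceGUID, AppGUID, SpaceGUID, OrgGUID string
}

// VerifyInstanceIdentity chains leaf to the platform's instance identity CA (roots) for client auth
// before reading any Subject attribute: OU strings in an unverified certificate are attacker input.
func VerifyInstanceIdentity(leaf *x509.Certificate, roots *x509.CertPool) (InstanceIdentity, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return InstanceIdentity{}, fmt.Errorf("instance identity cert rejected: %w", err)
	}
	id := InstanceIdentity{InstanceGUID: leaf.Subject.CommonName}
	fields := map[string]*string{"app:": &id.AppGUID, "space:": &id.SpaceGUID, "organization:": &id.OrgGUID}
	for _, ou := range leaf.Subject.OrganizationalUnit {
		for prefix, dst := range fields {
			if strings.HasPrefix(ou, prefix) {
				*dst = strings.TrimPrefix(ou, prefix)
			}
		}
	}
	if id.InstanceGUID == "" || id.AppGUID == "" {
		return InstanceIdentity{}, fmt.Errorf("certificate lacks instance CN or app:<guid> OU")
	}
	return id, nil
}

// ParseXFCC decodes an X-Forwarded-Client-Cert header value. Assumption: the router base64-encodes
// the certificate; raw DER and PEM payloads are both accepted so either convention parses.
func ParseXFCC(header string) (*x509.Certificate, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(header))
	if err != nil {
		return nil, fmt.Errorf("XFCC is not base64: %w", err)
	}
	if block, _ := pem.Decode(raw); block != nil && block.Type == "CERTIFICATE" {
		raw = block.Bytes
	}
	return x509.ParseCertificate(raw)
}

// template and mustIssue are constructed fixtures standing in for the platform CA and the leaf
// Diego would mount into the container (one key-usage set serves both); fixture-only, so mustIssue panics.
func template(cn string, ou []string, ca bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:   pkix.Name{CommonName: cn, OrganizationalUnit: ou},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: ca, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
}

func mustIssue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil { // self-signed: the CA
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo issues a leaf from a constructed CA, delivers it the way a router would (XFCC header),
// and confirms a look-alike leaf from a different CA is refused before its OUs are believed.
func Demo() (InstanceIdentity, error) {
	ou := []string{"organization:org-3333", "space:space-2222", "app:app-1111"}
	ca, caKey := mustIssue(template("constructed instance identity CA", nil, true), nil, nil)
	leaf, _ := mustIssue(template("inst-0001", ou, false), ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	cert, err := ParseXFCC(base64.StdEncoding.EncodeToString(leaf.Raw))
	if err != nil {
		return InstanceIdentity{}, err
	}
	id, err := VerifyInstanceIdentity(cert, roots)
	if err != nil {
		return InstanceIdentity{}, err
	}
	rogueCA, rogueKey := mustIssue(template("attacker CA", nil, true), nil, nil)
	rogue, _ := mustIssue(template("inst-0001", ou, false), rogueCA, rogueKey)
	if _, err := VerifyInstanceIdentity(rogue, roots); err == nil {
		return InstanceIdentity{}, fmt.Errorf("look-alike certificate from an untrusted CA was accepted")
	}
	return id, nil
}
```

The ordering is the point: chain verification before attribute extraction, so a certificate carrying the same OU strings but issued by another CA is refused, which Demo exercises with a second CA. In a real handler, roots holds the platform's instance identity CA obtained from the operator, and the header is only worth trusting when it arrives from the platform router over a path that strips client-supplied copies of it.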
7. Partitioned routing in ERT & Isolation Segments
● In 1.10 and 1.11, Gorouters deployed with the ERT and Isolation Segment tiles all had access to the same routing table.
● Isolation Segment routers now by default reject requests that are not for apps on the same Isolation Segment.
● ERT routers continue to support routing of all registered routes by default.
8. Elastic Runtime (ERT) v1.12 Security
ERT now uses BOSH CredHub
● Some of ERT's internal credentials are generated and stored in CredHub instead of Ops Manager
● Database passwords, inter-component passwords
● No more plain text!
9. OpsMan v1.12 Security
CredHub Migration Tools for PCF Tile Authors
● PCF (and partner) product teams can migrate their product's credentials from Ops Mgr to CredHub
● Migrated credentials are no longer stored as clear text in the BOSH manifest that Ops Mgr generates when deploying a product's release
● Paves the way for future security enhancements such as automated rotation
11. Faster Upgrades of the Ops Manager Appliance
● The time required to upgrade Ops Mgr is significantly decreased
● Non-essential releases are removed
● installation.zip shrinks from 5 GB to a few MB
● Ops Manager no longer retains releases between upgrades
● Use BOSH Backup & Restore, not CFOps
12. Manifest-Only Workflow with CredHub
● BOSH power users: CredHub can now be part of your workflow
● The new Ops Manager API generates a file that CredHub uses to bulk-load credentials from Ops Manager
● Previously, Ops Manager-generated manifests contained credentials in plain text
13. Deploy PCF Additional AWS Regions
Enterprises:
● Deploy PCF and supported products to additional AWS regions
● New regions include Ohio, Canada, and London
For Federal Government Agencies & Federal Contractors:
● Deploy PCF and supported products to the AWS GovCloud region (us-gov-west-1)
14. Support for GCP Shared VPC Networks
● Configure networks in Ops Manager with the ID of a Shared VPC (Virtual Private Cloud) network
● This helps your teams collaborate with each other
● Shared VPC is the mechanism that enables groups to share GCP resources (including non-Pivotal services) across projects
● Add a host Project ID inside the BOSH Director tile
15. PCF Runtime for Windows
● BOSH Windows supports SSH and can use PowerShell
● Avoid RDP in preparation for Windows Server 2016, and for consistency with the BOSH experience
● Operators can manage the Windows admin password on Windows cells: randomize it per VM, or select the password on boot
● Autoconfigure VM activation via KMS (Key Management Service)
● Windows Event Logs are consumable via syslog
16. Metrics Forwarder for PCF
● A CF service that enables applications to emit metrics to the CF Loggregator subsystem
● Metrics can subsequently be consumed via the Loggregator Firehose
● Analyze custom metrics in your preferred logging tools (Splunk, Honeycomb, InfluxDB, DataDog, PCF Metrics 1.4, etc.)
● Java Buildpack + Spring Boot Actuators
17. C2C Networking in PCF 1.12
● Container-to-container networking replaces the legacy networking stack
○ No option to disable c2c networking
● Container networking policies support port ranges, which makes ranges easier to handle
● cf networking commands are unified in the CF CLI
● Support for global logging of all application traffic
○ View logs for denied packets!
● Packet logs now include app/space/org information
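The logging bullets above (denied packets logged, with app/space/org attached) are what make container-to-container denials usable for detection. The following is an added example in Go, not code from the slides or from the cf-networking project: a summariser that groups denied packets by source IP and destination app and separates a port sweep from a policy gap that keeps denying the same port. The JSON field layout, the sample lines and the threshold are assumptions marked in the code; check the platform's real packet log format before pointing this at a syslog drain.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// packetLog is the JSON line shape this example assumes: a constructed approximation of a
// container-networking packet log, not the platform's documented format.
type packetLog struct {
	Data struct {
		Packet struct {
			Allowed bool   `json:"allowed"`
			SrcIP   string `json:"src_ip"`
			DstPort int    `json:"dst_port"`
		} `json:"packet"`
		Destination struct {
			AppGUID   string `json:"app_guid"`
			SpaceGUID string `json:"space_guid"`
			OrgGUID   string `json:"org_guid"`
		} `json:"destination"`
	} `json:"data"`
}

// Finding summarises denied packets from one source IP to one destination app.
type Finding struct {
	SrcIP, DstApp, DstSpace, DstOrg string
	Denied                          int
	Ports                           []int // distinct destination ports, kept sorted
}

// SummarizeDenies groups denied packets by (source IP, destination app). Non-JSON lines are
// counted and skipped rather than aborting, since a syslog drain interleaves other output.
func SummarizeDenies(logs string) (findings []Finding, skipped int) {
	type key struct{ src, app string }
	acc := map[key]*Finding{}
	sc := bufio.NewScanner(strings.NewReader(logs))
	for sc.Scan() {
		var pl packetLog
		if err := json.Unmarshal(sc.Bytes(), &pl); err != nil {
			skipped++
			continue
		}
		p, d := pl.Data.Packet, pl.Data.Destination
		if p.Allowed || p.SrcIP == "" {
			continue
		}
		k := key{p.SrcIP, d.AppGUID}
		f := acc[k]
		if f == nil {
			f = &Finding{SrcIP: p.SrcIP, DstApp: d.AppGUID, DstSpace: d.SpaceGUID, DstOrg: d.OrgGUID}
			acc[k] = f
		}
		f.Denied++
		if i := sort.SearchInts(f.Ports, p.DstPort); i == len(f.Ports) || f.Ports[i] != p.DstPort {
			f.Ports = append(f.Ports[:i], append([]int{p.DstPort}, f.Ports[i:]...)...)
		}
	}
	for _, f := range acc {
		findings = append(findings, *f)
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Denied > findings[j].Denied })
	return findings, skipped
}

// ScanSuspects keeps findings where one source hit at least minPorts distinct ports on one app:
// a container probing a neighbour, as opposed to a mis-set policy that denies the same port repeatedly.
func ScanSuspects(findings []Finding, minPorts int) []Finding {
	var out []Finding
	for _, f := range findings {
		if len(f.Ports) >= minPorts {
			out = append(out, f)
		}
	}
	return out
}

// sampleLine renders one constructed log line in the shape packetLog expects.
func sampleLine(allowed bool, src string, port int, app string) string {
	return fmt.Sprintf(`{"data":{"packet":{"allowed":%t,"src_ip":%q,"dst_port":%d},`+
		`"destination":{"app_guid":%q,"space_guid":"space-2222","org_guid":"org-3333"}}}`, allowed, src, port, app)
}

// SampleLogs is a constructed feed: one source sweeping four ports on app-db, another source denied
// repeatedly on a single port (policy gap), one allowed packet, and one non-JSON line.
func SampleLogs() string {
	return strings.Join([]string{
		sampleLine(false, "10.255.1.7", 22, "app-db"),
		sampleLine(false, "10.255.1.7", 3306, "app-db"),
		sampleLine(false, "10.255.1.7", 5432, "app-db"),
		sampleLine(false, "10.255.1.7", 6379, "app-db"),
		sampleLine(false, "10.255.1.9", 3306, "app-db"),
		sampleLine(false, "10.255.1.9", 3306, "app-db"),
		sampleLine(true, "10.255.1.9", 8080, "app-api"),
		"Sep 12 10:00:00 cell-0 kernel: unrelated syslog line",
	}, "\n")
}
```

ScanSuspects is deliberately simple, a threshold on distinct ports per (source, destination app); the org and space fields the 1.12 logs carry let the resulting alert be routed to the owning team rather than to the platform operators.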
18. Gorouter Supports Max Connections per AI
Use a manifest property to configure a maximum number of concurrent connections per application instance
● This option helps reduce the "noisy neighbor" impact of an app with a large number of connections using up all available Gorouter resources
● Max concurrent connections is defined as the total of idle + active connections (including keepalive)
19. Concourse for PCF: Platform Automation for Ops
● Automate ops at enterprise scale
● Manage platform differences as code
● Automate the entire ops lifecycle
● Design your platform operations
21. Apps Manager: Contextual Service Creation
● Developers can create services without leaving the app or space view, for an accelerated workflow
● Rapid service creation while remaining app-focused
● This workflow will support the new schematized service parameters as well
22. Small Footprint ERT
● Install PCF ERT on a minimal number of VMs
● Try the product without incurring significant infrastructure costs
● A massively co-located ERT: as few as 4 VMs if state (system databases and blobstore) is kept outside the deployment
● Not currently designed as the basis for a full production install; for evaluation only
23. Multi-Buildpack Support
Developers can deploy applications that use multiple buildpacks (BPs) in sequence
● One app, multiple BPs run for it
● Supply additional app dependencies that the current single-BP model doesn't support
● No longer necessary to fork a BP or package the app as a Docker image
● System buildpacks are useful in more scenarios
Use cases
● Polyglot apps, apps with technology from multiple vendors
● Supply app server agents without a custom BP
● Automated app server CVE patching, or extra files in the app server
● Extra language modules, customer-specific software, patched root FS across apps
24. Steeltoe 1.1: How to do .NET on PCF
● Spring Boot Actuators for .NET apps
○ info, health, loggers, trace
● GA Hystrix Circuit Breaker
● Container Networking & Direct addressing in Eureka
● Support for Config Server backed by Hashicorp Vault
● http://steeltoe.io/
26. Spring Cloud Data Flow: Beta Testers Wanted!
Spring Cloud Data Flow is a microservices toolkit for building data integration and real-time data processing pipelines. Pipelines consist of Spring Boot apps, using Spring Cloud Stream for events or Spring Cloud Task for batch processes. The Data Flow server provides interfaces to compose and deploy pipelines onto platforms like PCF.
27. What is SCDF used for?
A progression of data-intensive use cases, all sharing a common Spring Boot microservices architecture:
● Modernization and replatforming
● Integration: messaging; batch, DBMS, files
● Next-gen data workloads: IoT, machine learning; event stream processing
→ Contact your PA or Chris Sterling csterling@pivotal.io
28. Single Sign-On Service v1.5
● Support for Azure OIDC
● Improved Framework Support
● New Sample Applications
● Support for Token Exchange (SAML Bearer, JWT Bearer, API Tokens)