Upgrade your InfoSec, Ops and Dev teams with PCF 1.12
1 like528 views
PCF 1.12 enhances security for cloud-native applications with features such as mutual TLS for component communication and individual application instance identities. It introduces significant operational improvements like faster Ops Manager upgrades, the adoption of CredHub for credential management, and support for additional AWS regions. Development features include contextual service creation, multi-buildpack support, and tools for modern data processing using Spring Cloud Data Flow.
Upgrade your InfoSec, Ops and Dev teams with PCF 1.12
- 1. Upgrade your InfoSec, Ops and Dev teams with PCF 1.12 Jared Ruckle @jaredruckle Pieter Humphrey @pieterhumphrey
- 3. Secure BOSH Director/Agent HTTP traffic via TLS ● Ops Manager facilitates mutually authenticated and encrypted traffic between the BOSH Director and Agent present on each BOSH-created VM ● A TLS certificate is created for Director/ Agent HTTP traffic and passed to BOSH for use and placement on VMs
- 4. mTLS in CC-Diego inter-component communication ● Security Auditors can assure themselves components mutually authenticate and encrypt communication ● Mutual TLS now used for CAPI – Diego by default use of mTLS between CC and Diego components
- 5. mTLS: Application Instance Identity Credentials ● A new instance identity system for CF applications in ERT ● Each application instance will have a unique cert and key available to it that can be used to verify the application’s identity
- 6. Routing in PCF 1.12 ● Intelligent defaults + simple configuration of TLS for Gorouter and HAProxy ● mTLS Client Certificate Metadata Passed to Apps ● A better HAProxy from CF community now ships with ERT & Isolation Segment tiles R
- 7. Partitioned routing in ERT & Isolation Segments ● In 1.10 and 1.11, Gorouters deployed with ERT and Isolation Segment tiles all had access to the same routing table. ● Isolation Segment routers will now by default reject requests that are not for apps on the same Isolation Segment. ● ERT routers will continue to support routing of all registered routes by default. R
- 8. Elastic Runtime (ERT) v1.12 Security ERT now uses BOSH CredHub ● Some of ERT's internal creds are generated and stored in CredHub instead of Ops Manager ● Database passwords, inter component passwords ● No more plain text!
- 9. OpsMan v1.12 Security CredHub Migration Tools for PCF Tile Authors ● PCF (and partner) product teams can migrate their product’s credentials from Ops Mgr to CredHub ● Migrated credentials are no longer stored as clear text in the BOSH Manifest that Ops Mgr generates when deploying a product’s release ● Paves the way for future security enhancements such as automated rotation
- 11. Faster Upgrades of the Ops Manager Appliance ● The time required to upgrade Ops Mgr is significantly decreased ● Non-essential releases are removed ● installation.zip shrinks from 5 GB to a few MB ● Ops Manager no longer retains releases between upgrades ● Use BOSH Backup & Restore, not CFOps !
- 12. Manifest-Only Workflow with CredHub ● BOSH power users: CredHub can now be part of your workflow ● The new Ops Manager API generates a file used by CredHub to bulk load credentials from Ops Manager. ● Previously: Older Ops Manager-generated manifests contained credentials in plain text. !
- 13. Deploy PCF Additional AWS Regions Enterprises: ● Deploy PCF and supported products to additional AWS regions ● New regions include Ohio, Canada, and London For Federal Government Agencies & Federal Contractors: ● Deploy PCF and supported products to the AWS GovCloud region (us-gov-west-1) !
- 14. Support for GCP Shared VPC Networks ● Configure networks in Ops Manager with the ID of a Shared VPC (Virtual Private Cloud) network ● This helps your teams collaborate with each other ● Shared VPC is the mechanism that enables groups to share GCP resources (including non-Pivotal services) across projects ● Add a host ProjectID inside the BOSH Director Tile !
- 15. PCF Runtime for Windows ● BOSH Windows supports SSH, can use powershell ● Avoid RDP in preparation for 2016, consistency with BOSH experience ● Operators can manage the Windows admin password on Windows cells, randomize them per VM, or select the password on boot ● Autoconfigure VM Activation via KMS (Key Management Server) ● Windows Event Logs are consumable via syslog !
- 16. ! Metrics Forwarder for PCF ● A CF service that enables applications to emit metrics to the CF Loggregator subsystem ● Metrics can be subsequently consumed via the Loggregator Firehose ● Analyze custom metrics in your preferred logging tools (Splunk, Honeycomb, InfluxDB, DataDog, PCF Metrics 1.4, etc.) ● Java Buildpack + Spring Boot Actuators
- 17. C2C Networking in PCF 1.12 ● Container-to-container networking replaces legacy networking stack ○ No option to disable c2c networking ● Container networking policies support port ranges, easier to handle ranges ● cf networking commands unified in CF CLI ● Support for global logging of all application traffic ○ View logs for denied packets! ● Packet logs now include app/space/org information !
- 18. Gorouter Supports Max Connections per AI Use manifest property to configure a maximum number of concurrent connections per application instance ● This option helps reduce the “noisy neighbor” impact of an app with a large number of connections, from using up all available Gorouter resources Max concurrent connections is defined by the total of idle + active (including keepalive) !
- 19. Concourse for PCF: Platform Automation for Ops ● Automate ops at enterprise scale ● Manage platform differences as code ● Automate the entire ops lifecycle ● Design your platform operations !
- 21. Apps Manager: Contextual Service Creation ● Developers can create services without leaving the app or space view for an accelerated workflow ● Rapid service creation while remaining app-focused ● This workflow will support new schematized service parameters as well
- 22. Small Footprint ERT ● Install PCF ERT on a minimum of VMs ● Try the product without incurring significant infrastructure costs. ● A massively co-located ERT - as few as 4 VMs if state is outsourced ● Not currently designed to be the basis for a full prod install, just for eval
- 23. Multi-Buildpack Support Developers can deploy applications that utilize multiple buildpacks (BP) in sequence ● 1 app, run multiple BPs for it ● Supply additional app dependencies that current BP model doesn’t support ● No longer must rely on forking BP or Docker packaging ● System buildpacks useful in more scenarios Use cases ● Polyglot apps, apps with tech from multiple vendors ● Supply app server agents w/o custom BP ● Automated App Server CVE patching, or extra files in app server ● Extra language modules, customer – specific SW, patched root FS across apps
- 24. Steeltoe 1.1: How to do .NET on PCF ● Spring Boot Actuators for .NET apps ○ info health loggers trace ● GA Hystrix Circuit Breaker ● Container Networking & Direct addressing in Eureka ● Support for Config Server backed by Hashicorp Vault ● http://steeltoe.io/
- 25. Spring Cloud Data Flow 2
- 26. Spring Cloud Data Flow: Beta Testers Wanted! Spring Cloud Data Flow is a Microservices toolkit for building data integration and real-time data processing pipelines. Pipelines consist of Spring Boot apps, using Spring Cloud Stream for events or Spring Cloud Task for batch processes. The Data Flow server provides interfaces to compose and deploy pipelines onto platforms like PCF.
- 27. What is SCDF used for? Modernization and Replatforming Integration Messaging Batch, DBMS, files Next-Gen Data Workloads IoT, Machine Learning Event Stream Processing Progression of data-intensive use cases All sharing a common Spring Boot Microservices architecture. → Contact your PA or Chris Sterling [email protected]
- 28. Single Sign-On Service v1.5 ● Support for Azure OIDC ● Improved Framework Support ● New Sample Applications ● Support for Token Exchange (SAML Bearer, JWT Bearer, API Tokens)