2.26.0

• components of networking subsystems are built with golang 1.13.x
• Tested with silk-release v2.26.0

2.25.0

• Tested with silk-release v2.25.0

Release Highlights

• accepted: Operator can verify that bosh-dns-adapter is configured to handle higher traffic

2.24.0

• Tested with silk-release v2.24.0

Release Highlights

• Upgrade cf-cli bosh release to v1.16 for latest fixes details
• Clients of policy server external API receive a strict-transport-security header on HTTP requests details
• Policy Server External API can be configured to listen using TLS details

Manifest Property Changes

Job	Property	2.22.0 Default	2.23.0 Default
policy-server	enable_tls	did not exist	false
policy-server	server_cert	did not exist
policy-server	server_key	did not exist

2.23.0

• Tested with silk-release v2.23.0

Release Highlights

• golang version bumped to 1.12.6 story
• golang version is now discoverable in docs story
• Default values for database connections have been updated to reduce pressure on the database story
• Dynamic Egress ping tests can be disabled when running Networking Acceptance Tests to support environments that prevent ping requests story
• Increase timeout for fixture apps to start in Networking Acceptance Tests to better support small footprint environments story
• Policy Server API now returns X-XSS-Protection header story

Manifest Property Changes

Job	Property	2.22.0 Default	2.23.0 Default
policy-server	max_idle_connections	200	10
policy-server-internal	max_idle_connections	200	10

2.22.0

This release includes no new features. This release was cut in tandem with silk-release v2.22.0 which has a bug fix.

Tested with silk-release v2.22.0

2.21.0

This release includes the following features:

• Continued work towards achieving parity between Dynamic Egress Policy Configuration with ASGs
• General maintenance and continued work towards Istio/Envoy integration
• New vxlan-policy-agent-windows job, with limited support for dynamic egress (c2c policy is WIP)
• operator no longer needs to specify the VIPCIDR range in the bosh-dns-adapter. It can now be retrieved from a bosh-link provided by the Cloud Controller.

Tested with silk-release v2.21.0

Significant Changes

Istio/Envoy integration

• Ingress traffic to the app is proxied through Envoy

Dynamic Egress Policy Configuration parity with ASG

• User can configure a group of rules for Dynamic Egress Destinations
• User can set a default Dynamic Egress Policy
• User can set a Dynamic Egress Policy to "all" for network protocols
• User can set one IP range as a string when creating egress destinations
• User can configure a description per rule for Dynamic Egress Destinations
• User can supply one port range as a string when creating egress destination
• BUG FIX User should not be able to enable container-to-container communication through Dynamic Egress Policies

Miscellaneous

• Golang version updated to Golang 1.11
• operator no longer needs to specify the VIPCIDR range in the bosh-dns-adapter. It can now be retrieved from a bosh-link provided by the Cloud Controller
• cc ca cert optional when pulling it from cc provided link
• Cloud Controller to policy server communication should use TLS when available via Bosh links

2.20.0

This release includes the following feature:

• Continued work towards achieving parity between Dynamic Egress Policy Configuration with ASGs
• General maintenance and continued work towards Istio/Envoy integration

Tested with silk-release v2.20.0

Significant Changes

Istio/Envoy integration

• Pilot supports non-8080 app ports

Dynamic Egress Policy Configuration parity with ASG

• User can specify "running" or "staging" when creating a Dynamic Egress Policy
• User can set a default Dynamic Egress Policy
• Version numbers should be enforced in external policy server api egress policies endpoint

Miscellaneous

• CLI documentation story - Service Discovery
• Make cf-networking pipelines exposed, but not public

2.19.0

Significant Changes

• We finished our proof of concept for putting envoy in the data path 🎉🎉🎉. To try out this experimental feature use the enable-sidecar-egress-proxying.yml opsfile in addition to the other istio opsfiles.
• We have finished making the dynamic egress destination and dynamic egress policy endpoints idempotent. This should make it easier to script adding dynamic egress policies. See docs for how to use these endpoints.

---

Envoy in the data path Features (experimental)

• User can give envoy in the data path demo: An app hits an internal route and network is proxied through envoy to communicate with another app

Dynamic Egress Features (experimental)

• As an operator, I want to idempotently add a new destination object in order to configure an egress policy
• As an operator, I want to idempotently delete a destination object
• As an operator with network.admin, I can idempotently add an egress policy from an app/space to a destination object
• As an operator with network.admin, I can list all egress policies with filters

Metric Features

• Policy Server should emit DB metrics
• Policy Server Internal should emit DB metrics

Other Features

• Policy server should comply with OAuth standard

Bug Fixes

• cc https endpoint configurations supplied in policy-server manifest job properties should have precedence over values from links
• Garden-cni job: Experimental Proxy Redirect CIDR bosh property fails to write iptable rule in container

Chores

• The policy cleaner now uses guids to query CAPI for spaces

---

Tested with silk-release v2.19.0

2.18.0

This release includes the following features

• Update destination object API is now available for configuring dynamic egress policy configuration
• Service accounts can now be used to access the policy server APIs
• Policy server can now connect to databases on Google or Azure clouds with TLS enabled
  Tested with silk-release v2.18.0

Significant Changes

Manifest changes

• An optional parameter has been added to the bosh-dns-adapter job to allow for internal service mesh domains. Routes created with these domains will be proxied through the sidecar envoy. This is a part of istio integration. Defaults to []
  • internal_service_mesh_domains
• An optional parameter has been added to the policy-server job to skip host name validation when using ssl validation. The policy-server-internal uses the same configuration applied to policy-server via bosh links.
  • database.skip_hostname_validation

Dynamic Egress Policy Configuration

• As an operator, I want to update a destination object - Error cases,
• As an operator, I want to update a destination object - Github
• API returns standard format when no policies are present
• Dynamic Egress - Update Github
• As an operator, I want to list all destination objects - Happy path - With filters
• Dynamic Egress acceptance tests should have all ips in destination for various test sites

TLS connection from policy server

• As a CF operator, I expect to be able to configure network policy server to ignore hostnames in server certificates for TLS connections to an external MySQL database for compatibility with Google and Azure Cloud SQL servers that does not provide a hostname in their certificates

Allow service accounts to access policy server APIs

• cloudfoundry/cf-networking-release #51: WIP: UAA Token Subject should be used rather than UserID

Miscellaneous

• BPM BBR scripts
• bosh-dns-adapter should work correctly when overriding the list address and port
• Add docs for large deployments

2.17.0

This release includes the following features

• You can now configure egress policies from app/space without having to restart the app. This release contains an experimental feature that can be activated with a feature flag in the bosh manifest. This has new network policy APIs to configure destination objects for external services and manage egress policies to them at the app and space levels (Currently done through Application Security Groups). You can find more instructions on our Github page.
  Tested with silk-release v2.17.0

Significant Changes

Dynamic Egress Policy Configuration

• Feature flag enforcing DE policies
• As an operator with network.admin, I can list all egress policies - Github
• As an operator, I want to add a new destination object in order to configure an egress policy - Error cases
• As an operator, I want to delete a destination object - Happy path
• As an operator, I want to delete a destination object - Error cases
• As an operator, I want to update a destination object - Happy path
• As an operator, I want to update a destination object - No permission
• As an operator with network.admin, I can add an egress policy from an app/space to a destination object - Happy path
• As an operator with network.admin, I can add an egress policy from an app/space to a destination object - Error Cases
• As an operator with network.admin, I can delete an egress policy - Happy path
• As an operator with network.admin, I can delete an egress policy - No permission
• As an operator with network.admin, I can list all egress policies - No filters
• As an operator with network.admin, I can list all egress policies - No permission
• Add acceptance test for initial dynamic egress policies
• Acceptance Test for ASG and Dynamic Egress Interaction
• Should not get a 502 error from bad request body

DB Open Connection Metrics

• Policy Server, Policy server internal and Silk controller should emit DBOpenConnections metrics