Changelog History

  • v2.7.13 Changes

    September 14, 2020

    👌 Improvements

    🚀 This release contains improvements to Pipeline Generation and Integration

    👍 Enable Enterprise Vault support, use Safe to init

    Instead of using the Vault Genesis kit, some clients need to integrate with
    their company's Enterprise Vault. This means supporting namespaces and
    disabling strongbox, the process that Safe uses to treat multiple Vault VMs
    as a single target when unsealing.

    ⚡️ Since Safe nicely wraps up support for this, the pipelines have been updated
    to use Safe to initialize connections to the Vault, making it seamless
    regardless of whether the Vault is Enterprise or not, or uses a v1 or v2 kv backend.

    🔄 Changes:

    • In your ci.yml, under pipeline.vault, you can specify namespace as
      a string, and no-strongbox as a truthy value to connect to your
      enterprise vault.

    0️⃣ More dynamic 'default' pipeline layout.

    If ci.yml specifies a default layout, that layout will be used without
    having to specify it, but it will expect the fly target to also be default
    -- this is at odds with the concourse login addon which names the fly
    target the same as the environment name.

    To resolve this, if you only have a single layout in your ci.yml file, it
    will be considered the default, so it can be named the same as your fly
    target aka concourse environment. If you have multiple layouts, a layout
    named default, if it exists, will be considered default to keep existing
    behaviour. Otherwise, if you have multiple named layouts and you didn't
    specify one in the repipe command, it will present you with a list to
    choose from. The -t|--target option will still behave as normal.

    👉 Use https instead of ssh for git in pipelines

    Some places must use https endpoints with basic auth for accessing git
    repositories instead of ssh with keys. This enables that ability.

    🔄 Change in behaviour:

    • In the ci.yml file, under pipeline.git, you specify username and
      password instead of private_key
    • If username and password are used, the URI used will be
      https://<host>/<owner>/<repo>.git but this can be specified directly
      using pipeline.git.uri
  • v2.7.12 Changes

    August 06, 2020

    🐛 Bug Fixes

    • 🛠 Fixes missing bosh config error in pipeline deployments
  • v2.7.11 Changes

    July 29, 2020

    👌 Improvements

    ➕ Add better kit id to exodus data

    🚀 As more things use the previously deployed kit to determine what needs
    to be upgraded, it is important to have this information correctly
    identified. Prior to this change, dev kits reported the name as dev and
    the version as latest (from the env yaml file).

    This change uses the kit name and version located in the kit.yml file
    directly, and also adds kit_is_dev to record that a dev kit is being
    used.

    ➕ Added features to exodus export, info script

    🔋 Features are now stored in exodus on successful deploy, and reported by
    the info command.

    💥 BREAKING CHANGE Hooks now use CREDHUB_* environment variables to
    connect to credhub. This requires your BOSH to be deployed with
    bosh-genesis-kit v1.15.1 or later - please upgrade your bosh prior to
    deploying any kits that use Credhub (cf, cf-app-autoscaler)

    Decouple vault/bosh with loading of env

    Not all genesis commands need vault or bosh, but it was being
    proactively connected any time the env was loaded.

    Kit Development Improvements

    ➕ Add ability to require connections to kit hooks

    Normally, hooks don't need bosh or vault, but if they do, the kit can
    specify which hook needs vault or bosh (or, in the future, credhub) so
    the connection can be validated before the hooks are run (similar to the
    required_configs behaviour)

    👍 Allow feature hook to access the same environment variables and helper
    script that the other hooks use.

    🐛 Bug Fixes

    🔧 When safe was not configured with any targets, the error that occurred in
    Genesis was confusing and not explanatory. It will now plainly explain that
    it can't read .saferc and therefore cannot select the desired vault.

    🛠 Fixed some BOSH config requirements that were problematic for some edge cases

    👌 Improve hook standard error handling.

    Previous improvements stopped STDERR from being output directly to the
    screen. This has been reverted so that STDERR is output directly to
    the terminal in real time.

    Resolve recursion issue with feature hook checking if bosh create-env is
    specified, which needs to check features, which runs feature hook...

    Prevent double check_prereq calls

    Minimum Dependencies

    • bosh: v5.0.1
    • spruce: v1.26.0
  • v2.7.10 Changes

    June 25, 2020

    👌 Improvements

    The --cloud-config|--cc and --runtime-config|--rc have been streamlined
    into a single --config|-c with backwards compatibility to the existing
    -c (for cloud config). You can now specify named configs as such:

    -c [type[@name]=]/path/to/config.yml
    

    If type is not given, it is assumed cloud, and likewise if name is not
    given, it is assumed to be the unnamed default config for the given
    type.

    -c can be specified multiple times to specify multiple configs. It
    does not error check that you haven't specified the same type and name
    multiple times, so that's on you to ensure you're not doing that.
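    The -c grammar above, as an added example that is not code from the Genesis project: a small parser for `[type[@name]=]/path` that applies the documented defaults (omitted type means cloud, omitted name means the unnamed default), plus the duplicate-spec check the notes say Genesis itself does not perform, so a repeated type@name is refused instead of silently overriding an earlier one. The helper names and the sample arguments are constructed for this example.

```python
import re
from dataclasses import dataclass

# Grammar from the release notes:  -c [type[@name]=]/path/to/config.yml
# Everything before the first "=" is "type" or "type@name"; with no "=" the
# whole argument is the path. The optional group must end in "=", so an "@"
# inside a bare path (e.g. a home directory) is never taken as a name separator.
SPEC_RE = re.compile(r"^(?:(?P<type>[^@=]+)(?:@(?P<name>[^=]+))?=)?(?P<path>.+)$")

DEFAULT_TYPE = "cloud"   # the notes say an omitted type means cloud config
DEFAULT_NAME = ""        # "" stands for the unnamed default config of a type


@dataclass(frozen=True)
class ConfigSpec:
    type: str
    name: str
    path: str


def parse_config_spec(spec: str) -> ConfigSpec:
    """Parse one -c argument into (type, name, path)."""
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"unparseable config spec: {spec!r}")
    return ConfigSpec(
        type=m.group("type") or DEFAULT_TYPE,
        name=m.group("name") or DEFAULT_NAME,
        path=m.group("path"),
    )


def collect_configs(specs, strict=True):
    """Combine repeated -c arguments into {(type, name): path}.

    Genesis does not check for the same type and name given twice (the notes
    leave that to the user); with strict=True this helper refuses it.
    """
    configs = {}
    for spec in specs:
        parsed = parse_config_spec(spec)
        key = (parsed.type, parsed.name)
        if strict and key in configs:
            raise ValueError(
                f"{parsed.type}@{parsed.name or '<default>'} given twice: "
                f"{configs[key]} and {parsed.path}"
            )
        configs[key] = parsed.path
    return configs


if __name__ == "__main__":
    # Constructed sample arguments, as a user might pass them after -c.
    sample = ["/path/to/cloud.yml", "runtime=/path/to/runtime.yml",
              "runtime@thiskit=/path/to/thiskit-rc.yml"]
    for (ctype, name), path in collect_configs(sample).items():
        print(f"{ctype}@{name or '<default>'} -> {path}")
```

    Pass strict=False to reproduce the documented last-one-wins behaviour; the strict default is the safer choice for a wrapper script, since a config that is silently replaced is the kind of mistake that only shows up at deploy time.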

    🐛 Bug Fixes

    • The overly aggressive downloading of cloud config for most activities has
      been reduced to only deployment and check, as was the previous behaviour.
      Likewise, the downloading of cloud config is not attempted when deploying a
      proto-bosh (or anything else that uses create-env for deployment)
  • v2.7.9 Changes

    June 23, 2020

    👌 Improvements

    ➕ Add new secret type of UUID

    In kit.yml, you can now generate UUIDs of all types. By default, you just
    need to specify the type 'uuid' for a path and key (similar to how 'random'
    works). The full syntax is:

    uuid [v1|time|v3|md5|v4|random|v5|sha1] [namespace (<UUID>|dns|url|oid|x500)] [name <string>] [fixed]

    With no arguments, a v4/random UUID is generated. If v3/md5 or v5/sha1 is
    specified, it takes a name and optional namespace argument to build the
    hash, which will always generate the same value for the same input
    arguments, unlike the other versions. The name can be any string, and the
    namespace can be the pre-defined namespaces of dns, url, oid or x500, or any
    arbitrary UUID string.
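    An added example of the uuid secret syntax above, written for this page and not taken from the Genesis code base: it parses the spec string into version, namespace, name and fixed flag, then generates the value with Python's uuid module so the deterministic nature of v3/v5 (same namespace and name, same UUID every time) can be checked against the random v4 default. Two assumptions are labelled in the code: the namespace falls back to dns when omitted (the notes call it optional but give no default), and 'fixed' is carried as a flag meaning the value should not be regenerated on rotation.

```python
import shlex
import uuid

# Syntax from the release notes:
#   uuid [v1|time|v3|md5|v4|random|v5|sha1] [namespace (<UUID>|dns|url|oid|x500)] [name <string>] [fixed]
VERSION_ALIASES = {"v1": 1, "time": 1, "v3": 3, "md5": 3,
                   "v4": 4, "random": 4, "v5": 5, "sha1": 5}
NAMED_NAMESPACES = {"dns": uuid.NAMESPACE_DNS, "url": uuid.NAMESPACE_URL,
                    "oid": uuid.NAMESPACE_OID, "x500": uuid.NAMESPACE_X500}
# Assumption: the notes say the namespace is optional but not what the default
# is; this example falls back to the dns namespace.
DEFAULT_NAMESPACE = uuid.NAMESPACE_DNS


def parse_uuid_spec(spec: str) -> dict:
    """Turn the kit.yml value string into version/namespace/name/fixed."""
    tokens = shlex.split(spec)          # lets a name containing spaces be quoted
    if not tokens or tokens[0] != "uuid":
        raise ValueError(f"not a uuid spec: {spec!r}")
    parsed = {"version": 4, "namespace": None, "name": None, "fixed": False}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in VERSION_ALIASES:
            parsed["version"] = VERSION_ALIASES[tok]
            i += 1
        elif tok in ("namespace", "name"):
            if i + 1 >= len(tokens):
                raise ValueError(f"'{tok}' needs an argument in {spec!r}")
            parsed[tok] = tokens[i + 1]
            i += 2
        elif tok == "fixed":
            parsed["fixed"] = True      # assumption: value is not regenerated on rotation
            i += 1
        else:
            raise ValueError(f"unknown token {tok!r} in {spec!r}")
    if parsed["version"] in (3, 5) and parsed["name"] is None:
        raise ValueError("v3/md5 and v5/sha1 UUIDs need a name to hash")
    return parsed


def resolve_namespace(ns) -> uuid.UUID:
    """dns/url/oid/x500 keyword or any UUID string; None gives the default."""
    if ns is None:
        return DEFAULT_NAMESPACE
    if ns in NAMED_NAMESPACES:
        return NAMED_NAMESPACES[ns]
    return uuid.UUID(ns)                # ValueError on a malformed UUID string


def generate_uuid(parsed: dict) -> str:
    """Produce the value; only v3 and v5 are repeatable for the same inputs."""
    version = parsed["version"]
    if version == 1:
        return str(uuid.uuid1())        # derived from clock and node id, not random
    if version == 4:
        return str(uuid.uuid4())        # os.urandom-backed random UUID
    ns = resolve_namespace(parsed["namespace"])
    if version == 3:
        return str(uuid.uuid3(ns, parsed["name"]))
    return str(uuid.uuid5(ns, parsed["name"]))


if __name__ == "__main__":
    for spec in ("uuid", "uuid v5 namespace dns name python.org",
                 "uuid md5 namespace url name 'https://example.test/x' fixed"):
        print(f"{spec:62s} -> {generate_uuid(parse_uuid_spec(spec))}")
```

    The practical consequence for kit authors: a v3/v5 UUID is a stable identifier, not a secret, because anyone who knows the namespace and name can recompute it, whereas the v4 default is unpredictable and a v1 value encodes the generating host's clock and node id.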

    👍 Expanded config support. Kits can now specify which configs are required
    and for what hook scripts. This allows for custom cloud and runtime configs
    to be validated and used for information. Furthermore, cloud config can now
    be used during the new script to check if the required keys are present or
    even propose values that can be added.

    💅 This is done using one of the following two styles:

    --- # kit.yml required_configs style 1
    required_configs:
      - cloud
      - runtime
      - runtime@thiskit
    
    --- # kit.yml required configs style 2
    required_configs:
      cloud: true
      runtime: [blueprint new]
      funky: false
    

    💅 In the first style, all hooks will require the listed configurations. In
    the second style, cloud config will always be required, runtime will
    only be required when processing blueprint and new hooks, and funky
    will never be required.

    0️⃣ By default, if no required_configs block is specified, only cloud config
    is required when processing blueprint, and no other hooks. This is
    effectively the previous behaviour.

    Add move_secrets_to_credhub bash helper function

    move_secrets_to_credhub src_path:key dst_path

    🚚 This will move a secret under the environment's Vault area to the
    environment's credhub area. Do not include the secrets base before the
    src_path, or the bosh env/deployment prefix before the dst_path.

    Derived features are features that are artificially created by the
    hooks/features script to represent the absence of other features or a specific
    combination of features, so that secrets can be better specified (ie a
    secret that only exists if a feature ISN'T specified). They must start with
    a +, are not checked with the validation features, and cannot be
    explicitly stated in an environment file.

    🐛 Bug Fixes

    🚀 Kit releases that precede the current version by 30 or more releases are no
    longer reported as non-existent.

    ✅ Compiled kits no longer contain the spec tests and kit devtools, as they
    aren't needed to use the kit.

    👌 Improved details given when hooks fail, specifically when blueprint fails
    to determine which manifest fragments are required for merging

    Don't populate missing maybe params

    When a parameter is conditionally available, the maybe: parameter
    dereference would prevent errors if the parameter was missing, but it would
    leave an empty string as the value. This changes that behaviour to drop the
    key or the array element that was being set to the missing parameter.

  • v2.7.9-rc4 Changes

    June 16, 2020

    🚀 Minor incremental release candidate to rc3:

    🐛 Bug Fixes

    - Missing setting alternate bosh and credhub envs on create
    - 'config' config should be 'cloud' config for default required configs
    
  • v2.7.9-rc3 Changes

    June 16, 2020

    🚀 Release Candidate v2.7.9-rc3

    rc1 and rc2 were internal testing only

    👌 Improvements

    👍 Expanded config support. Kits can now specify which configs are required
    and for what hook scripts. This allows for custom cloud and runtime configs
    to be validated and used for information. Furthermore, cloud config can now
    be used during the new script to check if the required keys are present or
    even propose values that can be added.

    💅 This is done using one of the following two styles:

    --- # kit.yml required_configs style 1
    required_configs:
      - cloud
      - runtime
      - runtime@thiskit
    
    --- # kit.yml required configs style 2
    required_configs:
      cloud: true
      runtime: [blueprint new]
      funky: false
    

    💅 In the first style, all hooks will require the listed configurations. In
    the second style, cloud config will always be required, runtime will
    only be required when processing blueprint and new hooks, and funky
    will never be required.

    0️⃣ By default, if no required_configs block is specified, only cloud config
    is required when processing blueprint, and no other hooks. This is
    effectively the previous behaviour.
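    The required_configs semantics described here (and, identically, in the v2.7.9 notes above), as an added example that is not the Genesis implementation: given the block as parsed from kit.yml, it answers which configs a given hook needs under either style, applies the documented default of cloud-for-blueprint-only when the block is absent, and reports what is missing so a hook can be refused before it runs. The sample structures are constructed; one assumption is labelled in the code: a value written as `[blueprint new]` reads in YAML as a single string, so a whitespace-separated string is treated as a list of hook names.

```python
DEFAULT_REQUIRED = {"blueprint": {"cloud"}}   # documented default when no block is given


def _hooks_from_value(value):
    """Style-2 value -> None (every hook), a set of hook names, or an empty set."""
    if value is True:
        return None
    if value is False or value is None:
        return set()
    if isinstance(value, str):
        # Assumption: "[blueprint new]" parses in YAML as the one string
        # "blueprint new", so split a string value on whitespace.
        return set(value.split())
    return {h for item in value for h in str(item).split()}


def required_configs_for(hook, required_configs):
    """Return the set of config names `hook` needs under this kit.yml block."""
    if required_configs is None:
        return set(DEFAULT_REQUIRED.get(hook, set()))
    if isinstance(required_configs, list):
        return set(required_configs)   # style 1: every hook needs all of them
    if not isinstance(required_configs, dict):
        raise TypeError("required_configs must be a list or a mapping")
    needed = set()
    for config, value in required_configs.items():
        hooks = _hooks_from_value(value)
        if hooks is None or hook in hooks:
            needed.add(config)
    return needed


def missing_configs(hook, required_configs, available):
    """Configs `hook` needs that are not present; non-empty means refuse to run it."""
    return sorted(required_configs_for(hook, required_configs) - set(available))


if __name__ == "__main__":
    # Constructed inputs mirroring the two styles in the release notes.
    style1 = ["cloud", "runtime", "runtime@thiskit"]
    style2 = {"cloud": True, "runtime": "blueprint new", "funky": False}
    for hook in ("blueprint", "new", "check"):
        print(hook,
              "style1:", sorted(required_configs_for(hook, style1)),
              "style2:", sorted(required_configs_for(hook, style2)),
              "default:", sorted(required_configs_for(hook, None)))
    print("missing for blueprint under style1:",
          missing_configs("blueprint", style1, {"cloud", "runtime"}))
```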

    Added move_secrets_to_credhub bash helper function

    move_secrets_to_credhub src_path:key dst_path

    🚚 This will move a secret under the environment's Vault area to the
    environment's credhub area. Do not include the secrets base before the
    src_path, or the bosh env/deployment prefix before the dst_path.

    ➕ Added ccq and rcq helper functions that allow jq queries directly on
    provided cloud config and runtime config structures.

    🐛 Bug Fixes

    🚀 Kit releases that precede the current version by 30 or more releases are no
    longer reported as non-existent.

    ✅ Compiled kits no longer contain the spec tests and kit devtools, as they
    aren't needed to use the kit.

    👌 Improved details given when hooks fail, specifically when blueprint fails
    to determine which manifest fragments are required for merging

    Don't populate missing maybe params

    When a parameter is conditionally available, the maybe: parameter
    dereference would prevent errors if the parameter was missing, but it would
    leave an empty string as the value. This changes that behaviour to drop the
    key or the array element that was being set to the missing parameter.

  • v2.7.8 Changes

    May 21, 2020

    💥 Breaking Changes

    No longer set $HTTPS_PROXY to $BOSH_ALL_PROXY

    This broke under two conditions:

    • If you wanted to use BOSH via a proxy, but your vault was on your
      home network
    • If you used a protocol of ssh+socks5, which is not supported by
      HTTPS_PROXY.

    Instead, if you are setting BOSH_ALL_PROXY, you must set HTTPS_PROXY or
    alternatively SAFE_ALL_PROXY instead of relying on Genesis to do that
    for you.

    👌 Improvements

    👍 Now supports extraction of bosh variables and credhub secrets into exodus
    data for cross-kit integration and addon support.

    ✅ When testing availability of the vault, it specifies the alias and url of
    the vault instead of specifying "selected vault"

    🚀 Clarify usage of --recreate and --fix options for deploy

    🐛 Bug Fixes

    ⏱ Universal support for timeout detection when attempting to connect to remote
    BOSH and Vault, with better feedback in case of timeout (Fixes #412)

    ➕ Adds support for multiline provided secrets rotation and addition (Fixes #413)

    🛠 Fix typo in rotate-secrets help (Fixes #414)

    🚀 Deployments using legacy mode for secrets providers now get the vault
    connection validated prior to using it

    🛠 Fixed bug where non-standard secrets mount would report the vault was
    uninitialized.

    Kit Authoring Improvements

    Kit manifests can now use the same environment variables used by the hooks
    script, via spruce, to perform actions such as:
    (( vault $GENESIS_EXODUS_MOUNT params.cf_deployment_name ":admin_password" ))

    ➕ Add features hook

    🖨 While the blueprint hook has the ability to make decisions on when a feature
    is NOT present, or on specific combinations of features, that ability is
    not available to the other hooks and integrations.

    We used to have a subkit hook which would allow you to create derived
    features so that default features and not-features could show up as
    explicit features, which allows things like secrets management to
    determine dependencies for these. (ie the lack of a feature can result in a
    not-feature derived feature that adds secrets for a default state)

    This has been re-realized as a features hook, which given a list of
    features in the $GENESIS_REQUESTED_FEATURES value, can provide a
    derived list of features, which will be used by internal genesis for the
    environment's features list, which in turn will be used to populate
    $GENESIS_REQUESTED_FEATURES for other hooks.
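    The features hook contract described here, and the derived-feature rules in the v2.7.9 notes above (a derived feature starts with +, cannot be stated in an environment file, and stands for an absent feature or a combination), as an added example rather than a kit's actual hooks/features script: it reads the requested list, rejects any explicitly requested + feature, and appends the derived features whose rule holds. The feature names, the derivation rules and the assumption that $GENESIS_REQUESTED_FEATURES is whitespace-separated are constructed for this illustration.

```python
import os

# Constructed derivation rules standing in for what a kit's hooks/features
# script would encode. Derived features always start with "+" so they can be
# told apart from features an operator requested explicitly.
DERIVATION_RULES = {
    # present when the (constructed) tls feature is NOT requested, so secrets
    # for the default plain-text state can be declared against it
    "+no-tls": lambda requested: "tls" not in requested,
    # present only for a specific combination of features
    "+haproxy-tls": lambda requested: {"haproxy", "tls"} <= requested,
}


def validate_requested(features):
    """Reject '+' features from an environment file: they are derived only."""
    bad = [f for f in features if f.startswith("+")]
    if bad:
        raise ValueError(f"derived features cannot be requested explicitly: {bad}")
    return list(features)


def derive_features(requested):
    """Requested features followed by every derived feature whose rule holds."""
    requested = validate_requested(requested)
    present = set(requested)
    derived = [name for name, rule in DERIVATION_RULES.items() if rule(present)]
    return requested + derived


def run_features_hook(environ):
    """Read $GENESIS_REQUESTED_FEATURES (assumed whitespace-separated) and
    return the full list the hook hands back for the environment's features."""
    raw = environ.get("GENESIS_REQUESTED_FEATURES", "")
    return derive_features(raw.split())


if __name__ == "__main__":
    # With nothing requested the hook still emits +no-tls, the default-state marker.
    print(run_features_hook(os.environ))
```

    Because Genesis feeds the derived list back into $GENESIS_REQUESTED_FEATURES for the other hooks, the explicit rejection of + entries in the environment file is what keeps an operator from forging a derived state (and the secrets attached to it) by hand.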

  • v2.7.8-rc1 Changes

    May 07, 2020

    👌 Improvements

    👍 Now supports extraction of bosh variables and credhub secrets into exodus
    data for cross-kit integration and addon support.

    ✅ When testing availability of the vault, it specifies the alias and url of
    the vault instead of specifying "selected vault"

    🐛 Bug Fixes

    ⏱ Universal support for timeout detection when attempting to connect to remote
    BOSH and Vault, with better feedback in case of timeout (Fixes #412)

    ➕ Adds support for multiline provided secrets rotation and addition (Fixes #413)

    🛠 Fix typo in rotate-secrets help (Fixes #414)

    🚀 Deployments using legacy mode for secrets providers now get the vault
    connection validated prior to using it

    🛠 Fixed bug where non-standard secrets mount would report the vault was
    uninitialized.

  • v2.7.7 Changes

    April 23, 2020

    👌 Improvements

    Soften secrets validation assessment

    ⚠ This commit lowers the validation assessment from error to warning on the
    following:

    X509:

    • CN doesn't match kit's expected CN
    • SAN doesn't match kit's expected SAN, or if CN matches a different SAN
    • Usage doesn't match kit's expected usage.

    dhparams, rsa and ssh:

    • size doesn't match kit's expectation

    random string:

    • size doesn't match kit's expectation
    • characters used contain invalid characters

    ➕ Added warnings for when a certificate is expected to expire within the
    next 30 days.

    Ensure genesis.env is present, warn on params.env

    🗄 2.6.13 deprecated params.env, and for a brief time printed a warning
    to that effect until it was determined that it was too noisy.

    🚚 2.7.0-2.7.6 removed the usage of params.env and enforced the migration
    of params.env to genesis.env, and kits declared with minimum version of
    2.7.0 were expected to use genesis.env where they before used
    params.env.

    ⚠ After pushback, we have decided to soften the stance, and print warnings
    when the environment uses a kit with genesis_version_min of 2.7.0 or
    higher. As these kits require genesis.env to be set, we do so as part
    of the manifest merge.

    🐛 Bug Fixes

    🛠 Fix kit version lookup on unsaved new environments

    Fix expanded path in GENESIS_CALLBACK_BIN

    If the genesis binary invoked involved a symlink in the path, then the
    binary reference would have the full path. This fixes that.