All Versions
21
Latest Version
Avg Release Cycle
11 days
Latest Release
1229 days ago

Changelog History
Page 2

  • v2.7.13 Changes

    September 14, 2020

    ๐Ÿ‘Œ Improvements

    ๐Ÿš€ This release contains improvements to Pipeline Generation and Integration

    ๐Ÿ‘ Enable Enterprise Vault support, use Safe to init

    Instead of using the Vault Genesis kit, some clients need to integrate with
    ๐Ÿ‘ their companies Enterprise Vault. This means supporting namespaces and
    disabling strongbox, the process that Safe uses to treat multiple Vault VMs
    as a single target when unsealing.

    โšก๏ธ Since Safe nicely wraps up support for this, the pipelines have been updated
    to use Safe to initialize connections to the Vault, making it seamless
    regardless of it being Enterprise or not, v1 or v2 kv backend.

    ๐Ÿ”„ Changes:

    • In your ci.yml, under pipeline.vault, you can specify namespace as
      a string, and no-strongbox as a truthy value to connect to your
      enterprise vault.

    0๏ธโƒฃ More dynamic 'default' pipeline layout.

    0๏ธโƒฃ If ci.yml specifies a default layout, that layout will be used without
    0๏ธโƒฃ having to specify it, but it will expect the fly target to also be default
    -- this is at odds with the concourse login addon which names the fly
    target the same as the environment name.

    To resolve this, if you only have a single layout in your ci.yml file, it
    0๏ธโƒฃ will be considered the default, so it can be named the same as your fly
    target aka concourse environment. If you have muptiple layouts, a layout
    0๏ธโƒฃ named default, if it exists, will be considered default to keep existing
    behaviour. Otherwise, if you have multiple named layouts and you didn't
    specify one in the repipe command, it will present you with a list to
    chose from. The -t|--target command will still behave as normal.

    ๐Ÿ‘‰ Use use https instead of ssh for git in pipeliens

    Some places must use https endpoints with basic auth for accessing git
    repositories instead of ssh with keys. This enables that ability.

    ๐Ÿ”„ Change in behaviour:

    • In the ci.yml file, under pipeline.git, you specify username and
      password instead of private_key
    • If username and password are used, the URI used will be
      https://<host>/<owner>/<repo>.git but this can be specified directly
      using pipeline.git.uri

  • v2.7.12 Changes

    August 06, 2020

    ๐Ÿ› Bug Fixes

    • ๐Ÿ›  Fixes missing bosh config error in pipeline deployments

  • v2.7.11 Changes

    July 29, 2020

    ๐Ÿ‘Œ Improvements

    โž• Add better kit id to exodus data

    ๐Ÿš€ As more things use the previously deployed kit to determine what needs
    โฌ†๏ธ to be upgraded, it is important to have this information correctly
    identified. Prior to this change, dev kits reported the name as dev and
    โœ… the version as latest (from the env yaml file)

    This change uses the kit name and version located in the kit.yml file
    directly, and also adds kit_is_dev to record that a dev kit is being
    ๐Ÿ‘‰ used.

    โž• Added features to exodus export, info script

    ๐Ÿ”‹ Features are now stored in exodus on successful deploy, and reported by
    the info command.

    ๐Ÿ’ฅ BREAKING CHANGE Hooks now use CREDHUB_* environment variables to
    ๐Ÿš€ connect to credhub. This required your BOSH to be deployed with
    โฌ†๏ธ bosh-genesis-kit v1.15.1 or later - please upgrade your bosh prior to
    ๐Ÿš€ deploying any kits that use Credhub (cf, cf-app-autoscaler)

    Decouple vault/bosh with loading of env

    Not all genesis commands need vault or bosh, but it was being
    proactively connected any time the env was loaded.

    Kit Development Improvements

    โž• Add ability to require connections to kit hooks

    Normally, hook don't need bosh or vault, but if they do, the kit can
    specify which hook needs vault or bosh (or in the future credhub) so
    the connection can be validated before the hooks are run (similar to the
    required_configs behaviour)

    ๐Ÿ‘ Allow feature hook to access the same environment variables and helper
    script that the other hooks use.

    ๐Ÿ› Bug Fixes

    ๐Ÿ”ง When safe was not configured with any targets, the error that occurred in
    Genesis was confusing and not explanatory. It will now plainly explain that
    it is can't read .saferc and therefore not select the desired vault.

    ๐Ÿ›  Fixed some BOSH config requirements that were problematic for some edge cases

    ๐Ÿ‘Œ Improve hook standard error handling.

    Previous improvements stopped STDERR from being output directly to
    โช screen. This has been reverted so that STDERR would be output directly to
    the terminal in real time.

    Resolve recursion issue with feature hook checking if bosh create-env is
    specified, which needs to check features, which runs feature hook...

    Prevent double check_prereq calls

    Minimum Dependencies

    • bosh: v5.0.1
    • spruce: v1.26.0

  • v2.7.10 Changes

    June 25, 2020

    ๐Ÿ‘Œ Improvements

    The --cloud-config|--cc and --runtime-config|--rc have been streamlined
    into a single --config|-c with backwards compatibility to the existing
    -c (for cloud config). You can now specify named configs as such:

    -c [type[@name]=]/path/to/config.yml

    If type is not given, it is assumed cloud, and likewise if name is not
    0๏ธโƒฃ given, it is assumed to be the unnamed default config for the given
    type.

    -c can be specified multiple times to specify multiple configs. It
    does not error check that you haven't specified the same type and name
    multiple times, so that's on you to ensure you're not doing that.

    ๐Ÿ› Bug Fixes

    • The overly agressive downloading of cloud config for most activities has
      ๐Ÿš€ been reduced to only deployment and check, as was the previous behaviour.
      ๐Ÿš€ Likewise, the downloading of cloud config is not attempted when deploying a
      ๐Ÿš€ proto-bosh (or anything else that uses create-env for deployment)

  • v2.7.9 Changes

    June 23, 2020

    ๐Ÿ‘Œ Improvements

    โž• Add new secret type of UUID

    0๏ธโƒฃ In kit.yml, you can now generate UUIDs of all types. By default, you just
    need to specify the type 'uuid' for a path and key (similar to how 'random'
    works. The full syntax is:

    ๐Ÿ›  uuid [v1|time|v3|md5|v4|random|v5|sha1] [namespace (<UUID>|dns|url|oid|x500)] [name <string>] [fixed]

    With no arguments, a v4/random UUID is generated. If v3/md5 or v5/sha1 is
    ๐Ÿ— specified, it takes a name and optional namespace argument to build the
    hash, which will always generate the same value for the same input
    arguments, unlike the other versions. The name can be any string, and the
    namespace can be the pre-defined namespaces of dns, url, oid or x500, or any
    arbitrary UUID string.

    ๐Ÿ‘ Expanded config support. Kits can now specify which configs are required
    and for what hook scripts. This allows for custom cloud and runtime configs
    to be validated and used for information. Furthermore, cloud config can now
    be used during the new script to check if the required keys are present or
    even propose values that can be added.

    ๐Ÿ’… This is done using one of the following two styles:

    --- # kit.yml required_configs style 1
required_configs:
  - cloud
  - runtime
  - runtime@thiskit

--- # kit.yml required configs style 2
required_configs:
  cloud: true
  runtime: [blueprint new]
  funky: false

    ๐Ÿ’… In the first style, all hooks will require the listed configurations. In
    ๐Ÿ’… the second style, cloud config will always be required, runtime will
    ๐Ÿ–จ only be required when processing blueprint and new hooks, and funky
    will never be required.

    0๏ธโƒฃ By default, if no required_configs block is specified, only cloud config
    ๐Ÿ–จ is requred when processing blueprint, and no other hooks. This is
    effectively the previous behaviour.

    Add move_secrets_to_credhub bash helper function

    move_secrets_to_credhub src_path:key dst_path

    ๐Ÿšš This will move a secret under the environments Vault area to the
    environments credhub area. Do not include the secrets base before the
    ๐Ÿš€ src_path, or the bosh env/deployment prefix before the dst_path.

    Derived features are features that are artificially created by the
    hooks/features script to facilitate absent of other features or a specific
    ๐Ÿ‘ combination of features, so that secrets can be better specified (ie a
    secret that only exists if a feature ISN'T specified) They must start with
    a +, are not checked with the validation features, and cannot be
    explicitly stated in an environment file.

    ๐Ÿ› Bug Fixes

    ๐Ÿš€ Kit releases that preceed the current version by 30 or more releases are no
    longer reported as non-existant.

    โœ… Compiled kits no longer contain the spec tests and kit devtools, as they
    aren't needed to use the kit.

    ๐Ÿ‘Œ Improved details given when hooks fail, specifically when blueprint fails
    ๐Ÿ”€ to determine which manifest fragments are requied for merging

    Don't populate missing maybe params

    When a parameter is conditionally available, the maybe: parameter
    dereference would prevent errors if the parameter was missing, but it would
    leave an empty string as the value. This changes that behaviour to drop the
    key or the array element that was being set to the missing parameter.

  • v2.7.9-rc4 Changes

    June 16, 2020

    ๐Ÿš€ Minor incremental release candidate to rc3:

    ๐Ÿ› Bug Fixes

    - Missing setting alternate bosh and credhub envs on create
- 'config' config should be 'cloud' config for default required configs

  • v2.7.9-rc3 Changes

    June 16, 2020

    ๐Ÿš€ Release Candidate v2.7.9-rc3

    โœ… rc1 and rc2 were internal testing only

    ๐Ÿ‘Œ Improvements

    ๐Ÿ‘ Expanded config support. Kits can now specify which configs are required
    and for what hook scripts. This allows for custom cloud and runtime configs
    to be validated and used for information. Furthermore, cloud config can now
    be used during the new script to check if the required keys are present or
    even propose values that can be added.

    ๐Ÿ’… This is done using one of the following two styles:

    --- # kit.yml required_configs style 1
required_configs:
  - cloud
  - runtime
  - runtime@thiskit

--- # kit.yml required configs style 2
required_configs:
  cloud: true
  runtime: [blueprint new]
  funky: false

    ๐Ÿ’… In the first style, all hooks will require the listed configurations. In
    ๐Ÿ’… the second style, cloud config will always be required, runtime will
    ๐Ÿ–จ only be required when processing blueprint and new hooks, and funky
    will never be required.

    0๏ธโƒฃ By default, if no required_configs block is specified, only cloud config
    ๐Ÿ–จ is requred when processing blueprint, and no other hooks. This is
    effectively the previous behaviour.

    Added move_secrets_to_credhub bash helper function

    move_secrets_to_credhub src_path:key dst_path

    ๐Ÿšš This will move a secret under the environments Vault area to the
    environments credhub area. Do not include the secrets base before the
    ๐Ÿš€ src_path, or the bosh env/deployment prefix before the dst_path.

    โž• Added ccq and rcq helper functions that allow jq queries directly on
    provided cloud config and runtime config structures.

    ๐Ÿ› Bug Fixes

    ๐Ÿš€ Kit releases that preceed the current version by 30 or more releases are no
    longer reported as non-existant.

    โœ… Compiled kits no longer contain the spec tests and kit devtools, as they
    aren't needed to use the kit.

    ๐Ÿ‘Œ Improved details given when hooks fail, specifically when blueprint fails
    ๐Ÿ”€ to determine which manifest fragments are requied for merging

    Don't populate missing maybe params

    When a parameter is conditionally available, the maybe: parameter
    dereference would prevent errors if the parameter was missing, but it would
    leave an empty string as the value. This changes that behaviour to drop the
    key or the array element that was being set to the missing parameter.

  • v2.7.8 Changes

    May 21, 2020

    ๐Ÿ’ฅ Breaking Changes

    No longer set $HTTPS_PROXY to $BOSH_ALL_PROXY

    This broke under two conditions:

    If you wanted to use BOSH via a proxy, but your vault was on your
    home network

    ๐Ÿ‘ If you used a protocol of ssh+socks5, which is not supported by
    HTTPS_PROXY.

    Instead, if you are setting BOSH_ALL_PROXY, you must set HTTPS_PROXY or
    alternatively SAFE_ALL_PROXY instead of relying on Genesis to do that
    for you.

    ๐Ÿ‘Œ Improvements

    ๐Ÿ‘ Now supports extraction of bosh variables and credhub secrets into exodus
    ๐Ÿ‘ data for cross-kit integration and addon support.

    โœ… When testing availability of the vault, it specifies the alias and url of
    the vault instead of specifying "selected vault"

    ๐Ÿš€ Clarify usage of --recreate and --fix options for deploy

    ๐Ÿ› Bug Fixes

    โฑ Universal support for timeout detection when attempting to connect to remote
    ๐Ÿ›  BOSH and Vault, with better feedback in case of timeout (Fixes #412)

    โž• Adds support for multiline provided secrets rotation and addition (Fixes #413)

    ๐Ÿ›  Fix typo in rotate-secrets help (Fixes #414)

    ๐Ÿš€ Deployments using legacy mode for secrets providers now get the vault
    connection validated prior to using it

    ๐Ÿ›  Fixed bug where non-standard secrets mount would report the vault was
    uninitialized.

    Kit Authoring Improvements

    Kit manifests can now use the same environment variables used by the hooks
    script, via spruce, to perform actions such as:
    (( vault $GENESIS_EXODUS_MOUNT params.cf_deployment_name ":admin_password" ))

    โž• Add features hook

    ๐Ÿ–จ While blueprint hook has the ability to make decisions on when a feature
    is NOT present, or on specific combinations of features, that ability is
    beyond other interactions.

    We used to have a subkit hook which would allow you to create derived
    ๐Ÿ”‹ features so that default features and not-features could show up as
    explicit features, which allows things like secrets management to
    determine dependencies for these. (ie lack of a features can result in a
    0๏ธโƒฃ not-feature derived feature to add secrets for a default state)

    This has been re-realized as a features hook, which given a list of
    features in the $GENESIS_REQUESTED_FEATURES value, can provide a
    derived list of features, which will be used by internal genesis for the
    environment's features list, which in turn will be used to populate
    $GENESIS_REQUESTED_FEATURES for other hooks.

  • v2.7.8-rc1 Changes

    May 07, 2020

    ๐Ÿ‘Œ Improvements

    ๐Ÿ‘ Now supports extraction of bosh variables and credhub secrets into exodus
    ๐Ÿ‘ data for cross-kit integration and addon support.

    โœ… When testing availability of the vault, it specifies the alias and url of
    the vault instead of specifying "selected vault"

    ๐Ÿ› Bug Fixes

    โฑ Universal support for timeout detection when attempting to connect to remote
    ๐Ÿ›  BOSH and Vault, with better feedback in case of timeout (Fixes #412)

    โž• Adds support for multiline provided secrets rotation and addition (Fixes #413)

    ๐Ÿ›  Fix typo in rotate-secrets help (Fixes #414)

    ๐Ÿš€ Deployments using legacy mode for secrets providers now get the vault
    connection validated prior to using it

    ๐Ÿ›  Fixed bug where non-standard secrets mount would report the vault was
    uninitialized.

  • v2.7.7 Changes

    April 23, 2020

    ๐Ÿ‘Œ Improvements

    Soften secrets validation assessment

    โš  This commit lowers the validation assessment from error to warning on the
    following:

    X509:

    • CN doesn't match kit's expected CN
    • SAN doesn't match kit's expected SAN, or if CN matches a diffent SAN
    • Usage doesn't match kit's expected usage.

    dhparams, rsa and ssh:

    • size doesn't match kit's expectation

    random string:

    • size doesn't match kits expection
    • characters used contain invalid characters

    โž• Added warnings for when certificate is expected to expire withing the
    next 30 days.

    Ensure genesis.env is present, warn on params.env

    ๐Ÿ—„ 2.6.13 deprecated params.env, and for a brief time printed a warning
    to that effect until it was determined that it was too noisy.

    ๐Ÿšš 2.7.0-2.7.6 removed the usage of params.env and enforced the migration
    of params.env to genesis.env, and kits declared with minimum version of
    2.7.0 were expected to use genesis.env where they before used
    params.env.

    โš  After pushback, we have decided to soften the stance, and print warnings
    ๐Ÿ”– when the environment uses a kit with genesis_version_min of 2.7.0 or
    higher. As these kits require genesis.env to be set, we do so as part
    ๐Ÿ”€ of the manifest merge.

    ๐Ÿ› Bug Fixes

    ๐Ÿ›  Fix kit version lookup on unsaved new environments

    Fix expanded path in GENESIS_CALLBACK_BIN

    If the genesis binary invoked involved a symlink in the path, then the
    ๐Ÿ›  binary reference would have the full path. This fixes that.