This topic describes the changes in this minor release of Tanzu Cloud Service Broker for GCP.
v1.7.1
Release Date: January 3, 2025
Resolved Issues
- CredHub Certificate Validation Not Respecting Broker Config:
In the previous version of the Cloud Service Broker (CSB) for GCP (v1.7.0), the broker did not properly pick up the CA certificate specified in its configuration when communicating with CredHub. This forced operators to rely on the Ops Manager root CA being installed at the operating system (OS) level on the BOSH-managed VM, to avoid causing a “certificate signed by unknown authority” error for CredHub-bound credentials.
Resolution:
- Certificate Loading from Config: The broker now correctly reads the ca_cert from the configuration file and uses it to validate CredHub’s certificate.
- Eliminates Manual OS-Level CA Injection: You are no longer required to embed the Ops Manager CA certificate at the OS level for the broker to establish a trusted TLS connection with CredHub.
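The difference between the two trust paths can be reproduced with Go's crypto/x509, which produces the error text quoted above. This is an added example, not the broker's code: the helper names, host name, and certificates are constructed for illustration, and an empty pool stands in for an OS trust store that lacks the private CA.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates a constructed test certificate; a nil parent means self-signed.
func issue(cn string, ku x509.KeyUsage, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: ku}
	if parent == nil {
		parent, signer = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyServer validates cert for host against only the CAs in caPEM (the configured ca_cert).
func verifyServer(cert *x509.Certificate, host string, caPEM []byte) error {
	pool := x509.NewCertPool()
	if len(caPEM) > 0 && !pool.AppendCertsFromPEM(caPEM) {
		return errors.New("ca_cert: no PEM certificate found")
	}
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err
}

func main() {
	ca, caKey := issue("private-ca.example", x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature, nil, nil)
	leaf, _ := issue("credhub.example.internal", x509.KeyUsageDigitalSignature, ca, caKey)
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
	fmt.Println("without ca_cert:", verifyServer(leaf, leaf.DNSNames[0], nil))
	fmt.Println("with ca_cert:   ", verifyServer(leaf, leaf.DNSNames[0], caPEM))
}
```

A ca_cert value that contains no parsable PEM certificate is rejected outright rather than silently falling back to an empty pool.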
v1.7.0
Release Date: November 27, 2024
Breaking Changes
- Retirement of Beta GCP Services: The following services are no longer available starting in this release:
- csb-gcp-spanner
- csb-gcp-redis
- csb-gcp-stackdriver-trace
- csb-gcp-bigquery
You must delete all instances of these services before upgrading to this version.
- Deploy-all errand no longer exists: The deploy-all errand has been removed from Cloud Service Broker for GCP. Previously, this errand was used to deploy the broker. Now, the broker is a BOSH-managed virtual machine and is deployed as part of the main job within the BOSH deployment lifecycle.
- You cannot upgrade the service broker if service instances are not up-to-date: A step in the installation phase stops the process if there are any outdated instances.
The Cloud Service Broker will not start if there are any instances that are not upgraded. For these reasons, verify that there are no service instances pending upgrade before staging the new version of the tile.
You can see whether there are instances with a pending upgrade by using the CLI plug-in. For more information, see Verify that all instances are up to date with the CLI plug-in.
Features
Transition to BOSH-Managed Cloud Service Broker:
The Cloud Service Broker runs as a BOSH-managed virtual machine, not as a Cloud Foundry application as in prior releases. This upgrade leverages the benefits of BOSH, including enhanced deployment lifecycle management, high availability, and drain operations during upgrades.
Action Required:
- Update Resource Config:
- Adjust the resource config settings to accommodate the resources for the virtual machine deployment of the Cloud Service Broker.
- Select the number of instances for the broker VMs based on your HA requirements in the Resource Config section.
Cloud Service Broker Post-Deploy BOSH Errands:
This release integrates several Cloud Service Broker operational actions into new BOSH errands, which are executed during the post-deploy lifecycle.
Action Required:
- Ensure that the new errands (the upgrade operation for all service instances, register broker, and delete app-based Cloud Service Broker) are enabled and configured for your environment. Otherwise, the broker will not be able to manage service instances. This is the default behavior for installations.
- Update Resource Config:
- Adjust the resource config settings to accommodate the resources for the new errands.
Feature Toggle: Enable CF Sharing:
This release introduces a new feature toggle that allows enabling or disabling sharing a service instance between spaces. By default, this feature is enabled.
Enhanced MySQL Server-Level SSL/TLS Enforcement:
MySQL now enforces SSL/TLS encryption not only at the user level but also at the server level. This enhancement ensures that the server only accepts secure connections encrypted with SSL/TLS and validated by client certificates. As a result, the GCP console will indicate that SSL/TLS encryption is enabled when insecure connections are disallowed, further strengthening connection security.
Resolved Issues
Service Instance Creation Stability During Upgrades:
This release resolves an issue where service instances in the process of being created could be left incomplete if the Cloud Service Broker was upgraded or shut down during their creation. Previously, this could result in orphaned resources on your IaaS and service instances marked as failed upon the broker’s next startup.
By adding BOSH drain operations during upgrades and shutdowns, the Cloud Service Broker now allows any in-progress service instance creations to complete before proceeding with the upgrade or shutdown. This enhancement ensures smoother and more reliable operations, preventing incomplete provisioning and resource inconsistencies.
Known Issues
Issue with Service Binding in CSB 1.7.0 when using CredHub:
“Broker Fails to Validate CredHub Certificate”
After upgrading to CSB 1.7.0, binding services to apps throws an exception when attempting to store credentials in CredHub. The broker fails to validate the CredHub server certificate due to a missing Operations Manager CA certificate in the BOSH-managed VM.
Workaround:
To resolve the issue, add the Operations Manager CA certificate to BOSH-managed VMs by setting opsmanager_root_ca_trusted_certs: true in the Director configuration.
To enable this feature:
- Navigate to the BOSH Director Config pane.
- Click Security > Include Tanzu Ops Manager Root CA in Trusted Certs.
- Select the checkbox to place the Tanzu Operations Manager Root CA into the trusted certificate field.
After this option is enabled, the BOSH Director includes the Tanzu Operations Manager Root CA in the trust store of every VM it deploys.