Moving at The Speed of Startup With Pivotal Cloud Foundry 1.11

June 16, 2017 Jared Ruckle

In the world of microservices and cloud-native, customers want more than a partnership with their vendors. They desire a shared fate.

When Pivotal Cloud Foundry customers ship code at the speed of a startup, they win. We heard all about success stories at this week’s CF Summit:

That’s the shared fate: Pivotal’s success is tightly linked to the success of our customers.

We discuss our product roadmaps with customers under this backdrop. Often, customers want to know answers to existential questions like “what’s important to the product team?” More practically, they want a steady drumbeat of new capabilities, and investment in areas they care about. Above all, they want to know how Pivotal Cloud Foundry will help them boost feature velocity and shrink mean time to recovery.

Pivotal Cloud Foundry 1.11 - now GA - shows the outcome of these discussions. The release illustrates the three broad categories of enhancements customers have come to expect from us.

  • Deliver on specific requests. “Bring more Spring Boot Actuators into Pivotal Cloud Foundry.” Check. We’ve integrated the heapdump, trace, and dump endpoints into Apps Manager.
  • Solve the timeless problems for developers. With the new Java Buildpack 4.1, Pivotal has further optimized JVM memory management. Most importantly, we make sure you never have to care about it.
  • Delight with solutions to unmet, unarticulated needs. Most enterprise security pros know that leaked credentials are the culprit behind many corporate breaches. The market is largely silent on how to deal with this problem at scale. Pivotal’s unique approach, CredHub, debuts in Pivotal Cloud Foundry 1.11.

Let’s examine these new features in more detail through the lens of Pivotal Cloud Foundry’s roadmap themes.

  • Meet CredHub, a Secure Place to Manage Credentials
  • Container Networking Goes GA
  • Mount up! NFS v3 Volume Services Goes GA
  • Spring Cloud Data Flow 1.2 for Cloud Native Data
  • New Java Buildpack 4.1 Boosts JVM Memory Management
  • Additional Spring Boot Actuator Integrations Ease Troubleshooting
  • Deeper NSX Integration to Easily Control Access to VMs
  • Use Vault & Multiple Backends for Your Config Data with Spring Cloud Services 1.4
  • New On-Demand Services: MySQL and Redis
  • New Single Sign-On Tile Adds More Automation
  • Support for Azure Managed Disks
  • Support for Private Docker Repositories
  • BOSH Backup & Restore [BETA]
  • Scheduler for PCF Tile [BETA]

Meet CredHub, a Secure Place to Manage Credentials

We've all read about it - a damaging security breach that loses your firm millions, and even lands you on the front page of the Wall Street Journal. This worst-case scenario comes up often in our discussions with customers.

The latest case study is SWIFT. The international banking exchange suffered an attack a few years ago as the Journal recently reported:

One vulnerability exploited at SWIFT was old passwords. Reducing risk from stale credentials is a hard problem to solve. But Pivotal set out to do just that with CredHub.

CredHub is a central point of control for credential generation, storage, lifecycle management, logging and access control. It debuts in Pivotal Cloud Foundry 1.11.

Our goal with this initial launch of CredHub is simple: remove credentials from BOSH deployment manifests. To achieve this, Ops Manager deploys CredHub co-located with the Director VM. 

From there, tile authors can define an authentication variables section in their 1.11 tiles. Credentials will then reside in CredHub. Over the next few weeks, Pivotal’s tile authors will migrate to Credhub in 1.11.x patch releases. Stay tuned!

The ultimate goal of CredHub: to “rotate” credentials often, in line with Pivotal’s 3 R’s cloud-native security vision. In this future state, leaked creds become far less damaging, and less valuable to hackers. This initial bootstrapping of CredHub is an important first step in helping customers run more securely. 
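As an added illustration of the goal stated above (example code written for this post, not part of CredHub, BOSH or Ops Manager), here is a shell check an operator can run over a BOSH deployment manifest before and after migration: it flags credential-looking keys whose values are still literals rather than the ((variable)) placeholders that CredHub resolves. The two manifest fragments are constructed samples, and the key-name heuristic (password, secret, token, key) is an assumption, not a CredHub rule.

```shell
#!/bin/sh
# Scan a BOSH manifest for credential-like keys whose values are literals
# instead of ((variable)) placeholders. Exit status 1 when any are found,
# 0 when the manifest is clean, so it can gate a deploy pipeline.
# Heuristic (assumption): a key counts as a credential if its name contains
# password, secret, token or key. Values may be double-quoted.
find_literal_creds() {
  awk '
    /^[ \t]*#/ { next }                        # whole-line YAML comment
    /^[ \t]*(- )?[A-Za-z0-9_.-]*(password|secret|token|key)[A-Za-z0-9_.-]*:/ {
      value = $0
      sub(/^[^:]*:[ \t]*/, "", value)          # drop the key and separator
      sub(/[ \t]+#.*$/, "", value)             # drop a trailing comment
      sub(/^"/, "", value)                     # unquote a double-quoted value
      sub(/"$/, "", value)
      if (value == "") next                    # nested map, no scalar here
      if (value ~ /^\(\(.*\)\)$/) next         # CredHub placeholder: fine
      printf "%d: %s\n", NR, $0                # report line number and text
      found++
    }
    END { exit found ? 1 : 0 }
  ' "$1"
}

# Constructed sample manifests: $1 still carries a literal secret, $2 is the
# same deployment after the secret moved to a CredHub-managed variable.
write_sample_manifests() {
  cat > "$1" <<'EOF'
instance_groups:
- name: mysql
  jobs:
  - name: mysql
    properties:
      secrets:
        admin_password: s3cr3t-literal   # literal: must move to CredHub
        api_token: "((api_token))"       # placeholder, quoted: fine
        tls_key: ((mysql_tls.private_key))
EOF
  cat > "$2" <<'EOF'
instance_groups:
- name: mysql
  jobs:
  - name: mysql
    properties:
      secrets:
        admin_password: ((mysql_admin_password))
variables:
- name: mysql_admin_password
  type: password
EOF
}
# usage: find_literal_creds deployment.yml
```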


Container Networking Goes GA

Cloud Foundry’s new container networking stack was a beta feature in the 1.10 release. It’s now GA in 1.11. Here’s how this improves your security posture: apps running on Pivotal Cloud Foundry can now directly communicate with each other. Developers can create networking policies for app-to-app interactions. There’s no need for workarounds like whitelisting traffic and using public routes for private apps. Container networking helps you move to a zero-trust model, as we discussed in April.

VMware and NSX administrators will want to revisit how container networking helps enable “developer-ready infrastructure.”

Note that this feature supports the CNI project. As such, container networking is compatible with a variety of overlay plugins. Pivotal Cloud Foundry 1.11 ships with Silk, a new plugin optimized for Cloud Foundry. You are free to choose alternatives like Flannel if you prefer.

Mount up! NFS v3 Volume Services Goes GA

The conventional wisdom says cloud-native apps must be “stateless.” That is, they must have state stored in backing services. It’s true, every greenfield app you write should follow this pattern.

But what about the thousands of apps you have running today that pre-date this guidance? More specifically, those that rely on a file system?

We want Pivotal Cloud Foundry to be a “big tent” - the home for many, many kinds of enterprise apps. Now, there’s better support for these workloads as support for NFS v3 Volume Services matures from beta to GA.

The Cloud Foundry community decided that these apps could benefit from running on a cloud-native platform. Engineering teams from many different companies then went to work, and built the project’s NFS v3 Volume Services feature. 

Learn how your legacy apps can run on Cloud Foundry - read Luke’s post for more.

Spring Cloud Data Flow 1.2 for Cloud Native Data

OK, fine - this open-source project isn’t technically part of the release. But it reflects a top roadmap priority for Pivotal’s engineers: to support streaming and batch data processing.

Our customers are keen to harness the power of data. Enterprises want to build apps around an exploding number of new data sources. And Pivotal wants to make this easy for them. How? By building atop the power of Spring Boot and Cloud Foundry for these use cases!

Spring Cloud Data Flow 1.2 includes several handy orchestration improvements for Spring Cloud Stream (for event-driven streaming) and Spring Cloud Task (for discrete workloads). Read the detailed post at the link below.

What’s next for Spring Cloud Data Flow? We plan to make it even easier for Pivotal Cloud Foundry customers to use it. That means integrating SCDF with the UAA security model and adding it to the Services Marketplace. A "Spring Cloud Data Flow for PCF" tile is coming soon. Stay tuned for the beta!

New Java Buildpack 4.1 Boosts JVM Memory Management

What’s life like for a Java developer who doesn’t use Cloud Foundry? There’s a good chance they’re stuck fiddling with low-level tasks, like setting JVM memory arguments.

Thankfully, the Java buildpack in Cloud Foundry saves you from having to bother with such things!

It gets better. The new Java Buildpack 4.1 takes memory management to a new level. Push your apps with this new buildpack. You’ll notice two things:

  • Improved JVM memory calculation, resulting in fewer app terminations.

  • Improved JVM out-of-memory behavior. JVM terminal failures now write useful troubleshooting data to the logs: a histogram of the heap.

What’s more, the new buildpack simplifies memory calculator configuration; it uses standard Java memory flags.

Quite simply, the new buildpack is the most elegant way to tackle the thorny issue of Java memory management on a cloud-native platform. It helps your container use as much memory as possible, but not one iota more.

Our own Ben Hale wrote an excellent deep-dive on the technical attributes of the new buildpack. 

Try it out today - it's included with your Pivotal Cloud Foundry subscription and available from Pivotal Network.

Note: the Java Buildpack 4.1 doesn’t ship as the default version in Pivotal Cloud Foundry 1.11. But it will be the default in the future.

Additional Spring Boot Actuator Integrations Ease Troubleshooting

Spring Boot is a Java developer's best friend. Why? It favors convention over configuration, giving the developer many modern architectural features “for free.” Spring Boot helps you quickly build web apps suitable for the cloud. 

To make Pivotal Cloud Foundry the best place to run Spring apps, we’ve added new Spring Boot Actuator integrations. Developers can now see vital troubleshooting information in context. The new actuator endpoints in Apps Manager are:

  • heapdump. View a snapshot of the memory for a Java process.

  • trace. View status and header information for HTTP requests.

  • dump. Find out what every thread in the JVM is doing at a particular point in time. You can download this report as well. 

View status and header information for HTTP requests in Apps Manager via the “trace” Spring Boot Actuator integration.

We released the first wave of Actuator endpoints in Pivotal Cloud Foundry 1.9 (info, health, loggers). With heapdump, trace, and dump, there’s now a total of 6 endpoints tightly (and securely!) integrated into the product.

Read more about integrations with Spring Boot Actuators in this tutorial.

Deeper NSX Integration to Easily Control Access to VMs

Operations Manager offers deeper integration with NSX in this release. Use new API endpoints to configure NSX security groups with the virtual machines running Cloud Foundry. Now, operators can manage access to VMs at a more granular level in four easy steps.

Fire up the vSphere console, then:

  1. Define a security group.

  2. Apply this security group to the desired VMs in your Cloud Foundry installation.

  3. Define the firewall rule(s) for these VMs.

  4. Associate the firewall rules with the security group. The firewall rules now apply to the VMs associated with the security group.

This makes it easier to apply corporate networking policies to your cloud-native apps and the platform that runs them. Dig into this engineering blog post if you’re curious about the underlying tech:

Use Vault & Multiple Backends for Your Config Data with Spring Cloud Services 1.4

As Pivotal Cloud Foundry and Spring adoption grows, engineering teams have more sophisticated microservices requirements. Operators want secure storage of sensitive information like credentials and API keys. And developers want access and control over less sensitive application specific configuration.

With Spring Cloud Services 1.4, product teams can now use HashiCorp Vault and Git together as backends for Config Server. Vault is a popular open source project for managing access to secrets and storing them securely. Git continues to be a popular repository tool for developers that can be used to quickly manipulate configuration data such as feature flags and environment specific variables. Now your teams can use the right repository for the job.

Learn how to use these new features in this overview of Spring Cloud Services 1.4.

New On-Demand Services: MySQL and Redis

Two new on-demand data services are available for download: MySQL and Redis. Both products are written with the on-demand services SDK. Developers provision isolated instances via self-service. Operators can define plans, configure upgrade rules, and set quotas too.

Now there are four on-demand data services from Pivotal: MySQL, Redis, Rabbit, and Pivotal Cloud Cache. These services are all deeply integrated with Pivotal Cloud Foundry and give you uniform operations across any cloud.

Want to know more about the new MySQL tile? Watch this webinar and read the docs. Learn more about on-demand Redis at this upcoming webinar.

New Single Sign-On Tile Adds More Automation

The new Single Sign-On tile boosts developer productivity while automating more ops tasks.

Developers can now specify client and resource configurations in the application manifest. Before, you had to take extra steps to configure this through the user interface. This feature eases on-boarding, and automates the integration of your apps and SSO.

For operators: you can now federate with Google through OpenID Connect. Configure OpenID Connect and LDAP integrations via a new user interface. There's also a UI to help you administer the SSO service plans of each user.

Operators can also use "Required User Groups" to specify authentication filters per application. This restricts which users can access your applications within SSO.

Support for Azure Managed Disks

How can deployment of Pivotal Cloud Foundry get any easier on Microsoft Azure? There’s already a useful template from the Azure Marketplace, with baked-in best practices. And the Pivotal Cloud Foundry on Azure reference architecture offers practical guidelines for operators.

Pivotal Cloud Foundry 1.11 goes further, with support for Azure Managed Disks! Now, when you deploy the platform on Managed Disks, you don’t need to create storage accounts ahead of your deployment. And you don’t need to worry about adding storage capacity as your Pivotal Cloud Foundry footprint expands. Managed Disks does it for you.

Support for Private Docker Repositories

Cloud Foundry supports running containers you've already built. This is important, because you may have existing processes and workflows that produce containers as an output. What about container images hosted in access-controlled repos? Now you can bring them to Pivotal Cloud Foundry! 

When using the image, the developer can supply repository location and credentials to access said image. The feature is tightly integrated with Cloud Foundry. Append your cf push command like so:

cf push --docker-image <my-private-registry:5000/image/name:v2> --docker-username <username>

From there, the platform works its magic!

NOTE: If the environment variable CF_DOCKER_PASSWORD is not set, you will be prompted to enter the password.

BOSH Backup & Restore [BETA]

Responsible IT teams are always thinking about the bad things that can happen, from a data corruption to the complete loss of a data center. Responsible vendors think about it too. Pivotal’s approach to this in the past has been CFOps, an automation utility.

A few months back, it was clear we needed a better solution for our customers. Their Pivotal Cloud Foundry deployments are growing in complexity, and the platform itself is becoming more and more capable.

Our engineers have re-mastered the backup and restore workflow with a new beta feature in Pivotal Cloud Foundry 1.11 - BOSH Backup and Restore, or BBR for short.

BBR is a new BOSH extension to back up and restore BOSH deployments and BOSH Directors. Operators will use BBR to back up supported BOSH releases they have deployed.

This takes the idea of CFOps, and turns it on its head somewhat. It’s an approach that’s engineered with distributed systems in mind. Let’s review a few ways in which BBR offers customers advantages.

  • It’s more flexible. BBR works for any deployment or BOSH director that implements backup / restore. CFOps only supports Elastic Runtime and Operations Manager.

  • Decentralized responsibility. CFOps was the single source for backup/restore logic. Now, BOSH release authors control their own logic. This places ownership where it belongs, within the release itself.

  • It supports on-demand instances. Easily restore on-demand instances of Rabbit, Redis, and many other tiles that are BOSH-deployed. (The data for each instance is restored as each service implements its backup and restore script, per the previous bullet.) 

The BOSH Backup and Restore beta supports these releases:

  • BOSH Director

  • Credhub

  • UAA (postgres)

  • Elastic Runtime

Support for open source Cloud Foundry and data services is coming soon. Want to learn more, or participate in our beta program? Contact us today!

Scheduler for PCF Tile [BETA]

Tasks - recently introduced into Pivotal Cloud Foundry - help developers contend with one-off jobs. As it happens, these ad hoc jobs often need to be done at regular intervals.

Scheduler for PCF, released as a public beta recently, adds automation to Tasks. It’s cron for Pivotal Cloud Foundry.

Today, many developers still use an aging batch scheduling product. Common use cases include performing nightly updates to e-commerce sites, or backing up databases. Now Scheduler for PCF gives developers a flexible enterprise scheduler that easily integrates with their modern apps.

Scheduler for PCF tackles scheduling for any cf-deployed application. It’s also handy for scheduling and executing Spring Batch or Spring Cloud Task microservices.

Re-kindle Your Competitive Advantage in the Age of Software

Big companies often have decades of experience in their industry. Imagine what they’ll do when they figure out how to be great at software. With Pivotal Cloud Foundry 1.11, that path to new industry leadership via software gets a little easier.

Read the full documentation below, and start capitalizing on your new competitive advantage!


About the Author

Jared Ruckle

Jared works in product marketing at VMware.
