Scheduler Release Notes

This topic contains release notes for Scheduler v1.5.0.

Releases

v1.5.0

Release Date: March 15, 2021

  • [Security Fix] Updated dependencies to mitigate CVE
  • [Bug Fix] Bump Go to 1.16 (see Breaking Changes below)
  • [Bug Fix] Scheduler could exhaust available RAM when there was a large amount of history. Scheduler now paginates through history instead.
  • [Bug Fix] Service keys can be deleted. In v1.4.0, attempting to delete a service key returned an error.

Breaking Changes in Scheduler v1.5.0

X.509 Certificates

Scheduler v1.5.0 bumps Go to 1.16. This version of Go changes the treatment of X.509 certificates. This applies to the scheduler-broker application and the scheduler cf CLI plugin.

The CommonName field on certificates will not be treated as a hostname when no Subject Alternative Names are present.

Refer to the Go 1.16 release notes for further details of other changes to treatment of certificates.

TLS Termination

Before upgrading, verify that the system domain for Tanzu Application Service is terminating TLS with a certificate that includes a Subject Alternative Name (SAN) for domains under the system domain.

  • For example, if your system domain is configured as sys.example.com, verify that the certificate presented by api.sys.example.com includes a SAN for api.sys.example.com or a wildcard *.sys.example.com.
  • The login.sys.example.com and scheduler.sys.example.com endpoints should also present certificates that include a SAN for these subdomains. These can be covered by the same wildcard.

If your configured certificates do not include a SAN for these domains, you must regenerate the certificates. If you attempt to upgrade to Scheduler v1.5.0 without regenerating the certificates, you see an error similar to the following in the scheduler service broker logs:

http: panic serving 192.0.2.2:41122: Post "https://login.example.com/check_token": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

This change impacts the Scheduler cf CLI plugin shipped in this release. If the certificates do not include a SAN, the cf CLI produces an error similar to the following:

Get "https://scheduler.example.com/jobs?page=1&space_guid=d7759aae-22da-440c-aac8-1bdb0d58ff51": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

For both cases, check that your certificates include SANs for these domains.
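
The following Go sketch is an added example, not part of Scheduler, that shows the SAN check described above. The uncoveredHosts, selfSigned and check names are hypothetical, and the certificates are constructed in memory; for a real check, parse the certificate your endpoint presents instead.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// uncoveredHosts lists hosts lacking a matching SAN; VerifyHostname never falls back to the Common Name.
func uncoveredHosts(cert *x509.Certificate, hosts []string) []string {
	var missing []string
	for _, h := range hosts {
		if err := cert.VerifyHostname(h); err != nil {
			missing = append(missing, h)
		}
	}
	return missing
}

// selfSigned builds a throwaway certificate (constructed sample input, not a real one).
func selfSigned(cn string, sans ...string) *x509.Certificate {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		DNSNames: sans, // empty means the certificate has no SAN extension
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	hosts := []string{"api.sys.example.com", "login.sys.example.com", "scheduler.sys.example.com"}
	fmt.Println("CN only:", uncoveredHosts(selfSigned("*.sys.example.com"), hosts))
	fmt.Println("wildcard SAN:", uncoveredHosts(selfSigned("sys.example.com", "*.sys.example.com"), hosts))
}
```

A certificate that names the wildcard only in its Common Name leaves all three hosts uncovered, while the same wildcard as a SAN covers them all.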

Database TLS connections

Before upgrading to this release, verify that the certificates associated with the MySQL instances that Scheduler is configured to use include Subject Alternative Names (SANs).

For example, if you configure Scheduler with an external Amazon RDS database, confirm that it is presenting a certificate with a SAN. For more information, see Rotating your SSL/TLS certificate.

macOS cf CLI plugin

Scheduler v1.5.0 bumps Go to v1.16. The cf CLI plugin requires macOS 10.12 Sierra or later.
