How to change NATS Protocol property to 'TLS only' in TPCF v6 version.

Article ID: 417457

Products

VMware Tanzu Platform - Cloud Foundry

Issue/Introduction

There is a breaking change in TPCF (Tanzu Platform for Cloud Foundry): the NATS message bus is TLS only.


Why Should I Be Concerned About This Change?
This completes a multi-stage deploy updating all NATS clients and servers to TLS only.

Starting in VMware Tanzu Platform for Cloud Foundry v10.0.0, the NATS Protocol property in the Networking tab defaulted to TLS only. This property is removed in VMware Tanzu Platform for Cloud Foundry v10.2.0, and NATS will always be TLS only. This means each ‘nats’ VM will now run only the nats-tls BOSH job.

How Can I Tell If I’m Affected?
This change affects all foundations.

What Should I Do About It?
Before upgrading to VMware Tanzu Platform for Cloud Foundry v10.2 or higher, the NATS Protocol property must be TLS only. To update this property in 10.0, in the Networking tab set the NATS Protocol property to be TLS only. To update this property in 6.0, set the .properties.nats_enabled_endpoints property to be https via the OM CLI and API.

If this property is not set to TLS only, then the following error will occur when you stage the 10.2+ tile:

Non-encrypted NATS is not supported in 10.2.x+.
You must update the 'NATS Protocol' property in the 'Networking' tab to 'TLS only' before upgrading to 10.2.x+. This property is removed in 10.2.0.

What should I do if I upgrade TPCF directly from v6 to v10.2 bypassing v10.0?

As mentioned above, in v10.0 the NATS Protocol property in the Networking tab defaults to TLS only, and users can select the desired option there.

However, this property is not displayed or configurable in the Ops Manager UI for TPCF v6. Therefore, you will have to use the API to change the NATS Protocol property to TLS only if your upgrade path goes from v6 to v10.2, bypassing v10.0.

This article provides step-by-step instructions on how to change the NATS Protocol property to TLS only in TPCF v6.

Resolution

Please validate the following procedure in your test environment before performing it in your production environment.

1. Refer to Using the Tanzu Operations Manager API to access the Tanzu Operations Manager API and retrieve the access token.

2. Retrieve the TPCF product guid.

Refer to All deployed products if you need more information about this API endpoint usage.

$ curl https://YOUR-OPS-MANAGER-FQDN/api/v0/deployed/products -H "Content-Type: application/json" \
        -H "Authorization: bearer $access_token" -k | jq '.' | grep "cf-"

Expected outputs:

    "installation_name": "cf-SOME-GUID",
    "guid": "cf-SOME-GUID",

3. Review the current value for .properties.nats_enabled_endpoints.

Refer to Getting A staged product's properties if you need more information about this API endpoint usage.

$ curl https://YOUR-OPS-MANAGER-FQDN/api/v0/staged/products/cf-SOME-GUID/properties -H "Content-Type: application/json"  \
       -H "Authorization: bearer $access_token" -k  | jq '.properties' | grep -A 6 nats_enabled_endpoints

Expected outputs:

  ".properties.nats_enabled_endpoints": {
    "type": "selector",
    "configurable": true,
    "credential": false,
    "value": "https_and_http",
    "optional": false,
    "selected_option": "https_and_http"

4. Update the value to https.

Refer to Updating A staged product's properties if you need more information about this API endpoint usage. 

$ curl https://YOUR-OPS-MANAGER-FQDN/api/v0/staged/products/cf-SOME-GUID/properties \
	-X PUT -H "Content-type: application/json" \
	-d '{"properties": {".properties.nats_enabled_endpoints": {"value": "https"}}}' \
	-H "Authorization: bearer $access_token" -k

Expected outputs:

{} means the API PUT request was completed successfully

{}

5. Confirm the value now has been changed to https.

$ curl https://YOUR-OPS-MANAGER-FQDN/api/v0/staged/products/cf-SOME-GUID/properties -H "Content-Type: application/json" \
      -H "Authorization: bearer $access_token" -k  | jq '.properties' | grep -A 6 nats_enabled_endpoints

Expected outputs:

  ".properties.nats_enabled_endpoints": {
    "type": "selector",
    "configurable": true,
    "credential": false,
    "value": "https",
    "optional": false,
    "selected_option": "https"

6. In the Ops Manager UI, click REVIEW PENDING CHANGES, then click SEE CHANGES for Tanzu Platform for Cloud Foundry. If you see the following change, select Tanzu Platform for Cloud Foundry and proceed with Apply Changes to complete the change.

 instance_groups:
 - name: nats
   jobs:
   - name: nats
     properties:
       nats:
+        disable: true
-        disable: false
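
Review bot: nothing in this hunk confirms that the nats-tls job is untouched; it only shows nats.disable on the nats job of the nats instance group going from false to true. Before applying, check in the same SEE CHANGES view that this is the only NATS-related difference and that no nats-tls property is altered, since after this change nats-tls is the only NATS job left running on these VMs.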
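
Steps 2 to 5 of the procedure can also be run as one idempotent check. This is an added example, not part of the original article or VMware's tooling. It assumes the response shapes shown in the expected outputs and verifies the Ops Manager certificate against a CA file instead of disabling verification with -k; the helper names, the ca_file parameter and the sample responses are constructed for illustration.

```python
import json
import ssl
import urllib.request
PROP = ".properties.nats_enabled_endpoints"  # property name from the article
WANTED = "https"                             # the article's TLS-only value

# Constructed sample responses, shaped like the article's expected outputs.
SAMPLE_PRODUCTS = [{"installation_name": "other-SOME-GUID", "guid": "other-SOME-GUID"},
                   {"installation_name": "cf-SOME-GUID", "guid": "cf-SOME-GUID"}]
SAMPLE_STAGED = {"properties": {PROP: {"type": "selector", "value": "https_and_http"}}}

def find_cf_guid(deployed_products):
    """Step 2: return the one product guid that starts with 'cf-'."""
    guids = [p["guid"] for p in deployed_products if p.get("guid", "").startswith("cf-")]
    if len(guids) != 1:
        raise ValueError(f"expected exactly one cf- product, found {guids}")
    return guids[0]

def nats_value(staged):
    """Steps 3 and 5: read the staged value, failing loudly if it is missing."""
    try:
        return staged["properties"][PROP]["value"]
    except (KeyError, TypeError):
        raise LookupError(f"{PROP} not found in staged properties") from None

def update_body(current):
    """Step 4: the PUT body from the article, or None if already TLS only."""
    return None if current == WANTED else {"properties": {PROP: {"value": WANTED}}}

def call(base, token, path, ca_file, method="GET", body=None):
    """One API call; the server certificate is verified against ca_file."""
    ctx = ssl.create_default_context(cafile=ca_file)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base + path, data=data, method=method, headers={
        "Authorization": f"bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")

def ensure_tls_only(base, token, ca_file):
    """Run steps 2-5 and return (value_before, value_after)."""
    guid = find_cf_guid(call(base, token, "/api/v0/deployed/products", ca_file))
    path = f"/api/v0/staged/products/{guid}/properties"
    before = nats_value(call(base, token, path, ca_file))
    if update_body(before) is not None:
        call(base, token, path, ca_file, "PUT", update_body(before))
    after = nats_value(call(base, token, path, ca_file))
    if after != WANTED:
        raise RuntimeError(f"{PROP} is still {after!r}; do not stage the 10.2+ tile")
    return before, after
```

Call ensure_tls_only("https://YOUR-OPS-MANAGER-FQDN", access_token, "/path/to/ops-manager-ca.pem") from a host that trusts that CA file; the change is only staged, so step 6 is still required to apply it.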