community feedback on removing non-encrypted support from consul-release

Amit Kumar Gupta

Hey all!

The BOSH release of consul maintained by the core CF team [1] currently
supports both encrypted and unencrypted modes of operation. "encrypted"
means that all server-to-server and client-to-server is encrypted and
mutually authenticated via TLS, and all gossip traffic is encrypted using
an encryption key. "unencrypted" means none of the above.

We'd like to remove support for the non-encrypted mode of operation. All
production environments should be operating in encrypted mode, and all
production environments we know of do indeed. This should not affect the
developer workflow, as the BOSH-Lite tooling for the primary consumers of
consul-release (namely cf-release and diego-release) have built-in
self-signed certs.

We will continue to provide documentation and tooling to make it easy to
generate the right certs/keys for operating consul-release in encrypted

Does anyone have concerns about this proposal?

Amit, CF Infrastructure team PM

Join { to automatically receive all group messages.