Re: community feedback on removing non-encrypted support from consul-release

Home Messages Hashtags Subgroups

Zach Robinson <zrobinson@...> #1375 I love the idea of secure by default, with simple tooling provided to enable development workflows. If things work well on this release it's probably a good idea to start using a similar pattern throughout. -Zach toggle quoted message Show quoted text On Fri, Feb 5, 2016 at 4:04 PM, Amit Gupta <agupta(a)pivotal.io> wrote: Hey all! The BOSH release of consul maintained by the core CF team [1] currently supports both encrypted and unencrypted modes of operation. "encrypted" means that all server-to-server and client-to-server is encrypted and mutually authenticated via TLS, and all gossip traffic is encrypted using an encryption key. "unencrypted" means none of the above. We'd like to remove support for the non-encrypted mode of operation. All production environments should be operating in encrypted mode, and all production environments we know of do indeed. This should not affect the developer workflow, as the BOSH-Lite tooling for the primary consumers of consul-release (namely cf-release and diego-release) have built-in self-signed certs. We will continue to provide documentation and tooling to make it easy to generate the right certs/keys for operating consul-release in encrypted mode. Does anyone have concerns about this proposal? Thanks, Amit, CF Infrastructure team PM attachment.html attachment.html
More

Join cf-bosh@lists.cloudfoundry.org to automatically receive all group messages.