Re: Consul Encryption in CF v234+


Amit Kumar Gupta
 

Hi Carsten,

That's a good question. We haven't built anything specifically to support
0-downtime for the DEAs, but we have some upcoming changes to make the etcd
used by etcd-metric-server, routing-api, all loggregator components, and
HM9k also switch to TLS. This would affect all the metron agents colocated
on all the VMs, and we're building out a component to support a 0-downtime
transition.

This work is currently in flight:
https://www.pivotaltracker.com/epic/show/2566951

You could apply this concept to consul:

* create a new secure (TLS) consul cluster
* replace the existing consul cluster (don't change the job name or IPs,
just what processes it runs) with an HTTP proxy that proxies requests to
the secure cluster
* roll out the new IPs and TLS credentials to all clients of the consul
cluster
* after that deploy is done, nothing should be talking to the HTTP proxy,
and you can simply delete that job.

Best,
Amit

On Fri, Jun 24, 2016 at 8:46 AM, Long Nguyen <long.nguyen11288(a)gmail.com>
wrote:



Hi there!

We found that if you monit stop all the consul nodes before upgrading and
adding ssl, the deployment should upgrade without any issues.

Thanks,
Long

On June 23, 2016 at 11:56:04 AM, Hiort, Carsten, Springer DE (
carsten.hiort(a)springer.com) wrote:

Hi,

CF v234 enforces the use of SSL for Consul. We are currently wondering if
there is a supposed upgrade path.
When you switch to SSL and the Consul cluster gets upgraded, all machines
that are not yet upgraded will be blind with respect to service discovery/
DNS through Consul. This particularly affects the DEAs, as they are not able
to figure out where to get the droplets from when staging, causing a 500
when cf pushing. I did already try deploying the certs on 231 with
require_ssl=false, but then setting require_ssl true or upgrading to v234+
will still result in this situation.
Any thoughts highly appreciated!


Thanks,

Carsten

---

Carsten Hiort
Platform Engineer
Platform Engineering

SpringerNature
Abraham-Lincoln-Str. 46, 65189 Wiesbaden, Germany
T +49 611 7878665
M +49 175 2965802

carsten.hiort(a)springernature.com
www.springernature.com
