Re: SSL termination for private domains


Shannon Coen

Mike,

What if the way the gorouters were configured with user-provided certs was
a point of extension that could also be used to configure your FLB?

How often do you have to manage certs on your LB? Is this of low value?

Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.

On Tue, Sep 20, 2016 at 12:43 PM, Mike Youngstrom <youngm(a)gmail.com> wrote:

For us we handle all SSL termination in our FLB (Frontend Load Balancer).
If a customer adds a custom domain then my team needs to add a VIP and
associated cert for that domain. This is something I don't think CF could
do for us because we are using our FLB. So, FWIW this isn't a feature we
would use since we use our FLB to manage this instead.

Mike

On Mon, Sep 19, 2016 at 11:25 PM, Shannon Coen <scoen(a)pivotal.io> wrote:

Some time ago I sketched out an epic to add support for multiple certs to
gorouter, configured via BOSH manifest property, but these stories have
languished in the icebox while we've addressed more urgent work.

I would like to hear from the community whether an operator managed
feature would be of value, as it would be relatively cheap.

I have also heard requests for user self-service management of certs for
private domains, as Carlo described. This would be a much more complex
feature to deliver, but I can certainly see the value.

Tell me about the pain of managing TLS certificates. How are you dealing
with this today? Which of these approaches would be more helpful in
enabling your developers? Which of these features would you be more
disappointed to hear would not be delivered?

Thank you!

Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.

On Mon, Sep 19, 2016 at 6:11 PM, Carlo Alberto Ferraris <carlo.ferraris(a)rakuten.com> wrote:

I have a question about the SSL termination epic[1], whose goal IIUC is
to provide the ability for operators to have multiple TLS certificates: it
seems only shared domains are being considered (because the stories talk
about *operators* setting up multiple certs); are there no plans for
private domains? Put otherwise: are there plans for allowing *users* to
provide the cert for a domain they registered in their org?

[1] https://www.pivotaltracker.com/epic/show/2135866

(I originally posted the question on slack but got no reply, so
crossposting here)

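The feature the thread is circling (one router terminating TLS for a shared domain plus separately provided certs for private domains) comes down to choosing a certificate by the SNI name in the ClientHello. The Go program below is an added illustration of that selection logic, written for this page; it is not gorouter code and it does not reproduce the BOSH manifest property from the epic. The domain names, the self-signed certificates and the CertStore type are constructed for the example: a real router would load operator or user supplied PEM instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for the given DNS names.
// Constructed test data only; a deployment would load PEM files, not mint certs.
func selfSigned(dnsNames ...string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	// Leaf is set explicitly so Add can read the SAN list without re-parsing.
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// CertStore maps lower-cased DNS names (exact, or "*.example.com" for a
// wildcard) to certificates. It is a hypothetical type for this example.
type CertStore struct {
	byName   map[string]*tls.Certificate
	fallback *tls.Certificate
}

// NewCertStore registers the operator's fallback cert (typically the one for
// the shared domain) and serves it whenever no better match exists.
func NewCertStore(fallback *tls.Certificate) *CertStore {
	s := &CertStore{byName: map[string]*tls.Certificate{}, fallback: fallback}
	s.Add(fallback)
	return s
}

// Add indexes cert under every DNS name in its leaf SAN list.
func (s *CertStore) Add(cert *tls.Certificate) {
	for _, n := range cert.Leaf.DNSNames {
		s.byName[strings.ToLower(n)] = cert
	}
}

// Lookup returns the certificate for an SNI name. An exact name wins over a
// wildcard covering exactly one left-most label (RFC 6125 style); anything
// else, including the empty SNI of old clients, gets the fallback, so an
// unknown hostname never receives a private-domain certificate.
func (s *CertStore) Lookup(serverName string) *tls.Certificate {
	name := strings.ToLower(strings.TrimSuffix(serverName, "."))
	if c, ok := s.byName[name]; ok {
		return c
	}
	if i := strings.IndexByte(name, '.'); i > 0 {
		if c, ok := s.byName["*"+name[i:]]; ok {
			return c
		}
	}
	return s.fallback
}

// GetCertificate adapts Lookup to the tls.Config.GetCertificate callback.
func (s *CertStore) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	return s.Lookup(hello.ServerName), nil
}

func main() {
	shared, _ := selfSigned("*.cfapps.example.com")   // operator cert, shared domain
	private, _ := selfSigned("www.customer.example") // user cert, private domain
	store := NewCertStore(&shared)
	store.Add(&private)
	cfg := &tls.Config{GetCertificate: store.GetCertificate, MinVersion: tls.VersionTLS12}
	_ = cfg // hand this to tls.NewListener / http.Server in a real router
	for _, sni := range []string{"app.cfapps.example.com", "www.customer.example", "other.example", ""} {
		fmt.Printf("%-26q -> %s\n", sni, store.Lookup(sni).Leaf.DNSNames[0])
	}
}
```

Two points the lookup alone does not settle, and which are the hard part of the self-service variant discussed above: the router must be told which org owns which private domain before it accepts a user's cert for that name, otherwise a user could register a cert that shadows a hostname under the shared domain; and a deployment that terminates TLS at a frontend load balancer, as Mike describes, has to keep that balancer's cert set in step with whatever the platform knows about, since the balancer is what clients actually see.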