Re: SSL termination for private domains

Home Messages Hashtags Subgroups

#5739

Re: SSL termination for private domains

Mike Youngstrom <youngm@...> #5739 An extension point would be more useful than something that only worked on the gorouters. Another thing that mitigates our need for this feature is that most all of our organization's applications (CF deployed or not) use one of 2 main wildcard domains. Use of domains outside these 2 are rare. We built a custom iteration with our DNS solution and CF that looks for new CF routes using one of those 2 domains and automatically add a dns entry (if not already taken) pointing to shared VIPs on our FLB that have a matching wildcard cert already configured. That allows us to add those 2 domains as CF shared domains that anyone can create routes for. Even though the domains are not dedicated to CF. I suppose that would be another reason why this isn't currently a major pain point for my users. Mike toggle quoted messageShow quoted text On Tue, Sep 20, 2016 at 3:54 PM, Shannon Coen <scoen(a)pivotal.io> wrote: Mike, What if the way the gorouters were configured with user-provided certs was a point of extension that could also be used to configure your FLB? How often do you have to manage certs on your LB? Is this of low value? Shannon Coen Product Manager, Cloud Foundry Pivotal, Inc. On Tue, Sep 20, 2016 at 12:43 PM, Mike Youngstrom <youngm(a)gmail.com> wrote: For us we handle all ssl termination in our FLB (Frontend Load Balancer). If a customer adds a custom domain then my team needs to add a vip and associated cert for that domain. This is something I don't think CF could do for us because we are using our FLB. So, FWIW this isn't a feature we would use since we use or FLB to manage this instead. Mike On Mon, Sep 19, 2016 at 11:25 PM, Shannon Coen <scoen(a)pivotal.io> wrote: Some time ago I sketched out an epic to add support for multiple certs to gorouter, configured via BOSH manifest property, but these stories have languished in the icebox while we've addressed more urgent work. I would like to hear from the community whether an operator managed feature would be of value, as it would be relatively cheap. I have also heard requests for user self-service management of certs for private domains, as Carlo described. This would be a much more complex feature to deliver, but I can certainly see the value. Tell me about the pain of managing TLS certificates. How are you dealing with this today? Which of these approaches would be more helpful in enabling your developers? Which of these features would you be more disappointed to hear would not be delivered? Thank you! Shannon Coen Product Manager, Cloud Foundry Pivotal, Inc. On Mon, Sep 19, 2016 at 6:11 PM, Carlo Alberto Ferraris < carlo.ferraris(a)rakuten.com> wrote: I have a question about the SSL termination epic[1], whose goal IIUC is to provide the ability for operators to have multiple TLS certificates: it seems only shared domains are being considered (because the stories talk about operators setting up multiple certs); are there no plans for private domains? Put otherwise: are there plans for allowing users to provide the cert for a domain they registered in their org? [1] https://www.pivotaltracker.com/epic/show/2135866 (I originally posted the question on slack but got no reply, so crossposting here) attachment.html
More All Messages By This Member

View All 16 Messages In Topic

#5739

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.

Home Hashtags Subgroups Terms