Re: SSL termination for private domains


Mike Youngstrom <youngm@...>
 

An extension point would be more useful than something that only worked on
the gorouters.

Another thing that mitigates our need for this feature is that most all of
our organization's applications (CF deployed or not) use one of 2 main
wildcard domains. Use of domains outside these 2 is rare.

We built a custom integration with our DNS solution and CF that looks for new
CF routes using one of those 2 domains and automatically adds a DNS entry
(if not already taken) pointing to shared VIPs on our FLB that have a
matching wildcard cert already configured. That allows us to add those 2
domains as CF shared domains that anyone can create routes for, even
though the domains are not dedicated to CF.

I suppose that would be another reason why this isn't currently a major
pain point for my users.

Mike

On Tue, Sep 20, 2016 at 3:54 PM, Shannon Coen <scoen(a)pivotal.io> wrote:

Mike,

What if the way the gorouters were configured with user-provided certs was
a point of extension that could also be used to configure your FLB?

How often do you have to manage certs on your LB? Is this of low value?

Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.

On Tue, Sep 20, 2016 at 12:43 PM, Mike Youngstrom <youngm(a)gmail.com>
wrote:

For us we handle all SSL termination in our FLB (Frontend Load
Balancer). If a customer adds a custom domain then my team needs to add a
VIP and associated cert for that domain. This is something I don't think
CF could do for us because we are using our FLB. So, FWIW this isn't a
feature we would use since we use our FLB to manage this instead.

Mike

On Mon, Sep 19, 2016 at 11:25 PM, Shannon Coen <scoen(a)pivotal.io> wrote:

Some time ago I sketched out an epic to add support for multiple certs
to gorouter, configured via BOSH manifest property, but these stories have
languished in the icebox while we've addressed more urgent work.

I would like to hear from the community whether an operator-managed
feature would be of value, as it would be relatively cheap.

I have also heard requests for user self-service management of certs for
private domains, as Carlo described. This would be a much more complex
feature to deliver, but I can certainly see the value.

Tell me about the pain of managing TLS certificates. How are you dealing
with this today? Which of these approaches would be more helpful in
enabling your developers? Which of these features would you be more
disappointed to hear would not be delivered?

Thank you!

Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.

On Mon, Sep 19, 2016 at 6:11 PM, Carlo Alberto Ferraris <
carlo.ferraris(a)rakuten.com> wrote:

I have a question about the SSL termination epic[1], whose goal IIUC is
to provide the ability for operators to have multiple TLS certificates: it
seems only shared domains are being considered (because the stories talk
about *operators* setting up multiple certs); are there no plans for
private domains? Put otherwise: are there plans for allowing *users* to
provide the cert for a domain they registered in their org?

[1] https://www.pivotaltracker.com/epic/show/2135866

(I originally posted the question on slack but got no reply, so
crossposting here)
