Upcoming Diego change: enabling TLS communication for the cell rep API

Eric Malm <emalm@...>

Hi, all,

The Diego team has been doing some work in the past few weeks to allow
operators to secure communication with the Diego cell rep API via mutual
TLS, just as we had previously done for communication with the Diego BBS
service. This capability will be present in the next final Diego release
(v0.1488.0).

Because both clients (the BBS and auctioneer) and servers (the cell reps
themselves) are switching security modes, rolling out TLS configuration
without incurring downtime requires some attention. Documentation for BOSH
operators to update an existing Diego deployment on v0.1487.0 or earlier is
available at
https://github.com/cloudfoundry/diego-release/blob/develop/docs/upgrading-secure-cell-rep-api.md,
and the procedure requires two full deploys to disable plain HTTP fully. It is safe
to add the TLS configuration properties for the first deploy to your BOSH
manifest or property-overrides stub file now: the jobs and Diego
manifest-generation script will ignore them until deploying v0.1488.0.

As with the BBS, enabling this security requires generating some X.509
certificate/key pairs and supplying them in the Diego deployment manifest.
The Diego team has updated its TLS documentation at
https://github.com/cloudfoundry/diego-release/blob/develop/docs/tls-configuration.md
to cover these credentials and added a helper script at
https://github.com/cloudfoundry/diego-release/blob/develop/scripts/generate-rep-certs
to make generating them as easy as possible.

To preserve backwards compatibility, the default is to remain on plain HTTP
communication when upgrading to v0.1488.0. It is possible to switch to TLS
communication after that upgrade, but to avoid downtime that switch
requires three separate deploy steps to update both clients and servers
seamlessly. Consequently, we recommend that operators of existing
deployments update now to avoid this additional complexity later.

We will of course also refer to these resources in the GitHub release notes
for v0.1488.0 when they are published.

Finally, the Diego team will be doing similar work to secure communication
to the Diego auctioneer soon, and will provide similar tooling and guidance
for enabling that security without downtime.

As always, please let us know if you have questions, and don't hesitate to
stop by the #diego channel on the CF OSS Slack!

Thanks,
Eric Malm, CF Runtime Diego PM
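The mutual-TLS model the announcement describes, as an added example written for this post (it is not code from diego-release or its generate-rep-certs script): it builds a throwaway CA plus a server and a client leaf certificate in memory, starts a rep-like HTTPS server that requires a client certificate chaining to that CA, and shows that a BBS-like caller without a certificate is refused. The names diego-ca, cell-rep and bbs-client, the /state path, and the RepPKI, NewRepPKI, StartRep and Call helpers are assumptions for illustration; a real deployment supplies the certificates through the BOSH manifest as the linked documentation describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// RepPKI is a constructed in-memory stand-in for the CA, cell-rep server
// certificate and BBS/auctioneer client certificate an operator would supply.
type RepPKI struct {
	CAPool *x509.CertPool
	Server tls.Certificate
	Client tls.Certificate
}

// issue generates a P-256 key and a certificate for tmpl; with parent == nil the
// certificate is self-signed (the CA). Generation is in-memory, so it panics on error.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

// NewRepPKI builds the throwaway CA and the two leaf certificates (hypothetical names).
func NewRepPKI() *RepPKI {
	now := time.Now()
	tmpl := func(serial int64, cn string, eku x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{eku},
		}
	}
	ca := tmpl(1, "diego-ca", x509.ExtKeyUsageAny)
	ca.IsCA, ca.BasicConstraintsValid, ca.KeyUsage = true, true, x509.KeyUsageCertSign
	_, caCert, caKey := issue(ca, nil, nil)
	srvTmpl := tmpl(2, "cell-rep", x509.ExtKeyUsageServerAuth)
	srvTmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)} // SAN the client verifies
	server, _, _ := issue(srvTmpl, caCert, caKey)
	client, _, _ := issue(tmpl(3, "bbs-client", x509.ExtKeyUsageClientAuth), caCert, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return &RepPKI{CAPool: pool, Server: server, Client: client}
}

// StartRep starts a TLS-only server that, like a rep in TLS mode, rejects any
// client whose certificate does not chain to the CA.
func StartRep(pki *RepPKI) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// RequireAndVerifyClientCert guarantees PeerCertificates is non-empty here.
		io.WriteString(w, "hello "+r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{pki.Server},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pki.CAPool,
		MinVersion:   tls.VersionTLS12,
	}
	srv.StartTLS()
	return srv
}

// Call plays the BBS/auctioneer side: it trusts only the CA and, when
// clientCert is non-nil, presents it during the handshake.
func Call(srv *httptest.Server, pki *RepPKI, clientCert *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: pki.CAPool, MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := c.Get(srv.URL + "/state")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}
```

Calling `Call(srv, pki, &pki.Client)` returns "hello bbs-client", while `Call(srv, pki, nil)` fails because the server refuses the handshake of a peer that presents no certificate; that refusal is exactly why the rollout in the post has to move clients and servers in separate deploy steps rather than flipping both sides at once.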
