Announcing TLS from Gorouter to app containers: Delivering three important outcomes
On behalf of Eric Malm, the CF Diego team, and the CF Routing team, I am thrilled to announce three exciting improvements to Cloud Foundry, rolled up in one big shiny feature, available now using this operations file with cf-deployment 1.15.0. If these sound valuable to you, please give it a try and send us your feedback.
All of this comes without any additional burden on application developers. Cloud Foundry will automatically generate the necessary certificates for each container, rotate them periodically, and use them to transparently terminate TLS for traffic from Gorouter. This effort represents our first integration with Envoy, a feature-rich proxy developed at Lyft and recently contributed to the CNCF, laying a foundation for future Istio-driven polyglot service-mesh features in Cloud Foundry. When the feature is enabled, Cloud Foundry runs an Envoy proxy in each application container to terminate TLS, and increases the container resource quotas so that the proxy does not take resources away from the application.
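To make the "Envoy in each container terminates TLS" design concrete, here is an added illustrative Envoy listener configuration, written for this announcement and not taken from the Diego or Routing teams' actual implementation. It shows the shape of what the sidecar does: listen on a container port with a per-instance certificate, terminate TLS there, and forward plaintext HTTP to the application on the loopback interface. The listener port (61001), the certificate paths under /etc/cf-instance-credentials/, and the application port (8080) are assumptions for the example; the real values are set by the platform, and the certificate files are the ones Cloud Foundry generates and rotates.

```yaml
# Illustrative Envoy (v3 API) sidecar config: TLS termination in front of a local app.
# Not the Cloud Foundry project's own configuration; ports and paths are assumed.
static_resources:
  listeners:
  - name: app_tls_listener
    address:
      socket_address: { address: 0.0.0.0, port_value: 61001 }   # assumed port Gorouter dials
    filter_chains:
    - transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            tls_certificates:
            # Per-instance cert and key generated by the platform (assumed paths).
            # Envoy reloads these when the platform rotates the files.
            - certificate_chain: { filename: "/etc/cf-instance-credentials/instance.crt" }
              private_key:       { filename: "/etc/cf-instance-credentials/instance.key" }
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: app
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: local_app }   # everything goes to the app process
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: local_app
    connect_timeout: 1s
    type: STATIC
    load_assignment:
      cluster_name: local_app
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              # Plaintext hop stays inside the container, so it never crosses the network.
              socket_address: { address: 127.0.0.1, port_value: 8080 }   # assumed app port
```

The point to notice is the trust boundary: the only plaintext hop is from Envoy to the application over loopback inside the same container, while the hop that actually crosses the cell network (Gorouter to the container) is TLS. Because the certificate and key are files the platform owns and rotates, the application itself never touches key material, which is what keeps the feature transparent to developers.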
We're currently rolling this feature out on Pivotal Web Services, where we'll watch how the system performs for a bit before making this configuration the default in cf-deployment, eliminating the need for an operations file.
For details and configuration instructions, please see our documentation:
The original proposal for the feature can be found here.
In addition to replying to this announcement, feedback can be provided in the Cloud Foundry team Slack channels #diego and #routing.
Product Manager, Cloud Foundry