Re: Announcing TLS from Gorouter to app containers: Delivering three important outcomes
Dr Nic Williams <drnicwilliams@...>
From: cf-dev@... <cf-dev@...> on behalf of David Sabeti <dsabeti@...>
Sent: Friday, February 16, 2018 10:08:40 PM
Subject: Re: [cf-dev] Announcing TLS from Gorouter to app containers: Delivering three important outcomes
Congrats! Let me know if/when you want route integrity enabled by default in cf-deployment.
On Fri, Feb 16, 2018 at 6:08 PM Shannon Coen <scoen@...
On behalf of Eric Malm, the CF Diego team, and the CF Routing team, I am thrilled to announce three exciting improvements to Cloud Foundry, rolled up in one big shiny feature, available now using operations file with 1.15.0. If these sound valuable to you, please give it a try and send us your feedback.
security: Gorouter will encrypt traffic to application containers via TLS.
resiliency: Gorouter will ignore the TTL of app routes, keeping your apps available during failures in the routing control plane.
guarantees against misrouting: Gorouter will use the certificate presented in the TLS handshake to validate the identity of application instances before forwarding HTTP requests. Optimizing for availability increases the risk of misrouting, as a healthy Diego will continue recreating containers to keep your apps running and the probability of port reuse is statistically significant.
this without any additional burden on application developers. Cloud Foundry will automatically generate the necessary certificates for each container, rotate them periodically, and use them to transparently terminate TLS for traffic from Gorouter. This effort represents our first integration with Envoy, a feature-rich proxy developed at Lyft and recently contributed to the CNCF, laying a foundation for future polyglot service-mesh features in Cloud Foundry. When the feature is enabled, Cloud Foundry runs an Envoy proxy in each application container for terminating TLS and increases container resource quotas to avoid any impact to the application.
We're currently rolling this feature out on Pivotal Web Services, where we'll watch how the system performs for a bit before making this configuration the default in cf-deployment, eliminating the need for an operations file.
For details and configuration instructions, please see our documentation:
The original proposal for the feature can be found here.
In addition to replying to this announcement, feedback can be provided in the Cloud Foundry team Slack channels #diego and #routing.
Product Manager, Cloud Foundry
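The identity check behind the misrouting guarantee in the quoted announcement, as an added example (Go standard library only; not Gorouter's or Diego's code): a constructed platform CA issues a short-lived certificate whose SAN names one app instance, and the router-side check accepts the backend only when that SAN matches the instance the route table expects and the certificate has not expired. The CA name, the instance names and the issuance helper are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a P-256 key and a certificate from tmpl valid for ttl, self-signed when signer is nil (constructed stand-in for platform issuance).
func issue(tmpl *x509.Certificate, ttl time.Duration, signer *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber, tmpl.NotBefore, tmpl.NotAfter = big.NewInt(1), time.Now().Add(-time.Minute), time.Now().Add(ttl)
	if signer == nil {
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// checkBackend is the router-side decision, the same one crypto/tls makes for a client with ServerName and RootCAs set: chain to the platform CA, unexpired, SAN names the expected instance.
func checkBackend(expected string, presented *x509.Certificate, roots *x509.CertPool, now time.Time) error {
	_, err := presented.Verify(x509.VerifyOptions{DNSName: expected, Roots: roots, CurrentTime: now})
	return err
}

// routeSafe simulates a router expecting `expected` behind a port now answered by a container whose short-lived certificate names `actual`, checked `age` after issuance.
func routeSafe(expected, actual string, age time.Duration) error {
	ca, caKey, err := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "example-platform-ca"}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, 24*time.Hour, nil, nil)
	if err != nil {
		return err
	}
	leaf, _, err := issue(&x509.Certificate{Subject: pkix.Name{CommonName: actual}, DNSNames: []string{actual}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, time.Hour, ca, caKey)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return checkBackend(expected, leaf, roots, time.Now().Add(age))
}
```

A nil result means the request may be forwarded; a certificate naming another instance (the port-reuse case) or one past its rotation window is rejected before any HTTP request is sent.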