Re: Announcing TLS from Gorouter to app containers: Delivering three important outcomes

Dieu Cao <dcao@...>

Extremely excited to see this great milestone reached! Congrats to the Routing and Diego teams!


On Feb 16, 2018 7:47 PM, "Dr Nic Williams" <drnicwilliams@...> wrote:
Congrats on the work!

From: cf-dev@... <cf-dev@...> on behalf of David Sabeti <dsabeti@...>
Sent: Friday, February 16, 2018 10:08:40 PM
To: cf-dev@...
Subject: Re: [cf-dev] Announcing TLS from Gorouter to app containers: Delivering three important outcomes
Congrats! Let me know if/when you want route integrity enabled by default in cf-deployment.

On Fri, Feb 16, 2018 at 6:08 PM Shannon Coen <scoen@...> wrote:

On behalf of Eric Malm, the CF Diego team, and the CF Routing team, I am thrilled to announce three exciting improvements to Cloud Foundry, rolled up in one big shiny feature, available now using this operations file with cf-deployment 1.15.0. If these sound valuable to you, please give it a try and send us your feedback.

  1. Increased security: Gorouter will encrypt traffic to application containers via TLS.

  2. Increased resiliency: Gorouter will ignore the TTL of app routes, keeping your apps available during failures in the routing control plane.

  3. Increased guarantees against misrouting: Gorouter will use the certificate presented in the TLS handshake to validate the identity of application instances before forwarding HTTP requests. Optimizing for availability increases the risk of misrouting, as a healthy Diego will continue recreating containers to keep your apps running and the probability of port reuse is statistically significant.

All this without any additional burden on application developers. Cloud Foundry will automatically generate the necessary certificates for each container, rotate them periodically, and use them to transparently terminate TLS for traffic from Gorouter. This effort represents our first integration with Envoy, a feature-rich proxy developed at Lyft and recently contributed to the CNCF, laying a foundation for future Istio-driven polyglot service-mesh features in Cloud Foundry. When the feature is enabled, Cloud Foundry runs an Envoy proxy in each application container for terminating TLS and increases container resource quotas to avoid any impact to the application.

We're currently rolling this feature out on Pivotal Web Services, where we'll watch how the system performs for a bit before making this configuration the default in cf-deployment, eliminating the need for an operations file.

For details and configuration instructions, please see our documentation:

The original proposal for the feature can be found here.

In addition to replying to this announcement, feedback can be provided in the Cloud Foundry team Slack channels #diego and #routing.


Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.
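The identity check described in item 3 of the announcement above, as an added example that is not part of the announcement or of Gorouter's or Diego's code: a self-contained Go program that mints a throwaway platform CA and per-instance certificates, then dials a backend the way a router would, accepting it only if the chain verifies against that CA and the leaf names the instance the route table expected. The SAN convention (`<instance-guid>.instance.internal`), the `example-platform-ca` name, and every function name here are assumptions of this example, not Cloud Foundry's actual certificate layout.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// identityName is this example's assumed SAN convention for naming one app instance.
func identityName(instanceGUID string) string { return instanceGUID + ".instance.internal" }

// mint generates a P-256 key and signs tmpl with parent (self-signed when parent is nil).
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA mints a throwaway root standing in for the platform CA that signs container certs (assumed name).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return mint(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-platform-ca"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}, nil, nil)
}

// issueInstanceCert issues the short-lived leaf one container presents; its SAN names the instance.
func issueInstanceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, instanceGUID string) (tls.Certificate, error) {
	cert, key, err := mint(&x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: instanceGUID}, DNSNames: []string{identityName(instanceGUID)},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key}, nil
}

// instanceVerifier is the router-side check: the presented chain must lead to the platform CA
// and the leaf must name the instance the route table promised for this address.
func instanceVerifier(ca *x509.Certificate, expectedGUID string) func([][]byte, [][]*x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		leaf, err := x509.ParseCertificate(rawCerts[0]) // the client handshake rejects an empty list before calling this
		if err != nil {
			return err
		}
		// DNSName makes Verify reject a validly signed cert for another instance (port reuse) with a HostnameError.
		if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: identityName(expectedGUID)}); err != nil {
			return fmt.Errorf("route integrity check failed for %s: %w", expectedGUID, err)
		}
		return nil
	}
}

// probe starts one TLS backend on an ephemeral port and dials it the way a router would
// when its route table claims that address belongs to expectedGUID.
func probe(ca *x509.Certificate, backend tls.Certificate, expectedGUID string) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{backend}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake() // a rejection surfaces as the client's error
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		InsecureSkipVerify:    true, // default check replaced, not dropped: see instanceVerifier
		VerifyPeerCertificate: instanceVerifier(ca, expectedGUID),
	})
	if err != nil {
		return err
	}
	return conn.Close()
}

func main() {
	ca, caKey, _ := newCA()
	certA, _ := issueInstanceCert(ca, caKey, "instance-a")
	certB, _ := issueInstanceCert(ca, caKey, "instance-b")
	fmt.Println("route says instance-a, backend is instance-a:", probe(ca, certA, "instance-a"))
	fmt.Println("route says instance-a, backend is instance-b:", probe(ca, certB, "instance-a"))
}
```

The second probe models the port-reuse case from item 3: the backend holds a certificate the platform CA really issued, but for a different instance, so the handshake fails closed instead of delivering the request to the wrong app. The same check could be written with `RootCAs` plus `ServerName` and no callback; the explicit `VerifyPeerCertificate` form is used here because a router matches the peer against its own route table entry rather than against a hostname the caller typed.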
