Krannich, Bernd <bernd.krannich@...>
Same here! Congrats from the SAP side of the house to the teams for getting this in!
Regards,
Bernd
From: <cf-dev@...> on behalf of Dieu Cao <dcao@...>
Reply-To: "cf-dev@..." <cf-dev@...>
Date: Saturday, 17. February 2018 at 05:44
To: "cf-dev@..." <cf-dev@...>
Subject: Re: [cf-dev] Announcing TLS from Gorouter to app containers: Delivering three important outcomes
Extremely excited to see this great milestone reached! Congrats to the Routing and Diego teams!
On Feb 16, 2018 7:47 PM, "Dr Nic Williams" <drnicwilliams@...> wrote:
From: cf-dev@... <cf-dev@...> on behalf of David Sabeti <dsabeti@...>
Sent: Friday, February 16, 2018 10:08:40 PM
To: cf-dev@...
Subject: Re: [cf-dev] Announcing TLS from Gorouter to app containers: Delivering three important outcomes
Congrats! Let me know if/when you want route integrity enabled by default in cf-deployment.
On Fri, Feb 16, 2018 at 6:08 PM Shannon Coen <scoen@...> wrote:
On behalf of Eric Malm, the CF Diego team, and the CF Routing team, I am thrilled to announce three exciting improvements to Cloud Foundry, rolled up in one big shiny feature, available now using this operations file with cf-deployment 1.15.0.
If these sound valuable to you, please give it a try and send us your feedback.
- Increased security: Gorouter will encrypt traffic to application containers via TLS.
- Increased resiliency: Gorouter will ignore the TTL of app routes, keeping your apps available during failures in the routing control plane.
- Increased guarantees against misrouting: Gorouter will use the certificate presented in the TLS handshake to validate the identity of application instances before forwarding HTTP requests. Optimizing for availability increases the risk of misrouting, as a healthy Diego will continue recreating containers to keep your apps running and the probability of port reuse is statistically significant.
All this without any additional burden on application developers. Cloud Foundry will automatically generate the necessary certificates for each container, rotate them periodically, and use them to transparently terminate TLS for traffic from Gorouter. This effort represents our first integration with Envoy, a feature-rich proxy developed at Lyft and recently contributed to the CNCF, laying a foundation for future Istio-driven polyglot service-mesh features in Cloud Foundry. When the feature is enabled, Cloud Foundry runs an Envoy proxy in each application container for terminating TLS and increases container resource quotas to avoid any impact to the application.
We're currently rolling this feature out on Pivotal Web Services, where we'll watch how the system performs for a bit before making this configuration the default in cf-deployment, eliminating the need for an operations file.
For details and configuration instructions, please see our documentation:
The original proposal for the feature can be found here.
In addition to replying to this announcement, feedback can be provided in the Cloud Foundry team Slack channels #diego and #routing.
Shannon Coen
Product Manager, Cloud Foundry
|
|
Extremely excited to see this great milestone reached! Congrats to the Routing and Diego teams!
Dieu
|
|
Dr Nic Williams <drnicwilliams@...>
|
|
Congrats! Let me know if/when you want route integrity enabled by default in cf-deployment.
|
|
Onsi Fakhouri <ofakhouri@...>
Bravo! Such a beautifully integrated solution!
On Feb 16, 2018, at 7:12 PM, Amit Kumar Gupta <agupta@...> wrote:
Wow, that's a beautiful set of improvements, and all rolled into one to boot! Congrats routing and diego teams! Looking forward to seeing the real-world data from PWS.
Cheers, Amit
|
|
Wow, that's a beautiful set of improvements, and all rolled into one to boot! Congrats routing and diego teams! Looking forward to seeing the real-world data from PWS.
Cheers, Amit
|
|
On behalf of Eric Malm, the CF Diego team, and the CF Routing team, I am thrilled to announce three exciting improvements to Cloud Foundry, rolled up in one big shiny feature, available now using this operations file with cf-deployment 1.15.0. If these sound valuable to you, please give it a try and send us your feedback.
- Increased security: Gorouter will encrypt traffic to application containers via TLS.
- Increased resiliency: Gorouter will ignore the TTL of app routes, keeping your apps available during failures in the routing control plane.
- Increased guarantees against misrouting: Gorouter will use the certificate presented in the TLS handshake to validate the identity of application instances before forwarding HTTP requests. Optimizing for availability increases the risk of misrouting, as a healthy Diego will continue recreating containers to keep your apps running and the probability of port reuse is statistically significant.
All this without any additional burden on application developers. Cloud Foundry will automatically generate the necessary certificates for each container, rotate them periodically, and use them to transparently terminate TLS for traffic from Gorouter. This effort represents our first integration with Envoy, a feature-rich proxy developed at Lyft and recently contributed to the CNCF, laying a foundation for future Istio-driven polyglot service-mesh features in Cloud Foundry. When the feature is enabled, Cloud Foundry runs an Envoy proxy in each application container for terminating TLS and increases container resource quotas to avoid any impact to the application.
We're currently rolling this feature out on Pivotal Web Services, where we'll watch how the system performs for a bit before making this configuration the default in cf-deployment, eliminating the need for an operations file.
For details and configuration instructions, please see our documentation:
The original proposal for the feature can be found here.
In addition to replying to this announcement, feedback can be provided in the Cloud Foundry team Slack channels #diego and #routing.
Best,
Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.
|
|
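The misrouting guarantee from the announcement, as an added Go example that is not part of the thread and not Gorouter's own code: a route entry that never expires points at an address later reused by a different instance, and the certificate check refuses to forward. It assumes the instance ID is carried in a DNS SAN and that a mismatch prunes the route; `issue`, `route`, the instance IDs, the address and the CA are all constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a one-hour cert with DNS SAN name, signed by parent (a self-signed CA if nil).
func issue(name string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: []string{name},
		Subject: pkix.Name{CommonName: name}, IsCA: parent == nil, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, pkey = tpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// route forwards only if the presented cert chains to ca and names the expected instance; pruning on mismatch is assumed.
func route(table map[string]string, presented, ca *x509.Certificate, addr string) error {
	want, ok := table[addr]
	if !ok { // an empty expected name would disable the hostname check, so fail closed
		return fmt.Errorf("no route for %s", addr)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: want}); err != nil {
		delete(table, addr) // the address now belongs to a different instance
		return fmt.Errorf("refusing %s: %w", addr, err)
	}
	return nil
}

func main() { // constructed scenario: app A's container is gone, app B reuses its ip:port
	ca, caKey := issue("constructed-instance-ca", nil, nil)
	a, _ := issue("instance-a1", ca, caKey)
	b, _ := issue("instance-b7", ca, caKey)
	table := map[string]string{"10.0.0.5:61001": "instance-a1"} // entry never expires
	fmt.Println(route(table, a, ca, "10.0.0.5:61001"), route(table, b, ca, "10.0.0.5:61001"))
}
```

Without the identity check, the second request would reach app B over a perfectly valid TLS connection, which is why encryption alone does not cover the misrouting case.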