securing-traffic should include internal TLS and Envoy #206

Open
pburkholder opened this issue Aug 27, 2021 · 8 comments
@pburkholder

pburkholder commented Aug 27, 2021

securing-traffic.html.md.erb is wrong/outdated since it doesn’t account for Envoy.

The guidance provided at https://gist.github.com/nikhilsuvarna/bd0aa0ef01880270c13d145c61a4af22 should be incorporated to correctly show how TLS is established between the GoRouter and AppContainer.

That is, the CF guide shows:
image

and:

image

but not anything like the current state with TLS to the container:

image

My knowledge of CF isn't enough to determine how much of the current document needs to be deleted as obsolete vs. just adding new content, so I'll start with an issue instead of a PR.

@cf-gitbot

We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story.

The labels on this github issue will be updated when the story is started.

@pburkholder
Author

cc: @nikhilsuvarna

@Scoobed

Scoobed commented May 4, 2022

It would be nice if this was fixed, as using the gist to explain it is not normally the best. But that gist really explains it well.

@anita-flegg
Contributor

@pburkholder, please get this change vetted by the experts in the CF slack channel. I will be happy to update the docs if they agree that it is applicable. Thanks :)

@anita-flegg
Contributor

@ameowlia, would you review this please? I would like to make this improvement in the docs, but it looks like we need some expert input first :)

@ameowlia
Member

ameowlia commented Sep 25, 2023

@pburkholder is 100% right, these docs are quite outdated. Currently the only two options for configuring this traffic are:

  1. Gorouter establishes a TLS connection with the app's sidecar Envoy
  2. Gorouter establishes an mTLS connection with the app's sidecar Envoy

These have been the only two options for many years. We should update the docs to reflect as much.

@anita-flegg let me know how you want to move forward on this, whether you want to do the first round of edits or you want my team to.

@anita-flegg
Contributor

Thanks @ameowlia, I will give it a try, and ask for input as needed :)

@anita-flegg
Contributor

Hi @ameowlia, I removed all mention of the 3 termination options and added in the Envoy details.
I made a branch for it -- envoy: https://github.com/cloudfoundry/docs-cf-admin/blob/envoy/securing-traffic.html.md.erb
I think more stuff has to be removed or changed, but I didn't want to remove anything I was unsure about.
I also don't know how far back we want to go with the TLS versions.

Please review it and let me know if you need changes. I can do them, or your people can -- whatever is easier.
