Disable unproxied container ports and enable TLS for TCP Routing by default, and provide ops-files to disable.

Enables TLS encryption for TCP Routes on the hop between tcp-router +
app containers. This behaves the same as the TLS encryption between
gorouter and app containers, and relies on the same settings regarding
route integrity.

This allows us to finally disable the unproxied container ports, and
prevent network connections to app ports from hosts other than router
or tcp-router.

If operators wish to disable TLS for TCP routes, they must first
re-enable the unproxied ports by deploying with these ops files (as appropriate):

- operations/disable-tls-tcp-routing-stage-1-unproxied-ports.yml
- operations/disable-tls-tcp-routing-isolation-segment-stage-1-unproxied-ports.yml
- operations/experimental/disable-tls-tcp-routing-windows-stage-1-unproxied-ports.yml

Once the unproxied ports are re-enabled, a second deploy can be
performed to disable TLS for TCP Routes via these ops files (as appropriate):

- operations/disable-tls-tcp-routing-stage-2-tcp-router-and-route-emitter.yml
- operations/disable-tls-tcp-routing-isolation-segment-stage-2-route-emitter.yml
- operations/experimental/disable-tls-tcp-routing-windows-stage-2-route-emitter.yml

Failing to disable this in a two-deploy fashion will result in downtime
for TCP Routes.
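The two-deploy ordering rule in the commit message above is easy to get wrong from the ops-file names alone, so here is a pre-deploy guard for it. This is an added example, not code from cf-deployment, BOSH or the commit: it contains a minimal re-implementation of the bosh ops-file `replace` operation (only `replace`, `name=` list selectors, `-` append and the `?` optional marker, which is all the ops files on this page use), a check that flags any cell whose route emitter would advertise plaintext TCP routes (`tcp.enable_tls: false`) while the rep has `enable_unproxied_port_mappings: false`, and a constructed manifest fragment that mirrors only the keys this commit sets. Reading real YAML (e.g. with PyYAML) and the defaults assumed for missing keys are my assumptions, marked in the code.

```python
"""Pre-deploy guard for the two-stage 'disable TLS for TCP routing' procedure.
Added example, not cf-deployment's code: a minimal bosh-style ops-file 'replace'
applier (enough for the paths in this commit) plus a check for the ordering rule
in the commit message: a cell must not emit plaintext TCP routes
(route_emitter tcp.enable_tls=false) while rep has
containers.proxy.enable_unproxied_port_mappings=false, because those routes
would point at a container port that no longer exists."""
import copy
import re

_SELECTOR = re.compile(r"^(\w+)=(.*)$")      # bosh list selector, e.g. name=diego-cell

def _descend(node, seg, optional, next_seg):
    """Return the child addressed by seg, creating it only below a '?' segment."""
    if isinstance(node, list):
        m = _SELECTOR.match(seg)
        if not m:
            raise ValueError(f"list needs a key=value selector, got {seg!r}")
        key, want = m.groups()
        for item in node:
            if isinstance(item, dict) and str(item.get(key)) == want:
                return item
        if not optional:
            raise KeyError(f"no element with {key}={want}")
        node.append({key: want})
        return node[-1]
    if seg not in node:
        if not optional:
            raise KeyError(f"missing key {seg!r} (mark it with '?' to create it)")
        # bosh creates a list when the next segment is '-' or a key=value selector
        node[seg] = [] if next_seg == "-" or "=" in next_seg else {}
    return node[seg]

def apply_ops(manifest, ops):
    """Apply bosh-style 'replace' operations to a copy of manifest and return it."""
    doc = copy.deepcopy(manifest)
    for op in ops:
        if op.get("type") != "replace":
            raise ValueError("only 'replace' is implemented")  # the only type this commit uses
        segs = op["path"].lstrip("/").split("/")
        node, optional = doc, False               # a '?' makes everything below it creatable
        for i, raw in enumerate(segs[:-1]):
            optional = optional or raw.endswith("?")
            node = _descend(node, raw.rstrip("?"), optional, segs[i + 1])
        last = segs[-1]
        optional = optional or last.endswith("?")
        last, value = last.rstrip("?"), copy.deepcopy(op["value"])
        if isinstance(node, list):
            if last != "-":
                raise ValueError(f"only '-' (append) is supported on lists, got {last!r}")
            node.append(value)
        elif last in node or optional:
            node[last] = value
        else:
            raise KeyError(f"missing key {last!r} (mark it with '?' to create it)")
    return doc

def tcp_route_downtime_risk(manifest):
    """Cell instance groups whose TCP routes would break under this manifest.
    Assumption (not on the page): a missing enable_unproxied_port_mappings
    counts as true and a missing enable_tls as false."""
    at_risk = []
    for ig in manifest.get("instance_groups", []):
        props = {j["name"]: j.get("properties", {}) for j in ig.get("jobs", [])}
        rep = next((props[n] for n in ("rep", "rep_windows") if n in props), None)
        emitter = next((props[n] for n in ("route_emitter", "route_emitter_windows") if n in props), None)
        if rep is None or emitter is None:
            continue                              # not a Diego cell
        tcp = emitter.get("tcp", {})
        if not tcp.get("enabled", False):
            continue                              # this cell emits no TCP routes
        proxy = rep.get("containers", {}).get("proxy", {})
        if not tcp.get("enable_tls", False) and not proxy.get("enable_unproxied_port_mappings", True):
            at_risk.append(ig["name"])
    return at_risk

# Constructed manifest fragment mirroring the keys this commit sets (not the real file).
BASE_MANIFEST = {"instance_groups": [
    {"name": "tcp-router", "jobs": [{"name": "tcp_router", "properties": {
        "tcp_router": {"backend_tls": {"enabled": True}}}}]},
    {"name": "diego-cell", "jobs": [
        {"name": "rep", "properties": {"containers": {"proxy": {
            "enabled": True, "enable_unproxied_port_mappings": False}}}},
        {"name": "route_emitter", "properties": {"tcp": {"enabled": True, "enable_tls": True}}}]},
]}

# The two stages from the commit message, as the ops-file contents for diego-cell.
STAGE_1 = [{"type": "replace", "value": True, "path":
            "/instance_groups/name=diego-cell/jobs/name=rep/properties/containers/proxy/enable_unproxied_port_mappings?"}]
STAGE_2 = [{"type": "replace", "value": False, "path":
            "/instance_groups/name=tcp-router/jobs/name=tcp_router/properties/tcp_router/backend_tls?/enabled"},
           {"type": "replace", "value": False, "path":
            "/instance_groups/name=diego-cell/jobs/name=route_emitter/properties/tcp/enable_tls?"}]

def plan(stages, manifest=BASE_MANIFEST):
    """Apply one ops-file set per deploy; return the at-risk cells after each deploy."""
    report = []
    for ops in stages:
        manifest = apply_ops(manifest, ops)
        report.append(tcp_route_downtime_risk(manifest))
    return report

if __name__ == "__main__":
    print("stage 2 alone  :", plan([STAGE_2]))            # [['diego-cell']]
    print("stage 1, then 2:", plan([STAGE_1, STAGE_2]))   # [[], []]
```

`plan` evaluates the manifest after each deploy, so it catches the case the commit message warns about (stage 2 applied without stage 1) while accepting the documented order. It is a static check on the rendered manifest: it cannot see the rolling-update window within one deploy, which is why the two stages still have to be separate deploys.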
geofffranks committed Aug 19, 2024
1 parent 1bb0ff5 commit 6de54a5
Showing 10 changed files with 65 additions and 0 deletions.
18 changes: 18 additions & 0 deletions cf-deployment.yml
@@ -1463,6 +1463,11 @@ instance_groups:
router_group: default-tcp
tls_health_check_cert: ((tcp_router_lb_health_tls.certificate))
tls_health_check_key: ((tcp_router_lb_health_tls.private_key))
backend_tls:
enabled: true
client_cert: ((tcp_router_backend_tls.certificate))
client_key: ((tcp_router_backend_tls.private_key))
ca_cert: ((diego_instance_identity_ca.ca))
uaa:
ca_cert: "((uaa_ssl.ca))"
tls_port: 8443
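Review bot: `ca_cert: ((diego_instance_identity_ca.ca))` means the tcp-router validates container-side server certificates against the Diego instance identity CA, while the cell validates the tcp-router's client certificate against `((tcp_router_backend_tls.ca))`; the commit message only says this "relies on the same settings regarding route integrity". Spell out in the message or release notes that rotating the instance identity CA now also affects TCP routes, not only HTTP routes through gorouter, so operators include tcp-router in their CA rotation plan.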
@@ -1637,13 +1642,16 @@ instance_groups:
containers:
proxy:
enabled: true
enable_unproxied_port_mappings: false
require_and_verify_client_certificates: true
trusted_ca_certificates:
- ((gorouter_backend_tls.ca))
- ((ssh_proxy_backends_tls.ca))
- ((tcp_router_backend_tls.ca))
verify_subject_alt_name:
- gorouter.service.cf.internal
- ssh-proxy.service.cf.internal
- tcp-router.service.cf.internal
trusted_ca_certificates:
- ((diego_instance_identity_ca.ca))
- ((credhub_tls.ca))
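Review bot: `enable_unproxied_port_mappings: false` removes the plaintext container port for every consumer, not only for TCP routes: a deployment that still has gorouter or ssh-proxy backend TLS disabled, or anything else that connects straight to the container port, loses connectivity on this deploy. The commit message only describes the TCP-routing disable path; document that the stage-1 ops files are also the escape hatch for those cases, or state explicitly that gorouter and ssh-proxy backend TLS must already be enabled before this default is taken.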
@@ -1682,6 +1690,7 @@ instance_groups:
client_key: "((nats_client_cert.private_key))"
tcp:
enabled: true
enable_tls: true
uaa:
ca_cert: "((uaa_ssl.ca))"
client_secret: "((uaa_clients_tcp_emitter_secret))"
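Review bot: enabling is done in a single deploy here (`backend_tls.enabled: true` on the tcp-router above, `tcp.enable_tls: true` on the route emitter), while the commit message requires two deploys for the reverse direction. BOSH updates instance groups in manifest order, so tcp-router runs with backend TLS on while cells not yet updated still have their routes registered without `enable_tls`; say in the commit message whether that window is safe or whether taking this default also incurs TCP-route downtime, since operators will assume the same care applies in both directions.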
@@ -2486,6 +2495,15 @@ variables:
common_name: gorouter_lb_health_tls
alternative_names:
- gorouter.service.cf.internal
- name: tcp_router_backend_tls
type: certificate
options:
ca: service_cf_internal_ca
common_name: tcp-router_backend_tls
alternative_names:
- tcp-router.service.cf.internal
extended_key_usage:
- client_auth
- name: tcp_router_lb_health_tls
type: certificate
options:
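Review bot: `common_name: tcp-router_backend_tls` mixes a hyphen and underscores, unlike `gorouter_lb_health_tls` just above and the variable name `tcp_router_backend_tls`; the cell only checks the SAN `tcp-router.service.cf.internal`, so this is cosmetic, but a CN matching the variable name avoids confusion when operators search CredHub. The `client_auth`-only `extended_key_usage` is right for a certificate the tcp-router only ever presents as a client.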
4 changes: 4 additions & 0 deletions operations/add-persistent-isolation-segment-diego-cell.yml
@@ -70,13 +70,16 @@
containers:
proxy:
enabled: true
enable_unproxied_port_mappings: false
require_and_verify_client_certificates: true
trusted_ca_certificates:
- ((gorouter_backend_tls.ca))
- ((ssh_proxy_backends_tls.ca))
- ((tcp_router_backend_tls.ca))
verify_subject_alt_name:
- gorouter.service.cf.internal
- ssh-proxy.service.cf.internal
- tcp-router.service.cf.internal
trusted_ca_certificates:
- ((diego_instance_identity_ca.ca))
- ((credhub_tls.ca))
@@ -134,6 +137,7 @@
timestamp: "rfc3339"
tcp:
enabled: true
enable_tls: true
uaa:
ca_cert: "((uaa_ssl.ca))"
client_secret: "((uaa_clients_tcp_emitter_secret))"
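Review bot: the isolation-segment stage files listed in the commit message target the instance group `isolated-diego-cell` (`/instance_groups/name=isolated-diego-cell/...`), but the instance group name this ops file defines is outside the hunk; confirm it matches, because a `name=` selector that finds nothing makes `bosh interpolate` fail rather than silently skip, and an operator would hit that only at the point of trying to roll back. A one-line comment next to `enable_tls: true` pointing at the two isolation-segment stage files would also save them a search of the commit history.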
@@ -0,0 +1,4 @@
---
- type: replace
path: /instance_groups/name=isolated-diego-cell/jobs/name=rep/properties/containers/proxy/enable_unproxied_port_mappings?
value: true
@@ -0,0 +1,4 @@
---
- type: replace
path: /instance_groups/name=isolated-diego-cell/jobs/name=route_emitter/properties/tcp/enable_tls?
value: false
@@ -0,0 +1,4 @@
---
- type: replace
path: /instance_groups/name=diego-cell/jobs/name=rep/properties/containers/proxy/enable_unproxied_port_mappings?
value: true
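Review bot: the stage-1 file carries no comment saying it is the first half of a two-deploy procedure; an operator who finds `disable-tls-tcp-routing-stage-1-unproxied-ports.yml` on its own cannot tell from its four lines that the stage-2 file must follow in a separate deploy, or that applying stage 2 first causes the downtime the commit message warns about. Add a short header comment to each stage file naming its counterpart and the required order.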
@@ -0,0 +1,8 @@
---
- type: replace
path: /instance_groups/name=tcp-router/jobs/name=tcp_router/properties/tcp_router/backend_tls?/enabled
value: false

- type: replace
path: /instance_groups/name=diego-cell/jobs/name=route_emitter/properties/tcp/enable_tls?
value: false
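Review bot: `backend_tls?/enabled: false` on the tcp-router affects every cell, but this file flips `tcp/enable_tls?` only for `diego-cell`; in a deployment that also has isolation-segment or Windows cells, applying this file without their stage-2 companions leaves those cells advertising TLS routes to a tcp-router that no longer uses TLS to backends. State that dependency in a header comment and list the companion files. The tcp-router's `client_cert`/`client_key` and the cells' `((tcp_router_backend_tls.ca))` trust entry are left in place, which is harmless, but worth a comment so operators do not expect the certificate to be removed.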
@@ -0,0 +1,4 @@
---
- type: replace
path: /instance_groups/name=windows2019-cell/jobs/name=rep_windows/properties/containers/proxy/enable_unproxied_port_mappings?
value: true
@@ -0,0 +1,4 @@
---
- type: replace
path: /instance_groups/name=windows2019-cell/jobs/name=route_emitter_windows/properties/tcp/enable_tls?
value: false
@@ -1,6 +1,9 @@
- type: replace
path: /instance_groups/name=windows2019-cell/jobs/name=rep_windows/properties/containers?/proxy/enabled
value: true
- type: replace
path: /instance_groups/name=windows2019-cell/jobs/name=rep_windows/properties/containers?/proxy/enable_unproxied_port_mappings
value: false
- type: replace
path: /instance_groups/name=windows2019-cell/jobs/name=rep_windows/properties/containers?/proxy/require_and_verify_client_certificates
value: true
@@ -9,11 +12,16 @@
value:
- ((gorouter_backend_tls.ca))
- ((ssh_proxy_backends_tls.ca))
((tcp_router_backend_tls.ca))
- type: replace
path: /instance_groups/name=windows2019-cell/jobs/name=rep_windows/properties/containers?/proxy/verify_subject_alt_name
value:
- gorouter.service.cf.internal
- ssh-proxy.service.cf.internal
- tcp-router.service.cf.internal
- type: replace
path: /instance_groups/name=windows2019-cell/jobs/name=route_emitter_windows/properties/tcp?/enable_tls
value: true
- type: replace
path: /instance_groups/name=windows2019-cell/jobs/-
value:
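Review bot: the added `((tcp_router_backend_tls.ca))` entry under `value:` has no `- ` list marker, unlike `- ((gorouter_backend_tls.ca))` and `- ((ssh_proxy_backends_tls.ca))` directly above it (unless the dash was lost in rendering). Without it YAML folds the line into the preceding plain scalar, so the second list item becomes `((ssh_proxy_backends_tls.ca)) ((tcp_router_backend_tls.ca))` and Windows cells never get the tcp-router CA as a trusted entry of its own; with `require_and_verify_client_certificates: true` and `enable_unproxied_port_mappings: false` now set in the same file, TCP routes to Windows apps would then fail the client-certificate check. Change the line to `- ((tcp_router_backend_tls.ca))`.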
7 changes: 7 additions & 0 deletions operations/windows2019-cell.yml
Expand Up @@ -86,6 +86,13 @@
client_cert: ((nats_client_cert.certificate))
client_key: ((nats_client_cert.private_key))
enabled: true
internal_routes:
enabled: true
uaa:
ca_cert: "((uaa_ssl.ca))"
client_secret: "((uaa_clients_tcp_emitter_secret))"
tcp:
enabled: true
logging:
format:
timestamp: rfc3339
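Review bot: `tcp: enabled: true` (together with the `uaa` and `internal_routes` blocks) turns on TCP route emission for all Windows cells in the non-experimental windows2019-cell.yml, without `enable_tls`; the TLS and unproxied-port changes for Windows live only in the experimental ops file. The commit title and message mention just the experimental Windows ops files, so document that base Windows cells now emit plaintext TCP routes with unproxied ports still enabled, and why enabling Windows TCP routing belongs in this commit rather than one of its own.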
