Enable TLS for TCP Routing by default, disable unproxied container ports, and provide ops-files to disable #1195
Conversation
Hello friend, it looks like your pull request has failed one or more of our checks. Please take a look! 👀
…efault, and provide ops-files to disable.

Enables TLS encryption for TCP Routes on the hop between tcp-router + app containers. This behaves the same as the TLS encryption between gorouter and app containers, and relies on the same settings regarding route integrity.

This allows us to finally disable the unproxied container ports, and prevent network connections to app ports from hosts other than router or tcp-router.

If operators wish to disable TLS for TCP routes, they must first re-enable the unproxied ports by deploying with these ops files (as appropriate):
- operations/disable-tls-tcp-routing-stage-1-unproxied-ports.yml
- operations/disable-tls-tcp-routing-isolation-segment-stage-1-unproxied-ports.yml
- operations/experimental/disable-tls-tcp-routing-windows-stage-1-unproxied-ports.yml

Once the unproxied ports are re-enabled, a second deploy can be performed to disable TLS for TCP Routes via these ops files (as appropriate):
- operations/disable-tls-tcp-routing-stage-2-tcp-router-and-route-emitter.yml
- operations/disable-tls-tcp-routing-isolation-segment-stage-2-route-emitter.yml
- operations/experimental/disable-tls-tcp-routing-windows-stage-2-route-emitter.yml

Failing to disable this in a two-deploy fashion will result in downtime for TCP Routes.
6de54a5 to 8fe499c
Can you please
- Add to/Update the ops file READMEs.
- Add to/Update the unit tests for the ops file changes.
Should any of the ops files be tested in the CF-D fanouts?
The ones related to disabling things don't need to be. Adding the isolation segment + windows ops files if not already present would be appreciated. I'm on the fence if the experimental windows-nginx ops file should be added, this probably gets tested in cats with envoy-nginx-release so would be a little redundant for something labeled experimental.
Working on getting the unit tests validated for this + will update soon, but due to a bug we found yesterday + fixed, this shouldn't get merged until routing-release 0.306.0 is included in cf-d.
routing-release 0.306.0 is now released, and I pushed up the updates requested for this PR.
WHAT is this change about?
Enables TLS encryption for TCP Routes on the hop between tcp-router + app containers. This behaves the same as the TLS encryption between gorouter and app containers, and relies on the same settings regarding route integrity.
This allows us to finally disable the unproxied container ports, and prevent network connections to app ports from hosts other than router or tcp-router.
If operators wish to disable TLS for TCP routes, they must first re-enable the unproxied ports by deploying with these ops files (as appropriate):
- operations/disable-tls-tcp-routing-stage-1-unproxied-ports.yml
- operations/disable-tls-tcp-routing-isolation-segment-stage-1-unproxied-ports.yml
- operations/experimental/disable-tls-tcp-routing-windows-stage-1-unproxied-ports.yml
Once the unproxied ports are re-enabled, a second deploy can be performed to disable TLS for TCP Routes via these ops files (as appropriate):
- operations/disable-tls-tcp-routing-stage-2-tcp-router-and-route-emitter.yml
- operations/disable-tls-tcp-routing-isolation-segment-stage-2-route-emitter.yml
- operations/experimental/disable-tls-tcp-routing-windows-stage-2-route-emitter.yml
Failing to disable this in a two-deploy fashion will result in downtime for TCP Routes.
What customer problem is being addressed? Use customer persona to define the problem e.g. Alana is unable to...
Please provide any contextual information.
Has a cf-deployment including this change passed cf-acceptance-tests?
When run with cloudfoundry/cf-acceptance-tests#1203, no changes are needed for this to pass CATs.
Does this PR introduce a breaking change? Please take a moment to read through the examples before answering the question.
This change disables unproxied ports for app containers. This will prevent processes other than gorouter + tcp-router from connecting to app ports via the underlay network.
How should this change be described in cf-deployment release notes?
Three notes:
Does this PR introduce a new BOSH release into the base cf-deployment.yml manifest or any ops-files?
Does this PR make a change to an experimental or GA'd feature/component?
Please provide Acceptance Criteria for this change?
What is the level of urgency for publishing this change?
Tag your pair, your PM, and/or team!
@cloudfoundry/wg-app-runtime-platform-networking-approvers
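The two-deploy opt-out described in the PR, as an added example that is not part of cf-deployment or this PR. It drives `bosh deploy` twice, once per stage, and refuses to mix stage-1 and stage-2 ops files in a single deploy, since the PR states that skipping the two-deploy sequence causes downtime for TCP routes. The ops-file paths are the ones the PR lists; everything else is an assumption of this script: the deployment is named `cf`, the base manifest is `./cf-deployment.yml`, the `bosh` CLI is installed and targeted, and the flavor names `standard`, `isolation` and `windows` are this script's own labels for the three variants.

```shell
#!/bin/sh
# Added example (not cf-deployment's own tooling): disable TLS for TCP routes
# in the two-deploy order the PR requires. Assumptions: deployment name "cf",
# manifest ./cf-deployment.yml, bosh CLI on PATH and targeted. Override with
# DEPLOYMENT, MANIFEST, EXTRA_OPS (space-separated ops files you always apply).
set -eu

BOSH_CMD="${BOSH_CMD:-bosh}"
DEPLOYMENT="${DEPLOYMENT:-cf}"
MANIFEST="${MANIFEST:-cf-deployment.yml}"

# Stage 1: re-open the unproxied container ports. Until this has converged on
# every cell, tcp-router can only reach app containers over the TLS proxy port.
stage1_ops_file() {
  case "$1" in
    standard)  echo operations/disable-tls-tcp-routing-stage-1-unproxied-ports.yml ;;
    isolation) echo operations/disable-tls-tcp-routing-isolation-segment-stage-1-unproxied-ports.yml ;;
    windows)   echo operations/experimental/disable-tls-tcp-routing-windows-stage-1-unproxied-ports.yml ;;
    *) echo "unknown flavor: $1 (expected standard|isolation|windows)" >&2; return 1 ;;
  esac
}

# Stage 2: turn TLS off for TCP routes. Only the standard flavor reconfigures
# tcp-router; isolation-segment and windows cells share it and only change
# their route-emitter (visible in the ops-file names).
stage2_ops_file() {
  case "$1" in
    standard)  echo operations/disable-tls-tcp-routing-stage-2-tcp-router-and-route-emitter.yml ;;
    isolation) echo operations/disable-tls-tcp-routing-isolation-segment-stage-2-route-emitter.yml ;;
    windows)   echo operations/experimental/disable-tls-tcp-routing-windows-stage-2-route-emitter.yml ;;
    *) echo "unknown flavor: $1 (expected standard|isolation|windows)" >&2; return 1 ;;
  esac
}

# Run one bosh deploy for a single stage, adding the ops file for each flavor
# the foundation uses. Because the stage is fixed per call, stage-1 and stage-2
# ops files can never end up in the same deploy.
deploy_stage() {
  stage="$1"; shift
  flavors="$*"
  set -- -n -d "$DEPLOYMENT" deploy "$MANIFEST"
  for extra in ${EXTRA_OPS:-}; do set -- "$@" -o "$extra"; done
  for flavor in $flavors; do
    if [ "$stage" = 1 ]; then
      f=$(stage1_ops_file "$flavor") || return 1
    else
      f=$(stage2_ops_file "$flavor") || return 1
    fi
    set -- "$@" -o "$f"
  done
  "$BOSH_CMD" "$@"
}

# Full procedure: stage 2 only starts after the stage-1 deploy has finished,
# so the unproxied ports are open before tcp-router stops speaking TLS.
disable_tls_tcp_routing() {
  deploy_stage 1 "$@"
  deploy_stage 2 "$@"
}

# Set RUN_DEPLOY=1 to actually run against the targeted director, e.g.
#   RUN_DEPLOY=1 FLAVORS="standard isolation" ./disable-tls-tcp-routing.sh
if [ "${RUN_DEPLOY:-0}" = 1 ]; then
  disable_tls_tcp_routing ${FLAVORS:-standard}
fi
```

Pass every flavor the foundation runs in one invocation (for example `standard isolation`) so that each stage is a single deploy covering all cells; running the stages per flavor would multiply the deploys without changing the ordering guarantee.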