cloudfoundry / docs-cf-admin

A place to put documentation about how to operate your Cloud Foundry deployment using the command line tools bosh and cf
Apache License 2.0

securing-traffic should include internal TLS and Envoy #206

Open pburkholder opened 3 years ago

pburkholder commented 3 years ago

securing-traffic.html.md.erb is wrong/outdated since it doesn’t account for Envoy.

The guidance provided at https://gist.github.com/nikhilsuvarna/bd0aa0ef01880270c13d145c61a4af22 should be incorporated to correctly show how TLS is established between the GoRouter and AppContainer.

That is, the CF guide shows: image

and:

image

but not anything like the current state with TLS to the container:

image

My knowledge of CF isn't enough to determine how much of the current document needs to be deleted as obsolete vs. just adding new content, so I'll start with an issue instead of a PR.

cf-gitbot commented 3 years ago

We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story.

The labels on this github issue will be updated when the story is started.

pburkholder commented 3 years ago

cc: @nikhilsuvarna

Scoobed commented 2 years ago

It would be nice if this was fixed, as using the GIST to explain it is not normally the best. But that gist really explains it well.

anita-flegg commented 1 year ago

@pburkholder , please get this change vetted by the experts in the CF slack channel. I will be happy to update the docs if they agree that it is applicable. Thanks :)

anita-flegg commented 1 year ago

@ameowlia , would you review this please? I would like to make this improvement in the docs, but it looks like we need some expert input first :)

ameowlia commented 1 year ago

@pburkholder is 100% right, these docs are quite outdated. Currently the only two options for configuring this traffic are:

  1. Gorouter establishes a TLS connection with the app's sidecar Envoy
  2. Gorouter establishes an mTLS connection with the app's sidecar Envoy

These have been the only two options for many years. We should update the docs to reflect as much.

@anita-flegg let me know how you want to move forward on this: whether you want to do the first round of edits, or whether you want my team to.
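Added example (not from this thread, the Gorouter or Envoy code bases, or the CF docs): a self-contained Go program that models the two options listed above, with the sidecar as the TLS server and the router as the client, and runs each combination over loopback TCP. The PKI is constructed inline; the names app-ca, router-ca, app-instance.internal and gorouter are placeholders, not CF's real instance-identity or router credentials. The point it makes is the one the thread's docs fix turns on: with plain TLS the app side verifies nothing about the router, while with mTLS only a client certificate chaining to the CA the sidecar trusts is accepted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// newCert issues a throwaway P-256 certificate for cn (constructed test PKI, not
// CF's instance-identity credentials); parent == nil makes it a self-signed CA.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	parsed, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, key
}

// handshake runs one connection over loopback TCP (sidecar = server, router = client)
// and reports whether the server accepted it and the client read the server's greeting.
func handshake(srv, cli *tls.Config) bool {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	done := make(chan bool, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			done <- false
			return
		}
		defer raw.Close()
		_, err = tls.Server(raw, srv).Write([]byte("ok")) // Write runs the handshake first
		done <- err == nil
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		panic(err)
	}
	defer raw.Close()
	// Read runs the client handshake, then returns the greeting or the server's
	// alert (e.g. "certificate required"), which a TLS 1.3 client only sees here.
	_, err = tls.Client(raw, cli).Read(make([]byte, 2))
	return <-done && err == nil
}

// Scenarios exercises both options against a constructed PKI: one CA signs app
// certs, another signs router certs; a router cert from the app CA stands in for
// "not issued by the CA the sidecar trusts".
func Scenarios() map[string]bool {
	_, appCA, appKey := newCert("app-ca", true, nil, nil)
	_, routerCA, routerKey := newCert("router-ca", true, nil, nil)
	appCert, _, _ := newCert("app-instance.internal", false, appCA, appKey)
	routerCert, _, _ := newCert("gorouter", false, routerCA, routerKey)
	wrongCert, _, _ := newCert("gorouter", false, appCA, appKey)
	appPool, routerPool := x509.NewCertPool(), x509.NewCertPool()
	appPool.AddCert(appCA)
	routerPool.AddCert(routerCA)
	connect := func(mutual bool, cert *tls.Certificate) bool {
		srv := &tls.Config{Certificates: []tls.Certificate{appCert}, MinVersion: tls.VersionTLS12}
		if mutual { // the one knob that separates option 2 from option 1
			srv.ClientAuth, srv.ClientCAs = tls.RequireAndVerifyClientCert, routerPool
		}
		cli := &tls.Config{RootCAs: appPool, ServerName: "app-instance.internal", MinVersion: tls.VersionTLS12}
		if cert != nil {
			cli.Certificates = []tls.Certificate{*cert}
		}
		return handshake(srv, cli)
	}
	return map[string]bool{
		"tls: router presents nothing":        connect(false, nil),
		"tls: router presents wrong-CA cert":  connect(false, &wrongCert),
		"mtls: router presents nothing":       connect(true, nil),
		"mtls: router presents trusted cert":  connect(true, &routerCert),
		"mtls: router presents wrong-CA cert": connect(true, &wrongCert),
	}
}
```

Call `Scenarios()` and print the map: both plain-TLS rows come back accepted whatever the router presents, while under mTLS only the router certificate issued by the trusted CA is accepted. In a real deployment the same distinction decides whether a process that can reach the container's Envoy port from the cell network is authenticated at all, which is why the docs should state plainly which of the two modes is in effect and which CA the sidecar trusts for client certificates.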

anita-flegg commented 1 year ago

Thanks @ameowlia, I will give it a try, and ask for input as needed :)

anita-flegg commented 1 year ago

Hi @ameowlia , I removed all mention of the 3 termination options and added in the Envoy details. I made a branch for it -- envoy: https://github.com/cloudfoundry/docs-cf-admin/blob/envoy/securing-traffic.html.md.erb I think more stuff has to be removed or changed, but I didn't want to remove anything I was unsure about. I also don't know how far back we want to go with the TLS versions.

Please review it and let me know if you need changes. I can do them, or your people can -- whatever is easier.