vmware-archive / pcf-pipelines

PCF Pipelines
Apache License 2.0

AWS: ELB Healthchecks fail when routing_disable_http = true #297

Closed jgeorge300 closed 6 years ago

jgeorge300 commented 6 years ago

Issue

When setting 'routing_disable_http: true' for a new installation of PCF 2.0 on AWS, the healthchecks in the Pcf-Http-Elb will fail as they are still configured to use port 80.

According to the gorouter documentation, this method for the healthcheck has been deprecated.

Context

Unable to route to applications in PCF as the ELB does not see a healthy router.

Current result

The routers in the Pcf-Http-Elb show as 'OutOfService'

Steps to Reproduce

Disable http routing and apply changes.

Possible Fix

Update the pipeline to use the current documented method for health checking the routers.

cf-gitbot commented 6 years ago

We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story.

The labels on this github issue will be updated when the story is started.

abbyachau commented 6 years ago

Thank you @jgeorge300. Prioritised for engineering review.

jtarchie commented 6 years ago

We have a fix for the health check. Thanks for pointing it out.

@jgeorge300, the terraform for AWS always does SSL termination at the load balancer. The option routing_disable_http is configuration to disable HTTP traffic on the gorouter; it does not affect the load balancer. The terraform for the LB only allows SSL traffic.

This means that routing_disable_http: false should always be set, as the traffic forwarded from the LB to the gorouter always needs to hit port 80. We are going to deprecate the setting for the AWS installation pipeline in the future.

Thanks for reporting the issue. It helped us find some good things.

Edit: I meant false instead of true for the value. The inversion of enabling a disable attribute always gets me.

abbyachau commented 6 years ago

Hi @jgeorge300, please could you let us know what your use case is for setting routing_disable_http: true? The reason I'm asking is that, as @jtarchie mentions above, the AWS install pipeline terraform scripts terminate ssl at the load balancer, and as such, we were contemplating removing routing_disable_http entirely. Thanks.

jgeorge300 commented 6 years ago

Hey @abbyachau I work for a healthcare company and we're required to have all data be encrypted at rest and during transmission. Disabling http routing prevents the accidental use of non-encrypted traffic. My installation is also configured to terminate ssl at the gorouter not the ELB.

jtarchie commented 6 years ago

@jgeorge300 are you using the terraform scripts provided by the pcf-pipelines to create your environment?

If so, how did you modify the ELB to not do SSL termination?

Nonetheless, it seems we have resolved the issue with the health check. The fact that we discovered this other issue with routing_disable_http is another issue. I'd like to discuss it more, but maybe in another issue.

jgeorge300 commented 6 years ago

@jtarchie both. At the moment, I use the terraform scripts exclusively in our dev environment. Our other environments were created with the old CloudFormation templates, so I have to update the AWS resources directly. I'm working to migrate them into terraform, but it's taking time.

abbyachau commented 6 years ago

Hi @jgeorge300 thanks again for creating this issue. We've fixed the ELB healthcheck so that it now targets the correct endpoint and port. We will be releasing v23.1 which will contain this fix. We will also not remove routing_disable_http, based on your feedback. If you have any additional comments/feedback please do not hesitate to create a new issue. Thanks again.
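
The mismatch discussed in this thread can be caught before applying changes. The following is an added example, not part of the thread or of pcf-pipelines: it audits a classic ELB description against the routing_disable_http setting. The dict shape follows boto3's describe_load_balancers output; both sample ELBs, including the 8080/health target and the 443 pass-through listener, are constructed assumptions.

```python
import re

HTTP_PORT = 80  # gorouter HTTP port that routing_disable_http: true turns off

def parse_target(target):
    """Split a classic ELB health check target ('TCP:80', 'HTTP:8080/health')."""
    m = re.fullmatch(r"(TCP|SSL|HTTP|HTTPS):(\d{1,5})(/.*)?", target)
    if not m:
        raise ValueError(f"unrecognised health check target: {target!r}")
    return m.group(1), int(m.group(2)), m.group(3) or ""

def audit_elb(elb, routing_disable_http):
    """Return findings for one LoadBalancerDescription-shaped dict."""
    if not routing_disable_http:
        return []  # port 80 is still served, nothing to flag
    name, findings = elb["LoadBalancerName"], []
    _, port, _ = parse_target(elb["HealthCheck"]["Target"])
    if port == HTTP_PORT:
        findings.append(f"{name}: health check probes port {HTTP_PORT}; "
                        "routers will show OutOfService")
    for desc in elb["ListenerDescriptions"]:
        lsn = desc["Listener"]
        if lsn["InstancePort"] == HTTP_PORT:
            findings.append(f"{name}: listener {lsn['LoadBalancerPort']} forwards "
                            f"to instance port {HTTP_PORT}, closed on the gorouter")
    return findings

# Constructed sample data (not taken from the thread or a real account).
BROKEN = {
    "LoadBalancerName": "Pcf-Http-Elb",
    "HealthCheck": {"Target": "TCP:80"},
    "ListenerDescriptions": [{"Listener": {
        "Protocol": "HTTPS", "LoadBalancerPort": 443,
        "InstanceProtocol": "HTTP", "InstancePort": 80}}],
}
FIXED = {
    "LoadBalancerName": "Pcf-Http-Elb",
    "HealthCheck": {"Target": "HTTP:8080/health"},  # assumed health endpoint
    "ListenerDescriptions": [{"Listener": {
        "Protocol": "SSL", "LoadBalancerPort": 443,
        "InstanceProtocol": "SSL", "InstancePort": 443}}],
}

if __name__ == "__main__":
    for elb in (BROKEN, FIXED):
        for finding in audit_elb(elb, routing_disable_http=True):
            print(finding)
```
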