TLS Support for Route Registrar

[cweibel]

Is there any plans to support tls for the route registrared endpoints?

I attempted to configure the autoscaler api to route_registrar using tls_port and specifying the ca_cert, server_cert and server_key (see https://gist.github.com/cweibel/f222664f3c7aabddc5e95242285b3e3e for a stub of the ops file I was using). That failed with SSL Certificate Required errors.

On a hunch, I retrieved the user/pass for the eventgenerator health endpoints from credhub. I was able to

curl http://user:[email protected]_system_domain/health

And get a 200 back.

When I configured route_registrar for this health endpoint to use tls_port, ca_cert, server_cert and server_key with:

#eventgenerator (health 6205)
- type: replace
  path: /instance_groups/name=eventgenerator/jobs/name=eventgenerator/properties/autoscaler/eventgenerator/health/ca_cert?
  value: ((app_autoscaler_ca_cert.ca))  
- type: replace
  path: /instance_groups/name=eventgenerator/jobs/name=eventgenerator/properties/autoscaler/eventgenerator/health/server_cert?
  value: ((eventgenerator_server_rr_cert.certificate))
- type: replace
  path: /instance_groups/name=eventgenerator/jobs/name=eventgenerator/properties/autoscaler/eventgenerator/health/server_key?
  value: ((eventgenerator_server_rr_cert.private_key))

- type: remove
  path: /instance_groups/name=eventgenerator/jobs/name=route_registrar/properties/route_registrar/routes/name=autoscaler_eventgenerator_health/port
- type: replace
  path: /instance_groups/name=eventgenerator/jobs/name=route_registrar/properties/route_registrar/routes/name=autoscaler_eventgenerator_health/tls_port?
  value: 6205
- type: replace
  path: /instance_groups/name=eventgenerator/jobs/name=route_registrar/properties/route_registrar/routes/name=autoscaler_eventgenerator_health/timeout?
  value: 10s
- type: replace
  path: /instance_groups/name=eventgenerator/jobs/name=route_registrar/properties/route_registrar/routes/name=autoscaler_eventgenerator_health/server_cert_domain_san?
  value: app-autoscaler.eventgenerator.service.cf.internal

and deploy, this time when I curl:

curl -k https://user:[email protected]_system_domain/health

I get back:

496 SSL Certificate Required

Upon digging into the commit that added support for defining the ca_cert, server_cert and server_key (#2303) it appears that support was added for mTLS but not TLS like the routing release is expecting.

Am I missing something? To me it looks like configuring the tls_port for the route_register jobs doesn't work in autoscaler and I've heard that the routing team is moving towards only allowing TLS (https) route_register configurations at some point in the future.

[silvestre]

Ugh, sorry for the super-late reply, I just saw your question.

For this to work you need to use

• a ca-cert that is trusted by Gorouter. An ops file could add it via

  path: /instance_groups/name=router/jobs/name=gorouter/properties/router/ca_certs/-
  

• and a server_auth cert signed by it

Not sure if your eventgenerator_server_rr_cert is signed by app_autoscaler_ca_cert.ca, but if yes you try trusting it in GoRouter. But I would suggest creating a dedicated CA.

[cweibel]

Hoping to get back to this next sprint and spike this out, thank you!