diff --git a/docs/060-envoy-proxy-configuration.md b/docs/060-envoy-proxy-configuration.md
index 39f183dd01..aa1ff3218f 100644
--- a/docs/060-envoy-proxy-configuration.md
+++ b/docs/060-envoy-proxy-configuration.md
@@ -21,8 +21,6 @@ This document describes how to enable the per-container [Envoy proxy](https://gi
 ## Enabling Per-Container Envoy Proxy
-A deployment operator enables the Linux cell reps to run an Envoy proxy process for each container by setting the `containers.proxy.enabled` property on the `rep` job to `true`.
-
 [Instance Identity Credentials](https://docs.cloudfoundry.org/adminguide/instance-identity.html) must also be enabled on the Diego cell rep so that it can configure the Envoy proxy process with the required TLS configuration.
diff --git a/jobs/rep/spec b/jobs/rep/spec
index 9dc49f2066..3265c9961e 100644
--- a/jobs/rep/spec
+++ b/jobs/rep/spec
@@ -256,9 +256,6 @@ properties:
     description: "time in seconds between signalling a container to shutdown gracefully and stopping it forcefully. Should not be less than 10."
     default: 10
-  containers.proxy.enabled:
-    description: "Enable envoy proxy on garden containers. Requires valid TLS credentials in diego.executor.instance_identity_ca_cert and diego.executor.instance_identity_key."
-    default: false
   containers.proxy.additional_memory_allocation_mb:
     description: "Additional memory allocated to each container for the envoy proxy. This value must not be negative"
     default: 32
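Review bot: Deleting `containers.proxy.enabled` from the spec (here and in the matching jobs/rep_windows/spec hunk) gives operators who explicitly pinned it to `false` no signal that the proxy is now always on; as far as I know BOSH does not reject manifest properties the spec no longer declares, so such manifests keep rendering and the behaviour change is silent. The docs hunk in the same commit only removes the sentence about the property without saying what replaces it. Consider a replacement sentence in docs/060-envoy-proxy-configuration.md such as `The per-container Envoy proxy is now always enabled on Linux cells; the former containers.proxy.enabled property has been removed and is ignored if still set.`, plus a release-note entry, so the migration is discoverable.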
@@ -268,7 +265,7 @@ properties:
   containers.proxy.require_and_verify_client_certificates:
     default: false
-    description: "whether the per-container proxy should require and verify a TLS certificate from a client connecting to one of its ingress listeners. Proxy will trust the set of CA certificates supplied in the containers.proxy.trusted_ca_certificates property. Requires containers.proxy.enabled to be set to true to enable."
+    description: "whether the per-container proxy should require and verify a TLS certificate from a client connecting to one of its ingress listeners. Proxy will trust the set of CA certificates supplied in the containers.proxy.trusted_ca_certificates property."
   containers.proxy.trusted_ca_certificates:
     default: []
@@ -299,7 +296,7 @@ properties:
   containers.proxy.enable_unproxied_port_mappings:
     default: true
-    description: "EXPERIMENTAL: whether the cell should still map host ports directly to the unproxied container ports. Setting to false requires containers.proxy.enabled to be set to true."
+    description: "EXPERIMENTAL: whether the cell should still map host ports directly to the unproxied container ports."
   containers.trusted_ca_certificates:
     description: "List of PEM-encoded CA certificates to make available inside containers in a conventional location. List entries may be individual or concatenated CAs."
diff --git a/jobs/rep/templates/rep.json.erb b/jobs/rep/templates/rep.json.erb
index 099c094da5..af9b7df1cc 100644
--- a/jobs/rep/templates/rep.json.erb
+++ b/jobs/rep/templates/rep.json.erb
@@ -59,7 +59,7 @@
     disk_mb: p("diego.executor.disk_capacity_mb").to_s,
     declarative_healthcheck_path: "/var/vcap/packages/healthcheck",
     enable_healthcheck_metrics: p("enable_healthcheck_metrics"),
-    enable_container_proxy: p("containers.proxy.enabled"),
+    enable_container_proxy: "true",
     container_proxy_require_and_verify_client_certs: p("containers.proxy.require_and_verify_client_certificates"),
     container_proxy_trusted_ca_certs: p("containers.proxy.trusted_ca_certificates"),
     container_proxy_verify_subject_alt_name: p("containers.proxy.verify_subject_alt_name"),
@@ -188,15 +188,11 @@
   config[:bbs_address] = "https://#{p("diego.rep.bbs.api_location")}"
-  if config[:enable_container_proxy]
-    begin
+  begin
     p("diego.executor.instance_identity_ca_cert")
     p("diego.executor.instance_identity_key")
-    rescue
-      raise '"when containers.proxy.enabled is true, diego.executor.instance_identity_ca_cert" and "diego.executor.instance_identity_key" must both be set'
-    end
-  elsif !p("containers.proxy.enable_unproxied_port_mappings")
-    raise 'containers.proxy.enabled must be set to true in order to disable the unproxied port mappings'
+  rescue
+    raise '"diego.executor.instance_identity_ca_cert" and "diego.executor.instance_identity_key" must both be set'
   end
   if config[:container_proxy_require_and_verify_client_certs]
@@ -206,10 +202,8 @@
     end
   end
-  if_p("diego.executor.instance_identity_ca_cert",
-       "diego.executor.instance_identity_key",
-       "diego.executor.instance_identity_validity_period_in_hours") do |cert, key, validity_period|
-    if !(cert.empty? || key.empty? || validity_period < 1)
+  if_p("diego.executor.instance_identity_validity_period_in_hours") do |validity_period|
+    if !(validity_period < 1)
       config[:instance_identity_ca_path] = "#{conf_dir}/certs/rep/instance_identity.crt"
       config[:instance_identity_private_key_path] = "#{conf_dir}/certs/rep/instance_identity.key"
       config[:instance_identity_cred_dir] = instance_identity_dir
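Review bot: `enable_container_proxy: "true"` in the @@ -59 hunk is a Ruby string, whereas `p("containers.proxy.enabled")` yielded a boolean, so the rendered JSON field changes type from `true` to `"true"`; if the rep decodes that field into a bool, the string will fail to unmarshal, and even if it is tolerated the type change is an accidental API wobble. Use the literal `enable_container_proxy: true,` to keep the field a JSON boolean. The identical line appears in the jobs/rep_windows/templates/rep.json.erb @@ -59 hunk.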
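Review bot: The new `if_p` block in the @@ -206 hunk drops the `cert.empty? || key.empty?` guard, and the `begin`/`rescue` in the @@ -188 hunk only catches properties that are entirely unset (that is what makes `p()` raise, as the old error text also assumed), so a manifest that sets `diego.executor.instance_identity_ca_cert` or `diego.executor.instance_identity_key` to an empty string now gets instance identity paths configured against empty credentials instead of either skipping them or failing loudly. An explicit emptiness check after the `begin`/`end` restores the old contract: `raise '"diego.executor.instance_identity_ca_cert" and "diego.executor.instance_identity_key" must both be set' if p("diego.executor.instance_identity_ca_cert").empty? || p("diego.executor.instance_identity_key").empty?`. The bare `rescue` also discards the original exception, so the message cannot say which of the two properties is missing; re-raising with the original message appended would help operators. The same two hunks appear in jobs/rep_windows/templates/rep.json.erb.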
diff --git a/jobs/rep/templates/setup_mounted_data_dirs.erb b/jobs/rep/templates/setup_mounted_data_dirs.erb
index 33030c8353..f359b4544d 100644
--- a/jobs/rep/templates/setup_mounted_data_dirs.erb
+++ b/jobs/rep/templates/setup_mounted_data_dirs.erb
@@ -72,7 +72,5 @@ rm -rf "$trusted_certs_dir"
 proxy_config_dir=${garden_shared_dir}/proxy_config
 rm -rf "$proxy_config_dir"
-<% if p("containers.proxy.enabled") %>
-  mkdir -p "$proxy_config_dir"
-  chown -R vcap:vcap "$proxy_config_dir"
-<% end %>
+mkdir -p "$proxy_config_dir"
+chown -R vcap:vcap "$proxy_config_dir"
diff --git a/jobs/rep_windows/spec b/jobs/rep_windows/spec
index d84d1c5849..b7d21de96b 100644
--- a/jobs/rep_windows/spec
+++ b/jobs/rep_windows/spec
@@ -264,9 +264,6 @@ properties:
     description: "time in seconds between signalling a container to shutdown gracefully and stopping it forcefully. Should not be less than 10."
     default: 10
-  containers.proxy.enabled:
-    description: "EXPERIMENTAL: Enable envoy proxy on garden containers. Currently doesn't work on windows cells but left here for compatability with the linux Rep"
-    default: false
   containers.proxy.additional_memory_allocation_mb:
     description: "EXPERIMENTAL: Additional memory allocated to each container for the envoy proxy. This must not be negative. Currently doesn't work on windows cells but left here for compatability with the linux Rep"
     default: 32
@@ -276,7 +273,7 @@ properties:
   containers.proxy.require_and_verify_client_certificates:
     default: false
-    description: "whether the per-container proxy should require and verify a TLS certificate from a client connecting to one of its ingress listeners. Proxy will trust the set of CA certificates supplied in the containers.proxy.trusted_ca_certificates property. Requires containers.proxy.enabled to be set to true to enable."
+    description: "whether the per-container proxy should require and verify a TLS certificate from a client connecting to one of its ingress listeners. Proxy will trust the set of CA certificates supplied in the containers.proxy.trusted_ca_certificates property.
   containers.proxy.trusted_ca_certificates:
     default: []
@@ -307,7 +304,7 @@ properties:
   containers.proxy.enable_unproxied_port_mappings:
     default: true
-    description: "EXPERIMENTAL: whether the cell should still map host ports directly to the unproxied container ports. Setting to false requires containers.proxy.enabled to be set to true."
+    description: "EXPERIMENTAL: whether the cell should still map host ports directly to the unproxied container ports.
   containers.trusted_ca_certificates:
     description: "List of PEM-encoded CA certificates to make available inside containers in a conventional location. List entries may be individual or concatenated CAs."
diff --git a/jobs/rep_windows/templates/rep.json.erb b/jobs/rep_windows/templates/rep.json.erb
index 86450f7c5a..4619815319 100644
--- a/jobs/rep_windows/templates/rep.json.erb
+++ b/jobs/rep_windows/templates/rep.json.erb
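Review bot: Both new `description:` values in this file (the @@ -276 and @@ -307 hunks) lose the closing `"` that the removed lines had and that the parallel jobs/rep/spec hunks keep: the new scalars end at `property.` and `container ports.` with no terminating quote. In YAML an unterminated double-quoted scalar continues onto the following lines, so this spec most likely fails to parse, or at best swallows the next property key into the description text. Restore the quotes so the lines end `... containers.proxy.trusted_ca_certificates property."` and `... the unproxied container ports."`.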
@@ -59,7 +59,7 @@
     disk_mb: p("diego.executor.disk_capacity_mb").to_s,
     declarative_healthcheck_path: p("declarative_healthcheck_path"),
     enable_healthcheck_metrics: p("enable_healthcheck_metrics"),
-    enable_container_proxy: p("containers.proxy.enabled"),
+    enable_container_proxy: "true",
     container_proxy_require_and_verify_client_certs: p("containers.proxy.require_and_verify_client_certificates"),
     container_proxy_trusted_ca_certs: p("containers.proxy.trusted_ca_certificates"),
     container_proxy_verify_subject_alt_name: p("containers.proxy.verify_subject_alt_name"),
@@ -188,15 +188,11 @@
   config[:bbs_address] = "https://#{p("diego.rep.bbs.api_location")}"
-  if config[:enable_container_proxy]
-    begin
+  begin
     p("diego.executor.instance_identity_ca_cert")
     p("diego.executor.instance_identity_key")
-    rescue
-      raise '"when containers.proxy.enabled is true, diego.executor.instance_identity_ca_cert" and "diego.executor.instance_identity_key" must both be set'
-    end
-  elsif !p("containers.proxy.enable_unproxied_port_mappings")
-    raise 'containers.proxy.enabled must be set to true in order to disable the unproxied port mappings'
+  rescue
+    raise '"diego.executor.instance_identity_ca_cert" and "diego.executor.instance_identity_key" must both be set'
   end
   if config[:container_proxy_require_and_verify_client_certs]
@@ -206,10 +202,8 @@
     end
   end
-  if_p("diego.executor.instance_identity_ca_cert",
-       "diego.executor.instance_identity_key",
-       "diego.executor.instance_identity_validity_period_in_hours") do |cert, key, validity_period|
-    if !(cert.empty? || key.empty? || validity_period < 1)
+  if_p("diego.executor.instance_identity_validity_period_in_hours") do |validity_period|
+    if !(validity_period < 1)
       config[:instance_identity_ca_path] = "#{conf_dir}/certs/rep/instance_identity.crt"
       config[:instance_identity_private_key_path] = "#{conf_dir}/certs/rep/instance_identity.key"
       config[:instance_identity_cred_dir] = instance_identity_dir
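Review bot: The Windows template now unconditionally requires `diego.executor.instance_identity_ca_cert` and `diego.executor.instance_identity_key` (the @@ -188 hunk), while the `containers.proxy.*` descriptions in jobs/rep_windows/spec still state that the proxy does not work on Windows cells; a rep_windows deployment without instance identity credentials, which previously rendered with the proxy disabled, now fails at template render time. If the proxy is genuinely unsupported on Windows, this check should not be mandatory there; if the intent is that instance identity is now required on Windows cells too, the spec descriptions and docs should say so explicitly. The `enable_container_proxy: "true"` string-vs-boolean change and the dropped `cert.empty? || key.empty?` guard in this file are the same as in jobs/rep/templates/rep.json.erb and should be fixed in both places together.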