Skip to content

Latest commit

 

History

History
93 lines (64 loc) · 2.93 KB

README.md

File metadata and controls

93 lines (64 loc) · 2.93 KB

Træfik BOSH Release

This BOSH release deploys a Træfik reverse-proxy.

Træefik is a modern and dynamic reverse-proxy, that is well known for implementing on-demand Let's Encrypt certificates.

So the main use-case for this BOSH Release is to deploy Træfik in front of your Cloud Foundry routers. This enable all your Cloud Foundry applications to benefit from valid HTTPS certificates with absolutely no fuss. They are provisioned on the fly, when the first web request is made. See the main deployment manifest and related operations files for Cloud Foundry integration.

What is BOSH?

For those who don't know, BOSH is Borg++, where Google Borg is a large-scale cluster management tool. Borg is a proprietary tool by Google, whereas BOSH is Open Source.

For an introduction about what is BOSH, go watch this talk given by Benjamin Gandon from Gstack and then go read the Ultimate Guide to BOSH in order to lean more.

Usage

Here is a very basic way of using this BOSH Release. You'll need to properly target a previously-installed BOSH Director.

export BOSH_ENVIRONMENT=<alias>
export BOSH_DEPLOYMENT=traefik

git clone https://github.com/gstackio/traefik-boshrelease.git
cd traefik-boshrelease

mkdir tmp
> tmp/depl-creds.yml
chmod 600 tmp/depl-creds.yml

bosh deploy deployment/traefik-deployment.yml --vars-store tmp/depl-creds.yml

For more details and possible variants, go read the documentation in the deployment sub-directory.

An example for a Træfik deployment that is integrated to Cloud Foundry is available in the Easy Foundry distribution.

Caveat

When deployed in front of a Cloud Foundry installation, any attacker can forge any DNS, run an HTTPS request on Traefik, and trigger a certificate generation. When Let's Encrypt quotas are exceeded and a vertificate needs re-generating, this may lead to deny-of-Service.

This is due to Traefik not being aware of the existing routes in Cloud Foundry. Indeed Traefik should not generate any certificate for non-existing routes, and just serve a 502 response using the default certificate.

Contributing

Please feel free to submit issues and pull requests.

See the CONTRIBUTING docs for more details.

Author and License

Copyright © 2018-present, Benjamin Gandon, Gstack

Like the rest of BOSH, the Træfik BOSH release is released under the terms of the Apache 2.0 license.