securing-traffic should include internal TLS and Envoy

[pburkholder]

securing-traffic.html.md.erb is wrong/outdated since it doesn’t account for Envoy.

The guidance provided at https://gist.github.com/nikhilsuvarna/bd0aa0ef01880270c13d145c61a4af22 should be incorporated to correctly show how TLS is established between the GoRouter and AppContainer.

That is, The CF guide shows:

and:

but not anything like the current state with TLS to the container:

My knowledge of CF isn't enough to determine how much of the current document needs to be deleted as obsolete vs. just adding new content, so I'll start with an issue instead of a PR.

[cf-gitbot]

We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story.

The labels on this github issue will be updated when the story is started.

[pburkholder]

cc: @nikhilsuvarna

[Scoobed]

It would nice this was fixed as the using the GIST to explain it is not normally the best. But that gist really explains it well

[anita-flegg]

@pburkholder , please get this change vetted by the experts in the CF slack channel. I will be happy to update the docs if they agree that it is applicable. Thanks :)

[anita-flegg]

@ameowlia , would you review this please? I would like to make this improvement in the docs, but it looks like we need some expert input first :)

[ameowlia]

@pburkholder is 100% right, these docs are quite outdated. Currently the only two options for configuring this traffic is:

1. Gorouter establishes a tls connection with the app's sidecar envoy
2. Gorouter establishes a mtls connection with the app's sidecar envoy

These have been the only two options for many years. We should update the docs to reflect as much.

@anita-flegg let me know how you want to move forward on this. If you want to do the first round of edits or if you want my team to.

[anita-flegg]

Thanks @ameowlia, I will give it a try, and ask for input as needed :)

[anita-flegg]

Hi @ameowlia , I removed all mention of the 3 termination options and added in the Envoy details.
I made a branch for it -- envoy: https://github.com/cloudfoundry/docs-cf-admin/blob/envoy/securing-traffic.html.md.erb
I think more stuff has to be removed or changed, but I didn't want to remove anything I was unsure about.
I also don't know how far back we want to go with the TLS versions.

Please review it and let me know if you need changes. I can do them, or your people can -- whatever is easier.