Skip to content

Add enable-identity-aware-routing ops-file (RFC0055)#1353

Open
rkoster wants to merge 7 commits into
developfrom
add-identity-aware-routing
Open

Add enable-identity-aware-routing ops-file (RFC0055)#1353
rkoster wants to merge 7 commits into
developfrom
add-identity-aware-routing

Conversation

@rkoster

@rkoster rkoster commented Jun 19, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Summary

Adds ops-files to enable RFC0055 app-to-app mTLS routing via *.apps.identity.

Files added

File Purpose
operations/enable-identity-aware-routing.yml Main ops-file (cflinuxfs4 + rep)
operations/enable-identity-aware-routing-cflinuxfs5.yml cflinuxfs5 trust companion
operations/use-operator-provided-identity-routing-domain.yml Domain-override companion
operations/example-vars-files/vars-use-operator-provided-identity-routing-domain.yml Example vars

What the main ops-file does

  1. Adds BOSH DNS alias _.apps.identity → router instance group
  2. Configures gorouter with a new mTLS domain *.apps.identity — client certs are verified against the existing diego_instance_identity_ca, X-Forwarded-Client-Cert is forwarded in Envoy format
  3. Adds SNI TLS cert for *.apps.identity on the router (new apps_identity_ca + apps_identity_router_tls BOSH variables)
  4. Injects apps_identity_ca as a trusted cert in cflinuxfs4 app containers and Diego rep

Usage

# Standard (hardcoded *.apps.identity domain)
bosh -d cf deploy cf-deployment.yml \
  -o operations/enable-identity-aware-routing.yml

# With cflinuxfs5 (apply add-cflinuxfs5.yml first)
bosh -d cf deploy cf-deployment.yml \
  -o operations/experimental/add-cflinuxfs5.yml \
  -o operations/enable-identity-aware-routing.yml \
  -o operations/enable-identity-aware-routing-cflinuxfs5.yml

# Custom domain
bosh -d cf deploy cf-deployment.yml \
  -o operations/enable-identity-aware-routing.yml \
  -o operations/use-operator-provided-identity-routing-domain.yml \
  -v identity_routing_domain=apps.mycompany.internal

Reference

@ard-wg-gitbot

ard-wg-gitbot commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

Hello friend, it looks like your pull request has failed one or more of our checks. Please take a look! 👀

@rkoster rkoster mentioned this pull request Jun 19, 2026
Open
7 tasks
@rkoster rkoster changed the base branch from main to develop June 19, 2026 13:36
jochenehret
jochenehret requested changes Jun 22, 2026
View reviewed changes

@jochenehret jochenehret left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These new ops files must be unit-tested:
https://github.com/cloudfoundry/cf-deployment/blob/main/units/tests/standard_test/operations.yml

Questions:

  1. Should this feature be enabled in one of the cf-deployment validation environments?
  2. Are there integration tests planned for CATs? Or are there already tests in the routing test suite?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jochenehret jochenehret jochenehret requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@rkoster @ard-wg-gitbot @jochenehret