| Item | Link |
|---|---|
| Tracking Issue | cloudfoundry/community#1481 |
| RFC | cloudfoundry/community#1438 |
| routing-release | cloudfoundry/routing-release#535 |
| cloud_controller_ng | cloudfoundry/cloud_controller_ng#4910 |
Ruben Koster rkoster
rkoster
/ rfc0055-acceptance-testing.md
Created
May 6, 2026 09:24
RFC0055: App-to-App mTLS Routing — Acceptance Testing Guide
A simple Go application to test X-Forwarded-Client-Cert (XFCC) header format in Cloud Foundry environments with mTLS app-to-app routing.
This tool verifies that GoRouter correctly implements the Envoy XFCC format when routing requests over mTLS domains. It checks whether the XFCC header contains:
- ✅ Envoy format:
Hash=<hash>;Subject="<subject>";URI=<uri> - ❌ Raw PEM certificate (bug):
Cert="-----BEGIN CERTIFICATE-----\n..."
rkoster
/ api-design-alternatives.md
Last active
April 14, 2026 11:35
RFC #1438: L7 Route Access Policies — API Design Alternatives (TOC 2026-04-14)
Context for TOC discussion (2026-04-14). The Identity-Aware Routing RFC introduces L7 route-level access policies ("access rules") that control which apps can reach a route through GoRouter using mTLS identity. This document compares two placement options for the external CRUD API that manages these access rules.
Cloud Controller, the policy-server, and the routing-api are separate processes colocated on the api instance group. GoRouter routes requests to the correct backend using path-based prefix matching on api.<system_domain>. The current cf-deployment registers three overlapping prefixes:
rkoster
/ rfc-draft-domain-scoped-mtls-gorouter.md
Last active
March 31, 2026 07:51
RFC: Domain-Scoped mTLS for GoRouter (with Access Policy API)
- Name: Domain-Scoped mTLS for GoRouter
- Start Date: 2026-02-16
- Author(s): @rkoster, @beyhan, @maxmoehl
- Status: Draft
- RFC Pull Request: community#1438
rkoster
/ rfc-draft-domain-scoped-mtls-gorouter-v2.md
Created
March 25, 2026 13:05
RFC: Domain-Scoped mTLS for GoRouter (Revised with Access Policy API)
- Name: Domain-Scoped mTLS for GoRouter
- Start Date: 2026-02-16
- Author(s): @rkoster, @beyhan, @maxmoehl
- Status: Draft
- RFC Pull Request: community#1438
Cloud Foundry's RFC for Domain-Scoped mTLS on GoRouter proposes scope-based authorization that uses GoRouter's existing route-emitter tags (organization_id, space_id) to enforce "same org/space" boundary checks at the domain level. This experiment verifies that the tags carry the correct information when routes are shared across spaces.
When a route is shared from Space A to Space B (and both spaces have apps mapped to it), do the GoRouter route table tags reflect:
- (a) The route owner's org/space (Space A for all endpoints), or
The operations/use-compiled-releases.yml file in cf-deployment references stemcell version 1.423 for all compiled releases, even though newer stemcells are available. This is due to how the CI pipeline is configured to only recompile all releases on major stemcell version bumps.
Both PRs address NVMe device discovery challenges but for different cloud providers with fundamentally different approaches.
| Aspect | PR #396 (AWS) | PR #402 (Azure) |
|---|---|---|
| URL | cloudfoundry/bosh-agent#396 | cloudfoundry/bosh-agent#402 |
| Cloud Provider | AWS | Azure |
- Name: Domain-Scoped mTLS for GoRouter
- Start Date: 2026-02-16
- Author(s): @rkoster, @beyhan, @maxmoehl
- Status: Draft
- RFC Pull Request: community#1438
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| use nix |
NewerOlder