Conversation
rkoster
force-pushed
the
rfc-app-to-app-mtls-routing
branch
from
bce2e1d to
5557aeb
Compare
|
I really like this proposal. Just to be sure: It would be still possible to have an One use-case would be in the |
Enable authenticated and authorized app-to-app communication via GoRouter using mutual TLS (mTLS). Applications connect to a shared internal domain (apps.mtls.internal), where GoRouter validates client certificates and enforces per-route access control using a default-deny model. Key features: - Phase 1a: Domain-specific mTLS in GoRouter (validates instance identity) - Phase 1b: Authorization enforcement via allowed_sources route option - Phase 2 (optional): Egress HTTP proxy for simplified client adoption Depends on RFC-0027 (Generic Per-Route Features) for route options support.
rkoster
force-pushed
the
rfc-app-to-app-mtls-routing
branch
from
5557aeb to
8f3900a
Compare
@silvestre I have update the RFC with: |
|
This idea is really interesting but will be possible to have communication to app containers on different ports or different protocol than http? |
Give credit to Beyhan and Max for the initial work on this RFC
This RFC currently focuses on HTTP traffic via GoRouter, but non-HTTP protocol support is an interesting future direction. Current constraints:
What would be needed for non-HTTP support:
For now, this is out of scope to keep the RFC focused and achievable. But feel free to create a follow up RFC for Non-HTTP use cases. |
| - `any: true` is mutually exclusive with `apps`, `spaces`, and `orgs` | ||
| - If `any` is not set, at least one of `apps`, `spaces`, or `orgs` must be specified (default-deny) | ||
|
|
||
| This builds on the route options framework from [RFC-0027: Generic Per-Route Features](rfc-0027-generic-per-route-features.md). Phase 1b depends on RFC-0027 being implemented first. |
There was a problem hiding this comment.
We need to be careful with what we add to the per-route features. Each and every option we set in there will be transmitted via the NATS bus every 20s (unless adjusted by the operator) from each app instance to each gorouter instance. Even a slight increase in message size can have quite noticeable effects on the overall bandwidth consumption.
One of the thoughts we had, is to only allow very simple rules. Specifically allow from instances of the same app, from all apps within a space, from all apps within an org. This could be a simple enum option allowed_scope: app / space / org (name is just for illustration purposes) which would keep the size within a predictable scope.
If we go for a more flexible option we must introduce strict limits on the number of bytes each user is allowed to add to each route.
| - Only CF applications can connect (mTLS with instance identity) | ||
| - Traffic stays internal (no load balancer round-trip) | ||
| - The platform enforces which apps can call which routes | ||
| - Standard GoRouter features work (load balancing, retries, observability) |
There was a problem hiding this comment.
Especially for larger deployments it can be beneficial to have a TCP load balancer in front of gorouter to guarantee a reliable load balancing across gorouter instances as DNS load balancing is always at the mercy of a good client-side implementation.
I don't see why this wouldn't be possible with the proposed design, just wanted to mention it.
5 participants
Summary
This RFC proposes enabling authenticated and authorized app-to-app communication via GoRouter using mutual TLS (mTLS).
View the full RFC
Applications connect to a shared internal domain (
apps.mtls.internal), where GoRouter:allowed_sourcesKey Points
allowed_sourcesapps.mtls.internalis a separate domain tree, avoiding conflicts with existingapps.internalroutesallowed_sourcessupportImplementation Phases
allowed_sources(co-requisite with 1a)cc @cloudfoundry/toc @cloudfoundry/wg-app-runtime-interfaces