diff --git a/cf-deployment/deploy-cf.html.md.erb b/cf-deployment/deploy-cf.html.md.erb index 9c48c31..40df78e 100644 --- a/cf-deployment/deploy-cf.html.md.erb +++ b/cf-deployment/deploy-cf.html.md.erb @@ -41,6 +41,8 @@ To deploy Windows Diego Cells, use the [windows2019-cell.yml](https://github.com See the [Ops Files](https://github.com/cloudfoundry/cf-deployment#ops-files) section of the `cf-deployment` repository README for a description of all available ops files. +To require mutual TLS and enable identity-aware routing on a domain, use the [enable-identity-aware-routing.yml](https://github.com/cloudfoundry/cf-deployment/blob/master/operations/enable-identity-aware-routing.yml) ops file. For full setup instructions, see [Enabling identity-aware routing](enable-identity-aware-routing.html). + ## Step 3: Determine Variables `cf-deployment` requires additional information to provide environment-specific or sensitive configuration. diff --git a/cf-deployment/enable-identity-aware-routing.html.md.erb b/cf-deployment/enable-identity-aware-routing.html.md.erb new file mode 100644 index 0000000..1a57f05 --- /dev/null +++ b/cf-deployment/enable-identity-aware-routing.html.md.erb @@ -0,0 +1,290 @@ +--- +title: Enabling identity-aware routing +owner: CF for VMs Networking +--- + +This topic describes how an operator enables identity-aware routing—per-domain +mutual TLS (mTLS) for the Gorouter—on a `cf-deployment`-based foundation by +applying the `enable-identity-aware-routing.yml` ops file. + +For an overview of how identity-aware routing works, see +Identity-aware routing. + +

After you deploy, you must register the identity-aware domain in +<%= vars.app_runtime_abbr %> with cf create-shared-domain … --enforce-route-policies +(see Register the domain). Developers then map routes +on that domain and manage route policies.

+ +## Overview + +Identity-aware routing lets the Gorouter require and verify a caller's +client certificate on a designated domain, so that app-to-app HTTP traffic is +authenticated with mutual TLS. On a `cf-deployment` foundation you enable it by +applying a single ops file, which configures the Gorouter, generates the required +certificates, and establishes trust between the Gorouter and app containers. + +This topic includes the following sections: + +* [Prerequisites](#prerequisites) +* [Apply the ops file](#apply) +* [What the ops file configures](#what-it-configures) +* [Certificates and certificate authorities](#certificates) +* [The router.domains BOSH property](#router-domains) +* [Trusting the CA in cflinuxfs5](#cflinuxfs5) +* [Use an operator-provided domain](#custom-domain) +* [Register the domain](#register-domain) +* [Related reading](#related-reading) + +## Prerequisites + +Before you enable identity-aware routing, ensure the following: + +* You have a working `cf-deployment` foundation deployed with BOSH. See +Deploying Cloud Foundry. + +* Diego instance identity is enabled. This is the default in `cf-deployment`. The +ops file reuses the existing `diego_instance_identity_ca` to validate caller +certificates. + +* BOSH DNS is in use. This is the default in `cf-deployment`. The ops file adds a +BOSH DNS alias for the identity-aware domain. + +* You have admin access to register the domain in <%= vars.app_runtime_abbr %> +after deploying. + +## Apply the ops file + +Apply `enable-identity-aware-routing.yml` during your `bosh deploy`, the same way +as any other `cf-deployment` ops file: + +
+$ bosh -e YOUR-ENV -d cf deploy cf-deployment/cf-deployment.yml \
+  -o cf-deployment/operations/enable-identity-aware-routing.yml \
+  --vars-store deployment-vars.yml \
+  -v system_domain=YOUR-SYSTEM-DOMAIN
+
+ +The ops file generates new credentials into your vars-store on deploy, so no manual +certificate creation is required for the default `*.apps.identity` domain. For more +information, see [Certificates and certificate authorities](#certificates). + +Two companion ops files extend this configuration: + +* To trust the generated CA on the cflinuxfs5 stack, see +[Trusting the CA in cflinuxfs5](#cflinuxfs5). + +* To use a domain other than `*.apps.identity`, see +[Use an operator-provided domain](#custom-domain). + +You can view the ops file in the `cf-deployment` repository: +[enable-identity-aware-routing.yml](https://github.com/cloudfoundry/cf-deployment/blob/master/operations/enable-identity-aware-routing.yml). + +## What the ops file configures + +The ops file applies the following changes to your deployment manifest: + + + + + + + + + + + + + + + + + + + + + + +
ConfiguresDetails
BOSH DNS aliasResolves the *.apps.identity wildcard to the Gorouter instances +(alias label _.apps.identity, the BOSH DNS wildcard form).
Gorouter router.domainsAdds *.apps.identity as an mTLS domain that validates caller +certificates against diego_instance_identity_ca, with forwarding mode +sanitize_set and XFCC format envoy.
Gorouter server (SNI) certificateAppends a *.apps.identity server certificate to +router.tls_pem (variable apps_identity_router_tls), served +through SNI.
CA trustInjects apps_identity_ca into the cflinuxfs4 rootfs trust store and +the Diego rep, so app containers trust the Gorouter's server certificate +on the domain.
+ +The certificate and CA relationships are explained in +[Certificates and certificate authorities](#certificates), and the per-domain +property fields in [The router.domains BOSH property](#router-domains). + +## Certificates and certificate authorities + +Identity-aware routing uses two certificate authorities: one to authenticate the +caller to the Gorouter, and one to authenticate the Gorouter back to the caller. + + + + + + + + + + + + + + + + + + +
Certificate / CARole
diego_instance_identity_ca (existing)Validates the caller's client certificate at the Gorouter. The ops file sets it +as the domain's ca_certs. This CA already exists in <%= vars.app_runtime_abbr %>; +the ops file does not generate it.
apps_identity_ca (generated)Signs the Gorouter's server certificate for *.apps.identity. It is +trusted inside app containers and the Diego rep.
apps_identity_router_tls (generated)The Gorouter's server (SNI) certificate and key for *.apps.identity, +signed by apps_identity_ca and appended to router.tls_pem.
+ +Together these establish mutual authentication in both directions: + +1. **Caller to Gorouter (client authentication):** the calling app presents its Diego +instance identity certificate, and the Gorouter validates it against +`diego_instance_identity_ca`. + +1. **Gorouter to caller (server authentication):** the Gorouter presents the +`apps_identity_router_tls` server certificate, and the calling app validates it +because `apps_identity_ca` is in its container trust store. + +

The ops file generates apps_identity_ca and +apps_identity_router_tls into the vars-store on deploy. Back up the +vars-store as you would for any other generated credential.

+ +## The router.domains BOSH property + +`router.domains` is the Gorouter BOSH property that the ops file populates. Each entry +in the array designates a domain that requires mutual TLS and configures how the +Gorouter handles the caller's certificate. + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescriptionValues (default)
nameThe domain to require mTLS on. The wildcard must be the leftmost label +(for example, *.apps.identity) and matches any single label; a +non-wildcard domain must match the request host exactly.Domain string
ca_certsPEM CA bundle used to validate caller (client) certificates on the domain.PEM
forwarded_client_certHow the Gorouter forwards the client certificate in the +X-Forwarded-Client-Cert (XFCC) header.always_forward (default), forward, +sanitize_set
xfcc_formatFormat of the XFCC header: raw is the full base64-encoded +certificate (~1.5 KB); envoy is the compact +Hash=<sha256>;Subject="<DN>" format (~300 bytes).raw (default), envoy
+ +

A domain listed in router.domains always requires a valid +client certificate signed by the domain's configured CA, regardless of the global +router.client_cert_validation setting.

+ +For `*.apps.identity`, the ops file sets `forwarded_client_cert: sanitize_set` and +`xfcc_format: envoy`. Operators who add their own mTLS domains set these fields +directly. + +## Trusting the CA in cflinuxfs5 + +If your foundation uses the cflinuxfs5 stack, also apply +`enable-identity-aware-routing-cflinuxfs5.yml` so that apps on cflinuxfs5 trust the +Gorouter's `*.apps.identity` server certificate. This companion ops file injects +`apps_identity_ca` into the cflinuxfs5 rootfs trust store. + +Apply it after both the cflinuxfs5 stack ops file and the base +`enable-identity-aware-routing.yml`: + +
+$ bosh -e YOUR-ENV -d cf deploy cf-deployment/cf-deployment.yml \
+  -o cf-deployment/operations/experimental/add-cflinuxfs5.yml \
+  -o cf-deployment/operations/enable-identity-aware-routing.yml \
+  -o cf-deployment/operations/enable-identity-aware-routing-cflinuxfs5.yml \
+  --vars-store deployment-vars.yml
+
+ +

This ops file requires add-cflinuxfs5.yml to be +applied first. Applying it on a foundation without the cflinuxfs5 stack fails the +deploy by design, signaling that the stack ops file is missing.

+ +You can view the ops file in the `cf-deployment` repository: +[enable-identity-aware-routing-cflinuxfs5.yml](https://github.com/cloudfoundry/cf-deployment/blob/master/operations/enable-identity-aware-routing-cflinuxfs5.yml). + +## Use an operator-provided domain + +`*.apps.identity` is a convention, not a hard requirement. To use a different domain, +also apply `use-operator-provided-identity-routing-domain.yml` and supply the +`identity_routing_domain` variable: + +
+$ bosh -e YOUR-ENV -d cf deploy cf-deployment/cf-deployment.yml \
+  -o cf-deployment/operations/enable-identity-aware-routing.yml \
+  -o cf-deployment/operations/use-operator-provided-identity-routing-domain.yml \
+  -v identity_routing_domain=apps.example.com \
+  --vars-store deployment-vars.yml
+
+ +This override applies to the BOSH DNS alias, the Gorouter domain name, and the +generated server certificate's common name and subject alternative name. The +`cf-deployment` repository ships an example vars file you can adapt: +`cf-deployment/operations/example-vars-files/vars-use-operator-provided-identity-routing-domain.yml`. + +Whatever domain you choose, you register that same domain in +<%= vars.app_runtime_abbr %> in the next section. + +## Register the domain in <%= vars.app_runtime_abbr %> + +After the deploy succeeds, register the identity-aware domain in +<%= vars.app_runtime_abbr %> so that developers can map routes and add policies on it. +The domain name must match the one configured in the ops file (`apps.identity` by +default): + +
+$ cf create-shared-domain apps.identity --enforce-route-policies
+
+ +The `--enforce-route-policies` flag turns on default-deny route-policy enforcement for +the domain and is immutable once set. You can optionally add `--scope (any|org|space)` +to narrow who may be named as a policy source; `--scope` is valid only together with +`--enforce-route-policies`. + +Once the domain exists, developers map routes on it and manage route policies. See +Configuring identity-aware routing. + +## Related reading + +* Identity-aware routing—how +identity-aware routing works. + +* Configuring identity-aware routing—the +developer how-to for mapping routes and managing route policies. + +* Deploying Cloud Foundry. + +* The `cf-deployment` ops files: +[operations](https://github.com/cloudfoundry/cf-deployment/tree/master/operations). + +* RFC-0055: +[Identity-Aware Routing for Gorouter](https://github.com/cloudfoundry/community/blob/main/toc/rfc/rfc-0055-identity-aware-routing-for-gorouter.md).