When investigating suspicious files on Cloud Foundry Diego cells (compute nodes), you may encounter files in the download cache directory (/var/vcap/data/rep/shared/garden/download_cache/) with cryptic filenames like:
14a739ab8e326514832ea14273ca4410-1781206925504478185-56
Context: PR cloudfoundry/java-buildpack-client-certificate-mapper#16 adds support for the Envoy XFCC key-value format including a XFCC_URI_ATTRIBUTE. The gorouter change emits Hash=<sha256>;Subject="<DN>" — no URI=. Question: does it make sense to add it?
Diego's createCertificateTemplate (executor/depot/containerstore/credmanager.go) generates the app identity certificate:
return &x509.Certificate{
| Item | Link |
|---|---|
| Tracking Issue | cloudfoundry/community#1481 |
| RFC | cloudfoundry/community#1438 |
| routing-release | cloudfoundry/routing-release#535 |
| cloud_controller_ng | cloudfoundry/cloud_controller_ng#4910 |
A simple Go application to test X-Forwarded-Client-Cert (XFCC) header format in Cloud Foundry environments with mTLS app-to-app routing.
This tool verifies that GoRouter correctly implements the Envoy XFCC format when routing requests over mTLS domains. It checks whether the XFCC header contains:
Hash=<hash>;Subject="<subject>";URI=<uri>Cert="-----BEGIN CERTIFICATE-----\n..."
Context for TOC discussion (2026-04-14). The Identity-Aware Routing RFC introduces L7 route-level access policies ("access rules") that control which apps can reach a route through GoRouter using mTLS identity. This document compares two placement options for the external CRUD API that manages these access rules.
Cloud Controller, the policy-server, and the routing-api are separate processes colocated on the api instance group. GoRouter routes requests to the correct backend using path-based prefix matching on api.<system_domain>. The current cf-deployment registers three overlapping prefixes:
Cloud Foundry's RFC for Domain-Scoped mTLS on GoRouter proposes scope-based authorization that uses GoRouter's existing route-emitter tags (organization_id, space_id) to enforce "same org/space" boundary checks at the domain level. This experiment verifies that the tags carry the correct information when routes are shared across spaces.
When a route is shared from Space A to Space B (and both spaces have apps mapped to it), do the GoRouter route table tags reflect:
The operations/use-compiled-releases.yml file in cf-deployment references stemcell version 1.423 for all compiled releases, even though newer stemcells are available. This is due to how the CI pipeline is configured to only recompile all releases on major stemcell version bumps.