Skip to content

Instantly share code, notes, and snippets.

View rkoster's full-sized avatar

Ruben Koster rkoster

88 followers · 127 following
  • Rabobank
  • Netherlands
View GitHub Profile
@rkoster
rkoster / README.md
Created April 22, 2026 14:07
Cloud Foundry XFCC Header Tester - Test X-Forwarded-Client-Cert format in CF mTLS environments

Cloud Foundry XFCC Header Tester

A simple Go application to test X-Forwarded-Client-Cert (XFCC) header format in Cloud Foundry environments with mTLS app-to-app routing.

Purpose

This tool verifies that GoRouter correctly implements the Envoy XFCC format when routing requests over mTLS domains. It checks whether the XFCC header contains:

  • Envoy format: Hash=<hash>;Subject="<subject>";URI=<uri>
  • Raw PEM certificate (bug): Cert="-----BEGIN CERTIFICATE-----\n..."
@rkoster
rkoster / api-design-alternatives.md
Last active April 14, 2026 11:35
RFC #1438: L7 Route Access Policies — API Design Alternatives (TOC 2026-04-14)

L7 Route Access Policies: API Design Alternatives

Context for TOC discussion (2026-04-14). The Identity-Aware Routing RFC introduces L7 route-level access policies ("access rules") that control which apps can reach a route through GoRouter using mTLS identity. This document compares two placement options for the external CRUD API that manages these access rules.

Background

Current Path-Based Routing on api.<system_domain>

Cloud Controller, the policy-server, and the routing-api are separate processes colocated on the api instance group. GoRouter routes requests to the correct backend using path-based prefix matching on api.<system_domain>. The current cf-deployment registers three overlapping prefixes:

@rkoster
rkoster / rfc-draft-domain-scoped-mtls-gorouter.md
Last active March 31, 2026 07:51
RFC: Domain-Scoped mTLS for GoRouter (with Access Policy API)

Meta

  • Name: Domain-Scoped mTLS for GoRouter
  • Start Date: 2026-02-16
  • Author(s): @rkoster, @beyhan, @maxmoehl
  • Status: Draft
  • RFC Pull Request: community#1438

Summary

@rkoster
rkoster / rfc-draft-domain-scoped-mtls-gorouter-v2.md
Created March 25, 2026 13:05
RFC: Domain-Scoped mTLS for GoRouter (Revised with Access Policy API)

Meta

  • Name: Domain-Scoped mTLS for GoRouter
  • Start Date: 2026-02-16
  • Author(s): @rkoster, @beyhan, @maxmoehl
  • Status: Draft
  • RFC Pull Request: community#1438

Summary

@rkoster
rkoster / README.md
Created March 20, 2026 11:14
Experiment: GoRouter route tags with shared routes (CF mTLS RFC)

Experiment: GoRouter Route Tags with Shared Routes

Context

Cloud Foundry's RFC for Domain-Scoped mTLS on GoRouter proposes scope-based authorization that uses GoRouter's existing route-emitter tags (organization_id, space_id) to enforce "same org/space" boundary checks at the domain level. This experiment verifies that the tags carry the correct information when routes are shared across spaces.

Question

When a route is shared from Space A to Space B (and both spaces have apps mapped to it), do the GoRouter route table tags reflect:

  • (a) The route owner's org/space (Space A for all endpoints), or
@rkoster
rkoster / README.md
Created March 11, 2026 14:10
Analysis: Why cf-deployment use-compiled-releases.yml is stuck on stemcell 1.423

Why use-compiled-releases.yml is Stuck on Stemcell 1.423

Summary

The operations/use-compiled-releases.yml file in cf-deployment references stemcell version 1.423 for all compiled releases, even though newer stemcells are available. This is due to how the CI pipeline is configured to only recompile all releases on major stemcell version bumps.

Root Cause

1. The update-stemcell-and-recompile-releases Job Only Triggers on Major Bumps

@rkoster
rkoster / README.md
Last active February 20, 2026 09:39
Comparison of bosh-agent PR #396 (AWS NVMe Instance Storage) vs PR #402 (Azure NVMe Support)

Comparison: bosh-agent PR #396 vs PR #402

Overview

Both PRs address NVMe device discovery challenges but for different cloud providers with fundamentally different approaches.

Aspect PR #396 (AWS) PR #402 (Azure)
URL cloudfoundry/bosh-agent#396 cloudfoundry/bosh-agent#402
Cloud Provider AWS Azure
@rkoster
rkoster / README.md
Last active March 12, 2026 09:15
Diego: Full mTLS for App-to-App Traffic - Current State and Implementation Plan

Meta

  • Name: Domain-Scoped mTLS for GoRouter
  • Start Date: 2026-02-16
  • Author(s): @rkoster, @beyhan, @maxmoehl
  • Status: Draft
  • RFC Pull Request: community#1438

Summary

@rkoster
rkoster / .envrc
Created November 6, 2020 18:59
Direnv nix config files for installing specific version on the fly cli when entering project dir.
use nix
@rkoster
rkoster / gist:f5cdab0c5955a149b9b5df669b3437c5
Last active September 15, 2020 13:15
Comparison between ixgbevf shipped with linux-aws and intel: https://sourceforge.net/projects/e1000/files/ixgbevf%20stable/
https://packages.ubuntu.com/xenial/linux-aws-source-4.4.0 ixgbevf 2.12.1-k
❯ diff ubuntu/linux-4.4/drivers/net/ethernet/intel/ixgbevf upstream/ixgbevf-2.12.1/src | wc -l
3424
❯ diff ubuntu/linux-4.4/drivers/net/ethernet/intel/ixgbevf upstream/ixgbevf-4.1.2/src | wc -l
3897
❯ diff ubuntu/linux-4.4/drivers/net/ethernet/intel/ixgbevf upstream/ixgbevf-4.6.3/src | wc -l
5348
❯ diff ubuntu/linux-4.4/drivers/net/ethernet/intel/ixgbevf upstream/ixgbevf-4.8.1/src | wc -l
5475