Ruben Koster rkoster

  • Rabobank
  • Netherlands
@rkoster
rkoster / rfc0055-acceptance-testing.md
Created May 6, 2026 09:24
RFC0055: App-to-App mTLS Routing — Acceptance Testing Guide
@rkoster
rkoster / README.md
Last active June 1, 2026 12:44
PoC: DNS-based domain blocking in Cloud Foundry using BOSH DNS handlers

DNS-Based Domain Blocking in Cloud Foundry

A proof-of-concept demonstrating that Cloud Foundry's existing BOSH DNS handler system can be used to block domains — no code changes required.

How it works

CF apps on Noble stemcells resolve DNS via:

@rkoster
rkoster / xfcc-uri-field-research.md
Created June 12, 2026 08:57
Research Note: XFCC URI= field and CF app cert identity

Research: Should gorouter Envoy XFCC format include URI= field?

Context: PR cloudfoundry/java-buildpack-client-certificate-mapper#16 adds support for the Envoy XFCC key-value format, including an XFCC_URI_ATTRIBUTE. The gorouter change emits Hash=<sha256>;Subject="<DN>" — no URI=. Question: does it make sense to add it?

Answer: No — CF app certs don't have URI SANs

Diego's createCertificateTemplate (executor/depot/containerstore/credmanager.go) generates the app identity certificate:

return &x509.Certificate{
@rkoster
rkoster / README.md
Created June 15, 2026 12:54
Cloud Foundry Diego Download Cache Forensics - Trace cached droplet files back to CF apps

Cloud Foundry Diego Download Cache Forensics

Overview

When investigating suspicious files on Cloud Foundry Diego cells (compute nodes), you may encounter files in the download cache directory (/var/vcap/data/rep/shared/garden/download_cache/) with cryptic filenames like:

14a739ab8e326514832ea14273ca4410-1781206925504478185-56