Proposal: Instance Identity Credentials in Cloud Foundry
Eric Malm <emalm@...>
The CF Diego team has a proposal for Cloud Foundry to generate and
distribute instance-specific credentials to application instances running
on the platform. These credentials will be in the form of an X.509
certificate-key pair suitable for use in TLS communication, and are
intended to encode the CF identity of each individual application instance
in the subject distinguished name in the certificate.
We envision this functionality to be generally useful as more and more
communication happens directly with containerized application instances.
For example, these platform-native credentials will allow application
instances and tasks to present their identity as a CF application to:
- external services that they access via TLS communication,
- clients that communicate with them via TLS traffic that they terminate
(say, via TCP routing),
- other application instances on an overlay network established by the CF
Container Networking project.
The credentials will be relatively short-lived, to limit the impact of
accidental disclosure to untrusted parties, and will be rotated regularly
within the container filesystem. On the host Diego cell, they will be
protected from unauthorized access via filesystem permissions and will be
stored only in system memory via tmpfs or a similar ephemeral filesystem.
We of course welcome input and feedback on the proposal via inline
commentary on the proposal document, especially with regard to potential
use cases for this proposed platform capability. We have already identified
one immediate use case for these credentials: application instances will be
able to use them to authenticate with the recently proposed CredHub
project to retrieve credentials for bound services after service brokers
store them in CredHub, thus maximizing the compartmentalization of
extremely sensitive service credentials within CF.
Some initial stages of work are planned in the Diego backlog in the
Eric Malm, CF Diego PM