I was quite excited when I found out about instance identity credentials (https://docs.cloudfoundry.org/devguide/deploy-apps/instance-identity.html):
Each app gets its own x509 keypair that can be used for mTLS - and it’s even rotated automatically! This looks like a powerful enabler for all kind of future mTLS scenarios.
However, it looked like this keypair is currently limited to three use cases:
- Gorouter to App TLS (route integrity)
- Interpolation of Credhub refs to env credentials on container start time (outside of app)
- Java buildpacks automatically watches CF_INSTANCE_CERT/CF_INSTANCE_KEY files, making sure these (changed) keypair land automatically in
the apps java truststore/keystore.
This is very interesting, since this basically means all java apps automagically use the keypair in all their https requests, smtps connections, database connections etc.
Which means – we can use it for our use cases, too!
Why I’m interested about this:
- We’re currently designing a new MySQL service
- We would like to allow clients to connect with mTLS
- On binding time, we would basically restrict the TLS client connection to the app that it’s bound to (identified by the app guid in the
- This would work out of the box with the java buildpack and mysql client – java buildpack security provider would add the keys, and spring
cloud connector mysql would set up the usual jdbc connection – great UX!
- However, apps other than java do not profit from this. They could read the files from CF_INSTANCE_CERT and CF_INSTANCE_KEY (like for example
this library does
But: the app does not notice when the keypair is rotated, causing the connection to break after the first rotation.
Are there any plans to add support (i.e. automatic watching and insertion) for other buildpacks so that CF_INSTANCE_CERT/CF_INSTANCE_KEY becomes a first class resource for all kind of apps?
If someone of the Credhub team is at CF Summit Basel next week I’d be very happy to chat about this!
Mobile +41 79 664 96 16
Swisscom (Switzerland) Ltd