Future usage of instance identity credentials

matthias.winzeler@...

Hi all


I was quite excited when I found out about instance identity credentials (https://docs.cloudfoundry.org/devguide/deploy-apps/instance-identity.html):

Each app gets its own x509 keypair that can be used for mTLS - and it’s even rotated automatically! This looks like a powerful enabler for all kinds of future mTLS scenarios.

However, it looks like this keypair is currently limited to three use cases:

  • Gorouter to App TLS (route integrity)
  • Interpolation of CredHub refs into env credentials at container start time (outside of the app)
  • The Java buildpack automatically watches the CF_INSTANCE_CERT/CF_INSTANCE_KEY files, making sure the (changed) keypair lands automatically in the app's Java truststore/keystore.
    (https://github.com/cloudfoundry/java-buildpack-security-provider)
    This is very interesting, since this basically means all Java apps automagically use the keypair in all their HTTPS requests, SMTPS connections, database connections etc.
    Which means – we can use it for our use cases, too!

Why I’m interested in this:

  • We’re currently designing a new MySQL service
  • We would like to allow clients to connect with mTLS
  • At binding time, we would basically restrict the TLS client connection to the app that it’s bound to (identified by the app guid in the x509 CN)
  • This would work out of the box with the Java buildpack and MySQL client – the Java buildpack security provider would add the keys, and Spring Cloud Connector MySQL would set up the usual JDBC connection – great UX!
  • However, apps other than Java do not profit from this. They could read the files from CF_INSTANCE_CERT and CF_INSTANCE_KEY (like, for example, this library does: https://downey.io/blog/securing-rails-credentials-cloud-foundry-credhub/).

But: the app does not notice when the keypair is rotated, causing the connection to break after the first rotation.

Are there any plans to add support (i.e. automatic watching and insertion) for other buildpacks so that CF_INSTANCE_CERT/CF_INSTANCE_KEY becomes a first-class resource for all kinds of apps?

If someone from the CredHub team is at CF Summit Basel next week I’d be very happy to chat about this!

Best regards

Matthias

Matthias Winzeler

Application Cloud

https://developer.swisscom.com 

___________________________________________________________________________
Mobile  +41 79 664 96 16

matthias.winzeler@...
___________________________________________________________________________
Swisscom (Switzerland) Ltd