RFC0055 Identity-Aware Routing#1913

Open
rkoster wants to merge 9 commits into develop from add-identity-aware-routing-tests

Conversation

@rkoster rkoster commented Apr 20, 2026


Summary

Add comprehensive acceptance test coverage for the Identity-Aware Routing feature that enables mTLS-based authentication and authorization for app-to-app communication on dedicated domains (e.g., *.apps.identity).

This PR implements the CATs portion of RFC0055 for domain-scoped mTLS routing in GoRouter.

Changes

Test Coverage

Four test cases across two suites:

Identity-Aware Routing (identity_aware_routing/identity_aware_routing.go):

  1. Default-deny + route policy creation: Verifies requests are denied by default and allowed after running cf add-route-policy; confirms the policy appears in cf route-policies --domain
  2. Unauthorized app denial: Verifies that apps without a route policy are denied even when they hold a valid Diego mTLS certificate; uses Consistently to confirm the denial persists
  3. XFCC header forwarding: Verifies that the X-Forwarded-Client-Cert header is forwarded to the backend in Envoy format, containing the frontend app GUID (OU=app:<guid>)

Route Policy Domain Management (identity_aware_routing/identity_aware_routing.go):

  4. Domain creation: Verifies that cf create-shared-domain <name> --enforce-route-policies --scope space succeeds and the resulting domain appears in cf domains

Infrastructure Changes

  • Extended proxy app (assets/proxy/main.go):

    • Added /headers endpoint: Returns all incoming request headers as JSON — used by tests to inspect what the backend receives
    • Added /mtls_proxy/<host.domain>/<path> endpoint: Dials <host.domain>:443 and performs an HTTPS request using the Diego instance identity certificate (CF_INSTANCE_CERT / CF_INSTANCE_KEY) for mTLS client auth; returns status code, body, and headers as JSON
  • New test suite (identity_aware_routing/identity_aware_routing.go):

    • 4 test cases following existing CATs patterns
    • Uses cf add-route-policy, cf route-policies, and cf create-shared-domain --enforce-route-policies --scope space
    • Retryable curl helper: parse failures during Eventually/Consistently polling return a StatusCode: -1 sentinel instead of hard-failing, preventing flakiness during route convergence
  • Configuration support (helpers/config/):

    • Added IncludeIdentityAwareRouting bool and IdentityAwareDomain string (default: apps.identity) config fields
    • Added IdentityAwareRoutingDescribe() wrapper for test gating
    • Added skip message constant

Requirements

  • Custom CF CLI with route policy and domain management commands:
    • cf add-route-policy <domain> --source-app <app> --hostname <host>
    • cf route-policies --domain <domain>
    • cf create-shared-domain <name> --enforce-route-policies --scope space
  • Cloud Foundry deployment with:
    • GoRouter configured with an mTLS domain (via router.domains job property)
    • A shared domain with route policy enforcement enabled (e.g., apps.identity)
    • BOSH DNS alias for the mTLS domain resolving to router instances

Testing

Tested against a local CF deployment with all 4 tests passing:

Ran 4 of 283 Specs in 582.609 seconds
SUCCESS! -- 4 Passed | 0 Failed | 2 Pending | 277 Skipped

Related Work

  • RFC: community/toc/rfc/rfc-draft-domain-scoped-mtls-gorouter.md
  • GoRouter implementation: routing-release (in parallel development)
  • CF CLI commands: cli repository (custom commands for route policy management)
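The XFCC assertion in test 3 above depends on reading the frontend app GUID out of the Envoy-format X-Forwarded-Client-Cert header. The Go example below is added here and is not code from this PR, from the CATs proxy app, or from GoRouter: it parses that header (quoted values may contain the ',' and ';' separators) and pulls the GUID from the Subject's OU=app:<guid> attribute. The SPIFFE URIs, hash and GUIDs in SampleXFCC are constructed placeholders, and treating the last element as the nearest hop is an assumption about how the header is appended.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)
type Element map[string]string // fields (By, Hash, Subject, URI, ...) of one XFCC entry
// SampleXFCC is a constructed header in the shape the PR's XFCC test expects; the
// GUIDs, hash and SPIFFE URIs are placeholders, not values from any real deployment.
const SampleXFCC = `By=spiffe://cf/backend;Hash=0011aabb;URI=spiffe://cf/frontend;` +
	`Subject="CN=instance-guid,OU=app:0f2a1b3c-4d5e-4f60-8a7b-9c8d7e6f5a4b,OU=space:sg"`
// Parse splits an Envoy-format header: elements are ','-separated, fields
// ';'-separated, and a double-quoted value may itself contain ',' or ';'.
func Parse(header string) ([]Element, error) {
	var elems []Element
	var key, val strings.Builder
	cur, inKey, quoted := Element{}, true, false
	for i := 0; i < len(header); i++ {
		switch c := header[i]; {
		case c == '"':
			quoted = !quoted
		case quoted:
			val.WriteByte(c)
		case c == '=' && inKey:
			inKey = false
		case c == ';' || c == ',': // end of a field; ',' also ends the element
			if key.Len() > 0 { cur[key.String()] = val.String() }
			key.Reset(); val.Reset(); inKey = true
			if c == ',' { elems, cur = append(elems, cur), Element{} }
		case inKey:
			key.WriteByte(c)
		default:
			val.WriteByte(c)
		}
	}
	if quoted { return nil, errors.New("xfcc: unterminated quoted value") }
	if key.Len() > 0 { cur[key.String()] = val.String() }
	if len(cur) > 0 { elems = append(elems, cur) }
	return elems, nil
}
// AppGUID returns the GUID from the Subject's OU=app:<guid> attribute, or "".
func (e Element) AppGUID() string {
	for _, attr := range strings.FieldsFunc(e["Subject"], func(r rune) bool { return r == ',' || r == '+' || r == '/' }) {
		if a := strings.TrimSpace(attr); strings.HasPrefix(a, "OU=app:") { return strings.TrimPrefix(a, "OU=app:") }
	}
	return ""
}
func main() { // prints the caller GUID from the last element (assumed to be the nearest hop)
	if elems, err := Parse(SampleXFCC); err == nil && len(elems) > 0 { fmt.Println(elems[len(elems)-1].AppGUID()) }
}
```

A backend that enforces per-caller authorization should compare the extracted GUID against its own allow-list rather than trusting any header field as-is; the route policy in GoRouter is what guarantees the header came from a verified mTLS peer.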

@rkoster rkoster changed the title from "Add acceptance tests for Identity-Aware Routing (domain-scoped mTLS)" to "RFC0055 Identity-Aware Routing" on Apr 23, 2026
@rkoster rkoster force-pushed the add-identity-aware-routing-tests branch 2 times, most recently from 6778b97 to 23a9670 on June 18, 2026 10:17
@rkoster rkoster marked this pull request as ready for review June 19, 2026 12:23
rkoster added 9 commits June 19, 2026 14:28
Add comprehensive test coverage for the Identity-Aware Routing feature
that enables mTLS-based authentication and authorization for app-to-app
communication on dedicated domains (e.g., *.apps.identity).

Test coverage:
- Default-deny behavior and access rule creation
- Authorization enforcement (denies unauthorized apps)
- XFCC header forwarding with caller identity in Envoy format

Infrastructure changes:
- Extended proxy app with /headers and /mtls_proxy endpoints
- Added identity_aware_routing test suite with 3 test cases
- Added IncludeIdentityAwareRouting and IdentityAwareDomain config
- Added IdentityAwareRoutingDescribe wrapper for test gating

Tests use cf add-access-rule/remove-access-rule CLI commands and
validate mTLS certificate-based authentication via Diego instance
identity certificates.

Requires custom CF CLI with access rule management commands.
@rkoster rkoster force-pushed the add-identity-aware-routing-tests branch from 7010a27 to 2d05f71 on June 19, 2026 12:30