[cf-dev] Future usage of instance identity credentials

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[cf-dev] Future usage of instance identity credentials

Matthias.Winzeler

Hi all

 

I was quite excited when I found out about instance identity credentials (https://docs.cloudfoundry.org/devguide/deploy-apps/instance-identity.html):

Each app gets its own x509 keypair that can be used for mTLS - and it’s even rotated automatically! This looks like a powerful enabler for all kind of future mTLS scenarios.

 

However, it looked like this keypair is currently limited to three use cases:

  • Gorouter to App TLS (route integrity)
  • Interpolation of Credhub refs to env credentials on container start time (outside of app)
  • Java buildpacks automatically watches CF_INSTANCE_CERT/CF_INSTANCE_KEY files, making sure these (changed) keypair land automatically in the apps java truststore/keystore.
    (https://github.com/cloudfoundry/java-buildpack-security-provider)
    This is very interesting, since this basically means all java apps automagically use the keypair in all their https requests, smtps connections, database connections etc.
    Which means – we can use it for our use cases, too!

 

Why I’m interested about this:

  • We’re currently designing a new MySQL service
  • We would like to allow clients to connect with mTLS
  • On binding time, we would basically restrict the TLS client connection to the app that it’s bound to (identified by the app guid in the x509 CN)
  • This would work out of the box with the java buildpack and mysql client – java buildpack security provider would add the keys, and spring cloud connector mysql would set up the usual jdbc connection – great UX!
  • However, apps other than java do not profit from this. They could read the files from CF_INSTANCE_CERT and CF_INSTANCE_KEY (like for example this library does https://downey.io/blog/securing-rails-credentials-cloud-foundry-credhub/).

But: the app does not notice when the keypair is rotated, causing the connection to break after the first rotation.

 

Are there any plans to add support (i.e. automatic watching and insertion) for other buildpacks so that CF_INSTANCE_CERT/CF_INSTANCE_KEY becomes a first class resource for all kind of apps?

 

If someone of the Credhub team is at CF Summit Basel next week I’d be very happy to chat about this!

 

Best regards

Matthias

 

Matthias Winzeler

Application Cloud

https://developer.swisscom.com 

___________________________________________________________________________
Mobile  +41 79 664 96 16

<a href="applewebdata://953E86CB-EFAA-4902-8201-7AAE1BA35F4D/matthias.winzeler@swisscom.com">matthias.winzeler@...
___________________________________________________________________________
Swisscom (Switzerland) Ltd

_._,_._,_

Links:

You receive all messages sent to this group.

View/Reply Online (#8306) | [hidden email] | [hidden email] | Mute This Topic | New Topic

Your Subscription | [hidden email] | Unsubscribe [[hidden email]]

_._,_._,_