Add enable-identity-aware-routing ops-file (RFC0055) #1353

Open: rkoster wants to merge 8 commits into develop from add-identity-aware-routing

Add enable-identity-aware-routing ops-file (RFC0055)#1353
rkoster wants to merge 8 commits into
developfrom
add-identity-aware-routing

Conversation

@rkoster

@rkoster rkoster commented Jun 19, 2026

Summary

Adds ops-files to enable RFC0055 app-to-app mTLS routing via *.apps.identity.

Files added

| File | Purpose |
| --- | --- |
| operations/enable-identity-aware-routing.yml | Main ops-file (cflinuxfs4 + rep) |
| operations/enable-identity-aware-routing-cflinuxfs5.yml | cflinuxfs5 trust companion |
| operations/use-operator-provided-identity-routing-domain.yml | Domain-override companion |
| operations/example-vars-files/vars-use-operator-provided-identity-routing-domain.yml | Example vars |

What the main ops-file does

  1. Adds BOSH DNS alias _.apps.identity → router instance group
  2. Configures gorouter with a new mTLS domain *.apps.identity — client certs are verified against the existing diego_instance_identity_ca, X-Forwarded-Client-Cert is forwarded in Envoy format
  3. Adds SNI TLS cert for *.apps.identity on the router (new apps_identity_ca + apps_identity_router_tls BOSH variables)
  4. Injects apps_identity_ca as a trusted cert in cflinuxfs4 app containers and Diego rep

Usage

```shell
# Standard (hardcoded *.apps.identity domain)
bosh -d cf deploy cf-deployment.yml \
  -o operations/enable-identity-aware-routing.yml

# With cflinuxfs5 (apply add-cflinuxfs5.yml first)
bosh -d cf deploy cf-deployment.yml \
  -o operations/experimental/add-cflinuxfs5.yml \
  -o operations/enable-identity-aware-routing.yml \
  -o operations/enable-identity-aware-routing-cflinuxfs5.yml

# Custom domain
bosh -d cf deploy cf-deployment.yml \
  -o operations/enable-identity-aware-routing.yml \
  -o operations/use-operator-provided-identity-routing-domain.yml \
  -v identity_routing_domain=apps.mycompany.internal
```

Reference
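An added example, not code from this PR or from cf-deployment: an app-side parser for the Envoy-format X-Forwarded-Client-Cert header that the main ops-file configures gorouter to forward, pulling the calling app's identity out of the verified client certificate. It assumes Envoy's documented XFCC syntax (elements joined by ',', key=value pairs by ';', quoted values with backslash escapes) and the Diego instance-identity subject layout (CN plus OU=organization:, OU=space:, OU=app: fields); the sample header value is constructed.

```python
from typing import Dict, List, Optional

# Constructed sample (not captured from a deployment): Envoy XFCC syntax, made-up hash.
SAMPLE_XFCC = ("Hash=" + "a1b2c3d4" * 8 + ';Subject="/CN=inst-guid-1'
               '/OU=organization:org-guid-1/OU=space:space-guid-1/OU=app:app-guid-1"')

def _split(s: str, sep: str) -> List[str]:
    """Split on sep outside double quotes, keeping backslash escapes intact."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(s):
        c = s[i]
        if quoted and c == "\\" and i + 1 < len(s):   # escaped char inside quotes
            buf.append(s[i:i + 2]); i += 2; continue
        if c == '"':
            quoted = not quoted
        elif c == sep and not quoted:
            parts.append("".join(buf)); buf = []; i += 1; continue
        buf.append(c); i += 1
    return parts + ["".join(buf)]

def parse_xfcc(header: str) -> List[Dict[str, str]]:
    """One dict per cert element: Envoy joins elements with ',' and pairs with ';'."""
    elements = []
    for elem in _split(header, ","):
        pairs = {}
        for kv in _split(elem, ";"):
            key, eq, val = kv.strip().partition("=")
            if eq and len(val) > 1 and val[0] == val[-1] == '"':   # quoted value
                val = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            if eq:
                pairs[key] = val
        if pairs:
            elements.append(pairs)
    return elements

def caller_identity(header: str) -> Optional[Dict[str, str]]:
    """Instance/org/space/app GUIDs of the nearest hop's client cert, or None if a
    field is missing. Trust it only behind the identity-aware route, where the
    router verified the cert against diego_instance_identity_ca first."""
    elements = parse_xfcc(header)
    if not elements or "Hash" not in elements[-1]:
        return None
    ident: Dict[str, str] = {}
    for rdn in elements[-1].get("Subject", "").split("/"):
        key, _, val = rdn.partition("=")
        if key == "CN":
            ident["instance"] = val
        elif key == "OU" and ":" in val:              # e.g. "app:<guid>"
            ident.update([val.split(":", 1)])
    return ident if all(k in ident for k in ("instance", "organization", "space", "app")) else None
```

The Hash check only confirms that a certificate element is present; the header is meaningful only because the router sets it after verifying the client certificate, so an app should consume it solely on the identity-aware route.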

@ard-wg-gitbot

Hello friend, it looks like your pull request has failed one or more of our checks. Please take a look! 👀

@rkoster rkoster changed the base branch from main to develop June 19, 2026 13:36

@jochenehret jochenehret left a comment

These new ops files must be unit-tested:
https://github.com/cloudfoundry/cf-deployment/blob/main/units/tests/standard_test/operations.yml

We should also move these ops files into the "experimental" folder for now. When the feature is mature, we can promote them to regular ops files.

Questions:

  1. Should this feature be enabled in one of the cf-deployment validation environments?
  2. Are there integration tests planned for CATs? Or are there already tests in the routing test suite? -> yes, PR is already open: cloudfoundry/cf-acceptance-tests#1913

- Add enable-identity-aware-routing.yml and enable-identity-aware-routing-cflinuxfs5.yml to standard_test operations.yml
- Add use-operator-provided-identity-routing-domain.yml to standard_test operations.yml
- Document the three new operations in operations/README.md with their purposes and dependencies
- Update semantic test to allow apps_identity_ca.certificate as an exception (alongside diego_instance_identity_ca.certificate)
  This is necessary because the identity-aware-routing operations define and reference their own CA certificate variable
@rkoster

rkoster commented Jun 23, 2026

> These new ops files must be unit-tested: https://github.com/cloudfoundry/cf-deployment/blob/main/units/tests/standard_test/operations.yml

Have added unit tests in: 4b71097

> We should also move these ops files into the "experimental" folder for now. When the feature is mature, we can promote them to regular ops files.

The spec and scope for the feature have been discussed at great length in: https://github.com/cloudfoundry/community/blob/main/toc/rfc/rfc-0055-identity-aware-routing-for-gorouter.md. Given that all the affected components (except for docs, which is on my todo list) have open or merged PRs (which are being tracked here), I'm wondering for how long this feature should be marked as experimental, if at all. All the planned scope for this feature is included in the open PRs; there is no follow-on work planned.

> 1. Should this feature be enabled in one of the cf-deployment validation environments?

Yes

@rkoster rkoster requested a review from jochenehret June 23, 2026 11:38
@Milena-Encheva

Milena-Encheva commented Jun 23, 2026

If this PR is merged first, we need to change the paths addressed in this pull request.
