Skip to content

RFC: Full mTLS for Diego Container-to-Container Traffic#1437

Open
rkoster wants to merge 3 commits intomainfrom
rfc-diego-c2c-mtls
Open

RFC: Full mTLS for Diego Container-to-Container Traffic#1437
rkoster wants to merge 3 commits intomainfrom
rfc-diego-c2c-mtls

Conversation

@rkoster
Copy link
Contributor

@rkoster rkoster commented Feb 13, 2026
edited
Loading

Summary

This RFC proposes implementing full mutual TLS (mTLS) for container-to-container (C2C) traffic in Diego, enabling applications to both authenticate themselves and verify the identity of connecting applications.

View the full RFC

The approach introduces:

  • Port 62443: New HTTP-based C2C mTLS listener with XFCC header forwarding (server-side)
  • Port 61445: Egress proxy for automatic instance identity certificate injection (client-side)

Key Points

  • Backwards compatible: existing port 61443 remains unchanged
  • Dual opt-in model: both operators (BOSH properties) and app authors must opt-in
  • Phased implementation allowing gradual adoption
  • Server apps can extract caller identity from X-Forwarded-Client-Cert header

Implementation Phases

  1. Phase 1: Server-side HTTP-based C2C mTLS port (62443)
  2. Phase 2: Client-side egress proxy (61445) with selective cert injection
  3. Phase 3: Full integration

cc @cloudfoundry/toc @cloudfoundry/wg-app-runtime-platform

@rkoster
RFC: Full mTLS for Diego Container-to-Container Traffic
c98fc84 
Add draft RFC proposing implementation of full mutual TLS (mTLS) for
container-to-container traffic in Diego. The proposal introduces a new
HTTP-based listener on port 62443 alongside the existing TCP-based port
(61443), providing a dual opt-in model for operators and app authors.

Key features:
- Phase 1: Server-side HTTP-based C2C mTLS with XFCC header forwarding
- Phase 2: Client-side egress proxy for automatic cert injection
- Phase 3: Full zero-trust app-to-app communication integration

Maintains backwards compatibility with existing deployments.
@rkoster
Replace line breaks in mermaid diagrams
41babab 
Use HTML <br/> tags instead of \n for line breaks in mermaid diagram
labels to ensure proper rendering on GitHub and in markdown viewers.
@rkoster
Add PR link to RFC metadata
5bb107b
@beyhan beyhan added rfc CFF community RFC toc labels Feb 13, 2026
@beyhan beyhan requested review from a team, Gerg, beyhan, cweibel and stephanme and removed request for a team February 13, 2026 09:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@beyhan beyhan Awaiting requested review from beyhan beyhan was automatically assigned from cloudfoundry/toc

@Gerg Gerg Awaiting requested review from Gerg Gerg was automatically assigned from cloudfoundry/toc

@stephanme stephanme Awaiting requested review from stephanme stephanme was automatically assigned from cloudfoundry/toc

@cweibel cweibel Awaiting requested review from cweibel cweibel was automatically assigned from cloudfoundry/toc

Assignees

No one assigned

Labels

rfc CFF community RFC toc

Projects

CF Community
Status: Inbox

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rkoster @beyhan