Skip to content
building a cloud foundry without gorouter....
Go Shell Dockerfile Other
Branch: master
Clone or download
Latest commit 82fa48a Jan 27, 2020
Type Name Latest commit message Commit time
Failed to load latest commit information.
.github/workflows chore: update integration-test env image location Nov 27, 2019
cfroutesync feat: hardcode the pod prefix label (#18) Jan 13, 2020
ci feat: explicitly declaring STRICT mTLS in default mesh policy Jan 27, 2020
config feat: explicitly declaring STRICT mTLS in default mesh policy Jan 27, 2020
doc doc: clarify ingress routing to sys components Jan 27, 2020
.adr-dir Move adr folder to doc/architecture-decisions Nov 26, 2019
.gitignore Basic integration test Oct 18, 2019
NOTICE Create NOTICE Dec 9, 2019 remove stale badge from readme Jan 1, 2020 Code of conduct file Nov 6, 2019


​ Routing and networking for Cloud Foundry running on Kubernetes.

Architecture Diagram of CF-K8s-Networking



  • A Cloud Foundry deployment using Eirini for app workloads
  • kubectl installed and access to the Kubernetes cluster backing Eirini
  • kapp installed
  • ytt installed


  • Install Istio to the Kubernetes cluster.

  • Include the istio-values.yaml in your Istio installation.

    Note: As an example, in our CI we are installing Istio via the task. ​



  1. cfroutesync needs to be able to authenticate with UAA and fetch routes from Cloud Controller. To do this you must override the following properties from install/ytt/networking/values.yaml. You can do this by creating a new file /tmp/values.yaml that contains the following information:

      ccCA: 'pem_encoded_cloud_controller_ca'
      ccBaseURL: ''
      uaaCA: 'pem_encoded_uaa_ca'
      uaaBaseURL: ''
      clientName: 'uaaClientName'
      clientSecret: 'uaaClientSecret'

    The UAA client specified by clientName is used for fetching routing data from Cloud Controller. It must have permission to access all routes and domains in the deployment. We recommend using a client with at least the cloud_controller.admin_read_only authority. For example, see the network-policy client in cf-deployment.

    As an example, for our dev environments we are using the generate_values.rb script to populate these values from the bbl-state.json and secrets in CredHub.

  2. Deploy the cf-k8s-networking CRDs and components using ytt and kapp:

    ytt -f config/cfroutesync/ -f /tmp/values.yaml \
        -f cfroutesync/crds/routebulksync.yaml | \
        kapp deploy -n "${system_namespace}" -a cfroutesync \
        -f - \
  3. Update the Prometheus configuration so metrics from cf-k8s-networking can be queried.

    prometheus_file="$(mktemp -u).yml"
    kubectl get -n istio-system configmap prometheus -o yaml > ${prometheus_file}
    ytt \
     -f "config/cfroutesync/values.yaml" \
     -f "${prometheus_file}" \
     -f "config/deps/prometheus-config.yaml" | \
     kubectl apply -f -

    Note: you might need to restart Prometheus pod(s) in the istio-system namespace after updating the ConfigMap 🧐🥺

    kubectl -n istio-system delete pod -l app=prometheus
You can’t perform that action at this time.