Skip to content

0.386.0

Latest

Choose a tag to compare

@appruntimeplatform-bot appruntimeplatform-bot released this 09 Jul 18:24

0.386.0

Release Date: July 09, 2026

Changes

  • Upgrade golang-1.26-linux (1.26.5) - Author: App Platform Runtime Working Group CI Bot - SHA: 1ff26e3
  • Amelia/fix staticcheck go126 (#573) - Author: Amelia Downs - SHA: ebe6fed
  • Upgrade routing-healthchecker - Author: App Platform Runtime Working Group CI Bot - SHA: 39ee2e0
  • Upgrade routing-healthchecker - Author: App Platform Runtime Working Group CI Bot - SHA: 44fa554
  • Revert "Sync .github dir templates" (#570) - Author: Karthick Udayakumar - SHA: 4b9b076
  • Fix identity-aware routing tests for TLS 1.3 (#571) - Author: Amelia Downs - SHA: fab6101
  • Remove routing-api as a submodule, and pull it in via tools/tools.go for package building - Author: Geoff Franks - SHA: 1f8667f
  • Upgrade routing-healthchecker - Author: App Platform Runtime Working Group CI Bot - SHA: 141c153
  • fix: pin locket to v0.0.0-20260602143356-23bea5865010 via replace directive (#568) - Author: Geoff Franks - SHA: 58a9585
  • RFC0055 Identity-Aware Routing (#535) - Author: Ruben Koster - SHA: 02a2a93
  • Upgrade routing-healthchecker - Author: App Platform Runtime Working Group CI Bot - SHA: 0e550e7
  • Add MySQL 9.7 testing support across CI infrastructure and releases Add comprehensive MySQL 9.7 testing support to replace MySQL 8.0 EOL. - Create MySQL 9.7 Docker infrastructure with build jobs and CI pipeline resources - Add mysql-9.7 parameter support to release scripts in diego, routing, cf-networking, and silk - Include MySQL 9.7 in database flavor matrices for CI testing across all modules - Follow established MySQL 8.4 patterns for consistency and maintainability MySQL 9.7 is the current LTS release. Teams can now test against mysql-9.7 using existing create-docker-container.bash scripts. CI pipelines will automatically include MySQL 9.7 in database testing matrices. - Author: Amelia Downs - SHA: ace654a

Bosh Job Spec changes:

diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index 8e7a93cf2..f1fc785d6 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -160,6 +160,8 @@ properties:
       none - Gorouter will not request client certificates in TLS handshakes, and will ignore them if presented. Incompatible with `forwarded_client_cert: forward` or `sanitize_set`.
       request - Gorouter will request client certificates in TLS handshakes, and will validate them when presented, but will not require them.
       require - Gorouter will fail a TLS handshake if the client does not provide a certificate signed by a CA it trusts. Select this option if your load balancer terminates TLS and does not require client certificates, and the load balancer provides a compatible client certificate of its own to Gorouter in an independent TLS handshake. This option may also be selected for Isolation Segments when Gorouter is the first point of TLS termination. Many clients of CF platform APIs do not present client certificates in TLS handshakes, so the first point of TLS termination for requests to the system domain must not require them. This option has no effect on the HTTP listener; to disable HTTP support set `disable_http: true`.
+
+      Note: This property applies to the default TLS listener. Domains configured in `router.domains` enforce their own mTLS requirement independently — client certificates are always required for those domains regardless of this setting.
     default: request
   router.disable_http:
     description: Disables the http listener on port specified by router.port. This cannot be set to true if enable_ssl is false.
@@ -200,6 +202,33 @@ properties:
   router.only_trust_client_ca_certs:
     description: "When router.only_trust_client_ca_certs is true, router.client_ca_certs are the only trusted CA certs for client requests. When router.only_trust_client_ca_certs is false, router.client_ca_certs are trusted in addition to router.ca_certs and the CA certificates installed on the filesystem. This will have no affect if the `router.client_cert_validation` property is set to none."
     default: false
+  router.domains:
+    description: |
+      Array of domains requiring mutual TLS authentication. Each domain can have its own CA certificate pool, forwarded_client_cert mode, and xfcc_format.
+      For non-wildcard domains, the domain must match the request host exactly.
+      For wildcard domains (e.g., *.apps.identity), the wildcard must be the leftmost label and matches any single label.
+
+      These domains enforce client certificate validation independently of `router.client_cert_validation` — clients connecting to these domains are always required to present a valid certificate signed by the domain's configured CA.
+
+      xfcc_format controls the format of the X-Forwarded-Client-Cert header:
+      - "raw" (default): Full base64-encoded certificate (~1.5KB)
+      - "envoy": Compact Hash=<sha256>;Subject="<DN>" format (~300 bytes)
+    default: []
+    example:
+    - name: "*.apps.identity"
+      ca_certs: |
+        -----BEGIN CERTIFICATE-----
+        <CA certificate for apps.identity domain>
+        -----END CERTIFICATE-----
+      forwarded_client_cert: sanitize_set
+      xfcc_format: envoy
+    - name: "secure.example.com"
+      ca_certs: |
+        -----BEGIN CERTIFICATE-----
+        <CA certificate for secure.example.com>
+        -----END CERTIFICATE-----
+      forwarded_client_cert: forward
+      xfcc_format: raw
   router.backends.max_attempts:
     description: |
       Maximum number of attempts on failing requests against backend routes.
@@ -339,7 +368,7 @@ properties:
       this property and operators have to explicitly enable them. This is done to prevent breaking
       log parsing in existing setups by the introduction of new fields. Does not affect stdout /
       stderr logs.
-      Available fields are: backend_time, dial_time, dns_time, failed_attempts, failed_attempts_time, local_address, tls_time
+      Available fields are: backend_time, caller_cf_app, caller_cf_org, caller_cf_space, dial_time, dns_time, failed_attempts, failed_attempts_time, local_address, route_policy, tls_sni, tls_time
     default: []
   router.enable_proxy:
     description: "Enables support for the popular PROXY protocol, allowing downstream load balancers that do not support HTTP to pass along client information."

✨ Built with go 1.26.5

Full Changelog: v0.385.0...v0.386.0

Resources