Proposed
2025-06-21
- ZPascal
This proposal introduces support for organization- and space-scoped client certificates for Cloud Foundry Loggregator syslog drains using mutual TLS (mTLS), across both HTTPS and syslog+TLS protocols.
By issuing certificates per org or space instead of per application, we simplify certificate lifecycle management, enable centralized rotation, and allow integration with centrally managed certificate authorities (CAs), reducing operational burden and improving tenant-level security.
Currently, mTLS support in syslog drains relies on application-specific client certificates. This poses several limitations:
- High operational overhead: Certificates are bound to individual app instances and may need frequent re-issuance.
- Rotation complexity: Rotating certificates across many apps is error-prone and difficult to coordinate.
- Scalability: Managing hundreds or thousands of app-level certs becomes a bottleneck in large deployments.
By switching to org- and space-based certificates, we can:
- Simplify certificate management per tenant (org/space) rather than per app.
- Allow operators to integrate with existing enterprise certificate infrastructures (e.g., HashiCorp Vault, Venafi, internal PKI).
- Enable easier rotation by regenerating and propagating a single certificate per org or space.
- Provide clear attribution and access control tied to organizational boundaries.
We propose the following key capabilities:
- Org/space-scoped certificate issuance: when a syslog drain is created, the drain metadata includes the associated org and space, and the Loggregator system retrieves or generates a client certificate scoped to that org or space.
- Drain-level mTLS configuration: the syslog adapter or HTTPS forwarder presents the org/space certificate when establishing the mTLS connection to the remote drain endpoint.
- Automatic rotation support: certificates can be renewed and reloaded automatically with minimal disruption to log delivery.
- Audit and visibility: logs and drain metadata include the org/space identity used for certificate-based authentication.
The resulting flow when an app binds a syslog drain:
- The Cloud Controller includes the org and space GUIDs in the drain metadata.
- The Loggregator agent retrieves the client certificate for that org or space from a credential binding.
- The drain connection presents this certificate as the client certificate in the mTLS handshake.
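The flow above, as an added example written for this page in Go (it is not Loggregator's own code): a resolver that picks the space certificate, then the org certificate, then falls back to a legacy per-app certificate; a tls.Config whose GetClientCertificate callback re-resolves on every handshake so a rotated certificate is used without restarting the agent; and a helper that reads the scope back out of the certificate's OU for audit attribution. The DrainMetadata fields, the CertStore, the OU convention and the GUIDs are assumptions, and the self-signed certificates stand in for ones issued by an operator's CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// DrainMetadata is the binding metadata the proposal says the Cloud Controller
// attaches to a drain (field names are assumptions).
type DrainMetadata struct {
	AppGUID, SpaceGUID, OrgGUID string
}

// CertStore stands in for the credential-binding store; keys are "scope:guid".
type CertStore struct {
	mu    sync.RWMutex
	certs map[string]tls.Certificate
}

func NewCertStore() *CertStore { return &CertStore{certs: map[string]tls.Certificate{}} }

// Put installs or replaces (rotates) the certificate for one scope/GUID.
func (s *CertStore) Put(scope, guid string, c tls.Certificate) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.certs[scope+":"+guid] = c
}

// Resolve picks the most specific certificate available: space, then org, then
// the legacy per-app certificate (backward-compatible fallback). It also returns
// the scope that matched so the caller can log it for attribution.
func (s *CertStore) Resolve(md DrainMetadata) (tls.Certificate, string, error) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	for _, cand := range []struct{ scope, guid string }{
		{"space", md.SpaceGUID}, {"org", md.OrgGUID}, {"app", md.AppGUID},
	} {
		if c, ok := s.certs[cand.scope+":"+cand.guid]; ok && cand.guid != "" {
			return c, cand.scope, nil
		}
	}
	return tls.Certificate{}, "", errors.New("no client certificate available for drain")
}

// DrainTLSConfig builds the client-side mTLS config for one drain. The certificate
// is resolved on every handshake, so a rotated certificate in the store is picked
// up by the next (re)connection without rebuilding the config or restarting.
func DrainTLSConfig(store *CertStore, md DrainMetadata, drainCAs *x509.CertPool, serverName string) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		RootCAs:    drainCAs, // CA(s) that signed the drain endpoint's server certificate
		ServerName: serverName,
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			c, _, err := store.Resolve(md)
			if err != nil {
				return nil, err
			}
			return &c, nil
		},
	}
}

// ScopeOf reads the scope a certificate was issued for from the leaf's OU,
// which is the (assumed) convention this example uses to carry org/space identity.
func ScopeOf(c tls.Certificate) (string, error) {
	leaf, err := x509.ParseCertificate(c.Certificate[0])
	if err != nil {
		return "", err
	}
	if len(leaf.Subject.OrganizationalUnit) == 0 {
		return "", errors.New("client certificate carries no scope OU")
	}
	return leaf.Subject.OrganizationalUnit[0], nil
}

// SelfSignedCert mints a throwaway client certificate (CN = GUID, OU = scope)
// in place of one issued by the operator's CA.
func SelfSignedCert(scope, guid string) (tls.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: guid, OrganizationalUnit: []string{scope}},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, nil
}

func main() {
	store := NewCertStore()
	md := DrainMetadata{AppGUID: "app-1", SpaceGUID: "space-1", OrgGUID: "org-1"}
	orgCert, _ := SelfSignedCert("org", "org-1")
	store.Put("org", "org-1", orgCert)
	cfg := DrainTLSConfig(store, md, x509.NewCertPool(), "drain.example.internal")
	c, _ := cfg.GetClientCertificate(&tls.CertificateRequestInfo{})
	scope, _ := ScopeOf(*c)
	fmt.Println("presenting", scope, "certificate") // org: no space cert installed yet
	spaceCert, _ := SelfSignedCert("space", "space-1")
	store.Put("space", "space-1", spaceCert) // narrower certificate issued or rotated in
	c, _ = cfg.GetClientCertificate(&tls.CertificateRequestInfo{})
	scope, _ = ScopeOf(*c)
	fmt.Println("presenting", scope, "certificate") // space
}
```

Because the certificate is resolved inside GetClientCertificate rather than captured in tls.Config.Certificates, rotation reduces to replacing the entry in the store: the next handshake presents the new certificate, and the only remaining decision is whether to close already-established drain connections so they re-handshake sooner. In a real deployment RootCAs must be the CA that signed the drain endpoint's server certificate; the empty pool in main would reject any real server.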
Alternatives considered:
- Continue using per-app certificates, which limits centralized control and increases rotation complexity.
- Rely solely on drain-side authentication mechanisms such as IP allowlists or API tokens: these lack strong identity assurance and are harder to audit.
Benefits:
- Simplifies syslog drain configuration for tenants and operators.
- Reduces the surface area and frequency of certificate management tasks.
- Enables secure and manageable integration with enterprise logging platforms that require mutual TLS (e.g., Splunk, ELK, custom internal sinks).
Drawbacks:
- Slight increase in complexity in the Loggregator certificate resolution logic.
- Backward-compatible: app-scoped certificates can still be used when no org/space certificate is available.
- Enterprise CF operators have requested space/org-level drain identity for easier maintainability and security compliance.
Open questions:
- Should a default per-org/space CA be managed by Cloud Foundry, or should operators always provide their own?
- Which certificate rotation events should trigger drain restarts or reconnections, and at what granularity?
- Should fallback to app-level certificates be supported or deprecated?
Possible follow-up work:
- Add CLI/API support to display active org/space certificates.
- Support per-drain certificate overrides when stronger isolation is required.
- Enable automated certificate revocation on org/space deletion or access revocation.