
Enable mtls for file_server by default #1317

Open
stephanme wants to merge 1 commit into develop from file-server-mtls

Conversation

stephanme (Member) commented Feb 20, 2026

WHAT is this change about?

  • inline the content of ops file enable-tls-on-file-server.yml
  • deprecate this ops file
  • configure tls.client_ca_cert
  • update tests and doc

What customer problem is being addressed? Use customer persona to define the problem e.g. Alana is unable to...

This PR ensures that the file-server is secured by mTLS by default. Before, TLS could be enabled by ops-file enable-tls-on-file-server.yml but not mTLS.

Please provide any contextual information.

cloudfoundry/diego-release#1107

Has a cf-deployment including this change passed cf-acceptance-tests?

  • YES
  • NO

Does this PR introduce a breaking change? Please take a moment to read through the examples before answering the question.

  • YES - please choose the category from below. Feel free to provide additional details.
  • NO

How should this change be described in cf-deployment release notes?

  • mTLS is enabled by default for the file-server
  • The ops-file enable-tls-on-file-server.yml has become obsolete and is deprecated.

Does this PR introduce a new BOSH release into the base cf-deployment.yml manifest or any ops-files?

  • YES - please specify
  • NO

Does this PR make a change to an experimental or GA'd feature/component?

  • experimental feature/component
  • GA'd feature/component

Please provide acceptance criteria for this change.

  • green tests
  • a new semantic test "file-server-mtls-enabled-by-default" was added

What is the level of urgency for publishing this change?

  • Urgent - unblocks current or future work
  • Slightly Less than Urgent

Tag your pair, your PM, and/or team!

n/a
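The difference the PR description draws, "TLS only" (the old enable-tls-on-file-server.yml posture) versus mTLS with a configured client CA, can be checked end to end with an in-memory PKI. The Go program below is an added illustration, not code from cf-deployment, diego-release or the PR: it builds a throwaway CA, issues a server leaf ("file-server") and a client leaf ("rep"), starts an httptest HTTPS server in each posture, and fetches once with and once without a client certificate. The CA, the names, the echo handler and the httptest listener are constructed for the demo and stand in for the deployment's real certificates; no cf-deployment or diego-release property names are used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key and a cert for cn with the given key usage, signed by
// parent/parentKey or self-signed when parent is nil. All in-memory and throwaway.
func issue(serial int64, cn string, ku x509.KeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, // httptest binds 127.0.0.1
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

// NewPKI returns a demo CA plus a server leaf and a client leaf issued by it.
func NewPKI() (*x509.Certificate, tls.Certificate, tls.Certificate) {
	_, ca, caKey := issue(1, "demo-ca", x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign, nil, nil)
	server, _, _ := issue(2, "file-server", x509.KeyUsageDigitalSignature, ca, caKey)
	client, _, _ := issue(3, "rep", x509.KeyUsageDigitalSignature, ca, caKey)
	return ca, server, client
}

// StartFileServer serves HTTPS with the given client-auth policy: tls.NoClientCert is
// "TLS only", tls.RequireAndVerifyClientCert demands a client cert chaining to ca.
func StartFileServer(ca *x509.Certificate, server tls.Certificate, auth tls.ClientAuthType) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		cn := "anonymous" // echo the authenticated client CN so callers see who got in
		if len(r.TLS.PeerCertificates) > 0 {
			cn = r.TLS.PeerCertificates[0].Subject.CommonName
		}
		fmt.Fprintf(w, "hello %s", cn)
	}))
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{server}, ClientCAs: pool, ClientAuth: auth}
	srv.StartTLS()
	return srv
}

// Fetch does one GET, trusting only ca and presenting clientCert when non-nil.
func Fetch(url string, ca *x509.Certificate, clientCert *tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	ca, server, client := NewPKI()
	for _, auth := range []tls.ClientAuthType{tls.NoClientCert, tls.RequireAndVerifyClientCert} {
		srv := StartFileServer(ca, server, auth)
		withCert, err1 := Fetch(srv.URL, ca, &client)
		noCert, err2 := Fetch(srv.URL, ca, nil)
		fmt.Printf("%v: with cert -> %q %v; without cert -> %q %v\n", auth, withCert, err1, noCert, err2)
		srv.Close()
	}
}
```

In the TLS-only posture both fetches succeed and the server sees an anonymous peer even when the client holds a valid certificate, because the server never asks for one. In the mTLS posture the anonymous fetch fails at the TLS layer (the test server also logs the handshake failure on stderr) and only the client whose leaf chains to the configured client CA reaches the handler, which is the property the new default is meant to give the file-server.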

stephanme (Member Author) commented:
CATS succeed with:

CATS / simple apps fail with current diego-release develop branch. Starting an app fails:

   2026-02-23T14:19:22.94+0000 [PROXY/0] ERR [2026-02-23 14:19:22.940][92][critical][main] [source/server/server.cc:453] error `Protobuf message (type envoy.config.bootstrap.v3.Bootstrap reason INVALID_ARGUMENT: invalid JSON in envoy.config.bootstrap.v3.Bootstrap @ static_resources.listeners[0].filter_chains[0].filters[0].typed_config.<any>: message envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy, near 1:4843 (offset 4842): no such field: 'upstream_connect_mode') has unknown fields` initializing config '/etc/cf-assets/envoy_config/envoy.yaml'
   2026-02-23T14:19:22.94+0000 [PROXY/0] ERR Protobuf message (type envoy.config.bootstrap.v3.Bootstrap reason INVALID_ARGUMENT: invalid JSON in envoy.config.bootstrap.v3.Bootstrap @ static_resources.listeners[0].filter_chains[0].filters[0].typed_config.<any>: message envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy, near 1:4843 (offset 4842): no such field: 'upstream_connect_mode') has unknown fields
   2026-02-23T14:19:23.02+0000 [PROXY/0] OUT Exit status 1

(not related to file-server, staging itself was successful)

@stephanme stephanme marked this pull request as ready for review February 23, 2026 18:14
jochenehret previously approved these changes Feb 24, 2026
@jochenehret jochenehret requested a review from a team February 24, 2026 10:08
- inline the content of ops file enable-tls-on-file-server.yml
- deprecate this ops file
- configure tls.client_ca_cert
- update tests and doc