Merge branch 'develop' into disable-tcp-router

Author: ameowlia

.final_builds/packages/golang-1.24-linux/index.yml

@@ -3,6 +3,10 @@ builds:
     version: 4cb5a37cbce65d7f724843664959f99b3a43432a56099aeca3bb999dff9e4e99
     blobstore_id: 0040560a-0c3a-48aa-655f-976b8098d3e4
     sha1: sha256:cb1cdf8f4018cad43e9ee47ef455db2b1792f6381953d784dad69f709c3b759e
+  527ba0d0e2133f59ca19e7407072b229407374fbff29c5d7f4cbfeb950157f07:
+    version: 527ba0d0e2133f59ca19e7407072b229407374fbff29c5d7f4cbfeb950157f07
+    blobstore_id: 2758e3b2-0441-45c7-4728-556bd4db33c4
+    sha1: sha256:1de2afcd78735f842f28457710b869c296881183921c5659670be922fa16554b
   7e16dacbe34be58aa80f17d6f9626d3668282accb2d859ccb13675710dccac31:
     version: 7e16dacbe34be58aa80f17d6f9626d3668282accb2d859ccb13675710dccac31
     blobstore_id: 63e82092-fdb7-44ba-5b33-af41ef843613

docs/01-route-registrar-usage.md

@@ -84,6 +84,8 @@ The route-registrar expects a configuration json file like the one below:
   - `route_service_url` is optional. When provided, Gorouter will proxy
     requests received for the `uris` above to this address.
   - `health_check` is optional and explained in more detail below.
+  - `sni_routable_san` is the SAN used to route the request to the appropriate
+    backend. Required when `type` is `sni` and `terminate_frontend_tls` is enabled.
   - `terminate_frontend_tls` is optional. When true, the router will terminate 
     TLS before forwarding the requests to the backend servers. Default: false
   - `enable_backend_tls` is optional. When true, the router will initiate a 

jobs/route_registrar/spec

@@ -130,6 +130,8 @@ properties:
         options (optional, object, for http routes): Custom per-route options
         terminate_frontend_tls (optional, boolean): When true, the router will terminate TLS before forwarding requests to the backend. Default: false
         alpns (optional, array): Application Layer Protocol Negotiation strings.
+        sni_routable_san(optional, string): is the SAN used to route the request to the appropriate backend. 
+          Required when `type` is `sni` and `terminate_frontend_tls` is enabled.
 
       health_check object
         name (required, string): Human-readable reference for the healthcheck

jobs/route_registrar/templates/registrar_settings.json.erb

@@ -54,7 +54,7 @@ TEXT
   end
 
   message_bus_servers = nil
-  if nats_user and nats_password
+  if nats_user && nats_password
     message_bus_servers = nats_machines.map do |host|
       {
         host: "#{host}:#{nats_port}",
@@ -91,7 +91,17 @@ TEXT
       route['uris'].map! { |uri| "#{spec.index}-#{uri}" }
     end
 
-    if route['type'] == 'sni'
+    if route['type'] == 'sni' && route['terminate_frontend_tls']
+      if route['sni_routable_san'] == nil || route['sni_routable_san'] == ''
+        raise "route_registrar.routes[#{index}].route.sni_routable_san must be provided when type is sni and terminate_frontend_tls is enabled"
+      end
+    end
+
+    if route['type'] == 'sni' && !route['terminate_frontend_tls']
+      if route['sni_routable_san'] != nil
+        raise "route_registrar.routes[#{index}].route.sni_routable_san cannot be provided when type is sni and terminate_frontend_tls is disabled"
+      end
+
       route['sni_routable_san'] = spec.address
 
       if route.key?('server_cert_domain_name_modifier')
@@ -142,7 +152,7 @@ TEXT
     end
 
     link.if_p('routing_api.enabled_api_endpoints') do |endpoints|
-      if endpoints == 'both' or endpoints == 'mtls'
+      if endpoints == 'both' || endpoints == 'mtls'
         api_scheme = 'https'
         api_port = link.p('routing_api.tls_port', api_port)
       end
@@ -156,7 +166,7 @@ TEXT
 
   if_p('route_registrar.routing_api.api_url') do |prop|
     if_link('routing_api') do |link|
-      if link.p('routing_api.enabled_api_endpoints') == "mtls" and not prop.start_with?('https')
+      if link.p('routing_api.enabled_api_endpoints') == "mtls" && !prop.start_with?('https')
           raise 'expected route_registrar.routing_api.api_url to be https when routing_api.enabled_api_endpoints is mtls only'
       end
     end

jobs/tcp_router/templates/pre-start.erb

@@ -1,7 +1,6 @@
 #!/bin/bash -e
 <% unless p("tcp_router.disable") %>
-# pre-start
-<% if spec.bootstrap == true %>
+# This pre-start script runs (1) config validation and (2) creates frontend certs on the VM (if any)
 /var/vcap/packages/tcp_router/bin/config-validator -config /var/vcap/jobs/tcp_router/config/tcp_router.yml -enable-cert-creation true
 <% end %>
-<% end %>
+

packages/golang-1.24-linux/spec.lock

@@ -1,2 +1,2 @@
 name: golang-1.24-linux
-fingerprint: a90cc272bb527c55616cdc8aee918f0bf63838d3a3f3f1a223566a8b3da020ee
+fingerprint: 527ba0d0e2133f59ca19e7407072b229407374fbff29c5d7f4cbfeb950157f07

spec/route_registar_templates_spec.rb

@@ -41,6 +41,18 @@
     }
   end
 
+  let(:sni_route) { {
+    "name" => "svc-name",
+    "registration_interval" => "20s",
+    "router_group" => "svc-router-group",
+    "external_port" => 1024,
+    "type" => "sni",
+    "sni_port" => 5671,
+    "sni_routable_san" => "svc-1.foobar.com",
+    "terminate_frontend_tls" => true,
+    "enable_backend_tls" => true
+  } }
+
   describe 'config/routing_api/certs/client.crt' do
     let(:template) { job.template('config/routing_api/certs/client.crt') }
     let(:links) do
@@ -492,7 +504,7 @@
       context 'when uaa.tls_port is provided in the link' do
         let(:uaa_link_properties) do
           {
-             'tls_port' => 9443, 
+             'tls_port' => 9443,
           }
         end
         it 'uses the link value' do
@@ -511,7 +523,7 @@
       context 'when uaa.token_endpoint is provided in the link' do
         let(:uaa_link_properties) do
           {
-            'token_endpoint' => 'link-uaa.service.cf.internal', 
+            'token_endpoint' => 'link-uaa.service.cf.internal',
           }
         end
         it 'uses the link value' do
@@ -681,6 +693,56 @@
       end
     end
 
+    describe 'when type is sni and frontend_tls is enabled and sni_routable_san is provided' do
+      before do
+        merged_manifest_properties['route_registrar']['routes'][0] = sni_route
+        merged_manifest_properties['nats'] = { 'fail_if_using_nats_without_tls' => false }
+      end
+
+      it 'should use the provided sni_routable_san' do
+        rendered_hash = JSON.parse(template.render(merged_manifest_properties, consumes: links))
+        expect(rendered_hash['routes'][0]).to eq({
+                                                   "name" => "svc-name",
+                                                   "registration_interval" => "20s",
+                                                   "router_group" => "svc-router-group",
+                                                   "external_port" => 1024,
+                                                   "type" => "sni",
+                                                   "sni_port" => 5671,
+                                                   "sni_routable_san" => "svc-1.foobar.com",
+                                                   "terminate_frontend_tls" => true,
+                                                   "enable_backend_tls" => true
+                                                 })
+      end
+    end
+
+    describe 'when type is sni and frontend_tls is disabled and sni_routable_san is provided' do
+      before do
+        merged_manifest_properties['route_registrar']['routes'][0] = sni_route
+        merged_manifest_properties['route_registrar']['routes'][0]['terminate_frontend_tls'] = false
+        merged_manifest_properties['nats'] = { 'fail_if_using_nats_without_tls' => false }
+      end
+
+      it 'raises an error for invalid sni_routable_san' do
+        expect { template.render(merged_manifest_properties, consumes: links) }.to raise_error(
+          RuntimeError, 'route_registrar.routes[0].route.sni_routable_san cannot be provided when type is sni and terminate_frontend_tls is disabled'
+       )
+      end
+    end
+
+    describe 'when type is sni and frontend_tls is enabled and sni_routable_san is NOT provided' do
+      before do
+        merged_manifest_properties['route_registrar']['routes'][0] = sni_route
+        merged_manifest_properties['route_registrar']['routes'][0]['sni_routable_san'] = ''
+        merged_manifest_properties['nats'] = { 'fail_if_using_nats_without_tls' => false }
+      end
+
+      it 'raises an error for invalid sni_routable_san' do
+        expect { template.render(merged_manifest_properties, consumes: links) }.to raise_error(
+         RuntimeError, 'route_registrar.routes[0].route.sni_routable_san must be provided when type is sni and terminate_frontend_tls is enabled'
+       )
+      end
+    end
+
     describe 'when tls is not enabled and the san is not provided' do
       before do
         merged_manifest_properties['route_registrar']['routes'][0].delete('tls_port')