Skip to content

Add mTLS app-to-app routing support (RFC draft)#4910

Draft
rkoster wants to merge 5 commits intomainfrom
feature/app-to-app-mtls-routing
Draft

Add mTLS app-to-app routing support (RFC draft)#4910
rkoster wants to merge 5 commits intomainfrom
feature/app-to-app-mtls-routing

Conversation

@rkoster
Copy link
Contributor

@rkoster rkoster commented Mar 5, 2026
edited
Loading

Summary

Adds RFC-0027 compliant mTLS authorization options to routes for app-to-app mTLS routing.

Note: This PR is a draft because the RFC for App-to-App mTLS Routing has not been approved yet.

Features

  • New flat mTLS options in route options (RFC-0027 compliant):
    • mtls_allowed_apps: Comma-separated app GUIDs
    • mtls_allowed_spaces: Comma-separated space GUIDs
    • mtls_allowed_orgs: Comma-separated org GUIDs
    • mtls_allow_any: Boolean to allow any authenticated app
  • GUID existence validation against database
  • Mutual exclusivity enforcement (mtls_allow_any vs specific GUIDs)
  • Gated by app_to_app_mtls_routing feature flag

API Example

POST /v3/routes
{
  "host": "my-backend",
  "relationships": {
    "domain": {"data": {"guid": "mtls-domain-guid"}},
    "space": {"data": {"guid": "space-guid"}}
  },
  "options": {
    "mtls_allowed_apps": "frontend-app-guid-1,frontend-app-guid-2",
    "mtls_allowed_spaces": "trusted-space-guid",
    "mtls_allowed_orgs": "trusted-org-guid"
  }
}

Files Changed

  • app/messages/route_options_message.rb - Validation for mTLS route options
  • spec/unit/messages/route_options_message_spec.rb - Unit tests

Related PRs

rkoster added 5 commits March 5, 2026 08:33
@rkoster
Add allowed_sources support for mTLS app-to-app routing
5640df7 
- Add app_to_app_mtls_routing feature flag (default: false)
- Add allowed_sources to RouteOptionsMessage with validation
- Validate allowed_sources structure (apps/spaces/orgs arrays, any boolean)
- Validate that app/space/org GUIDs exist in database
- Enforce mutual exclusivity of 'any' with apps/spaces/orgs lists
@rkoster
Add unit tests for allowed_sources validation
223902c 
Tests cover:
- Feature flag disabled: allowed_sources rejected as unknown field
- Structure validation: object type, valid keys, array types, boolean any
- any exclusivity: cannot combine any:true with apps/spaces/orgs lists
- GUID existence validation: apps, spaces, orgs must exist in database
- Combined options: allowed_sources works with loadbalancing
@rkoster
Fix allowed_sources validation to handle symbol keys
f560db5 
Rails parses JSON with symbol keys, but validation was comparing
against string keys. Add normalized_allowed_sources helper to
transform keys to strings for consistent comparison.
@rkoster
Rename allowed_sources to mtls_allowed_sources for clarity
936d4dd 
Rename the route options field from allowed_sources to
mtls_allowed_sources for better clarity about its purpose
in mTLS app-to-app routing.

Updates RouteOptionsMessage to use the new field name in:
- Allowed keys registration
- Feature flag gating
- Validation methods
- All related tests
@rkoster
Refactor mTLS route options to RFC-0027 compliant flat format
9747046 
Change from nested mtls_allowed_sources object to flat options:
- mtls_allowed_apps: comma-separated app GUIDs (string)
- mtls_allowed_spaces: comma-separated space GUIDs (string)
- mtls_allowed_orgs: comma-separated org GUIDs (string)
- mtls_allow_any: boolean (true/false)

This complies with RFC-0027 which requires route options to only use
numbers, strings, and boolean values (no nested objects or arrays).
This was referenced Mar 5, 2026
Draft
Draft
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rkoster