{"id":19049845,"url":"https://github.com/emalm/tls-example-apps","last_synced_at":"2025-04-24T01:22:57.513Z","repository":{"id":57638539,"uuid":"106202208","full_name":"emalm/tls-example-apps","owner":"emalm","description":"Example Cloud Foundry applications that communicate directly over mutual TLS","archived":false,"fork":false,"pushed_at":"2019-06-08T18:42:21.000Z","size":48,"stargazers_count":11,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-18T09:34:17.593Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/emalm.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-10-08T19:07:08.000Z","updated_at":"2021-06-29T17:57:09.000Z","dependencies_parsed_at":"2022-08-30T06:10:10.707Z","dependency_job_id":null,"html_url":"https://github.com/emalm/tls-example-apps","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/emalm%2Ftls-example-apps","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/emalm%2Ftls-example-apps/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/emalm%2Ftls-example-apps/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/emalm%2Ftls-example-apps/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/emalm","download_url":"https://codeload.github.com/emalm/tls-example-apps/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250541751,"owners_count":21447574,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-08T23:12:05.393Z","updated_at":"2025-04-24T01:22:57.460Z","avatar_url":"https://github.com/emalm.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# TLS Example Apps\n\nThis collection of example applications contains a pair of applications designed to communicate directly over HTTP and to verify each other using Cloud Foundry instance-identity credentials.\n\n\n## Dependencies\n\n- [Golang](https://golang.org/dl/), to build the app binaries\n- [CF CLI](https://github.com/cloudfoundry/cli/releases), v6.30.0 or later\n- CF user with the `network.write` scope, to set network policies\n\n\n## Deploy to Cloud Foundry\n\n### Initial Setup\n\nClone this repository and make the frontend and backend binaries:\n\n```\ngit clone https://github.com/emalm/tls-example-apps.git\ncd tls-example-apps\nmake all\n```\n\nSet up a base domain for apps:\n\n```\napps_domain=bosh-lite.com # change for your environment\n```\n\nAlso, make sure you have logged into your CF deployment and targeted an org and a space to host the apps.\n\nIf your CF deployment has enabled [DNS-based platform-native service discovery](https://github.com/cloudfoundry/cf-app-sd-release), choose [Option 1](#option-1-dns-service-discovery) below. Otherwise, choose [Option 2](#option-2-public-service-discovery) for the frontend apps to discover the backend instances through a public route.\n\n### \u003ca name=\"option-1-dns-service-discovery\"\u003e\u003c/a\u003eOption 1: Use DNS-Based Platform Service Discovery\n\nPush the backend app without a public route:\n\n```\ncf push backend -p bin/linux/backend -b binary_buildpack -c './backend' -m 32M -k 32M -i 2 -u process --no-start --no-route\ncf set-env backend USE_PLATFORM_SERVICE_DISCOVERY true\n```\n\nMap an internal service-discovery route to the backend:\n\n```\nbackend_hostname=backend\ncf map-route backend apps.internal --hostname \"$backend_hostname\"\n```\n\nIf another space has already taken the internal route with the `backend` hostname, feel free to use an alternative of your choice, so long as you configure that same choice on the frontend apps below.\n\nPush the 'green' copy of the frontend app and grant it access to the backend app:\n\n```\ncf push frontend-green -p bin/linux/frontend -b binary_buildpack -c './frontend' -m 32M -k 32M -i 2 --no-start\ncf set-env frontend-green USE_PLATFORM_SERVICE_DISCOVERY true\ncf set-env frontend-green BACKEND_DOMAIN \"$backend_hostname.apps.internal\"\n\ncf add-network-policy frontend-green --destination-app backend --protocol tcp --port 9999\n```\n\nPush the 'blue' copy of the frontend app and grant it access to the backend app:\n\n```\ncf push frontend-blue -p bin/linux/frontend -b binary_buildpack -c './frontend' -m 32M -k 32M -i 2 --no-start\ncf set-env frontend-blue USE_PLATFORM_SERVICE_DISCOVERY true\ncf set-env frontend-blue BACKEND_DOMAIN \"$backend_hostname.apps.internal\"\n\ncf add-network-policy frontend-blue --destination-app backend --protocol tcp --port 9999\n```\n\nSkip over Option 2 to [finish configuring the apps and start them](#start-apps).\n\n### \u003ca name=\"option-2-public-service-discovery\"\u003e\u003c/a\u003eOption 2: Use Public Route for Service Discovery\n\nPush the backend app with its default route:\n\n```\ncf push backend -p bin/linux/backend -b binary_buildpack -c './backend' -m 32M -k 32M -i 2 --no-start\n```\n\nPush the 'green' copy of the frontend app and grant it access to the backend app:\n\n```\ncf push frontend-green -p bin/linux/frontend -b binary_buildpack -c './frontend' -m 32M -k 32M -i 2 --no-start\ncf set-env frontend-green BACKEND_DISCOVERY_URL \"http://backend.${apps_domain}\"\n\ncf add-network-policy frontend-green --destination-app backend --protocol tcp --port 9999\n```\n\nPush the 'blue' copy of the frontend app and grant it access to the backend app:\n\n```\ncf push frontend-blue -p bin/linux/frontend -b binary_buildpack -c './frontend' -m 32M -k 32M -i 2 --no-start\ncf set-env frontend-blue BACKEND_DISCOVERY_URL \"http://backend.${apps_domain}\"\n\ncf add-network-policy frontend-blue --destination-app backend --protocol tcp --port 9999\n```\n\n\n### \u003ca name=\"start-apps\"\u003e\u003c/a\u003eFinish Configuration and Start the Apps\n\nConfigure the backend app to authorize only the 'green' frontend app:\n\n```\nFRONTEND_GREEN_APP_GUID=$(cf app frontend-green --guid)\nFRONTEND_BLUE_APP_GUID=$(cf app frontend-blue --guid)\n\ncf set-env backend AUTHORIZED_APP_GUIDS \"[\\\"$FRONTEND_GREEN_APP_GUID\\\"]\"\n```\n\nStart the apps:\n\n```\ncf start backend\ncf start frontend-green\ncf start frontend-blue\n```\n\nMake requests to the frontend apps:\n\n```\ncurl https://frontend-green.${apps_domain}\ncurl https://frontend-blue.${apps_domain}\n```\n\nThe 'green' frontend app will report success, and the 'blue' one will report failure.\n\nReconfigure the backend to authorize the 'blue' frontend instead:\n\n```\ncf set-env backend AUTHORIZED_APP_GUIDS \"[\\\"$FRONTEND_BLUE_APP_GUID\\\"]\"\ncf restart backend\n```\n\nNow requests to the 'blue' frontend will succeed, and those to the 'green' frontend will fail.\n\n\n## CF Deployment Configuration\n\nThe CF deployment must be configured to use container networking and to enable the Diego cells to generate instance-identity credentials. Version [v0.31.0 of cf-deployment](https://github.com/cloudfoundry/cf-deployment/tree/v0.31.0) with the [enable-instance-identity-credentials](https://github.com/cloudfoundry/cf-deployment/blob/v0.31.0/operations/experimental/enable-instance-identity-credentials.yml) operations file will be configured this way.\n\n\n## Local Development\n\nOn Mac OS X:\n\n```\nmake all\n\nCERT_RELOAD_INTERVAL=10s \\\nCF_INSTANCE_GUID=backend-1 \\\nCF_INSTANCE_INTERNAL_IP=127.0.0.1 \\\nCF_INSTANCE_CERT=creds/server.crt \\\nCF_INSTANCE_KEY=creds/server.key \\\nCA_CERT_FILE=creds/ca.crt \\\n./bin/darwin/backend/backend\n\nPORT=8081 \\\nCERT_RELOAD_INTERVAL=10s \\\nCF_INSTANCE_CERT=creds/client.crt \\\nCF_INSTANCE_KEY=creds/client.key \\\nCA_CERT_FILE=creds/ca.crt \\\n./bin/darwin/frontend/frontend\n\ncurl http://127.0.0.1:8081\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Femalm%2Ftls-example-apps","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Femalm%2Ftls-example-apps","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Femalm%2Ftls-example-apps/lists"}