0.343.0
Release Date: August 07, 2025
Changes
- Dependency Bumps
  - Bumped to Golang 1.24.5
- Changed some redundant log messages to Debug. Thanks @hoffmaen!
- Added support in routing-api and tcp-router for route-registrar based TCP routes to request frontend TLS termination by tcp-router, using ALPNs to host multiple services behind a single TLS port and reducing the number of TCP routes needed for backend services. Thanks @AshishNaware @neowulf!
Bosh Job Spec changes:
diff --git a/jobs/route_registrar/spec b/jobs/route_registrar/spec
index c39eac917..f575e1006 100644
--- a/jobs/route_registrar/spec
+++ b/jobs/route_registrar/spec
@@ -104,7 +104,7 @@ properties:
type (optional, string, for all routes): Defaults to http, can specify http, sni, or tcp.
uris (required, array, for http routes): When Gorouter receives a request that matches one of these URIs,
it will forward them to the IP of the host on which route_registrar runs, and either port or tls_port.
- sni_port (required, integer, for sni rotues): When sni type provided, this is the downstream port to route to
+ sni_port (required, integer, for sni routes): When sni type provided, this is the downstream port to route to
port (required, integer, for all routes): Either `port` or `tls_port` are required; if both are provided, Gorouter will prefer tls_port.
Requests for associated URIs will be forwarded unencypted by the router to this port.
The IP is determined automatically from the host on which route-registrar is run.
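Review bot: The context line two below the corrected `sni_port` entry still reads "forwarded unencypted by the router"; since this hunk is already a spelling fix in the same property block, correct "unencypted" to "unencrypted" here as well. That sentence is the one telling operators that `port` receives plaintext from the router, so it should be findable under the right spelling.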
@@ -128,6 +128,8 @@ properties:
external_port (required, string, for tcp routes): Port that the TCP router will listen on.
server_cert_domain_name_modifier (optional, string, for sni routes): a regex replace to help with complicated hostnames.
options (optional, object, for http routes): Custom per-route options
+ terminate_frontend_tls (optional, boolean): When true, the router will terminate TLS before forwarding requests to the backend. Default: false
+ alpns (optional, array): Application Layer Protocol Negotiation strings.
health_check object
name (required, string): Human-readable reference for the healthcheck
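Review bot: The two added properties, `terminate_frontend_tls` and `alpns`, do not state which route type they apply to, while every neighbouring entry does ("for tcp routes", "for sni routes", "for http routes"). Add the route type to both, and say in the `alpns` description what the router does with the strings and whether they have any effect when `terminate_frontend_tls` is false. The `terminate_frontend_tls` text should also state how traffic travels from the router to the backend once TLS has been terminated, since an operator turning this on needs to know whether that leg is plaintext.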
@@ -161,6 +163,10 @@ properties:
script_path: /path/to/script
timeout: 5s
route_service_url: https://my-oauth-proxy-route-service.example.com
+ terminate_frontend_tls: true
+ alpns:
+ - h2
+ - http/1.1
options:
loadbalancing: least-connection
- name: my-tls-endpoint
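Review bot: The example places `terminate_frontend_tls: true` and `alpns` in an entry that also carries `route_service_url` and `options`, and `options` is documented earlier in this spec as "for http routes". If the new keys are meant for tcp routes, show them in a separate example entry with `type: tcp` and `external_port`, so the example cannot be read as enabling frontend TLS termination on an http route.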
diff --git a/jobs/tcp_router/spec b/jobs/tcp_router/spec
index 234e3db92..7d1df979f 100644
--- a/jobs/tcp_router/spec
+++ b/jobs/tcp_router/spec
@@ -59,6 +59,21 @@ properties:
be set. For mTLS also set tcp_router.backend_tls.client_cert and
tcp_router.backend_tls.client_key.
default: false
+ tcp_router.frontend_tls_pem.certificate_path:
+ description: Path to the certs and key store
+ tcp_router.frontend_tls:
+ description: "Array of private keys, certificates and names for serving TLS requests. Each element in the array is an object containing fields 'private_key' and 'cert_chain', each of which supports a PEM block."
+ example: |
+ - cert_chain: |
+ -----BEGIN CERTIFICATE-----
+ -----END CERTIFICATE-----
+ -----BEGIN CERTIFICATE-----
+ -----END CERTIFICATE-----
+ private_key: |
+ -----BEGIN RSA PRIVATE KEY-----
+ -----END RSA PRIVATE KEY-----
+ name: |
+ name of the cert
tcp_router.backend_tls.client_cert:
description: "TCP Router's TLS client cert used for mTLS with route backends"
tcp_router.backend_tls.client_key:
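Review bot: `tcp_router.frontend_tls_pem.certificate_path` has only "Path to the certs and key store" as its description and no `default:`, so it is unclear whether it names a file or a directory and how it relates to the `tcp_router.frontend_tls` array added right below it. Spell that out, and give both new properties a default as the preceding property does with `default: false`. In `tcp_router.frontend_tls`, the description says each element contains 'private_key' and 'cert_chain' but the example also sets `name`; document `name` as a field, say what it is used for, and note whether key types other than the RSA key shown in the example are accepted.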
✨ Built with go 1.24.6
Full Changelog: v0.342.0...v0.343.0