Configuring Cloud Foundry Routing

This topic describes how to configure Cloud Foundry to handle routing for Cloud Foundry Container Runtime (CFCR).

You configure Cloud Foundry routing by editing the BOSH configuration files before deploying BOSH for CFCR. The procedure for generating these files and using them to deploy BOSH for CFCR will vary depending on your IaaS.


Consult the following list of prerequisites before performing the procedures in this topic:

Step 1: Enable Internal Communication

You must edit your IaaS firewall rules to enable communication between the Cloud Foundry components and the CFCR VMs. The procedures will vary by IaaS, but you must do the following:

  • Ensure that the Cloud Foundry routing components can reach your CFCR cluster on the NodePort port range.
  • Ensure that the Cloud Foundry TCP Router can reach the CFCR master nodes on port 8443 to communicate with the Kubernetes API server.
  • Ensure that the CFCR components can reach the Cloud Foundry NATS servers on port 4222.
  • Ensure that the CFCR components can reach the Cloud Foundry API and UAA endpoints. Both are HTTPS endpoints in the Cloud Foundry system domain, accessible on port 443.

Step 2: Create a Routing UAA Client

Perform the following steps to create a UAA client for CFCR routing:

  1. Target the UAA server of your Cloud Foundry deployment. Run the following command:
    uaac target uaa.YOUR-SYS-DOMAIN --skip-ssl-validation

    Where YOUR-SYS-DOMAIN is your system domain.

    For example:

    $ uaac target uaa.sys.example.com --skip-ssl-validation

  2. Authenticate and obtain an access token for the admin client. Enter the following command:

    $ uaac token client get admin

    When prompted, enter the UAA admin client password. This is uaa:admin:client_secret in your Cloud Foundry deployment manifest.

  3. Add a client for CFCR routing. CFCR will use this client to create routes in Cloud Foundry. Enter the following command:

    $ uaac client add routing_api_client \ --authorities "routing.router_groups.read,routing.routes.write,cloud_controller.admin" --authorized_grant_type "client_credentials"

    When prompted, enter a secret for the new client. Record this secret.

Step 3: Configure CFCR for Cloud Foundry Routing

Perform the following steps to configure CFCR for Cloud Foundry routing:

  1. Navigate to KUBO_ENV and open the director-secrets.yml file.
  2. Uncomment the routing-cf-client-secret line and fill in the UAA routing client secret you created above.
  3. Uncomment the routing-cf-nats-password line and fill in the NATS password. This is nats: nats: password in your Cloud Foundry deployment manifest.


    The director-secrets.yml file contains sensitive information and should not be under version control.

  4. Open the director.yml file.

  5. Comment out the IaaS routing mode settings section.
  6. Uncomment the CF routing mode settings section, and set appropriate values for your deployment.

    1. Uncomment routing_mode: cf.
    2. Set the kubernetes_master_host to the TCP router hostname or IP address for Cloud Foundry. This is typically tcp.YOUR-APPS-DOMAIN, such as tcp.apps.cf-example.com.


      If you are using a domain, ensure that the DNS resolves correctly. For more information, see the Pre-Deployment Steps section of the Enabling TCP Routing topic in the Cloud Foundry documentation.

    3. Set the kubernetes_master_port to an available port on the Cloud Foundry TCP router.

    4. Set the routing-cf-api-url to the Cloud Foundry API URL, such as https://api.sys.cf-example.com.
    5. Set the routing-cf-client-id to routing_api_client.
    6. Set the routing-cf-uaa-url to the Cloud Foundry UAA URL, such as https://uaa.sys.cf-example.com.
    7. Set the routing-cf-app-domain-name to the Cloud Foundry apps domain, such as apps.cf-example.com.
    8. Set the routing-cf-nats-internal-ips to the array of internal IP addresses used by Cloud Foundry NATS, such as []. To obtain the IP addresses for your NATS instances, log in to the BOSH Director you used to deploy Cloud Foundry and run bosh -e YOUR-ENV instances.
    9. Uncomment routing-cf-nats-username: nats.
    10. Uncomment routing-cf-nats-port: 4222.
  7. Deploy BOSH for CFCR by performing the procedures specific to your IaaS: