cloudfoundry · ameowlia · Sep 25, 2025 · Jul 9, 2025 · Jul 9, 2025 · Jul 9, 2025
@@ -21,8 +21,6 @@ This document describes how to enable the per-container [Envoy proxy](https://gi
 
 ## <a name="enabling-per-container-envoy-proxy"/> Enabling Per-Container Envoy Proxy
 
-A deployment operator enables the Linux cell reps to run an Envoy proxy process for each container by setting the `containers.proxy.enabled` property on the `rep` job to `true`.
-
 [Instance Identity Credentials](https://docs.cloudfoundry.org/adminguide/instance-identity.html) must also be enabled on the Diego cell rep so that it can configure the Envoy proxy process with the required TLS configuration.
 
 

@@ -256,9 +256,6 @@ properties:
     description: "time in seconds between signalling a container to shutdown gracefully and stopping it forcefully. Should not be less than 10."
     default: 10
 
-  containers.proxy.enabled:
-    description: "Enable envoy proxy on garden containers. Requires valid TLS credentials in diego.executor.instance_identity_ca_cert and diego.executor.instance_identity_key."
-    default: false
   containers.proxy.additional_memory_allocation_mb:
     description: "Additional memory allocated to each container for the envoy proxy. This value must not be negative"
     default: 32
@@ -268,7 +265,7 @@ properties:
 
   containers.proxy.require_and_verify_client_certificates:
     default: false
-    description: "whether the per-container proxy should require and verify a TLS certificate from a client connecting to one of its ingress listeners. Proxy will trust the set of CA certificates supplied in the containers.proxy.trusted_ca_certificates property. Requires containers.proxy.enabled to be set to true to enable."
+    description: "whether the per-container proxy should require and verify a TLS certificate from a client connecting to one of its ingress listeners. Proxy will trust the set of CA certificates supplied in the containers.proxy.trusted_ca_certificates property."
 
   containers.proxy.trusted_ca_certificates:
     default: []
@@ -299,7 +296,7 @@ properties:
 
   containers.proxy.enable_unproxied_port_mappings:
     default: true
-    description: "EXPERIMENTAL: whether the cell should still map host ports directly to the unproxied container ports. Setting to false requires containers.proxy.enabled to be set to true."
+    description: "EXPERIMENTAL: whether the cell should still map host ports directly to the unproxied container ports." 
 
   containers.trusted_ca_certificates:
     description: "List of PEM-encoded CA certificates to make available inside containers in a conventional location. List entries may be individual or concatenated CAs."

@@ -59,7 +59,7 @@
     disk_mb: p("diego.executor.disk_capacity_mb").to_s,
     declarative_healthcheck_path: "/var/vcap/packages/healthcheck",
     enable_healthcheck_metrics: p("enable_healthcheck_metrics"),
-    enable_container_proxy: p("containers.proxy.enabled"),
+    enable_container_proxy: "true",
     container_proxy_require_and_verify_client_certs: p("containers.proxy.require_and_verify_client_certificates"),
     container_proxy_trusted_ca_certs: p("containers.proxy.trusted_ca_certificates"),
     container_proxy_verify_subject_alt_name: p("containers.proxy.verify_subject_alt_name"),
@@ -188,15 +188,11 @@
 
   config[:bbs_address] = "https://#{p("diego.rep.bbs.api_location")}"
 
-  if config[:enable_container_proxy]
-    begin
+  begin
       p("diego.executor.instance_identity_ca_cert")
       p("diego.executor.instance_identity_key")
-    rescue
-      raise '"when containers.proxy.enabled is true, diego.executor.instance_identity_ca_cert" and "diego.executor.instance_identity_key" must both be set'
-    end
-  elsif !p("containers.proxy.enable_unproxied_port_mappings")
-    raise 'containers.proxy.enabled must be set to true in order to disable the unproxied port mappings'
+  rescue
+      raise '"diego.executor.instance_identity_ca_cert" and "diego.executor.instance_identity_key" must both be set'
   end
 
   if config[:container_proxy_require_and_verify_client_certs]
@@ -206,10 +202,8 @@
       end
   end
 
-  if_p("diego.executor.instance_identity_ca_cert",
-       "diego.executor.instance_identity_key",
-       "diego.executor.instance_identity_validity_period_in_hours") do |cert, key, validity_period|
-    if !(cert.empty? || key.empty? || validity_period < 1)
+  if_p("diego.executor.instance_identity_validity_period_in_hours") do |validity_period|
+    if !(validity_period < 1)
       config[:instance_identity_ca_path] = "#{conf_dir}/certs/rep/instance_identity.crt"
       config[:instance_identity_private_key_path] = "#{conf_dir}/certs/rep/instance_identity.key"
       config[:instance_identity_cred_dir] = instance_identity_dir

@@ -72,7 +72,5 @@ rm -rf "$trusted_certs_dir"
 
 proxy_config_dir=${garden_shared_dir}/proxy_config
 rm -rf "$proxy_config_dir"
-<% if p("containers.proxy.enabled") %>
-  mkdir -p "$proxy_config_dir"
-  chown -R vcap:vcap "$proxy_config_dir"
-<% end %>
+mkdir -p "$proxy_config_dir"
+chown -R vcap:vcap "$proxy_config_dir"
@@ -264,9 +264,6 @@ properties:
     description: "time in seconds between signalling a container to shutdown gracefully and stopping it forcefully. Should not be less than 10."
     default: 10
 
-  containers.proxy.enabled:
-    description: "EXPERIMENTAL: Enable envoy proxy on garden containers. Currently doesn't work on windows cells but left here for compatability with the linux Rep"
-    default: false
   containers.proxy.additional_memory_allocation_mb:
     description: "EXPERIMENTAL: Additional memory allocated to each container for the envoy proxy. This must not be negative. Currently doesn't work on windows cells but left here for compatability with the linux Rep"
     default: 32
@@ -276,7 +273,7 @@ properties:
 
   containers.proxy.require_and_verify_client_certificates:
     default: false
-    description: "whether the per-container proxy should require and verify a TLS certificate from a client connecting to one of its ingress listeners. Proxy will trust the set of CA certificates supplied in the containers.proxy.trusted_ca_certificates property. Requires containers.proxy.enabled to be set to true to enable."
+    description: "whether the per-container proxy should require and verify a TLS certificate from a client connecting to one of its ingress listeners. Proxy will trust the set of CA certificates supplied in the containers.proxy.trusted_ca_certificates property. 
 
   containers.proxy.trusted_ca_certificates:
     default: []
@@ -307,7 +304,7 @@ properties:
 
   containers.proxy.enable_unproxied_port_mappings:
     default: true
-    description: "EXPERIMENTAL: whether the cell should still map host ports directly to the unproxied container ports. Setting to false requires containers.proxy.enabled to be set to true."
+    description: "EXPERIMENTAL: whether the cell should still map host ports directly to the unproxied container ports. 
 
   containers.trusted_ca_certificates:
     description: "List of PEM-encoded CA certificates to make available inside containers in a conventional location. List entries may be individual or concatenated CAs."

@@ -59,7 +59,7 @@
     disk_mb: p("diego.executor.disk_capacity_mb").to_s,
     declarative_healthcheck_path: p("declarative_healthcheck_path"),
     enable_healthcheck_metrics: p("enable_healthcheck_metrics"),
-    enable_container_proxy: p("containers.proxy.enabled"),
+    enable_container_proxy: "true",
     container_proxy_require_and_verify_client_certs: p("containers.proxy.require_and_verify_client_certificates"),
     container_proxy_trusted_ca_certs: p("containers.proxy.trusted_ca_certificates"),
     container_proxy_verify_subject_alt_name: p("containers.proxy.verify_subject_alt_name"),
@@ -188,15 +188,11 @@
 
   config[:bbs_address] = "https://#{p("diego.rep.bbs.api_location")}"
 
-  if config[:enable_container_proxy]
-    begin
+  begin
       p("diego.executor.instance_identity_ca_cert")
       p("diego.executor.instance_identity_key")
-    rescue
-      raise '"when containers.proxy.enabled is true, diego.executor.instance_identity_ca_cert" and "diego.executor.instance_identity_key" must both be set'
-    end
-  elsif !p("containers.proxy.enable_unproxied_port_mappings")
-    raise 'containers.proxy.enabled must be set to true in order to disable the unproxied port mappings'
+  rescue
+      raise '"diego.executor.instance_identity_ca_cert" and "diego.executor.instance_identity_key" must both be set'
   end
 
   if config[:container_proxy_require_and_verify_client_certs]
@@ -206,10 +202,8 @@
       end
   end
 
-  if_p("diego.executor.instance_identity_ca_cert",
-       "diego.executor.instance_identity_key",
-       "diego.executor.instance_identity_validity_period_in_hours") do |cert, key, validity_period|
-    if !(cert.empty? || key.empty? || validity_period < 1)
+  if_p("diego.executor.instance_identity_validity_period_in_hours") do |validity_period|
+    if !(validity_period < 1)
       config[:instance_identity_ca_path] = "#{conf_dir}/certs/rep/instance_identity.crt"
       config[:instance_identity_private_key_path] = "#{conf_dir}/certs/rep/instance_identity.key"
       config[:instance_identity_cred_dir] = instance_identity_dir
Original file line number	Diff line number	Diff line change
Expand Up		@@ -21,8 +21,6 @@ This document describes how to enable the per-container [Envoy proxy](https://gi

		## <a name="enabling-per-container-envoy-proxy"/> Enabling Per-Container Envoy Proxy

		A deployment operator enables the Linux cell reps to run an Envoy proxy process for each container by setting the `containers.proxy.enabled` property on the `rep` job to `true`.

		[Instance Identity Credentials](https://docs.cloudfoundry.org/adminguide/instance-identity.html) must also be enabled on the Diego cell rep so that it can configure the Envoy proxy process with the required TLS configuration.


Expand Down