CF_INSTANCE_PORT Environment Variables Missing from App Containers After Upgrading to Tanzu Platform for Cloud Foundry 10.x

Article ID: 438011


Products

VMware Tanzu Application Service

Issue/Introduction

After upgrading Tanzu Platform for Cloud Foundry from version 6.x to 10.x, applications that reference the CF_INSTANCE_PORT environment variable may crash on startup or behave unexpectedly. Any application or library reading CF_INSTANCE_PORT receives None, null, or an empty value. After SSHing into an affected application container, neither CF_INSTANCE_PORT nor CF_INSTANCE_ADDR is present in the container environment.

Environment

Product: Tanzu Platform for Cloud Foundry (TPCF) / Elastic Application Runtime (EAR)
Versions affected: 10.2.x and later
Versions where behavior previously worked: 6.0.x and earlier

Cause

Breaking Change: Apps are no longer accessible via the Diego Cell IP and Diego Cell host port by default

In TPCF 10.x, the default setting for "Gorouter and TCP Router app identity verification" in the App Containers pane changed to "Gorouter and TCP Router use mutual TLS with apps to verify each other's identity" (mTLS). Under this configuration, Diego no longer allocates an unencrypted host-side port per application container instance. This is by design, as part of the platform's broader move to enforce encrypted communication between the Gorouter and application containers.


CF_INSTANCE_PORT is defined as the external (host-side) port corresponding to the internal container port. It is derived directly from the Diego executor's host-side port mapping (HostPort). When mTLS is enabled and no unencrypted host port is allocated, HostPort is set to 0 by Diego.

The Diego executor in executor/depot/steps/run_step.go contains the following conditional logic:

if len(step.portMappings) > 0 {
    if step.portMappings[0].HostPort > 0 {
        envVars = append(envVars, fmt.Sprintf("CF_INSTANCE_PORT=%d", step.portMappings[0].HostPort))
        envVars = append(envVars, fmt.Sprintf("CF_INSTANCE_ADDR=%s:%d", step.externalIP, step.portMappings[0].HostPort))
    }
}

When HostPort is 0, the inner condition fails, so neither CF_INSTANCE_PORT nor CF_INSTANCE_ADDR is injected into the container environment.
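
The following is an added example, not Diego's code and not part of the original article: a simplified Go model of the conditional above, beside a hypothetical app-side reader (InstancePort) that treats a missing CF_INSTANCE_PORT as "no unencrypted host port" instead of failing. The PortMapping type, the function names, and the sample IP and port values are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// PortMapping is a simplified stand-in for Diego's port mapping (assumption).
type PortMapping struct{ ContainerPort, HostPort uint16 }

// instanceEnv models the conditional quoted above (simplified, not Diego's code).
func instanceEnv(externalIP string, m []PortMapping) []string {
	var env []string
	if len(m) > 0 && m[0].HostPort > 0 {
		env = append(env, fmt.Sprintf("CF_INSTANCE_PORT=%d", m[0].HostPort))
		env = append(env, fmt.Sprintf("CF_INSTANCE_ADDR=%s:%d", externalIP, m[0].HostPort))
	}
	return env
}

// InstancePort is a hypothetical app-side reader. ok=false with a nil error
// means no unencrypted host port was allocated; callers should not crash on it.
func InstancePort(env []string) (port int, ok bool, err error) {
	const key = "CF_INSTANCE_PORT="
	for _, kv := range env {
		if !strings.HasPrefix(kv, key) {
			continue
		}
		v := kv[len(key):]
		if v == "" {
			return 0, false, nil
		}
		p, perr := strconv.Atoi(v)
		if perr != nil || p < 1 || p > 65535 {
			return 0, false, fmt.Errorf("invalid CF_INSTANCE_PORT %q", v)
		}
		return p, true, nil
	}
	return 0, false, nil
}

func main() {
	// Constructed sample values, not taken from a real Diego cell.
	for _, m := range [][]PortMapping{{{8080, 61001}}, {{8080, 0}}} {
		port, ok, err := InstancePort(instanceEnv("10.0.4.12", m))
		fmt.Printf("mapping=%v port=%d ok=%v err=%v\n", m, port, ok, err)
	}
}
```

An application that needs the value for optional features, such as logging or self-registration, can branch on ok and keep starting when it is false.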

Resolution

Reverting the Gorouter app identity verification setting from mTLS to TLS restores the unencrypted host-side port allocation, which causes Diego to populate HostPort with a non-zero value and allows the executor to inject CF_INSTANCE_PORT back into the container environment.

 

  • Log in to Tanzu Operations Manager.
  • Click the VMware Tanzu Platform for Cloud Foundry tile.
  • Navigate to the App Containers pane.
  • Under "Gorouter and TCP Router app identity verification", select "Gorouter and TCP Router use TLS to verify app identity".
  • Click Save.
  • Return to the Installation Dashboard and click Review Pending Changes.
  • Confirm the change and click Apply Changes.

Immediate Workaround:

If Apply Changes cannot be run immediately and applications must be restored quickly, the missing variable can be manually injected as a user-provided environment variable:

  • cf set-env <APP_NAME> CF_INSTANCE_PORT 8080
  • cf restage <APP_NAME>