fix(api-tls-config): Add pcap-api.agents_mtls.enabled property

cloudfoundry · May 3, 2023 · f4553fb · f4553fb
1 parent a46faee
commit f4553fb
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 22 deletions.
diff --git a/jobs/pcap-api/spec b/jobs/pcap-api/spec
@@ -38,6 +38,8 @@ properties:
   pcap-api.listen.port:
     description: "The port for the pcap-api to listen on"
     default: 8080
+  pcap-api.listen.tls.enabled:
+    default: true
   pcap-api.listen.tls.certificate:
     description: "Certificate chain to talk to gorouter in PEM format"
   pcap-api.listen.tls.private_key:

diff --git a/jobs/pcap-api/templates/pcap-api.yml.erb b/jobs/pcap-api/templates/pcap-api.yml.erb
@@ -14,13 +14,11 @@ config = {
   "cli_download_root" => p("pcap-api.cli_download_root")
 }
 
-if_p("pcap-api.listen.tls.certificate", "pcap-api.listen.tls.private_key", "pcap-api.listen.tls.ca") do
-    config["listen"] = {
-      "tls" => {
+if p("pcap-api.listen.tls.enabled").to_s == "true"
+    config["listen"]["tls"] = {
         "certificate"=> "/var/vcap/jobs/pcap-api/config/certs/pcap-api.crt",
         "private_key" => "/var/vcap/jobs/pcap-api/config/certs/pcap-api.key",
         "ca" => "/var/vcap/jobs/pcap-api/config/certs/pcap-api-ca.crt"
-      }
     }
 end
 

diff --git a/manifests/pcap-api.yml b/manifests/pcap-api.yml
@@ -47,10 +47,8 @@ instance_groups:
             concurrent_captures: 5
             listen:
               port: 8080
-            #              tls:
-            #                certificate: ((pcap_api_platform_mtls.certificate))
-            #                private_key: ((pcap_api_platform_mtls.private_key))
-            #                ca: ((/bosh/cf/router_ca.ca))
+              tls:
+                enabled: false
             bosh:
               director_url: ((pcap_api.bosh_director_api))
               token_scope: bosh.admin
@@ -79,8 +77,6 @@ instance_groups:
               - name: pcap-api-public-endpoint
                 registration_interval: 20s
                 port: 8080
-                #                tls_port: 8080
-                #                server_cert_domain_san: pcap-api.service.cf.internal
                 uris:
                   - ((route_registrar.public_route))
           nats:
@@ -168,13 +164,3 @@ variables:
         - pcap-api.service.cf.internal
       extended_key_usage:
         - client_auth
-#  - name: pcap_api_platform_mtls
-#    type: certificate
-#    options:
-#      ca: /bosh/cf/router_ca
-#      common_name: pcap_api_platform_mtls
-#      alternative_names:
-#        - pcap-api.service.cf.internal
-#      extended_key_usage:
-#        - server_auth
-#        - client_auth
diff --git a/spec/api_global_options_spec.rb b/spec/api_global_options_spec.rb
@@ -78,18 +78,19 @@
     end
   end
 
-  context 'when incomplete pcap-api.tls config provided' do
+  context 'when platform-TLS is disabled' do
     let(:listen) do
       {
         'listen' => {
           'tls' => {
-            'certificate' => 'test'
+            'enabled' => 'false'
           }
         }
       }
     end
 
     it 'does not configure certificates for pcap-api' do
+      properties.merge!(listen)
       expect(pcap_api_conf['listen']).not_to have_key('tls')
     end
   end