cloudfoundry · a18e · May 3, 2023 · Apr 14, 2023 · Apr 19, 2023 · Apr 25, 2023
@@ -100,11 +100,12 @@ bosh -e bosh upload-release
 
 # adjust the release to a dev release instead of the URL
 vim manifests/pcap-api.yml
-vim manifests/ops-files/add-pcap-agent-haproxy.yml
+vim manifests/ops-files/add-pcap-agent.yml
 
-# deploy pcap-agent to the HAProxy deployment(s)
-bosh interpolate -o manifests/ops-files/add-pcap-agent.yml haproxy.yml > haproxy-pcap.yml
-bosh -d cf haproxy haproxy-pcap.yml
+# deploy pcap-agent to the desired deployment(s) (example: diego-cells in cf deployment)
+bosh -d cf manifest > cf.yml
+bosh interpolate -o manifests/ops-files/add-pcap-agent.yml cf.yml > cf-pcap.yml
+bosh -d cf deploy cf-pcap.yml
 
 # deploy pcap-api
 cp manifests/vars-template.yml manifests/vars.yml

@@ -4,7 +4,7 @@ set -euo pipefail
 cd "${REPO_ROOT}"
 
 echo "> Running 'bundle exec rake lint'"
-bundle package
+bundle install
 bundle exec rake lint
 
 echo "> Running 'go vet'"

@@ -5,7 +5,7 @@ set -euo pipefail
 cd "${REPO_ROOT}"
 
 echo "> Running 'bundle exec rake spec'"
-bundle package
+bundle install
 bundle exec rake spec
 
 echo "> Running unit tests"

@@ -1,3 +1,3 @@
-<%- if_p("pcap-agent.listen.tls.certificate") do |cert| -%>
-<%= cert -%>
+<%- if_p("pcap-agent.listen.tls.certificate") do |pem| -%>
+<%= pem -%>
 <%- end -%>
@@ -38,6 +38,8 @@ properties:
   pcap-api.listen.port:
     description: "The port for the pcap-api to listen on"
     default: 8080
+  pcap-api.listen.tls.enabled:
+    default: true
   pcap-api.listen.tls.certificate:
     description: "Certificate chain to talk to gorouter in PEM format"
   pcap-api.listen.tls.private_key:

@@ -1,7 +1,3 @@
-<%
-  if_p("pcap-api.listen.tls.ca") do |pem|
-%>
-  <%= pem %>
-<%
-  end
-%>
+<%- if_p("pcap-api.listen.tls.ca") do |pem| -%>
+<%= pem %>
+<%- end -%>
@@ -1,7 +1,3 @@
-<%
-if_p("pcap-api.listen.tls.certificate") do |pem|
-%>
+<%- if_p("pcap-api.listen.tls.certificate") do |pem| -%>
 <%= pem %>
-<%
-end
-%>
+<%- end -%>
@@ -1,7 +1,3 @@
-<%
-if_p("pcap-api.listen.tls.private_key") do |pem|
-%>
+<%- if_p("pcap-api.listen.tls.private_key") do |pem| -%>
 <%= pem %>
-<%
-end
-%>
+<%- end -%>
@@ -10,15 +10,18 @@ config = {
   "concurrent_captures" => p("pcap-api.concurrent_captures"),
   "listen" => {
     "port" => p("pcap-api.listen.port"),
-    "tls" => {
-      "certificate"=> "/var/vcap/jobs/pcap-api/config/certs/pcap-api.crt",
-      "private_key" => "/var/vcap/jobs/pcap-api/config/certs/pcap-api.key",
-      "ca" => "/var/vcap/jobs/pcap-api/config/certs/pcap-api-ca.crt",
-    },
   },
   "cli_download_root" => p("pcap-api.cli_download_root")
 }
 
+if p("pcap-api.listen.tls.enabled").to_s == "true"
+    config["listen"]["tls"] = {
+        "certificate"=> "/var/vcap/jobs/pcap-api/config/certs/pcap-api.crt",
+        "private_key" => "/var/vcap/jobs/pcap-api/config/certs/pcap-api.key",
+        "ca" => "/var/vcap/jobs/pcap-api/config/certs/pcap-api-ca.crt"
+    }
+end
+
 if p("pcap-api.agents_mtls.enabled").to_s == "true"
   config["agents_mtls"] = {
       "common_name" => p("pcap-api.agents_mtls.common_name"),

@@ -23,7 +23,7 @@
     type: certificate
     update_mode: converge
     options:
-      ca: pcap_ca
+      ca: /bosh/pcap/pcap.ca
       common_name: pcap_agent_mtls
       alternative_names:
         - pcap-agent.service.cf.internal
@@ -38,6 +38,15 @@
     release: pcap
     properties:
       pcap-agent:
-        cert: ((pcap_agent_mtls.certificate))
-        key: ((pcap_agent_mtls.private_key))
-        ca_cert: ((pcap_agent_mtls.ca))
+        id: pcap-agent
+        log_level: "info"
+        buffer:
+          size: 100
+          upper_limit: 95
+          lower_limit: 90
+        listen:
+          port: 9494
+          tls:
+            certificate: ((pcap_agent_mtls.certificate))
+            private_key: ((pcap_agent_mtls.private_key))
+            ca: ((/bosh/pcap/pcap_ca.ca))
@@ -18,7 +18,7 @@ addons:
                   domain: bosh
                   instance_group: nats
                   network: cf
-                  query: '*'
+                  query: "*"
             - domain: _.nats.service.cf.internal
               targets:
                 - deployment: cf
@@ -30,7 +30,7 @@ instance_groups:
   - name: pcap-api
     azs:
       - z1
-    instances: 2
+    instances: 1
     vm_type: ((pcap_api.vm_type))
     stemcell: default
     networks: ((pcap_api.networks))
@@ -39,15 +39,32 @@ instance_groups:
         release: pcap
         properties:
           pcap-api:
-            agent_tls_skip_verify: true
-            enable_server_tls: false
-            cf_api: ((pcap_api.cf_api))
-            bosh_director_api: ((pcap_api.bosh_director_api))
-            bosh_director_ca: ((pcap_api.bosh_director_ca))
-            client_cert: ((pcap_api_mtls.certificate))
-            client_key: ((pcap_api_mtls.private_key))
-            agent_ca: ((pcap_api_mtls.ca))
-            agent_common_name: pcap-agent.service.cf.internal
+            log_level: info
+            buffer:
+              size: 1000
+              upper_limit: 995
+              lower_limit: 900
+            concurrent_captures: 5
+            listen:
+              port: 8080
+              tls:
+                enabled: false
+            bosh:
+              director_url: ((pcap_api.bosh_director_api))
+              token_scope: bosh.admin
+              agent_port: 9494
+              mtls:
+                common_name: bosh.service.cf.internal
+                skip_verify: false
+                certificate: ((pcap_api_bosh_mtls.certificate))
+                private_key: ((pcap_api_bosh_mtls.private_key))
+                ca: ((/bootstrap-bosh/bosh/default_ca.ca))
+            agents_mtls:
+              common_name: pcap-agent.service.cf.internal
+              skip_verify: false
+              certificate: ((pcap_api_mtls.certificate))
+              private_key: ((pcap_api_mtls.private_key))
+              ca: ((pcap_agent_mtls.ca))
       - name: route_registrar
         release: routing
         consumes:
@@ -62,12 +79,27 @@ instance_groups:
                 port: 8080
                 uris:
                   - ((route_registrar.public_route))
-            port: 8080
           nats:
             tls:
               enabled: true
               client_cert: ((nats.client_cert))
               client_key: ((nats.client_key))
+      - name: pcap-agent
+        release: pcap
+        properties:
+          pcap-agent:
+            id: pcap-agent/123
+            log_level: info
+            buffer:
+              size: 100
+              upper_limit: 95
+              lower_limit: 90
+            listen:
+              port: 9494
+              tls:
+                certificate: ((pcap_agent_mtls.certificate))
+                private_key: ((pcap_agent_mtls.private_key))
+                ca: ((pcap_agent_mtls.ca))
 
 update:
   canaries: 1
@@ -78,36 +110,57 @@ update:
 
 stemcells:
   - alias: default
-    os: ubuntu-bionic
+    os: ubuntu-jammy
     version: latest
 
 releases:
   - name: bpm
-    version: 1.1.8
-    url: https://bosh.io/d/github.com/cloudfoundry/bpm-release?v=1.1.8
-    sha1: c956394fce7e74f741e4ae8c256b480904ad5942
+    url: https://bosh.io/d/github.com/cloudfoundry/bpm-release?v=1.1.21
+    version: 1.1.21
+    sha1: e8abe19ec186962828de843f8f281cddb6141904
   - name: pcap
-    version: 0+dev.7
-    url: https://github.com/domdom82/pcap-server-release/releases/download/v0.0.1/pcap-server-0.0.1.tgz
-    sha1: a1655c1992b911fef3ad0b46c5abb8a0217ef0a2
+    version: 0+dev.1682596802
   - name: bosh-dns-aliases
     version: 0.0.4
     url: https://bosh.io/d/github.com/cloudfoundry/bosh-dns-aliases-release?v=0.0.4
     sha1: 55b3dced813ff9ed92a05cda02156e4b5604b273
   - name: routing
-    version: 0.232.0
-    url: https://bosh.io/d/github.com/cloudfoundry/routing-release?v=0.232.0
-    sha1: 1150a7c89a04db07145c906ccdbfda7424e6dfc6
+    url: https://bosh.io/d/github.com/cloudfoundry/routing-release?v=0.259.0
+    version: 0.259.0
 
 variables:
+  - name: pcap_ca
+    type: certificate
+    options:
+      common_name: pcap_ca
+      is_ca: true
   - name: pcap_api_mtls
     type: certificate
-    update_mode: converge
     options:
-      ca: ((pcap_api.ca_path))
+      ca: pcap_ca
       common_name: pcap_api_mtls
       alternative_names:
         - pcap-api.service.cf.internal
       extended_key_usage:
         - client_auth
         - server_auth
+  - name: pcap_agent_mtls
+    type: certificate
+    update_mode: converge
+    options:
+      ca: pcap_ca
+      common_name: pcap_agent_mtls
+      alternative_names:
+        - pcap-agent.service.cf.internal
+      extended_key_usage:
+        - client_auth
+        - server_auth
+  - name: pcap_api_bosh_mtls
+    type: certificate
+    options:
+      ca: /bootstrap/bosh/default_ca
+      common_name: pcap_api_bosh_mtls
+      alternative_names:
+        - pcap-api.service.cf.internal
+      extended_key_usage:
+        - client_auth
@@ -78,6 +78,44 @@
     end
   end
 
+  context 'when platform-TLS is disabled' do
+    let(:listen) do
+      {
+        'listen' => {
+          'tls' => {
+            'enabled' => 'false'
+          }
+        }
+      }
+    end
+
+    it 'does not configure certificates for pcap-api' do
+      properties.merge!(listen)
+      expect(pcap_api_conf['listen']).not_to have_key('tls')
+    end
+  end
+
+  context 'when pcap-api.tls config provided' do
+    let(:listen) do
+      {
+        'listen' => {
+          'tls' => {
+            'certificate' => 'test',
+            'private_key' => 'test',
+            'ca' => 'test'
+          }
+        }
+      }
+    end
+
+    it 'configures pcap-api TLS settings correctly' do
+      properties.merge!(listen)
+      expect(pcap_api_conf['listen']['tls']['certificate']).to include('/var/vcap/jobs/pcap-api/config/certs/pcap-api.crt')
+      expect(pcap_api_conf['listen']['tls']['private_key']).to include('/var/vcap/jobs/pcap-api/config/certs/pcap-api.key')
+      expect(pcap_api_conf['listen']['tls']['ca']).to include('/var/vcap/jobs/pcap-api/config/certs/pcap-api-ca.crt')
+    end
+  end
+
   context 'when pcap-api.buffer provided' do
     let(:buffer) do
       {

@@ -61,14 +61,14 @@ func main() {
 	// set up a BoshResolver, if one is defined.
 	err = registerBoshResolver(config.BoshResolverConfig, api)
 	if err != nil {
-		log.Error("Could not register BOSH Resolver", zap.Error(err))
+		log.Error("could not register BOSH Resolver", zap.Error(err))
 		return
 	}
 
 	//TODO: CFAgentResolver
 
 	if len(api.HealthyResolverNames()) == 0 {
-		log.Error("Could not register any AgentResolvers. Please check the configuration.")
+		log.Error("could not register any AgentResolvers. Please check the configuration.")
 		return
 	}