
cloud_controller should emit SHA256 fingerprint for desired lrps for diego-ssh proxy

Open winkingturtle-vmw opened this issue 7 months ago • 2 comments

In this PR we added support for SHA1, but diego-ssh now has support for SHA256 fingerprint. This issue is tracking adding support for SHA256 fingerprint. After we merge and cut a new diego-release, we can then bump this to use SHA256 instead.

Notes:

  • We need to make sure diego-release has been bumped in cf-deployment first
  • Please make sure that the PCF versions have also been bumped to use the latest diego-release before implementing this

winkingturtle-vmw, Apr 24 '25 18:04

@winkingturtle-vmw what happens if capi-release is bumped before diego-release? What is the failure mode?

tcdowney, May 23 '25 18:05

If capi-release is updated before diego-release, I think cf ssh should fail.

I am personally not a fan of a generic fingerprint. I think it's better to have an explicit sha256_fingerprint instead of fingerprint, so that the logic on the diego-ssh side is not based on length, but on the existence of the property. But this would require changing the desired-lrps's structure, and I am not sure what level of agreement we need to make for this to happen.

winkingturtle-vmw, May 27 '25 11:05
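
The two points raised in this thread (what a proxy without SHA256 support does with a SHA256 fingerprint, and selecting the hash by length versus by an explicit property) can be modelled in a few lines of Go. This is an added example, not code from diego-ssh or capi-release. The colon-separated hex encoding, all function names, the `sha256Aware` switch and the key bytes are assumptions made for the illustration.

```go
package main

import (
	"crypto/sha1"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

var ErrUnknownFormat = errors.New("unrecognized fingerprint length")
var ErrMismatch = errors.New("host key fingerprint mismatch")

func colonHex(sum []byte) string { // colon-separated hex; encoding assumed here
	return strings.ReplaceAll(fmt.Sprintf("% x", sum), " ", ":")
}
func SHA1Fingerprint(key []byte) string   { s := sha1.Sum(key); return colonHex(s[:]) }
func SHA256Fingerprint(key []byte) string { s := sha256.Sum256(key); return colonHex(s[:]) }

func check(actual, expected string) error {
	if actual != expected {
		return ErrMismatch
	}
	return nil
}

// VerifyByLength infers the hash from string length; sha256Aware=false models an older proxy.
func VerifyByLength(key []byte, expected string, sha256Aware bool) error {
	switch {
	case len(expected) == 59: // 20 bytes: 40 hex chars + 19 colons
		return check(SHA1Fingerprint(key), expected)
	case len(expected) == 95 && sha256Aware: // 32 bytes: 64 hex chars + 31 colons
		return check(SHA256Fingerprint(key), expected)
	}
	return ErrUnknownFormat
}

// VerifyExplicit picks the hash by which property is set (hypothetical explicit field).
func VerifyExplicit(key []byte, fingerprint, sha256Fingerprint string) error {
	if sha256Fingerprint != "" {
		return check(SHA256Fingerprint(key), sha256Fingerprint)
	}
	return VerifyByLength(key, fingerprint, false)
}

func main() {
	key := []byte("constructed-host-key-blob") // constructed sample, not a real key
	fmt.Println(VerifyByLength(key, SHA256Fingerprint(key), false)) // older proxy
	fmt.Println(VerifyExplicit(key, "", SHA256Fingerprint(key)))
}
```

In this model the older verifier fails closed on the unrecognized length, while the explicit property keeps the SHA1 path untouched for senders that have not switched.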