
Update Gorouter `CACerts` property to list

Open peanball opened this issue 2 years ago • 3 comments

This allows modifying and expanding the CAs in a deployment using ops-files.

This is a breaking change in configuration and will require a new major version of CF Deployment!

  • A short explanation of the proposed change:

CACerts in the gorouter configuration is a string, containing concatenated PEM format CA certificates. In order to add new certificates, the default list of CA certificates provided in the cf-deployment should be extended with additional certificates. Using ops-files in CF this is not possible.

By changing the CACerts field to an array, which may still contain PEM certificate chains, additional CA certificates can be added via ops-file without the risk of overwriting updated upstream CAs defined via cf-deployment.

  • An explanation of the use cases your change solves

See above.

  • Instructions to functionally test the behavior change using operator interfaces (BOSH manifest, logs, curl, and metrics)

The configuration allows defining CA certificates as a list of strings.

The following ops-file to append an extra CA cert becomes possible:

- type: replace
  path: /instance_groups/name=router/jobs/name=gorouter/properties/router/ca_certs?/-
  value:
    - ((YOUR-CUSTOM-CA-1.ca))

  • Expected result after the change

New CA Certs can be added via ops-file

  • Current result before the change

New CA Certs can only be added by copy-and-pasting the default CA certs from the cf-deployment and adding a new one, risking losing or overwriting changes introduced in a new cf-deployment manifest.

  • Links to any other associated PRs

  • [x] I have viewed, signed and submitted the Contributor License Agreement

  • [x] I have made this pull request to the main branch

  • [x] I have run all the unit tests using scripts/run-unit-tests-in-docker from routing-release. (Some tests unrelated to this change fail in the current main branch.)

  • [ ] (Optional) I have run Routing Acceptance Tests and Routing Smoke Tests on bosh lite

  • [ ] (Optional) I have run CF Acceptance Tests on bosh lite

peanball avatar May 09 '22 15:05 peanball
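As an added illustration of the list shape proposed in this PR (example code, not from the PR or from gorouter itself): a loader that accepts `ca_certs` as a list of strings where each entry may be a single PEM certificate or a concatenated chain, and rejects entries that carry no certificate or a non-certificate PEM block (a pasted private key, an empty credential) so the trust pool never silently shrinks. `LoadCACerts` and `SelfSignedCAPEM` are names assumed here, and the sample CAs are generated in-process rather than taken from cf-deployment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// LoadCACerts consumes ca_certs as a list: each entry may hold one PEM
// certificate or a concatenated chain. Every PEM block must parse as a
// CERTIFICATE and every entry must contribute at least one.
func LoadCACerts(entries []string) (*x509.CertPool, int, error) {
	pool, total := x509.NewCertPool(), 0
	for i, entry := range entries {
		count := 0
		for block, rest := pem.Decode([]byte(entry)); block != nil; block, rest = pem.Decode(rest) {
			if block.Type != "CERTIFICATE" {
				return nil, 0, fmt.Errorf("ca_certs[%d]: unexpected PEM block %q", i, block.Type)
			}
			cert, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				return nil, 0, fmt.Errorf("ca_certs[%d]: %w", i, err)
			}
			pool.AddCert(cert)
			count++
		}
		if count == 0 {
			return nil, 0, fmt.Errorf("ca_certs[%d]: no CERTIFICATE block found", i)
		}
		total += count
	}
	return pool, total, nil
}

// SelfSignedCAPEM builds a throwaway self-signed CA (constructed sample input only).
func SelfSignedCAPEM(cn string) string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}
```

Feeding it `[]string{upstreamChain, customCA}` models exactly what the ops-file above produces: the cf-deployment default bundle stays one entry and the appended CA becomes another, with no copy-paste of upstream material.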

Hi @peanball,

❓ Do you have a related PR for routing-release? Or else, I would think you would run into this template check.

In order to use this there needs to be changes in routing release to:

  • gorouter spec property definition
  • gorouter template
  • gorouter template tests

Thanks!

ameowlia avatar May 31 '22 14:05 ameowlia

FYI the CI job for this was failing irrespective of the PR, and it has been since disabled. Ignore that status check when reviewing.

geofffranks avatar Sep 02 '22 15:09 geofffranks

I will complete it next week. The PR is needed though. I would like to add a test for the new property.

peanball avatar Oct 11 '22 08:10 peanball