Add bosh properties/templates for syncing ASG data into policy-server

Signed-off-by: Geoff Franks <[email protected]>

Author: Marc Paquette

.ruby-version

@@ -0,0 +1 @@
+3.0.2

Gemfile

@@ -3,6 +3,6 @@ source 'https://rubygems.org'
 group :test do
   gem "nokogiri", ">= 1.10.8"
   gem 'rspec'
-  gem 'bosh-template'
+  gem 'bosh-template', ">= 2.2.1"
   gem 'solargraph'
 end

Gemfile.lock

@@ -3,7 +3,7 @@ GEM
   specs:
     ast (2.4.0)
     backport (1.1.2)
-    bosh-template (2.1.0)
+    bosh-template (2.2.1)
       semi_semantic (~> 1.2.0)
     diff-lcs (1.3)
     htmlentities (4.3.4)
@@ -64,7 +64,7 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
-  bosh-template
+  bosh-template (>= 2.2.1)
   nokogiri (>= 1.10.8)
   rspec
   solargraph

jobs/policy-server/spec

@@ -12,6 +12,10 @@ templates:
   uaa_ca.crt.erb: config/certs/uaa_ca.crt
   cc_ca.crt.erb: config/certs/cc_ca.crt
   database_ca.crt.erb: config/certs/database_ca.crt
+
+  locket_ca.crt.erb: config/certs/locket_ca.crt
+  locket.crt.erb: config/certs/locket.crt
+  locket.key.erb: config/certs/locket.key
 
   post-start.erb: bin/post-start
   pre-start.erb: bin/pre-start
@@ -203,3 +207,24 @@ properties:
   allowed_cors_domains:
     description: "List of domains (including scheme) from which Cross-Origin requests will be accepted."
     default: []
+
+  asg_sync_enabled:
+    description: "Enables syncing of ASG data from CAPI for use with dynamic ASGs in silk-release"
+    default: true
+
+  asg_sync_interval:
+    description: "Interval in seconds that policy-server will poll CAPI for ASG data. Requires asg_sync_enabled. Must be > 0"
+    default: 60
+
+  locket_address:
+    description: "Hostname and port of the Locket server. Must be set when asg_sync_enabled is set to true."
+    default: "locket.service.cf.internal:8891"
+
+  locket_ca_cert:
+    description: "The CA certificiate for the CA for Locket."
+
+  locket_client_cert:
+    description: "The client certificate for Locket."
+
+  locket_client_key:
+    description: "The private key for Locket."

jobs/policy-server/templates/locket.crt.erb

@@ -0,0 +1,3 @@
+<% if p("asg_sync_enabled") %>
+<%= p("locket_client_cert") %>
+<% end %>

jobs/policy-server/templates/locket.key.erb

@@ -0,0 +1,3 @@
+<% if p("asg_sync_enabled") %>
+<%= p("locket_client_key") %>
+<% end %>

jobs/policy-server/templates/locket_ca.crt.erb

@@ -0,0 +1,3 @@
+<% if p("asg_sync_enabled") %>
+<%= p("locket_ca_cert") %>
+<% end %>

jobs/policy-server/templates/policy-server.json.erb

@@ -66,6 +66,27 @@
     end
 
     parse_ip(p('listen_ip'), 'listen_ip')
+
+    def asg_sync_interval
+      # if p() is safe here since asg_sync_enabled + asg_sync_interval both have defaults and can't be nil
+      if p('asg_sync_enabled')
+        interval = p('asg_sync_interval')
+        if interval.class == Integer and interval >= 1
+          return interval
+        end
+          raise "asg_sync_interval must be an integer greater than 0"
+      end
+    end
+
+    def locket_address
+      # if p() is safe here since asg_sync_enabled + locket_address both have defaults and can't be nil
+      if p('asg_sync_enabled')
+        if p('locket_address') =~ /^[a-z0-9.-]+:[0-9]+$/
+          return p('locket_address')
+        end
+        raise 'asg_sync_enabled is true but the locket_address is invalid'
+      end
+    end
 %>
 
 <%=
@@ -127,6 +148,14 @@
       'request_timeout' => 5,
     }
 
+    if p('asg_sync_enabled')
+      toRender['asg_sync_interval'] = asg_sync_interval
+      toRender['locket_address'] = locket_address
+      toRender['locket_ca_cert_file'] = '/var/vcap/jobs/policy-server/config/certs/locket_ca.crt'
+      toRender['locket_client_cert_file'] = '/var/vcap/jobs/policy-server/config/certs/locket.crt'
+      toRender['locket_client_key_file'] = '/var/vcap/jobs/policy-server/config/certs/locket.key'
+    end
+
     JSON.pretty_generate(toRender)
 %>
 <% end %>

spec/bosh-dns-adapter/bosh_dns_adapter_spec.rb

@@ -118,16 +118,14 @@ module Bosh::Template::Test
         end
       end
 
-      # This test must be pended until this PR is merged and a new version of the
-      # bosh-template gem is published:
-      # https://github.com/cloudfoundry/bosh/pull/2116
-      xdescribe 'when the optional vip_resolver_conn link is provided' do
+      describe 'when the optional vip_resolver_conn link is provided' do
         let(:links_with_vip_resolver_conn) do
           links << Link.new(
             name: 'vip_resolver_conn',
             properties: {
-              'listen_port_for_vip_resolver' => 1234
-            }
+              'listen_port_for_vip_resolver' => 1234,
+            },
+            address: 'copilot.bosh',
           )
         end
 

spec/policy-server/policy_server_spec.rb

@@ -48,6 +48,9 @@ module Bosh::Template::Test
         'metron_port' => 6789,
         'log_level' => 'debug',
         'allowed_cors_domains' => ['some-cors-domain'],
+        'locket_ca_cert' => 'the locket ca cert',
+        'locket_client_cert' => 'the locket cert',
+        'locket_client_key' => 'the locket key',
       }
     end
 
@@ -172,6 +175,11 @@ module Bosh::Template::Test
           'allowed_cors_domains' => ['some-cors-domain'],
           'uaa_ca' => '/var/vcap/jobs/policy-server/config/certs/uaa_ca.crt',
           'request_timeout' => 5,
+          'asg_sync_interval' => 60,
+          'locket_address' => 'locket.service.cf.internal:8891',
+          'locket_ca_cert_file' => '/var/vcap/jobs/policy-server/config/certs/locket_ca.crt',
+          'locket_client_cert_file' => '/var/vcap/jobs/policy-server/config/certs/locket.crt',
+          'locket_client_key_file' => '/var/vcap/jobs/policy-server/config/certs/locket.key',
         })
       end
 
@@ -337,6 +345,145 @@ module Bosh::Template::Test
           JSON.parse(template.render(merged_manifest_properties))
         }.to raise_error('policy_cleanup_interval must be at least 1 minute')
       end
+
+      it 'raises an error when asg_sync_enabled is true and the asg_sync_interval is invalid' do
+        intervals = [
+          'notanumber',
+          0,
+          -1,
+          1.3,
+          0.5,
+          true,
+          -0,
+          '1',
+          '0',
+        ]
+        merged_manifest_properties['asg_sync_enabled'] = true
+        intervals.each do |interval|
+          merged_manifest_properties['asg_sync_interval'] = interval
+          expect {
+            JSON.parse(template.render(merged_manifest_properties))
+          }.to raise_error('asg_sync_interval must be an integer greater than 0')
+        end
+      end
+      it 'raises an error when asg_sync_enabled is true and there is no locket_address defined' do
+        addrs = [
+          '',
+          'my-site-without-port.com',
+          'http://asdf.com',
+          'http://asdf:1234',
+          'asdf.com:badport',
+          'me+you:1234',
+        ]
+        merged_manifest_properties['asg_sync_enabled'] = true
+        addrs.each do |addr|
+          merged_manifest_properties['locket_address'] = addr
+          expect {
+            JSON.parse(template.render(merged_manifest_properties))
+          }.to raise_error('asg_sync_enabled is true but the locket_address is invalid')
+        end
+      end
+      it 'allows common domain name/ip addr combos for locket_address' do
+        addrs = [
+          'test.com:1234',
+          '10.10.10.10:1234',
+          'my-cool-site.com:1234',
+        ]
+        merged_manifest_properties['asg_sync_enabled'] = true
+        addrs.each do |addr|
+          merged_manifest_properties['locket_address'] = addr
+          expect {
+          JSON.parse(template.render(merged_manifest_properties))
+        }.to_not raise_error
+        end
+      end
+    end
+    describe 'locket.ca.crt' do
+      let(:template) {job.template('config/certs/locket_ca.crt')}
+      describe 'When the property exits' do
+        it 'renders the locket cert' do
+          cert = template.render(merged_manifest_properties)
+          expect(cert.strip).to eq('the locket ca cert')
+        end
+      end
+
+      describe 'when the property doesn\'t exist' do
+        before do
+          merged_manifest_properties.delete('locket_ca_cert')
+        end
+
+        it 'raises an error when asg_sync_enabled is true and there is no locket_ca_cert defined' do
+          merged_manifest_properties['asg_sync_enabled'] = true
+          expect {
+            template.render(merged_manifest_properties)
+          }.to raise_error Bosh::Template::UnknownProperty
+        end
+
+        it 'raises and error when asg_sync_enabled is false and there is no locket_ca_cert defined' do
+          merged_manifest_properties['asg_sync_enabled'] = false
+          expect {
+            template.render(merged_manifest_properties)
+          }.to_not raise_error
+        end
+      end
+    end
+    describe 'locket.crt' do
+      let(:template) {job.template('config/certs/locket.crt')}
+      describe 'When the property exits' do
+        it 'renders the locket cert' do
+          cert = template.render(merged_manifest_properties)
+          expect(cert.strip).to eq('the locket cert')
+        end
+      end
+
+      describe 'when the property doesn\'t exist' do
+        before do
+          merged_manifest_properties.delete('locket_client_cert')
+        end
+
+        it 'raises an error when asg_sync_enabled is true and there is no locket_client defined' do
+          merged_manifest_properties['asg_sync_enabled'] = true
+          expect {
+            template.render(merged_manifest_properties)
+          }.to raise_error Bosh::Template::UnknownProperty
+        end
+
+        it 'raises and error when asg_sync_enabled is false and there is no locket_client defined' do
+          merged_manifest_properties['asg_sync_enabled'] = false
+          expect {
+            template.render(merged_manifest_properties)
+          }.to_not raise_error
+        end
+      end
+    end
+    describe 'locket.key' do
+      let(:template) {job.template('config/certs/locket.key')}
+      describe 'When the property exits' do
+        it 'renders the locket cert' do
+          cert = template.render(merged_manifest_properties)
+          expect(cert.strip).to eq('the locket key')
+        end
+      end
+
+      describe 'when the property doesn\'t exist' do
+        before do
+          merged_manifest_properties.delete('locket_client_key')
+        end
+
+        it 'raises an error when asg_sync_enabled is true and there is no locket_client_key defined' do
+          merged_manifest_properties['asg_sync_enabled'] = true
+          expect {
+            template.render(merged_manifest_properties)
+          }.to raise_error Bosh::Template::UnknownProperty
+        end
+
+        it 'raises and error when asg_sync_enabled is false and there is no locket_client_key defined' do
+          merged_manifest_properties['asg_sync_enabled'] = false
+          expect {
+            template.render(merged_manifest_properties)
+          }.to_not raise_error
+        end
+      end
     end
   end
 end