Consume credhub.port link and internal CredHub Consul route

- added two new spec properties: credhub_api.ca_cert and
  credhub_api.hostname
- properties will only be used if the credhub link is provided
- Credhub::Client will now use the credhub_api.ca_cert_path
  to include the CredHub CA cert as a trusted cert

[#150753759]

Signed-off-by: Elena Sharma <[email protected]>

Author: tcdowney

bosh/jobs/cloud_controller_ng/spec

@@ -43,6 +43,7 @@ templates:
   stacks.yml.erb: config/stacks.yml
   uaa_ca.crt.erb: config/certs/uaa_ca.crt
   db_ca.crt.erb: config/certs/db_ca.crt
+  credhub_ca.crt.erb: config/certs/credhub_ca.crt
 
 
 packages:
@@ -75,6 +76,9 @@ consumes:
 - name: perm
   type: perm
   optional: true
+- name: credhub
+  type: credhub
+  optional: true
 
 properties:
   bpm.enabled:
@@ -837,6 +841,8 @@ properties:
     description: "Enable CF Permissions external service. Requires perm link to take effect"
     default: false
 
-  credhub_api.port:
-    description: "Temporary property until credhub-release exposes port as a link"
-    default: 8844
+  credhub_api.hostname:
+    description: "Hostname used to resolve the address of CredHub"
+    default: "credhub.service.cf.internal"
+  credhub_api.ca_cert:
+    description: "The certificate authority being used by CredHub"

bosh/jobs/cloud_controller_ng/templates/cloud_controller_ng.yml.erb

@@ -159,10 +159,11 @@ routing_api:
   routing_client_secret: <%= p("uaa.clients.cc_routing.secret") %>
 <% end %>
 
+<% if_link("credhub") do |credhub| %>
 credhub_api:
-  # TODO: This should come from credhub internal consul route
-  # TODO: This should come from the credhub-release link
-  url: <%= "https://credhub.#{system_domain}:#{p("credhub_api.port")}" %>
+  url: <%= "https://#{p("credhub_api.hostname")}:#{credhub.p("credhub.port")}" %>
+  ca_cert_path: "/var/vcap/jobs/cloud_controller_ng/config/certs/credhub_ca.crt"
+<% end %>
 
 # App staging parameters
 staging:

bosh/jobs/cloud_controller_ng/templates/credhub_ca.crt.erb

@@ -0,0 +1 @@
+<%= p("credhub_api.ca_cert", "") %>

config/cloud_controller.yml

@@ -346,3 +346,4 @@ perm:
 
 credhub_api:
   url: https://credhub.vcap.me:8844
+  ca_cert_path: "spec/fixtures/certs/credhub_ca.crt"

lib/cloud_controller/config_schemas/api_schema.rb

@@ -171,8 +171,9 @@ class ApiSchema < VCAP::Config
           cc_service_key_client_name: String,
           cc_service_key_client_secret: String,
 
-          credhub_api: {
+          optional(:credhub_api) => {
             url: String,
+            ca_cert_path: String,
           },
 
           renderer: {

lib/credhub/client.rb

@@ -39,7 +39,9 @@ def client
     end
 
     def build_client
-      HTTPClient.new(base_url: credhub_url)
+      client = HTTPClient.new(base_url: credhub_url)
+      client.ssl_config.set_trust_ca(VCAP::CloudController::Config.config.get(:credhub_api, :ca_cert_path))
+      client
     end
 
     def auth_header

spec/fixtures/certs/credhub_ca.crt

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE8jCCAtqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDEw5jZXJ0
+LWF1dGhvcml0eTAeFw0xNzAxMDQyMTUwNDRaFw0yNzAxMDQyMTUwNDhaMBkxFzAV
+BgNVBAMTDmNlcnQtYXV0aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
+CgKCAgEAwVQAchJX6iaRJGhEx+KtvP3o+U0FzPzBkNE0b7BETthoXg+gvh3C57l5
+694UU1ZDCL2h4bEjfKiH+X3qI8NpGl+s2ZmvDB3pQUXh77WaXib2D0sRdlLPHSut
+a8CtcyIGdUo/d+3AlBlDzIqvku1lWOAUlPO4AqvsiqLX9y09/pfdpWofIxEbHm9e
+2KQkNgdCBPsLRNEU9deUUNoR5/zLNsLk6Xqjdtet8oVqjYlYcjmTw1P7Td+O673F
+7F4oiMjXukFvea840El9iv/YaAzpsDWaTyMSnthm+IrRCeFD4zUINlmxbyqDT5FT
+u88lbUDxhgDGO5yE/4g7dDLQQ29j1saDdNU1WmXqJ5Vf1WfnKjKaQo01mZf13ll/
+im9pjYLqVktYkisd18Ych6Bw3MSeTo1dG/RkJp2AqzAw98BAp35isSfJeFKEDJka
+In7jErVrgNXU37tbjbL9hHrWvLeWa3xAl5ZeamiedJElX8mfAQKhCwD3S+1AqHbs
+2hO2G0qVmAIO/SQ2iDiEthN5cVNIOqrFmW46kuvIl9F1GRzP9msxcJNQ+5s+KHfu
+do7pB8LTiwkpPdOcHeuU4YUqO80Nw3nqlIKJkiH3kKpwku9vHicvkwun8YbAxdzd
+VwBl2bAU/QdNmhtufP/pOhwq9gpBgDYAH6Va5CPdgqz54JRTvDMCAwEAAaNFMEMw
+DgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFNVf
+f0+PnnGodaSWKAvToAaR6quRMA0GCSqGSIb3DQEBCwUAA4ICAQB8iqqL9zFEYmJe
+BzQOGpwrelT+0w3aZJxAMsQLrPhPQwdb7MDuvETmz6u9XHw5mfHAS5Nwif1JLRjm
+a+SxcLG64m/6KXxCsb+3sIX3uaCIT+lhRC872G+KZnC8aH3aqm4SadVWptr9v7k/
+8glyfAUXrfc4ftYuS0ma4BE2dLMMY2Et4lc9p599HccfD2jyNVI29cJJg9cCc8lJ
+T2rTPT+Y7cWxWYsdjnFUgq6HoIfALaYlJu8OIZgy218rxCy2lVi+nIncYAJXdJr9
+Aw68ofG/ajHw3faWNr3NcWjE+EY20o7kKlzLX/t8z3Hj8I4Enjf+hNbbw5bD00mH
+1L8xFQtl53rfBRd9mE8aSSJHTgpSHpp8jp8j6exHeuxKV8b73lPODcJZnklQIxt4
+ro2YCnxeBZDebs2Fn7XZswNvEPpYD0jRhgu5Ovsf4/05SHECs/oA+oXOzdgUW/dj
+lp+oD1xRE278eq23kgudUUhtwb/RYEv75yh5d4m4Z2qOj7NP16fiUYU2Tx4F09Rr
+Afy8ZXJ5EQmKyZivOexiJ1J/eq3UPgKfiyMV7hG4C3Swo3szskKKwr/vl1SG8rQ9
+Ws5eJEyXf1QaMxWEW/8sTCwQjushyE7Wm8DdETmYetcrlBfvQmBptYeJsx3sbx5N
+ROk0R8CrGWFqNdCnVgQne4VbnKr42A==
+-----END CERTIFICATE-----

spec/unit/lib/credhub/client_spec.rb

@@ -11,6 +11,15 @@ module Credhub
 
     subject { Credhub::Client.new(credhub_url, uaa_client) }
 
+    describe '#client' do
+      describe 'ssl_config' do
+        it 'uses the configured credhub_ca.crt' do
+          expect(subject.send(:client).ssl_config.cert_store_items).
+            to include(TestConfig.config_instance.get(:credhub_api, :ca_cert_path))
+        end
+      end
+    end
+
     describe '#get_credential_by_name' do
       before do
         stub_request(:get, "#{credhub_url}/api/v1/data?name=#{credhub_reference}&current=true").