cf-platform-eng / tile-generator

Tools to develop, package, test, and deploy software on Pivotal Cloud Foundry
https://docs.pivotal.io/tiledev/tile-generator.html
Apache License 2.0

Populate [deploy/delete]-all tls_cacert for all Job Types #284

Closed cholick closed 5 years ago

cholick commented 5 years ago

Scripts running in the deploy-all and delete-all context need the CA certificate OpsMan is using to securely communicate with some internal components.


Implementation Suggestion

The deploy-all and delete-all jobs do have a spec property for that value, tls_cacert defined here:

  tls_cacert:
    description: "Ops Manager's CA certificate"

This property is only populated for a particular package type, though, docker-bosh. It's set here: https://github.com/cf-platform-eng/tile-generator/blob/master/tile_generator/package_flags.py#L146

...
  'properties': {
...
    'tls_cert': '(( .properties.generated_rsa_cert_credentials.cert_pem ))',
...

Please set this property for deploy-all and delete-all for other package types as well.


Enhancement

The opsmgr.env.erb script presents several system properties. Propagating this cert value as well makes sense; it's a similar class of values to what's already defined.

Adding the value here would prevent consumers of this property from having to understand the layer of erb templating to get the property value from BOSH - they could use an environment variable, which would be much friendlier.

cc @pivotal-todd-ritchie cc @jasonf1234

cf-gitbot commented 5 years ago

We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story.

The labels on this github issue will be updated when the story is started.

mboldt commented 5 years ago

Added the Ops Manager cert to the deploy-all and delete-all VMs, at the same location as we did for docker-bosh in commit 0f4f201.

$ cat /var/vcap/data/certs/opsman-ca.pem

mboldt commented 5 years ago

@jasonf1234 I think we're good here. Give a holler if you need anything else.
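A sketch, added here and not part of the tile-generator project, of how a deploy-all or delete-all script written in Python could consume the Ops Manager CA once it is exposed: it prefers an environment variable (the name `OPSMAN_CA_CERT` is an assumption; the thread proposes an env var but does not name one) and falls back to the file path mboldt cites, failing closed when neither holds a PEM certificate rather than letting callers drop to unverified TLS.

```python
import os
import ssl
from pathlib import Path

# The file path is the one mboldt cites in the thread; the environment
# variable name is assumed, since the thread does not name one.
OPSMAN_CA_FILE = "/var/vcap/data/certs/opsman-ca.pem"
OPSMAN_CA_ENV = "OPSMAN_CA_CERT"

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def looks_like_pem_cert(text: str) -> bool:
    """Cheap structural check: at least one complete PEM certificate block."""
    start = text.find(PEM_BEGIN)
    if start < 0:
        return False
    end = text.find(PEM_END, start + len(PEM_BEGIN))
    return end > start


def resolve_opsman_ca(env=None, ca_file=OPSMAN_CA_FILE) -> str:
    """Return the Ops Manager CA PEM, preferring the env var over the file.

    Fails closed: a missing or malformed CA raises RuntimeError so the
    caller cannot silently proceed without server verification.
    """
    env = os.environ if env is None else env
    pem = env.get(OPSMAN_CA_ENV)
    source = "$" + OPSMAN_CA_ENV
    if not pem:
        path = Path(ca_file)
        if not path.is_file():
            raise RuntimeError(f"Ops Manager CA not found in ${OPSMAN_CA_ENV} or {ca_file}")
        pem = path.read_text()
        source = str(path)
    if not looks_like_pem_cert(pem):
        raise RuntimeError(f"{source} does not contain a PEM certificate")
    return pem


def make_verifying_context(pem: str) -> ssl.SSLContext:
    """Build an SSLContext that trusts only the Ops Manager CA and checks hostnames."""
    ctx = ssl.create_default_context(cadata=pem)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx
```

Pass the returned context to `http.client.HTTPSConnection(host, context=ctx)` or `urllib.request` so every request to Ops Manager is verified against that CA and nothing else.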