cloudfoundry / bosh-aws-cpi-release

BOSH AWS CPI
Apache License 2.0

Remove blobstore info from IaaS metadata endpoints #147

Closed ystros closed 1 year ago

ystros commented 1 year ago

The BOSH agent reads its blobstore settings from the metadata API endpoint (or equivalent) for its VM within the IaaS. If the blobstore settings are not set in the env.bosh.blobstores property, it will fall back to the top-level blobstore property in the metadata.

However, in modern configurations, the Director always sends the blobstore settings as part of the environment hash. Additionally, the Director does redaction of credentials in the environment hash when the signed URLs blobstore feature is enabled. This redaction is not applied to the top-level blobstore property in the metadata because that is generated solely by the CPI.

Rather than updating each CPI to know about the signed URL feature, we are instead removing the blobstore properties from the CPI. This will ensure that Director is the sole point of contact when configuring agent blobstore settings, and ensure that they are always properly redacted.
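An added example, not part of this pull request or of the BOSH code base: a Ruby check that applies the lookup order described above to a VM settings document and reports credential-like keys still present in the top-level blobstore property. The sample document, its provider/options layout, the key-name heuristic, and the names effective_blobstore, secret_paths and audit are assumptions for illustration.

```ruby
require 'json'

# Constructed settings document (not real data); the provider/options layout is assumed.
SAMPLE_SETTINGS = JSON.parse(<<~DOC)
  {
    "blobstore": {
      "provider": "dav",
      "options": { "endpoint": "https://blobstore.example.internal", "user": "agent", "password": "constructed-secret" }
    },
    "env": { "bosh": { "blobstores": [
      { "provider": "dav", "options": { "endpoint": "https://blobstore.example.internal" } }
    ] } }
  }
DOC

SECRET_KEY = /password|secret|private_key|credentials/i # assumed naming heuristic

# Lookup order described above: env.bosh.blobstores first, then the top-level blobstore.
def effective_blobstore(settings)
  from_env = settings.dig('env', 'bosh', 'blobstores')
  return [:env, from_env.first] if from_env.is_a?(Array) && !from_env.empty?
  top = settings['blobstore']
  top ? [:top_level, top] : [:none, nil]
end

# Dotted paths of non-empty scalar values whose key name looks like a credential.
def secret_paths(node, prefix)
  case node
  when Hash
    node.flat_map do |key, value|
      path = "#{prefix}.#{key}"
      scalar = !value.is_a?(Hash) && !value.is_a?(Array)
      hit = key.match?(SECRET_KEY) && scalar && !value.to_s.empty?
      (hit ? [path] : []) + secret_paths(value, path)
    end
  when Array
    node.each_with_index.flat_map { |value, i| secret_paths(value, "#{prefix}[#{i}]") }
  else
    []
  end
end

def audit(settings)
  source, = effective_blobstore(settings)
  { source: source,
    top_level_present: settings.key?('blobstore'),
    top_level_secrets: secret_paths(settings['blobstore'], 'blobstore'),
    env_secrets: secret_paths(settings.dig('env', 'bosh', 'blobstores'), 'env.bosh.blobstores') }
end
```

On the constructed sample the agent would use the env entry, yet the audit still reports `blobstore.options.password` in the top-level property, which is the leftover the description says the CPI should stop publishing.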

rkoster commented 1 year ago

Thanks! @ystros