Add ca_truster job to trust CA certs configured by manifest

[#83168476]

bosh-lite/cf-stub-spiff.yml

@@ -8,6 +8,29 @@ properties:
   loggregator_endpoint:
     shared_secret: PLACEHOLDER-LOGGREGATOR-SECRET
 
+  ca_truster:
+    certificates:
+      - |
+          -----BEGIN CERTIFICATE-----
+          MIIDETCCAfmgAwIBAgIJANZuykf1uh3LMA0GCSqGSIb3DQEBBQUAMB8xHTAbBgNV
+          BAMMFCouMTAuMjQ0LjAuMzQueGlwLmlvMB4XDTE0MTIyNDIzMTkxM1oXDTI0MTIy
+          MTIzMTkxM1owHzEdMBsGA1UEAwwUKi4xMC4yNDQuMC4zNC54aXAuaW8wggEiMA0G
+          CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCjq73Fgwfj2UT0/+wR9kVVsGAguMj
+          poA0opLCgE0yHStAhSvqq7YpO39dH3vBMWXyr2xIfDyaeZyhV86jWu/ZKswGjNGI
+          ZKv/yUINe1bqukOBqd+SHVvkVhxSLJuD1MR83JQMONRjOPJp661/ABpVhnrNfBiA
+          AA6aaFv4/KbyGY/E1FHoUXqEdh4WxaJdfX6SbgG05ArWxhSD7PNj4CYvJWGCdvqP
+          KBsvWFDrkxBHn5h1JIDfZJB8FKP6vaHBr7MU4pIHM+qaZ1Y+8ja0wcgkHn4YHcp6
+          IOhqpck7LaH5Qq2ydYFNTcG4fTbG0jXqcit2WSUxRkXzWnrgo2E0SiHBAgMBAAGj
+          UDBOMB0GA1UdDgQWBBSpCtEDtEvMwaZzXN6Lvk5U7Eyn2zAfBgNVHSMEGDAWgBSp
+          CtEDtEvMwaZzXN6Lvk5U7Eyn2zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA
+          A4IBAQB1YIHmw3gPiMn8WDR4yVxDvSVgFHY6ZE1iZb17vVs4N2/mhQZXWJ2nZV02
+          goAivtgxHOj39sK5OBWsGvrQo5H8dt1t4XmbwB1C6xRerGc25dhDRq42RqhCN0RJ
+          zzjd9b8YSiwtAaZlW36l2jVDLfRapb00tWToF9qYrDrmKy2sekS7g2hbiRStcue/
+          bpT4X/CHxb/lUbpL4m8BpDbkGiOJgl+SEHRx5tZ0Kob/RDQRCcN3p+71FRbDIEBj
+          +8sJl/yUUUPwQ6PNYx6cjtlICWJ1G0l0hRa141VXPqSNCmxYS4dp/8ifPCSoLc+k
+          9TXFkuGl+86CPTyyMJxyMhEcAGZT
+          -----END CERTIFICATE-----
+
   cc:
     security_group_definitions:
       - name: public_networks

jobs/ca_truster/monit

@@ -0,0 +1,5 @@
+check process ca_truster with pidfile /var/vcap/sys/run/ca_truster/ca_truster.pid 
+  start program "/var/vcap/jobs/ca_truster/bin/ca_truster_ctl start"
+  stop program "/var/vcap/jobs/ca_truster/bin/ca_truster_ctl stop"
+
+

jobs/ca_truster/spec

@@ -0,0 +1,17 @@
+---
+name: ca_truster
+
+description: "CA truster adds CA certificates to the trusted list. It is intented do be included in every VM."
+
+templates:
+  ca_truster.sh.erb: bin/ca_truster.sh
+  ca_truster_ctl.erb: bin/ca_truster_ctl
+
+packages:
+  - common
+
+properties:
+  ca_truster.certificates:
+    description: "CA certificates to trust."
+    default: []
+

jobs/ca_truster/templates/ca_truster.sh.erb

@@ -0,0 +1,18 @@
+trust_cas() {
+  set -e -x
+
+  <% p("ca_truster.certificates", []).each_with_index do |certificate, i| %>
+    echo "adding CA /usr/local/share/ca-certificates/cf-ca-truster-<%= i %>.crt"
+    echo '<%= certificate %>' > /usr/local/share/ca-certificates/cf-ca-truster-<%= i %>.crt
+  <% end %>
+  update-ca-certificates
+  echo 1 > ${RUN_DIR}/ca_truster.pid
+}
+
+untrust_cas() {
+  set -e -x
+
+  rm -f /usr/local/share/ca-certificates/cf-ca-truster-*.crt
+  update-ca-certificates --fresh
+  rm -f ${RUN_DIR}/ca_truster.pid
+}

jobs/ca_truster/templates/ca_truster_ctl.erb

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+export CA_TRUSTER_JOB_DIR=/var/vcap/jobs/ca_truster
+
+RUN_DIR=/var/vcap/sys/run/ca_truster
+
+source /var/vcap/packages/common/utils.sh
+source $CA_TRUSTER_JOB_DIR/bin/ca_truster.sh
+
+case $1 in
+
+  start)
+    mkdir -p $RUN_DIR
+    trust_cas
+    ;;
+
+  stop)
+    untrust_cas
+    ;;
+
+  *)
+    echo "Usage: ca_truster_ctl {start|stop}"
+    ;;
+
+esac

spec/fixtures/aws/cf-manifest.yml.erb

@@ -36,6 +36,8 @@ jobs:
     release: cf
   - name: metron_agent
     release: cf
+  - name: ca_truster
+    release: cf
   update: {}
 - instances: 1
   name: nats_z1
@@ -56,6 +58,8 @@ jobs:
     release: cf
   - name: metron_agent
     release: cf
+  - name: ca_truster
+    release: cf
   update: {}
 - instances: 1
   name: nats_z2
@@ -76,6 +80,8 @@ jobs:
     release: cf
   - name: metron_agent
     release: cf
+  - name: ca_truster
+    release: cf
   update: {}
 - instances: 2
   name: etcd_z1
@@ -98,6 +104,8 @@ jobs:
     release: cf
   - name: metron_agent
     release: cf
+  - name: ca_truster
+    release: cf
   update: {}
 - instances: 1
   name: etcd_z2
@@ -119,6 +127,8 @@ jobs:
     release: cf
   - name: metron_agent
     release: cf
+  - name: ca_truster
+    release: cf
   update: {}
 - instances: 1
   name: stats_z1
@@ -135,6 +145,8 @@ jobs:
     release: cf
   - name: metron_agent
     release: cf
+  - name: ca_truster
+    release: cf
   update: {}
 - instances: 0
   name: nfs_z1
@@ -153,6 +165,8 @@ jobs:
     release: cf
   - name: metron_agent
     release: cf
+  - name: ca_truster
+    release: cf
   update: {}
 - instances: 0
   name: postgres_z1
@@ -171,6 +185,8 @@ jobs:
     release: cf
   - name: metron_agent
     release: cf
+  - name: ca_truster
+    release: cf
   update: {}
 - instances: 1
   name: uaa_z1
@@ -187,6 +203,8 @@ jobs:
     release: cf
   - name: metron_agent
     release: cf
+  - name: ca_truster
+    release: cf
   update: {}
 - instances: 1
   name: uaa_z2
@@ -203,6 +221,8 @@ jobs:
     release: cf
   - name: metron_agent
     release: cf
+  - name: ca_truster
+    release: cf
   update: {}
 - instances: 1
   name: login_z1
@@ -219,6 +239,8 @@ jobs:
     release: cf
   - name: metron_agent
     release: cf
+  - name: ca_truster
+    release: cf
   update: {}
 - instances: 1
   name: login_z2
@@ -235,6 +257,8 @@ jobs:
     release: cf
   - name: metron_agent
     release: cf
+  - name: ca_truster
+    release: cf
   update: {}
 - instances: 1
   name: api_z1
@@ -260,6 +284,8 @@ jobs:
     release: cf
   - name: nfs_mounter
     release: cf
+  - name: ca_truster
+    release: cf
   update: {}
 - instances: 1
   name: api_z2
@@ -285,6 +311,8 @@ jobs:
     release: cf
   - name: nfs_mounter
     release: cf
+  - name: ca_truster
+    release: cf
   update: {}
 - instances: 1
   name: clock_global
@@ -302,6 +330,8 @@ jobs:
     release: cf
   - name: metron_agent
     release: cf
+  - name: ca_truster
+    release: cf
   update: {}
 - instances: 1
   name: api_worker_z1
@@ -327,6 +357,8 @@ jobs:
     release: cf
   - name: nfs_mounter
     release: cf
+  - name: ca_truster
+    release: cf
   update: {}
 - instances: 1
   name: api_worker_z2
@@ -352,6 +384,8 @@ jobs:
     release: cf
   - name: nfs_mounter
     release: cf
+  - name: ca_truster
+    release: cf
   update: {}
 - instances: 1
   name: hm9000_z1
@@ -368,6 +402,8 @@ jobs:
     release: cf
   - name: metron_agent
     release: cf
+  - name: ca_truster
+    release: cf
   update: {}
 - instances: 1
   name: hm9000_z2
@@ -384,6 +420,8 @@ jobs:
     release: cf
   - name: metron_agent
     release: cf
+  - name: ca_truster
+    release: cf
   update: {}
 - instances: 1
   name: runner_z1
@@ -405,6 +443,8 @@ jobs:
     release: cf
   - name: metron_agent
     release: cf
+  - name: ca_truster
+    release: cf
   update:
     max_in_flight: 1
 - instances: 1
@@ -427,6 +467,8 @@ jobs:
     release: cf
   - name: metron_agent
     release: cf
+  - name: ca_truster
+    release: cf
   update:
     max_in_flight: 1
 - instances: 2
@@ -494,6 +536,8 @@ jobs:
     release: cf
   - name: metron_agent
     release: cf
+  - name: ca_truster
+    release: cf
   update: {}
 - instances: 1
   name: router_z2
@@ -512,6 +556,8 @@ jobs:
     release: cf
   - name: metron_agent
     release: cf
+  - name: ca_truster
+    release: cf
   update: {}
 - instances: 1
   lifecycle: errand
@@ -522,6 +568,8 @@ jobs:
   templates:
   - name: acceptance-tests
     release: cf
+  - name: ca_truster
+    release: cf
 - instances: 1
   lifecycle: errand
   name: smoke_tests
@@ -534,6 +582,8 @@ jobs:
   templates:
   - name: smoke-tests
     release: cf
+  - name: ca_truster
+    release: cf
 meta:
   environment: null
   releases:
@@ -561,6 +611,8 @@ properties:
   acceptance_tests: null
   app_domains:
   - example.com
+  ca_truster:
+    certificates: []
   cc:
     allowed_cors_domains: []
     app_events: