WIP - adapt scheduler

jobs/scheduler/spec

@@ -12,6 +12,10 @@ templates:
   scheduler_server.crt.erb: config/certs/server.crt
   scheduler_server.key.erb: config/certs/server.key
 
+  healthendpoint_ca.crt.erb: config/certs/healthendpoint/ca.crt
+  healthendpoint.crt.erb: config/certs/healthendpoint/server.crt
+  healthendpoint.key.erb: config/certs/healthendpoint/server.key
+
   scalingengine_ca.crt.erb: config/certs/scalingengine/ca.crt
   scalingengine_client.crt.erb: config/certs/scalingengine/client.crt
   scalingengine_client.key.erb: config/certs/scalingengine/client.key
@@ -119,6 +123,12 @@ properties:
   autoscaler.scheduler.health.port:
     description: "the listening port of health endpoint"
     default: 6204
+  autoscaler.scheduler.health.ca_cert:
+    description: "PEM-encoded CA certificate for the health endpoint"
+  autoscaler.scheduler.health.server_cert:
+    description: "PEM-encoded server certificate for the health endpoint"
+  autoscaler.scheduler.health.server_key:
+    description: "PEM-encoded server key for the health endpoint"
   autoscaler.scheduler.health.basicAuthEnabled:
     description: "if true, basic auth is enabled on the endpoint"
     default: false

jobs/scheduler/templates/healthendpoint.crt.erb

@@ -0,0 +1,3 @@
+<% if_p("autoscaler.scheduler.health.server_cert") do |value| %>
+<%= value %>
+<% end %>

jobs/scheduler/templates/healthendpoint.key.erb

@@ -0,0 +1,3 @@
+<% if_p("autoscaler.scheduler.health.server_key") do |value| %>
+<%= value %>
+<% end %>

jobs/scheduler/templates/healthendpoint_ca.crt.erb

@@ -0,0 +1,3 @@
+<% if_p("autoscaler.scheduler.health.ca_cert") do |value| %>
+<%= value %>
+<% end %>

jobs/scheduler/templates/scheduler.yml.erb

@@ -99,6 +99,23 @@ spring:
             instanceName: app-autoscaler
           threadPool:
             threadCount: 10
+    ############################################################
+    #    SSL Bundles
+    ############################################################
+    ssl:
+      bundle:
+        jks:
+          server:
+            key:
+              alias: "scheduler"
+            keystore:
+              location: "/var/vcap/jobs/scheduler/config/certs/server.p12"
+              password: "123456"
+            truststore:
+              location: "/var/vcap/jobs/scheduler/config/certs/cacerts"
+              password: "123456"
+        #pem:
+
 ############################################################
 #    Client SSL keys
 ############################################################
@@ -142,14 +159,16 @@ scheduler:
 server:
   port: <%=p('autoscaler.scheduler.port') %>
   ssl:
-    ciphers: TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA
-    enabled-protocols: TLSv1.2
-    key-alias: scheduler
-    key-store: /var/vcap/jobs/scheduler/config/certs/server.p12
-    key-store-password: 123456
-    key-store-type: PKCS12
-    trust-store: /var/vcap/jobs/scheduler/config/certs/cacerts
-    trust-store-password: 123456
+    ciphers: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256
+    enabled-protocols: TLSv1.3
+    bundle: "server"
+    client-auth: NEED
+#    key-alias: scheduler
+#    key-store: /var/vcap/jobs/scheduler/config/certs/server.p12
+#    key-store-password: 123456
+#    key-store-type: PKCS12
+#    trust-store: /var/vcap/jobs/scheduler/config/certs/cacerts
+#    trust-store-password: 123456
 
 
 #User added properties

spec/jobs/common/health_endpoint_spec.rb

@@ -21,13 +21,13 @@
           @properties = YAML.safe_load(fixture(properties_file).read)
           @template = release.job(release_job).template(config_file)
           @links = case service
-                  when "eventgenerator"
-                    [ Bosh::Template::Test::Link.new(name: "eventgenerator") ]
-                  when "metricsgateway", "metricsserver"
-                    [ Bosh::Template::Test::Link.new(name: "metricsserver") ]
-                  else
-                    []
-                  end
+          when "eventgenerator"
+            [Bosh::Template::Test::Link.new(name: "eventgenerator")]
+          when "metricsgateway", "metricsserver"
+            [Bosh::Template::Test::Link.new(name: "metricsserver")]
+          else
+            []
+          end
           @rendered_template = YAML.safe_load(@template.render(@properties, consumes: @links))
         end
         it "by default TLS is not configured" do
@@ -46,10 +46,10 @@
 
           expect(rendered_template["health"]["tls"]).not_to be_nil
           expect(rendered_template["health"]["tls"]).to include({
-                                                                  "key_file" => "/var/vcap/jobs/#{release_job}/config/certs/healthendpoint/server.key",
-                                                                  "ca_file" => "/var/vcap/jobs/#{release_job}/config/certs/healthendpoint/ca.crt",
-                                                                  "cert_file" => "/var/vcap/jobs/#{release_job}/config/certs/healthendpoint/server.crt"
-                                                                })
+            "key_file" => "/var/vcap/jobs/#{release_job}/config/certs/healthendpoint/server.key",
+            "ca_file" => "/var/vcap/jobs/#{release_job}/config/certs/healthendpoint/ca.crt",
+            "cert_file" => "/var/vcap/jobs/#{release_job}/config/certs/healthendpoint/server.crt"
+          })
         end
       end
     end

src/scheduler/src/main/resources/application.yml

@@ -47,6 +47,22 @@ spring:
                         instanceName: app-autoscaler
                     threadPool:
                         threadCount: 10
+    ############################################################
+    #    SSL Bundles
+    ############################################################
+    ssl:
+        bundle:
+            jks:
+                server:
+                    key:
+                        alias: "test-scheduler"
+                    keystore:
+                        location: "src/test/resources/certs/test-scheduler.p12"
+                        password: "123456"
+                    truststore:
+                        location: "src/test/resources/certs/test.truststore"
+                        password: "123456"
+
 ############################################################
 #    Logging
 ############################################################
@@ -107,14 +123,18 @@ scheduler:
 ############################################################
 #    Server SSL keys
 ############################################################
+
 server:
     ssl:
-        ciphers: TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA
-        enabled-protocols: TLSv1,TLSv1.1,TLSv1.2
-        key-alias: test-scheduler
-        key-store: src/test/resources/certs/test-scheduler.p12
-        key-store-password: 123456
-        key-store-type: PKCS12
-        trust-store: src/test/resources/certs/test.truststore
-        trust-store-password: 123456
+        ciphers: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256
+        enabled-protocols: TLSv1.3
+#        key-alias: test-scheduler
+#        key-store: src/test/resources/certs/test-scheduler.p12
+#        key-store-password: 123456
+#        key-store-type: PKCS12
+#        trust-store: src/test/resources/certs/test.truststore
+#        trust-store-password: 123456
+        bundle: "server"
+        client-auth: NEED
+