bump auctioneer bbs cf_http converger diego-ssh inigo nsync receptor rep route-emitter stager tps ifrit

Submodule src/github.com/cloudfoundry-incubator/auctioneer e4f24a7..f61b515:
  > support mutual-auth TLS to BBS
Submodule src/github.com/cloudfoundry-incubator/bbs 8bf3bb4..9d6efd4:
  > implements optional mutual SSL for BBS Client/Server communication
Submodule src/github.com/cloudfoundry-incubator/cf_http e2698df..8e03667:
  > improve error messages for TLS config creation
Submodule src/github.com/cloudfoundry-incubator/converger 5603922..be5b1fc:
  > support mutual-auth TLS to BBS
Submodule src/github.com/cloudfoundry-incubator/diego-ssh 9c52952..d704e4e:
  > support mutual-auth TLS to BBS
Submodule src/github.com/cloudfoundry-incubator/inigo 0560d23..30aea2e:
  > require TLS connectiions to BBS
Submodule src/github.com/cloudfoundry-incubator/nsync a607507..dac4e55:
  > support mutual-auth TLS to BBS
Submodule src/github.com/cloudfoundry-incubator/receptor 073dba7..40b817a:
  > support mutual-auth TLS to BBS
Submodule src/github.com/cloudfoundry-incubator/rep a044731..96c1cd9:
  > support mutual-auth TLS to BBS
Submodule src/github.com/cloudfoundry-incubator/route-emitter 127ed48..98a0077:
  > support mutual-auth TLS to BBS
Submodule src/github.com/cloudfoundry-incubator/stager a495461..f88e307:
  > support mutual-auth TLS to BBS
Submodule src/github.com/cloudfoundry-incubator/tps a4787ad..c2cb0e5:
  > support mutual-auth TLS to BBS
Submodule src/github.com/tedsuo/ifrit 65ca48c..5ddc47c:
  > Merge pull request #9 from jenspinney/wip-bbs-ssl

Signed-off-by: Jen Spinney <[email protected]>

Author: jfmyers9

jobs/auctioneer/spec

@@ -4,6 +4,9 @@ name: auctioneer
 templates:
   auctioneer_ctl.erb: bin/auctioneer_ctl
   dns_health_check.erb: bin/dns_health_check
+  bbs_ca.crt.erb: config/certs/bbs/ca.crt
+  bbs_client.crt.erb: config/certs/bbs/client.crt
+  bbs_client.key.erb: config/certs/bbs/client.key
 
 packages:
   - pid_utils
@@ -22,3 +25,10 @@ properties:
 
   diego.auctioneer.bbs.api_url:
     description: "Address to the BBS Server"
+
+  diego.auctioneer.bbs.ca_cert:
+    description: "PEM-encoded CA certificate"
+  diego.auctioneer.bbs.client_cert:
+    description: "PEM-encoded client certificate"
+  diego.auctioneer.bbs.client_key:
+    description: "PEM-encoded client key"

jobs/auctioneer/templates/auctioneer_ctl.erb

@@ -7,6 +7,17 @@ PIDFILE=$RUN_DIR/auctioneer.pid
 
 source /var/vcap/packages/pid_utils/pid_utils.sh
 
+<% require 'uri' %>
+
+<% if URI(p("diego.auctioneer.bbs.api_url")).scheme == "https" %>
+  bbs_sec_flags=" \
+   -bbsClientCert=${CONF_DIR}/certs/bbs/client.crt \
+   -bbsClientKey=${CONF_DIR}/certs/bbs/client.key \
+   -bbsCACert=${CONF_DIR}/certs/bbs/ca.crt"
+<% else %>
+  bbs_sec_flags=""
+<% end %>
+
 case $1 in
 
   start)
@@ -23,7 +34,7 @@ case $1 in
     # Allowed number of open file descriptors
     ulimit -n 100000
 
-    exec chpst -u vcap:vcap /var/vcap/packages/auctioneer/bin/auctioneer \
+    exec chpst -u vcap:vcap /var/vcap/packages/auctioneer/bin/auctioneer ${bbs_sec_flags} \
       -bbsAddress=<%= p("diego.auctioneer.bbs.api_url") %> \
       -consulCluster=http://127.0.0.1:8500 \
       -debugAddr=<%= p("diego.auctioneer.debug_addr") %> \

jobs/auctioneer/templates/bbs_ca.crt.erb

@@ -0,0 +1,2 @@
+<%= p("diego.auctioneer.bbs.ca_cert") %>
+

jobs/auctioneer/templates/bbs_client.crt.erb

@@ -0,0 +1,2 @@
+<%= p("diego.auctioneer.bbs.client_cert") %>
+

jobs/auctioneer/templates/bbs_client.key.erb

@@ -0,0 +1,2 @@
+<%= p("diego.auctioneer.bbs.client_key") %>
+

jobs/bbs/spec

@@ -7,6 +7,9 @@ templates:
   etcd_ca.crt.erb: config/certs/etcd/ca.crt
   etcd_client.crt.erb: config/certs/etcd/client.crt
   etcd_client.key.erb: config/certs/etcd/client.key
+  bbs_ca.crt.erb: config/certs/ca.crt
+  bbs_server.crt.erb: config/certs/server.crt
+  bbs_server.key.erb: config/certs/server.key
 
 packages:
   - pid_utils
@@ -44,3 +47,13 @@ properties:
   diego.bbs.encryption_keys:
     description: "List of encryption keys to be used"
     default: []
+
+  diego.bbs.require_ssl:
+    description: "require ssl for all communication the bbs"
+    default: true
+  diego.bbs.ca_cert:
+    description: "PEM-encoded CA certificate"
+  diego.bbs.server_cert:
+    description: "PEM-encoded client certificate"
+  diego.bbs.server_key:
+    description: "PEM-encoded client key"

jobs/bbs/templates/bbs_ca.crt.erb

@@ -0,0 +1,2 @@
+<%= p("diego.bbs.ca_cert") %>
+

jobs/bbs/templates/bbs_ctl.erb

@@ -18,6 +18,18 @@ etcd_sec_flags=" \
 etcd_sec_flags=""
 <% end %>
 
+<% if p("diego.bbs.require_ssl") %>
+  ad_url_scheme="https"
+  bbs_sec_flags=" \
+   -certFile=${CONF_DIR}/certs/server.crt \
+   -keyFile=${CONF_DIR}/certs/server.key \
+   -caFile=${CONF_DIR}/certs/ca.crt"
+<% else %>
+  ad_url_scheme="http"
+  bbs_sec_flags=""
+<% end %>
+
+
 case $1 in
 
   start)
@@ -61,9 +73,9 @@ case $1 in
     # Allowed number of open file descriptors
     ulimit -n 100000
 
-    exec chpst -u vcap:vcap /var/vcap/packages/bbs/bin/bbs ${etcd_sec_flags} \
+    exec chpst -u vcap:vcap /var/vcap/packages/bbs/bin/bbs ${etcd_sec_flags} ${bbs_sec_flags} \
       -activeKeyLabel='<%= p("diego.bbs.active_key_label") %>' \
-      -advertiseURL=<%= "http://#{name.gsub('_', '-')}-#{spec.index}.bbs.service.cf.internal:#{p("diego.bbs.listen_addr").split(':')[1]}" %> \
+      -advertiseURL=${ad_url_scheme}<%="://#{name.gsub('_', '-')}-#{spec.index}.bbs.service.cf.internal:#{p("diego.bbs.listen_addr").split(':')[1]}" %> \
       -auctioneerAddress=<%= p("diego.bbs.auctioneer.api_url") %> \
       -consulCluster=http://127.0.0.1:8500 \
       -debugAddr=<%= p("diego.bbs.debug_addr") %> \
@@ -73,6 +85,7 @@ case $1 in
       -etcdCluster=<%= p("diego.bbs.etcd.machines").map{|addr| "\"#{p("diego.bbs.etcd.require_ssl") ? "https" : "http"}://#{addr}:4001\""}.join(",")%> \
       -listenAddress=<%= p("diego.bbs.listen_addr") %> \
       -logLevel=<%= p("diego.bbs.log_level") %> \
+      -requireSSL=<%= p("diego.bbs.etcd.require_ssl") %> \
       2> >(tee -a $LOG_DIR/bbs.stderr.log | logger -p user.error -t vcap.bbs) \
       1> >(tee -a $LOG_DIR/bbs.stdout.log | logger -p user.info -t vcap.bbs)
 

jobs/bbs/templates/bbs_server.crt.erb

@@ -0,0 +1,2 @@
+<%= p("diego.bbs.server_cert") %>
+

jobs/bbs/templates/bbs_server.key.erb

@@ -0,0 +1,2 @@
+<%= p("diego.bbs.server_key") %>
+