This repository has been archived by the owner on Jul 12, 2018. It is now read-only.

ert-plugin should enable cf auth for diego ssh #2

Closed
ghost opened this issue Dec 23, 2016 · 13 comments

Comments

@ghost

ghost commented Dec 23, 2016

Expected config:

  - name: ssh_proxy
    release: diego
    properties:
      diego:
        ssh_proxy:
          enable_cf_auth: true

Actual config:

  - name: ssh_proxy
    release: diego
    properties:
      diego:
        ssh_proxy:
          enable_cf_auth: false

ghost changed the title from "ret-plugin should enable cf auth for diego ssh" to "ert-plugin should enable cf auth for diego ssh" on Dec 23, 2016

@xchapter7x
Contributor

Have you tried setting the allow-app-ssh-access flag?

@ghost
Author

ghost commented Jan 4, 2017

Even with the latest version, it looks like it's not observing the allow-app-ssh-access key set in vault:

$ vault read -field=allow-app-ssh-access secret/cf-sandbox-b-props
true

The generated manifest shows:

- name: cloud_controller-partition
  jobs:
  - name: cloud_controller_ng
    properties:
      app_ssh:
        host_key_fingerprint: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
      cc:
        allow_app_ssh_access: false
- name: ssh_proxy
  release: diego
  properties:
    diego:
      enable_cf_auth: false

@xchapter7x
Contributor

So is this an issue with the vault value only?
Are you able to set the flag directly in the cli?

@ghost
Author

ghost commented Jan 4, 2017

If I set the flag with the cli I get proper values, other than #1 and diego_auth. So it seems it's just not reading it when set in vault. Ideally, it observes the value in vault, so we don't have to modify the pipeline task at https://github.com/enaml-ops/concourse-deploy-cloudfoundry/blob/master/ci/tasks/generate-pcf-manifest.sh

diego_auth should remain false. When set to true, it yields this:

Error: Unable to render instance groups for deployment. Errors are:
   - Unable to render jobs for instance group 'diego_brain-partition'. Errors are:
     - Unable to render templates for job 'ssh_proxy'. Errors are:
       - Error filling in template 'ssh_proxy_as_vcap.erb' (line 31: Can't find property '["diego.ssh_proxy.diego_credentials"]')

[update] Moving the diego_auth problem to #6

@xchapter7x
Contributor

Is it possible that you have that value stored in another vault hash as well?
Below is the order in which we load values from hashes, and they will get overwritten if they exist lower down the cascade.
The reason the cli flag will work is that that value takes priority over all values in vault.

- vault-hash-misc
- vault-hash-password
- vault-hash-keycert
- vault-hash-ip
- vault-hash-host

@ghost
Author

ghost commented Jan 5, 2017

allow-app-ssh-access exists only in the misc hash.

@ryanpei

ryanpei commented Jan 16, 2017

@sushiandbeer has this worked out for you yet? If so I'll close this issue on behalf of @xchapter7x

@allomov

allomov commented Jan 16, 2017

Hey @ryanpei! Vault stores only string values; boolean values are also converted to strings, so the plugin can't parse such options at the moment (you can read more in this thread).

@sushiandbeer has come up with a workaround for this issue. You can see the idea here. In your script you read the value from vault, then compare it to "true" and set the necessary flag.
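
The workaround described in the comment above, written out as an added example (not code from this thread or from the enaml-ops pipelines). `read_field` is a constructed stand-in for `vault read -field=<key> <path>`, the two `example-*` keys are hypothetical, and spelling the CLI flag as `--<key>` is an assumption.

```shell
#!/bin/sh
# Added example: map Vault's string values onto optional boolean CLI flags.

# Constructed stand-in for `vault read -field=<key> <path>` so the example
# runs offline. Only allow-app-ssh-access comes from the thread; the other
# two keys are hypothetical.
read_field() {
    case "$1" in
        allow-app-ssh-access)    printf 'true' ;;
        example-disabled-toggle) printf 'false' ;;
        example-bad-toggle)      printf 'yes' ;;
    esac
}

# bool_flag VALUE FLAG
# Prints FLAG when VALUE is exactly "true", nothing when it is "false" or
# empty (key absent), and returns 2 for anything else, so a typo in Vault
# stops the run instead of silently leaving a setting at its default.
bool_flag() {
    case "$1" in
        true)     printf '%s\n' "$2" ;;
        false|'') ;;
        *)        printf 'not a boolean for %s: "%s"\n' "$2" "$1" >&2
                  return 2 ;;
    esac
}

# flags_for KEY...
# Builds the flag list for the given Vault keys. Assumption: the flag for a
# key is spelled --<key>.
flags_for() {
    out=''
    for key in "$@"; do
        flag=$(bool_flag "$(read_field "$key")" "--$key") || return 2
        if [ -n "$flag" ]; then out="$out $flag"; fi
    done
    printf '%s\n' "${out# }"
}

flags_for allow-app-ssh-access example-disabled-toggle
```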

@ryanpei

ryanpei commented Jan 16, 2017

Ah, thanks for explaining, @allomov.

Can you please submit your idea as a PR or a new issue so we can consider the best solution here?

@allomov

allomov commented Jan 17, 2017

@ryanpei I already created 2 PRs to enaml-ops/concourse-deploy-cloudfoundry (#2, #3), if that is what you are talking about.

@allomov

allomov commented Jan 22, 2017

Here is a related issue: enaml-ops/omg-product-bundle#16

zmb3 closed this as completed in 3af5531 on Jan 25, 2017

@zmb3
Contributor

zmb3 commented Jan 25, 2017

@ryanpei @sushiandbeer @allomov This should be all set now. The workaround mentioned above will still override anything in Vault, but boolean values in Vault are fine too.

@allomov

allomov commented Jan 25, 2017

@zmb3 that's very cool news.

Right now I am thinking of moving to a unified pipeline instead of having a set of distinct pipelines (concourse-deploy-cloudfoundry, concourse-deploy-rabbitmq, etc.). This fix will make that easier.
