fix(): Finalize bosh-part (excluding platform-TLS)

- allow pcap-api to run w/o TLS to platform (TLS currently not working)
-- add spec tests for non-TLS mode
-- adjust example manifest/ops files to run w/o platform TLS
- add pcap-agent to pcap-api manifest so it get's deployed on the pcap-api VMs as well
- update dependencies: stemmcell, releases
- mTLS between api & agents currently works using a workaround: pcap-agents reuse whole cert-chain (instead of just CA) from pcap-api
- minimal supported TLS version is now 1.2
- fix bug with decoding certificate files with newlines
- add unit tests for certificate file parsing

---------

Co-authored-by: Tamara Boehm <tamara.boehm@sap.com>

Author: a18e

README.md

@@ -100,11 +100,12 @@ bosh -e bosh upload-release
 
 # adjust the release to a dev release instead of the URL
 vim manifests/pcap-api.yml
-vim manifests/ops-files/add-pcap-agent-haproxy.yml
+vim manifests/ops-files/add-pcap-agent.yml
 
-# deploy pcap-agent to the HAProxy deployment(s)
-bosh interpolate -o manifests/ops-files/add-pcap-agent.yml haproxy.yml > haproxy-pcap.yml
-bosh -d cf haproxy haproxy-pcap.yml
+# deploy pcap-agent to the desired deployment(s) (example: diego-cells in cf deployment)
+bosh -d cf manifest > cf.yml
+bosh interpolate -o manifests/ops-files/add-pcap-agent.yml cf.yml > cf-pcap.yml
+bosh -d cf deploy cf-pcap.yml
 
 # deploy pcap-api
 cp manifests/vars-template.yml manifests/vars.yml

ci/scripts/lint

@@ -4,7 +4,7 @@ set -euo pipefail
 cd "${REPO_ROOT}"
 
 echo "> Running 'bundle exec rake lint'"
-bundle package
+bundle install
 bundle exec rake lint
 
 echo "> Running 'go vet'"

ci/scripts/unit-tests

@@ -5,7 +5,7 @@ set -euo pipefail
 cd "${REPO_ROOT}"
 
 echo "> Running 'bundle exec rake spec'"
-bundle package
+bundle install
 bundle exec rake spec
 
 echo "> Running unit tests"

jobs/pcap-agent/templates/pcap-agent.crt.erb

@@ -1,3 +1,3 @@
-<%- if_p("pcap-agent.listen.tls.certificate") do |cert| -%>
-<%= cert -%>
+<%- if_p("pcap-agent.listen.tls.certificate") do |pem| -%>
+<%= pem -%>
 <%- end -%>

jobs/pcap-api/spec

@@ -38,6 +38,8 @@ properties:
   pcap-api.listen.port:
     description: "The port for the pcap-api to listen on"
     default: 8080
+  pcap-api.listen.tls.enabled:
+    default: true
   pcap-api.listen.tls.certificate:
     description: "Certificate chain to talk to gorouter in PEM format"
   pcap-api.listen.tls.private_key:

jobs/pcap-api/templates/pcap-api.ca.erb

@@ -1,7 +1,3 @@
-<%
-  if_p("pcap-api.listen.tls.ca") do |pem|
-%>
-  <%= pem %>
-<%
-  end
-%>
+<%- if_p("pcap-api.listen.tls.ca") do |pem| -%>
+<%= pem %>
+<%- end -%>

jobs/pcap-api/templates/pcap-api.crt.erb

@@ -1,7 +1,3 @@
-<%
-if_p("pcap-api.listen.tls.certificate") do |pem|
-%>
+<%- if_p("pcap-api.listen.tls.certificate") do |pem| -%>
 <%= pem %>
-<%
-end
-%>
+<%- end -%>

jobs/pcap-api/templates/pcap-api.key.erb

@@ -1,7 +1,3 @@
-<%
-if_p("pcap-api.listen.tls.private_key") do |pem|
-%>
+<%- if_p("pcap-api.listen.tls.private_key") do |pem| -%>
 <%= pem %>
-<%
-end
-%>
+<%- end -%>

jobs/pcap-api/templates/pcap-api.yml.erb

@@ -10,15 +10,18 @@ config = {
   "concurrent_captures" => p("pcap-api.concurrent_captures"),
   "listen" => {
     "port" => p("pcap-api.listen.port"),
-    "tls" => {
-      "certificate"=> "/var/vcap/jobs/pcap-api/config/certs/pcap-api.crt",
-      "private_key" => "/var/vcap/jobs/pcap-api/config/certs/pcap-api.key",
-      "ca" => "/var/vcap/jobs/pcap-api/config/certs/pcap-api-ca.crt",
-    },
   },
   "cli_download_root" => p("pcap-api.cli_download_root")
 }
 
+if p("pcap-api.listen.tls.enabled").to_s == "true"
+    config["listen"]["tls"] = {
+        "certificate"=> "/var/vcap/jobs/pcap-api/config/certs/pcap-api.crt",
+        "private_key" => "/var/vcap/jobs/pcap-api/config/certs/pcap-api.key",
+        "ca" => "/var/vcap/jobs/pcap-api/config/certs/pcap-api-ca.crt"
+    }
+end
+
 if p("pcap-api.agents_mtls.enabled").to_s == "true"
   config["agents_mtls"] = {
       "common_name" => p("pcap-api.agents_mtls.common_name"),