Make basic auth for internal staging completion endpoints optional

- Optional specifically only when Kubernetes configuration is provided

[#175080278]

Co-authored-by: Nat Bennett <nbennett@pivotal.io>
Co-authored-by: Jaskanwal Pawar <jpawar@pivotal.io>

Author: njbennett

app/controllers/internal/staging_completion_controller.rb

@@ -15,6 +15,11 @@ def self.dependencies
     def initialize(*)
       super
       auth = Rack::Auth::Basic::Request.new(env)
+
+      if Config.kubernetes_api_configured?
+        return
+      end
+
       unless auth.provided? && auth.basic? && auth.credentials == InternalApi.credentials
         raise CloudController::Errors::NotAuthenticated
       end

lib/cloud_controller/config_schemas/api_schema.rb

@@ -96,10 +96,6 @@ class ApiSchema < VCAP::Config
             auth_password: String,
           },
 
-          internal_api: {
-            auth_user: String,
-            auth_password: String,
-          },
 
           staging: {
             timeout_in_seconds: Integer,
@@ -393,6 +389,11 @@ class ApiSchema < VCAP::Config
               optional(:temporary_oci_buildpack_mode) => enum('oci-phase-1', NilClass),
               enable_declarative_asset_downloads: bool,
             },
+
+            internal_api: {
+              auth_user: String,
+              auth_password: String,
+            },
           ),
 
         }

lib/cloud_controller/config_schemas/clock_schema.rb

@@ -56,11 +56,6 @@ class ClockSchema < VCAP::Config
             optional(:ca_cert_path) => String,
           },
 
-          internal_api: {
-            auth_user: String,
-            auth_password: String,
-          },
-
           staging: {
             timeout_in_seconds: Integer,
             **VCAP::Config::Dsl.omit_on_k8s(
@@ -216,6 +211,11 @@ class ClockSchema < VCAP::Config
               optional(:temporary_oci_buildpack_mode) => enum('oci-phase-1', NilClass),
               enable_declarative_asset_downloads: bool,
             },
+
+            internal_api: {
+              auth_user: String,
+              auth_password: String,
+            },
           ),
         }
       end

lib/cloud_controller/config_schemas/worker_schema.rb

@@ -47,11 +47,6 @@ class WorkerSchema < VCAP::Config
             optional(:ca_cert_path) => String,
           },
 
-          internal_api: {
-            auth_user: String,
-            auth_password: String,
-          },
-
           staging: {
             timeout_in_seconds: Integer,
             **VCAP::Config::Dsl.omit_on_k8s(
@@ -221,6 +216,11 @@ class WorkerSchema < VCAP::Config
               optional(:temporary_oci_buildpack_mode) => enum('oci-phase-1', NilClass),
               enable_declarative_asset_downloads: bool,
             },
+
+            internal_api: {
+              auth_user: String,
+              auth_password: String,
+            },
           ),
         }
       end

spec/unit/controllers/internal/staging_completion_controller_spec.rb

@@ -39,6 +39,8 @@ module VCAP::CloudController
     let(:one_hour_in_nanoseconds) { (1.hour.to_i * 1e9).to_i }
 
     before do
+      TestConfig.override({ kubernetes: nil })
+
       allow(VCAP::CloudController::Metrics::StatsdUpdater).to receive(:new).and_return(statsd_updater)
     end
 
@@ -184,6 +186,20 @@ module VCAP::CloudController
       end
 
       describe 'authentication' do
+        context 'when running in Kubernetes' do
+          before do
+            TestConfig.override({ kubernetes: { host_url: 'example.com' } })
+          end
+
+          context 'when missing authentication' do
+            it 'succeeds' do
+              header('Authorization', nil)
+              post url, MultiJson.dump(staging_response)
+              expect(last_response.status).to eq(200)
+            end
+          end
+        end
+
         context 'when missing authentication' do
           it 'fails with authentication required' do
             header('Authorization', nil)