stop sending basic auth in staging completion callback in cf-for-k8s

tcdowney · cwlbraa · cwlbraa · commit 62804330336a · 2020-10-15T17:21:44.000-07:00
This is secured by NetworkPolicy and Istio AuthorizationPolicy in cf-for-k8s - https://github.com/cloudfoundry/cf-for-k8s/blob/b5cd28db499009ab9ecbfbe30e77073938f8be39/config/networking/network-policies.yaml#L318-L339 - https://github.com/cloudfoundry/cf-for-k8s/blob/b5cd28db499009ab9ecbfbe30e77073938f8be39/config/networking/istio-authorization-policies.yml#L18-L38 [#175080278](https://www.pivotaltracker.com/story/show/175080278) Co-authored-by: Tim Downey <tdowney@vmware.com> Co-authored-by: Connor Braa <cbraa@pivotal.io>
diff --git a/lib/cloud_controller/opi/stager_client.rb b/lib/cloud_controller/opi/stager_client.rb
@@ -118,17 +118,18 @@ def get_lifecycle(staging_details, staging_guid, action_builder)
 
     def staging_completion_callback(staging_details)
       if config.kubernetes_api_configured?
-        port   = config.get(:internal_service_port)
+        port = config.get(:internal_service_port)
+        auth = '' # on Kubernetes we are relying on NetworkPolicy and Istio AuthorizationPolicy for authz
         scheme = 'http'
       else
-        port   = config.get(:tls_port)
+        port = config.get(:tls_port)
+        auth = "#{config.get(:internal_api, :auth_user)}:#{CGI.escape(config.get(:internal_api, :auth_password))}@"
         scheme = 'https'
       end
 
-      auth      = "#{config.get(:internal_api, :auth_user)}:#{CGI.escape(config.get(:internal_api, :auth_password))}"
       host_port = "#{config.get(:internal_service_hostname)}:#{port}"
       path      = "/internal/v3/staging/#{staging_details.staging_guid}/build_completed?start=#{staging_details.start_after_staging}"
-      "#{scheme}://#{auth}@#{host_port}#{path}"
+      "#{scheme}://#{auth}#{host_port}#{path}"
     end
 
     def build_env(environment)
diff --git a/spec/unit/lib/cloud_controller/opi/stager_client_spec.rb b/spec/unit/lib/cloud_controller/opi/stager_client_spec.rb
@@ -201,7 +201,7 @@
           stager_client.stage(staging_guid, staging_details)
           expect(WebMock).to have_requested(:post, "#{eirini_url}/stage/#{staging_guid}").with { |req|
             parsed_json = JSON.parse(req.body)
-            parsed_json['completion_callback'] == 'http://internal_user:internal_password@api.internal.cf:9090/internal/v3/staging/some_staging_guid/build_completed?start='
+            parsed_json['completion_callback'] == 'http://api.internal.cf:9090/internal/v3/staging/some_staging_guid/build_completed?start='
           }
         end
       end

Original file line number	Diff line number	Diff line change
`@@ -201,7 +201,7 @@`
`201`	`201`	`stager_client.stage(staging_guid, staging_details)`
`202`	`202`	`expect(WebMock).to have_requested(:post, "#{eirini_url}/stage/#{staging_guid}").with { \|req\|`
`203`	`203`	`parsed_json = JSON.parse(req.body)`
`204`		`- parsed_json['completion_callback'] == 'http://internal_user:internal_password@api.internal.cf:9090/internal/v3/staging/some_staging_guid/build_completed?start='`
	`204`	`+ parsed_json['completion_callback'] == 'http://api.internal.cf:9090/internal/v3/staging/some_staging_guid/build_completed?start='`
`205`	`205`	`}`
`206`	`206`	`end`
`207`	`207`	`end`