Merge pull request cloudfoundry#1731 from cloudfoundry/optional-logcache-tls

cwlbraa · web-flow · commit f3a89c1e1036 · 2020-07-09T13:36:11.000-07:00
Make logcache tls optional

[finishes #173713439]
diff --git a/lib/cloud_controller/config_schemas/api_schema.rb b/lib/cloud_controller/config_schemas/api_schema.rb
@@ -213,7 +213,7 @@ class ApiSchema < VCAP::Config
             temporary_ignore_server_unavailable_errors: bool,
           },
 
-          logcache_tls: {
+          optional(:logcache_tls) => {
             key_file: String,
             cert_file: String,
             ca_file: String,
diff --git a/lib/logcache/client.rb b/lib/logcache/client.rb
@@ -7,16 +7,24 @@ class Client
     DEFAULT_LIMIT = 100
 
     def initialize(host:, port:, client_ca_path:, client_cert_path:, client_key_path:, tls_subject_name:, temporary_ignore_server_unavailable_errors:)
-      client_ca = IO.read(client_ca_path)
-      client_key = IO.read(client_key_path)
-      client_cert = IO.read(client_cert_path)
+      if client_ca_path
+        client_ca = IO.read(client_ca_path)
+        client_key = IO.read(client_key_path)
+        client_cert = IO.read(client_cert_path)
+
+        @service = Logcache::V1::Egress::Stub.new(
+          "#{host}:#{port}",
+          GRPC::Core::ChannelCredentials.new(client_ca, client_key, client_cert),
+          channel_args: { GRPC::Core::Channel::SSL_TARGET => tls_subject_name }
+        )
+      else
+        @service = Logcache::V1::Egress::Stub.new(
+          "#{host}:#{port}",
+          :this_channel_is_insecure
+        )
+      end
 
       @temporary_ignore_server_unavailable_errors = temporary_ignore_server_unavailable_errors
-      @service = Logcache::V1::Egress::Stub.new(
-        "#{host}:#{port}",
-        GRPC::Core::ChannelCredentials.new(client_ca, client_key, client_cert),
-        channel_args: { GRPC::Core::Channel::SSL_TARGET => tls_subject_name }
-      )
     end
 
     def container_metrics(source_guid:, envelope_limit: DEFAULT_LIMIT, start_time:, end_time:)
diff --git a/spec/logcache/client_spec.rb b/spec/logcache/client_spec.rb
@@ -10,133 +10,172 @@ module Logcache
 
     let(:host) { 'doppler.service.cf.internal' }
     let(:port) { '8080' }
-    let(:tls_subject_name) { 'my-logcache' }
-    let(:client_ca_path) { File.join(Paths::FIXTURES, 'certs/log_cache_ca.crt') }
-    let(:client_cert_path) { File.join(Paths::FIXTURES, 'certs/log_cache.crt') }
-    let(:client_key_path) { File.join(Paths::FIXTURES, 'certs/log_cache.key') }
-    let(:credentials) { instance_double(GRPC::Core::ChannelCredentials) }
-    let(:channel_arg_hash) do
-      {
-          channel_args: { GRPC::Core::Channel::SSL_TARGET => tls_subject_name }
-      }
-    end
-    let(:client) do
-      Logcache::Client.new(host: host, port: port, client_ca_path: client_ca_path,
-                           client_cert_path: client_cert_path, client_key_path: client_key_path, tls_subject_name: tls_subject_name,
-                           temporary_ignore_server_unavailable_errors: false)
-    end
     let(:expected_request_options) { { 'headers' => { 'Authorization' => 'bearer oauth-token' } } }
-    let(:client_ca) { File.open(client_ca_path).read }
-    let(:client_key) { File.open(client_key_path).read }
-    let(:client_cert) { File.open(client_cert_path).read }
-
-    describe '#container_metrics' do
-      let(:instance_count) { 2 }
-      let!(:process) { VCAP::CloudController::ProcessModel.make(instances: instance_count) }
-
-      before do
-        expect(GRPC::Core::ChannelCredentials).to receive(:new).
-          with(client_ca, client_key, client_cert).
-          and_return(credentials)
-        expect(Logcache::V1::Egress::Stub).to receive(:new).
-          with("#{host}:#{port}", credentials, channel_arg_hash).
-          and_return(logcache_service)
-        allow(Logcache::V1::ReadRequest).to receive(:new).and_return(logcache_request)
-      end
 
-      it 'calls Logcache with the correct parameters and returns envelopes' do
-        expect(
-          client.container_metrics(source_guid: process.guid, envelope_limit: 1000, start_time: 100, end_time: 101)
-        ).to eq([:fake_envelope_1, :fake_envelope_2])
-
-        expect(Logcache::V1::ReadRequest).to have_received(:new).with(
-          source_id: process.guid,
-          limit: 1000,
-          descending: true,
-          start_time: 100,
-          end_time: 101,
-          envelope_types: [:GAUGE]
-        )
-        expect(logcache_service).to have_received(:read).with(logcache_request)
+    describe 'with TLS' do
+      let(:tls_subject_name) { 'my-logcache' }
+      let(:client_ca_path) { File.join(Paths::FIXTURES, 'certs/log_cache_ca.crt') }
+      let(:client_cert_path) { File.join(Paths::FIXTURES, 'certs/log_cache.crt') }
+      let(:client_key_path) { File.join(Paths::FIXTURES, 'certs/log_cache.key') }
+      let(:credentials) { instance_double(GRPC::Core::ChannelCredentials) }
+      let(:channel_arg_hash) do
+        {
+            channel_args: { GRPC::Core::Channel::SSL_TARGET => tls_subject_name }
+        }
       end
-    end
+      let(:client) do
+        Logcache::Client.new(host: host, port: port, client_ca_path: client_ca_path,
+                             client_cert_path: client_cert_path, client_key_path: client_key_path, tls_subject_name: tls_subject_name,
+                             temporary_ignore_server_unavailable_errors: false)
+      end
+      let(:client_ca) { File.open(client_ca_path).read }
+      let(:client_key) { File.open(client_key_path).read }
+      let(:client_cert) { File.open(client_cert_path).read }
+
+      describe '#container_metrics' do
+        let(:instance_count) { 2 }
+        let!(:process) { VCAP::CloudController::ProcessModel.make(instances: instance_count) }
+
+        before do
+          expect(GRPC::Core::ChannelCredentials).to receive(:new).
+            with(client_ca, client_key, client_cert).
+            and_return(credentials)
+          expect(Logcache::V1::Egress::Stub).to receive(:new).
+            with("#{host}:#{port}", credentials, channel_arg_hash).
+            and_return(logcache_service)
+          allow(Logcache::V1::ReadRequest).to receive(:new).and_return(logcache_request)
+        end
 
-    describe 'when logcache is unavailable' do
-      let(:instance_count) { 0 }
-      let(:bad_status) { GRPC::BadStatus.new(14) }
-      let!(:process) { VCAP::CloudController::ProcessModel.make(instances: instance_count) }
-
-      before do
-        expect(GRPC::Core::ChannelCredentials).to receive(:new).
-          with(client_ca, client_key, client_cert).
-          and_return(credentials)
-        expect(Logcache::V1::Egress::Stub).to receive(:new).
-          with("#{host}:#{port}", credentials, channel_arg_hash).
-          and_return(logcache_service)
-        allow(client).to receive(:sleep)
-        allow(Logcache::V1::ReadRequest).to receive(:new).and_return(logcache_request)
-        allow(logcache_service).to receive(:read).and_raise(bad_status)
+        it 'calls Logcache with the correct parameters and returns envelopes' do
+          expect(
+            client.container_metrics(source_guid: process.guid, envelope_limit: 1000, start_time: 100, end_time: 101)
+          ).to eq([:fake_envelope_1, :fake_envelope_2])
+
+          expect(Logcache::V1::ReadRequest).to have_received(:new).with(
+            source_id: process.guid,
+            limit: 1000,
+            descending: true,
+            start_time: 100,
+            end_time: 101,
+            envelope_types: [:GAUGE]
+          )
+          expect(logcache_service).to have_received(:read).with(logcache_request)
+        end
       end
 
-      context 'and operator has enabled temporary_ignore_server_unavailable_errors' do
-        let(:client) do
-          Logcache::Client.new(host: host, port: port, client_ca_path: client_ca_path,
-                               client_cert_path: client_cert_path, client_key_path: client_key_path, tls_subject_name: tls_subject_name,
-                               temporary_ignore_server_unavailable_errors: true)
+      describe 'when logcache is unavailable' do
+        let(:instance_count) { 0 }
+        let(:bad_status) { GRPC::BadStatus.new(14) }
+        let!(:process) { VCAP::CloudController::ProcessModel.make(instances: instance_count) }
+
+        before do
+          expect(GRPC::Core::ChannelCredentials).to receive(:new).
+            with(client_ca, client_key, client_cert).
+            and_return(credentials)
+          expect(Logcache::V1::Egress::Stub).to receive(:new).
+            with("#{host}:#{port}", credentials, channel_arg_hash).
+            and_return(logcache_service)
+          allow(client).to receive(:sleep)
+          allow(Logcache::V1::ReadRequest).to receive(:new).and_return(logcache_request)
+          allow(logcache_service).to receive(:read).and_raise(bad_status)
         end
 
-        it 'returns an empty envelope' do
-          expect(
+        context 'and operator has enabled temporary_ignore_server_unavailable_errors' do
+          let(:client) do
+            Logcache::Client.new(host: host, port: port, client_ca_path: client_ca_path,
+                                 client_cert_path: client_cert_path, client_key_path: client_key_path, tls_subject_name: tls_subject_name,
+                                 temporary_ignore_server_unavailable_errors: true)
+          end
+
+          it 'returns an empty envelope' do
+            expect(
+              client.container_metrics(source_guid: process.guid, envelope_limit: 1000, start_time: 100, end_time: 101)
+            ).to be_a(Logcache::EmptyEnvelope)
+          end
+
+          # TODO: fix calling the function under test separately
+          it 'retries the request three times' do
             client.container_metrics(source_guid: process.guid, envelope_limit: 1000, start_time: 100, end_time: 101)
-          ).to be_a(Logcache::EmptyEnvelope)
+
+            expect(logcache_service).to have_received(:read).with(logcache_request).exactly(3).times
+          end
         end
 
-        # TODO: fix calling the function under test separately
-        it 'retries the request three times' do
-          client.container_metrics(source_guid: process.guid, envelope_limit: 1000, start_time: 100, end_time: 101)
+        context 'and operator has disabled temporary_ignore_server_unavailable_errors' do
+          let(:client) do
+            Logcache::Client.new(host: host, port: port, client_ca_path: client_ca_path,
+                                 client_cert_path: client_cert_path, client_key_path: client_key_path, tls_subject_name: tls_subject_name,
+                                 temporary_ignore_server_unavailable_errors: false)
+          end
+
+          it 'retries the request three times and raises an exception' do
+            expect {
+              client.container_metrics(source_guid: process.guid, envelope_limit: 1000, start_time: 100, end_time: 101)
+            }.to raise_error(bad_status)
 
-          expect(logcache_service).to have_received(:read).with(logcache_request).exactly(3).times
+            expect(logcache_service).to have_received(:read).with(logcache_request).exactly(3).times
+          end
         end
       end
 
-      context 'and operator has disabled temporary_ignore_server_unavailable_errors' do
-        let(:client) do
-          Logcache::Client.new(host: host, port: port, client_ca_path: client_ca_path,
-                               client_cert_path: client_cert_path, client_key_path: client_key_path, tls_subject_name: tls_subject_name,
-                               temporary_ignore_server_unavailable_errors: false)
+      describe 'when the logcache service has any other error' do
+        let(:bad_status) { GRPC::BadStatus.new(13) }
+        let!(:process) { VCAP::CloudController::ProcessModel.make(instances: instance_count) }
+        let(:instance_count) { 2 }
+
+        before do
+          expect(GRPC::Core::ChannelCredentials).to receive(:new).
+            with(client_ca, client_key, client_cert).
+            and_return(credentials)
+          expect(Logcache::V1::Egress::Stub).to receive(:new).
+            with("#{host}:#{port}", credentials, channel_arg_hash).
+            and_return(logcache_service)
+          allow(client).to receive(:sleep)
+          allow(Logcache::V1::ReadRequest).to receive(:new).and_return(logcache_request)
+          allow(logcache_service).to receive(:read).and_raise(bad_status)
         end
 
-        it 'retries the request three times and raises an exception' do
+        it 'raises the exception' do
           expect {
             client.container_metrics(source_guid: process.guid, envelope_limit: 1000, start_time: 100, end_time: 101)
           }.to raise_error(bad_status)
-
-          expect(logcache_service).to have_received(:read).with(logcache_request).exactly(3).times
         end
       end
     end
 
-    describe 'when the logcache service has any other error' do
-      let(:bad_status) { GRPC::BadStatus.new(13) }
-      let!(:process) { VCAP::CloudController::ProcessModel.make(instances: instance_count) }
-      let(:instance_count) { 2 }
-
-      before do
-        expect(GRPC::Core::ChannelCredentials).to receive(:new).
-          with(client_ca, client_key, client_cert).
-          and_return(credentials)
-        expect(Logcache::V1::Egress::Stub).to receive(:new).
-          with("#{host}:#{port}", credentials, channel_arg_hash).
-          and_return(logcache_service)
-        allow(client).to receive(:sleep)
-        allow(Logcache::V1::ReadRequest).to receive(:new).and_return(logcache_request)
-        allow(logcache_service).to receive(:read).and_raise(bad_status)
+    describe 'without TLS' do
+      let(:client) do
+        Logcache::Client.new(host: host, port: port, temporary_ignore_server_unavailable_errors: false,
+                            client_ca_path: nil, client_cert_path: nil, client_key_path: nil, tls_subject_name: nil)
       end
 
-      it 'raises the exception' do
-        expect {
-          client.container_metrics(source_guid: process.guid, envelope_limit: 1000, start_time: 100, end_time: 101)
-        }.to raise_error(bad_status)
+      describe '#container_metrics' do
+        let(:instance_count) { 2 }
+        let!(:process) { VCAP::CloudController::ProcessModel.make(instances: instance_count) }
+
+        before do
+          expect(GRPC::Core::ChannelCredentials).not_to receive(:new)
+          expect(Logcache::V1::Egress::Stub).to receive(:new).
+            with("#{host}:#{port}", :this_channel_is_insecure).
+            and_return(logcache_service)
+          allow(Logcache::V1::ReadRequest).to receive(:new).and_return(logcache_request)
+        end
+
+        it 'calls Logcache with the correct parameters and returns envelopes' do
+          expect(
+            client.container_metrics(source_guid: process.guid, envelope_limit: 1000, start_time: 100, end_time: 101)
+          ).to eq([:fake_envelope_1, :fake_envelope_2])
+
+          expect(Logcache::V1::ReadRequest).to have_received(:new).with(
+            source_id: process.guid,
+            limit: 1000,
+            descending: true,
+            start_time: 100,
+            end_time: 101,
+            envelope_types: [:GAUGE]
+          )
+          expect(logcache_service).to have_received(:read).with(logcache_request)
+        end
       end
     end
   end
diff --git a/spec/unit/lib/cloud_controller/dependency_locator_spec.rb b/spec/unit/lib/cloud_controller/dependency_locator_spec.rb
@@ -471,6 +471,28 @@
   describe '#traffic_controller_compatible_logcache_client' do
     let(:logcache_client) { instance_double(Logcache::Client) }
     before do
+      allow(Logcache::Client).to receive(:new).and_return(logcache_client)
+    end
+
+    it 'returns the tc-decorated client without TLS' do
+      TestConfig.override(
+        {
+          logcache_tls: nil
+        }
+      )
+      expect(locator.traffic_controller_compatible_logcache_client).to be_an_instance_of(Logcache::TrafficControllerDecorator)
+      expect(Logcache::Client).to have_received(:new).with(
+        host: 'http://doppler.service.cf.internal',
+        port: 8080,
+        client_ca_path: nil,
+        client_cert_path: nil,
+        client_key_path: nil,
+        tls_subject_name: nil,
+        temporary_ignore_server_unavailable_errors: false
+      )
+    end
+
+    it 'returns the tc-decorated client with TLS certificates' do
       TestConfig.override(
         {
           logcache: {
@@ -486,11 +508,6 @@
           }
         }
       )
-
-      allow(Logcache::Client).to receive(:new).and_return(logcache_client)
-    end
-
-    it 'returns the tc-decorated client' do
       expect(locator.traffic_controller_compatible_logcache_client).to be_an_instance_of(Logcache::TrafficControllerDecorator)
       expect(Logcache::Client).to have_received(:new).with(
         host: 'some-logcache-host',
