Remove cc_internal_api_user and cc_internal_api_password

johha · johha · commit 83d860e00495 · 2023-01-10T17:22:10.000+01:00
mTLS is required to communicate with the internal api. Therefore
internal user and password can be removed.
diff --git a/app/controllers/internal/app_crashed_controller.rb b/app/controllers/internal/app_crashed_controller.rb
@@ -1,6 +1,5 @@
 require 'sinatra'
 require 'controllers/base/base_controller'
-require 'cloud_controller/internal_api'
 
 module VCAP::CloudController
   class AppCrashedController < RestController::BaseController
diff --git a/app/controllers/internal/app_rescheduling_controller.rb b/app/controllers/internal/app_rescheduling_controller.rb
@@ -1,6 +1,5 @@
 require 'sinatra'
 require 'controllers/base/base_controller'
-require 'cloud_controller/internal_api'
 
 module VCAP::CloudController
   class AppReschedulingController < RestController::BaseController
diff --git a/app/controllers/internal/staging_completion_controller.rb b/app/controllers/internal/staging_completion_controller.rb
@@ -1,6 +1,5 @@
 require 'sinatra'
 require 'controllers/base/base_controller'
-require 'cloud_controller/internal_api'
 require 'cloud_controller/diego/failure_reason_sanitizer'
 require 'cloud_controller/telemetry_logger'
 
diff --git a/app/controllers/internal/task_completion_controller.rb b/app/controllers/internal/task_completion_controller.rb
@@ -1,6 +1,5 @@
 require 'sinatra'
 require 'controllers/base/base_controller'
-require 'cloud_controller/internal_api'
 require 'cloud_controller/diego/task_completion_handler'
 
 module VCAP::CloudController
diff --git a/config/bosh-lite.yml b/config/bosh-lite.yml
@@ -43,10 +43,6 @@ instance_file_descriptor_limit: 16384
 
 request_timeout_in_seconds: 900
 
-internal_api:
-  auth_user: internal_user
-  auth_password: "internal-password"
-
 nginx:
   use_nginx: false
   instance_socket: "/var/vcap/sys/run/cloud_controller_ng/cloud_controller.sock"
diff --git a/config/cloud_controller.yml b/config/cloud_controller.yml
@@ -138,10 +138,6 @@ route_services_enabled: true
 volume_services_enabled: true
 disable_private_domain_cross_space_context_path_route_sharing: false
 
-internal_api:
-  auth_user: internal_user
-  auth_password: internal_password
-
 # App staging parameters
 staging:
   # Max duration for staging process
diff --git a/lib/cloud_controller/config.rb b/lib/cloud_controller/config.rb
@@ -18,7 +18,6 @@
 require 'cloud_controller/config_schemas/vms/deployment_updater_schema'
 require 'cloud_controller/config_schemas/vms/rotate_database_key_schema'
 require 'utils/hash_utils'
-require 'cloud_controller/internal_api'
 
 module VCAP::CloudController
   class Config
@@ -124,7 +123,6 @@ def configure_components
       run_initializers
 
       ProcessObserver.configure(dependency_locator.stagers, dependency_locator.runners)
-      InternalApi.configure(self)
       @schema_class.configure_components(self)
     end
 
diff --git a/lib/cloud_controller/config_schemas/vms/api_schema.rb b/lib/cloud_controller/config_schemas/vms/api_schema.rb
@@ -39,11 +39,6 @@ class ApiSchema < VCAP::Config
               optional(:temporary_oci_buildpack_mode) => enum('oci-phase-1', NilClass),
               enable_declarative_asset_downloads: bool,
             },
-
-            internal_api: {
-              auth_user: String,
-              auth_password: String,
-            },
           }
         end
 
diff --git a/lib/cloud_controller/config_schemas/vms/clock_schema.rb b/lib/cloud_controller/config_schemas/vms/clock_schema.rb
@@ -36,11 +36,6 @@ class ClockSchema < VCAP::Config
               optional(:temporary_oci_buildpack_mode) => enum('oci-phase-1', NilClass),
               enable_declarative_asset_downloads: bool,
             },
-
-            internal_api: {
-              auth_user: String,
-              auth_password: String,
-            },
           }
         end
 
diff --git a/lib/cloud_controller/config_schemas/vms/worker_schema.rb b/lib/cloud_controller/config_schemas/vms/worker_schema.rb
@@ -36,11 +36,6 @@ class WorkerSchema < VCAP::Config
               optional(:temporary_oci_buildpack_mode) => enum('oci-phase-1', NilClass),
               enable_declarative_asset_downloads: bool,
             },
-
-            internal_api: {
-              auth_user: String,
-              auth_password: String,
-            },
           }
         end
 
diff --git a/lib/cloud_controller/diego/task_recipe_builder.rb b/lib/cloud_controller/diego/task_recipe_builder.rb
@@ -96,10 +96,9 @@ def staging_completion_callback(config, staging_details)
         port   = config.get(:tls_port)
         scheme = 'https'
 
-        auth      = "#{config.get(:internal_api, :auth_user)}:#{CGI.escape(config.get(:internal_api, :auth_password))}"
         host_port = "#{config.get(:internal_service_hostname)}:#{port}"
         path      = "/internal/v3/staging/#{staging_details.staging_guid}/build_completed?start=#{staging_details.start_after_staging}"
-        "#{scheme}://#{auth}@#{host_port}#{path}"
+        "#{scheme}://#{host_port}#{path}"
       end
 
       def cpu_weight(task)
diff --git a/lib/cloud_controller/internal_api.rb b/lib/cloud_controller/internal_api.rb
diff --git a/lib/cloud_controller/opi/stager_client.rb b/lib/cloud_controller/opi/stager_client.rb
@@ -119,17 +119,15 @@ def get_lifecycle(staging_details, staging_guid, action_builder)
     def staging_completion_callback(staging_details)
       if config.kubernetes_api_configured?
         port = config.get(:internal_service_port)
-        auth = '' # on Kubernetes we are relying on NetworkPolicy and Istio AuthorizationPolicy for authz
         scheme = 'http'
       else
         port = config.get(:tls_port)
-        auth = "#{config.get(:internal_api, :auth_user)}:#{CGI.escape(config.get(:internal_api, :auth_password))}@"
         scheme = 'https'
       end
 
       host_port = "#{config.get(:internal_service_hostname)}:#{port}"
       path      = "/internal/v3/staging/#{staging_details.staging_guid}/build_completed?start=#{staging_details.start_after_staging}"
-      "#{scheme}://#{auth}#{host_port}#{path}"
+      "#{scheme}://#{host_port}#{path}"
     end
 
     def build_env(environment)
diff --git a/spec/fixtures/config/port_8181_config.yml b/spec/fixtures/config/port_8181_config.yml
@@ -64,10 +64,6 @@ loggregator:
 doppler:
   url: 'wss://doppler.the-system-domain.com:443'
 
-internal_api:
-  auth_user: internal_user
-  auth_password: internal_password
-
 nginx:
   use_nginx: false
   instance_socket: "/var/vcap/sys/run/cloud_controller_ng/cloud_controller.sock"
diff --git a/spec/unit/lib/cloud_controller/diego/task_recipe_builder_spec.rb b/spec/unit/lib/cloud_controller/diego/task_recipe_builder_spec.rb
@@ -46,10 +46,6 @@ module Diego
           Config.new({
             tls_port: tls_port,
             internal_service_hostname: internal_service_hostname,
-            internal_api: {
-              auth_user: user,
-              auth_password: password
-            },
             staging: {
               timeout_in_seconds: 90,
             },
@@ -63,8 +59,6 @@ module Diego
         let(:isolation_segment) { 'potato-segment' }
         let(:internal_service_hostname) { 'internal.awesome.sauce' }
         let(:tls_port) { '7773' }
-        let(:user) { 'user' }
-        let(:password) { 'pass[%3a]word' }
         let(:rule_dns_everywhere) do
           ::Diego::Bbs::Models::SecurityGroupRule.new(
             protocol: 'udp',
@@ -157,7 +151,7 @@ module Diego
             expect(result.image_layers).to eq(lifecycle_image_layers)
             expect(result.cpu_weight).to eq(50)
 
-            expect(result.completion_callback_url).to eq("https://#{user}:#{CGI.escape(password)}@#{internal_service_hostname}:#{tls_port}" \
+            expect(result.completion_callback_url).to eq("https://#{internal_service_hostname}:#{tls_port}" \
                                    "/internal/v3/staging/#{droplet.guid}/build_completed?start=#{staging_details.start_after_staging}")
 
             timeout_action = result.action.timeout_action
@@ -291,7 +285,7 @@ module Diego
 
           it 'sets the completion callback' do
             result = task_recipe_builder.build_staging_task(config, staging_details)
-            expect(result.completion_callback_url).to eq("https://#{user}:#{CGI.escape(password)}@#{internal_service_hostname}:#{tls_port}" \
+            expect(result.completion_callback_url).to eq("https://#{internal_service_hostname}:#{tls_port}" \
                                    "/internal/v3/staging/#{droplet.guid}/build_completed?start=#{staging_details.start_after_staging}")
           end
 
@@ -368,10 +362,6 @@ module Diego
           Config.new({
             tls_port: tls_port,
             internal_service_hostname: internal_service_hostname,
-            internal_api: {
-              auth_user: user,
-              auth_password: password
-            },
             diego: {
               lifecycle_bundles: { 'buildpack/potato-stack': 'potato_lifecycle_bundle_url' },
               pid_limit: 100,
@@ -382,8 +372,6 @@ module Diego
         let(:isolation_segment) { 'potato-segment' }
         let(:internal_service_hostname) { 'internal.awesome.sauce' }
         let(:tls_port) { '7777' }
-        let(:user) { 'user' }
-        let(:password) { 'password' }
         let(:rule_dns_everywhere) do
           ::Diego::Bbs::Models::SecurityGroupRule.new(
             protocol: 'udp',
diff --git a/spec/unit/lib/cloud_controller/opi/stager_client_spec.rb b/spec/unit/lib/cloud_controller/opi/stager_client_spec.rb
@@ -9,10 +9,6 @@
         cc_uploader_url: 'http://cc-uploader.service.cf.internal:9091'
       },
       tls_port: 8182,
-      internal_api: {
-        auth_user: 'internal_user',
-        auth_password: 'internal_password'
-      },
       internal_service_hostname: 'api.internal.cf',
       internal_service_port:     '9090',
       kubernetes: kubernetes_config,
@@ -73,7 +69,7 @@
           environment: [{ name: 'VCAP_APPLICATION', value: '{"wow":"pants"}' },
                         { name: 'MEMORY_LIMIT', value: '256m' },
                         { name: 'VCAP_SERVICES', value: '{}' }],
-          completion_callback: 'https://internal_user:internal_password@api.internal.cf:8182/internal/v3/staging/some_staging_guid/build_completed?start=',
+          completion_callback: 'https://api.internal.cf:8182/internal/v3/staging/some_staging_guid/build_completed?start=',
           lifecycle: {
             buildpack_lifecycle: {
               droplet_upload_uri: "http://cc-uploader.service.cf.internal:9091/v1/droplet/#{staging_guid}?cc-droplet-upload-uri=http://upload.me",
@@ -111,7 +107,7 @@
                           { name: 'VCAP_APPLICATION', value: '{"wow":"pants"}' },
                           { name: 'MEMORY_LIMIT', value: '256m' },
                           { name: 'VCAP_SERVICES', value: '{}' }],
-            completion_callback: 'https://internal_user:internal_password@api.internal.cf:8182/internal/v3/staging/some_staging_guid/build_completed?start=',
+            completion_callback: 'https://api.internal.cf:8182/internal/v3/staging/some_staging_guid/build_completed?start=',
             lifecycle: {
               buildpack_lifecycle: {
                 droplet_upload_uri: "http://cc-uploader.service.cf.internal:9091/v1/droplet/#{staging_guid}?cc-droplet-upload-uri=http://upload.me",
@@ -175,7 +171,7 @@
           environment: [{ name: 'VCAP_APPLICATION', value: '{"wow":"pants"}' },
                         { name: 'MEMORY_LIMIT', value: '256m' },
                         { name: 'VCAP_SERVICES', value: '{}' }],
-          completion_callback: 'https://internal_user:internal_password@api.internal.cf:8182/internal/v3/staging/some_staging_guid/build_completed?start=',
+          completion_callback: 'https://api.internal.cf:8182/internal/v3/staging/some_staging_guid/build_completed?start=',
           lifecycle: {
             docker_lifecycle: {
               image: 'docker.io/some/image',
