Director can now call agent's update-settings action

[#91642850]
https://www.pivotaltracker.com/story/show/91642850

bosh-director/lib/bosh/director/agent_client.rb

@@ -94,6 +94,15 @@ def unmount_disk(*args)
       send_long_running_message(:unmount_disk, *args)
     end
 
+    def update_settings(certs)
+      begin
+        send_long_running_message(:update_settings, {"trusted_certs" => certs})
+      rescue RpcRemoteException => e
+        raise unless e.message == 'unknown message update_settings'
+        @logger.warn "remote agent does not support update_settings"
+      end
+    end
+
     def stop(*args)
       send_long_running_message(:stop, *args)
     end

bosh-director/lib/bosh/director/cloudcheck_helper.rb

@@ -130,6 +130,7 @@ def recreate_vm(vm)
       end
 
       agent_client(new_vm).wait_until_ready
+      agent_client(new_vm).update_settings(Bosh::Director::Config.trusted_certs)
 
       # After this point agent is actually responding to
       # pings, so if the rest of this handler fails

bosh-director/lib/bosh/director/config.rb

@@ -26,6 +26,7 @@ class << self
         :result,
         :revision,
         :task_checkpoint_interval,
+        :trusted_certs,
         :uuid,
         :current_job,
         :encryption,
@@ -139,6 +140,8 @@ def configure(config)
           .fetch('auto_fix_stateful_nodes', false)
         @enable_snapshots = config.fetch('snapshots', {}).fetch('enabled', false)
 
+        @trusted_certs = config['trusted_certs'] || ''
+
         Bosh::Clouds::Config.configure(self)
 
         @lock = Monitor.new

bosh-director/lib/bosh/director/deployment_plan/steps/package_compile_step.rb

@@ -159,6 +159,7 @@ def prepare_vm(stemcell)
           begin
             agent = AgentClient.with_defaults(vm.agent_id)
             agent.wait_until_ready
+            agent.update_settings(Bosh::Director::Config.trusted_certs)
 
             configure_vm(vm, agent, network_settings)
             vm_data.agent = agent

bosh-director/lib/bosh/director/instance_updater/vm_updater.rb

@@ -93,6 +93,7 @@ def create(new_disk_id)
 
           agent_client = AgentClient.with_defaults(vm_model.agent_id)
           agent_client.wait_until_ready
+          agent_client.update_settings(Bosh::Director::Config.trusted_certs)
         rescue Exception => e
           @logger.error("Failed to create/contact VM #{vm_model.cid}: #{e.inspect}")
           VmDeleter.new(@instance, vm_model, @cloud, @logger).delete

bosh-director/lib/bosh/director/resource_pool_updater.rb

@@ -53,6 +53,7 @@ def create_missing_vm(vm)
 
       agent = AgentClient.with_defaults(vm_model.agent_id)
       agent.wait_until_ready
+      agent.update_settings(Config.trusted_certs)
 
       update_state(agent, vm_model, vm)
 

bosh-director/lib/cloud/dummy.rb

@@ -60,6 +60,7 @@ def create_vm(agent_id, stemcell, resource_pool, networks, disk_locality = nil,
           disks: { persistent: {} },
           networks: networks,
           vm: { name: "vm-#{agent_id}" },
+          cert: '',
           mbus: @options['nats'],
         })
 

bosh-director/spec/unit/agent_client_spec.rb

@@ -71,6 +71,48 @@ def self.it_acts_as_a_long_running_message(message_name)
       it_acts_as_a_long_running_message :configure_networks
     end
 
+    describe 'update_settings' do
+      subject(:client) { AgentClient.with_defaults('fake-agent_id') }
+      let(:vm_model) { instance_double('Bosh::Director::Models::Vm', credentials: nil) }
+      let(:task) do
+        {
+            'agent_task_id' => 'fake-agent_task_id',
+            'state' => 'running',
+            'value' => 'task value'
+        }
+      end
+      before do
+        allow(Models::Vm).to receive(:find).with(agent_id: 'fake-agent_id').and_return(vm_model)
+      end
+
+      it 'packages the certificates into a map and sends to the agent' do
+        expect(client).to receive(:send_message).with(:update_settings, "trusted_certs" => "these are the certificates")
+        allow(client).to receive(:get_task)
+        client.update_settings("these are the certificates")
+      end
+
+      it 'periodically polls the update settings task while it is running' do
+        allow(client).to receive(:send_message).and_return task
+        allow(client).to receive(:sleep).with(AgentClient::DEFAULT_POLL_INTERVAL)
+        expect(client).to receive(:get_task).with('fake-agent_task_id')
+        client.update_settings("these are the certificates")
+      end
+
+      it 'is only a warning when the remote agent does not implement update_settings' do
+        allow(client).to receive(:handle_method).and_raise(RpcRemoteException, "unknown message update_settings")
+
+        expect(Config.logger).to receive(:warn).with("remote agent does not support update_settings")
+        expect { client.update_settings("no certs") }.to_not raise_error
+      end
+
+      it 'still raises an exception for other RPC failures' do
+        allow(client).to receive(:handle_method).and_raise(RpcRemoteException, "random failure!")
+
+        expect(client).to_not receive(:warning)
+        expect { client.update_settings("no certs") }.to raise_error
+      end
+    end
+
     describe 'ping <=> pong' do
       let(:stemcell) do
         Models::Stemcell.make(:cid => 'stemcell-id')

bosh-director/spec/unit/cloudcheck_helper_spec.rb

@@ -132,6 +132,7 @@ def it_creates_vm_with_persistent_disk
             end
 
             expect(fake_new_agent).to receive(:wait_until_ready).ordered
+            expect(fake_new_agent).to receive(:update_settings).ordered
             expect(fake_cloud).to receive(:attach_disk).with('new-vm-cid', 'disk-cid').ordered
 
             expect(fake_new_agent).to receive(:mount_disk).with('disk-cid').ordered
@@ -183,6 +184,7 @@ def it_creates_vm_with_persistent_disk
             end
 
             expect(fake_new_agent).to receive(:wait_until_ready).ordered
+            expect(fake_new_agent).to receive(:update_settings).ordered
             expect(fake_new_agent).to receive(:apply).with(spec).ordered
             expect(fake_new_agent).to receive(:start).ordered
 

bosh-director/spec/unit/deployment_plan/steps/package_compile_step_spec.rb

@@ -190,6 +190,7 @@ def prepare_samples
           }
 
           expect(agent).to receive(:wait_until_ready)
+          expect(agent).to receive(:update_settings)
           expect(agent).to receive(:apply).with(initial_state)
           expect(agent).to receive(:compile_package) do |*args|
             name = args[2]
@@ -322,6 +323,7 @@ def prepare_samples
 
         agents.each do |agent|
           expect(agent).to receive(:wait_until_ready).at_most(6).times
+          expect(agent).to receive(:update_settings).at_most(6).times
           expect(agent).to receive(:apply).with(initial_state).at_most(6).times
           expect(agent).to receive(:compile_package).at_most(6).times do |*args|
             name = args[2]
@@ -390,6 +392,7 @@ def prepare_samples
         expect(AgentClient).to receive(:with_defaults).and_return(agent)
 
         expect(agent).to receive(:wait_until_ready)
+        expect(agent).to receive(:update_settings)
         expect(agent).to receive(:apply).with(initial_state)
         expect(agent).to receive(:compile_package).and_raise(RuntimeError)
 

bosh-director/spec/unit/deployment_plan/steps/planner_update_spec.rb

@@ -35,6 +35,7 @@ module Bosh::Director::DeploymentPlan
           allow(agent_client).to receive(:drain).with('shutdown').and_return(0)
           allow(agent_client).to receive(:stop)
           allow(agent_client).to receive(:wait_until_ready)
+          allow(agent_client).to receive(:update_settings)
         end
 
         let(:agent_client) { instance_double('Bosh::Director::AgentClient') }

bosh-director/spec/unit/instance_updater/vm_updater_spec.rb

@@ -359,7 +359,10 @@ def self.it_updates_vm(new_disk_cid)
       before { allow(instance_model).to receive(:persistent_disk_cid).with(no_args).and_return(nil) }
 
       before { allow(AgentClient).to receive(:with_defaults).and_return(agent_client) }
-      let(:agent_client) { instance_double('Bosh::Director::AgentClient', wait_until_ready: nil) }
+      let(:agent_client) {
+        instance_double('Bosh::Director::AgentClient',
+          wait_until_ready: nil,
+          update_settings: nil) }
 
       let(:vm_model) { Models::Vm.make }
 

bosh-director/spec/unit/problem_handlers/missing_vm_spec.rb

@@ -52,6 +52,7 @@ def fake_job_context
         allow(AgentClient).to receive(:with_defaults).with('agent-222', anything).and_return(fake_new_agent)
 
         expect(fake_new_agent).to receive(:wait_until_ready).ordered
+        expect(fake_new_agent).to receive(:update_settings).ordered
         expect(fake_new_agent).to receive(:apply).with(spec).ordered
         expect(fake_new_agent).to receive(:start).ordered
 

bosh-director/spec/unit/problem_handlers/unresponsive_agent_spec.rb

@@ -121,6 +121,7 @@ def make_handler(vm, cloud, agent, data = {})
             with('agent-222', 'sc-302', { 'foo' => 'bar' }, ['A', 'B', 'C'], [], { 'key1' => 'value1' })
 
           expect(fake_new_agent).to receive(:wait_until_ready).ordered
+          expect(fake_new_agent).to receive(:update_settings).ordered
           expect(fake_new_agent).to receive(:apply).with(spec).ordered
           expect(fake_new_agent).to receive(:start).ordered
 

bosh-director/spec/unit/resource_pool_updater_spec.rb

@@ -81,6 +81,7 @@ module Bosh::Director
       it 'should create a VM' do
         agent = double(:AgentClient)
         expect(agent).to receive(:wait_until_ready)
+        expect(agent).to receive(:update_settings)
         expect(agent).to receive(:get_state).and_return({'state' => 'foo'})
         allow(AgentClient).to receive(:with_defaults).with('agent-1').and_return(agent)
 

bosh_cli_plugin_micro/lib/bosh/cli/commands/micro.rb

@@ -106,9 +106,12 @@ def perform(stemcell = nil)
       update = !!options[:update]
 
       err 'No deployment set' unless deployment
+      puts "Deployment:\n#{deployment}"
 
       manifest = load_yaml_file(deployment)
 
+      puts "Loaded manifest:\n#{manifest}"
+
       if stemcell.nil?
         unless manifest.is_a?(Hash)
           err('Invalid manifest format')

release/jobs/director/spec

@@ -290,6 +290,10 @@ properties:
       - 0.pool.ntp.org
       - 1.pool.ntp.org
 
+  trusted_certs:
+    description: Cerfiticates that VMs created by this director should trust in addition to those packaged with the stemcell (PEM encoded; zero or more certs allowed)
+    DEFAULT: ''
+
   # Cpi
   director.cpi_job:
     description: Name of cpi job (null to use bundled cpi gems)

release/jobs/director/templates/director.yml.erb.erb

@@ -114,6 +114,10 @@ blobstore:
     password: <%= p('blobstore.director.password') %>
 <% end %>
 
+<% if_p('trusted_certs') do |trusted_certs| %>
+<%= dump_yaml('trusted_certs', trusted_certs) %>
+<% end %>
+
 <%= dump_yaml('user_management', p('director.user_management')) %>
 
 <% if_p('compiled_package_cache.options.bucket_name',

stemcell_builder/stages/bosh_go_agent/apply.sh

@@ -13,9 +13,11 @@ mkdir -p $chroot/var/vcap/monit/svlog
 # Set up agent and monit with runit
 run_in_bosh_chroot $chroot "
 chmod +x /etc/sv/agent/run /etc/sv/agent/log/run
+rm -f /etc/service/agent
 ln -s /etc/sv/agent /etc/service/agent
 
 chmod +x /etc/sv/monit/run /etc/sv/monit/log/run
+rm -f /etc/service/monit
 ln -s /etc/sv/monit /etc/service/monit
 "
 
@@ -28,6 +30,7 @@ cd $agent_dir
 bin/build
 mv out/bosh-agent $chroot/var/vcap/bosh/bin/
 cp Tools/bosh-agent-rc $chroot/var/vcap/bosh/bin/
+cp mbus/agent.{cert,key} $chroot/var/vcap/bosh/
 
 cd $assets_dir/go/src/github.com/cloudfoundry/bosh-davcli
 bin/build