From 717cc926cc6613672006e782c81df92c9e25154f Mon Sep 17 00:00:00 2001 From: Katharina Przybill <30441792+kathap@users.noreply.github.com> Date: Wed, 25 Mar 2026 08:52:43 +0100 Subject: [PATCH 1/8] Enhance storage-cli webdav config --- .../templates/storage_cli_config_buildpacks.json.erb | 8 +++++--- .../templates/storage_cli_config_droplets.json.erb | 8 +++++--- .../templates/storage_cli_config_packages.json.erb | 8 +++++--- .../storage_cli_config_resource_pool.json.erb | 8 +++++--- .../templates/storage_cli_config_buildpacks.json.erb | 10 ++++++---- .../templates/storage_cli_config_droplets.json.erb | 8 +++++--- .../templates/storage_cli_config_packages.json.erb | 8 +++++--- .../storage_cli_config_resource_pool.json.erb | 8 +++++--- .../templates/storage_cli_config_buildpacks.json.erb | 8 +++++--- .../templates/storage_cli_config_droplets.json.erb | 8 +++++--- .../templates/storage_cli_config_packages.json.erb | 8 +++++--- .../storage_cli_config_resource_pool.json.erb | 8 +++++--- .../templates/storage_cli_config_buildpacks.json.erb | 8 +++++--- .../templates/storage_cli_config_droplets.json.erb | 5 +++-- .../templates/storage_cli_config_packages.json.erb | 10 ++++++---- .../storage_cli_config_resource_pool.json.erb | 8 +++++--- .../templates/storage_cli_config_buildpacks.json.erb | 8 +++++--- .../templates/storage_cli_config_droplets.json.erb | 8 +++++--- .../templates/storage_cli_config_packages.json.erb | 8 +++++--- .../storage_cli_config_resource_pool.json.erb | 10 ++++++---- 20 files changed, 101 insertions(+), 62 deletions(-) diff --git a/jobs/blobstore_benchmark/templates/storage_cli_config_buildpacks.json.erb b/jobs/blobstore_benchmark/templates/storage_cli_config_buildpacks.json.erb index 2e6886adf7..96b8ec91d3 100644 --- a/jobs/blobstore_benchmark/templates/storage_cli_config_buildpacks.json.erb +++ b/jobs/blobstore_benchmark/templates/storage_cli_config_buildpacks.json.erb 
@@ -91,19 +91,21 @@ if provider == "aliyun" || provider == "alioss" options["bucket_name"] = l.p("#{scope}.aliyun_oss_bucket") end -# WebDAV/dav support intentionally excluded (not fully implemented) +# Support both native storage-cli types (dav) AND legacy fog names (webdav) +# Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" options["provider"] = provider options["user"] = l.p("#{scope}.username") options["password"] = l.p("#{scope}.password") - options["endpoint"] = l.p("#{scope}.public_endpoint") + options["endpoint"] = l.p("#{scope}.private_endpoint") + "/admin/" add_optional(options, "secret", l.p("#{scope}.secret", nil)) + add_optional(options, "signing_method", l.p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=l.p("#{scope}.ca_cert",nil) unless ca_cert.empty? - options["tls"]={"cert"=>ca_cert} + options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/blobstore_benchmark/templates/storage_cli_config_droplets.json.erb b/jobs/blobstore_benchmark/templates/storage_cli_config_droplets.json.erb index c72cf61b76..7588e0ccc5 100644 --- a/jobs/blobstore_benchmark/templates/storage_cli_config_droplets.json.erb +++ b/jobs/blobstore_benchmark/templates/storage_cli_config_droplets.json.erb 
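Review bot: The new `options["endpoint"] = l.p("#{scope}.private_endpoint") + "/admin/"` joins the path by plain concatenation and accepts any scheme, while the same object carries `user` and `password`. A `private_endpoint` that already ends in `/` renders `//admin/`, and an `http://` value would presumably send the basic-auth credentials in clear text, since the `tls` key only supplies a CA and is skipped when `ca_cert` is empty. I would normalize the join with `l.p("#{scope}.private_endpoint").chomp("/") + "/admin/"` and state in the job spec that the property must be an `https://` URL (or fail rendering otherwise). The same line is added in the webdav block of every template in this patch, in both the `l.p(...)` and the `p(...)` form. The enclosing template starts and ends outside the hunk.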
@@ -91,19 +91,21 @@ if provider == "aliyun" || provider == "alioss" options["bucket_name"] = l.p("#{scope}.aliyun_oss_bucket") end -# WebDAV/dav support intentionally excluded (not fully implemented) +# Support both native storage-cli types (dav) AND legacy fog names (webdav) +# Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" options["provider"] = provider options["user"] = l.p("#{scope}.username") options["password"] = l.p("#{scope}.password") - options["endpoint"] = l.p("#{scope}.public_endpoint") + options["endpoint"] = l.p("#{scope}.private_endpoint") + "/admin/" add_optional(options, "secret", l.p("#{scope}.secret", nil)) + add_optional(options, "signing_method", l.p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=l.p("#{scope}.ca_cert",nil) unless ca_cert.empty? - options["tls"]={"cert"=>ca_cert} + options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/blobstore_benchmark/templates/storage_cli_config_packages.json.erb b/jobs/blobstore_benchmark/templates/storage_cli_config_packages.json.erb index 62b6703cfa..7c1aaaa44b 100644 --- a/jobs/blobstore_benchmark/templates/storage_cli_config_packages.json.erb +++ b/jobs/blobstore_benchmark/templates/storage_cli_config_packages.json.erb 
@@ -91,19 +91,21 @@ if provider == "aliyun" || provider == "alioss" options["bucket_name"] = l.p("#{scope}.aliyun_oss_bucket") end -# WebDAV/dav support intentionally excluded (not fully implemented) +# Support both native storage-cli types (dav) AND legacy fog names (webdav) +# Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" options["provider"] = provider options["user"] = l.p("#{scope}.username") options["password"] = l.p("#{scope}.password") - options["endpoint"] = l.p("#{scope}.public_endpoint") + options["endpoint"] = l.p("#{scope}.private_endpoint") + "/admin/" add_optional(options, "secret", l.p("#{scope}.secret", nil)) + add_optional(options, "signing_method", l.p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=l.p("#{scope}.ca_cert",nil) unless ca_cert.empty? - options["tls"]={"cert"=>ca_cert} + options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/blobstore_benchmark/templates/storage_cli_config_resource_pool.json.erb b/jobs/blobstore_benchmark/templates/storage_cli_config_resource_pool.json.erb index 575efadebb..8714007959 100644 --- a/jobs/blobstore_benchmark/templates/storage_cli_config_resource_pool.json.erb +++ b/jobs/blobstore_benchmark/templates/storage_cli_config_resource_pool.json.erb 
@@ -91,19 +91,21 @@ if provider == "aliyun" || provider == "alioss" options["bucket_name"] = l.p("#{scope}.aliyun_oss_bucket") end -# WebDAV/dav support intentionally excluded (not fully implemented) +# Support both native storage-cli types (dav) AND legacy fog names (webdav) +# Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" options["provider"] = provider options["user"] = l.p("#{scope}.username") options["password"] = l.p("#{scope}.password") - options["endpoint"] = l.p("#{scope}.public_endpoint") + options["endpoint"] = l.p("#{scope}.private_endpoint") + "/admin/" add_optional(options, "secret", l.p("#{scope}.secret", nil)) + add_optional(options, "signing_method", l.p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=l.p("#{scope}.ca_cert",nil) unless ca_cert.empty? - options["tls"]={"cert"=>ca_cert} + options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cc_deployment_updater/templates/storage_cli_config_buildpacks.json.erb b/jobs/cc_deployment_updater/templates/storage_cli_config_buildpacks.json.erb index f5454cf125..950872dcf3 100644 --- a/jobs/cc_deployment_updater/templates/storage_cli_config_buildpacks.json.erb +++ b/jobs/cc_deployment_updater/templates/storage_cli_config_buildpacks.json.erb 
@@ -90,20 +90,22 @@ if provider == "aliyun" || provider == "alioss" options["endpoint"] = l.p("#{scope}.aliyun_oss_endpoint") options["bucket_name"] = l.p("#{scope}.aliyun_oss_bucket") end - -# WebDAV/dav support intentionally excluded (not fully implemented) + +# Support both native storage-cli types (dav) AND legacy fog names (webdav) +# Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" options["provider"] = provider options["user"] = l.p("#{scope}.username") options["password"] = l.p("#{scope}.password") - options["endpoint"] = l.p("#{scope}.public_endpoint") + options["endpoint"] = l.p("#{scope}.private_endpoint") + "/admin/" add_optional(options, "secret", l.p("#{scope}.secret", nil)) + add_optional(options, "signing_method", l.p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=l.p("#{scope}.ca_cert",nil) unless ca_cert.empty? - options["tls"]={"cert"=>ca_cert} + options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cc_deployment_updater/templates/storage_cli_config_droplets.json.erb b/jobs/cc_deployment_updater/templates/storage_cli_config_droplets.json.erb index 050c260f39..cd665f1467 100644 --- a/jobs/cc_deployment_updater/templates/storage_cli_config_droplets.json.erb +++ b/jobs/cc_deployment_updater/templates/storage_cli_config_droplets.json.erb 
@@ -91,19 +91,21 @@ if provider == "aliyun" || provider == "alioss" options["bucket_name"] = l.p("#{scope}.aliyun_oss_bucket") end -# WebDAV/dav support intentionally excluded (not fully implemented) +# Support both native storage-cli types (dav) AND legacy fog names (webdav) +# Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" options["provider"] = provider options["user"] = l.p("#{scope}.username") options["password"] = l.p("#{scope}.password") - options["endpoint"] = l.p("#{scope}.public_endpoint") + options["endpoint"] = l.p("#{scope}.private_endpoint") + "/admin/" add_optional(options, "secret", l.p("#{scope}.secret", nil)) + add_optional(options, "signing_method", l.p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=l.p("#{scope}.ca_cert",nil) unless ca_cert.empty? - options["tls"]={"cert"=>ca_cert} + options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cc_deployment_updater/templates/storage_cli_config_packages.json.erb b/jobs/cc_deployment_updater/templates/storage_cli_config_packages.json.erb index 62b6703cfa..7c1aaaa44b 100644 --- a/jobs/cc_deployment_updater/templates/storage_cli_config_packages.json.erb +++ b/jobs/cc_deployment_updater/templates/storage_cli_config_packages.json.erb 
@@ -91,19 +91,21 @@ if provider == "aliyun" || provider == "alioss" options["bucket_name"] = l.p("#{scope}.aliyun_oss_bucket") end -# WebDAV/dav support intentionally excluded (not fully implemented) +# Support both native storage-cli types (dav) AND legacy fog names (webdav) +# Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" options["provider"] = provider options["user"] = l.p("#{scope}.username") options["password"] = l.p("#{scope}.password") - options["endpoint"] = l.p("#{scope}.public_endpoint") + options["endpoint"] = l.p("#{scope}.private_endpoint") + "/admin/" add_optional(options, "secret", l.p("#{scope}.secret", nil)) + add_optional(options, "signing_method", l.p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=l.p("#{scope}.ca_cert",nil) unless ca_cert.empty? - options["tls"]={"cert"=>ca_cert} + options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cc_deployment_updater/templates/storage_cli_config_resource_pool.json.erb b/jobs/cc_deployment_updater/templates/storage_cli_config_resource_pool.json.erb index cc3f84adb0..b1d4a43626 100644 --- a/jobs/cc_deployment_updater/templates/storage_cli_config_resource_pool.json.erb +++ b/jobs/cc_deployment_updater/templates/storage_cli_config_resource_pool.json.erb 
@@ -91,19 +91,21 @@ if provider == "aliyun" || provider == "alioss" options["bucket_name"] = l.p("#{scope}.aliyun_oss_bucket") end -# WebDAV/dav support intentionally excluded (not fully implemented) +# Support both native storage-cli types (dav) AND legacy fog names (webdav) +# Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" options["provider"] = provider options["user"] = l.p("#{scope}.username") options["password"] = l.p("#{scope}.password") - options["endpoint"] = l.p("#{scope}.public_endpoint") + options["endpoint"] = l.p("#{scope}.private_endpoint") + "/admin/" add_optional(options, "secret", l.p("#{scope}.secret", nil)) + add_optional(options, "signing_method", l.p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=l.p("#{scope}.ca_cert",nil) unless ca_cert.empty? - options["tls"]={"cert"=>ca_cert} + options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cloud_controller_clock/templates/storage_cli_config_buildpacks.json.erb b/jobs/cloud_controller_clock/templates/storage_cli_config_buildpacks.json.erb index 3df22410bd..7996bf9b77 100644 --- a/jobs/cloud_controller_clock/templates/storage_cli_config_buildpacks.json.erb +++ b/jobs/cloud_controller_clock/templates/storage_cli_config_buildpacks.json.erb 
@@ -89,19 +89,21 @@ if provider == "aliyun" || provider == "alioss" options["bucket_name"] = p("#{scope}.aliyun_oss_bucket") end -# WebDAV/dav support intentionally excluded (not fully implemented) +# Support both native storage-cli types (dav) AND legacy fog names (webdav) +# Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" options["provider"] = provider options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - options["endpoint"] = p("#{scope}.public_endpoint") + options["endpoint"] = p("#{scope}.private_endpoint") + "/admin/" add_optional(options, "secret", p("#{scope}.secret", nil)) + add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) unless ca_cert.empty? - options["tls"]={"cert"=>ca_cert} + options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cloud_controller_clock/templates/storage_cli_config_droplets.json.erb b/jobs/cloud_controller_clock/templates/storage_cli_config_droplets.json.erb index 4616d8afe9..5b481e5386 100644 --- a/jobs/cloud_controller_clock/templates/storage_cli_config_droplets.json.erb +++ b/jobs/cloud_controller_clock/templates/storage_cli_config_droplets.json.erb 
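Review bot: The `unless ca_cert.empty?` guard around the new `options["tls"]={"cert"=>{"ca"=>ca_cert}}` line is fed by `p("#{scope}.ca_cert",nil)`, so if the job spec declares no default for `ca_cert`, an unset property reaches `.empty?` as nil and rendering would raise instead of omitting the `tls` key. The guard is unchanged context, but since the TLS shape is being touched anyway, `unless ca_cert.to_s.empty?` would make the optional case safe. The `l.p(...)` templates earlier in the patch use the same guard. It is also worth a one-line comment saying what storage-cli trusts when `tls` is absent, because that decides whether the private endpoint is still verified.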
@@ -89,19 +89,21 @@ if provider == "aliyun" || provider == "alioss" options["bucket_name"] = p("#{scope}.aliyun_oss_bucket") end -# WebDAV/dav support intentionally excluded (not fully implemented) +# Support both native storage-cli types (dav) AND legacy fog names (webdav) +# Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" options["provider"] = provider options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - options["endpoint"] = p("#{scope}.public_endpoint") + options["endpoint"] = p("#{scope}.private_endpoint") + "/admin/" add_optional(options, "secret", p("#{scope}.secret", nil)) + add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) unless ca_cert.empty? - options["tls"]={"cert"=>ca_cert} + options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cloud_controller_clock/templates/storage_cli_config_packages.json.erb b/jobs/cloud_controller_clock/templates/storage_cli_config_packages.json.erb index 9b35f91c78..fa146c43b1 100644 --- a/jobs/cloud_controller_clock/templates/storage_cli_config_packages.json.erb +++ b/jobs/cloud_controller_clock/templates/storage_cli_config_packages.json.erb 
@@ -89,19 +89,21 @@ if provider == "aliyun" || provider == "alioss" options["bucket_name"] = p("#{scope}.aliyun_oss_bucket") end -# WebDAV/dav support intentionally excluded (not fully implemented) +# Support both native storage-cli types (dav) AND legacy fog names (webdav) +# Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" options["provider"] = provider options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - options["endpoint"] = p("#{scope}.public_endpoint") + options["endpoint"] = p("#{scope}.private_endpoint") + "/admin/" add_optional(options, "secret", p("#{scope}.secret", nil)) + add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) unless ca_cert.empty? - options["tls"]={"cert"=>ca_cert} + options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cloud_controller_clock/templates/storage_cli_config_resource_pool.json.erb b/jobs/cloud_controller_clock/templates/storage_cli_config_resource_pool.json.erb index 024e57456e..26e468f4ca 100644 --- a/jobs/cloud_controller_clock/templates/storage_cli_config_resource_pool.json.erb +++ b/jobs/cloud_controller_clock/templates/storage_cli_config_resource_pool.json.erb 
@@ -89,19 +89,21 @@ if provider == "aliyun" || provider == "alioss" options["bucket_name"] = p("#{scope}.aliyun_oss_bucket") end -# WebDAV/dav support intentionally excluded (not fully implemented) +# Support both native storage-cli types (dav) AND legacy fog names (webdav) +# Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" options["provider"] = provider options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - options["endpoint"] = p("#{scope}.public_endpoint") + options["endpoint"] = p("#{scope}.private_endpoint") + "/admin/" add_optional(options, "secret", p("#{scope}.secret", nil)) + add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) unless ca_cert.empty? - options["tls"]={"cert"=>ca_cert} + options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cloud_controller_ng/templates/storage_cli_config_buildpacks.json.erb b/jobs/cloud_controller_ng/templates/storage_cli_config_buildpacks.json.erb index 3df22410bd..7996bf9b77 100644 --- a/jobs/cloud_controller_ng/templates/storage_cli_config_buildpacks.json.erb +++ b/jobs/cloud_controller_ng/templates/storage_cli_config_buildpacks.json.erb 
@@ -89,19 +89,21 @@ if provider == "aliyun" || provider == "alioss" options["bucket_name"] = p("#{scope}.aliyun_oss_bucket") end -# WebDAV/dav support intentionally excluded (not fully implemented) +# Support both native storage-cli types (dav) AND legacy fog names (webdav) +# Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" options["provider"] = provider options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - options["endpoint"] = p("#{scope}.public_endpoint") + options["endpoint"] = p("#{scope}.private_endpoint") + "/admin/" add_optional(options, "secret", p("#{scope}.secret", nil)) + add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) unless ca_cert.empty? - options["tls"]={"cert"=>ca_cert} + options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cloud_controller_ng/templates/storage_cli_config_droplets.json.erb b/jobs/cloud_controller_ng/templates/storage_cli_config_droplets.json.erb index 45024f6ccd..fd6bff01c4 100644 --- a/jobs/cloud_controller_ng/templates/storage_cli_config_droplets.json.erb +++ b/jobs/cloud_controller_ng/templates/storage_cli_config_droplets.json.erb 
@@ -94,14 +94,15 @@ if provider == "webdav" || provider == "dav" options["provider"] = provider options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - options["endpoint"] = p("#{scope}.public_endpoint") + options["endpoint"] = p("#{scope}.private_endpoint") + "/admin/" add_optional(options, "secret", p("#{scope}.secret", nil)) + add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) unless ca_cert.empty? - options["tls"]={"cert"=>ca_cert} + options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cloud_controller_ng/templates/storage_cli_config_packages.json.erb b/jobs/cloud_controller_ng/templates/storage_cli_config_packages.json.erb index d345fe3d88..fa146c43b1 100644 --- a/jobs/cloud_controller_ng/templates/storage_cli_config_packages.json.erb +++ b/jobs/cloud_controller_ng/templates/storage_cli_config_packages.json.erb 
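Review bot: This is the only template in the patch whose hunk does not replace the `# WebDAV/dav support intentionally excluded (not fully implemented)` comment. The comment line, if this file has one, sits above the hunk and cannot be seen here, but if it is still present it now contradicts the block it introduces. I would check the file and align it with the other 19 templates: `# Support both native storage-cli types (dav) AND legacy fog names (webdav)` followed by the removal-date line.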
@@ -88,20 +88,22 @@ if provider == "aliyun" || provider == "alioss" options["endpoint"] = p("#{scope}.aliyun_oss_endpoint") options["bucket_name"] = p("#{scope}.aliyun_oss_bucket") end - -# WebDAV/dav support intentionally excluded (not fully implemented) + +# Support both native storage-cli types (dav) AND legacy fog names (webdav) +# Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" options["provider"] = provider options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - options["endpoint"] = p("#{scope}.public_endpoint") + options["endpoint"] = p("#{scope}.private_endpoint") + "/admin/" add_optional(options, "secret", p("#{scope}.secret", nil)) + add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) unless ca_cert.empty? - options["tls"]={"cert"=>ca_cert} + options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cloud_controller_ng/templates/storage_cli_config_resource_pool.json.erb b/jobs/cloud_controller_ng/templates/storage_cli_config_resource_pool.json.erb index 024e57456e..26e468f4ca 100644 --- a/jobs/cloud_controller_ng/templates/storage_cli_config_resource_pool.json.erb +++ b/jobs/cloud_controller_ng/templates/storage_cli_config_resource_pool.json.erb 
@@ -89,19 +89,21 @@ if provider == "aliyun" || provider == "alioss" options["bucket_name"] = p("#{scope}.aliyun_oss_bucket") end -# WebDAV/dav support intentionally excluded (not fully implemented) +# Support both native storage-cli types (dav) AND legacy fog names (webdav) +# Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" options["provider"] = provider options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - options["endpoint"] = p("#{scope}.public_endpoint") + options["endpoint"] = p("#{scope}.private_endpoint") + "/admin/" add_optional(options, "secret", p("#{scope}.secret", nil)) + add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) unless ca_cert.empty? - options["tls"]={"cert"=>ca_cert} + options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cloud_controller_worker/templates/storage_cli_config_buildpacks.json.erb b/jobs/cloud_controller_worker/templates/storage_cli_config_buildpacks.json.erb index 3df22410bd..7996bf9b77 100644 --- a/jobs/cloud_controller_worker/templates/storage_cli_config_buildpacks.json.erb +++ b/jobs/cloud_controller_worker/templates/storage_cli_config_buildpacks.json.erb 
@@ -89,19 +89,21 @@ if provider == "aliyun" || provider == "alioss" options["bucket_name"] = p("#{scope}.aliyun_oss_bucket") end -# WebDAV/dav support intentionally excluded (not fully implemented) +# Support both native storage-cli types (dav) AND legacy fog names (webdav) +# Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" options["provider"] = provider options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - options["endpoint"] = p("#{scope}.public_endpoint") + options["endpoint"] = p("#{scope}.private_endpoint") + "/admin/" add_optional(options, "secret", p("#{scope}.secret", nil)) + add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) unless ca_cert.empty? - options["tls"]={"cert"=>ca_cert} + options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cloud_controller_worker/templates/storage_cli_config_droplets.json.erb b/jobs/cloud_controller_worker/templates/storage_cli_config_droplets.json.erb index 4616d8afe9..5b481e5386 100644 --- a/jobs/cloud_controller_worker/templates/storage_cli_config_droplets.json.erb +++ b/jobs/cloud_controller_worker/templates/storage_cli_config_droplets.json.erb 
@@ -89,19 +89,21 @@ if provider == "aliyun" || provider == "alioss" options["bucket_name"] = p("#{scope}.aliyun_oss_bucket") end -# WebDAV/dav support intentionally excluded (not fully implemented) +# Support both native storage-cli types (dav) AND legacy fog names (webdav) +# Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" options["provider"] = provider options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - options["endpoint"] = p("#{scope}.public_endpoint") + options["endpoint"] = p("#{scope}.private_endpoint") + "/admin/" add_optional(options, "secret", p("#{scope}.secret", nil)) + add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) unless ca_cert.empty? - options["tls"]={"cert"=>ca_cert} + options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cloud_controller_worker/templates/storage_cli_config_packages.json.erb b/jobs/cloud_controller_worker/templates/storage_cli_config_packages.json.erb index d345fe3d88..edcec945c3 100644 --- a/jobs/cloud_controller_worker/templates/storage_cli_config_packages.json.erb +++ b/jobs/cloud_controller_worker/templates/storage_cli_config_packages.json.erb 
@@ -89,19 +89,21 @@ if provider == "aliyun" || provider == "alioss" options["bucket_name"] = p("#{scope}.aliyun_oss_bucket") end -# WebDAV/dav support intentionally excluded (not fully implemented) +# Support both native storage-cli types (dav) AND legacy fog names (webdav) +# Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" options["provider"] = provider options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - options["endpoint"] = p("#{scope}.public_endpoint") + options["endpoint"] = p("#{scope}.private_endpoint") + "/admin/" add_optional(options, "secret", p("#{scope}.secret", nil)) + add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) unless ca_cert.empty? - options["tls"]={"cert"=>ca_cert} + options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cloud_controller_worker/templates/storage_cli_config_resource_pool.json.erb b/jobs/cloud_controller_worker/templates/storage_cli_config_resource_pool.json.erb index 024e57456e..0770196b51 100644 --- a/jobs/cloud_controller_worker/templates/storage_cli_config_resource_pool.json.erb +++ b/jobs/cloud_controller_worker/templates/storage_cli_config_resource_pool.json.erb 
@@ -88,20 +88,22 @@ if provider == "aliyun" || provider == "alioss" options["endpoint"] = p("#{scope}.aliyun_oss_endpoint") options["bucket_name"] = p("#{scope}.aliyun_oss_bucket") end - -# WebDAV/dav support intentionally excluded (not fully implemented) + +# Support both native storage-cli types (dav) AND legacy fog names (webdav) +# Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" options["provider"] = provider options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - options["endpoint"] = p("#{scope}.public_endpoint") + options["endpoint"] = p("#{scope}.private_endpoint") + "/admin/" add_optional(options, "secret", p("#{scope}.secret", nil)) + add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) unless ca_cert.empty? - options["tls"]={"cert"=>ca_cert} + options["tls"]={"cert"=>{"ca"=>ca_cert}} end end From 02c91933d496c4572ee1caf8ec561b4ff59be7f4 Mon Sep 17 00:00:00 2001 From: Katharina Przybill <30441792+kathap@users.noreply.github.com> Date: Wed, 25 Mar 2026 09:36:12 +0100 Subject: [PATCH 2/8] adapt tests --- .../storage_cli_config_jsons_spec.rb | 14 ++++++++------ .../storage_cli_config_jsons_spec.rb | 14 ++++++++------ .../storage_cli_config_jsons_spec.rb | 14 ++++++++------ .../storage_cli_config_jsons_spec.rb | 14 ++++++++------ 4 files changed, 32 insertions(+), 24 deletions(-) diff --git a/spec/cc_deployment_updater/storage_cli_config_jsons_spec.rb b/spec/cc_deployment_updater/storage_cli_config_jsons_spec.rb index 24bec8ab58..94268e4d0c 100644 --- a/spec/cc_deployment_updater/storage_cli_config_jsons_spec.rb +++ b/spec/cc_deployment_updater/storage_cli_config_jsons_spec.rb 
@@ -329,7 +329,7 @@ def props_for_provider(provider) 'provider' => 'webdav', 'username' => 'user', 'password' => 'secret', - 'public_endpoint' => 'webdav.com', + 'private_endpoint' => 'https://webdav.com', 'ca_cert' => 'some_cert' }) json = YAML.safe_load(template.render(props, consumes: links)) @@ -337,8 +337,8 @@ def props_for_provider(provider) 'provider' => 'webdav', 'user' => 'user', 'password' => 'secret', - 'endpoint' => 'webdav.com', - 'tls' => { 'cert' => 'some_cert' } + 'endpoint' => 'https://webdav.com/admin/', + 'tls' => { 'cert' => { 'ca' => 'some_cert' } } ) end @@ -347,9 +347,10 @@ def props_for_provider(provider) 'provider' => 'webdav', 'username' => 'user', 'password' => 'secret', - 'public_endpoint' => 'webdav.com', + 'private_endpoint' => 'https://webdav.com', 'ca_cert' => 'some_cert', 'secret' => 'secret', + 'signing_method' => 'md5', 'retry_attempts' => '4' }) json = YAML.safe_load(template.render(props, consumes: links)) @@ -357,9 +358,10 @@ def props_for_provider(provider) 'provider' => 'webdav', 'user' => 'user', 'password' => 'secret', - 'endpoint' => 'webdav.com', - 'tls' => { 'cert' => 'some_cert' }, + 'endpoint' => 'https://webdav.com/admin/', + 'tls' => { 'cert' => { 'ca' => 'some_cert' } }, 'secret' => 'secret', + 'signing_method' => 'md5', 'retry_attempts' => '4' ) end diff --git a/spec/cloud_controller_clock/storage_cli_config_jsons_spec.rb b/spec/cloud_controller_clock/storage_cli_config_jsons_spec.rb index ff1fbc52a1..ca7d5006ff 100644 --- a/spec/cloud_controller_clock/storage_cli_config_jsons_spec.rb +++ b/spec/cloud_controller_clock/storage_cli_config_jsons_spec.rb @@ -282,7 +282,7 @@ def props_for_provider(provider) 'provider' => 'webdav', 'username' => 'user', 'password' => 'secret', - 'public_endpoint' => 'webdav.com', + 'private_endpoint' => 'https://webdav.com', 'ca_cert' => 'some_cert' }) json = YAML.safe_load(template.render(props, consumes: links)) 
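Review bot: The adapted examples only cover `'provider' => 'webdav'` with a `private_endpoint` that has no trailing slash and a `ca_cert` that is always set, so the native `dav` name, the `//admin/` join and the omitted-`tls` path stay untested. I would add an example with `'provider' => 'dav'` and one without `ca_cert`, asserting that the rendered JSON has no `tls` key. The only `signing_method` exercised is `'md5'`; if storage-cli accepts a stronger digest, the fixture should show that one so that it is not copied into deployments. The same applies to the clock, ng and worker specs in this patch, and no spec for the blobstore_benchmark templates is touched here.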
@@ -290,8 +290,8 @@ def props_for_provider(provider) 'provider' => 'webdav', 'user' => 'user', 'password' => 'secret', - 'endpoint' => 'webdav.com', - 'tls' => { 'cert' => 'some_cert' } + 'endpoint' => 'https://webdav.com/admin/', + 'tls' => { 'cert' => { 'ca' => 'some_cert' } } ) end @@ -300,9 +300,10 @@ def props_for_provider(provider) 'provider' => 'webdav', 'username' => 'user', 'password' => 'secret', - 'public_endpoint' => 'webdav.com', + 'private_endpoint' => 'https://webdav.com', 'ca_cert' => 'some_cert', 'secret' => 'secret', + 'signing_method' => 'md5', 'retry_attempts' => '4' }) json = YAML.safe_load(template.render(props, consumes: links)) @@ -310,9 +311,10 @@ def props_for_provider(provider) 'provider' => 'webdav', 'user' => 'user', 'password' => 'secret', - 'endpoint' => 'webdav.com', - 'tls' => { 'cert' => 'some_cert' }, + 'endpoint' => 'https://webdav.com/admin/', + 'tls' => { 'cert' => { 'ca' => 'some_cert' } }, 'secret' => 'secret', + 'signing_method' => 'md5', 'retry_attempts' => '4' ) end diff --git a/spec/cloud_controller_ng/storage_cli_config_jsons_spec.rb b/spec/cloud_controller_ng/storage_cli_config_jsons_spec.rb index a44653048c..1519ab9610 100644 --- a/spec/cloud_controller_ng/storage_cli_config_jsons_spec.rb +++ b/spec/cloud_controller_ng/storage_cli_config_jsons_spec.rb @@ -283,7 +283,7 @@ def props_for_provider(provider) 'provider' => 'webdav', 'username' => 'user', 'password' => 'secret', - 'public_endpoint' => 'webdav.com', + 'private_endpoint' => 'https://webdav.com', 'ca_cert' => 'some_cert' }) json = YAML.safe_load(template.render(props, consumes: links)) @@ -291,8 +291,8 @@ def props_for_provider(provider) 'provider' => 'webdav', 'user' => 'user', 'password' => 'secret', - 'endpoint' => 'webdav.com', - 'tls' => { 'cert' => 'some_cert' } + 'endpoint' => 'https://webdav.com/admin/', + 'tls' => { 'cert' => { 'ca' => 'some_cert' } } ) end 
@@ -301,9 +301,10 @@ def props_for_provider(provider) 'provider' => 'webdav', 'username' => 'user', 'password' => 'secret', - 'public_endpoint' => 'webdav.com', + 'private_endpoint' => 'https://webdav.com', 'ca_cert' => 'some_cert', 'secret' => 'secret', + 'signing_method' => 'md5', 'retry_attempts' => '4' }) json = YAML.safe_load(template.render(props, consumes: links)) @@ -311,9 +312,10 @@ def props_for_provider(provider) 'provider' => 'webdav', 'user' => 'user', 'password' => 'secret', - 'endpoint' => 'webdav.com', - 'tls' => { 'cert' => 'some_cert' }, + 'endpoint' => 'https://webdav.com/admin/', + 'tls' => { 'cert' => { 'ca' => 'some_cert' } }, 'secret' => 'secret', + 'signing_method' => 'md5', 'retry_attempts' => '4' ) end diff --git a/spec/cloud_controller_worker/storage_cli_config_jsons_spec.rb b/spec/cloud_controller_worker/storage_cli_config_jsons_spec.rb index 8d08c5f950..40cd3a463d 100644 --- a/spec/cloud_controller_worker/storage_cli_config_jsons_spec.rb +++ b/spec/cloud_controller_worker/storage_cli_config_jsons_spec.rb @@ -282,7 +282,7 @@ def props_for_provider(provider) 'provider' => 'webdav', 'username' => 'user', 'password' => 'secret', - 'public_endpoint' => 'webdav.com', + 'private_endpoint' => 'https://webdav.com', 'ca_cert' => 'some_cert' }) json = YAML.safe_load(template.render(props, consumes: links)) @@ -290,8 +290,8 @@ def props_for_provider(provider) 'provider' => 'webdav', 'user' => 'user', 'password' => 'secret', - 'endpoint' => 'webdav.com', - 'tls' => { 'cert' => 'some_cert' } + 'endpoint' => 'https://webdav.com/admin/', + 'tls' => { 'cert' => { 'ca' => 'some_cert' } } ) end 
@@ -300,9 +300,10 @@ def props_for_provider(provider) 'provider' => 'webdav', 'username' => 'user', 'password' => 'secret', - 'public_endpoint' => 'webdav.com', + 'private_endpoint' => 'https://webdav.com', 'ca_cert' => 'some_cert', 'secret' => 'secret', + 'signing_method' => 'md5', 'retry_attempts' => '4' }) json = YAML.safe_load(template.render(props, consumes: links)) @@ -310,9 +311,10 @@ def props_for_provider(provider) 'provider' => 'webdav', 'user' => 'user', 'password' => 'secret', - 'endpoint' => 'webdav.com', - 'tls' => { 'cert' => 'some_cert' }, + 'endpoint' => 'https://webdav.com/admin/', + 'tls' => { 'cert' => { 'ca' => 'some_cert' } }, 'secret' => 'secret', + 'signing_method' => 'md5', 'retry_attempts' => '4' ) end From 8f6c7a389e47eff6e40ad44c8855de3b2351354c Mon Sep 17 00:00:00 2001 
From: Katharina Przybill <30441792+kathap@users.noreply.github.com> Date: Thu, 26 Mar 2026 16:51:20 +0100 Subject: [PATCH 3/8] Include directory keys in WebDAV blobstore endpoint configuration Configure storage-cli WebDAV endpoints to include resource-specific directory keys (cc-droplets, cc-packages, cc-buildpacks, cc-resources) for backward compatibility with fog/webdav client. When using basic auth, endpoints are: /admin/{directory_key} When using signed URLs, endpoints are: /{directory_key} This ensures both storage-cli and fog/webdav store blobs at identical physical paths, enabling zero-downtime rollback between the two clients. Updated all job templates and RSpec tests to expect directory keys in endpoint paths. --- .../storage_cli_config_buildpacks.json.erb | 22 ++++++++++++--- .../storage_cli_config_droplets.json.erb | 22 ++++++++++++--- .../storage_cli_config_packages.json.erb | 22 ++++++++++++--- .../storage_cli_config_resource_pool.json.erb | 22 ++++++++++++--- .../storage_cli_config_buildpacks.json.erb | 22 ++++++++++++--- .../storage_cli_config_droplets.json.erb | 22 ++++++++++++--- .../storage_cli_config_packages.json.erb | 22 ++++++++++++--- .../storage_cli_config_resource_pool.json.erb | 22 ++++++++++++--- .../storage_cli_config_buildpacks.json.erb | 22 ++++++++++++--- .../storage_cli_config_droplets.json.erb | 22 ++++++++++++--- .../storage_cli_config_packages.json.erb | 22 ++++++++++++--- .../storage_cli_config_resource_pool.json.erb | 22 ++++++++++++--- .../storage_cli_config_buildpacks.json.erb | 22 ++++++++++++--- .../storage_cli_config_droplets.json.erb | 28 +++++++++++++++---- .../storage_cli_config_packages.json.erb | 22 ++++++++++++--- .../storage_cli_config_resource_pool.json.erb | 22 ++++++++++++--- .../storage_cli_config_buildpacks.json.erb | 22 ++++++++++++--- .../storage_cli_config_droplets.json.erb | 22 ++++++++++++--- .../storage_cli_config_packages.json.erb | 22 ++++++++++++--- .../storage_cli_config_resource_pool.json.erb | 22 
++++++++++++--- .../storage_cli_config_jsons_spec.rb | 23 +++++++++++---- .../storage_cli_config_jsons_spec.rb | 23 +++++++++++---- .../storage_cli_config_jsons_spec.rb | 19 ++++++++++--- .../storage_cli_config_jsons_spec.rb | 23 +++++++++++---- 24 files changed, 431 insertions(+), 103 deletions(-) diff --git a/jobs/blobstore_benchmark/templates/storage_cli_config_buildpacks.json.erb b/jobs/blobstore_benchmark/templates/storage_cli_config_buildpacks.json.erb index 96b8ec91d3..cc4e5bfb53 100644 --- a/jobs/blobstore_benchmark/templates/storage_cli_config_buildpacks.json.erb +++ b/jobs/blobstore_benchmark/templates/storage_cli_config_buildpacks.json.erb @@ -94,11 +94,25 @@ end # Support both native storage-cli types (dav) AND legacy fog names (webdav) # Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" - options["provider"] = provider + options["provider"] = "dav" options["user"] = l.p("#{scope}.username") options["password"] = l.p("#{scope}.password") - options["endpoint"] = l.p("#{scope}.private_endpoint") + "/admin/" - add_optional(options, "secret", l.p("#{scope}.secret", nil)) + + # Resource-specific directory for compatibility with fog/webdav + resource_dir = l.p("cc.buildpacks.buildpack_directory_key", "cc-buildpacks") + + # When using signed URLs (secret present), endpoint points to resource directory + # When using basic auth only (no secret), endpoint includes /admin/ prefix + secret = l.p("#{scope}.secret", nil) + base_endpoint = l.p("#{scope}.private_endpoint") + + if secret.nil? || secret.empty? + options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" + else + options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + end + + add_optional(options, "secret", secret) add_optional(options, "signing_method", l.p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) 
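Review bot: `base_endpoint` goes into both endpoint forms without a trailing slash being stripped, so a `private_endpoint` of `https://host/` renders `https://host//admin/cc-buildpacks`, which may not resolve to the path the fog client wrote to. Normalising where the property is read avoids that: `base_endpoint = l.p("#{scope}.private_endpoint").chomp("/")` (`p(...)` in the cloud_controller_* templates). `resource_dir` is also interpolated as-is, so a directory key containing `/` or `..` changes the path the basic-auth credentials are used against; raising at render time on such a key would surface the misconfiguration during deploy rather than at first blob access. The same lines appear in the corresponding hunk of every other storage_cli_config_*.json.erb template in this patch, and the `if provider ...` block closes outside this hunk.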
@@ -110,4 +124,4 @@ if provider == "webdav" || provider == "dav" end -%> -<%= JSON.pretty_generate(options) %> \ No newline at end of file +<%= JSON.pretty_generate(options) %> diff --git a/jobs/blobstore_benchmark/templates/storage_cli_config_droplets.json.erb b/jobs/blobstore_benchmark/templates/storage_cli_config_droplets.json.erb index 7588e0ccc5..6479375c34 100644 --- a/jobs/blobstore_benchmark/templates/storage_cli_config_droplets.json.erb +++ b/jobs/blobstore_benchmark/templates/storage_cli_config_droplets.json.erb @@ -94,11 +94,25 @@ end # Support both native storage-cli types (dav) AND legacy fog names (webdav) # Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" - options["provider"] = provider + options["provider"] = "dav" options["user"] = l.p("#{scope}.username") options["password"] = l.p("#{scope}.password") - options["endpoint"] = l.p("#{scope}.private_endpoint") + "/admin/" - add_optional(options, "secret", l.p("#{scope}.secret", nil)) + + # Resource-specific directory for compatibility with fog/webdav + resource_dir = l.p("cc.droplets.droplet_directory_key", "cc-droplets") + + # When using signed URLs (secret present), endpoint points to resource directory + # When using basic auth only (no secret), endpoint includes /admin/ prefix + secret = l.p("#{scope}.secret", nil) + base_endpoint = l.p("#{scope}.private_endpoint") + + if secret.nil? || secret.empty? + options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" + else + options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + end + + add_optional(options, "secret", secret) add_optional(options, "signing_method", l.p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) @@ -110,4 +124,4 @@ if provider == "webdav" || provider == "dav" end -%> -<%= JSON.pretty_generate(options) %> \ No newline at end of file +<%= JSON.pretty_generate(options) %> 
diff --git a/jobs/blobstore_benchmark/templates/storage_cli_config_packages.json.erb b/jobs/blobstore_benchmark/templates/storage_cli_config_packages.json.erb index 7c1aaaa44b..0f0d596b36 100644 --- a/jobs/blobstore_benchmark/templates/storage_cli_config_packages.json.erb +++ b/jobs/blobstore_benchmark/templates/storage_cli_config_packages.json.erb @@ -94,11 +94,25 @@ end # Support both native storage-cli types (dav) AND legacy fog names (webdav) # Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" - options["provider"] = provider + options["provider"] = "dav" options["user"] = l.p("#{scope}.username") options["password"] = l.p("#{scope}.password") - options["endpoint"] = l.p("#{scope}.private_endpoint") + "/admin/" - add_optional(options, "secret", l.p("#{scope}.secret", nil)) + + # Resource-specific directory for compatibility with fog/webdav + resource_dir = l.p("cc.packages.app_package_directory_key", "cc-packages") + + # When using signed URLs (secret present), endpoint points to resource directory + # When using basic auth only (no secret), endpoint includes /admin/ prefix + secret = l.p("#{scope}.secret", nil) + base_endpoint = l.p("#{scope}.private_endpoint") + + if secret.nil? || secret.empty? + options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" + else + options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + end + + add_optional(options, "secret", secret) add_optional(options, "signing_method", l.p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) @@ -110,4 +124,4 @@ if provider == "webdav" || provider == "dav" end -%> -<%= JSON.pretty_generate(options) %> \ No newline at end of file +<%= JSON.pretty_generate(options) %> diff --git a/jobs/blobstore_benchmark/templates/storage_cli_config_resource_pool.json.erb b/jobs/blobstore_benchmark/templates/storage_cli_config_resource_pool.json.erb index 8714007959..e94a4a0922 100644 
--- a/jobs/blobstore_benchmark/templates/storage_cli_config_resource_pool.json.erb +++ b/jobs/blobstore_benchmark/templates/storage_cli_config_resource_pool.json.erb @@ -94,11 +94,25 @@ end # Support both native storage-cli types (dav) AND legacy fog names (webdav) # Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" - options["provider"] = provider + options["provider"] = "dav" options["user"] = l.p("#{scope}.username") options["password"] = l.p("#{scope}.password") - options["endpoint"] = l.p("#{scope}.private_endpoint") + "/admin/" - add_optional(options, "secret", l.p("#{scope}.secret", nil)) + + # Resource-specific directory for compatibility with fog/webdav + resource_dir = l.p("cc.resource_pool.resource_directory_key", "cc-resources") + + # When using signed URLs (secret present), endpoint points to resource directory + # When using basic auth only (no secret), endpoint includes /admin/ prefix + secret = l.p("#{scope}.secret", nil) + base_endpoint = l.p("#{scope}.private_endpoint") + + if secret.nil? || secret.empty? + options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" + else + options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + end + + add_optional(options, "secret", secret) add_optional(options, "signing_method", l.p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) @@ -110,4 +124,4 @@ if provider == "webdav" || provider == "dav" end -%> -<%= JSON.pretty_generate(options) %> \ No newline at end of file +<%= JSON.pretty_generate(options) %> diff --git a/jobs/cc_deployment_updater/templates/storage_cli_config_buildpacks.json.erb b/jobs/cc_deployment_updater/templates/storage_cli_config_buildpacks.json.erb index 950872dcf3..f481343d96 100644 --- a/jobs/cc_deployment_updater/templates/storage_cli_config_buildpacks.json.erb +++ b/jobs/cc_deployment_updater/templates/storage_cli_config_buildpacks.json.erb 
@@ -94,11 +94,25 @@ end # Support both native storage-cli types (dav) AND legacy fog names (webdav) # Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" - options["provider"] = provider + options["provider"] = "dav" options["user"] = l.p("#{scope}.username") options["password"] = l.p("#{scope}.password") - options["endpoint"] = l.p("#{scope}.private_endpoint") + "/admin/" - add_optional(options, "secret", l.p("#{scope}.secret", nil)) + + # Resource-specific directory for compatibility with fog/webdav + resource_dir = l.p("cc.buildpacks.buildpack_directory_key", "cc-buildpacks") + + # When using signed URLs (secret present), endpoint points to resource directory + # When using basic auth only (no secret), endpoint includes /admin/ prefix + secret = l.p("#{scope}.secret", nil) + base_endpoint = l.p("#{scope}.private_endpoint") + + if secret.nil? || secret.empty? + options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" + else + options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + end + + add_optional(options, "secret", secret) add_optional(options, "signing_method", l.p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) @@ -110,4 +124,4 @@ if provider == "webdav" || provider == "dav" end -%> -<%= JSON.pretty_generate(options) %> \ No newline at end of file +<%= JSON.pretty_generate(options) %> diff --git a/jobs/cc_deployment_updater/templates/storage_cli_config_droplets.json.erb b/jobs/cc_deployment_updater/templates/storage_cli_config_droplets.json.erb index cd665f1467..b1669d5f29 100644 --- a/jobs/cc_deployment_updater/templates/storage_cli_config_droplets.json.erb +++ b/jobs/cc_deployment_updater/templates/storage_cli_config_droplets.json.erb 
@@ -94,11 +94,25 @@ end # Support both native storage-cli types (dav) AND legacy fog names (webdav) # Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" - options["provider"] = provider + options["provider"] = "dav" options["user"] = l.p("#{scope}.username") options["password"] = l.p("#{scope}.password") - options["endpoint"] = l.p("#{scope}.private_endpoint") + "/admin/" - add_optional(options, "secret", l.p("#{scope}.secret", nil)) + + # Resource-specific directory for compatibility with fog/webdav + resource_dir = l.p("cc.droplets.droplet_directory_key", "cc-droplets") + + # When using signed URLs (secret present), endpoint points to resource directory + # When using basic auth only (no secret), endpoint includes /admin/ prefix + secret = l.p("#{scope}.secret", nil) + base_endpoint = l.p("#{scope}.private_endpoint") + + if secret.nil? || secret.empty? + options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" + else + options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + end + + add_optional(options, "secret", secret) add_optional(options, "signing_method", l.p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) @@ -110,4 +124,4 @@ if provider == "webdav" || provider == "dav" end -%> -<%= JSON.pretty_generate(options) %> \ No newline at end of file +<%= JSON.pretty_generate(options) %> diff --git a/jobs/cc_deployment_updater/templates/storage_cli_config_packages.json.erb b/jobs/cc_deployment_updater/templates/storage_cli_config_packages.json.erb index 7c1aaaa44b..0f0d596b36 100644 --- a/jobs/cc_deployment_updater/templates/storage_cli_config_packages.json.erb +++ b/jobs/cc_deployment_updater/templates/storage_cli_config_packages.json.erb 
@@ -94,11 +94,25 @@ end # Support both native storage-cli types (dav) AND legacy fog names (webdav) # Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" - options["provider"] = provider + options["provider"] = "dav" options["user"] = l.p("#{scope}.username") options["password"] = l.p("#{scope}.password") - options["endpoint"] = l.p("#{scope}.private_endpoint") + "/admin/" - add_optional(options, "secret", l.p("#{scope}.secret", nil)) + + # Resource-specific directory for compatibility with fog/webdav + resource_dir = l.p("cc.packages.app_package_directory_key", "cc-packages") + + # When using signed URLs (secret present), endpoint points to resource directory + # When using basic auth only (no secret), endpoint includes /admin/ prefix + secret = l.p("#{scope}.secret", nil) + base_endpoint = l.p("#{scope}.private_endpoint") + + if secret.nil? || secret.empty? + options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" + else + options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + end + + add_optional(options, "secret", secret) add_optional(options, "signing_method", l.p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) @@ -110,4 +124,4 @@ if provider == "webdav" || provider == "dav" end -%> -<%= JSON.pretty_generate(options) %> \ No newline at end of file +<%= JSON.pretty_generate(options) %> diff --git a/jobs/cc_deployment_updater/templates/storage_cli_config_resource_pool.json.erb b/jobs/cc_deployment_updater/templates/storage_cli_config_resource_pool.json.erb index b1d4a43626..c77101ac6d 100644 --- a/jobs/cc_deployment_updater/templates/storage_cli_config_resource_pool.json.erb +++ b/jobs/cc_deployment_updater/templates/storage_cli_config_resource_pool.json.erb 
@@ -94,11 +94,25 @@ end # Support both native storage-cli types (dav) AND legacy fog names (webdav) # Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" - options["provider"] = provider + options["provider"] = "dav" options["user"] = l.p("#{scope}.username") options["password"] = l.p("#{scope}.password") - options["endpoint"] = l.p("#{scope}.private_endpoint") + "/admin/" - add_optional(options, "secret", l.p("#{scope}.secret", nil)) + + # Resource-specific directory for compatibility with fog/webdav + resource_dir = l.p("cc.resource_pool.resource_directory_key", "cc-resources") + + # When using signed URLs (secret present), endpoint points to resource directory + # When using basic auth only (no secret), endpoint includes /admin/ prefix + secret = l.p("#{scope}.secret", nil) + base_endpoint = l.p("#{scope}.private_endpoint") + + if secret.nil? || secret.empty? + options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" + else + options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + end + + add_optional(options, "secret", secret) add_optional(options, "signing_method", l.p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) @@ -110,4 +124,4 @@ if provider == "webdav" || provider == "dav" end -%> -<%= JSON.pretty_generate(options) %> \ No newline at end of file +<%= JSON.pretty_generate(options) %> diff --git a/jobs/cloud_controller_clock/templates/storage_cli_config_buildpacks.json.erb b/jobs/cloud_controller_clock/templates/storage_cli_config_buildpacks.json.erb index 7996bf9b77..9e8b4422cc 100644 --- a/jobs/cloud_controller_clock/templates/storage_cli_config_buildpacks.json.erb +++ b/jobs/cloud_controller_clock/templates/storage_cli_config_buildpacks.json.erb 
@@ -92,11 +92,25 @@ end # Support both native storage-cli types (dav) AND legacy fog names (webdav) # Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" - options["provider"] = provider + options["provider"] = "dav" options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - options["endpoint"] = p("#{scope}.private_endpoint") + "/admin/" - add_optional(options, "secret", p("#{scope}.secret", nil)) + + # Resource-specific directory for compatibility with fog/webdav + resource_dir = p("cc.buildpacks.buildpack_directory_key", "cc-buildpacks") + + # When using signed URLs (secret present), endpoint points to resource directory + # When using basic auth only (no secret), endpoint includes /admin/ prefix + secret = p("#{scope}.secret", nil) + base_endpoint = p("#{scope}.private_endpoint") + + if secret.nil? || secret.empty? + options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" + else + options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + end + + add_optional(options, "secret", secret) add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) @@ -108,4 +122,4 @@ if provider == "webdav" || provider == "dav" end -%> -<%= JSON.pretty_generate(options) %> \ No newline at end of file +<%= JSON.pretty_generate(options) %> diff --git a/jobs/cloud_controller_clock/templates/storage_cli_config_droplets.json.erb b/jobs/cloud_controller_clock/templates/storage_cli_config_droplets.json.erb index 5b481e5386..e482cf91ef 100644 --- a/jobs/cloud_controller_clock/templates/storage_cli_config_droplets.json.erb +++ b/jobs/cloud_controller_clock/templates/storage_cli_config_droplets.json.erb 
@@ -92,11 +92,25 @@ end # Support both native storage-cli types (dav) AND legacy fog names (webdav) # Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" - options["provider"] = provider + options["provider"] = "dav" options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - options["endpoint"] = p("#{scope}.private_endpoint") + "/admin/" - add_optional(options, "secret", p("#{scope}.secret", nil)) + + # Resource-specific directory for compatibility with fog/webdav + resource_dir = p("cc.droplets.droplet_directory_key", "cc-droplets") + + # When using signed URLs (secret present), endpoint points to resource directory + # When using basic auth only (no secret), endpoint includes /admin/ prefix + secret = p("#{scope}.secret", nil) + base_endpoint = p("#{scope}.private_endpoint") + + if secret.nil? || secret.empty? + options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" + else + options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + end + + add_optional(options, "secret", secret) add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) @@ -108,4 +122,4 @@ if provider == "webdav" || provider == "dav" end -%> -<%= JSON.pretty_generate(options) %> \ No newline at end of file +<%= JSON.pretty_generate(options) %> diff --git a/jobs/cloud_controller_clock/templates/storage_cli_config_packages.json.erb b/jobs/cloud_controller_clock/templates/storage_cli_config_packages.json.erb index fa146c43b1..a810016898 100644 --- a/jobs/cloud_controller_clock/templates/storage_cli_config_packages.json.erb +++ b/jobs/cloud_controller_clock/templates/storage_cli_config_packages.json.erb 
@@ -92,11 +92,25 @@ end # Support both native storage-cli types (dav) AND legacy fog names (webdav) # Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" - options["provider"] = provider + options["provider"] = "dav" options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - options["endpoint"] = p("#{scope}.private_endpoint") + "/admin/" - add_optional(options, "secret", p("#{scope}.secret", nil)) + + # Resource-specific directory for compatibility with fog/webdav + resource_dir = p("cc.packages.app_package_directory_key", "cc-packages") + + # When using signed URLs (secret present), endpoint points to resource directory + # When using basic auth only (no secret), endpoint includes /admin/ prefix + secret = p("#{scope}.secret", nil) + base_endpoint = p("#{scope}.private_endpoint") + + if secret.nil? || secret.empty? + options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" + else + options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + end + + add_optional(options, "secret", secret) add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) @@ -108,4 +122,4 @@ if provider == "webdav" || provider == "dav" end -%> -<%= JSON.pretty_generate(options) %> \ No newline at end of file +<%= JSON.pretty_generate(options) %> diff --git a/jobs/cloud_controller_clock/templates/storage_cli_config_resource_pool.json.erb b/jobs/cloud_controller_clock/templates/storage_cli_config_resource_pool.json.erb index 26e468f4ca..3b11b00cc7 100644 --- a/jobs/cloud_controller_clock/templates/storage_cli_config_resource_pool.json.erb +++ b/jobs/cloud_controller_clock/templates/storage_cli_config_resource_pool.json.erb 
@@ -92,11 +92,25 @@ end # Support both native storage-cli types (dav) AND legacy fog names (webdav) # Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" - options["provider"] = provider + options["provider"] = "dav" options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - options["endpoint"] = p("#{scope}.private_endpoint") + "/admin/" - add_optional(options, "secret", p("#{scope}.secret", nil)) + + # Resource-specific directory for compatibility with fog/webdav + resource_dir = p("cc.resource_pool.resource_directory_key", "cc-resources") + + # When using signed URLs (secret present), endpoint points to resource directory + # When using basic auth only (no secret), endpoint includes /admin/ prefix + secret = p("#{scope}.secret", nil) + base_endpoint = p("#{scope}.private_endpoint") + + if secret.nil? || secret.empty? + options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" + else + options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + end + + add_optional(options, "secret", secret) add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) @@ -108,4 +122,4 @@ if provider == "webdav" || provider == "dav" end -%> -<%= JSON.pretty_generate(options) %> \ No newline at end of file +<%= JSON.pretty_generate(options) %> diff --git a/jobs/cloud_controller_ng/templates/storage_cli_config_buildpacks.json.erb b/jobs/cloud_controller_ng/templates/storage_cli_config_buildpacks.json.erb index 7996bf9b77..9e8b4422cc 100644 --- a/jobs/cloud_controller_ng/templates/storage_cli_config_buildpacks.json.erb +++ b/jobs/cloud_controller_ng/templates/storage_cli_config_buildpacks.json.erb 
@@ -92,11 +92,25 @@ end # Support both native storage-cli types (dav) AND legacy fog names (webdav) # Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" - options["provider"] = provider + options["provider"] = "dav" options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - options["endpoint"] = p("#{scope}.private_endpoint") + "/admin/" - add_optional(options, "secret", p("#{scope}.secret", nil)) + + # Resource-specific directory for compatibility with fog/webdav + resource_dir = p("cc.buildpacks.buildpack_directory_key", "cc-buildpacks") + + # When using signed URLs (secret present), endpoint points to resource directory + # When using basic auth only (no secret), endpoint includes /admin/ prefix + secret = p("#{scope}.secret", nil) + base_endpoint = p("#{scope}.private_endpoint") + + if secret.nil? || secret.empty? + options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" + else + options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + end + + add_optional(options, "secret", secret) add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) @@ -108,4 +122,4 @@ if provider == "webdav" || provider == "dav" end -%> -<%= JSON.pretty_generate(options) %> \ No newline at end of file +<%= JSON.pretty_generate(options) %> diff --git a/jobs/cloud_controller_ng/templates/storage_cli_config_droplets.json.erb b/jobs/cloud_controller_ng/templates/storage_cli_config_droplets.json.erb index fd6bff01c4..b1e60479e8 100644 --- a/jobs/cloud_controller_ng/templates/storage_cli_config_droplets.json.erb +++ b/jobs/cloud_controller_ng/templates/storage_cli_config_droplets.json.erb 
@@ -21,6 +21,11 @@ end scope = "cc.droplets.connection_config" provider = p("cc.droplets.blobstore_provider", nil) + +# Normalize legacy fog provider names to storage-cli names +# Legacy fog name support to be REMOVED May 2026 +provider = "dav" if provider == "webdav" + options = {} # Support both native storage-cli types (azurebs) AND legacy fog names (AzureRM) @@ -89,13 +94,26 @@ if provider == "aliyun" || provider == "alioss" options["bucket_name"] = p("#{scope}.aliyun_oss_bucket") end -# WebDAV/dav support intentionally excluded (not fully implemented) -if provider == "webdav" || provider == "dav" - options["provider"] = provider +if provider == "dav" + options["provider"] = "dav" options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - options["endpoint"] = p("#{scope}.private_endpoint") + "/admin/" - add_optional(options, "secret", p("#{scope}.secret", nil)) + + # Resource-specific directory for compatibility with fog/webdav + resource_dir = p("cc.droplets.droplet_directory_key", "cc-droplets") + + # When using signed URLs (secret present), endpoint points to resource directory + # When using basic auth only (no secret), endpoint includes /admin/ prefix + secret = p("#{scope}.secret", nil) + base_endpoint = p("#{scope}.private_endpoint") + + if secret.nil? || secret.empty? + options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" + else + options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + end + + add_optional(options, "secret", secret) add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) diff --git a/jobs/cloud_controller_ng/templates/storage_cli_config_packages.json.erb b/jobs/cloud_controller_ng/templates/storage_cli_config_packages.json.erb index fa146c43b1..a810016898 100644 --- a/jobs/cloud_controller_ng/templates/storage_cli_config_packages.json.erb 
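Review bot: Among the templates visible in this patch, this is the only one that rewrites `provider` up front (`provider = "dav" if provider == "webdav"`) and then tests `if provider == "dav"`; the others keep `if provider == "webdav" || provider == "dav"` and set `options["provider"] = "dav"` inside the block. As far as these hunks show, both forms render the same JSON, but the planned May 2026 removal of the legacy name now has two different shapes to find and delete. I would use one form in all templates, and in this file put a pointer next to the branch it governs, e.g. `# legacy name webdav is normalised to dav near the top of this template` above `if provider == "dav"`, since the second hunk drops the comment that used to sit there.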
+++ b/jobs/cloud_controller_ng/templates/storage_cli_config_packages.json.erb @@ -92,11 +92,25 @@ end # Support both native storage-cli types (dav) AND legacy fog names (webdav) # Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" - options["provider"] = provider + options["provider"] = "dav" options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - options["endpoint"] = p("#{scope}.private_endpoint") + "/admin/" - add_optional(options, "secret", p("#{scope}.secret", nil)) + + # Resource-specific directory for compatibility with fog/webdav + resource_dir = p("cc.packages.app_package_directory_key", "cc-packages") + + # When using signed URLs (secret present), endpoint points to resource directory + # When using basic auth only (no secret), endpoint includes /admin/ prefix + secret = p("#{scope}.secret", nil) + base_endpoint = p("#{scope}.private_endpoint") + + if secret.nil? || secret.empty? + options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" + else + options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + end + + add_optional(options, "secret", secret) add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) @@ -108,4 +122,4 @@ if provider == "webdav" || provider == "dav" end -%> -<%= JSON.pretty_generate(options) %> \ No newline at end of file +<%= JSON.pretty_generate(options) %> diff --git a/jobs/cloud_controller_ng/templates/storage_cli_config_resource_pool.json.erb b/jobs/cloud_controller_ng/templates/storage_cli_config_resource_pool.json.erb index 26e468f4ca..3b11b00cc7 100644 --- a/jobs/cloud_controller_ng/templates/storage_cli_config_resource_pool.json.erb +++ b/jobs/cloud_controller_ng/templates/storage_cli_config_resource_pool.json.erb 
@@ -92,11 +92,25 @@ end # Support both native storage-cli types (dav) AND legacy fog names (webdav) # Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" - options["provider"] = provider + options["provider"] = "dav" options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - options["endpoint"] = p("#{scope}.private_endpoint") + "/admin/" - add_optional(options, "secret", p("#{scope}.secret", nil)) + + # Resource-specific directory for compatibility with fog/webdav + resource_dir = p("cc.resource_pool.resource_directory_key", "cc-resources") + + # When using signed URLs (secret present), endpoint points to resource directory + # When using basic auth only (no secret), endpoint includes /admin/ prefix + secret = p("#{scope}.secret", nil) + base_endpoint = p("#{scope}.private_endpoint") + + if secret.nil? || secret.empty? + options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" + else + options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + end + + add_optional(options, "secret", secret) add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) @@ -108,4 +122,4 @@ if provider == "webdav" || provider == "dav" end -%> -<%= JSON.pretty_generate(options) %> \ No newline at end of file +<%= JSON.pretty_generate(options) %> diff --git a/jobs/cloud_controller_worker/templates/storage_cli_config_buildpacks.json.erb b/jobs/cloud_controller_worker/templates/storage_cli_config_buildpacks.json.erb index 7996bf9b77..9e8b4422cc 100644 --- a/jobs/cloud_controller_worker/templates/storage_cli_config_buildpacks.json.erb +++ b/jobs/cloud_controller_worker/templates/storage_cli_config_buildpacks.json.erb 
@@ -92,11 +92,25 @@ end # Support both native storage-cli types (dav) AND legacy fog names (webdav) # Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" - options["provider"] = provider + options["provider"] = "dav" options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - options["endpoint"] = p("#{scope}.private_endpoint") + "/admin/" - add_optional(options, "secret", p("#{scope}.secret", nil)) + + # Resource-specific directory for compatibility with fog/webdav + resource_dir = p("cc.buildpacks.buildpack_directory_key", "cc-buildpacks") + + # When using signed URLs (secret present), endpoint points to resource directory + # When using basic auth only (no secret), endpoint includes /admin/ prefix + secret = p("#{scope}.secret", nil) + base_endpoint = p("#{scope}.private_endpoint") + + if secret.nil? || secret.empty? + options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" + else + options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + end + + add_optional(options, "secret", secret) add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) @@ -108,4 +122,4 @@ if provider == "webdav" || provider == "dav" end -%> -<%= JSON.pretty_generate(options) %> \ No newline at end of file +<%= JSON.pretty_generate(options) %> diff --git a/jobs/cloud_controller_worker/templates/storage_cli_config_droplets.json.erb b/jobs/cloud_controller_worker/templates/storage_cli_config_droplets.json.erb index 5b481e5386..e482cf91ef 100644 --- a/jobs/cloud_controller_worker/templates/storage_cli_config_droplets.json.erb +++ b/jobs/cloud_controller_worker/templates/storage_cli_config_droplets.json.erb 
@@ -92,11 +92,25 @@ end # Support both native storage-cli types (dav) AND legacy fog names (webdav) # Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" - options["provider"] = provider + options["provider"] = "dav" options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - options["endpoint"] = p("#{scope}.private_endpoint") + "/admin/" - add_optional(options, "secret", p("#{scope}.secret", nil)) + + # Resource-specific directory for compatibility with fog/webdav + resource_dir = p("cc.droplets.droplet_directory_key", "cc-droplets") + + # When using signed URLs (secret present), endpoint points to resource directory + # When using basic auth only (no secret), endpoint includes /admin/ prefix + secret = p("#{scope}.secret", nil) + base_endpoint = p("#{scope}.private_endpoint") + + if secret.nil? || secret.empty? + options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" + else + options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + end + + add_optional(options, "secret", secret) add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) @@ -108,4 +122,4 @@ if provider == "webdav" || provider == "dav" end -%> -<%= JSON.pretty_generate(options) %> \ No newline at end of file +<%= JSON.pretty_generate(options) %> diff --git a/jobs/cloud_controller_worker/templates/storage_cli_config_packages.json.erb b/jobs/cloud_controller_worker/templates/storage_cli_config_packages.json.erb index edcec945c3..d688769ae1 100644 --- a/jobs/cloud_controller_worker/templates/storage_cli_config_packages.json.erb +++ b/jobs/cloud_controller_worker/templates/storage_cli_config_packages.json.erb 
@@ -92,11 +92,25 @@ end # Support both native storage-cli types (dav) AND legacy fog names (webdav) # Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" - options["provider"] = provider + options["provider"] = "dav" options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - options["endpoint"] = p("#{scope}.private_endpoint") + "/admin/" - add_optional(options, "secret", p("#{scope}.secret", nil)) + + # Resource-specific directory for compatibility with fog/webdav + resource_dir = p("cc.packages.app_package_directory_key", "cc-packages") + + # When using signed URLs (secret present), endpoint points to resource directory + # When using basic auth only (no secret), endpoint includes /admin/ prefix + secret = p("#{scope}.secret", nil) + base_endpoint = p("#{scope}.private_endpoint") + + if secret.nil? || secret.empty? + options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" + else + options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + end + + add_optional(options, "secret", secret) add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) @@ -108,4 +122,4 @@ if provider == "webdav" || provider == "dav" end -%> -<%= JSON.pretty_generate(options) %> \ No newline at end of file +<%= JSON.pretty_generate(options) %> diff --git a/jobs/cloud_controller_worker/templates/storage_cli_config_resource_pool.json.erb b/jobs/cloud_controller_worker/templates/storage_cli_config_resource_pool.json.erb index 0770196b51..3dc3809e89 100644 --- a/jobs/cloud_controller_worker/templates/storage_cli_config_resource_pool.json.erb +++ b/jobs/cloud_controller_worker/templates/storage_cli_config_resource_pool.json.erb 
@@ -92,11 +92,25 @@ end # Support both native storage-cli types (dav) AND legacy fog names (webdav) # Legacy fog name support to be REMOVED May 2026 if provider == "webdav" || provider == "dav" - options["provider"] = provider + options["provider"] = "dav" options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - options["endpoint"] = p("#{scope}.private_endpoint") + "/admin/" - add_optional(options, "secret", p("#{scope}.secret", nil)) + + # Resource-specific directory for compatibility with fog/webdav + resource_dir = p("cc.resource_pool.resource_directory_key", "cc-resources") + + # When using signed URLs (secret present), endpoint points to resource directory + # When using basic auth only (no secret), endpoint includes /admin/ prefix + secret = p("#{scope}.secret", nil) + base_endpoint = p("#{scope}.private_endpoint") + + if secret.nil? || secret.empty? + options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" + else + options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + end + + add_optional(options, "secret", secret) add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) @@ -108,4 +122,4 @@ if provider == "webdav" || provider == "dav" end -%> -<%= JSON.pretty_generate(options) %> \ No newline at end of file +<%= JSON.pretty_generate(options) %> diff --git a/spec/cc_deployment_updater/storage_cli_config_jsons_spec.rb b/spec/cc_deployment_updater/storage_cli_config_jsons_spec.rb index 94268e4d0c..61fab22105 100644 --- a/spec/cc_deployment_updater/storage_cli_config_jsons_spec.rb +++ b/spec/cc_deployment_updater/storage_cli_config_jsons_spec.rb 
@@ -320,13 +320,24 @@ def props_for_provider(provider) let(:links) { [cc_link] } let(:props) { {} } + # Helper to determine expected directory key based on template path + def expected_directory_key(template_path) + case template_path + when /droplets/ then 'cc-droplets' + when /packages/ then 'cc-packages' + when /buildpacks/ then 'cc-buildpacks' + when /resource_pool/ then 'cc-resources' + end + end + TEMPLATES.each_value do |(template_path, keypath)| describe template_path do let(:template) { job.template(template_path) } + let(:directory_key) { expected_directory_key(template_path) } it 'maps required properties into the rendered config' do set(link_props, keypath, { - 'provider' => 'webdav', + 'provider' => 'dav', 'username' => 'user', 'password' => 'secret', 'private_endpoint' => 'https://webdav.com', @@ -334,17 +345,17 @@ def props_for_provider(provider) }) json = YAML.safe_load(template.render(props, consumes: links)) expect(json).to include( - 'provider' => 'webdav', + 'provider' => 'dav', 'user' => 'user', 'password' => 'secret', - 'endpoint' => 'https://webdav.com/admin/', + 'endpoint' => "https://webdav.com/admin/#{directory_key}", 'tls' => { 'cert' => { 'ca' => 'some_cert' } } ) end it 'includes optional properties when provided' do set(link_props, keypath, { - 'provider' => 'webdav', + 'provider' => 'dav', 'username' => 'user', 'password' => 'secret', 'private_endpoint' => 'https://webdav.com', @@ -355,10 +366,10 @@ def props_for_provider(provider) }) json = YAML.safe_load(template.render(props, consumes: links)) expect(json).to include( - 'provider' => 'webdav', + 'provider' => 'dav', 'user' => 'user', 'password' => 'secret', - 'endpoint' => 'https://webdav.com/admin/', + 'endpoint' => "https://webdav.com/#{directory_key}", 'tls' => { 'cert' => { 'ca' => 'some_cert' } }, 'secret' => 'secret', 'signing_method' => 'md5', 
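Review bot: `expected_directory_key` has no `else` branch, so a template path matching none of the four patterns returns nil and the expected endpoint degrades to `https://webdav.com/admin/`. The resulting failure then points at the template rather than at the missing mapping. Adding `else raise ArgumentError, "no directory key for #{template_path}"` makes a new or renamed template fail at the helper. The helper is also copied verbatim into the cloud_controller_clock, cloud_controller_ng and cloud_controller_worker specs later in this patch, where a shared spec helper would keep the copies from drifting. The enclosing describe block starts before this hunk.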
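Review bot: The legacy `webdav` name is no longer exercised for this job, because both examples now feed `'provider' => 'dav'` (the first in the previous hunk, the second here), even though the templates still accept `webdav` and rewrite it to `dav`. The cloud_controller_clock and cloud_controller_worker specs get the same input change further down. The cloud_controller_ng spec hunks change only the expectations, so that spec presumably still feeds the legacy name. One extra example that sets `'provider' => 'webdav'` and expects `'provider' => 'dav'` would keep the alias covered until it is removed.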
diff --git a/spec/cloud_controller_clock/storage_cli_config_jsons_spec.rb b/spec/cloud_controller_clock/storage_cli_config_jsons_spec.rb index ca7d5006ff..7c904a6d8e 100644 --- a/spec/cloud_controller_clock/storage_cli_config_jsons_spec.rb +++ b/spec/cloud_controller_clock/storage_cli_config_jsons_spec.rb @@ -273,13 +273,24 @@ def props_for_provider(provider) describe 'when provider is webdav' do let(:props) { props_for_provider('webdav') } + # Helper to determine expected directory key based on template path + def expected_directory_key(template_path) + case template_path + when /droplets/ then 'cc-droplets' + when /packages/ then 'cc-packages' + when /buildpacks/ then 'cc-buildpacks' + when /resource_pool/ then 'cc-resources' + end + end + TEMPLATES.each_value do |(template_path, keypath)| describe template_path do let(:template) { job.template(template_path) } + let(:directory_key) { expected_directory_key(template_path) } it 'maps required properties into the rendered config' do set(props, keypath, { - 'provider' => 'webdav', + 'provider' => 'dav', 'username' => 'user', 'password' => 'secret', 'private_endpoint' => 'https://webdav.com', @@ -287,17 +298,17 @@ def props_for_provider(provider) }) json = YAML.safe_load(template.render(props, consumes: links)) expect(json).to include( - 'provider' => 'webdav', + 'provider' => 'dav', 'user' => 'user', 'password' => 'secret', - 'endpoint' => 'https://webdav.com/admin/', + 'endpoint' => "https://webdav.com/admin/#{directory_key}", 'tls' => { 'cert' => { 'ca' => 'some_cert' } } ) end it 'includes optional properties when provided' do set(props, keypath, { - 'provider' => 'webdav', + 'provider' => 'dav', 'username' => 'user', 'password' => 'secret', 'private_endpoint' => 'https://webdav.com', 
@@ -308,10 +319,10 @@ def props_for_provider(provider) }) json = YAML.safe_load(template.render(props, consumes: links)) expect(json).to include( - 'provider' => 'webdav', + 'provider' => 'dav', 'user' => 'user', 'password' => 'secret', - 'endpoint' => 'https://webdav.com/admin/', + 'endpoint' => "https://webdav.com/#{directory_key}", 'tls' => { 'cert' => { 'ca' => 'some_cert' } }, 'secret' => 'secret', 'signing_method' => 'md5', diff --git a/spec/cloud_controller_ng/storage_cli_config_jsons_spec.rb b/spec/cloud_controller_ng/storage_cli_config_jsons_spec.rb index 1519ab9610..b0f95fbf5b 100644 --- a/spec/cloud_controller_ng/storage_cli_config_jsons_spec.rb +++ b/spec/cloud_controller_ng/storage_cli_config_jsons_spec.rb @@ -274,9 +274,20 @@ def props_for_provider(provider) describe 'when provider is webdav' do let(:props) { props_for_provider('webdav') } + # Helper to determine expected directory key based on template path + def expected_directory_key(template_path) + case template_path + when /droplets/ then 'cc-droplets' + when /packages/ then 'cc-packages' + when /buildpacks/ then 'cc-buildpacks' + when /resource_pool/ then 'cc-resources' + end + end + TEMPLATES.each_value do |(template_path, keypath)| describe template_path do let(:template) { job.template(template_path) } + let(:directory_key) { expected_directory_key(template_path) } it 'maps required properties into the rendered config' do set(props, keypath, { @@ -288,10 +299,10 @@ def props_for_provider(provider) }) json = YAML.safe_load(template.render(props, consumes: links)) expect(json).to include( - 'provider' => 'webdav', + 'provider' => 'dav', 'user' => 'user', 'password' => 'secret', - 'endpoint' => 'https://webdav.com/admin/', + 'endpoint' => "https://webdav.com/admin/#{directory_key}", 'tls' => { 'cert' => { 'ca' => 'some_cert' } } ) end 
@@ -309,10 +320,10 @@ def props_for_provider(provider) }) json = YAML.safe_load(template.render(props, consumes: links)) expect(json).to include( - 'provider' => 'webdav', + 'provider' => 'dav', 'user' => 'user', 'password' => 'secret', - 'endpoint' => 'https://webdav.com/admin/', + 'endpoint' => "https://webdav.com/#{directory_key}", 'tls' => { 'cert' => { 'ca' => 'some_cert' } }, 'secret' => 'secret', 'signing_method' => 'md5', diff --git a/spec/cloud_controller_worker/storage_cli_config_jsons_spec.rb b/spec/cloud_controller_worker/storage_cli_config_jsons_spec.rb index 40cd3a463d..97c20c6152 100644 --- a/spec/cloud_controller_worker/storage_cli_config_jsons_spec.rb +++ b/spec/cloud_controller_worker/storage_cli_config_jsons_spec.rb @@ -273,13 +273,24 @@ def props_for_provider(provider) describe 'when provider is webdav' do let(:props) { props_for_provider('webdav') } + # Helper to determine expected directory key based on template path + def expected_directory_key(template_path) + case template_path + when /droplets/ then 'cc-droplets' + when /packages/ then 'cc-packages' + when /buildpacks/ then 'cc-buildpacks' + when /resource_pool/ then 'cc-resources' + end + end + TEMPLATES.each_value do |(template_path, keypath)| describe template_path do let(:template) { job.template(template_path) } + let(:directory_key) { expected_directory_key(template_path) } it 'maps required properties into the rendered config' do set(props, keypath, { - 'provider' => 'webdav', + 'provider' => 'dav', 'username' => 'user', 'password' => 'secret', 'private_endpoint' => 'https://webdav.com', 
@@ -287,17 +298,17 @@ def props_for_provider(provider) }) json = YAML.safe_load(template.render(props, consumes: links)) expect(json).to include( - 'provider' => 'webdav', + 'provider' => 'dav', 'user' => 'user', 'password' => 'secret', - 'endpoint' => 'https://webdav.com/admin/', + 'endpoint' => "https://webdav.com/admin/#{directory_key}", 'tls' => { 'cert' => { 'ca' => 'some_cert' } } ) end it 'includes optional properties when provided' do set(props, keypath, { - 'provider' => 'webdav', + 'provider' => 'dav', 'username' => 'user', 'password' => 'secret', 'private_endpoint' => 'https://webdav.com', @@ -308,10 +319,10 @@ def props_for_provider(provider) }) json = YAML.safe_load(template.render(props, consumes: links)) expect(json).to include( - 'provider' => 'webdav', + 'provider' => 'dav', 'user' => 'user', 'password' => 'secret', - 'endpoint' => 'https://webdav.com/admin/', + 'endpoint' => "https://webdav.com/#{directory_key}", 'tls' => { 'cert' => { 'ca' => 'some_cert' } }, 'secret' => 'secret', 'signing_method' => 'md5', From 80450c8d585a185bace29fffc2be9bb7b72dadcb Mon Sep 17 00:00:00 2001 
From: Katharina Przybill <30441792+kathap@users.noreply.github.com> Date: Mon, 11 May 2026 13:25:33 +0200 Subject: [PATCH 4/8] Configure WebDAV templates for storage-cli lazy signing Refactors WebDAV configuration in storage-cli templates to support dual-endpoint lazy signing: - Always use /admin/{resource_dir} for endpoint (internal) - Add public_endpoint configuration (external users) - Replace signing_method with signed_url_format - Simplify endpoint logic (remove secret-based conditional) - Fix TLS ca_cert nil check Required for storage-cli sign-internal and sign-public commands to generate URLs with correct endpoints for Diego (internal) vs external users (public). --- .../storage_cli_config_buildpacks.json.erb | 19 +++++++-------- .../storage_cli_config_droplets.json.erb | 19 +++++++-------- .../storage_cli_config_packages.json.erb | 19 +++++++-------- .../storage_cli_config_resource_pool.json.erb | 19 +++++++-------- .../storage_cli_config_buildpacks.json.erb | 19 +++++++-------- .../storage_cli_config_droplets.json.erb | 19 +++++++-------- .../storage_cli_config_packages.json.erb | 19 +++++++-------- .../storage_cli_config_resource_pool.json.erb | 19 +++++++-------- .../storage_cli_config_buildpacks.json.erb | 19 +++++++-------- .../storage_cli_config_droplets.json.erb | 19 +++++++-------- .../storage_cli_config_packages.json.erb | 19 +++++++-------- .../storage_cli_config_resource_pool.json.erb | 19 +++++++-------- .../storage_cli_config_buildpacks.json.erb | 19 +++++++-------- .../storage_cli_config_droplets.json.erb | 23 +++++++++---------- .../storage_cli_config_packages.json.erb | 19 +++++++-------- .../storage_cli_config_resource_pool.json.erb | 19 +++++++-------- .../storage_cli_config_buildpacks.json.erb | 18 ++++++--------- .../storage_cli_config_droplets.json.erb | 18 ++++++--------- .../storage_cli_config_packages.json.erb | 18 ++++++--------- .../storage_cli_config_resource_pool.json.erb | 18 ++++++--------- 20 files changed, 159 insertions(+), 
221 deletions(-) diff --git a/jobs/blobstore_benchmark/templates/storage_cli_config_buildpacks.json.erb b/jobs/blobstore_benchmark/templates/storage_cli_config_buildpacks.json.erb index cc4e5bfb53..2e11d70240 100644 --- a/jobs/blobstore_benchmark/templates/storage_cli_config_buildpacks.json.erb +++ b/jobs/blobstore_benchmark/templates/storage_cli_config_buildpacks.json.erb @@ -101,24 +101,21 @@ if provider == "webdav" || provider == "dav" # Resource-specific directory for compatibility with fog/webdav resource_dir = l.p("cc.buildpacks.buildpack_directory_key", "cc-buildpacks") - # When using signed URLs (secret present), endpoint points to resource directory - # When using basic auth only (no secret), endpoint includes /admin/ prefix - secret = l.p("#{scope}.secret", nil) - base_endpoint = l.p("#{scope}.private_endpoint") + private_base = l.p("#{scope}.private_endpoint") + options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - if secret.nil? || secret.empty? - options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" - else - options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + public_base = l.p("#{scope}.public_endpoint", nil) + if public_base && !public_base.empty? + options["public_endpoint"] = public_base end - add_optional(options, "secret", secret) - add_optional(options, "signing_method", l.p("#{scope}.signing_method", nil)) + add_optional(options, "secret", l.p("#{scope}.secret", nil)) + add_optional(options, "signed_url_format", l.p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=l.p("#{scope}.ca_cert",nil) - unless ca_cert.empty? + unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/blobstore_benchmark/templates/storage_cli_config_droplets.json.erb b/jobs/blobstore_benchmark/templates/storage_cli_config_droplets.json.erb index 6479375c34..f623cdd959 100644 
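Review bot: `public_endpoint` is copied into the config verbatim with no check that it is an `https://` URL. Per the commit message it is the base storage-cli uses for URLs given to external users, and a signed URL is effectively a bearer credential for the blob. A render-time guard inside the new `if`, such as `raise "#{scope}.public_endpoint must use https" unless public_base.start_with?("https://")`, would catch a misconfiguration at deploy time; whether plain HTTP must stay supported is not visible from this patch. The hand-written nil/empty test may also duplicate `add_optional`, so `add_optional(options, "public_endpoint", public_base)` could be enough if that helper skips empty strings. The same block is repeated in every template hunk of this patch.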
--- a/jobs/blobstore_benchmark/templates/storage_cli_config_droplets.json.erb +++ b/jobs/blobstore_benchmark/templates/storage_cli_config_droplets.json.erb @@ -101,24 +101,21 @@ if provider == "webdav" || provider == "dav" # Resource-specific directory for compatibility with fog/webdav resource_dir = l.p("cc.droplets.droplet_directory_key", "cc-droplets") - # When using signed URLs (secret present), endpoint points to resource directory - # When using basic auth only (no secret), endpoint includes /admin/ prefix - secret = l.p("#{scope}.secret", nil) - base_endpoint = l.p("#{scope}.private_endpoint") + private_base = l.p("#{scope}.private_endpoint") + options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - if secret.nil? || secret.empty? - options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" - else - options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + public_base = l.p("#{scope}.public_endpoint", nil) + if public_base && !public_base.empty? + options["public_endpoint"] = public_base end - add_optional(options, "secret", secret) - add_optional(options, "signing_method", l.p("#{scope}.signing_method", nil)) + add_optional(options, "secret", l.p("#{scope}.secret", nil)) + add_optional(options, "signed_url_format", l.p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=l.p("#{scope}.ca_cert",nil) - unless ca_cert.empty? + unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/blobstore_benchmark/templates/storage_cli_config_packages.json.erb b/jobs/blobstore_benchmark/templates/storage_cli_config_packages.json.erb index 0f0d596b36..3774a62102 100644 --- a/jobs/blobstore_benchmark/templates/storage_cli_config_packages.json.erb +++ b/jobs/blobstore_benchmark/templates/storage_cli_config_packages.json.erb 
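Review bot: A manifest that still sets `signing_method` is now silently ignored, because the key is dropped from the rendered config with no check and storage-cli presumably falls back to its default signed-URL format. Failing the render when the legacy key is present, `raise "#{scope}.signing_method was replaced by signed_url_format" unless l.p("#{scope}.signing_method", nil).nil?`, or mapping it explicitly, would make the migration visible to operators. The diffstat for this patch lists only `.json.erb` templates, so it is not clear here whether the job specs were updated to match. This applies to every template touched by the patch, including the `p(...)` variants in the cloud_controller_clock templates.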
@@ -101,24 +101,21 @@ if provider == "webdav" || provider == "dav" # Resource-specific directory for compatibility with fog/webdav resource_dir = l.p("cc.packages.app_package_directory_key", "cc-packages") - # When using signed URLs (secret present), endpoint points to resource directory - # When using basic auth only (no secret), endpoint includes /admin/ prefix - secret = l.p("#{scope}.secret", nil) - base_endpoint = l.p("#{scope}.private_endpoint") + private_base = l.p("#{scope}.private_endpoint") + options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - if secret.nil? || secret.empty? - options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" - else - options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + public_base = l.p("#{scope}.public_endpoint", nil) + if public_base && !public_base.empty? + options["public_endpoint"] = public_base end - add_optional(options, "secret", secret) - add_optional(options, "signing_method", l.p("#{scope}.signing_method", nil)) + add_optional(options, "secret", l.p("#{scope}.secret", nil)) + add_optional(options, "signed_url_format", l.p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=l.p("#{scope}.ca_cert",nil) - unless ca_cert.empty? + unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/blobstore_benchmark/templates/storage_cli_config_resource_pool.json.erb b/jobs/blobstore_benchmark/templates/storage_cli_config_resource_pool.json.erb index e94a4a0922..aab693ec41 100644 --- a/jobs/blobstore_benchmark/templates/storage_cli_config_resource_pool.json.erb +++ b/jobs/blobstore_benchmark/templates/storage_cli_config_resource_pool.json.erb 
@@ -101,24 +101,21 @@ if provider == "webdav" || provider == "dav" # Resource-specific directory for compatibility with fog/webdav resource_dir = l.p("cc.resource_pool.resource_directory_key", "cc-resources") - # When using signed URLs (secret present), endpoint points to resource directory - # When using basic auth only (no secret), endpoint includes /admin/ prefix - secret = l.p("#{scope}.secret", nil) - base_endpoint = l.p("#{scope}.private_endpoint") + private_base = l.p("#{scope}.private_endpoint") + options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - if secret.nil? || secret.empty? - options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" - else - options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + public_base = l.p("#{scope}.public_endpoint", nil) + if public_base && !public_base.empty? + options["public_endpoint"] = public_base end - add_optional(options, "secret", secret) - add_optional(options, "signing_method", l.p("#{scope}.signing_method", nil)) + add_optional(options, "secret", l.p("#{scope}.secret", nil)) + add_optional(options, "signed_url_format", l.p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=l.p("#{scope}.ca_cert",nil) - unless ca_cert.empty? + unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cc_deployment_updater/templates/storage_cli_config_buildpacks.json.erb b/jobs/cc_deployment_updater/templates/storage_cli_config_buildpacks.json.erb index f481343d96..c17a3b9e0d 100644 --- a/jobs/cc_deployment_updater/templates/storage_cli_config_buildpacks.json.erb +++ b/jobs/cc_deployment_updater/templates/storage_cli_config_buildpacks.json.erb 
@@ -101,24 +101,21 @@ if provider == "webdav" || provider == "dav" # Resource-specific directory for compatibility with fog/webdav resource_dir = l.p("cc.buildpacks.buildpack_directory_key", "cc-buildpacks") - # When using signed URLs (secret present), endpoint points to resource directory - # When using basic auth only (no secret), endpoint includes /admin/ prefix - secret = l.p("#{scope}.secret", nil) - base_endpoint = l.p("#{scope}.private_endpoint") + private_base = l.p("#{scope}.private_endpoint") + options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - if secret.nil? || secret.empty? - options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" - else - options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + public_base = l.p("#{scope}.public_endpoint", nil) + if public_base && !public_base.empty? + options["public_endpoint"] = public_base end - add_optional(options, "secret", secret) - add_optional(options, "signing_method", l.p("#{scope}.signing_method", nil)) + add_optional(options, "secret", l.p("#{scope}.secret", nil)) + add_optional(options, "signed_url_format", l.p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=l.p("#{scope}.ca_cert",nil) - unless ca_cert.empty? + unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cc_deployment_updater/templates/storage_cli_config_droplets.json.erb b/jobs/cc_deployment_updater/templates/storage_cli_config_droplets.json.erb index b1669d5f29..7abc12e412 100644 --- a/jobs/cc_deployment_updater/templates/storage_cli_config_droplets.json.erb +++ b/jobs/cc_deployment_updater/templates/storage_cli_config_droplets.json.erb 
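Review bot: The cc_deployment_updater spec expectation added in patch 1/8 for the secret-present case, `"https://webdav.com/#{directory_key}"`, no longer matches now that `options["endpoint"]` is always `…/admin/#{resource_dir}`. That fixture also still passes `'signing_method' => 'md5'`, and this patch's diffstat lists only `.json.erb` templates. Patches 2/8 and 3/8 are not visible here, so the specs may be updated elsewhere in the series. If not, the 'includes optional properties when provided' examples should expect `"https://webdav.com/admin/#{directory_key}"` and cover `public_endpoint` and `signed_url_format` in the same change. The same holds for the cloud_controller_clock, cloud_controller_ng and cloud_controller_worker specs.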
@@ -101,24 +101,21 @@ if provider == "webdav" || provider == "dav" # Resource-specific directory for compatibility with fog/webdav resource_dir = l.p("cc.droplets.droplet_directory_key", "cc-droplets") - # When using signed URLs (secret present), endpoint points to resource directory - # When using basic auth only (no secret), endpoint includes /admin/ prefix - secret = l.p("#{scope}.secret", nil) - base_endpoint = l.p("#{scope}.private_endpoint") + private_base = l.p("#{scope}.private_endpoint") + options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - if secret.nil? || secret.empty? - options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" - else - options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + public_base = l.p("#{scope}.public_endpoint", nil) + if public_base && !public_base.empty? + options["public_endpoint"] = public_base end - add_optional(options, "secret", secret) - add_optional(options, "signing_method", l.p("#{scope}.signing_method", nil)) + add_optional(options, "secret", l.p("#{scope}.secret", nil)) + add_optional(options, "signed_url_format", l.p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=l.p("#{scope}.ca_cert",nil) - unless ca_cert.empty? + unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cc_deployment_updater/templates/storage_cli_config_packages.json.erb b/jobs/cc_deployment_updater/templates/storage_cli_config_packages.json.erb index 0f0d596b36..3774a62102 100644 --- a/jobs/cc_deployment_updater/templates/storage_cli_config_packages.json.erb +++ b/jobs/cc_deployment_updater/templates/storage_cli_config_packages.json.erb 
@@ -101,24 +101,21 @@ if provider == "webdav" || provider == "dav" # Resource-specific directory for compatibility with fog/webdav resource_dir = l.p("cc.packages.app_package_directory_key", "cc-packages") - # When using signed URLs (secret present), endpoint points to resource directory - # When using basic auth only (no secret), endpoint includes /admin/ prefix - secret = l.p("#{scope}.secret", nil) - base_endpoint = l.p("#{scope}.private_endpoint") + private_base = l.p("#{scope}.private_endpoint") + options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - if secret.nil? || secret.empty? - options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" - else - options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + public_base = l.p("#{scope}.public_endpoint", nil) + if public_base && !public_base.empty? + options["public_endpoint"] = public_base end - add_optional(options, "secret", secret) - add_optional(options, "signing_method", l.p("#{scope}.signing_method", nil)) + add_optional(options, "secret", l.p("#{scope}.secret", nil)) + add_optional(options, "signed_url_format", l.p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=l.p("#{scope}.ca_cert",nil) - unless ca_cert.empty? + unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cc_deployment_updater/templates/storage_cli_config_resource_pool.json.erb b/jobs/cc_deployment_updater/templates/storage_cli_config_resource_pool.json.erb index c77101ac6d..57a504bf97 100644 --- a/jobs/cc_deployment_updater/templates/storage_cli_config_resource_pool.json.erb +++ b/jobs/cc_deployment_updater/templates/storage_cli_config_resource_pool.json.erb 
@@ -101,24 +101,21 @@ if provider == "webdav" || provider == "dav" # Resource-specific directory for compatibility with fog/webdav resource_dir = l.p("cc.resource_pool.resource_directory_key", "cc-resources") - # When using signed URLs (secret present), endpoint points to resource directory - # When using basic auth only (no secret), endpoint includes /admin/ prefix - secret = l.p("#{scope}.secret", nil) - base_endpoint = l.p("#{scope}.private_endpoint") + private_base = l.p("#{scope}.private_endpoint") + options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - if secret.nil? || secret.empty? - options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" - else - options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + public_base = l.p("#{scope}.public_endpoint", nil) + if public_base && !public_base.empty? + options["public_endpoint"] = public_base end - add_optional(options, "secret", secret) - add_optional(options, "signing_method", l.p("#{scope}.signing_method", nil)) + add_optional(options, "secret", l.p("#{scope}.secret", nil)) + add_optional(options, "signed_url_format", l.p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=l.p("#{scope}.ca_cert",nil) - unless ca_cert.empty? + unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cloud_controller_clock/templates/storage_cli_config_buildpacks.json.erb b/jobs/cloud_controller_clock/templates/storage_cli_config_buildpacks.json.erb index 9e8b4422cc..37c9f76e00 100644 --- a/jobs/cloud_controller_clock/templates/storage_cli_config_buildpacks.json.erb +++ b/jobs/cloud_controller_clock/templates/storage_cli_config_buildpacks.json.erb 
@@ -99,24 +99,21 @@ if provider == "webdav" || provider == "dav" # Resource-specific directory for compatibility with fog/webdav resource_dir = p("cc.buildpacks.buildpack_directory_key", "cc-buildpacks") - # When using signed URLs (secret present), endpoint points to resource directory - # When using basic auth only (no secret), endpoint includes /admin/ prefix - secret = p("#{scope}.secret", nil) - base_endpoint = p("#{scope}.private_endpoint") + private_base = p("#{scope}.private_endpoint") + options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - if secret.nil? || secret.empty? - options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" - else - options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + public_base = p("#{scope}.public_endpoint", nil) + if public_base && !public_base.empty? + options["public_endpoint"] = public_base end - add_optional(options, "secret", secret) - add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) + add_optional(options, "secret", p("#{scope}.secret", nil)) + add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) - unless ca_cert.empty? + unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cloud_controller_clock/templates/storage_cli_config_droplets.json.erb b/jobs/cloud_controller_clock/templates/storage_cli_config_droplets.json.erb index e482cf91ef..cd5e02f8b7 100644 --- a/jobs/cloud_controller_clock/templates/storage_cli_config_droplets.json.erb +++ b/jobs/cloud_controller_clock/templates/storage_cli_config_droplets.json.erb 
@@ -99,24 +99,21 @@ if provider == "webdav" || provider == "dav" # Resource-specific directory for compatibility with fog/webdav resource_dir = p("cc.droplets.droplet_directory_key", "cc-droplets") - # When using signed URLs (secret present), endpoint points to resource directory - # When using basic auth only (no secret), endpoint includes /admin/ prefix - secret = p("#{scope}.secret", nil) - base_endpoint = p("#{scope}.private_endpoint") + private_base = p("#{scope}.private_endpoint") + options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - if secret.nil? || secret.empty? - options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" - else - options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + public_base = p("#{scope}.public_endpoint", nil) + if public_base && !public_base.empty? + options["public_endpoint"] = public_base end - add_optional(options, "secret", secret) - add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) + add_optional(options, "secret", p("#{scope}.secret", nil)) + add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) - unless ca_cert.empty? + unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cloud_controller_clock/templates/storage_cli_config_packages.json.erb b/jobs/cloud_controller_clock/templates/storage_cli_config_packages.json.erb index a810016898..c338ceb1b3 100644 --- a/jobs/cloud_controller_clock/templates/storage_cli_config_packages.json.erb +++ b/jobs/cloud_controller_clock/templates/storage_cli_config_packages.json.erb 
@@ -99,24 +99,21 @@ if provider == "webdav" || provider == "dav" # Resource-specific directory for compatibility with fog/webdav resource_dir = p("cc.packages.app_package_directory_key", "cc-packages") - # When using signed URLs (secret present), endpoint points to resource directory - # When using basic auth only (no secret), endpoint includes /admin/ prefix - secret = p("#{scope}.secret", nil) - base_endpoint = p("#{scope}.private_endpoint") + private_base = p("#{scope}.private_endpoint") + options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - if secret.nil? || secret.empty? - options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" - else - options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + public_base = p("#{scope}.public_endpoint", nil) + if public_base && !public_base.empty? + options["public_endpoint"] = public_base end - add_optional(options, "secret", secret) - add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) + add_optional(options, "secret", p("#{scope}.secret", nil)) + add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) - unless ca_cert.empty? + unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cloud_controller_clock/templates/storage_cli_config_resource_pool.json.erb b/jobs/cloud_controller_clock/templates/storage_cli_config_resource_pool.json.erb index 3b11b00cc7..79a53880fe 100644 --- a/jobs/cloud_controller_clock/templates/storage_cli_config_resource_pool.json.erb +++ b/jobs/cloud_controller_clock/templates/storage_cli_config_resource_pool.json.erb 
@@ -99,24 +99,21 @@ if provider == "webdav" || provider == "dav" # Resource-specific directory for compatibility with fog/webdav resource_dir = p("cc.resource_pool.resource_directory_key", "cc-resources") - # When using signed URLs (secret present), endpoint points to resource directory - # When using basic auth only (no secret), endpoint includes /admin/ prefix - secret = p("#{scope}.secret", nil) - base_endpoint = p("#{scope}.private_endpoint") + private_base = p("#{scope}.private_endpoint") + options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - if secret.nil? || secret.empty? - options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" - else - options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + public_base = p("#{scope}.public_endpoint", nil) + if public_base && !public_base.empty? + options["public_endpoint"] = public_base end - add_optional(options, "secret", secret) - add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) + add_optional(options, "secret", p("#{scope}.secret", nil)) + add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) - unless ca_cert.empty? + unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cloud_controller_ng/templates/storage_cli_config_buildpacks.json.erb b/jobs/cloud_controller_ng/templates/storage_cli_config_buildpacks.json.erb index 9e8b4422cc..37c9f76e00 100644 --- a/jobs/cloud_controller_ng/templates/storage_cli_config_buildpacks.json.erb +++ b/jobs/cloud_controller_ng/templates/storage_cli_config_buildpacks.json.erb 
@@ -99,24 +99,21 @@ if provider == "webdav" || provider == "dav" # Resource-specific directory for compatibility with fog/webdav resource_dir = p("cc.buildpacks.buildpack_directory_key", "cc-buildpacks") - # When using signed URLs (secret present), endpoint points to resource directory - # When using basic auth only (no secret), endpoint includes /admin/ prefix - secret = p("#{scope}.secret", nil) - base_endpoint = p("#{scope}.private_endpoint") + private_base = p("#{scope}.private_endpoint") + options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - if secret.nil? || secret.empty? - options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" - else - options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + public_base = p("#{scope}.public_endpoint", nil) + if public_base && !public_base.empty? + options["public_endpoint"] = public_base end - add_optional(options, "secret", secret) - add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) + add_optional(options, "secret", p("#{scope}.secret", nil)) + add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) - unless ca_cert.empty? + unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cloud_controller_ng/templates/storage_cli_config_droplets.json.erb b/jobs/cloud_controller_ng/templates/storage_cli_config_droplets.json.erb index b1e60479e8..c1188e3e31 100644 --- a/jobs/cloud_controller_ng/templates/storage_cli_config_droplets.json.erb +++ b/jobs/cloud_controller_ng/templates/storage_cli_config_droplets.json.erb 
@@ -102,24 +102,23 @@ if provider == "dav" # Resource-specific directory for compatibility with fog/webdav resource_dir = p("cc.droplets.droplet_directory_key", "cc-droplets") - # When using signed URLs (secret present), endpoint points to resource directory - # When using basic auth only (no secret), endpoint includes /admin/ prefix - secret = p("#{scope}.secret", nil) - base_endpoint = p("#{scope}.private_endpoint") - - if secret.nil? || secret.empty? - options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" - else - options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + # Private endpoint includes /admin/ for Basic Auth operations (PUT, GET, DELETE, COPY, etc) + private_base = p("#{scope}.private_endpoint") + options["endpoint"] = "#{private_base}/admin/#{resource_dir}" + + # Public endpoint (optional) for user-facing signed URLs (API downloads via gorouter) + public_base = p("#{scope}.public_endpoint", nil) + if public_base && !public_base.empty? + options["public_endpoint"] = public_base end - add_optional(options, "secret", secret) - add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) + add_optional(options, "secret", p("#{scope}.secret", nil)) + add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) - unless ca_cert.empty? + unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cloud_controller_ng/templates/storage_cli_config_packages.json.erb b/jobs/cloud_controller_ng/templates/storage_cli_config_packages.json.erb index a810016898..c338ceb1b3 100644 --- a/jobs/cloud_controller_ng/templates/storage_cli_config_packages.json.erb +++ b/jobs/cloud_controller_ng/templates/storage_cli_config_packages.json.erb 
@@ -99,24 +99,21 @@ if provider == "webdav" || provider == "dav" # Resource-specific directory for compatibility with fog/webdav resource_dir = p("cc.packages.app_package_directory_key", "cc-packages") - # When using signed URLs (secret present), endpoint points to resource directory - # When using basic auth only (no secret), endpoint includes /admin/ prefix - secret = p("#{scope}.secret", nil) - base_endpoint = p("#{scope}.private_endpoint") + private_base = p("#{scope}.private_endpoint") + options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - if secret.nil? || secret.empty? - options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" - else - options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + public_base = p("#{scope}.public_endpoint", nil) + if public_base && !public_base.empty? + options["public_endpoint"] = public_base end - add_optional(options, "secret", secret) - add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) + add_optional(options, "secret", p("#{scope}.secret", nil)) + add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) - unless ca_cert.empty? + unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cloud_controller_ng/templates/storage_cli_config_resource_pool.json.erb b/jobs/cloud_controller_ng/templates/storage_cli_config_resource_pool.json.erb index 3b11b00cc7..79a53880fe 100644 --- a/jobs/cloud_controller_ng/templates/storage_cli_config_resource_pool.json.erb +++ b/jobs/cloud_controller_ng/templates/storage_cli_config_resource_pool.json.erb 
@@ -99,24 +99,21 @@ if provider == "webdav" || provider == "dav" # Resource-specific directory for compatibility with fog/webdav resource_dir = p("cc.resource_pool.resource_directory_key", "cc-resources") - # When using signed URLs (secret present), endpoint points to resource directory - # When using basic auth only (no secret), endpoint includes /admin/ prefix - secret = p("#{scope}.secret", nil) - base_endpoint = p("#{scope}.private_endpoint") + private_base = p("#{scope}.private_endpoint") + options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - if secret.nil? || secret.empty? - options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" - else - options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + public_base = p("#{scope}.public_endpoint", nil) + if public_base && !public_base.empty? + options["public_endpoint"] = public_base end - add_optional(options, "secret", secret) - add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) + add_optional(options, "secret", p("#{scope}.secret", nil)) + add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) - unless ca_cert.empty? + unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cloud_controller_worker/templates/storage_cli_config_buildpacks.json.erb b/jobs/cloud_controller_worker/templates/storage_cli_config_buildpacks.json.erb index 9e8b4422cc..928722ae46 100644 --- a/jobs/cloud_controller_worker/templates/storage_cli_config_buildpacks.json.erb +++ b/jobs/cloud_controller_worker/templates/storage_cli_config_buildpacks.json.erb 
@@ -99,24 +99,20 @@ if provider == "webdav" || provider == "dav" # Resource-specific directory for compatibility with fog/webdav resource_dir = p("cc.buildpacks.buildpack_directory_key", "cc-buildpacks") - # When using signed URLs (secret present), endpoint points to resource directory - # When using basic auth only (no secret), endpoint includes /admin/ prefix - secret = p("#{scope}.secret", nil) - base_endpoint = p("#{scope}.private_endpoint") + private_base = p("#{scope}.private_endpoint") + options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - if secret.nil? || secret.empty? - options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" - else - options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + if_p("#{scope}.public_endpoint") do |public_endpoint| + options["public_endpoint"] = public_endpoint end - add_optional(options, "secret", secret) - add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) + add_optional(options, "secret", p("#{scope}.secret", nil)) + add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) - unless ca_cert.empty? + unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cloud_controller_worker/templates/storage_cli_config_droplets.json.erb b/jobs/cloud_controller_worker/templates/storage_cli_config_droplets.json.erb index e482cf91ef..0fe740dff3 100644 --- a/jobs/cloud_controller_worker/templates/storage_cli_config_droplets.json.erb +++ b/jobs/cloud_controller_worker/templates/storage_cli_config_droplets.json.erb 
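Review bot: An empty-string `public_endpoint` would be written into the config by this `if_p` block, whereas the other job templates in this commit skip it with `public_base && !public_base.empty?`. As far as I know BOSH's `if_p` only tests whether the property is unset, so it yields for `''`. Guarding the assignment keeps the variants consistent: `options["public_endpoint"] = public_endpoint unless public_endpoint.empty?`. The droplets, packages and resource_pool templates of cloud_controller_worker in the following hunks use the same `if_p` form, and the worker spec added later in this series expects an empty value to be omitted.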
@@ -99,24 +99,20 @@ if provider == "webdav" || provider == "dav" # Resource-specific directory for compatibility with fog/webdav resource_dir = p("cc.droplets.droplet_directory_key", "cc-droplets") - # When using signed URLs (secret present), endpoint points to resource directory - # When using basic auth only (no secret), endpoint includes /admin/ prefix - secret = p("#{scope}.secret", nil) - base_endpoint = p("#{scope}.private_endpoint") + private_base = p("#{scope}.private_endpoint") + options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - if secret.nil? || secret.empty? - options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" - else - options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + if_p("#{scope}.public_endpoint") do |public_endpoint| + options["public_endpoint"] = public_endpoint end - add_optional(options, "secret", secret) - add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) + add_optional(options, "secret", p("#{scope}.secret", nil)) + add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) - unless ca_cert.empty? + unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cloud_controller_worker/templates/storage_cli_config_packages.json.erb b/jobs/cloud_controller_worker/templates/storage_cli_config_packages.json.erb index d688769ae1..28f9c2253c 100644 --- a/jobs/cloud_controller_worker/templates/storage_cli_config_packages.json.erb +++ b/jobs/cloud_controller_worker/templates/storage_cli_config_packages.json.erb 
@@ -99,24 +99,20 @@ if provider == "webdav" || provider == "dav" # Resource-specific directory for compatibility with fog/webdav resource_dir = p("cc.packages.app_package_directory_key", "cc-packages") - # When using signed URLs (secret present), endpoint points to resource directory - # When using basic auth only (no secret), endpoint includes /admin/ prefix - secret = p("#{scope}.secret", nil) - base_endpoint = p("#{scope}.private_endpoint") + private_base = p("#{scope}.private_endpoint") + options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - if secret.nil? || secret.empty? - options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" - else - options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + if_p("#{scope}.public_endpoint") do |public_endpoint| + options["public_endpoint"] = public_endpoint end - add_optional(options, "secret", secret) - add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) + add_optional(options, "secret", p("#{scope}.secret", nil)) + add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) - unless ca_cert.empty? + unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} end end diff --git a/jobs/cloud_controller_worker/templates/storage_cli_config_resource_pool.json.erb b/jobs/cloud_controller_worker/templates/storage_cli_config_resource_pool.json.erb index 3dc3809e89..0a7592f5ad 100644 --- a/jobs/cloud_controller_worker/templates/storage_cli_config_resource_pool.json.erb +++ b/jobs/cloud_controller_worker/templates/storage_cli_config_resource_pool.json.erb 
@@ -99,24 +99,20 @@ if provider == "webdav" || provider == "dav" # Resource-specific directory for compatibility with fog/webdav resource_dir = p("cc.resource_pool.resource_directory_key", "cc-resources") - # When using signed URLs (secret present), endpoint points to resource directory - # When using basic auth only (no secret), endpoint includes /admin/ prefix - secret = p("#{scope}.secret", nil) - base_endpoint = p("#{scope}.private_endpoint") + private_base = p("#{scope}.private_endpoint") + options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - if secret.nil? || secret.empty? - options["endpoint"] = "#{base_endpoint}/admin/#{resource_dir}" - else - options["endpoint"] = "#{base_endpoint}/#{resource_dir}" + if_p("#{scope}.public_endpoint") do |public_endpoint| + options["public_endpoint"] = public_endpoint end - add_optional(options, "secret", secret) - add_optional(options, "signing_method", p("#{scope}.signing_method", nil)) + add_optional(options, "secret", p("#{scope}.secret", nil)) + add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) - unless ca_cert.empty? + unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} end end From c6562866e64b468512bdbed2c05d98c2bfa21a56 Mon Sep 17 00:00:00 2001 From: Katharina Przybill <30441792+kathap@users.noreply.github.com> Date: Mon, 11 May 2026 13:45:23 +0200 Subject: [PATCH 5/8] Adapt storage-cli config template tests --- .../storage_cli_config_jsons_spec.rb | 52 ++++++++++++++++--- .../storage_cli_config_jsons_spec.rb | 52 ++++++++++++++++--- .../storage_cli_config_jsons_spec.rb | 52 ++++++++++++++++--- .../storage_cli_config_jsons_spec.rb | 52 ++++++++++++++++--- 4 files changed, 176 insertions(+), 32 deletions(-) 
diff --git a/spec/cc_deployment_updater/storage_cli_config_jsons_spec.rb b/spec/cc_deployment_updater/storage_cli_config_jsons_spec.rb index 61fab22105..4cb0400a3d 100644 --- a/spec/cc_deployment_updater/storage_cli_config_jsons_spec.rb +++ b/spec/cc_deployment_updater/storage_cli_config_jsons_spec.rb @@ -340,7 +340,7 @@ def expected_directory_key(template_path) 'provider' => 'dav', 'username' => 'user', 'password' => 'secret', - 'private_endpoint' => 'https://webdav.com', + 'private_endpoint' => 'https://webdav.internal', 'ca_cert' => 'some_cert' }) json = YAML.safe_load(template.render(props, consumes: links)) @@ -348,7 +348,28 @@ def expected_directory_key(template_path) 'provider' => 'dav', 'user' => 'user', 'password' => 'secret', - 'endpoint' => "https://webdav.com/admin/#{directory_key}", + 'endpoint' => "https://webdav.internal/admin/#{directory_key}", + 'tls' => { 'cert' => { 'ca' => 'some_cert' } } + ) + expect(json).not_to have_key('public_endpoint') + end + + it 'includes public_endpoint when provided' do + set(link_props, keypath, { + 'provider' => 'dav', + 'username' => 'user', + 'password' => 'secret', + 'private_endpoint' => 'https://webdav.internal', + 'public_endpoint' => 'https://webdav.example.com', + 'ca_cert' => 'some_cert' + }) + json = YAML.safe_load(template.render(props, consumes: links)) + expect(json).to include( + 'provider' => 'dav', + 'user' => 'user', + 'password' => 'secret', + 'endpoint' => "https://webdav.internal/admin/#{directory_key}", + 'public_endpoint' => 'https://webdav.example.com', 'tls' => { 'cert' => { 'ca' => 'some_cert' } } ) end 
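Review bot: Every dav example in these hunks still passes `'ca_cert' => 'some_cert'`, so the `ca_cert.nil? || ca_cert.empty?` guard that the templates gained in this series is never exercised with a missing or empty certificate. An example that leaves `ca_cert` out and asserts `expect(json).not_to have_key('tls')` would pin that the TLS block is omitted rather than rendered with an empty CA. The clock, ng and worker spec hunks in this commit have the same gap. The surrounding `describe`/`context` block starts outside the hunk.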
@@ -358,10 +379,11 @@ def expected_directory_key(template_path) 'provider' => 'dav', 'username' => 'user', 'password' => 'secret', - 'private_endpoint' => 'https://webdav.com', + 'private_endpoint' => 'https://webdav.internal', + 'public_endpoint' => 'https://webdav.example.com', 'ca_cert' => 'some_cert', - 'secret' => 'secret', - 'signing_method' => 'md5', + 'secret' => 'my-secret', + 'signed_url_format' => 'external-nginx-secure-link-signer', 'retry_attempts' => '4' }) json = YAML.safe_load(template.render(props, consumes: links)) @@ -369,13 +391,27 @@ def expected_directory_key(template_path) 'provider' => 'dav', 'user' => 'user', 'password' => 'secret', - 'endpoint' => "https://webdav.com/#{directory_key}", + 'endpoint' => "https://webdav.internal/admin/#{directory_key}", + 'public_endpoint' => 'https://webdav.example.com', 'tls' => { 'cert' => { 'ca' => 'some_cert' } }, - 'secret' => 'secret', - 'signing_method' => 'md5', + 'secret' => 'my-secret', + 'signed_url_format' => 'external-nginx-secure-link-signer', 'retry_attempts' => '4' ) end + + it 'omits public_endpoint when empty' do + set(link_props, keypath, { + 'provider' => 'dav', + 'username' => 'user', + 'password' => 'secret', + 'private_endpoint' => 'https://webdav.internal', + 'public_endpoint' => '', + 'ca_cert' => 'some_cert' + }) + json = YAML.safe_load(template.render(props, consumes: links)) + expect(json).not_to have_key('public_endpoint') + end end end end diff --git a/spec/cloud_controller_clock/storage_cli_config_jsons_spec.rb b/spec/cloud_controller_clock/storage_cli_config_jsons_spec.rb index 7c904a6d8e..3e9d96363e 100644 --- a/spec/cloud_controller_clock/storage_cli_config_jsons_spec.rb +++ b/spec/cloud_controller_clock/storage_cli_config_jsons_spec.rb 
@@ -293,7 +293,7 @@ def expected_directory_key(template_path) 'provider' => 'dav', 'username' => 'user', 'password' => 'secret', - 'private_endpoint' => 'https://webdav.com', + 'private_endpoint' => 'https://webdav.internal', 'ca_cert' => 'some_cert' }) json = YAML.safe_load(template.render(props, consumes: links)) @@ -301,7 +301,28 @@ def expected_directory_key(template_path) 'provider' => 'dav', 'user' => 'user', 'password' => 'secret', - 'endpoint' => "https://webdav.com/admin/#{directory_key}", + 'endpoint' => "https://webdav.internal/admin/#{directory_key}", + 'tls' => { 'cert' => { 'ca' => 'some_cert' } } + ) + expect(json).not_to have_key('public_endpoint') + end + + it 'includes public_endpoint when provided' do + set(props, keypath, { + 'provider' => 'dav', + 'username' => 'user', + 'password' => 'secret', + 'private_endpoint' => 'https://webdav.internal', + 'public_endpoint' => 'https://webdav.example.com', + 'ca_cert' => 'some_cert' + }) + json = YAML.safe_load(template.render(props, consumes: links)) + expect(json).to include( + 'provider' => 'dav', + 'user' => 'user', + 'password' => 'secret', + 'endpoint' => "https://webdav.internal/admin/#{directory_key}", + 'public_endpoint' => 'https://webdav.example.com', 'tls' => { 'cert' => { 'ca' => 'some_cert' } } ) end @@ -311,10 +332,11 @@ def expected_directory_key(template_path) 'provider' => 'dav', 'username' => 'user', 'password' => 'secret', - 'private_endpoint' => 'https://webdav.com', + 'private_endpoint' => 'https://webdav.internal', + 'public_endpoint' => 'https://webdav.example.com', 'ca_cert' => 'some_cert', - 'secret' => 'secret', - 'signing_method' => 'md5', + 'secret' => 'my-secret', + 'signed_url_format' => 'external-nginx-secure-link-signer', 'retry_attempts' => '4' }) json = YAML.safe_load(template.render(props, consumes: links)) 
@@ -322,13 +344,27 @@ def expected_directory_key(template_path) 'provider' => 'dav', 'user' => 'user', 'password' => 'secret', - 'endpoint' => "https://webdav.com/#{directory_key}", + 'endpoint' => "https://webdav.internal/admin/#{directory_key}", + 'public_endpoint' => 'https://webdav.example.com', 'tls' => { 'cert' => { 'ca' => 'some_cert' } }, - 'secret' => 'secret', - 'signing_method' => 'md5', + 'secret' => 'my-secret', + 'signed_url_format' => 'external-nginx-secure-link-signer', 'retry_attempts' => '4' ) end + + it 'omits public_endpoint when empty' do + set(props, keypath, { + 'provider' => 'dav', + 'username' => 'user', + 'password' => 'secret', + 'private_endpoint' => 'https://webdav.internal', + 'public_endpoint' => '', + 'ca_cert' => 'some_cert' + }) + json = YAML.safe_load(template.render(props, consumes: links)) + expect(json).not_to have_key('public_endpoint') + end end end end diff --git a/spec/cloud_controller_ng/storage_cli_config_jsons_spec.rb b/spec/cloud_controller_ng/storage_cli_config_jsons_spec.rb index b0f95fbf5b..2ffdaec0a3 100644 --- a/spec/cloud_controller_ng/storage_cli_config_jsons_spec.rb +++ b/spec/cloud_controller_ng/storage_cli_config_jsons_spec.rb @@ -294,7 +294,7 @@ def expected_directory_key(template_path) 'provider' => 'webdav', 'username' => 'user', 'password' => 'secret', - 'private_endpoint' => 'https://webdav.com', + 'private_endpoint' => 'https://webdav.internal', 'ca_cert' => 'some_cert' }) json = YAML.safe_load(template.render(props, consumes: links)) 
@@ -302,7 +302,28 @@ def expected_directory_key(template_path) 'provider' => 'dav', 'user' => 'user', 'password' => 'secret', - 'endpoint' => "https://webdav.com/admin/#{directory_key}", + 'endpoint' => "https://webdav.internal/admin/#{directory_key}", + 'tls' => { 'cert' => { 'ca' => 'some_cert' } } + ) + expect(json).not_to have_key('public_endpoint') + end + + it 'includes public_endpoint when provided' do + set(props, keypath, { + 'provider' => 'webdav', + 'username' => 'user', + 'password' => 'secret', + 'private_endpoint' => 'https://webdav.internal', + 'public_endpoint' => 'https://webdav.example.com', + 'ca_cert' => 'some_cert' + }) + json = YAML.safe_load(template.render(props, consumes: links)) + expect(json).to include( + 'provider' => 'dav', + 'user' => 'user', + 'password' => 'secret', + 'endpoint' => "https://webdav.internal/admin/#{directory_key}", + 'public_endpoint' => 'https://webdav.example.com', 'tls' => { 'cert' => { 'ca' => 'some_cert' } } ) end @@ -312,10 +333,11 @@ def expected_directory_key(template_path) 'provider' => 'webdav', 'username' => 'user', 'password' => 'secret', - 'private_endpoint' => 'https://webdav.com', + 'private_endpoint' => 'https://webdav.internal', + 'public_endpoint' => 'https://webdav.example.com', 'ca_cert' => 'some_cert', - 'secret' => 'secret', - 'signing_method' => 'md5', + 'secret' => 'my-secret', + 'signed_url_format' => 'external-nginx-secure-link-signer', 'retry_attempts' => '4' }) json = YAML.safe_load(template.render(props, consumes: links)) 
@@ -323,13 +345,27 @@ def expected_directory_key(template_path) 'provider' => 'dav', 'user' => 'user', 'password' => 'secret', - 'endpoint' => "https://webdav.com/#{directory_key}", + 'endpoint' => "https://webdav.internal/admin/#{directory_key}", + 'public_endpoint' => 'https://webdav.example.com', 'tls' => { 'cert' => { 'ca' => 'some_cert' } }, - 'secret' => 'secret', - 'signing_method' => 'md5', + 'secret' => 'my-secret', + 'signed_url_format' => 'external-nginx-secure-link-signer', 'retry_attempts' => '4' ) end + + it 'omits public_endpoint when empty' do + set(props, keypath, { + 'provider' => 'webdav', + 'username' => 'user', + 'password' => 'secret', + 'private_endpoint' => 'https://webdav.internal', + 'public_endpoint' => '', + 'ca_cert' => 'some_cert' + }) + json = YAML.safe_load(template.render(props, consumes: links)) + expect(json).not_to have_key('public_endpoint') + end end end end diff --git a/spec/cloud_controller_worker/storage_cli_config_jsons_spec.rb b/spec/cloud_controller_worker/storage_cli_config_jsons_spec.rb index 97c20c6152..3a0972df45 100644 --- a/spec/cloud_controller_worker/storage_cli_config_jsons_spec.rb +++ b/spec/cloud_controller_worker/storage_cli_config_jsons_spec.rb @@ -293,7 +293,7 @@ def expected_directory_key(template_path) 'provider' => 'dav', 'username' => 'user', 'password' => 'secret', - 'private_endpoint' => 'https://webdav.com', + 'private_endpoint' => 'https://webdav.internal', 'ca_cert' => 'some_cert' }) json = YAML.safe_load(template.render(props, consumes: links)) 
@@ -301,7 +301,28 @@ def expected_directory_key(template_path) 'provider' => 'dav', 'user' => 'user', 'password' => 'secret', - 'endpoint' => "https://webdav.com/admin/#{directory_key}", + 'endpoint' => "https://webdav.internal/admin/#{directory_key}", + 'tls' => { 'cert' => { 'ca' => 'some_cert' } } + ) + expect(json).not_to have_key('public_endpoint') + end + + it 'includes public_endpoint when provided' do + set(props, keypath, { + 'provider' => 'dav', + 'username' => 'user', + 'password' => 'secret', + 'private_endpoint' => 'https://webdav.internal', + 'public_endpoint' => 'https://webdav.example.com', + 'ca_cert' => 'some_cert' + }) + json = YAML.safe_load(template.render(props, consumes: links)) + expect(json).to include( + 'provider' => 'dav', + 'user' => 'user', + 'password' => 'secret', + 'endpoint' => "https://webdav.internal/admin/#{directory_key}", + 'public_endpoint' => 'https://webdav.example.com', 'tls' => { 'cert' => { 'ca' => 'some_cert' } } ) end @@ -311,10 +332,11 @@ def expected_directory_key(template_path) 'provider' => 'dav', 'username' => 'user', 'password' => 'secret', - 'private_endpoint' => 'https://webdav.com', + 'private_endpoint' => 'https://webdav.internal', + 'public_endpoint' => 'https://webdav.example.com', 'ca_cert' => 'some_cert', - 'secret' => 'secret', - 'signing_method' => 'md5', + 'secret' => 'my-secret', + 'signed_url_format' => 'external-nginx-secure-link-signer', 'retry_attempts' => '4' }) json = YAML.safe_load(template.render(props, consumes: links)) 
@@ -322,13 +344,27 @@ def expected_directory_key(template_path) 'provider' => 'dav', 'user' => 'user', 'password' => 'secret', - 'endpoint' => "https://webdav.com/#{directory_key}", + 'endpoint' => "https://webdav.internal/admin/#{directory_key}", + 'public_endpoint' => 'https://webdav.example.com', 'tls' => { 'cert' => { 'ca' => 'some_cert' } }, - 'secret' => 'secret', - 'signing_method' => 'md5', + 'secret' => 'my-secret', + 'signed_url_format' => 'external-nginx-secure-link-signer', 'retry_attempts' => '4' ) end + + it 'omits public_endpoint when empty' do + set(props, keypath, { + 'provider' => 'dav', + 'username' => 'user', + 'password' => 'secret', + 'private_endpoint' => 'https://webdav.internal', + 'public_endpoint' => '', + 'ca_cert' => 'some_cert' + }) + json = YAML.safe_load(template.render(props, consumes: links)) + expect(json).not_to have_key('public_endpoint') + end end end end From 7633e15398aeb4f7b1b1afb6eda6311863139906 Mon Sep 17 00:00:00 2001 
From: Katharina Przybill <30441792+kathap@users.noreply.github.com>
Date: Mon, 11 May 2026 14:13:08 +0200
Subject: [PATCH 6/8] Adjust tests, simplify public_endpoint in config templates for dav
---
.../storage_cli_config_buildpacks.json.erb | 6 +--
.../storage_cli_config_droplets.json.erb | 6 +--
.../storage_cli_config_packages.json.erb | 6 +--
.../storage_cli_config_resource_pool.json.erb | 6 +--
.../storage_cli_config_buildpacks.json.erb | 6 +--
.../storage_cli_config_droplets.json.erb | 6 +--
.../storage_cli_config_packages.json.erb | 6 +--
.../storage_cli_config_resource_pool.json.erb | 6 +--
.../storage_cli_config_buildpacks.json.erb | 6 +--
.../storage_cli_config_droplets.json.erb | 6 +--
.../storage_cli_config_packages.json.erb | 6 +--
.../storage_cli_config_resource_pool.json.erb | 6 +--
.../storage_cli_config_buildpacks.json.erb | 6 +--
.../storage_cli_config_droplets.json.erb | 5 +--
.../storage_cli_config_packages.json.erb | 6 +--
.../storage_cli_config_resource_pool.json.erb | 6 +--
.../storage_cli_config_buildpacks.json.erb | 5 +--
.../storage_cli_config_droplets.json.erb | 5 +--
.../storage_cli_config_packages.json.erb | 5 +--
.../storage_cli_config_resource_pool.json.erb | 5 +--
.../storage_cli_config_jsons_spec.rb | 30 ++++++++-------
.../storage_cli_config_jsons_spec.rb | 38 ++++++++++---------
.../storage_cli_config_jsons_spec.rb | 33 ++++++++--------
.../storage_cli_config_jsons_spec.rb | 38 ++++++++++---------
24 files changed, 93 insertions(+), 161 deletions(-)
diff --git a/jobs/blobstore_benchmark/templates/storage_cli_config_buildpacks.json.erb b/jobs/blobstore_benchmark/templates/storage_cli_config_buildpacks.json.erb
index 2e11d70240..8317e6d134 100644
--- a/jobs/blobstore_benchmark/templates/storage_cli_config_buildpacks.json.erb
+++ b/jobs/blobstore_benchmark/templates/storage_cli_config_buildpacks.json.erb
@@ -104,11 +104,7 @@ if provider == "webdav" || provider == "dav" private_base = l.p("#{scope}.private_endpoint") options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - public_base = l.p("#{scope}.public_endpoint", nil) - if public_base && !public_base.empty? - options["public_endpoint"] = public_base - end - + add_optional(options, "public_endpoint", l.p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", l.p("#{scope}.secret", nil)) add_optional(options, "signed_url_format", l.p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) diff --git a/jobs/blobstore_benchmark/templates/storage_cli_config_droplets.json.erb b/jobs/blobstore_benchmark/templates/storage_cli_config_droplets.json.erb index f623cdd959..61cb14b3ed 100644 --- a/jobs/blobstore_benchmark/templates/storage_cli_config_droplets.json.erb +++ b/jobs/blobstore_benchmark/templates/storage_cli_config_droplets.json.erb @@ -104,11 +104,7 @@ if provider == "webdav" || provider == "dav" private_base = l.p("#{scope}.private_endpoint") options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - public_base = l.p("#{scope}.public_endpoint", nil) - if public_base && !public_base.empty? - options["public_endpoint"] = public_base - end - + add_optional(options, "public_endpoint", l.p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", l.p("#{scope}.secret", nil)) add_optional(options, "signed_url_format", l.p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) diff --git a/jobs/blobstore_benchmark/templates/storage_cli_config_packages.json.erb b/jobs/blobstore_benchmark/templates/storage_cli_config_packages.json.erb index 3774a62102..65ae733f99 100644 --- a/jobs/blobstore_benchmark/templates/storage_cli_config_packages.json.erb +++ b/jobs/blobstore_benchmark/templates/storage_cli_config_packages.json.erb 
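Review bot: Dropping an empty `public_endpoint` now depends entirely on `add_optional`, which is defined outside this hunk, whereas the removed lines checked `public_base && !public_base.empty?` explicitly. If `add_optional` skips only nil, an empty string would presumably be rendered into the config as an empty `public_endpoint` value. A one-line comment above the new call, for example `# add_optional omits nil and "" so public_endpoint is never rendered empty`, would record that contract where it is relied on. The 'omits public_endpoint when empty' examples cover it only for jobs whose spec is part of this series, and this patch touches no spec for blobstore_benchmark. The same replacement is made in every later template hunk of this patch, through the cloud_controller_worker templates.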
@@ -104,11 +104,7 @@ if provider == "webdav" || provider == "dav" private_base = l.p("#{scope}.private_endpoint") options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - public_base = l.p("#{scope}.public_endpoint", nil) - if public_base && !public_base.empty? - options["public_endpoint"] = public_base - end - + add_optional(options, "public_endpoint", l.p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", l.p("#{scope}.secret", nil)) add_optional(options, "signed_url_format", l.p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) diff --git a/jobs/blobstore_benchmark/templates/storage_cli_config_resource_pool.json.erb b/jobs/blobstore_benchmark/templates/storage_cli_config_resource_pool.json.erb index aab693ec41..573cf18262 100644 --- a/jobs/blobstore_benchmark/templates/storage_cli_config_resource_pool.json.erb +++ b/jobs/blobstore_benchmark/templates/storage_cli_config_resource_pool.json.erb @@ -104,11 +104,7 @@ if provider == "webdav" || provider == "dav" private_base = l.p("#{scope}.private_endpoint") options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - public_base = l.p("#{scope}.public_endpoint", nil) - if public_base && !public_base.empty? - options["public_endpoint"] = public_base - end - + add_optional(options, "public_endpoint", l.p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", l.p("#{scope}.secret", nil)) add_optional(options, "signed_url_format", l.p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) diff --git a/jobs/cc_deployment_updater/templates/storage_cli_config_buildpacks.json.erb b/jobs/cc_deployment_updater/templates/storage_cli_config_buildpacks.json.erb index c17a3b9e0d..d3361af8e9 100644 --- a/jobs/cc_deployment_updater/templates/storage_cli_config_buildpacks.json.erb +++ b/jobs/cc_deployment_updater/templates/storage_cli_config_buildpacks.json.erb 
@@ -104,11 +104,7 @@ if provider == "webdav" || provider == "dav" private_base = l.p("#{scope}.private_endpoint") options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - public_base = l.p("#{scope}.public_endpoint", nil) - if public_base && !public_base.empty? - options["public_endpoint"] = public_base - end - + add_optional(options, "public_endpoint", l.p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", l.p("#{scope}.secret", nil)) add_optional(options, "signed_url_format", l.p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) diff --git a/jobs/cc_deployment_updater/templates/storage_cli_config_droplets.json.erb b/jobs/cc_deployment_updater/templates/storage_cli_config_droplets.json.erb index 7abc12e412..26a5a84996 100644 --- a/jobs/cc_deployment_updater/templates/storage_cli_config_droplets.json.erb +++ b/jobs/cc_deployment_updater/templates/storage_cli_config_droplets.json.erb @@ -104,11 +104,7 @@ if provider == "webdav" || provider == "dav" private_base = l.p("#{scope}.private_endpoint") options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - public_base = l.p("#{scope}.public_endpoint", nil) - if public_base && !public_base.empty? - options["public_endpoint"] = public_base - end - + add_optional(options, "public_endpoint", l.p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", l.p("#{scope}.secret", nil)) add_optional(options, "signed_url_format", l.p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) diff --git a/jobs/cc_deployment_updater/templates/storage_cli_config_packages.json.erb b/jobs/cc_deployment_updater/templates/storage_cli_config_packages.json.erb index 3774a62102..65ae733f99 100644 --- a/jobs/cc_deployment_updater/templates/storage_cli_config_packages.json.erb +++ b/jobs/cc_deployment_updater/templates/storage_cli_config_packages.json.erb 
@@ -104,11 +104,7 @@ if provider == "webdav" || provider == "dav" private_base = l.p("#{scope}.private_endpoint") options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - public_base = l.p("#{scope}.public_endpoint", nil) - if public_base && !public_base.empty? - options["public_endpoint"] = public_base - end - + add_optional(options, "public_endpoint", l.p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", l.p("#{scope}.secret", nil)) add_optional(options, "signed_url_format", l.p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) diff --git a/jobs/cc_deployment_updater/templates/storage_cli_config_resource_pool.json.erb b/jobs/cc_deployment_updater/templates/storage_cli_config_resource_pool.json.erb index 57a504bf97..81ede9da33 100644 --- a/jobs/cc_deployment_updater/templates/storage_cli_config_resource_pool.json.erb +++ b/jobs/cc_deployment_updater/templates/storage_cli_config_resource_pool.json.erb @@ -104,11 +104,7 @@ if provider == "webdav" || provider == "dav" private_base = l.p("#{scope}.private_endpoint") options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - public_base = l.p("#{scope}.public_endpoint", nil) - if public_base && !public_base.empty? - options["public_endpoint"] = public_base - end - + add_optional(options, "public_endpoint", l.p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", l.p("#{scope}.secret", nil)) add_optional(options, "signed_url_format", l.p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) diff --git a/jobs/cloud_controller_clock/templates/storage_cli_config_buildpacks.json.erb b/jobs/cloud_controller_clock/templates/storage_cli_config_buildpacks.json.erb index 37c9f76e00..52eb1d04d4 100644 --- a/jobs/cloud_controller_clock/templates/storage_cli_config_buildpacks.json.erb +++ b/jobs/cloud_controller_clock/templates/storage_cli_config_buildpacks.json.erb 
@@ -102,11 +102,7 @@ if provider == "webdav" || provider == "dav" private_base = p("#{scope}.private_endpoint") options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - public_base = p("#{scope}.public_endpoint", nil) - if public_base && !public_base.empty? - options["public_endpoint"] = public_base - end - + add_optional(options, "public_endpoint", p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", p("#{scope}.secret", nil)) add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) diff --git a/jobs/cloud_controller_clock/templates/storage_cli_config_droplets.json.erb b/jobs/cloud_controller_clock/templates/storage_cli_config_droplets.json.erb index cd5e02f8b7..89002191a8 100644 --- a/jobs/cloud_controller_clock/templates/storage_cli_config_droplets.json.erb +++ b/jobs/cloud_controller_clock/templates/storage_cli_config_droplets.json.erb @@ -102,11 +102,7 @@ if provider == "webdav" || provider == "dav" private_base = p("#{scope}.private_endpoint") options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - public_base = p("#{scope}.public_endpoint", nil) - if public_base && !public_base.empty? - options["public_endpoint"] = public_base - end - + add_optional(options, "public_endpoint", p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", p("#{scope}.secret", nil)) add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) diff --git a/jobs/cloud_controller_clock/templates/storage_cli_config_packages.json.erb b/jobs/cloud_controller_clock/templates/storage_cli_config_packages.json.erb index c338ceb1b3..6e391a6061 100644 --- a/jobs/cloud_controller_clock/templates/storage_cli_config_packages.json.erb +++ b/jobs/cloud_controller_clock/templates/storage_cli_config_packages.json.erb 
@@ -102,11 +102,7 @@ if provider == "webdav" || provider == "dav" private_base = p("#{scope}.private_endpoint") options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - public_base = p("#{scope}.public_endpoint", nil) - if public_base && !public_base.empty? - options["public_endpoint"] = public_base - end - + add_optional(options, "public_endpoint", p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", p("#{scope}.secret", nil)) add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) diff --git a/jobs/cloud_controller_clock/templates/storage_cli_config_resource_pool.json.erb b/jobs/cloud_controller_clock/templates/storage_cli_config_resource_pool.json.erb index 79a53880fe..36401322e7 100644 --- a/jobs/cloud_controller_clock/templates/storage_cli_config_resource_pool.json.erb +++ b/jobs/cloud_controller_clock/templates/storage_cli_config_resource_pool.json.erb @@ -102,11 +102,7 @@ if provider == "webdav" || provider == "dav" private_base = p("#{scope}.private_endpoint") options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - public_base = p("#{scope}.public_endpoint", nil) - if public_base && !public_base.empty? - options["public_endpoint"] = public_base - end - + add_optional(options, "public_endpoint", p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", p("#{scope}.secret", nil)) add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) diff --git a/jobs/cloud_controller_ng/templates/storage_cli_config_buildpacks.json.erb b/jobs/cloud_controller_ng/templates/storage_cli_config_buildpacks.json.erb index 37c9f76e00..52eb1d04d4 100644 --- a/jobs/cloud_controller_ng/templates/storage_cli_config_buildpacks.json.erb +++ b/jobs/cloud_controller_ng/templates/storage_cli_config_buildpacks.json.erb 
@@ -102,11 +102,7 @@ if provider == "webdav" || provider == "dav" private_base = p("#{scope}.private_endpoint") options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - public_base = p("#{scope}.public_endpoint", nil) - if public_base && !public_base.empty? - options["public_endpoint"] = public_base - end - + add_optional(options, "public_endpoint", p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", p("#{scope}.secret", nil)) add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) diff --git a/jobs/cloud_controller_ng/templates/storage_cli_config_droplets.json.erb b/jobs/cloud_controller_ng/templates/storage_cli_config_droplets.json.erb index c1188e3e31..bde13bdb34 100644 --- a/jobs/cloud_controller_ng/templates/storage_cli_config_droplets.json.erb +++ b/jobs/cloud_controller_ng/templates/storage_cli_config_droplets.json.erb @@ -107,10 +107,7 @@ if provider == "dav" options["endpoint"] = "#{private_base}/admin/#{resource_dir}" # Public endpoint (optional) for user-facing signed URLs (API downloads via gorouter) - public_base = p("#{scope}.public_endpoint", nil) - if public_base && !public_base.empty? - options["public_endpoint"] = public_base - end + add_optional(options, "public_endpoint", p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", p("#{scope}.secret", nil)) add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) diff --git a/jobs/cloud_controller_ng/templates/storage_cli_config_packages.json.erb b/jobs/cloud_controller_ng/templates/storage_cli_config_packages.json.erb index c338ceb1b3..6e391a6061 100644 --- a/jobs/cloud_controller_ng/templates/storage_cli_config_packages.json.erb +++ b/jobs/cloud_controller_ng/templates/storage_cli_config_packages.json.erb 
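Review bot: The second hunk here, for jobs/cloud_controller_ng/templates/storage_cli_config_droplets.json.erb, sits under `if provider == "dav"` according to its hunk header, while every other template hunk in this patch shows `if provider == "webdav" || provider == "dav"`. If that header line is the live condition, a deployment still using the legacy `webdav` name would skip this block for droplets on this job only, presumably leaving the endpoint, credentials and TLS CA out of that one rendered config. Either align it to `if provider == "webdav" || provider == "dav"` or add a comment stating why droplets is dav-only here. The condition lies outside the hunk and should be confirmed against the full file; the cloud_controller_ng spec hunks in this patch also do not switch their inputs to `'webdav'` as the clock and worker specs do.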
@@ -102,11 +102,7 @@ if provider == "webdav" || provider == "dav" private_base = p("#{scope}.private_endpoint") options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - public_base = p("#{scope}.public_endpoint", nil) - if public_base && !public_base.empty? - options["public_endpoint"] = public_base - end - + add_optional(options, "public_endpoint", p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", p("#{scope}.secret", nil)) add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) diff --git a/jobs/cloud_controller_ng/templates/storage_cli_config_resource_pool.json.erb b/jobs/cloud_controller_ng/templates/storage_cli_config_resource_pool.json.erb index 79a53880fe..36401322e7 100644 --- a/jobs/cloud_controller_ng/templates/storage_cli_config_resource_pool.json.erb +++ b/jobs/cloud_controller_ng/templates/storage_cli_config_resource_pool.json.erb @@ -102,11 +102,7 @@ if provider == "webdav" || provider == "dav" private_base = p("#{scope}.private_endpoint") options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - public_base = p("#{scope}.public_endpoint", nil) - if public_base && !public_base.empty? - options["public_endpoint"] = public_base - end - + add_optional(options, "public_endpoint", p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", p("#{scope}.secret", nil)) add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) diff --git a/jobs/cloud_controller_worker/templates/storage_cli_config_buildpacks.json.erb b/jobs/cloud_controller_worker/templates/storage_cli_config_buildpacks.json.erb index 928722ae46..52eb1d04d4 100644 --- a/jobs/cloud_controller_worker/templates/storage_cli_config_buildpacks.json.erb +++ b/jobs/cloud_controller_worker/templates/storage_cli_config_buildpacks.json.erb 
@@ -102,10 +102,7 @@ if provider == "webdav" || provider == "dav" private_base = p("#{scope}.private_endpoint") options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - if_p("#{scope}.public_endpoint") do |public_endpoint| - options["public_endpoint"] = public_endpoint - end - + add_optional(options, "public_endpoint", p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", p("#{scope}.secret", nil)) add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) diff --git a/jobs/cloud_controller_worker/templates/storage_cli_config_droplets.json.erb b/jobs/cloud_controller_worker/templates/storage_cli_config_droplets.json.erb index 0fe740dff3..89002191a8 100644 --- a/jobs/cloud_controller_worker/templates/storage_cli_config_droplets.json.erb +++ b/jobs/cloud_controller_worker/templates/storage_cli_config_droplets.json.erb @@ -102,10 +102,7 @@ if provider == "webdav" || provider == "dav" private_base = p("#{scope}.private_endpoint") options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - if_p("#{scope}.public_endpoint") do |public_endpoint| - options["public_endpoint"] = public_endpoint - end - + add_optional(options, "public_endpoint", p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", p("#{scope}.secret", nil)) add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) diff --git a/jobs/cloud_controller_worker/templates/storage_cli_config_packages.json.erb b/jobs/cloud_controller_worker/templates/storage_cli_config_packages.json.erb index 28f9c2253c..c31a33b6a0 100644 --- a/jobs/cloud_controller_worker/templates/storage_cli_config_packages.json.erb +++ b/jobs/cloud_controller_worker/templates/storage_cli_config_packages.json.erb 
@@ -102,10 +102,7 @@ if provider == "webdav" || provider == "dav" private_base = p("#{scope}.private_endpoint") options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - if_p("#{scope}.public_endpoint") do |public_endpoint| - options["public_endpoint"] = public_endpoint - end - + add_optional(options, "public_endpoint", p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", p("#{scope}.secret", nil)) add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) diff --git a/jobs/cloud_controller_worker/templates/storage_cli_config_resource_pool.json.erb b/jobs/cloud_controller_worker/templates/storage_cli_config_resource_pool.json.erb index 0a7592f5ad..b3e65773a5 100644 --- a/jobs/cloud_controller_worker/templates/storage_cli_config_resource_pool.json.erb +++ b/jobs/cloud_controller_worker/templates/storage_cli_config_resource_pool.json.erb @@ -102,10 +102,7 @@ if provider == "webdav" || provider == "dav" private_base = p("#{scope}.private_endpoint") options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - if_p("#{scope}.public_endpoint") do |public_endpoint| - options["public_endpoint"] = public_endpoint - end - + add_optional(options, "public_endpoint", p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", p("#{scope}.secret", nil)) add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) diff --git a/spec/cc_deployment_updater/storage_cli_config_jsons_spec.rb b/spec/cc_deployment_updater/storage_cli_config_jsons_spec.rb index 4cb0400a3d..8ba6c47ce2 100644 --- a/spec/cc_deployment_updater/storage_cli_config_jsons_spec.rb +++ b/spec/cc_deployment_updater/storage_cli_config_jsons_spec.rb 
@@ -4,18 +4,20 @@ require 'yaml' require 'bosh/template/test' -TEMPLATES = { - droplets: ['config/storage_cli_config_droplets.json', %w[cc droplets connection_config]], - buildpacks: ['config/storage_cli_config_buildpacks.json', %w[cc buildpacks connection_config]], - packages: ['config/storage_cli_config_packages.json', %w[cc packages connection_config]], - resource_pool: ['config/storage_cli_config_resource_pool.json', %w[cc resource_pool connection_config]] -}.freeze - module Bosh module Template module Test RSpec.describe 'storage-cli JSON templates' do - let(:release_path) { File.join(File.dirname(__FILE__), '../..') } + def self.storage_cli_templates + [ + ['config/storage_cli_config_droplets.json', %w[cc droplets connection_config]], + ['config/storage_cli_config_buildpacks.json', %w[cc buildpacks connection_config]], + ['config/storage_cli_config_packages.json', %w[cc packages connection_config]], + ['config/storage_cli_config_resource_pool.json', %w[cc resource_pool connection_config]] + ] + end + + let(:release_path) { File.expand_path('../..', __dir__) } let(:release) { ReleaseDir.new(release_path) } let(:job) { release.job('cc_deployment_updater') } @@ -47,7 +49,7 @@ def props_for_provider(provider) let(:links) { [cc_link] } let(:props) { {} } - TEMPLATES.each_value do |(template_path, _keypath)| + storage_cli_templates.each do |(template_path, _keypath)| describe template_path do let(:template) { job.template(template_path) } @@ -70,7 +72,7 @@ def props_for_provider(provider) let(:links) { [cc_link] } let(:props) { {} } - TEMPLATES.each_value do |(template_path, keypath)| + storage_cli_templates.each do |(template_path, keypath)| describe template_path do let(:template) { job.template(template_path) } 
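Review bot: `def self.storage_cli_templates` in the first hunk here is defined with the same four entries in each of the four spec files this patch touches (cc_deployment_updater here, then cloud_controller_clock, cloud_controller_ng and cloud_controller_worker). A template added later has to be listed in all four places, or it silently goes unrendered in the specs for some job. Moving the list into one shared spec helper that each file calls would keep coverage in step. Short of that, a comment above the method such as `# keep in sync with the other storage_cli_config_jsons_spec.rb files` makes the duplication explicit.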
@@ -118,7 +120,7 @@ def props_for_provider(provider) let(:links) { [cc_link] } let(:props) { {} } - TEMPLATES.each_value do |(template_path, keypath)| + storage_cli_templates.each do |(template_path, keypath)| describe template_path do let(:template) { job.template(template_path) } @@ -230,7 +232,7 @@ def props_for_provider(provider) let(:links) { [cc_link] } let(:props) { {} } - TEMPLATES.each_value do |(template_path, keypath)| + storage_cli_templates.each do |(template_path, keypath)| describe template_path do let(:template) { job.template(template_path) } @@ -284,7 +286,7 @@ def props_for_provider(provider) let(:links) { [cc_link] } let(:props) { {} } - TEMPLATES.each_value do |(template_path, keypath)| + storage_cli_templates.each do |(template_path, keypath)| describe template_path do let(:template) { job.template(template_path) } @@ -330,7 +332,7 @@ def expected_directory_key(template_path) end end - TEMPLATES.each_value do |(template_path, keypath)| + storage_cli_templates.each do |(template_path, keypath)| describe template_path do let(:template) { job.template(template_path) } let(:directory_key) { expected_directory_key(template_path) } diff --git a/spec/cloud_controller_clock/storage_cli_config_jsons_spec.rb b/spec/cloud_controller_clock/storage_cli_config_jsons_spec.rb index 3e9d96363e..a8b71761bb 100644 --- a/spec/cloud_controller_clock/storage_cli_config_jsons_spec.rb +++ b/spec/cloud_controller_clock/storage_cli_config_jsons_spec.rb 
@@ -4,18 +4,20 @@ require 'yaml' require 'bosh/template/test' -TEMPLATES = { - droplets: ['config/storage_cli_config_droplets.json', %w[cc droplets connection_config]], - buildpacks: ['config/storage_cli_config_buildpacks.json', %w[cc buildpacks connection_config]], - packages: ['config/storage_cli_config_packages.json', %w[cc packages connection_config]], - resource_pool: ['config/storage_cli_config_resource_pool.json', %w[cc resource_pool connection_config]] -}.freeze - module Bosh module Template module Test RSpec.describe 'storage-cli JSON templates' do - let(:release_path) { File.join(File.dirname(__FILE__), '../..') } + def self.storage_cli_templates + [ + ['config/storage_cli_config_droplets.json', %w[cc droplets connection_config]], + ['config/storage_cli_config_buildpacks.json', %w[cc buildpacks connection_config]], + ['config/storage_cli_config_packages.json', %w[cc packages connection_config]], + ['config/storage_cli_config_resource_pool.json', %w[cc resource_pool connection_config]] + ] + end + + let(:release_path) { File.expand_path('../..', __dir__) } let(:release) { ReleaseDir.new(release_path) } let(:job) { release.job('cloud_controller_clock') } let(:links) { {} } @@ -40,7 +42,7 @@ def props_for_provider(provider) describe 'unsupported provider' do let(:props) { props_for_provider('Unsupported') } - TEMPLATES.each_value do |(template_path, _keypath)| + storage_cli_templates.each do |(template_path, _keypath)| describe template_path do let(:template) { job.template(template_path) } @@ -55,7 +57,7 @@ def props_for_provider(provider) describe 'when provider is AzureRM' do let(:props) { props_for_provider('AzureRM') } - TEMPLATES.each_value do |(template_path, keypath)| + storage_cli_templates.each do |(template_path, keypath)| describe template_path do let(:template) { job.template(template_path) } 
@@ -95,7 +97,7 @@ def props_for_provider(provider) describe 'when provider is AWS' do let(:props) { props_for_provider('AWS') } - TEMPLATES.each_value do |(template_path, keypath)| + storage_cli_templates.each do |(template_path, keypath)| describe template_path do let(:template) { job.template(template_path) } @@ -199,7 +201,7 @@ def props_for_provider(provider) describe 'when provider is Google' do let(:props) { props_for_provider('Google') } - TEMPLATES.each_value do |(template_path, keypath)| + storage_cli_templates.each do |(template_path, keypath)| describe template_path do let(:template) { job.template(template_path) } @@ -245,7 +247,7 @@ def props_for_provider(provider) describe 'when provider is aliyun' do let(:props) { props_for_provider('aliyun') } - TEMPLATES.each_value do |(template_path, keypath)| + storage_cli_templates.each do |(template_path, keypath)| describe template_path do let(:template) { job.template(template_path) } @@ -283,14 +285,14 @@ def expected_directory_key(template_path) end end - TEMPLATES.each_value do |(template_path, keypath)| + storage_cli_templates.each do |(template_path, keypath)| describe template_path do let(:template) { job.template(template_path) } let(:directory_key) { expected_directory_key(template_path) } it 'maps required properties into the rendered config' do set(props, keypath, { - 'provider' => 'dav', + 'provider' => 'webdav', 'username' => 'user', 'password' => 'secret', 'private_endpoint' => 'https://webdav.internal', @@ -309,7 +311,7 @@ def expected_directory_key(template_path) it 'includes public_endpoint when provided' do set(props, keypath, { - 'provider' => 'dav', + 'provider' => 'webdav', 'username' => 'user', 'password' => 'secret', 'private_endpoint' => 'https://webdav.internal', 
@@ -329,7 +331,7 @@ def expected_directory_key(template_path) it 'includes optional properties when provided' do set(props, keypath, { - 'provider' => 'dav', + 'provider' => 'webdav', 'username' => 'user', 'password' => 'secret', 'private_endpoint' => 'https://webdav.internal', @@ -355,7 +357,7 @@ def expected_directory_key(template_path) it 'omits public_endpoint when empty' do set(props, keypath, { - 'provider' => 'dav', + 'provider' => 'webdav', 'username' => 'user', 'password' => 'secret', 'private_endpoint' => 'https://webdav.internal', diff --git a/spec/cloud_controller_ng/storage_cli_config_jsons_spec.rb b/spec/cloud_controller_ng/storage_cli_config_jsons_spec.rb index 2ffdaec0a3..34170a6878 100644 --- a/spec/cloud_controller_ng/storage_cli_config_jsons_spec.rb +++ b/spec/cloud_controller_ng/storage_cli_config_jsons_spec.rb 
@@ -1,22 +1,23 @@ # frozen_string_literal: true require 'rspec' -require 'yaml' # frozen_string_literal: true - +require 'yaml' require 'bosh/template/test' -TEMPLATES = { - droplets: ['config/storage_cli_config_droplets.json', %w[cc droplets connection_config]], - buildpacks: ['config/storage_cli_config_buildpacks.json', %w[cc buildpacks connection_config]], - packages: ['config/storage_cli_config_packages.json', %w[cc packages connection_config]], - resource_pool: ['config/storage_cli_config_resource_pool.json', %w[cc resource_pool connection_config]] -}.freeze - module Bosh module Template module Test RSpec.describe 'storage-cli JSON templates' do - let(:release_path) { File.join(File.dirname(__FILE__), '../..') } + def self.storage_cli_templates + [ + ['config/storage_cli_config_droplets.json', %w[cc droplets connection_config]], + ['config/storage_cli_config_buildpacks.json', %w[cc buildpacks connection_config]], + ['config/storage_cli_config_packages.json', %w[cc packages connection_config]], + ['config/storage_cli_config_resource_pool.json', %w[cc resource_pool connection_config]] + ] + end + + let(:release_path) { File.expand_path('../..', __dir__) } let(:release) { ReleaseDir.new(release_path) } let(:job) { release.job('cloud_controller_ng') } let(:links) { {} } @@ -41,7 +42,7 @@ def props_for_provider(provider) describe 'unsupported provider' do let(:props) { props_for_provider('Unsupported') } - TEMPLATES.each_value do |(template_path, _keypath)| + storage_cli_templates.each do |(template_path, _keypath)| describe template_path do let(:template) { job.template(template_path) } @@ -56,7 +57,7 @@ def props_for_provider(provider) describe 'when provider is AzureRM' do let(:props) { props_for_provider('AzureRM') } - TEMPLATES.each_value do |(template_path, keypath)| + storage_cli_templates.each do |(template_path, keypath)| describe template_path do let(:template) { job.template(template_path) } 
@@ -96,7 +97,7 @@ def props_for_provider(provider) describe 'when provider is AWS' do let(:props) { props_for_provider('AWS') } - TEMPLATES.each_value do |(template_path, keypath)| + storage_cli_templates.each do |(template_path, keypath)| describe template_path do let(:template) { job.template(template_path) } @@ -200,7 +201,7 @@ def props_for_provider(provider) describe 'when provider is Google' do let(:props) { props_for_provider('Google') } - TEMPLATES.each_value do |(template_path, keypath)| + storage_cli_templates.each do |(template_path, keypath)| describe template_path do let(:template) { job.template(template_path) } @@ -246,7 +247,7 @@ def props_for_provider(provider) describe 'when provider is aliyun' do let(:props) { props_for_provider('aliyun') } - TEMPLATES.each_value do |(template_path, keypath)| + storage_cli_templates.each do |(template_path, keypath)| describe template_path do let(:template) { job.template(template_path) } @@ -284,7 +285,7 @@ def expected_directory_key(template_path) end end - TEMPLATES.each_value do |(template_path, keypath)| + storage_cli_templates.each do |(template_path, keypath)| describe template_path do let(:template) { job.template(template_path) } let(:directory_key) { expected_directory_key(template_path) } diff --git a/spec/cloud_controller_worker/storage_cli_config_jsons_spec.rb b/spec/cloud_controller_worker/storage_cli_config_jsons_spec.rb index 3a0972df45..41f36ee898 100644 --- a/spec/cloud_controller_worker/storage_cli_config_jsons_spec.rb +++ b/spec/cloud_controller_worker/storage_cli_config_jsons_spec.rb 
@@ -4,18 +4,20 @@ require 'yaml' require 'bosh/template/test' -TEMPLATES = { - droplets: ['config/storage_cli_config_droplets.json', %w[cc droplets connection_config]], - buildpacks: ['config/storage_cli_config_buildpacks.json', %w[cc buildpacks connection_config]], - packages: ['config/storage_cli_config_packages.json', %w[cc packages connection_config]], - resource_pool: ['config/storage_cli_config_resource_pool.json', %w[cc resource_pool connection_config]] -}.freeze - module Bosh module Template module Test RSpec.describe 'storage-cli JSON templates' do - let(:release_path) { File.join(File.dirname(__FILE__), '../..') } + def self.storage_cli_templates + [ + ['config/storage_cli_config_droplets.json', %w[cc droplets connection_config]], + ['config/storage_cli_config_buildpacks.json', %w[cc buildpacks connection_config]], + ['config/storage_cli_config_packages.json', %w[cc packages connection_config]], + ['config/storage_cli_config_resource_pool.json', %w[cc resource_pool connection_config]] + ] + end + + let(:release_path) { File.expand_path('../..', __dir__) } let(:release) { ReleaseDir.new(release_path) } let(:job) { release.job('cloud_controller_worker') } let(:links) { {} } @@ -40,7 +42,7 @@ def props_for_provider(provider) describe 'unsupported provider' do let(:props) { props_for_provider('Unsupported') } - TEMPLATES.each_value do |(template_path, _keypath)| + storage_cli_templates.each do |(template_path, _keypath)| describe template_path do let(:template) { job.template(template_path) } @@ -55,7 +57,7 @@ def props_for_provider(provider) describe 'when provider is AzureRM' do let(:props) { props_for_provider('AzureRM') } - TEMPLATES.each_value do |(template_path, keypath)| + storage_cli_templates.each do |(template_path, keypath)| describe template_path do let(:template) { job.template(template_path) } 
@@ -95,7 +97,7 @@ def props_for_provider(provider) describe 'when provider is AWS' do let(:props) { props_for_provider('AWS') } - TEMPLATES.each_value do |(template_path, keypath)| + storage_cli_templates.each do |(template_path, keypath)| describe template_path do let(:template) { job.template(template_path) } @@ -199,7 +201,7 @@ def props_for_provider(provider) describe 'when provider is Google' do let(:props) { props_for_provider('Google') } - TEMPLATES.each_value do |(template_path, keypath)| + storage_cli_templates.each do |(template_path, keypath)| describe template_path do let(:template) { job.template(template_path) } @@ -245,7 +247,7 @@ def props_for_provider(provider) describe 'when provider is aliyun' do let(:props) { props_for_provider('aliyun') } - TEMPLATES.each_value do |(template_path, keypath)| + storage_cli_templates.each do |(template_path, keypath)| describe template_path do let(:template) { job.template(template_path) } @@ -283,14 +285,14 @@ def expected_directory_key(template_path) end end - TEMPLATES.each_value do |(template_path, keypath)| + storage_cli_templates.each do |(template_path, keypath)| describe template_path do let(:template) { job.template(template_path) } let(:directory_key) { expected_directory_key(template_path) } it 'maps required properties into the rendered config' do set(props, keypath, { - 'provider' => 'dav', + 'provider' => 'webdav', 'username' => 'user', 'password' => 'secret', 'private_endpoint' => 'https://webdav.internal', @@ -309,7 +311,7 @@ def expected_directory_key(template_path) it 'includes public_endpoint when provided' do set(props, keypath, { - 'provider' => 'dav', + 'provider' => 'webdav', 'username' => 'user', 'password' => 'secret', 'private_endpoint' => 'https://webdav.internal', 
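Review bot: The WebDAV examples in the `-283,14` hunk now set `'provider' => 'webdav'`, so in the visible hunks no example renders the native `dav` name any more, although the templates accept both and mark `webdav` as the legacy name scheduled for removal. Run the examples for both names, e.g. wrap them in `%w[dav webdav].each do |dav_provider|` and pass `'provider' => dav_provider`, so the surviving code path stays covered once the legacy branch is deleted. The same substitution is made in the following hunks (`-309,7`, `-329,7`, `-355,7`), and the enclosing `describe` starts outside these hunks.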
@@ -329,7 +331,7 @@ def expected_directory_key(template_path) it 'includes optional properties when provided' do set(props, keypath, { - 'provider' => 'dav', + 'provider' => 'webdav', 'username' => 'user', 'password' => 'secret', 'private_endpoint' => 'https://webdav.internal', @@ -355,7 +357,7 @@ def expected_directory_key(template_path) it 'omits public_endpoint when empty' do set(props, keypath, { - 'provider' => 'dav', + 'provider' => 'webdav', 'username' => 'user', 'password' => 'secret', 'private_endpoint' => 'https://webdav.internal', From 1b842c1e3cb267378971798a69b95318c304367f Mon Sep 17 00:00:00 2001 
From: Katharina Przybill <30441792+kathap@users.noreply.github.com> Date: Fri, 5 Jun 2026 15:21:03 +0200 Subject: [PATCH 7/8] remove signed_url_format from DAV storage-cli config templates and specs --- config/blobs.yml | 23 +- .../templates/blobstore.conf-correct.erb | 273 ++++++++++++++++++ .../storage_cli_config_buildpacks.json.erb | 3 - .../storage_cli_config_droplets.json.erb | 3 - .../storage_cli_config_packages.json.erb | 3 - .../storage_cli_config_resource_pool.json.erb | 3 - .../storage_cli_config_buildpacks.json.erb | 3 - .../storage_cli_config_droplets.json.erb | 3 - .../storage_cli_config_packages.json.erb | 3 - .../storage_cli_config_resource_pool.json.erb | 3 - .../storage_cli_config_buildpacks.json.erb | 3 - .../storage_cli_config_droplets.json.erb | 3 - .../storage_cli_config_packages.json.erb | 3 - .../storage_cli_config_resource_pool.json.erb | 3 - .../storage_cli_config_buildpacks.json.erb | 3 - .../storage_cli_config_droplets.json.erb | 15 +- .../storage_cli_config_packages.json.erb | 3 - .../storage_cli_config_resource_pool.json.erb | 3 - .../storage_cli_config_buildpacks.json.erb | 3 - .../storage_cli_config_droplets.json.erb | 3 - .../storage_cli_config_packages.json.erb | 3 - .../storage_cli_config_resource_pool.json.erb | 3 - packages/storage-cli/packaging | 2 +- packages/storage-cli/spec | 2 +- .../storage_cli_config_jsons_spec.rb | 2 - .../storage_cli_config_jsons_spec.rb | 2 - .../storage_cli_config_jsons_spec.rb | 2 - .../storage_cli_config_jsons_spec.rb | 2 - 28 files changed, 293 insertions(+), 87 deletions(-) create mode 100644 jobs/blobstore/templates/blobstore.conf-correct.erb diff --git a/config/blobs.yml b/config/blobs.yml index 46610a2bfd..cbd7de40e2 100644 --- a/config/blobs.yml +++ b/config/blobs.yml 
@@ -74,10 +74,10 @@ nginx/newrelic_nginx_agent-1.2.1.tar.gz: size: 5222 object_id: c63358f6-574a-4e20-9d2b-7e1450368b6d sha: sha256:a5a7f9b3a7e20302943b1dd448d9b725cf3cb28d774d79f618aab7c4ddeea52b -nginx/nginx-1.28.3.tar.gz: - size: 1284562 - object_id: 4320d61a-2a45-4211-5bc0-94363cf6cdaa - sha: sha256:2c96a946bfb0882a21744ed429770a2123ae1828c7c48665092993ddee91a918 +nginx/nginx-1.30.2.tar.gz: + size: 1325247 + object_id: f20dbcca-6e95-4b37-40d3-ce0856fbb571 + sha: sha256:7df3090907fca3cc0e456d6dc00ceb230da74ea88026ceff0affc29dbbd9ac4c nginx/nginx-dav-ext-module-3.0.0.tar.gz: size: 14558 object_id: 44648d53-c24b-45e4-4434-007713aa5fe7 @@ -86,6 +86,10 @@ nginx/nginx-upload-module-2.3.0.tar.gz: size: 40139 object_id: 2f8f59a7-8e90-4bf5-67d8-1637924ab331 sha: sha256:c86e318addb9c88d70fdbd58ff1f6ef6f404a93070f6db8017a1f880c97946c4 +nginx/ngx_http_hmac_secure_link_module-0.3.tar.gz: + size: 5452 + object_id: ede41169-975a-4873-5a9e-d2d1aac3e865 + sha: sha256:0d4a69f39b513a3427f5fb41a7503844e703395ca04517d0a55400e4a3150927 nginx/pcre-8.45.tar.gz: size: 2096552 object_id: a90f9f20-e23b-4755-59c7-101197325dab @@ -94,10 +98,13 @@ postgres/postgresql-18.1.tar.gz: size: 29294939 object_id: 808e5f9e-83b4-4b0f-46dc-3ab4d5036365 sha: sha256:b0f18c2d6973d2aa023cfc77feda787d7bbe9c31a3977d0f04ac29885fb98ec4 -storage-cli/storage-cli-0.0.6-linux-amd64: - size: 59824141 - object_id: dbe5fe41-3296-4a33-53b0-897774ff69ea - sha: sha256:4018cc72489359eefab01b6cc53ce82c0067f27b99aaf3a5fc5b6bbe9342a9e7 +storage-cli/storage-cli-0.0.7-linux-amd64: + size: 60034395 + object_id: a58ed62e-4497-46f3-6728-6c763f700438 + sha: sha256:fb686ed933f6dc4451fcde613bfd2ca529ad5e7eba44e8171f30172baa5b024c +storage-cli/storage-cli-linux-amd64: + size: 42672290 + sha: sha256:bf65e33fa72a78169e82dd3ec17a9817a3954a6635a718a94eb0b655695cfe78 valkey/7.2.13.tar.gz: size: 3446469 object_id: 8cc08c82-1212-47bb-6aaa-368eeb33acf6 
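Review bot: The new `storage-cli/storage-cli-linux-amd64` entry in the last hunk has a `size` and a `sha` but no `object_id`, unlike the other entries in these hunks, which suggests a locally added blob that was never uploaded to the release blobstore (to be confirmed). It is also unversioned and sits next to `storage-cli/storage-cli-0.0.7-linux-amd64`, so it is not clear from this file which binary the package installs or which build the second one came from. Either drop the entry or upload it under a versioned name, so the binary that ships can be traced to a tagged storage-cli release and other builders can fetch it.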
diff --git a/jobs/blobstore/templates/blobstore.conf-correct.erb b/jobs/blobstore/templates/blobstore.conf-correct.erb new file mode 100644 index 0000000000..6448eb15c2 --- /dev/null +++ b/jobs/blobstore/templates/blobstore.conf-correct.erb 
@@ -0,0 +1,273 @@ +<% +# /signed/ location pair — emitted once per server block (internal, public HTTP, public TLS). +# Split into two locations to avoid nginx's regex+alias+dav_methods collision on large PUTs: +# the verify location checks HMAC and rewrites; the internal location does the actual file I/O. +signed_location = <<~NGINX + # ensure the contents of this location block always match the other server /signed/ location blocks + location ~ ^/signed/(?.+)$ { + if ( $request_method !~ ^(GET|HEAD|PUT)$ ) { + return 405; + } + + secure_link_hmac $arg_st,$arg_ts,$arg_e; + secure_link_hmac_secret #{p('blobstore.secure_link.secret')}; + secure_link_hmac_message $request_method$blob_path$arg_ts$arg_e; + secure_link_hmac_algorithm sha256; + + if ($secure_link_hmac != "1") { + return 403; + } + + rewrite ^/signed/(.*)$ /signed-internal/$1 last; + } + + location /signed-internal/ { + internal; + + dav_methods PUT DELETE; + create_full_put_path on; + send_timeout 600s; + + alias /var/vcap/store/shared/; + } +NGINX +%> +# Default server +# + +<% unless p('temporary_disable_non_tls_endpoints') %> + +server { + listen <%= p('blobstore.port') %>; + return 404; +} +<% end %> + +server { + listen <%= p('blobstore.public_tls_port') %> ssl; + + ssl_certificate /var/vcap/jobs/blobstore/ssl/blobstore_public.crt; + ssl_certificate_key /var/vcap/jobs/blobstore/ssl/blobstore_public.key; + + ssl_ciphers DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + return 404; +} + +upstream blob_url_signer { + server unix:/var/vcap/data/blobstore/signer.sock; +} + +# Internal server +server { + listen <%= p('blobstore.tls.port') %> ssl; + server_name blobstore.service.cf.internal; + ssl_certificate /var/vcap/jobs/blobstore/ssl/blobstore.crt; + ssl_certificate_key /var/vcap/jobs/blobstore/ssl/blobstore.key; + + ssl_ciphers 
DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + + root /var/vcap/store/shared/; + + <%= p('blobstore.internal_access_rules').join("\n ") %> + deny all; + + access_log /var/vcap/sys/log/blobstore/internal_access.log; + error_log /var/vcap/sys/log/blobstore/internal_error.log; + + client_max_body_size <%= p('blobstore.max_upload_size') %>; + + location /admin/ { + auth_basic "Blobstore Admin"; + auth_basic_user_file write_users; + + dav_methods DELETE PUT COPY; + dav_ext_methods PROPFIND; + + create_full_put_path on; + + alias /var/vcap/store/shared/; + } + + location /sign { + auth_basic "Blobstore Signing"; + auth_basic_user_file write_users; + + proxy_pass http://blob_url_signer; + } + +<%= signed_location %> + + # ensure the contents of this location block always match the public server /read/ location block + location /read/ { + if ( $request_method !~ ^(GET|HEAD)$ ) { + return 405; + } + + secure_link $arg_md5,$arg_expires; + secure_link_md5 "$secure_link_expires$uri <%= p('blobstore.secure_link.secret') %>"; + + if ($secure_link = "") { + return 403; + } + + if ($secure_link = "0") { + return 410; + } + + alias /var/vcap/store/shared/; + } + + # ensure the contents of this location block always match the public server /write/ location block + location /write/ { + dav_methods PUT; + create_full_put_path on; + + if ( $request_method !~ ^(PUT)$ ) { + return 405; + } + + secure_link $arg_md5,$arg_expires; + secure_link_md5 "$secure_link_expires$uri <%= p('blobstore.secure_link.secret') %>"; + + if ($secure_link = "") { + return 403; + } + + if ($secure_link = "0") { + return 410; + } + + alias /var/vcap/store/shared/; + } +} + +# Public server +# + +<% unless p('temporary_disable_non_tls_endpoints') %> +server { + server_name blobstore.<%= p('system_domain') %>; + + listen <%= p('blobstore.port') %>; + + 
root /var/vcap/store/shared/; + + access_log /var/vcap/sys/log/blobstore/public_access.log; + error_log /var/vcap/sys/log/blobstore/public_error.log; + +<%= signed_location %> + + # ensure the contents of this location block always match the internal server /read/ location block + location /read/ { + if ( $request_method !~ ^(GET|HEAD)$ ) { + return 405; + } + + secure_link $arg_md5,$arg_expires; + secure_link_md5 "$secure_link_expires$uri <%= p('blobstore.secure_link.secret') %>"; + + if ($secure_link = "") { + return 403; + } + + if ($secure_link = "0") { + return 410; + } + + alias /var/vcap/store/shared/; + } + + # ensure the contents of this location block always match the internal server /write/ location block + location /write/ { + dav_methods PUT; + create_full_put_path on; + + if ( $request_method !~ ^(PUT)$ ) { + return 405; + } + + secure_link $arg_md5,$arg_expires; + secure_link_md5 "$secure_link_expires$uri <%= p('blobstore.secure_link.secret') %>"; + + if ($secure_link = "") { + return 403; + } + + if ($secure_link = "0") { + return 410; + } + + alias /var/vcap/store/shared/; + } +} + +<% end %> + +server { + listen <%= p('blobstore.public_tls_port') %> ssl; + server_name blobstore.<%= p('system_domain') %>; + + ssl_certificate /var/vcap/jobs/blobstore/ssl/blobstore_public.crt; + ssl_certificate_key /var/vcap/jobs/blobstore/ssl/blobstore_public.key; + + ssl_ciphers DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + + root /var/vcap/store/shared/; + + access_log /var/vcap/sys/log/blobstore/public_access.log; + error_log /var/vcap/sys/log/blobstore/public_error.log; + +<%= signed_location %> + + # ensure the contents of this location block always match the internal server /read/ location block + location /read/ { + if ( $request_method !~ ^(GET|HEAD)$ ) { + return 405; + } + + secure_link 
$arg_md5,$arg_expires; + secure_link_md5 "$secure_link_expires$uri <%= p('blobstore.secure_link.secret') %>"; + + if ($secure_link = "") { + return 403; + } + + if ($secure_link = "0") { + return 410; + } + + alias /var/vcap/store/shared/; + } + + # ensure the contents of this location block always match the internal server /write/ location block + location /write/ { + dav_methods PUT; + create_full_put_path on; + + if ( $request_method !~ ^(PUT)$ ) { + return 405; + } + + secure_link $arg_md5,$arg_expires; + secure_link_md5 "$secure_link_expires$uri <%= p('blobstore.secure_link.secret') %>"; + + if ($secure_link = "") { + return 403; + } + + if ($secure_link = "0") { + return 410; + } + + alias /var/vcap/store/shared/; + } +} diff --git a/jobs/blobstore_benchmark/templates/storage_cli_config_buildpacks.json.erb b/jobs/blobstore_benchmark/templates/storage_cli_config_buildpacks.json.erb index 8317e6d134..fd90cc6b22 100644 --- a/jobs/blobstore_benchmark/templates/storage_cli_config_buildpacks.json.erb +++ b/jobs/blobstore_benchmark/templates/storage_cli_config_buildpacks.json.erb @@ -98,7 +98,6 @@ if provider == "webdav" || provider == "dav" options["user"] = l.p("#{scope}.username") options["password"] = l.p("#{scope}.password") - # Resource-specific directory for compatibility with fog/webdav resource_dir = l.p("cc.buildpacks.buildpack_directory_key", "cc-buildpacks") private_base = l.p("#{scope}.private_endpoint") @@ -106,10 +105,8 @@ if provider == "webdav" || provider == "dav" add_optional(options, "public_endpoint", l.p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", l.p("#{scope}.secret", nil)) - add_optional(options, "signed_url_format", l.p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) - # TLS nested object with a Cert inside ca_cert=l.p("#{scope}.ca_cert",nil) unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} 
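Review bot: In the `signed_location` heredoc, `secure_link_hmac_message $request_method$blob_path$arg_ts$arg_e;` joins the signed fields with no separator, so different (path, ts, e) combinations can serialize to the same message and a signature is not bound to exactly one blob path and expiry. Delimit the fields, e.g. `secure_link_hmac_message "$request_method|$blob_path|$arg_ts|$arg_e";`, and make the matching change in whatever produces the signature (not visible in this diff) so both sides agree. `/signed-internal/` also enables `dav_methods PUT DELETE;` although the verifying location only admits GET, HEAD and PUT, so `DELETE` can be dropped to keep the location at the least it needs. Separately, the file name `blobstore.conf-correct.erb` and the commit subject suggest this template may have been committed unintentionally; confirm it is referenced by the job spec before it ships.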
diff --git a/jobs/blobstore_benchmark/templates/storage_cli_config_droplets.json.erb b/jobs/blobstore_benchmark/templates/storage_cli_config_droplets.json.erb index 61cb14b3ed..068a8f7560 100644 --- a/jobs/blobstore_benchmark/templates/storage_cli_config_droplets.json.erb +++ b/jobs/blobstore_benchmark/templates/storage_cli_config_droplets.json.erb @@ -98,7 +98,6 @@ if provider == "webdav" || provider == "dav" options["user"] = l.p("#{scope}.username") options["password"] = l.p("#{scope}.password") - # Resource-specific directory for compatibility with fog/webdav resource_dir = l.p("cc.droplets.droplet_directory_key", "cc-droplets") private_base = l.p("#{scope}.private_endpoint") @@ -106,10 +105,8 @@ if provider == "webdav" || provider == "dav" add_optional(options, "public_endpoint", l.p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", l.p("#{scope}.secret", nil)) - add_optional(options, "signed_url_format", l.p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) - # TLS nested object with a Cert inside ca_cert=l.p("#{scope}.ca_cert",nil) unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} diff --git a/jobs/blobstore_benchmark/templates/storage_cli_config_packages.json.erb b/jobs/blobstore_benchmark/templates/storage_cli_config_packages.json.erb index 65ae733f99..912e28d1bc 100644 --- a/jobs/blobstore_benchmark/templates/storage_cli_config_packages.json.erb +++ b/jobs/blobstore_benchmark/templates/storage_cli_config_packages.json.erb @@ -98,7 +98,6 @@ if provider == "webdav" || provider == "dav" options["user"] = l.p("#{scope}.username") options["password"] = l.p("#{scope}.password") - # Resource-specific directory for compatibility with fog/webdav resource_dir = l.p("cc.packages.app_package_directory_key", "cc-packages") private_base = l.p("#{scope}.private_endpoint") 
@@ -106,10 +105,8 @@ if provider == "webdav" || provider == "dav" add_optional(options, "public_endpoint", l.p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", l.p("#{scope}.secret", nil)) - add_optional(options, "signed_url_format", l.p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) - # TLS nested object with a Cert inside ca_cert=l.p("#{scope}.ca_cert",nil) unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} diff --git a/jobs/blobstore_benchmark/templates/storage_cli_config_resource_pool.json.erb b/jobs/blobstore_benchmark/templates/storage_cli_config_resource_pool.json.erb index 573cf18262..10d05eb637 100644 --- a/jobs/blobstore_benchmark/templates/storage_cli_config_resource_pool.json.erb +++ b/jobs/blobstore_benchmark/templates/storage_cli_config_resource_pool.json.erb @@ -98,7 +98,6 @@ if provider == "webdav" || provider == "dav" options["user"] = l.p("#{scope}.username") options["password"] = l.p("#{scope}.password") - # Resource-specific directory for compatibility with fog/webdav resource_dir = l.p("cc.resource_pool.resource_directory_key", "cc-resources") private_base = l.p("#{scope}.private_endpoint") @@ -106,10 +105,8 @@ if provider == "webdav" || provider == "dav" add_optional(options, "public_endpoint", l.p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", l.p("#{scope}.secret", nil)) - add_optional(options, "signed_url_format", l.p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) - # TLS nested object with a Cert inside ca_cert=l.p("#{scope}.ca_cert",nil) unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} diff --git a/jobs/cc_deployment_updater/templates/storage_cli_config_buildpacks.json.erb b/jobs/cc_deployment_updater/templates/storage_cli_config_buildpacks.json.erb index d3361af8e9..f90fad6488 100644 
--- a/jobs/cc_deployment_updater/templates/storage_cli_config_buildpacks.json.erb +++ b/jobs/cc_deployment_updater/templates/storage_cli_config_buildpacks.json.erb @@ -98,7 +98,6 @@ if provider == "webdav" || provider == "dav" options["user"] = l.p("#{scope}.username") options["password"] = l.p("#{scope}.password") - # Resource-specific directory for compatibility with fog/webdav resource_dir = l.p("cc.buildpacks.buildpack_directory_key", "cc-buildpacks") private_base = l.p("#{scope}.private_endpoint") @@ -106,10 +105,8 @@ if provider == "webdav" || provider == "dav" add_optional(options, "public_endpoint", l.p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", l.p("#{scope}.secret", nil)) - add_optional(options, "signed_url_format", l.p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) - # TLS nested object with a Cert inside ca_cert=l.p("#{scope}.ca_cert",nil) unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} diff --git a/jobs/cc_deployment_updater/templates/storage_cli_config_droplets.json.erb b/jobs/cc_deployment_updater/templates/storage_cli_config_droplets.json.erb index 26a5a84996..bd97781727 100644 --- a/jobs/cc_deployment_updater/templates/storage_cli_config_droplets.json.erb +++ b/jobs/cc_deployment_updater/templates/storage_cli_config_droplets.json.erb @@ -98,7 +98,6 @@ if provider == "webdav" || provider == "dav" options["user"] = l.p("#{scope}.username") options["password"] = l.p("#{scope}.password") - # Resource-specific directory for compatibility with fog/webdav resource_dir = l.p("cc.droplets.droplet_directory_key", "cc-droplets") private_base = l.p("#{scope}.private_endpoint") 
@@ -106,10 +105,8 @@ if provider == "webdav" || provider == "dav" add_optional(options, "public_endpoint", l.p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", l.p("#{scope}.secret", nil)) - add_optional(options, "signed_url_format", l.p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) - # TLS nested object with a Cert inside ca_cert=l.p("#{scope}.ca_cert",nil) unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} diff --git a/jobs/cc_deployment_updater/templates/storage_cli_config_packages.json.erb b/jobs/cc_deployment_updater/templates/storage_cli_config_packages.json.erb index 65ae733f99..912e28d1bc 100644 --- a/jobs/cc_deployment_updater/templates/storage_cli_config_packages.json.erb +++ b/jobs/cc_deployment_updater/templates/storage_cli_config_packages.json.erb @@ -98,7 +98,6 @@ if provider == "webdav" || provider == "dav" options["user"] = l.p("#{scope}.username") options["password"] = l.p("#{scope}.password") - # Resource-specific directory for compatibility with fog/webdav resource_dir = l.p("cc.packages.app_package_directory_key", "cc-packages") private_base = l.p("#{scope}.private_endpoint") @@ -106,10 +105,8 @@ if provider == "webdav" || provider == "dav" add_optional(options, "public_endpoint", l.p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", l.p("#{scope}.secret", nil)) - add_optional(options, "signed_url_format", l.p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) - # TLS nested object with a Cert inside ca_cert=l.p("#{scope}.ca_cert",nil) unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} diff --git a/jobs/cc_deployment_updater/templates/storage_cli_config_resource_pool.json.erb b/jobs/cc_deployment_updater/templates/storage_cli_config_resource_pool.json.erb index 81ede9da33..c5cb694132 100644 
--- a/jobs/cc_deployment_updater/templates/storage_cli_config_resource_pool.json.erb +++ b/jobs/cc_deployment_updater/templates/storage_cli_config_resource_pool.json.erb @@ -98,7 +98,6 @@ if provider == "webdav" || provider == "dav" options["user"] = l.p("#{scope}.username") options["password"] = l.p("#{scope}.password") - # Resource-specific directory for compatibility with fog/webdav resource_dir = l.p("cc.resource_pool.resource_directory_key", "cc-resources") private_base = l.p("#{scope}.private_endpoint") @@ -106,10 +105,8 @@ if provider == "webdav" || provider == "dav" add_optional(options, "public_endpoint", l.p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", l.p("#{scope}.secret", nil)) - add_optional(options, "signed_url_format", l.p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", l.p("#{scope}.retry_attempts", nil)) - # TLS nested object with a Cert inside ca_cert=l.p("#{scope}.ca_cert",nil) unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} diff --git a/jobs/cloud_controller_clock/templates/storage_cli_config_buildpacks.json.erb b/jobs/cloud_controller_clock/templates/storage_cli_config_buildpacks.json.erb index 52eb1d04d4..f3518a43f6 100644 --- a/jobs/cloud_controller_clock/templates/storage_cli_config_buildpacks.json.erb +++ b/jobs/cloud_controller_clock/templates/storage_cli_config_buildpacks.json.erb @@ -96,7 +96,6 @@ if provider == "webdav" || provider == "dav" options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - # Resource-specific directory for compatibility with fog/webdav resource_dir = p("cc.buildpacks.buildpack_directory_key", "cc-buildpacks") private_base = p("#{scope}.private_endpoint") 
@@ -104,10 +103,8 @@ if provider == "webdav" || provider == "dav" add_optional(options, "public_endpoint", p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", p("#{scope}.secret", nil)) - add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) - # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} diff --git a/jobs/cloud_controller_clock/templates/storage_cli_config_droplets.json.erb b/jobs/cloud_controller_clock/templates/storage_cli_config_droplets.json.erb index 89002191a8..c7219ce1e3 100644 --- a/jobs/cloud_controller_clock/templates/storage_cli_config_droplets.json.erb +++ b/jobs/cloud_controller_clock/templates/storage_cli_config_droplets.json.erb @@ -96,7 +96,6 @@ if provider == "webdav" || provider == "dav" options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - # Resource-specific directory for compatibility with fog/webdav resource_dir = p("cc.droplets.droplet_directory_key", "cc-droplets") private_base = p("#{scope}.private_endpoint") @@ -104,10 +103,8 @@ if provider == "webdav" || provider == "dav" add_optional(options, "public_endpoint", p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", p("#{scope}.secret", nil)) - add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) - # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} diff --git a/jobs/cloud_controller_clock/templates/storage_cli_config_packages.json.erb b/jobs/cloud_controller_clock/templates/storage_cli_config_packages.json.erb index 6e391a6061..59557ba97e 100644 
--- a/jobs/cloud_controller_clock/templates/storage_cli_config_packages.json.erb +++ b/jobs/cloud_controller_clock/templates/storage_cli_config_packages.json.erb @@ -96,7 +96,6 @@ if provider == "webdav" || provider == "dav" options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - # Resource-specific directory for compatibility with fog/webdav resource_dir = p("cc.packages.app_package_directory_key", "cc-packages") private_base = p("#{scope}.private_endpoint") @@ -104,10 +103,8 @@ if provider == "webdav" || provider == "dav" add_optional(options, "public_endpoint", p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", p("#{scope}.secret", nil)) - add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) - # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} diff --git a/jobs/cloud_controller_clock/templates/storage_cli_config_resource_pool.json.erb b/jobs/cloud_controller_clock/templates/storage_cli_config_resource_pool.json.erb index 36401322e7..c7636f75ca 100644 --- a/jobs/cloud_controller_clock/templates/storage_cli_config_resource_pool.json.erb +++ b/jobs/cloud_controller_clock/templates/storage_cli_config_resource_pool.json.erb @@ -96,7 +96,6 @@ if provider == "webdav" || provider == "dav" options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - # Resource-specific directory for compatibility with fog/webdav resource_dir = p("cc.resource_pool.resource_directory_key", "cc-resources") private_base = p("#{scope}.private_endpoint") 
@@ -104,10 +103,8 @@ if provider == "webdav" || provider == "dav" add_optional(options, "public_endpoint", p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", p("#{scope}.secret", nil)) - add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) - # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} diff --git a/jobs/cloud_controller_ng/templates/storage_cli_config_buildpacks.json.erb b/jobs/cloud_controller_ng/templates/storage_cli_config_buildpacks.json.erb index 52eb1d04d4..f3518a43f6 100644 --- a/jobs/cloud_controller_ng/templates/storage_cli_config_buildpacks.json.erb +++ b/jobs/cloud_controller_ng/templates/storage_cli_config_buildpacks.json.erb @@ -96,7 +96,6 @@ if provider == "webdav" || provider == "dav" options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - # Resource-specific directory for compatibility with fog/webdav resource_dir = p("cc.buildpacks.buildpack_directory_key", "cc-buildpacks") private_base = p("#{scope}.private_endpoint") @@ -104,10 +103,8 @@ if provider == "webdav" || provider == "dav" add_optional(options, "public_endpoint", p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", p("#{scope}.secret", nil)) - add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) - # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} diff --git a/jobs/cloud_controller_ng/templates/storage_cli_config_droplets.json.erb b/jobs/cloud_controller_ng/templates/storage_cli_config_droplets.json.erb index bde13bdb34..c7219ce1e3 100644 --- a/jobs/cloud_controller_ng/templates/storage_cli_config_droplets.json.erb 
+++ b/jobs/cloud_controller_ng/templates/storage_cli_config_droplets.json.erb @@ -21,11 +21,6 @@ end scope = "cc.droplets.connection_config" provider = p("cc.droplets.blobstore_provider", nil) - -# Normalize legacy fog provider names to storage-cli names -# Legacy fog name support to be REMOVED May 2026 -provider = "dav" if provider == "webdav" - options = {} # Support both native storage-cli types (azurebs) AND legacy fog names (AzureRM) @@ -94,26 +89,22 @@ if provider == "aliyun" || provider == "alioss" options["bucket_name"] = p("#{scope}.aliyun_oss_bucket") end -if provider == "dav" +# Support both native storage-cli types (dav) AND legacy fog names (webdav) +# Legacy fog name support to be REMOVED May 2026 +if provider == "webdav" || provider == "dav" options["provider"] = "dav" options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - # Resource-specific directory for compatibility with fog/webdav resource_dir = p("cc.droplets.droplet_directory_key", "cc-droplets") - # Private endpoint includes /admin/ for Basic Auth operations (PUT, GET, DELETE, COPY, etc) private_base = p("#{scope}.private_endpoint") options["endpoint"] = "#{private_base}/admin/#{resource_dir}" - # Public endpoint (optional) for user-facing signed URLs (API downloads via gorouter) add_optional(options, "public_endpoint", p("#{scope}.public_endpoint", nil)) - add_optional(options, "secret", p("#{scope}.secret", nil)) - add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) - # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} diff --git a/jobs/cloud_controller_ng/templates/storage_cli_config_packages.json.erb b/jobs/cloud_controller_ng/templates/storage_cli_config_packages.json.erb index 6e391a6061..59557ba97e 100644 
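Review bot: The comments removed around `options["endpoint"] = "#{private_base}/admin/#{resource_dir}"` stated that the Basic Auth `user`/`password` go with the private `/admin/` endpoint while `public_endpoint` is for user-facing signed URLs, and that distinction is worth keeping next to the code that builds the URL. Suggest retaining `# Private endpoint includes /admin/ for Basic Auth operations` above the `private_base` line and `# Public endpoint (optional) for user-facing signed URLs` above the `public_endpoint` line. The added `# Legacy fog name support to be REMOVED May 2026` also carries a date earlier than this commit's own (5 Jun 2026), so the deadline should be updated or the `webdav` branch removed.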
--- a/jobs/cloud_controller_ng/templates/storage_cli_config_packages.json.erb +++ b/jobs/cloud_controller_ng/templates/storage_cli_config_packages.json.erb @@ -96,7 +96,6 @@ if provider == "webdav" || provider == "dav" options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - # Resource-specific directory for compatibility with fog/webdav resource_dir = p("cc.packages.app_package_directory_key", "cc-packages") private_base = p("#{scope}.private_endpoint") @@ -104,10 +103,8 @@ if provider == "webdav" || provider == "dav" add_optional(options, "public_endpoint", p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", p("#{scope}.secret", nil)) - add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) - # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} diff --git a/jobs/cloud_controller_ng/templates/storage_cli_config_resource_pool.json.erb b/jobs/cloud_controller_ng/templates/storage_cli_config_resource_pool.json.erb index 36401322e7..c7636f75ca 100644 --- a/jobs/cloud_controller_ng/templates/storage_cli_config_resource_pool.json.erb +++ b/jobs/cloud_controller_ng/templates/storage_cli_config_resource_pool.json.erb @@ -96,7 +96,6 @@ if provider == "webdav" || provider == "dav" options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - # Resource-specific directory for compatibility with fog/webdav resource_dir = p("cc.resource_pool.resource_directory_key", "cc-resources") private_base = p("#{scope}.private_endpoint") 
@@ -104,10 +103,8 @@ if provider == "webdav" || provider == "dav" add_optional(options, "public_endpoint", p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", p("#{scope}.secret", nil)) - add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) - # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} diff --git a/jobs/cloud_controller_worker/templates/storage_cli_config_buildpacks.json.erb b/jobs/cloud_controller_worker/templates/storage_cli_config_buildpacks.json.erb index 52eb1d04d4..f3518a43f6 100644 --- a/jobs/cloud_controller_worker/templates/storage_cli_config_buildpacks.json.erb +++ b/jobs/cloud_controller_worker/templates/storage_cli_config_buildpacks.json.erb @@ -96,7 +96,6 @@ if provider == "webdav" || provider == "dav" options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - # Resource-specific directory for compatibility with fog/webdav resource_dir = p("cc.buildpacks.buildpack_directory_key", "cc-buildpacks") private_base = p("#{scope}.private_endpoint") @@ -104,10 +103,8 @@ if provider == "webdav" || provider == "dav" add_optional(options, "public_endpoint", p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", p("#{scope}.secret", nil)) - add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) - # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} diff --git a/jobs/cloud_controller_worker/templates/storage_cli_config_droplets.json.erb b/jobs/cloud_controller_worker/templates/storage_cli_config_droplets.json.erb index 89002191a8..c7219ce1e3 100644 
--- a/jobs/cloud_controller_worker/templates/storage_cli_config_droplets.json.erb +++ b/jobs/cloud_controller_worker/templates/storage_cli_config_droplets.json.erb @@ -96,7 +96,6 @@ if provider == "webdav" || provider == "dav" options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - # Resource-specific directory for compatibility with fog/webdav resource_dir = p("cc.droplets.droplet_directory_key", "cc-droplets") private_base = p("#{scope}.private_endpoint") @@ -104,10 +103,8 @@ if provider == "webdav" || provider == "dav" add_optional(options, "public_endpoint", p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", p("#{scope}.secret", nil)) - add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) - # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} diff --git a/jobs/cloud_controller_worker/templates/storage_cli_config_packages.json.erb b/jobs/cloud_controller_worker/templates/storage_cli_config_packages.json.erb index c31a33b6a0..e277b5f974 100644 --- a/jobs/cloud_controller_worker/templates/storage_cli_config_packages.json.erb +++ b/jobs/cloud_controller_worker/templates/storage_cli_config_packages.json.erb @@ -96,7 +96,6 @@ if provider == "webdav" || provider == "dav" options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - # Resource-specific directory for compatibility with fog/webdav resource_dir = p("cc.packages.app_package_directory_key", "cc-packages") private_base = p("#{scope}.private_endpoint") 
@@ -104,10 +103,8 @@ if provider == "webdav" || provider == "dav" add_optional(options, "public_endpoint", p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", p("#{scope}.secret", nil)) - add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) - # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} diff --git a/jobs/cloud_controller_worker/templates/storage_cli_config_resource_pool.json.erb b/jobs/cloud_controller_worker/templates/storage_cli_config_resource_pool.json.erb index b3e65773a5..428d319605 100644 --- a/jobs/cloud_controller_worker/templates/storage_cli_config_resource_pool.json.erb +++ b/jobs/cloud_controller_worker/templates/storage_cli_config_resource_pool.json.erb @@ -96,7 +96,6 @@ if provider == "webdav" || provider == "dav" options["user"] = p("#{scope}.username") options["password"] = p("#{scope}.password") - # Resource-specific directory for compatibility with fog/webdav resource_dir = p("cc.resource_pool.resource_directory_key", "cc-resources") private_base = p("#{scope}.private_endpoint") @@ -104,10 +103,8 @@ if provider == "webdav" || provider == "dav" add_optional(options, "public_endpoint", p("#{scope}.public_endpoint", nil)) add_optional(options, "secret", p("#{scope}.secret", nil)) - add_optional(options, "signed_url_format", p("#{scope}.signed_url_format", nil)) add_optional(options, "retry_attempts", p("#{scope}.retry_attempts", nil)) - # TLS nested object with a Cert inside ca_cert=p("#{scope}.ca_cert",nil) unless ca_cert.nil? || ca_cert.empty? options["tls"]={"cert"=>{"ca"=>ca_cert}} diff --git a/packages/storage-cli/packaging b/packages/storage-cli/packaging index 07ceba7cf6..671774fb44 100644 --- a/packages/storage-cli/packaging +++ b/packages/storage-cli/packaging 
@@ -2,5 +2,5 @@ set -e storage_cli_version="0.0.6" mkdir -p ${BOSH_INSTALL_TARGET}/bin -mv storage-cli/storage-cli-${storage_cli_version}-linux-amd64 ${BOSH_INSTALL_TARGET}/bin/storage-cli +mv storage-cli/storage-cli-linux-amd64 ${BOSH_INSTALL_TARGET}/bin/storage-cli chmod +x ${BOSH_INSTALL_TARGET}/bin/storage-cli diff --git a/packages/storage-cli/spec b/packages/storage-cli/spec index 490050af74..a22d17aa01 100644 --- a/packages/storage-cli/spec +++ b/packages/storage-cli/spec @@ -1,4 +1,4 @@ --- name: storage-cli files: - - storage-cli/storage-cli-0.0.6-linux-amd64 \ No newline at end of file + - storage-cli/storage-cli-linux-amd64 \ No newline at end of file diff --git a/spec/cc_deployment_updater/storage_cli_config_jsons_spec.rb b/spec/cc_deployment_updater/storage_cli_config_jsons_spec.rb index 8ba6c47ce2..13141aea53 100644 --- a/spec/cc_deployment_updater/storage_cli_config_jsons_spec.rb +++ b/spec/cc_deployment_updater/storage_cli_config_jsons_spec.rb @@ -385,7 +385,6 @@ def expected_directory_key(template_path) 'public_endpoint' => 'https://webdav.example.com', 'ca_cert' => 'some_cert', 'secret' => 'my-secret', - 'signed_url_format' => 'external-nginx-secure-link-signer', 'retry_attempts' => '4' }) json = YAML.safe_load(template.render(props, consumes: links)) @@ -397,7 +396,6 @@ def expected_directory_key(template_path) 'public_endpoint' => 'https://webdav.example.com', 'tls' => { 'cert' => { 'ca' => 'some_cert' } }, 'secret' => 'my-secret', - 'signed_url_format' => 'external-nginx-secure-link-signer', 'retry_attempts' => '4' ) end diff --git a/spec/cloud_controller_clock/storage_cli_config_jsons_spec.rb b/spec/cloud_controller_clock/storage_cli_config_jsons_spec.rb index a8b71761bb..2a9599f3d8 100644 --- a/spec/cloud_controller_clock/storage_cli_config_jsons_spec.rb +++ b/spec/cloud_controller_clock/storage_cli_config_jsons_spec.rb 
@@ -338,7 +338,6 @@ def expected_directory_key(template_path) 'public_endpoint' => 'https://webdav.example.com', 'ca_cert' => 'some_cert', 'secret' => 'my-secret', - 'signed_url_format' => 'external-nginx-secure-link-signer', 'retry_attempts' => '4' }) json = YAML.safe_load(template.render(props, consumes: links)) @@ -350,7 +349,6 @@ def expected_directory_key(template_path) 'public_endpoint' => 'https://webdav.example.com', 'tls' => { 'cert' => { 'ca' => 'some_cert' } }, 'secret' => 'my-secret', - 'signed_url_format' => 'external-nginx-secure-link-signer', 'retry_attempts' => '4' ) end diff --git a/spec/cloud_controller_ng/storage_cli_config_jsons_spec.rb b/spec/cloud_controller_ng/storage_cli_config_jsons_spec.rb index 34170a6878..43d8156b62 100644 --- a/spec/cloud_controller_ng/storage_cli_config_jsons_spec.rb +++ b/spec/cloud_controller_ng/storage_cli_config_jsons_spec.rb @@ -338,7 +338,6 @@ def expected_directory_key(template_path) 'public_endpoint' => 'https://webdav.example.com', 'ca_cert' => 'some_cert', 'secret' => 'my-secret', - 'signed_url_format' => 'external-nginx-secure-link-signer', 'retry_attempts' => '4' }) json = YAML.safe_load(template.render(props, consumes: links)) @@ -350,7 +349,6 @@ def expected_directory_key(template_path) 'public_endpoint' => 'https://webdav.example.com', 'tls' => { 'cert' => { 'ca' => 'some_cert' } }, 'secret' => 'my-secret', - 'signed_url_format' => 'external-nginx-secure-link-signer', 'retry_attempts' => '4' ) end diff --git a/spec/cloud_controller_worker/storage_cli_config_jsons_spec.rb b/spec/cloud_controller_worker/storage_cli_config_jsons_spec.rb index 41f36ee898..c16aec7094 100644 --- a/spec/cloud_controller_worker/storage_cli_config_jsons_spec.rb +++ b/spec/cloud_controller_worker/storage_cli_config_jsons_spec.rb 
@@ -338,7 +338,6 @@ def expected_directory_key(template_path) 'public_endpoint' => 'https://webdav.example.com', 'ca_cert' => 'some_cert', 'secret' => 'my-secret', - 'signed_url_format' => 'external-nginx-secure-link-signer', 'retry_attempts' => '4' }) json = YAML.safe_load(template.render(props, consumes: links)) @@ -350,7 +349,6 @@ def expected_directory_key(template_path) 'public_endpoint' => 'https://webdav.example.com', 'tls' => { 'cert' => { 'ca' => 'some_cert' } }, 'secret' => 'my-secret', - 'signed_url_format' => 'external-nginx-secure-link-signer', 'retry_attempts' => '4' ) end From 350052d9dc8cacdeb3a45403ff7b24162427b5b8 Mon Sep 17 00:00:00 2001 From: Katharina Przybill <30441792+kathap@users.noreply.github.com> Date: Fri, 5 Jun 2026 15:26:06 +0200 Subject: [PATCH 8/8] Revert blobs.yml to original state --- config/blobs.yml | 23 +- .../templates/blobstore.conf-correct.erb | 273 ------------------ packages/storage-cli/packaging | 2 +- packages/storage-cli/spec | 2 +- 4 files changed, 10 insertions(+), 290 deletions(-) delete mode 100644 jobs/blobstore/templates/blobstore.conf-correct.erb diff --git a/config/blobs.yml b/config/blobs.yml index cbd7de40e2..46610a2bfd 100644 --- a/config/blobs.yml +++ b/config/blobs.yml @@ -74,10 +74,10 @@ nginx/newrelic_nginx_agent-1.2.1.tar.gz: size: 5222 object_id: c63358f6-574a-4e20-9d2b-7e1450368b6d sha: sha256:a5a7f9b3a7e20302943b1dd448d9b725cf3cb28d774d79f618aab7c4ddeea52b -nginx/nginx-1.30.2.tar.gz: - size: 1325247 - object_id: f20dbcca-6e95-4b37-40d3-ce0856fbb571 - sha: sha256:7df3090907fca3cc0e456d6dc00ceb230da74ea88026ceff0affc29dbbd9ac4c +nginx/nginx-1.28.3.tar.gz: + size: 1284562 + object_id: 4320d61a-2a45-4211-5bc0-94363cf6cdaa + sha: sha256:2c96a946bfb0882a21744ed429770a2123ae1828c7c48665092993ddee91a918 nginx/nginx-dav-ext-module-3.0.0.tar.gz: size: 14558 object_id: 44648d53-c24b-45e4-4434-007713aa5fe7 
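Review bot: The `@@ -74,10 +74,10 @@` hunk in `config/blobs.yml` replaces `nginx/nginx-1.30.2.tar.gz` with `nginx/nginx-1.28.3.tar.gz`, which moves the blobstore's nginx to an older release under a commit titled as a revert. If 1.30.2 came from the base branch rather than from this series, the revert undoes that bump and any fixes it carried, so please confirm the entry matches the current base branch before merging. Stating in the commit message which revision "original state" refers to would make this checkable.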
@@ -86,10 +86,6 @@ nginx/nginx-upload-module-2.3.0.tar.gz: size: 40139 object_id: 2f8f59a7-8e90-4bf5-67d8-1637924ab331 sha: sha256:c86e318addb9c88d70fdbd58ff1f6ef6f404a93070f6db8017a1f880c97946c4 -nginx/ngx_http_hmac_secure_link_module-0.3.tar.gz: - size: 5452 - object_id: ede41169-975a-4873-5a9e-d2d1aac3e865 - sha: sha256:0d4a69f39b513a3427f5fb41a7503844e703395ca04517d0a55400e4a3150927 nginx/pcre-8.45.tar.gz: size: 2096552 object_id: a90f9f20-e23b-4755-59c7-101197325dab @@ -98,13 +94,10 @@ postgres/postgresql-18.1.tar.gz: size: 29294939 object_id: 808e5f9e-83b4-4b0f-46dc-3ab4d5036365 sha: sha256:b0f18c2d6973d2aa023cfc77feda787d7bbe9c31a3977d0f04ac29885fb98ec4 -storage-cli/storage-cli-0.0.7-linux-amd64: - size: 60034395 - object_id: a58ed62e-4497-46f3-6728-6c763f700438 - sha: sha256:fb686ed933f6dc4451fcde613bfd2ca529ad5e7eba44e8171f30172baa5b024c -storage-cli/storage-cli-linux-amd64: - size: 42672290 - sha: sha256:bf65e33fa72a78169e82dd3ec17a9817a3954a6635a718a94eb0b655695cfe78 +storage-cli/storage-cli-0.0.6-linux-amd64: + size: 59824141 + object_id: dbe5fe41-3296-4a33-53b0-897774ff69ea + sha: sha256:4018cc72489359eefab01b6cc53ce82c0067f27b99aaf3a5fc5b6bbe9342a9e7 valkey/7.2.13.tar.gz: size: 3446469 object_id: 8cc08c82-1212-47bb-6aaa-368eeb33acf6 diff --git a/jobs/blobstore/templates/blobstore.conf-correct.erb b/jobs/blobstore/templates/blobstore.conf-correct.erb deleted file mode 100644 index 6448eb15c2..0000000000 --- a/jobs/blobstore/templates/blobstore.conf-correct.erb +++ /dev/null 
@@ -1,273 +0,0 @@ -<% -# /signed/ location pair — emitted once per server block (internal, public HTTP, public TLS). -# Split into two locations to avoid nginx's regex+alias+dav_methods collision on large PUTs: -# the verify location checks HMAC and rewrites; the internal location does the actual file I/O. -signed_location = <<~NGINX - # ensure the contents of this location block always match the other server /signed/ location blocks - location ~ ^/signed/(?.+)$ { - if ( $request_method !~ ^(GET|HEAD|PUT)$ ) { - return 405; - } - - secure_link_hmac $arg_st,$arg_ts,$arg_e; - secure_link_hmac_secret #{p('blobstore.secure_link.secret')}; - secure_link_hmac_message $request_method$blob_path$arg_ts$arg_e; - secure_link_hmac_algorithm sha256; - - if ($secure_link_hmac != "1") { - return 403; - } - - rewrite ^/signed/(.*)$ /signed-internal/$1 last; - } - - location /signed-internal/ { - internal; - - dav_methods PUT DELETE; - create_full_put_path on; - send_timeout 600s; - - alias /var/vcap/store/shared/; - } -NGINX -%> -# Default server -# - -<% unless p('temporary_disable_non_tls_endpoints') %> - -server { - listen <%= p('blobstore.port') %>; - return 404; -} -<% end %> - -server { - listen <%= p('blobstore.public_tls_port') %> ssl; - - ssl_certificate /var/vcap/jobs/blobstore/ssl/blobstore_public.crt; - ssl_certificate_key /var/vcap/jobs/blobstore/ssl/blobstore_public.key; - - ssl_ciphers DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - return 404; -} - -upstream blob_url_signer { - server unix:/var/vcap/data/blobstore/signer.sock; -} - -# Internal server -server { - listen <%= p('blobstore.tls.port') %> ssl; - server_name blobstore.service.cf.internal; - ssl_certificate /var/vcap/jobs/blobstore/ssl/blobstore.crt; - ssl_certificate_key /var/vcap/jobs/blobstore/ssl/blobstore.key; - - ssl_ciphers 
DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - - root /var/vcap/store/shared/; - - <%= p('blobstore.internal_access_rules').join("\n ") %> - deny all; - - access_log /var/vcap/sys/log/blobstore/internal_access.log; - error_log /var/vcap/sys/log/blobstore/internal_error.log; - - client_max_body_size <%= p('blobstore.max_upload_size') %>; - - location /admin/ { - auth_basic "Blobstore Admin"; - auth_basic_user_file write_users; - - dav_methods DELETE PUT COPY; - dav_ext_methods PROPFIND; - - create_full_put_path on; - - alias /var/vcap/store/shared/; - } - - location /sign { - auth_basic "Blobstore Signing"; - auth_basic_user_file write_users; - - proxy_pass http://blob_url_signer; - } - -<%= signed_location %> - - # ensure the contents of this location block always match the public server /read/ location block - location /read/ { - if ( $request_method !~ ^(GET|HEAD)$ ) { - return 405; - } - - secure_link $arg_md5,$arg_expires; - secure_link_md5 "$secure_link_expires$uri <%= p('blobstore.secure_link.secret') %>"; - - if ($secure_link = "") { - return 403; - } - - if ($secure_link = "0") { - return 410; - } - - alias /var/vcap/store/shared/; - } - - # ensure the contents of this location block always match the public server /write/ location block - location /write/ { - dav_methods PUT; - create_full_put_path on; - - if ( $request_method !~ ^(PUT)$ ) { - return 405; - } - - secure_link $arg_md5,$arg_expires; - secure_link_md5 "$secure_link_expires$uri <%= p('blobstore.secure_link.secret') %>"; - - if ($secure_link = "") { - return 403; - } - - if ($secure_link = "0") { - return 410; - } - - alias /var/vcap/store/shared/; - } -} - -# Public server -# - -<% unless p('temporary_disable_non_tls_endpoints') %> -server { - server_name blobstore.<%= p('system_domain') %>; - - listen <%= p('blobstore.port') %>; - - 
root /var/vcap/store/shared/; - - access_log /var/vcap/sys/log/blobstore/public_access.log; - error_log /var/vcap/sys/log/blobstore/public_error.log; - -<%= signed_location %> - - # ensure the contents of this location block always match the internal server /read/ location block - location /read/ { - if ( $request_method !~ ^(GET|HEAD)$ ) { - return 405; - } - - secure_link $arg_md5,$arg_expires; - secure_link_md5 "$secure_link_expires$uri <%= p('blobstore.secure_link.secret') %>"; - - if ($secure_link = "") { - return 403; - } - - if ($secure_link = "0") { - return 410; - } - - alias /var/vcap/store/shared/; - } - - # ensure the contents of this location block always match the internal server /write/ location block - location /write/ { - dav_methods PUT; - create_full_put_path on; - - if ( $request_method !~ ^(PUT)$ ) { - return 405; - } - - secure_link $arg_md5,$arg_expires; - secure_link_md5 "$secure_link_expires$uri <%= p('blobstore.secure_link.secret') %>"; - - if ($secure_link = "") { - return 403; - } - - if ($secure_link = "0") { - return 410; - } - - alias /var/vcap/store/shared/; - } -} - -<% end %> - -server { - listen <%= p('blobstore.public_tls_port') %> ssl; - server_name blobstore.<%= p('system_domain') %>; - - ssl_certificate /var/vcap/jobs/blobstore/ssl/blobstore_public.crt; - ssl_certificate_key /var/vcap/jobs/blobstore/ssl/blobstore_public.key; - - ssl_ciphers DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - - root /var/vcap/store/shared/; - - access_log /var/vcap/sys/log/blobstore/public_access.log; - error_log /var/vcap/sys/log/blobstore/public_error.log; - -<%= signed_location %> - - # ensure the contents of this location block always match the internal server /read/ location block - location /read/ { - if ( $request_method !~ ^(GET|HEAD)$ ) { - return 405; - } - - secure_link 
$arg_md5,$arg_expires; - secure_link_md5 "$secure_link_expires$uri <%= p('blobstore.secure_link.secret') %>"; - - if ($secure_link = "") { - return 403; - } - - if ($secure_link = "0") { - return 410; - } - - alias /var/vcap/store/shared/; - } - - # ensure the contents of this location block always match the internal server /write/ location block - location /write/ { - dav_methods PUT; - create_full_put_path on; - - if ( $request_method !~ ^(PUT)$ ) { - return 405; - } - - secure_link $arg_md5,$arg_expires; - secure_link_md5 "$secure_link_expires$uri <%= p('blobstore.secure_link.secret') %>"; - - if ($secure_link = "") { - return 403; - } - - if ($secure_link = "0") { - return 410; - } - - alias /var/vcap/store/shared/; - } -} diff --git a/packages/storage-cli/packaging b/packages/storage-cli/packaging index 671774fb44..07ceba7cf6 100644 --- a/packages/storage-cli/packaging +++ b/packages/storage-cli/packaging @@ -2,5 +2,5 @@ set -e storage_cli_version="0.0.6" mkdir -p ${BOSH_INSTALL_TARGET}/bin -mv storage-cli/storage-cli-linux-amd64 ${BOSH_INSTALL_TARGET}/bin/storage-cli +mv storage-cli/storage-cli-${storage_cli_version}-linux-amd64 ${BOSH_INSTALL_TARGET}/bin/storage-cli chmod +x ${BOSH_INSTALL_TARGET}/bin/storage-cli diff --git a/packages/storage-cli/spec b/packages/storage-cli/spec index a22d17aa01..490050af74 100644 --- a/packages/storage-cli/spec +++ b/packages/storage-cli/spec @@ -1,4 +1,4 @@ --- name: storage-cli files: - - storage-cli/storage-cli-linux-amd64 \ No newline at end of file + - storage-cli/storage-cli-0.0.6-linux-amd64 \ No newline at end of file