Commit msg hook

.final_builds/packages/golang-1-linux/index.yml

@@ -7,4 +7,8 @@ builds:
     version: 8c04109541f4d504f5be559da433998bd459b0f45cd3654557cc3642cc4d2f60
     blobstore_id: 07b1c4f5-6c91-4ef2-583b-f0ebf2b94b27
     sha1: sha256:efdf65bca81264d9110ec764be7edea1de341781a1ffe59c219db064d71d9fc3
+  b09468ac73cd3350333a35eb09c980c6a06c5465be0e1ba430da62757dc10a04:
+    version: b09468ac73cd3350333a35eb09c980c6a06c5465be0e1ba430da62757dc10a04
+    blobstore_id: c94119af-352d-4599-6ff6-c24f3b0db5df
+    sha1: sha256:ea461525fb19ffd4c2753f98e3d740d426ed19872c4b1700413ae8100954a22a
 format-version: "2"

.hooks/README.md

@@ -0,0 +1,21 @@
+# Git Hooks
+
+Run conventional commit checks locally without any tool installation
+
+## Usage
+
+Adjust the git commit hook configuration as follows, from the root directory of pcap-release:
+
+```shell
+git config core.hooksPath .hooks
+```
+
+Please note that any hooks you had in other directories may not work.
+
+Alternatively you can also soft-link the commit-msg script:
+
+```shell
+ln -s .hooks/commit-msg .git/hooks/commit-msg
+```
+
+This invocation will fail if you have a commit-msg hook already, in order to not break existing hooks.

.hooks/commit-msg

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# use commitlint with its full config if available
+if command -v commitlint >/dev/null && commitlint -v >/dev/null; then
+  # Find base directory (script_location/..)
+  COMMITLINT_CONFIG="$(realpath "$(dirname "$0")/..")/commitlint.config.js"
+  # execute commitlint only if the commitlint config exists
+  [[ -f "$COMMITLINT_CONFIG" ]] && exec commitlint --edit "$1" --verbose --config "$COMMITLINT_CONFIG"
+fi
+
+# Configuration
+
+# list of allowed commit types, space separated
+TYPES="fix feat dep ci doc refactor test"
+# scope length
+SCOPE_LENGTH=25
+# commit subject length
+SUBJECT_LENGTH=70
+
+# Logic
+first_line=$(head -n1 "$1")
+conv_commit_msg="^(${TYPES// /|})(\(.{1,$SCOPE_LENGTH}\))?(!?): (.{1,$SUBJECT_LENGTH})\$"
+
+_print_convention() {
+  echo "ERROR: Commit message does not confirm to commit conventions."
+  echo "       ----"
+  sed 's/^/     > /' "$1"
+  echo
+  echo "Rules: type(scope)!: commit subject"
+  echo "     - type: must be one of: ${TYPES// /, }"
+  echo "     - scope: (optional) arbitrary text: "
+  echo "     - !: breaking change indicator. Body MUST contain 'breaking-change:' header (case in-sensitive)"
+}
+
+# trap will be fired when the script exits. It will exit if any of the commands, including the grep below, fail.
+trap '_print_convention "$1"' EXIT
+
+# check that the first line conforms to the convention pattern
+grep -qE "$conv_commit_msg" <<< "$first_line"
+
+# if there is a !, indicating breaking change, ensure that there is a "breaking-change:" header.
+if [[ "$(sed -nE "s/$conv_commit_msg/\3/p" <<<"$first_line")" == "!" ]]; then
+  grep -qiE "^breaking(-| )change: .+" "$1"
+fi
+
+# All rules passed. Disable _print_convention printing
+trap "" EXIT

acceptance-tests/bosh_helpers.go

@@ -99,20 +99,28 @@ var opsfileStartApache = `
         apt-get update && apt-get install apache2 -y && apache2ctl start
 `
 
+var opsfileChangeBoshDirectorCN string = `---
+# Replace bosh director cert common name with the right one
+- type: replace
+  path: /instance_groups/name=pcap-api/jobs/name=pcap-api/properties/pcap-api/bosh/tls/common_name
+  value: ((director_common_name))
+`
+
 // opsfiles that need to be set for all tests
-var defaultOpsfiles = []string{opsfileChangeName, opsfileChangeVersion, opsfileAddSSHUser, opsfileStartApache}
+var defaultOpsfiles = []string{opsfileChangeName, opsfileChangeVersion, opsfileChangeBoshDirectorCN, opsfileAddSSHUser, opsfileStartApache}
 var defaultSSHUser string = "ginkgo"
 
 // buildManifestVars returns a map of variables needed to deploy pcap.
 func buildManifestVars(baseManifestVars baseManifestVars, customVars map[string]interface{}) map[string]interface{} {
 	vars := map[string]interface{}{
-		"release-version":   config.ReleaseVersion,
-		"director_ssl_ca":   config.BoshDirectorCA,
-		"bosh_director_api": config.BoshDirectorAPI,
-		"director_ssl_cert": config.BoshDirectorCert,
-		"director_ssl_key":  config.BoshDirectorKey,
-		"deployment-name":   baseManifestVars.deploymentName,
-		"ssh_user":          defaultSSHUser,
+		"release-version":      config.ReleaseVersion,
+		"director_ssl_ca":      config.BoshDirectorCA,
+		"bosh_director_api":    config.BoshDirectorAPI,
+		"director_ssl_cert":    config.BoshDirectorCert,
+		"director_ssl_key":     config.BoshDirectorKey,
+		"director_common_name": config.BoshDirectorCertCN,
+		"deployment-name":      baseManifestVars.deploymentName,
+		"ssh_user":             defaultSSHUser,
 	}
 	for k, v := range customVars {
 		vars[k] = v

acceptance-tests/config.go

@@ -1,6 +1,8 @@
 package acceptance_tests
 
 import (
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
 	"os"
 	"os/exec"
@@ -9,18 +11,19 @@ import (
 var config Config
 
 type Config struct {
-	ReleaseRepoPath  string `json:"releaseRepoPath"`
-	ReleaseVersion   string `json:"releaseVersion"`
-	BoshDirectorAPI  string `json:"boshDirectorAPI"`
-	BoshDirectorCert string `json:"boshDirectorCert"`
-	BoshDirectorKey  string `json:"boshDirectorKey"`
-	BoshDirectorCA   string `json:"boshDirectorCA"`
-	BoshClient       string `json:"boshClient"`
-	BoshClientSecret string `json:"boshClientSecret"`
-	BoshEnvironment  string `json:"boshEnvironment"`
-	BoshPath         string `json:"boshPath"`
-	BaseManifestPath string `json:"baseManifestPath"`
-	HomePath         string `json:"homePath"`
+	ReleaseRepoPath    string `json:"releaseRepoPath"`
+	ReleaseVersion     string `json:"releaseVersion"`
+	BoshDirectorAPI    string `json:"boshDirectorAPI"`
+	BoshDirectorCertCN string `json:"boshDirectorCertCN"`
+	BoshDirectorCert   string `json:"boshDirectorCert"`
+	BoshDirectorKey    string `json:"boshDirectorKey"`
+	BoshDirectorCA     string `json:"boshDirectorCA"`
+	BoshClient         string `json:"boshClient"`
+	BoshClientSecret   string `json:"boshClientSecret"`
+	BoshEnvironment    string `json:"boshEnvironment"`
+	BoshPath           string `json:"boshPath"`
+	BaseManifestPath   string `json:"baseManifestPath"`
+	HomePath           string `json:"homePath"`
 }
 
 func loadConfig() (Config, error) {
@@ -84,20 +87,30 @@ func loadConfig() (Config, error) {
 	if err != nil {
 		return Config{}, err
 	}
+	// extract Bosh Director SSL Certificate Common Name
+	block, _ := pem.Decode([]byte(boshDirectorCert))
+	if block == nil {
+		return Config{}, fmt.Errorf("failed to parse PEM block containing the public key")
+	}
+
+	cert, _ := x509.ParseCertificate(block.Bytes) // handle error
+
+	boshDirectorCertCN := cert.Subject.CommonName
 
 	return Config{
-		ReleaseRepoPath:  releaseRepoPath,
-		ReleaseVersion:   releaseVersion,
-		BoshDirectorAPI:  boshDirectorAPI,
-		BoshDirectorCert: boshDirectorCert,
-		BoshDirectorKey:  boshDirectorKey,
-		BoshDirectorCA:   boshDirectorCA,
-		BoshClient:       boshClient,
-		BoshClientSecret: boshClientSecret,
-		BoshEnvironment:  boshEnvironment,
-		BoshPath:         boshPath,
-		BaseManifestPath: baseManifestPath,
-		HomePath:         homePath,
+		ReleaseRepoPath:    releaseRepoPath,
+		ReleaseVersion:     releaseVersion,
+		BoshDirectorAPI:    boshDirectorAPI,
+		BoshDirectorCertCN: boshDirectorCertCN,
+		BoshDirectorCert:   boshDirectorCert,
+		BoshDirectorKey:    boshDirectorKey,
+		BoshDirectorCA:     boshDirectorCA,
+		BoshClient:         boshClient,
+		BoshClientSecret:   boshClientSecret,
+		BoshEnvironment:    boshEnvironment,
+		BoshPath:           boshPath,
+		BaseManifestPath:   baseManifestPath,
+		HomePath:           homePath,
 	}, nil
 }
 

ci/Dockerfile

@@ -3,14 +3,15 @@ FROM bosh/docker-cpi:main
 
 ARG GINKGO_VERSION=latest
 ARG GOLANGCILINT_VERSION=latest
-RUN apt-get update && apt-get install -y libpcap-dev python3-pip && rm -rf /var/lib/apt/lists/*
-
-RUN curl -fsSL https://deb.nodesource.com/setup_current.x | sudo -E bash - && \
-    apt-get install -y nodejs && rm -rf /var/lib/apt/lists/*
-
 # Set bosh env at login
 RUN echo "source /tmp/local-bosh/director/env" >> /root/.bashrc
 
+# Install apt libs
+RUN apt-get update && apt-get install -y libpcap-dev python3-pip && rm -rf /var/lib/apt/lists/*
+
+# Install semantic-release and node lts
+RUN curl -fsSL https://deb.nodesource.com/setup_lts.x | sudo -E bash - && \
+    apt-get install -y nodejs && rm -rf /var/lib/apt/lists/*
 RUN npm install -g semantic-release && \
     npm install -g @semantic-release/exec
 

docs/go.version

@@ -1,2 +1,2 @@
-This file was updated by CI on 2023-06-28 13:01:42
-go1.20.5
+This file was updated by CI on 2023-07-12 05:10:59
+go1.20.6

jobs/pcap-agent/spec

@@ -36,5 +36,5 @@ properties:
     description: "Certificate and chain to talk to pcap-api in PEM format"
   pcap-agent.listen.tls.private_key:
     description: "Private key to talk to pcap-api in PEM format"
-  pcap-agent.listen.tls.ca:
+  pcap-agent.listen.tls.client_cas:
     description: "CA bundle which is used to request and verify client certificates"

jobs/pcap-agent/templates/client-ca.crt.erb

@@ -1,3 +1,3 @@
-<%- if_p("pcap-agent.listen.tls.ca") do |client_ca| -%>
+<%- if_p("pcap-agent.listen.tls.client_cas") do |client_ca| -%>
 <%= client_ca -%>
 <%- end -%>

jobs/pcap-agent/templates/pcap-agent.yml.erb

@@ -7,7 +7,7 @@ config = {
     "tls" => {
       "certificate"=> "/var/vcap/jobs/pcap-agent/config/certs/pcap-agent.crt",
       "private_key" => "/var/vcap/jobs/pcap-agent/config/certs/pcap-agent.key",
-      "ca" => "/var/vcap/jobs/pcap-agent/config/certs/client-ca.crt",
+      "client_cas" => "/var/vcap/jobs/pcap-agent/config/certs/client-ca.crt",
     },
   },
   "buffer" => {

jobs/pcap-api/spec

@@ -9,9 +9,7 @@ templates:
   pcap-api.crt.erb: config/certs/pcap-api.crt
   pcap-api.key.erb: config/certs/pcap-api.key
   pcap-api.ca.erb: config/certs/pcap-api-ca.crt
-  bosh_mtls/pcap-api-bosh.ca.erb: config/certs/bosh/pcap-api-bosh-ca.crt
-  bosh_mtls/pcap-api-bosh.crt.erb: config/certs/bosh/pcap-api-bosh.crt
-  bosh_mtls/pcap-api-bosh.key.erb: config/certs/bosh/pcap-api-bosh.key
+  pcap-api-bosh.ca.erb: config/certs/bosh/pcap-api-bosh-ca.crt
   agents_mtls/pcap-api-client.crt.erb: config/certs/pcap-api-client.crt
   agents_mtls/pcap-api-client.key.erb: config/certs/pcap-api-client.key
   agents_mtls/pcap-api-client.ca.erb: config/certs/pcap-api-client-ca.crt
@@ -44,7 +42,7 @@ properties:
     description: "Certificate chain to talk to gorouter in PEM format"
   pcap-api.listen.tls.private_key:
     description: "Private key to talk to gorouter in PEM format"
-  pcap-api.listen.tls.ca:
+  pcap-api.listen.tls.client_cas:
     description: "CA bundle which is used to request and verify client certificates" # platform CA (gorouter CA)
 
   pcap-api.agents_mtls.enabled:
@@ -70,19 +68,15 @@ properties:
     description: "Endpoint of the BOSH Director API"
   pcap-api.bosh.token_scope:
     description: "Scope of the token"
-  pcap-api.bosh.mtls.enabled:
+  pcap-api.bosh.tls.enabled:
     default: true
-  pcap-api.bosh.mtls.common_name:
+  pcap-api.bosh.tls.common_name:
     description: "Common name of the Bosh Director"
-  pcap-api.bosh.mtls.skip_verify:
+  pcap-api.bosh.tls.skip_verify:
     description: "Skip server verification for connection to Bosh Director"
     default: false
-  pcap-api.bosh.mtls.certificate:
-    description: "Client certificate to talk to Bosh Director in PEM format"
-  pcap-api.bosh.mtls.private_key:
-    description: "Private key to talk to Bosh Director in PEM format"
-  pcap-api.bosh.mtls.ca:
-    description: "CA bundle which is used to request and verify Bosh Director client certificates"
+  pcap-api.bosh.tls.ca:
+    description: "CA bundle which is used to request and verify Bosh Director certificates"
 
 
   pcap-api.cli_download_root:

jobs/pcap-api/templates/agents_mtls/pcap-api-client.ca.erb

@@ -1,7 +1,9 @@
-<%
-if_p("pcap-api.agents_mtls.ca") do |pem|
-%>
+<%- if p("pcap-api.agents_mtls.enabled").to_s == "true"
+      if !p("pcap-api.agents_mtls.ca", nil)
+        raise "Conflicting configuration: pcap-api.agents_mtls.enabled is true, you must provide a valid client CAs"
+      end
+    end
+-%>
+<%- if_p("pcap-api.agents_mtls.ca") do |pem| -%>
 <%= pem %>
-<%
-end
-%>
+<%- end -%>

jobs/pcap-api/templates/agents_mtls/pcap-api-client.crt.erb

@@ -1,7 +1,9 @@
-<%
-if_p("pcap-api.agents_mtls.certificate") do |pem|
-%>
+<%- if p("pcap-api.agents_mtls.enabled").to_s == "true"
+      if !p("pcap-api.agents_mtls.certificate", nil)
+        raise "Conflicting configuration: pcap-api.agents_mtls.enabled is true, you must provide a valid certificate"
+      end
+    end
+-%>
+<%- if_p("pcap-api.agents_mtls.certificate") do |pem| -%>
 <%= pem %>
-<%
-end
-%>
+<%- end -%>

jobs/pcap-api/templates/agents_mtls/pcap-api-client.key.erb

@@ -1,7 +1,9 @@
-<%
-if_p("pcap-api.agents_mtls.private_key") do |pem|
-%>
+<%- if p("pcap-api.agents_mtls.enabled").to_s == "true"
+      if !p("pcap-api.agents_mtls.private_key", nil)
+        raise "Conflicting configuration: pcap-api.agents_mtls.enabled is true, you must provide a valid private key"
+      end
+    end
+-%>
+<%- if_p("pcap-api.agents_mtls.private_key") do |pem| -%>
 <%= pem %>
-<%
-end
-%>
+<%- end -%>

jobs/pcap-api/templates/pcap-api-bosh.ca.erb

@@ -0,0 +1,13 @@
+<%- if p("pcap-api.bosh.tls.enabled").to_s == "true"
+      if !p("pcap-api.bosh.tls.ca", nil)
+        raise "Conflicting configuration: pcap-api.bosh.tls.enabled, you must provide a valid Bosh CAs"
+      end
+    end
+-%>
+<%
+if_p("pcap-api.bosh.tls.ca") do |pem|
+%>
+<%= pem %>
+<%
+end
+%>

jobs/pcap-api/templates/pcap-api.ca.erb

@@ -1,3 +1,9 @@
+<%- if p("pcap-api.listen.tls.enabled").to_s == "true"
+      if !p("pcap-api.listen.tls.client_cas", nil)
+        raise "Conflicting configuration: pcap-api.listen.tls.enabled is true, you must provide a valid client CA"
+      end
+    end
+-%>
 <%- if_p("pcap-api.listen.tls.ca") do |pem| -%>
 <%= pem %>
-<%- end -%>
+<%- end -%>