Enable mtls for file_server by default

- inline the content of ops file enable-tls-on-file-server.yml
- deprecate this ops file
- configure tls.client_ca_cert
- update tests and doc

Author: stephanme

cf-deployment.yml

@@ -1054,6 +1054,11 @@ instance_groups:
       bpm:
         enabled: true
       enable_consul_service_registration: false
+      https_server_enabled: true
+      tls:
+        cert: ((file_server_cert.certificate))
+        key: ((file_server_cert.private_key))
+        client_ca_cert: ((file_server_cert.ca))
       loggregator: *diego_loggregator_client_properties
   - name: routing-api
     release: routing
@@ -2804,6 +2809,17 @@ variables:
     extended_key_usage:
     - server_auth
 
+- name: file_server_cert
+  type: certificate
+  update_mode: converge
+  options:
+    ca: service_cf_internal_ca
+    common_name: file-server.service.cf.internal
+    alternative_names:
+    - file-server.service.cf.internal
+    extended_key_usage:
+    - server_auth
+
 releases:
 - name: binary-buildpack
   url: https://bosh.io/d/github.com/cloudfoundry/binary-buildpack-release?v=1.1.21

operations/README.md

@@ -39,10 +39,10 @@ This is the README for Ops-files. To learn more about `cf-deployment`, go to the
 | [`disable-router-tls-termination.yml`](disable-router-tls-termination.yml) | Eliminates keys related to performing TLS termination within the gorouter job. | Useful for deployments where TLS termination is performed prior to the gorouter - for instance, on AWS, such termination is commonly done at the ELB. This also eliminates the need to specify `((router_ssl.certificate))` and `((router_ssl.private_key))` in the var files. | **NO** |
 | [`disable-http2.yml`](disable-http2.yml) | Prevent gorouter from accepting and forwarding HTTP/2 requests. | | **NO** |
 | [`disable-dynamic-asgs.yml`](disable-dynamic-asgs.yml) | Disable dynamic updates for security groups. | | **NO** |
-| [`disable-tls-tcp-routing-stage-1-unproxied-ports.yml`](disable-tls-tcp-routing-stage-1-unproxied-ports.yml) | Stage 1 deployment for disabling TLS for TCP Routes on. See [configuring TCP routes](https://docs.cloudfoundry.org/adminguide/enabling-tcp-routing.html#tls-tcp-routes) for more info. | | **NO ** |
-| [`disable-tls-tcp-routing-stage-2-tcp-router-and-route-emitter.yml`](disable-tls-tcp-routing-stage-2-tcp-router-and-route-emitter.yml) | Stage 2 deployment for disabling TLS for TCP Routes on. See [configuring TCP routes](https://docs.cloudfoundry.org/adminguide/enabling-tcp-routing.html#tls-tcp-routes) for more info. | | **NO ** |
-| [`disable-tls-tcp-routing-isolation-segment-stage-1-unproxied-ports.yml`](disable-tls-tcp-routing-isolation-segment-stage-1-unproxied-ports.yml) | Stage 1 deployment for disabling TLS for TCP Routes on isolation segments. See [configuring TCP routes](https://docs.cloudfoundry.org/adminguide/enabling-tcp-routing.html#tls-tcp-routes) for more info. | | **NO ** |
-| [`disable-tls-tcp-routing-isolation-segment-stage-2-route-emitter.yml`](disable-tls-tcp-routing-isolation-segment-stage-2-route-emitter.yml) | Stage 2 deployment for disabling TLS for TCP Routes on isolation segments. See [configuring TCP routes](https://docs.cloudfoundry.org/adminguide/enabling-tcp-routing.html#tls-tcp-routes) for more info. | | **NO ** |
+| [`disable-tls-tcp-routing-stage-1-unproxied-ports.yml`](disable-tls-tcp-routing-stage-1-unproxied-ports.yml) | Stage 1 deployment for disabling TLS for TCP Routes on. See [configuring TCP routes](https://docs.cloudfoundry.org/adminguide/enabling-tcp-routing.html#tls-tcp-routes) for more info. | | **NO** |
+| [`disable-tls-tcp-routing-stage-2-tcp-router-and-route-emitter.yml`](disable-tls-tcp-routing-stage-2-tcp-router-and-route-emitter.yml) | Stage 2 deployment for disabling TLS for TCP Routes on. See [configuring TCP routes](https://docs.cloudfoundry.org/adminguide/enabling-tcp-routing.html#tls-tcp-routes) for more info. | | **NO** |
+| [`disable-tls-tcp-routing-isolation-segment-stage-1-unproxied-ports.yml`](disable-tls-tcp-routing-isolation-segment-stage-1-unproxied-ports.yml) | Stage 1 deployment for disabling TLS for TCP Routes on isolation segments. See [configuring TCP routes](https://docs.cloudfoundry.org/adminguide/enabling-tcp-routing.html#tls-tcp-routes) for more info. | | **NO** |
+| [`disable-tls-tcp-routing-isolation-segment-stage-2-route-emitter.yml`](disable-tls-tcp-routing-isolation-segment-stage-2-route-emitter.yml) | Stage 2 deployment for disabling TLS for TCP Routes on isolation segments. See [configuring TCP routes](https://docs.cloudfoundry.org/adminguide/enabling-tcp-routing.html#tls-tcp-routes) for more info. | | **NO** |
 | [`enable-cc-rate-limiting.yml`](enable-cc-rate-limiting.yml) | Enable rate limiting for UAA-authenticated endpoints. | Introduces variables `cc_rate_limiter_general_limit` and `cc_rate_limiter_unauthenticated_limit` | **NO** |
 | [`enable-cc-v2-rate-limiting.yml`](enable-cc-rate-limiting.yml) | Enable V2 API rate limiting for UAA-authenticated endpoints. | Introduces variables `cc_v2_rate_limiter_general_limit`, `cc_v2_rate_limiter_admin_limit` and `cc_v2_rate_limiter_reset_interval_in_minutes` | **NO** |
 | [`enable-cc-worker-metrics.yml`](enable-cc-worker-metrics.yml) | Enable metrics for cc-workers. | This will setup the metrics endpoint, configure the prom_scraper job and uses mTLS. If you want to use another scraper than prom_scraper you can additionally set `cc.prom_scraper.disabled` to true. | **NO** |
@@ -53,7 +53,7 @@ This is the README for Ops-files. To learn more about `cf-deployment`, go to the
 | [`enable-privileged-container-support.yml`](enable-privileged-container-support.yml) | Enables Diego privileged container support. | | **NO** |
 | [`enable-service-discovery.yml`](enable-service-discovery.yml) | Enables application service discovery | | **YES** |
 | [`enable-smb-volume-service.yml`](enable-smb-volume-service.yml) | Enables volume support and deploys an SMB broker and volume driver | As of cf-deployment v2, you must use the `smbbrokerpush` errand to cf push the smb broker after `bosh deploy` completes. | **NO** |
-| [`enable-tls-on-file-server.yml`](enable-tls-on-file-server.yml) | Enables TLS on file-server for assets | Enables downloading lifecycle assets over HTTPS | **NO** |
+| [`enable-tls-on-file-server.yml`](enable-tls-on-file-server.yml) | no-op, deprecated/obsolete | file-server mTLS is enabled by default since cf-d v54.10.0.  | **NO** |
 | [`enable-v2-api.yml`](enable-v2-api.yml) | Enable Cloud Controller API v2 endpoints | | **NO** |
 | [`override-app-domains.yml`](override-app-domains.yml) | Switches from using the system domain as a shared app domain; allows the configuration of one or more shared app domains instead. | Adds [new variables](example-vars-files/vars-override-app-domains.yml).<br/> **CAUTION:** Seeding domains with a router group name (including TCP domains) may cause problems deploying. Please use the `cf` CLI to add shared domains with router group names. | **NO** |
 | [`rename-network-and-deployment.yml`](rename-network-and-deployment.yml) | Allows a deployer to rename the network and deployment by passing a variables `network_name` and `deployment_name` | **CAUTION:** If you are using this ops file along  with another ops file that increases the number of instance groups (e.g. `perm-services.yml`), this ops file will not rename the network for those instance groups. | **YES** |

operations/enable-tls-on-file-server.yml

@@ -1,22 +1,2 @@
 ---
-- type: replace
-  path: /instance_groups/name=api/jobs/name=file_server/properties/https_server_enabled?
-  value: true
-- type: replace
-  path: /instance_groups/name=api/jobs/name=file_server/properties/tls?
-  value:
-    cert: ((file_server_cert.certificate))
-    key: ((file_server_cert.private_key))
-- type: replace
-  path: /variables/-
-  value:
-    name: file_server_cert
-    type: certificate
-    update_mode: converge
-    options:
-      ca: service_cf_internal_ca
-      common_name: file-server.service.cf.internal
-      alternative_names:
-      - file-server.service.cf.internal
-      extended_key_usage:
-        - server_auth
+# deprecated: content was integrated into cf-deployment.yml

units/tests/semantic_test/semantic_test.go

@@ -287,6 +287,54 @@ func TestSemantic(t *testing.T) {
 			t.Errorf("walk error: %v", err)
 		}
 	})
+
+	t.Run("file-server-mtls-enabled-by-default", func(t *testing.T) {
+		// Test 1: Verify https_server_enabled is true
+		httpsEnabled, err := helpers.BoshInterpolate(
+			operationsSubDirectory,
+			manifestPath,
+			"",
+			"--path", "/instance_groups/name=api/jobs/name=file_server/properties/https_server_enabled",
+		)
+		if err != nil {
+			t.Fatalf("failed to get https_server_enabled: %v", err)
+		}
+
+		if strings.TrimSpace(string(httpsEnabled)) != "true" {
+			t.Errorf("expected https_server_enabled to be 'true', got '%s'", strings.TrimSpace(string(httpsEnabled)))
+		}
+
+		// Test 2: Verify tls.client_ca_cert is configured
+		clientCaCert, err := helpers.BoshInterpolate(
+			operationsSubDirectory,
+			manifestPath,
+			"",
+			"--path", "/instance_groups/name=api/jobs/name=file_server/properties/tls/client_ca_cert",
+		)
+		if err != nil {
+			t.Fatalf("failed to get tls.client_ca_cert: %v", err)
+		}
+
+		expectedCaCert := "((file_server_cert.ca))"
+		if strings.TrimSpace(string(clientCaCert)) != expectedCaCert {
+			t.Errorf("expected client_ca_cert to be '%s', got '%s'", expectedCaCert, strings.TrimSpace(string(clientCaCert)))
+		}
+
+		// Test 3: Verify certificate variable exists
+		certVariable, err := helpers.BoshInterpolate(
+			operationsSubDirectory,
+			manifestPath,
+			"",
+			"--path", "/variables/name=file_server_cert",
+		)
+		if err != nil {
+			t.Fatalf("failed to get file_server_cert variable: %v", err)
+		}
+
+		if len(certVariable) == 0 {
+			t.Error("file_server_cert variable not found in manifest")
+		}
+	})
 }
 
 func TestReleaseVersions(t *testing.T) {