Bosh Lite cf-deployment VirtualBox with MITM Proxy Certificate

Question

I'm trying to deploy CF locally through a VirtualBox bosh-lite VM, but I'm running into the corporate proxy injecting a self signed certificate before reaching out to the internet.

I've SSH'd into the box and added the CA to the trusted certs at the OS level, but I'm still getting untrusted certificates in chain.

Is there somewhere I can put the Corporate CA within the configuration so all of the items will download / install successfully?

Answer 1

BOSH deploys things like CF, Zookeeper, Kubernetes, etc. to "clouds" by creating "machines" and installing the appropriate software and running it in those "machines". On a "typical" cloud like Amazon Web Services or VMWare vSphere, a "machine" is a typical virtual machine.

BOSH can also treat various container runtimes like Docker, Kubernetes, or Garden as "clouds" as well, and in the BOSH-Lite case, it's targetting Garden as a cloud. So in the BOSH-Lite case, the "machines" are actually Linux containers running inside the VirtualBox VM. So when you install your certs at the OS level of the VM, that will not apply to things running as containers within the VM.

BOSH does have a native way of injecting trusted certs into each machine it manages, using the trusted_certs property. Assuming you followed these docs to install BOSH-Lite, you can update the create-env command from this:

bosh create-env ~/workspace/bosh-deployment/bosh.yml \
  --state ./state.json \
  -o ~/workspace/bosh-deployment/virtualbox/cpi.yml \
  -o ~/workspace/bosh-deployment/virtualbox/outbound-network.yml \
  -o ~/workspace/bosh-deployment/bosh-lite.yml \
  -o ~/workspace/bosh-deployment/bosh-lite-runc.yml \
  -o ~/workspace/bosh-deployment/uaa.yml \
  -o ~/workspace/bosh-deployment/credhub.yml \
  -o ~/workspace/bosh-deployment/jumpbox-user.yml \
  --vars-store ./creds.yml \
  -v director_name=bosh-lite \
  -v internal_ip=192.168.50.6 \
  -v internal_gw=192.168.50.1 \
  -v internal_cidr=192.168.50.0/24 \
  -v outbound_network_name=NatNetwork

to this:

bosh create-env ~/workspace/bosh-deployment/bosh.yml \
  --state ./state.json \
  -o ~/workspace/bosh-deployment/virtualbox/cpi.yml \
  -o ~/workspace/bosh-deployment/virtualbox/outbound-network.yml \
  -o ~/workspace/bosh-deployment/bosh-lite.yml \
  -o ~/workspace/bosh-deployment/bosh-lite-runc.yml \
  -o ~/workspace/bosh-deployment/uaa.yml \
  -o ~/workspace/bosh-deployment/credhub.yml \
  -o ~/workspace/bosh-deployment/jumpbox-user.yml \
  -o ~/workspace/bosh-deployment/openstack/trusted-certs.yml \
  --vars-store ./creds.yml \
  -v director_name=bosh-lite \
  -v internal_ip=192.168.50.6 \
  -v internal_gw=192.168.50.1 \
  -v internal_cidr=192.168.50.0/24 \
  -v outbound_network_name=NatNetwork \
  --var-file=openstack_ca_cert=</PATH/TO/YOUR/CERT>

This adds two lines:

-o ~/workspace/bosh-deployment/openstack/trusted-certs.yml
--var-file=openstack_ca_cert=</PATH/TO/YOUR/CERT>

Even though it says openstack, there's nothing OpenStack-specific about those files. The first line (with -o) modifies the base manifest for BOSH to include a section for setting the director.trusted_certs property but doesn't actually aset the value, it parameterizes it as a variable called openstack_ca_cert, and the second line (with --var-file) actually sets the value with the contents from the given file.

After you run that command, it will update BOSH-Lite, but it won't update the things deployed by BOSH, e.g. CF. You'll need to re-run the deploy commands for CF to make sure it picks up those trusted certs.