cf authentication fails on 7.9.1

[gaigaslab-operations]

BOSH deployment
We upgraded from 7.8.3 -> 7.9.1
We use integrated authentication for admin and cf authentication for developers, and one team uses github auth.

web nodes were in error after upgrade completed.
Failed with:
error: server: Failed to open connector cf: failed to open connector: unknown connector type "cf"

Pertinent config:

      cf_auth:
        api_url: https://<redacted>
        ca_cert: |
        <redacted>
        certificate: |
        <redacted>
        client_id: concourse-platform-1.<redacted>
        client_secret: <redacted>
        skip_ssl_validation: true       
      displayer_user_id_per_connector:
      - cf:email
      - github:username

Reverting to 7.8.3 versions restored web node functionality.

[blyles]

This was mentioned here as well - concourse/concourse-bosh-release#172

[xtremerui]

This regression was introduced by 7c84a2d#diff-a34fa0a152d545781e98ee4328a9123aa0b5199cfcc571e99b293391b49efa2c when concourse/dex renamed the cf connector to cloudfoundry for an upstream request.

For users that configured cf connector and upgraded to either 6.8.0 or 7.9.1, you have to remove the cf connector config for continue using the upgraded version or you will have to downgrade to older version for continue using cf connector.

For concourse users that are not using cf connector for their authentication, this is no impact.

[jhohiii]

I'm sorry, @xtremerui, I don't understand what I need to do to use the cloudfoundry connector.

The BOSH SPEC file still references 'cf' as the authentication specification for cloudfoundry.

How do I get concourse to authenticate via cloudfoundry?

[xtremerui]

@jhohiii the fix is done in a way that doesn't require change of the flag, and thus bosh spec and helm values ref to the connector remains the same. You will need to wait for next release of them though.

[jhohiii]

I apologize, @xtremerui, for the extra questions, but do you mean 'the next release' of Concourse or 'the next release' of the connector - which we don't specifically install - it is all part of Concourse to us.

[xtremerui]

@jhohiii next release of Concourse i.e. v7.9.2

[blyles]

This is unfortunately still broken for us, we're debugging but it doesn't seem to work from everything that we've tried. @xtremerui was the 7.9.2 still coming?

[Kump3r]

Unfortunately, we also experience the same problem with v7.10.0? Are there any updates, or threads, where we can follow the progress on this?

[xtremerui]

@Kump3r could you share how do you specify the --cf-xx config?

[Kump3r]

@xtremerui
We have a bosh deployment. Using OPS and VARS files we configure the properties in the web spec.
Example web properties from a generated manifest

      cf_auth:
        api_url: https://some_url/
        client_id: some_id
        client_secret: ((!some_secret))

Thanks for looking into it!

[xtremerui]

@gaigaslab-operations have you tested v7.10 in your case? Do you see the same error still"?

[gaigaslab-operations]

@xtremerui, I have not tried it because of the report of @Kump3r . Is it fixed? I can try tonight.

We specify in BOSH with:

  - release: concourse
    name: web
    properties:
      displayer_user_id_per_connector: [cf:email, github:username]
      cf_auth:
        client_id: ((client_id))
        client_secret: ((client_secret))
        api_url: ((cf-api-url))
        skip_ssl_validation: false
        certificate: |
        <blah>

[Kump3r]

@xtremerui, @gaigaslab-operations FYI
After switching from concourse 7.8.2 to 7.10.0, when bosh starts recreating the web VM's, the first VM in the deployment fails with:

web/INSTANCE-ID (0)' is not running after update. Review logs for failed jobs: web

As expected the process state of the vm is failing and reviewing the logs with:

tail /var/vcap/sys/log/web/web.stderr.log

outputs the following error:

error: server: Failed to open connector cf: failed to open connector: unknown connector type "cf"

That is why I assume the issue is still present and ongoing.
BTW without any changes, revert to 7.8.2 is successful.
Let me know if you have additional steps, that needs to be reevaluated.
Thanks again for looking into it!

[gaigaslab-operations]

@xtremerui We really need this working ASAP.
We've been waiting since March. The fix was apparently done many months ago. We just need it incorporated into a working patch release.

[blyles]

We define it the same way and we attempted 7.10 and it still fails.

[Kump3r]

Would this be fixed for 7.10.x as well?

[xtremerui]

@Kump3r we haven't decided if next release would be a patch or minor release

[gaigaslab-operations]

Release date, @xtremerui roadmap?

[richo6030]

Hi all,

thank you for addressing this issue. We appreciate your efforts in resolving it.
Could you please provide an estimated timeline for the release of Concourse with this fix included?

[jhohiii]

@wayneadams @xtremerui
When will this merge be released? It's been over 6 months and there's been one release (7.10.0) that did not fix this. We are stuck on an old version and security is pressing us for an upgrade date.
Note that we are @gaigaslab-operations