
Enhance storage-cli webdav config #634

Open
kathap wants to merge 3 commits into develop from storage-cli-webdav-support

@kathap kathap commented Mar 25, 2026

Needs new storage-cli release with cloudfoundry/storage-cli#70 to be in first

  • A short explanation of the proposed change:
    Add support for optional signing_method configuration field in WebDAV/DAV storage-cli config templates across all Cloud Controller jobs. This allows operators to specify which URL
    signing method (SHA256 or MD5) the storage-cli should use when generating signed blobstore URLs.

  • An explanation of the use cases your change solves

    1. BBL/CAPI Environments with MD5 Blobstore: Operators can now set signing_method: md5 in their manifest's connection_config blocks to generate URLs compatible with CAPI's existing
      nginx blobstore configuration, which only supports MD5 signed URLs.
    2. Flexible Migration Path: Enables gradual migration from MD5 to SHA256 signing methods by allowing different components to use different signing methods during transition periods.
    3. Environment-Specific Configuration: Allows the same CAPI release to work with both BOSH-style (SHA256) and CAPI-style (MD5) blobstores by simply configuring the signing method in
      the deployment manifest.
    4. Backward Compatibility: When signing_method is not specified, storage-cli defaults to SHA256 (BOSH-compatible), maintaining compatibility with existing BOSH-integrated
      deployments.

    Changes Made:

    • 20 config template files updated across 5 Cloud Controller job types:
      • cloud_controller_ng
      • cloud_controller_worker
      • cloud_controller_clock
      • cc_deployment_updater
      • blobstore_benchmark
    • 3 key modifications to each WebDAV/DAV config section:
      a. Added signing_method field pass-through (optional)
      b. Fixed endpoint to use private_endpoint + "/admin/" (correct authenticated upload path)
      c. Fixed TLS cert structure to {"cert":{"ca":ca_cert}} (correct storage-cli format)

    Example Manifest Usage:

    cc:
      buildpacks:
        blobstore_type: storage-cli
        blobstore_provider: webdav
        connection_config:
          username: blobstore-user
          password: ((password))
          private_endpoint: https://blobstore.internal:4443
          secret: ((blobstore_secret))
          signing_method: md5  # Optional: "md5" or "sha256", if not specified defaults to "sha256"

  • Links to any other associated PRs

  • I have viewed, signed, and submitted the Contributor License Agreement

  • I have made this pull request to the develop branch

  • I have run CF Acceptance Tests on bosh lite

@kathap kathap marked this pull request as draft March 25, 2026 08:16
kathap added 2 commits March 25, 2026 09:36
  Configure storage-cli WebDAV endpoints to include resource-specific
  directory keys (cc-droplets, cc-packages, cc-buildpacks, cc-resources)
  for backward compatibility with fog/webdav client.

  When using basic auth, endpoints are: /admin/{directory_key}
  When using signed URLs, endpoints are: /{directory_key}

  This ensures both storage-cli and fog/webdav store blobs at identical
  physical paths, enabling zero-downtime rollback between the two clients.

  Updated all job templates and RSpec tests to expect directory keys in
  endpoint paths.
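
The config shape described in the PR description and in the commit message above, as an added Ruby sketch that is not code from this PR or from storage-cli. The helper names, the output keys `endpoint`, `user` and `tls`, and the sample credentials are assumptions; only the `{"cert":{"ca":...}}` nesting, the optional `signing_method` pass-through with its SHA256 default, and the two endpoint path forms come from the page.

```ruby
require 'json'

# Values the PR description names as valid for signing_method.
SIGNING_METHODS = %w[md5 sha256].freeze

# Hypothetical helper: builds one DAV config hash from a manifest
# connection_config block. Output key names are assumptions (see lead-in).
def dav_config(conn, directory_key, ca_cert: nil, basic_auth: true)
  base = conn.fetch('private_endpoint').chomp('/')
  # Commit message: basic auth -> /admin/{directory_key}, signed URLs -> /{directory_key}
  path = basic_auth ? "/admin/#{directory_key}" : "/#{directory_key}"
  cfg = {
    'endpoint' => base + path,
    'user'     => conn.fetch('username'),
    'password' => conn.fetch('password'),
    'secret'   => conn.fetch('secret')
  }
  cfg['tls'] = { 'cert' => { 'ca' => ca_cert } } if ca_cert
  # Optional pass-through: leave the key out so storage-cli applies its default.
  if (signing = conn['signing_method'])
    unless SIGNING_METHODS.include?(signing)
      raise ArgumentError, "signing_method must be one of: #{SIGNING_METHODS.join(', ')}"
    end
    cfg['signing_method'] = signing
  end
  cfg
end

# Effective method per the description: SHA256 when the field is absent.
def effective_signing_method(cfg)
  cfg.fetch('signing_method', 'sha256')
end

# Migration audit: directory keys whose config still signs URLs with MD5.
def md5_holdouts(configs)
  configs.select { |_, cfg| effective_signing_method(cfg) == 'md5' }.keys
end

# Constructed sample input mirroring the manifest example (not real credentials).
SAMPLE = { 'username' => 'blobstore-user', 'password' => 'constructed-pw',
           'private_endpoint' => 'https://blobstore.internal:4443',
           'secret' => 'constructed-secret' }.freeze

CONFIGS = {
  'cc-buildpacks' => dav_config(SAMPLE.merge('signing_method' => 'md5'), 'cc-buildpacks'),
  'cc-droplets'   => dav_config(SAMPLE, 'cc-droplets', ca_cert: 'constructed-ca-pem')
}.freeze

puts JSON.pretty_generate(CONFIGS)
puts "still signing with MD5: #{md5_holdouts(CONFIGS).join(', ')}"
```

Rejecting unknown `signing_method` values at render time and listing the MD5 holdouts gives operators a concrete checklist for the MD5 to SHA256 transition the description mentions.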