Blob's encryption keys
Ferran Rodenas <frodenas@...>
Is there any reason why support for encrypted s3 blobs has been removed [1] without any public notice? Doing a quick search [2] I found 17 bosh releases having the common encrypted key used by old versions of the bosh-gen tool. Those releases don't work anymore if using a recent Bosh cli version.

[1] https://github.com/cloudfoundry/bosh/commit/de65d705597200462bd0c91816a1cd71931ba220#diff-a4839dca5c661b934c1cc84b5f490e56
[2] https://github.com/search?utf8=%E2%9C%93&q=encryption_key%3A+cloudfoundry-community+extension%3Ayml&type=Code&ref=searchresults

- Ferdy

Dmitriy Kalinin
(Ignore this thread if your config/final.yml does not have encryption_key)
Looks like we've missed this hidden feature during the upgrade to the AWS SDK v2 to support IAM roles since it didn't have any integration level tests. Reviewing its purpose now, I think it makes sense to avoid bringing it back.

There is no easy way to migrate off of this feature transparently for old releases so our proposed solution is for maintainers of those releases in cloudfoundry-community to build a new final release version from scratch. Here are the steps to do so:

- cd into release directory
- note list of blobs from config/blobs.yml
- clear out config/blobs.yml (echo -e "---\n{}" > config/blobs.yml)
- remove readonly s3 credentials and encryption key from config/final.yml
- as usual set write credentials in config/private.yml
- download necessary blobs from official sources and use bosh add blob command
- bosh upload blobs to upload newly added blobs (will not be encrypted)
- note last final release version
- rm -rf .final_builds/ releases/ .dev_builds/ dev_releases/
- bosh create release --final --version X (where X is a desired next final release version)
- commit and push

Note that if a release was already tracked by bosh.io, existing final release versions will continue to be there and work as expected.

For more details on how to configure S3 bucket for releases see http://bosh.io/docs/s3-release-blobstore.html.

Sorry for inconvenience.

On Wed, Jan 6, 2016 at 12:00 PM, Ferran Rodenas <frodenas(a)gmail.com> wrote:
> Is there any reason why support for encrypted s3 blobs has been removed

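A read-only pre-check for the rebuild steps above, as an added example that is not part of the original thread or of the bosh tooling: it reports whether a release checkout still sets encryption_key in config/final.yml and lists the blob paths recorded in config/blobs.yml (the "note list of blobs" step). The function names and sample files are constructed, and the blobs.yml layout (blob paths as unindented mapping keys) is an assumption.

```shell
#!/bin/sh
# Added example: read-only audit of a BOSH release checkout before a rebuild.

# True when config/final.yml still sets an uncommented encryption_key.
uses_encryption_key() {
    grep -Eq '^[[:space:]]*encryption_key[[:space:]]*:' "$1/config/final.yml" 2>/dev/null
}

# Print blob paths from config/blobs.yml (assumed: unindented mapping keys).
list_blobs() {
    [ -f "$1/config/blobs.yml" ] || return 0
    sed -n -E 's/^([^[:space:]#-][^:]*):[[:space:]]*$/\1/p' "$1/config/blobs.yml"
}

# Report one checkout; returns 1 when it still depends on encryption_key.
audit_release() {
    dir=$1
    if uses_encryption_key "$dir"; then
        echo "$dir: encryption_key set; blobs to re-add from official sources:"
        list_blobs "$dir" | sed 's/^/  /'
        return 1
    fi
    echo "$dir: no encryption_key in config/final.yml"
}

# Constructed sample checkout (placeholder values only) for trying the audit.
make_sample_release() {
    d=$(mktemp -d) && mkdir -p "$d/config" || return 1
    cat > "$d/config/final.yml" <<'EOF'
---
final_name: sample
blobstore:
  provider: s3
  options:
    bucket_name: sample-bucket
    encryption_key: CONSTRUCTED-PLACEHOLDER
EOF
    cat > "$d/config/blobs.yml" <<'EOF'
---
sample/sample-1.0.tar.gz:
  object_id: 00000000-constructed
  size: 1024
other/tool-2.3.tgz:
  object_id: 11111111-constructed
EOF
    echo "$d"
}

for r in "$@"; do audit_release "$r" || true; done
```

Run it with one or more release directories as arguments; it changes nothing on disk.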
Joshua McKenty <jmckenty@...>
Why does it make sense to avoid restoring functionality?

On Jan 7, 2016, at 12:23 PM, Dmitriy Kalinin <dkalinin(a)pivotal.io> wrote:

Dr Nic Williams
I think someone can write a reusable/shareable script to fix any broken bosh release based on Dmitriy's instructions. Work around shouldn't be a huge issue. Since I was the one who cargo culted the encryption keys thing into bosh-gen then perhaps I can write the script one day. Traveling at moment so might not be done immediately.

On Thu, Jan 7, 2016 at 12:23 PM, Dmitriy Kalinin <dkalinin(a)pivotal.io> wrote:
> (Ignore this thread if your config/final.yml does not have encryption_key)

Dmitriy Kalinin
Josh: we have not seen the case when this is necessary (i was unaware it was even there). it's also confusing to configure it and currently would prevent us from doing some necessary updates to blobstore support. to clarify this is not an s3 feature, but something that was added on top.

On Fri, Jan 8, 2016 at 9:44 AM, Dr Nic Williams <drnicwilliams(a)gmail.com> wrote:
> I think someone can write a reusable/shareable script to fix any broken