cloudfoundry / loggregator-release

Cloud Native Logging

RLP Should expose certs via bosh link

MasslessParticle opened this issue · comments

The RLP certs should be discoverable: expose them via a bosh link

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/159999209

The labels on this github issue will be updated when the story is started.

I disagree with this. With BOSH 2 it is easy enough to create a cert signed by the loggregator CA. Certs/keys should be unique to a service, e.g. why would Google and Yahoo use the same cert?

While I agree, CF and BOSH don't really seem to support any form of RBAC. Based on previous decisions within CF, I think we should move forward with exposing the link. We should lean on BOSH to allow for better control for the operator on which services can consume which links.

Instead of exposing a link for each component (in this case the RLP), consumers should just use the link that doppler provides:

```yaml
- name: loggregator
  type: loggregator
  properties:
  - loggregator.tls.ca_cert
  - loggregator.tls.doppler.cert
  - loggregator.tls.doppler.key
```

This way consumers don't need intimate knowledge of the loggregator architecture.

@poy wouldn't that require doppler to mark its loggregator link with `shared: true` in the PCF manifest?

I'm not sure how to use that link in a tile.yml configuration.

@bradylove I found documentation on how to generate signed certificates in a tile form,

But is that possible directly with just a BOSH deploy? If so how do I do that? Do you have any documentation I can follow?

@mattysweeps You can use BOSH variables to generate certificates. Here is the BOSH documentation on how to do so, and here is an example of how we are generating the certificate for the RLP in CF Deployment.
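Added illustration, not part of this thread and not cf-deployment's or loggregator-release's own configuration: a constructed BOSH v2 manifest excerpt that ties together the two suggestions above, generating a per-service certificate signed by the loggregator CA with BOSH `variables`, and consuming doppler's `loggregator` link (the link name, type and property names are the ones quoted earlier in the thread). The variable names (`loggregator_ca`, `doppler_tls`, `my_consumer_tls`), the `my-consumer` job and instance group, and `my-consumer-release` are assumed placeholders.

```yaml
# Constructed example manifest excerpt (assumed names; not cf-deployment's).
#
# Part 1: let BOSH generate the CA and a certificate per service that is
# signed by that CA, so the consumer never reuses doppler's own key.
variables:
- name: loggregator_ca
  type: certificate
  options:
    is_ca: true
    common_name: loggregatorCA
- name: doppler_tls                 # assumed name: doppler's own server cert
  type: certificate
  options:
    ca: loggregator_ca
    common_name: doppler
    extended_key_usage:
    - server_auth
    - client_auth
- name: my_consumer_tls             # assumed name: unique to this one service
  type: certificate
  options:
    ca: loggregator_ca              # signed by the loggregator CA above
    common_name: my-consumer
    extended_key_usage:
    - client_auth

instance_groups:
# Part 2a: the provider side. The job exposes the "loggregator" link;
# shared: true is only needed when the consumer lives in another deployment.
- name: doppler
  instances: 1
  azs: [z1]
  vm_type: default
  stemcell: default
  networks:
  - name: default
  jobs:
  - name: doppler
    release: loggregator
    provides:
      loggregator:
        shared: true
    properties:
      loggregator:
        tls:
          ca_cert: ((loggregator_ca.certificate))
          doppler:
            cert: ((doppler_tls.certificate))
            key: ((doppler_tls.private_key))

# Part 2b: the consumer side. It resolves doppler's link for the CA it must
# trust, and presents its own service-specific client certificate.
- name: my-consumer
  instances: 1
  azs: [z1]
  vm_type: default
  stemcell: default
  networks:
  - name: default
  jobs:
  - name: my-consumer                # assumed job name
    release: my-consumer-release     # assumed release name
    consumes:
      loggregator:
        from: loggregator            # add "deployment: <name>" if cross-deployment
    properties:
      tls:
        ca_cert: ((loggregator_ca.certificate))
        cert: ((my_consumer_tls.certificate))
        key: ((my_consumer_tls.private_key))
```

For the `consumes` entry to resolve, the consuming job's `spec` file in its release must declare a `consumes` entry with `name: loggregator` and `type: loggregator`; its ERB templates can then read the linked properties with `link("loggregator").p("loggregator.tls.ca_cert")`. With a CredHub-backed director, variables are namespaced per deployment, so a consumer in a different deployment references the CA by its absolute CredHub path rather than the bare `((loggregator_ca.certificate))` shown here.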