From a22edb2d5833166604b3085577c36be7fc503c9f Mon Sep 17 00:00:00 2001
From: Andrew Crump
Date: Sat, 5 Mar 2022 00:23:36 +0000
Subject: [PATCH] Converge log_cache_syslog_tls certificate

- In #949 Log Cache was split out from the doppler instance group to its own log-cache instance group
- Log Cache was also configured to use syslog ingress by default, rather than the previous behaviour which was to use the Reverse Log Proxy
- Operators who had previously used the experimental ops-file to opt into syslog ingress (operations/experimental/use-logcache-syslog-ingress.yml) would already have had the `log_cache_syslog_tls` credential in their CredHub
- When these operators attempted to upgrade to v18.0.0 the certificate was not re-generated by default, leading to a mismatch between the new service name and the existing certificate
- Specify `update_mode: converge` so that the certificate is re-generated and the syslog agent will be able to send logs to the log cache syslog server
Fixes:
```
failed to write to log-cache.service.cf.internal:6067, retrying in 8.192s, err: x509: certificate is valid for q-s3.doppler.default.cf.bosh, doppler.service.cf.internal, not log-cache.service.cf.internal
```
---
 cf-deployment.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cf-deployment.yml b/cf-deployment.yml
index bff871214..2754c72af 100644
--- a/cf-deployment.yml
+++ b/cf-deployment.yml
@@ -2262,6 +2262,7 @@ variables:
 - localhost
 - name: log_cache_syslog_tls
 type: certificate
+ update_mode: converge
 options:
 ca: loggregator_ca
 common_name: log-cache.service.cf.internal
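Review bot: The added `update_mode: converge` on `log_cache_syslog_tls` has no comment in the manifest, so its rationale lives only in the commit message. A later cleanup could remove it and bring back the x509 name mismatch for operators who still hold a certificate issued for the doppler names. I would put a line above it such as `# converge: regenerate if the stored cert's parameters differ (older deployments hold a cert issued for doppler names)`. As I understand converge mode, any later edit to this variable's `options` will also reissue the leaf certificate on the next deploy; that looks safe while it is still signed by `loggregator_ca`, but it is a behaviour change to be aware of. The `options` block runs past the end of the hunk, so I cannot confirm from here that its alternative names include `log-cache.service.cf.internal`; the quoted error lists SANs rather than the common name, so that is the field that has to match.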